| /* |
| * Copyright 2015 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <keymaster/km_openssl/ecies_kem.h> |
| |
| #include <keymaster/km_openssl/nist_curve_key_exchange.h> |
| #include <keymaster/km_openssl/openssl_err.h> |
| |
| namespace keymaster { |
| |
| EciesKem::EciesKem(const AuthorizationSet& kem_description, keymaster_error_t* error) { |
| const AuthorizationSet& authorizations(kem_description); |
| |
| if (!authorizations.GetTagValue(TAG_EC_CURVE, &curve_)) { |
| LOG_E("%s", "EciesKem: no curve specified"); |
| *error = KM_ERROR_INVALID_ARGUMENT; |
| return; |
| } |
| |
| switch (curve_) { |
| case KM_EC_CURVE_P_224: |
| case KM_EC_CURVE_P_256: |
| case KM_EC_CURVE_P_384: |
| case KM_EC_CURVE_P_521: |
| break; |
| default: |
| LOG_E("EciesKem: curve %d is unsupported", curve_); |
| *error = KM_ERROR_UNSUPPORTED_EC_CURVE; |
| return; |
| } |
| |
| keymaster_kdf_t kdf; |
| if (!authorizations.GetTagValue(TAG_KDF, &kdf)) { |
| LOG_E("EciesKem: No KDF specified", 0); |
| *error = KM_ERROR_UNSUPPORTED_KDF; |
| return; |
| } |
| switch (kdf) { |
| case KM_KDF_RFC5869_SHA256: |
| kdf_.reset(new (std::nothrow) Rfc5869Sha256Kdf()); |
| break; |
| default: |
| LOG_E("Kdf %d is unsupported", kdf); |
| *error = KM_ERROR_UNSUPPORTED_KDF; |
| return; |
| } |
| if (!kdf_.get()) { |
| *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; |
| return; |
| } |
| |
| if (!authorizations.GetTagValue(TAG_KEY_SIZE, &key_bytes_to_generate_)) { |
| LOG_E("%s", "EciesKem: no key length specified"); |
| *error = KM_ERROR_UNSUPPORTED_KEY_SIZE; |
| return; |
| } |
| |
| single_hash_mode_ = authorizations.GetTagValue(TAG_ECIES_SINGLE_HASH_MODE); |
| *error = KM_ERROR_OK; |
| } |
| |
| bool EciesKem::Encrypt(const Buffer& peer_public_value, Buffer* output_clear_key, |
| Buffer* output_encrypted_key) { |
| return Encrypt(peer_public_value.peek_read(), peer_public_value.available_read(), |
| output_clear_key, output_encrypted_key); |
| } |
| |
| // http://www.shoup.net/iso/std6.pdf, section 10.2.3. |
| bool EciesKem::Encrypt(const uint8_t* peer_public_value, size_t peer_public_value_len, |
| Buffer* output_clear_key, Buffer* output_encrypted_key) { |
| |
| key_exchange_.reset(NistCurveKeyExchange::GenerateKeyExchange(curve_)); |
| if (!key_exchange_.get()) { |
| return false; |
| } |
| |
| Buffer shared_secret; |
| if (!key_exchange_->CalculateSharedKey(peer_public_value, peer_public_value_len, |
| &shared_secret)) { |
| LOG_E("EciesKem: ECDH failed, can't obtain shared secret", 0); |
| return false; |
| } |
| if (!key_exchange_->public_value(output_encrypted_key)) { |
| LOG_E("EciesKem: Can't obtain public value", 0); |
| return false; |
| } |
| |
| Buffer z; |
| if (single_hash_mode_) { |
| // z is empty. |
| } else { |
| // z = C0 |
| z.Reinitialize(output_encrypted_key->peek_read(), output_encrypted_key->available_read()); |
| } |
| |
| Buffer actual_secret(z.available_read() + shared_secret.available_read()); |
| actual_secret.write(z.peek_read(), z.available_read()); |
| actual_secret.write(shared_secret.peek_read(), shared_secret.available_read()); |
| |
| if (!kdf_->Init(actual_secret.peek_read(), actual_secret.available_read(), nullptr /* salt */, |
| 0 /* salt_len */)) { |
| LOG_E("EciesKem: KDF failed, can't derived keys", 0); |
| return false; |
| } |
| output_clear_key->Reinitialize(key_bytes_to_generate_); |
| if (!kdf_->GenerateKey(nullptr /* info */, 0 /* info length */, output_clear_key->peek_write(), |
| key_bytes_to_generate_)) { |
| LOG_E("EciesKem: KDF failed, can't derived keys", 0); |
| return false; |
| } |
| output_clear_key->advance_write(key_bytes_to_generate_); |
| |
| return true; |
| } |
| |
| bool EciesKem::Decrypt(EC_KEY* private_key, const Buffer& encrypted_key, Buffer* output_key) { |
| return Decrypt(private_key, encrypted_key.peek_read(), encrypted_key.available_read(), |
| output_key); |
| } |
| |
| // http://www.shoup.net/iso/std6.pdf, section 10.2.4. |
| bool EciesKem::Decrypt(EC_KEY* private_key, const uint8_t* encrypted_key, size_t encrypted_key_len, |
| Buffer* output_key) { |
| |
| keymaster_error_t error; |
| key_exchange_.reset(new (std::nothrow) NistCurveKeyExchange(private_key, &error)); |
| if (!key_exchange_.get() || error != KM_ERROR_OK) { |
| return false; |
| } |
| |
| Buffer shared_secret; |
| if (!key_exchange_->CalculateSharedKey(encrypted_key, encrypted_key_len, &shared_secret)) { |
| LOG_E("EciesKem: ECDH failed, can't obtain shared secret", 0); |
| return false; |
| } |
| |
| Buffer public_value; |
| if (!key_exchange_->public_value(&public_value)) { |
| LOG_E("%s", "EciesKem: Can't obtain public value"); |
| return false; |
| } |
| |
| Buffer z; |
| if (single_hash_mode_) { |
| // z is empty. |
| } else { |
| // z = C0 |
| z.Reinitialize(public_value.peek_read(), public_value.available_read()); |
| } |
| |
| Buffer actual_secret(z.available_read() + shared_secret.available_read()); |
| actual_secret.write(z.peek_read(), z.available_read()); |
| actual_secret.write(shared_secret.peek_read(), shared_secret.available_read()); |
| |
| if (!kdf_->Init(actual_secret.peek_read(), actual_secret.available_read(), nullptr /* salt */, |
| 0 /* salt_len */)) { |
| LOG_E("%s", "EciesKem: KDF failed, can't derived keys"); |
| return false; |
| } |
| |
| output_key->Reinitialize(key_bytes_to_generate_); |
| if (!kdf_->GenerateKey(nullptr /* info */, 0 /* info_len */, output_key->peek_write(), |
| key_bytes_to_generate_)) { |
| LOG_E("%s", "EciesKem: KDF failed, can't derived keys"); |
| return false; |
| } |
| output_key->advance_write(key_bytes_to_generate_); |
| |
| return true; |
| } |
| |
| } // namespace keymaster |