| OLD | NEW | 
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #include "net/ssl/ssl_platform_key.h" | 5 #include "net/ssl/ssl_platform_key_android.h" | 
| 6 | 6 | 
| 7 #include <openssl/digest.h> | 7 #include <openssl/ecdsa.h> | 
| 8 #include <openssl/evp.h> | 8 #include <openssl/rsa.h> | 
|  | 9 #include <strings.h> | 
| 9 | 10 | 
|  | 11 #include <memory> | 
| 10 #include <utility> | 12 #include <utility> | 
|  | 13 #include <vector> | 
| 11 | 14 | 
|  | 15 #include "base/android/build_info.h" | 
|  | 16 #include "base/android/scoped_java_ref.h" | 
|  | 17 #include "base/lazy_instance.h" | 
| 12 #include "base/logging.h" | 18 #include "base/logging.h" | 
| 13 #include "base/macros.h" | 19 #include "base/macros.h" | 
| 14 #include "base/memory/ptr_util.h" | 20 #include "base/memory/ptr_util.h" | 
| 15 #include "crypto/scoped_openssl_types.h" | 21 #include "crypto/scoped_openssl_types.h" | 
|  | 22 #include "net/android/keystore.h" | 
|  | 23 #include "net/android/legacy_openssl.h" | 
| 16 #include "net/base/net_errors.h" | 24 #include "net/base/net_errors.h" | 
| 17 #include "net/ssl/openssl_client_key_store.h" | 25 #include "net/ssl/openssl_client_key_store.h" | 
|  | 26 #include "net/ssl/ssl_platform_key.h" | 
| 18 #include "net/ssl/ssl_platform_key_task_runner.h" | 27 #include "net/ssl/ssl_platform_key_task_runner.h" | 
| 19 #include "net/ssl/ssl_private_key.h" |  | 
| 20 #include "net/ssl/threaded_ssl_private_key.h" | 28 #include "net/ssl/threaded_ssl_private_key.h" | 
| 21 | 29 | 
|  | 30 using base::android::ScopedJavaGlobalRef; | 
|  | 31 using base::android::ScopedJavaLocalRef; | 
|  | 32 | 
| 22 namespace net { | 33 namespace net { | 
| 23 | 34 | 
| 24 namespace { | 35 namespace { | 
| 25 | 36 | 
|  | 37 // On Android < 4.2, the libkeystore.so ENGINE uses CRYPTO_EX_DATA and is not | 
|  | 38 // added to the global engine list. If all references to it are dropped, OpenSSL | 
|  | 39 // will dlclose the module, leaving a dangling function pointer in the RSA | 
|  | 40 // CRYPTO_EX_DATA class. To work around this, leak an extra reference to the | 
|  | 41 // ENGINE we extract in GetRsaLegacyKey. | 
|  | 42 // | 
|  | 43 // In 4.2, this change avoids the problem: | 
|  | 44 // https://android.googlesource.com/platform/libcore/+/106a8928fb4249f2f3d4dba1d
     ddbe73ca5cb3d61 | 
|  | 45 // | 
|  | 46 // https://crbug.com/381465 | 
|  | 47 class KeystoreEngineWorkaround { | 
|  | 48  public: | 
|  | 49   KeystoreEngineWorkaround() {} | 
|  | 50 | 
|  | 51   void LeakEngine(jobject key) { | 
|  | 52     if (!engine_.is_null()) | 
|  | 53       return; | 
|  | 54     ScopedJavaLocalRef<jobject> engine = | 
|  | 55         android::GetOpenSSLEngineForPrivateKey(key); | 
|  | 56     if (engine.is_null()) { | 
|  | 57       NOTREACHED(); | 
|  | 58       return; | 
|  | 59     } | 
|  | 60     engine_.Reset(engine); | 
|  | 61   } | 
|  | 62 | 
|  | 63  private: | 
|  | 64   ScopedJavaGlobalRef<jobject> engine_; | 
|  | 65 }; | 
|  | 66 | 
|  | 67 void LeakEngine(jobject private_key) { | 
|  | 68   static base::LazyInstance<KeystoreEngineWorkaround>::Leaky s_instance = | 
|  | 69       LAZY_INSTANCE_INITIALIZER; | 
|  | 70   s_instance.Get().LeakEngine(private_key); | 
|  | 71 } | 
|  | 72 | 
| 26 class SSLPlatformKeyAndroid : public ThreadedSSLPrivateKey::Delegate { | 73 class SSLPlatformKeyAndroid : public ThreadedSSLPrivateKey::Delegate { | 
| 27  public: | 74  public: | 
| 28   SSLPlatformKeyAndroid(crypto::ScopedEVP_PKEY key, SSLPrivateKey::Type type) | 75   SSLPlatformKeyAndroid(SSLPrivateKey::Type type, | 
| 29       : key_(std::move(key)), type_(type) {} | 76                         jobject key, | 
|  | 77                         size_t max_length, | 
|  | 78                         android::AndroidRSA* legacy_rsa) | 
|  | 79       : type_(type), max_length_(max_length), legacy_rsa_(legacy_rsa) { | 
|  | 80     key_.Reset(nullptr, key); | 
|  | 81   } | 
| 30 | 82 | 
| 31   ~SSLPlatformKeyAndroid() override {} | 83   ~SSLPlatformKeyAndroid() override {} | 
| 32 | 84 | 
| 33   SSLPrivateKey::Type GetType() override { return type_; } | 85   SSLPrivateKey::Type GetType() override { return type_; } | 
| 34 | 86 | 
| 35   std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { | 87   std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { | 
| 36     static const SSLPrivateKey::Hash kHashes[] = { | 88     static const SSLPrivateKey::Hash kHashes[] = { | 
| 37         SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, | 89         SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, | 
| 38         SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1}; | 90         SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1}; | 
| 39     return std::vector<SSLPrivateKey::Hash>(kHashes, | 91     return std::vector<SSLPrivateKey::Hash>(kHashes, | 
| 40                                             kHashes + arraysize(kHashes)); | 92                                             kHashes + arraysize(kHashes)); | 
| 41   } | 93   } | 
| 42 | 94 | 
| 43   size_t GetMaxSignatureLengthInBytes() override { | 95   size_t GetMaxSignatureLengthInBytes() override { return max_length_; } | 
| 44     return EVP_PKEY_size(key_.get()); |  | 
| 45   } |  | 
| 46 | 96 | 
| 47   Error SignDigest(SSLPrivateKey::Hash hash, | 97   Error SignDigest(SSLPrivateKey::Hash hash, | 
| 48                    const base::StringPiece& input, | 98                    const base::StringPiece& input_in, | 
| 49                    std::vector<uint8_t>* signature) override { | 99                    std::vector<uint8_t>* signature) override { | 
| 50     crypto::ScopedEVP_PKEY_CTX ctx = | 100     base::StringPiece input = input_in; | 
| 51         crypto::ScopedEVP_PKEY_CTX(EVP_PKEY_CTX_new(key_.get(), NULL)); |  | 
| 52     if (!ctx) |  | 
| 53       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; |  | 
| 54     if (!EVP_PKEY_sign_init(ctx.get())) |  | 
| 55       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; |  | 
| 56 | 101 | 
|  | 102     // Prepend the DigestInfo for RSA. | 
|  | 103     crypto::ScopedOpenSSLBytes digest_info_storage; | 
| 57     if (type_ == SSLPrivateKey::Type::RSA) { | 104     if (type_ == SSLPrivateKey::Type::RSA) { | 
| 58       const EVP_MD* digest = nullptr; | 105       int hash_nid = NID_undef; | 
| 59       switch (hash) { | 106       switch (hash) { | 
| 60         case SSLPrivateKey::Hash::MD5_SHA1: | 107         case SSLPrivateKey::Hash::MD5_SHA1: | 
| 61           digest = EVP_md5_sha1(); | 108           hash_nid = NID_md5_sha1; | 
| 62           break; | 109           break; | 
| 63         case SSLPrivateKey::Hash::SHA1: | 110         case SSLPrivateKey::Hash::SHA1: | 
| 64           digest = EVP_sha1(); | 111           hash_nid = NID_sha1; | 
| 65           break; | 112           break; | 
| 66         case SSLPrivateKey::Hash::SHA256: | 113         case SSLPrivateKey::Hash::SHA256: | 
| 67           digest = EVP_sha256(); | 114           hash_nid = NID_sha256; | 
| 68           break; | 115           break; | 
| 69         case SSLPrivateKey::Hash::SHA384: | 116         case SSLPrivateKey::Hash::SHA384: | 
| 70           digest = EVP_sha384(); | 117           hash_nid = NID_sha384; | 
| 71           break; | 118           break; | 
| 72         case SSLPrivateKey::Hash::SHA512: | 119         case SSLPrivateKey::Hash::SHA512: | 
| 73           digest = EVP_sha512(); | 120           hash_nid = NID_sha512; | 
| 74           break; | 121           break; | 
| 75         default: |  | 
| 76           return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; |  | 
| 77       } | 122       } | 
| 78       DCHECK(digest); | 123       DCHECK_NE(NID_undef, hash_nid); | 
| 79       if (!EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_PADDING)) | 124 | 
|  | 125       uint8_t* digest_info; | 
|  | 126       size_t digest_info_len; | 
|  | 127       int is_alloced; | 
|  | 128       if (!RSA_add_pkcs1_prefix( | 
|  | 129               &digest_info, &digest_info_len, &is_alloced, hash_nid, | 
|  | 130               reinterpret_cast<const uint8_t*>(input.data()), input.size())) { | 
| 80         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 131         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 
| 81       if (!EVP_PKEY_CTX_set_signature_md(ctx.get(), digest)) | 132       } | 
| 82         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 133 | 
|  | 134       if (is_alloced) | 
|  | 135         digest_info_storage.reset(digest_info); | 
|  | 136       input = base::StringPiece(reinterpret_cast<const char*>(digest_info), | 
|  | 137                                 digest_info_len); | 
| 83     } | 138     } | 
| 84 | 139 | 
| 85     const uint8_t* input_ptr = reinterpret_cast<const uint8_t*>(input.data()); | 140     // Pre-4.2 legacy codepath. | 
| 86     size_t input_len = input.size(); | 141     if (legacy_rsa_) { | 
| 87     size_t sig_len = 0; | 142       signature->resize(max_length_); | 
| 88     if (!EVP_PKEY_sign(ctx.get(), NULL, &sig_len, input_ptr, input_len)) | 143       int ret = legacy_rsa_->meth->rsa_priv_enc( | 
| 89       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 144           input.size(), reinterpret_cast<const uint8_t*>(input.data()), | 
| 90     signature->resize(sig_len); | 145           signature->data(), legacy_rsa_, android::ANDROID_RSA_PKCS1_PADDING); | 
| 91     if (!EVP_PKEY_sign(ctx.get(), signature->data(), &sig_len, input_ptr, | 146       if (ret < 0) { | 
| 92                        input_len)) { | 147         LOG(WARNING) << "Could not sign message with legacy RSA key!"; | 
|  | 148         // System OpenSSL will use a separate error queue, so it is still | 
|  | 149         // necessary to push a new error. | 
|  | 150         // | 
|  | 151         // TODO(davidben): It would be good to also clear the system error queue | 
|  | 152         // if there were some way to convince Java to do it. (Without going | 
|  | 153         // through Java, it's difficult to get a handle on a system OpenSSL | 
|  | 154         // function; dlopen loads a second copy.) | 
|  | 155         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 
|  | 156       } | 
|  | 157       signature->resize(ret); | 
|  | 158       return OK; | 
|  | 159     } | 
|  | 160 | 
|  | 161     if (!android::RawSignDigestWithPrivateKey(key_.obj(), input, signature)) { | 
|  | 162       LOG(WARNING) << "Could not sign message with private key!"; | 
| 93       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 163       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 
| 94     } | 164     } | 
| 95 |  | 
| 96     signature->resize(sig_len); |  | 
| 97 |  | 
| 98     return OK; | 165     return OK; | 
| 99   } | 166   } | 
| 100 | 167 | 
| 101  private: | 168  private: | 
| 102   crypto::ScopedEVP_PKEY key_; |  | 
| 103   SSLPrivateKey::Type type_; | 169   SSLPrivateKey::Type type_; | 
|  | 170   ScopedJavaGlobalRef<jobject> key_; | 
|  | 171   size_t max_length_; | 
|  | 172   android::AndroidRSA* legacy_rsa_; | 
| 104 | 173 | 
| 105   DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyAndroid); | 174   DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyAndroid); | 
| 106 }; | 175 }; | 
| 107 | 176 | 
| 108 scoped_refptr<SSLPrivateKey> WrapOpenSSLPrivateKey(crypto::ScopedEVP_PKEY key) { | 177 // VectorBignumSize returns the number of bytes needed to represent the bignum | 
| 109   if (!key) | 178 // given in |v|, i.e. the length of |v| less any leading zero bytes. | 
|  | 179 size_t VectorBignumSize(const std::vector<uint8_t>& v) { | 
|  | 180   size_t size = v.size(); | 
|  | 181   // Ignore any leading zero bytes. | 
|  | 182   for (size_t i = 0; i < v.size() && v[i] == 0; i++) { | 
|  | 183     size--; | 
|  | 184   } | 
|  | 185   return size; | 
|  | 186 } | 
|  | 187 | 
|  | 188 std::unique_ptr<SSLPlatformKeyAndroid> CreateRsaKey(jobject key) { | 
|  | 189   android::AndroidRSA* sys_rsa = nullptr; | 
|  | 190   const int kAndroid42ApiLevel = 17; | 
|  | 191   if (base::android::BuildInfo::GetInstance()->sdk_int() < kAndroid42ApiLevel) { | 
|  | 192     // Route around platform limitations: if Android < 4.2, then | 
|  | 193     // base::android::RawSignDigestWithPrivateKey() cannot work, so try to get | 
|  | 194     // the system OpenSSL's EVP_PKEY backing this PrivateKey object. | 
|  | 195     android::AndroidEVP_PKEY* sys_pkey = | 
|  | 196         android::GetOpenSSLSystemHandleForPrivateKey(key); | 
|  | 197     if (!sys_pkey) | 
|  | 198       return nullptr; | 
|  | 199 | 
|  | 200     if (sys_pkey->type != android::ANDROID_EVP_PKEY_RSA) { | 
|  | 201       LOG(ERROR) << "Private key has wrong type!"; | 
|  | 202       return nullptr; | 
|  | 203     } | 
|  | 204 | 
|  | 205     sys_rsa = sys_pkey->pkey.rsa; | 
|  | 206     if (sys_rsa->engine) { | 
|  | 207       // |private_key| may not have an engine if the PrivateKey did not come | 
|  | 208       // from the key store, such as in unit tests. | 
|  | 209       if (strcmp(sys_rsa->engine->id, "keystore") == 0) { | 
|  | 210         LeakEngine(key); | 
|  | 211       } else { | 
|  | 212         NOTREACHED(); | 
|  | 213       } | 
|  | 214     } | 
|  | 215   } | 
|  | 216 | 
|  | 217   std::vector<uint8_t> modulus; | 
|  | 218   if (!android::GetRSAKeyModulus(key, &modulus)) { | 
|  | 219     LOG(ERROR) << "Failed to get private key modulus"; | 
| 110     return nullptr; | 220     return nullptr; | 
|  | 221   } | 
| 111 | 222 | 
| 112   SSLPrivateKey::Type type; | 223   return base::MakeUnique<SSLPlatformKeyAndroid>( | 
| 113   switch (EVP_PKEY_id(key.get())) { | 224       SSLPrivateKey::Type::RSA, key, VectorBignumSize(modulus), sys_rsa); | 
| 114     case EVP_PKEY_RSA: | 225 } | 
| 115       type = SSLPrivateKey::Type::RSA; | 226 | 
| 116       break; | 227 std::unique_ptr<SSLPlatformKeyAndroid> CreateEcdsaKey(jobject key) { | 
| 117     case EVP_PKEY_EC: | 228   std::vector<uint8_t> order; | 
| 118       type = SSLPrivateKey::Type::ECDSA; | 229   if (!android::GetECKeyOrder(key, &order)) { | 
| 119       break; | 230     LOG(ERROR) << "Can't extract order parameter from EC private key"; | 
| 120     default: | 231     return nullptr; | 
| 121       LOG(ERROR) << "Unknown key type: " << EVP_PKEY_id(key.get()); |  | 
| 122       return nullptr; |  | 
| 123   } | 232   } | 
| 124   return make_scoped_refptr(new ThreadedSSLPrivateKey( | 233 | 
| 125       base::WrapUnique(new SSLPlatformKeyAndroid(std::move(key), type)), | 234   return base::MakeUnique<SSLPlatformKeyAndroid>( | 
| 126       GetSSLPlatformKeyTaskRunner())); | 235       SSLPrivateKey::Type::ECDSA, key, | 
|  | 236       ECDSA_SIG_max_len(VectorBignumSize(order)), nullptr); | 
| 127 } | 237 } | 
| 128 | 238 | 
| 129 }  // namespace | 239 }  // namespace | 
| 130 | 240 | 
|  | 241 scoped_refptr<SSLPrivateKey> WrapJavaPrivateKey(jobject key) { | 
|  | 242   std::unique_ptr<SSLPlatformKeyAndroid> delegate; | 
|  | 243   switch (android::GetPrivateKeyType(key)) { | 
|  | 244     case android::PRIVATE_KEY_TYPE_RSA: | 
|  | 245       delegate = CreateRsaKey(key); | 
|  | 246       break; | 
|  | 247     case android::PRIVATE_KEY_TYPE_ECDSA: | 
|  | 248       delegate = CreateEcdsaKey(key); | 
|  | 249       break; | 
|  | 250     default: | 
|  | 251       LOG(WARNING) << "GetPrivateKeyType() returned invalid type"; | 
|  | 252       return nullptr; | 
|  | 253   } | 
|  | 254 | 
|  | 255   return make_scoped_refptr(new ThreadedSSLPrivateKey( | 
|  | 256       std::move(delegate), GetSSLPlatformKeyTaskRunner())); | 
|  | 257 } | 
|  | 258 | 
| 131 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey( | 259 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey( | 
| 132     X509Certificate* certificate) { | 260     X509Certificate* certificate) { | 
| 133   crypto::ScopedEVP_PKEY key = | 261   return OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey( | 
| 134       OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey( | 262       certificate); | 
| 135           certificate); |  | 
| 136   return WrapOpenSSLPrivateKey(std::move(key)); |  | 
| 137 } | 263 } | 
| 138 | 264 | 
| 139 }  // namespace net | 265 }  // namespace net | 
| OLD | NEW | 
|---|