Add net/android/keystore.h

net/android/keystore_openssl.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/android/keystore_openssl.h"
+
+#include <jni.h>
+#include <openssl/dsa.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <pthread.h>
+
+#include "base/android/build_info.h"
+#include "base/android/jni_android.h"
+#include "base/android/scoped_java_ref.h"
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "crypto/openssl_util.h"
+#include "net/android/keystore.h"
+#include "net/base/ssl_client_cert_type.h"
+
+// This include is required to get the ECDSA_METHOD structure definition
+// which isn't currently part of the OpenSSL official ABI. This should
+// not be a concern for Chromium which always links against its own
+// version of the library on Android.
+#include <openssl/../../crypto/ecdsa/ecs_locl.h>

[Ryan Sleevi, 2013/01/31 03:09:53]

This certainly seems the wrong way to include this header.

Can we not modify the include path we use for openssl.gyp to allow the 'correct'
path to be determined (eg: openssl/src/crypto/ecdsa/ecs_local.h, for example).

I want to try and find a solution that doesn't "#include <foo/../../bar>"

[digit1, 2013/01/31 17:44:30]

I've added ../third_party/openssl/ to the 'include_dirs' directive in net.gyp
and this seems to work with #include <openssl/crypto/ecdsa/ecs_locl.h>, i.e.
without touching the other includes.

+
+// IMPORTANT NOTE: The following code will currently only work when used
+// to implement client certificate support with OpenSSL. That's because
+// only signing is implemented here.
+//

[agl, 2013/01/30 14:28:53]

I note that you have a number of "//" lines in here. I would personally remove
them but, if you like it, I've no problem with that either.

[digit1, 2013/01/31 17:44:30]

Done.

+
+// The OpenSSL EVP_PKEY type is a generic wrapper around key pairs.
+// Internally, it can hold a pointer to a RSA, DSA or ECDA structure,

[agl, 2013/01/30 14:28:53]

ECDA -> ECDSA

[digit1, 2013/01/31 17:44:30]

Done.

+// which model keypair implementations of each respective crypto
+// algorithm.
+//
+// The RSA type has a 'method' field pointer to a vtable-like structure
+// called a RSA_METHOD. This contains several function pointers that
+// correspond to operations on RSA keys (e.g. decode/encode with public
+// key, decode/encode with private key, signing, validation), as well as
+// a few flags.
+//
+// For example, the RSA_sign() function will call "method->rsa_sign()" if
+// method->rsa_sign is not NULL, otherwise, it will perform a regular
+// signing operation using the other fields in the RSA structure (which
+// are used to hold the typical modulus / exponent / parameters for the
+// key pair).
+//
+// This source file thus defines a custom RSA_METHOD structure, which
+// fields points to static methods used to implement the corresponding
+// RSA operation using platform Android APIs.
+//
+// However, the platform APIs require a jobject JNI reference to work.
+// It must be stored in the RSA instance, or made accessible when the
+// custom RSA methods are called. This is done by using RSA_set_app_data()
+// and RSA_get_app_data().
+//
+// One can thus _directly_ create a new EVP_PKEY that uses a custom RSA
+// object with the following:
+//
+//    RSA* rsa = RSA_new()
+//    RSA_set_method(&custom_rsa_method);
+//    RSA_set_app_data(rsa, jni_private_key);
+//
+//    EVP_PKEY* pkey = EVP_PKEY_new();
+//    EVP_PKEY_assign_RSA(pkey, rsa);
+//
+// Note that because EVP_PKEY_assign_RSA() is used, instead of
+// EVP_PKEY_set1_RSA(), the new EVP_PKEY now owns the RSA object, and
+// will destroy it when it is itself destroyed.
+//
+// Similarly, custom DSA_METHOD and ECDSA_METHOD are defined by this source
+// file.
+//
+// Note that there is no need to define an OpenSSL ENGINE here. These
+// are objects that can be used to expose custom methods (i.e. either
+// RSA_METHOD, DSA_METHOD, ECDSA_METHOD, and a large number of other ones
+// for types not related to this source file), and make them used by
+// default for a lot of operations. Very fortunately, this is not needed
+// here, which saves a lot of complexity.
+//
+
+namespace {
+
+///////////////////////////////////////////////////////////////////////////
+//
+// Custom RSA_METHOD that uses the platform APIs.
+// Note that for now, only signing through RSA_sign() is really supported.
+// all other method pointers are either stubs returning errors, or no-ops.
+//
+// See <openssl/rsa.h> for exact declaration of RSA_METHOD.
+//
+
+int RsaMethodPubEnc(int flen,
+                    const unsigned char* from,
+                    unsigned char* to,
+                    RSA* rsa,
+                    int padding) {
+  NOTIMPLEMENTED();
+  RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+  return -1;
+}
+
+int RsaMethodPubDec(int flen,
+                    const unsigned char* from,
+                    unsigned char* to,
+                    RSA* rsa,
+                    int padding) {
+  NOTIMPLEMENTED();
+  RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+  return -1;
+}
+
+int RsaMethodPrivEnc(int flen,
+                     const unsigned char *from,
+                     unsigned char *to,
+                     RSA *rsa,
+                     int padding) {
+  NOTIMPLEMENTED();
+  RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+  return -1;
+}
+
+int RsaMethodPrivDec(int flen,
+                     const unsigned char* from,
+                     unsigned char* to,
+                     RSA* rsa,
+                     int padding) {
+  NOTIMPLEMENTED();
+  RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+  return -1;
+}
+
+int RsaMethodInit(RSA* rsa) {
+  // Required to ensure that RsaMethodSign will be called.
+  rsa->flags |= RSA_FLAG_SIGN_VER;
+  return 0;
+}
+
+int RsaMethodFinish(RSA* rsa) {
+  // Ensure the global JNI reference is destroyed with this key.
+  jobject key = reinterpret_cast<jobject>(RSA_get_app_data(rsa));
+  if (key != NULL) {
+    RSA_set_app_data(rsa, NULL);
+    JNIEnv* env = base::android::AttachCurrentThread();
+    env->DeleteGlobalRef(key);
+  }
+  // Actual return value is ignored by OpenSSL. There are no docs
+  // explaining what this is supposed to be.
+  return 0;
+}
+
+int RsaMethodSign(int type,
+                  const unsigned char* message,
+                  unsigned int message_len,
+                  unsigned char* signature,
+                  unsigned int* signature_len,
+                  const RSA* rsa) {
+  // This is only used for client certificate support, which
+  // will always pass the NID_md5_sha1 |type| value.

[agl, 2013/01/30 14:28:53]

This will stop being true when we add TLS 1.2 support, which is an OKR for this
quarter. TLS 1.2 can negotiate the hash function to use and typically uses
SHA-256.

[digit1, 2013/01/31 17:44:30]

I know, that's why I've put the check here. I don't know enough OpenSSL to know
what to do exactly here if the 'type' is different. My understanding is that for
TLS 1.2, RSA_sign() will never be called directly. Instead, the
RsaMethodPrivEnv() method will have to be implemented because it can deal with
extra padding requirements and stuff. If you have any kind of pointers to more
details, I'd be happy to look at them.

+  DCHECK_EQ(NID_md5_sha1, type);
+  if (type != NID_md5_sha1) {
+    RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+    return 0;
+  }
+  // Retrieve private key JNI reference.
+  jobject private_key = reinterpret_cast<jobject>(RSA_get_app_data(rsa));
+  if (!private_key) {
+    LOG(WARNING) << "Null JNI reference passed to RsaMethodSign!";
+    return 0;
+  }
+  // Sign message with it through JNI.
+  base::StringPiece message_piece(reinterpret_cast<const char*>(message),
+                                  static_cast<size_t>(message_len));
+  std::vector<uint8> result;
+
+  if (!net::android::SignWithPrivateKey(
+        private_key, message_piece, &result)) {
+    LOG(WARNING) << "Could not sign message in RsaMethodSign!";
+    return 0;
+  }
+  // Copy result to OpenSSL-provided buffer
+  memcpy(signature, &result[0], result.size());

[Ryan Sleevi, 2013/01/31 03:09:53]

BUG:

No check that result.size() == RSA_size(rsa), which is the expectation of how
much memory will be provided in this method call.

RSA_size uses r->n (eg: ignoring the method), which is going to fail under your
synthetic key because you've failed to define the public parameters for it, so
there's no reliable way for the underlying OpenSSL calls to be "well behaved"

I'm not sure that your RSA_method approach is fully correct because of that.

[digit1, 2013/01/31 17:44:30]

I have added code that setups r->n in the custom RSA key, This makes RSA_size()
return the right value. Added a check here for it + a unittest.

+  *signature_len = static_cast<unsigned int>(result.size());
+  return 1;
+}
+
+const RSA_METHOD android_rsa_method = {
+  /* .name = */ "Android signing-only RSA method",
+  /* .rsa_pub_enc = */ RsaMethodPubEnc,
+  /* .rsa_pub_dec = */ RsaMethodPubDec,
+  /* .rsa_priv_enc = */ RsaMethodPrivEnc,
+  /* .rsa_priv_dec = */ RsaMethodPrivDec,
+  /* .rsa_mod_exp = */ NULL,
+  /* .bn_mod_exp = */ NULL,
+  /* .init = */ RsaMethodInit,
+  /* .finish = */ RsaMethodFinish,
+  /* .flags = */ RSA_FLAG_SIGN_VER,  // indicates that rsa_sign is usable.
+  /* .app_data = */ NULL,
+  /* .rsa_sign = */ RsaMethodSign,
+  /* .rsa_verify = */ NULL,
+  /* .rsa_keygen = */ NULL,
+};
+
+///////////////////////////////////////////////////////////////////////////
+//
+// Custom DSA_METHOD that uses the platform APIs.
+// Note that for now, only signing through DSA_sign() is really supported.
+// all other method pointers are either stubs returning errors, or no-ops.
+//
+// See <openssl/dsa.h> for exact declaration of DSA_METHOD.
+//
+// Note: There is no DSA_set_app_data() and DSA_get_app_data() functions,
+//       but RSA_set_app_data() is defined as a simple macro that calls
+//       RSA_set_ex_data() with a hard-coded index of 0, so this code
+//       does the same thing here.
+//
+
+static DSA_SIG* DsaMethodDoSign(const unsigned char* dgst,
+                                int dlen,
+                                DSA* dsa) {
+  // Extract the JNI reference to the PrivateKey object.
+  jobject private_key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa, 0));
+  if (private_key == NULL)
+    return NULL;
+
+  // Sign the message with it, calling platform APIs.
+  std::vector<uint8> signature;
+  if (!net::android::SignWithPrivateKey(
+      private_key,
+      base::StringPiece(
+          reinterpret_cast<const char*>(dgst),
+          static_cast<size_t>(dlen)),
+      &signature)) {

[Ryan Sleevi, 2013/01/31 03:09:53]

I don't believe the indents are correct here for the conditionals

[digit1, 2013/01/31 17:44:30]

I'm not sure, what would you propose instead?

+    return NULL;
+  }
+

[digit1, 2013/01/31 17:44:30]

Note: I've added code to implement DSA_size() properly, and I've added a check
here for signature.size() == DSA_size(dsa) - 2 here.

+  // Convert the signature into a DSA_SIG object.
+  const unsigned char* sigbuf =
+      reinterpret_cast<const unsigned char*>(&signature[0]);
+  int siglen = static_cast<size_t>(signature.size());
+  DSA_SIG* dsa_sig = d2i_DSA_SIG(NULL, &sigbuf, siglen);
+  return dsa_sig;
+}
+
+static int DsaMethodSignSetup(DSA* dsa,
+                              BN_CTX* ctx_in,
+                              BIGNUM** kinvp,
+                              BIGNUM** rp) {
+  NOTIMPLEMENTED();
+  DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_DIGEST_TYPE);
+  return -1;
+}
+
+static int DsaMethodDoVerify(const unsigned char* dgst,
+                             int dgst_len,
+                             DSA_SIG* sig,
+                             DSA* dsa) {
+  NOTIMPLEMENTED();
+  DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_INVALID_DIGEST_TYPE);
+  return -1;
+}
+
+static int DsaMethodFinish(DSA* dsa) {
+  // Free the global JNI reference.
+  jobject key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa,0));
+  if (key != NULL) {
+    DSA_set_ex_data(dsa, 0, NULL);
+    JNIEnv* env = base::android::AttachCurrentThread();
+    env->DeleteGlobalRef(key);
+  }
+  // Actual return value is ignored by OpenSSL. There are no docs
+  // explaining what this is supposed to be.
+  return 0;
+}
+
+const DSA_METHOD android_dsa_method = {
+  /* .name = */ "Android signing-only DSA method",
+  /* .dsa_do_sign = */ DsaMethodDoSign,
+  /* .dsa_sign_setup = */ DsaMethodSignSetup,
+  /* .dsa_do_verify = */ DsaMethodDoVerify,
+  /* .dsa_mod_exp = */ NULL,
+  /* .bn_mod_exp = */ NULL,
+  /* .init = */ NULL,  // nothing to do here.
+  /* .finish = */ DsaMethodFinish,
+  /* .flags = */ 0,
+  /* .app_data = */ NULL,
+  /* .dsa_paramgem = */ NULL,
+  /* .dsa_keygen = */ NULL
+};
+
+///////////////////////////////////////////////////////////////////////////
+//
+// Custom ECDSA_METHOD that uses the platform APIs.
+// Note that for now, only signing through ECDSA_sign() is really supported.
+// all other method pointers are either stubs returning errors, or no-ops.
+//
+
+// Note: The ECDSA_METHOD structure doesn't have init/finish
+//       methods. As such, the only way to to ensure the global
+//       JNI reference is properly released when the EVP_PKEY is
+//       destroyed is to use a custom EX_DATA type.
+
+// Used to ensure that the global JNI reference associated with a
+// custom EC_KEY + ECDSA_METHOD is released when the key is destroyed.
+void ExDataFree(void* parent,
+                void* ptr,
+                CRYPTO_EX_DATA* ad,
+                int idx,
+                long argl,
+                void* argp) {
+  jobject private_key = reinterpret_cast<jobject>(ptr);
+  if (private_key == NULL)
+    return;
+
+  CRYPTO_set_ex_data(ad, idx, NULL);
+
+  JNIEnv* env = base::android::AttachCurrentThread();
+  env->DeleteGlobalRef(private_key);
+}
+
+int ExDataDup(CRYPTO_EX_DATA* to,
+              CRYPTO_EX_DATA* from,
+              void* from_d,
+              int idx,
+              long argl,
+              void* argp) {
+  // This callback shall never be called with the current OpenSSL
+  // implementation (the library only ever duplicates EX_DATA items
+  // for SSL and BIO objects). But provide this to catch regressions
+  // in the future.
+  NOTIMPLEMENTED();
+  LOG(WARNING) << "ExDataDup for was called for ECDSA custom key !?";
+  // Return value is currently ignored by OpenSSL.
+  return 0;
+}
+
+int s_ecdsa_ex_data_index;
+
+void EcdsaInitExDataIndex(void) {
+  // Note that OpenSSL does not provide a way to unregister these
+  // indices, so don't worry about releasing them on program exit.
+  // There is also no need for an ExDataNew function.
+  s_ecdsa_ex_data_index = ECDSA_get_ex_new_index(0,           // argl
+                                                 NULL,        // argp
+                                                 NULL,        // new_func
+                                                 ExDataDup,   // dup_func
+                                                 ExDataFree); // free_func
+}
+
+// Returns the index of the custom EX_DATA used to store the JNI reference.
+int EcdsaGetExDataIndex(void) {
+  // The index must be initialized once per processs, and this function
+  // can be called from distinct threads. Use a pthread_once_t to perform
+  // proper lazy initialization.
+  static pthread_once_t once = PTHREAD_ONCE_INIT;
+  pthread_once(&once, EcdsaInitExDataIndex);
+  return s_ecdsa_ex_data_index;
+}
+
+ECDSA_SIG* EcdsaMethodDoSign(const unsigned char* dgst,
+                             int dgst_len,
+                             const BIGNUM* inv,
+                             const BIGNUM* rp,
+                             EC_KEY* eckey) {
+  // Retrieve private key JNI reference.
+  jobject private_key = reinterpret_cast<jobject>(
+      ECDSA_get_ex_data(eckey, EcdsaGetExDataIndex()));
+  if (!private_key) {
+    LOG(WARNING) << "Null JNI reference passed to EcdsaMethodDoSign!";
+    return NULL;
+  }
+  // Sign message with it through JNI.
+  std::vector<uint8> signature;
+  if (!net::android::SignWithPrivateKey(
+        private_key,
+        base::StringPiece(
+            reinterpret_cast<const char*>(dgst),
+            static_cast<size_t>(dgst_len)),
+        &signature)) {
+    LOG(WARNING) << "Could not sign message in EcdsaMethodDoSign!";
+    return NULL;
+  }
+

[digit1, 2013/01/31 17:44:30]

I'd like to add a check for signature.size() == ECDA_size() - 2 here, but I'm
not sure how to setup the EC_KEY so that ECDSA_size() would always return the
right value for it.

It looks like what is needed is setup the key's group with a value that has the
same order than the PrivateKey. However, I'm not too familiar with elliptical
cryptography. I can see a way to retrieve the PrivateKey's parameters with
platform APIs, but I miss a way to create an EC_KEY / EC_GROUP with this
information. Any idea?

[Ryan Sleevi, 2013/02/01 00:51:29]

So the ECParameterSpec (
http://docs.oracle.com/javase/1.5.0/docs/api/java/security/spec/ECParameterSp...
) for an ECKey (
http://docs.oracle.com/javase/1.5.0/docs/api/java/security/interfaces/ECKey.h...
), which an ECPrivateKey subclasses (
http://docs.oracle.com/javase/1.5.0/docs/api/java/security/interfaces/ECPriva...
) should contain the parameters from the PrivateKey

ECDSA_size uses EC_GROUP_get_order to find out the number of bits in the order
to work through the size of r & s (combined, they make up the signature)

EC_GROUP_get_order requires that EC_KEY_get0_group returns an EC_GROUP

You can set the EC_GROUP for an EC_KEY by using EC_KEY_set_group, which requires
you supply an EC_GROUP (and that it be dup-able)

The EC_GROUP_new requires an EC_METHOD to handle the group parameters.
EG_GROUP_new uses meth->group_init to initialize the parameters, which it
expects to fill in the order, the cofactor, and the curve name/flags

EC_GROUP_free expects to be able to use meth->group_finish

The order is available via ECParameterSpec::getOrder

I'm *pretty* sure that that is the only thing you *actually* need to stub in to
be able to fake it. Adam should confirm.

[digit1, 2013/02/01 21:44:36]

That's essentially what I ended up implementing. I'm creating a group with a
default EC_METHOD, then modifying the order member in-place. Seems to work
right.

+  // Convert signature to ECDSA_SIG object
+  const unsigned char* sigbuf =
+      reinterpret_cast<const unsigned char*>(&signature[0]);
+  long siglen = static_cast<long>(signature.size());
+  return d2i_ECDSA_SIG(NULL, &sigbuf, siglen);
+}
+
+int EcdsaMethodSignSetup(EC_KEY* eckey,
+                         BN_CTX* ctx,
+                         BIGNUM** kinv,
+                         BIGNUM** r) {
+  NOTIMPLEMENTED();
+  ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_ERR_EC_LIB);
+  return -1;
+}
+
+int EcdsaMethodDoVerify(const unsigned char* dgst,
+                        int dgst_len,
+                        const ECDSA_SIG* sig,
+                        EC_KEY* eckey) {
+  NOTIMPLEMENTED();
+  ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_ERR_EC_LIB);
+  return -1;
+}
+
+const ECDSA_METHOD android_ecdsa_method = {
+  /* .name = */ "Android signing-only ECDSA method",
+  /* .ecdsa_do_sign = */ EcdsaMethodDoSign,
+  /* .ecdsa_sign_setup = */ EcdsaMethodSignSetup,
+  /* .ecdsa_do_verify = */ EcdsaMethodDoVerify,
+  /* .flags = */ 0,
+  /* .app_data = */ NULL,
+};
+
+}  // namespace
+
+
+namespace net {
+namespace android {
+
+EVP_PKEY* GetOpenSSLPrivateKeyWrapper(jobject private_key) {
+  // Create scoped JNI global reference from the private key.
+  // This ensure that it will be usable from any thread, not only
+  // from the caller's.
+  //
+  // Note: "ScopedJavaGlobalRef<jobject> ref(a_jobject)" doesn't
+  // compile. Route around this by creating an empty object first,
+  // then resetting it.
+  base::android::ScopedJavaGlobalRef<jobject> global_key;
+  global_key.Reset(NULL, private_key);
+  if (global_key.is_null())
+    return NULL;
+
+  // Create new empty EVP_PKEY instance.
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pkey(EVP_PKEY_new());
+  if (!pkey.get())
+    return NULL;
+
+  // Create sub key type, depending on private key's algorithm type.
+  PrivateKeyType key_type = GetPrivateKeyType(global_key.obj());
+  switch (key_type) {
+    case PRIVATE_KEY_TYPE_RSA:
+      {
+        // Route around platform bug: if Android < 4.2, then
+        // base::android::SignWithPrivateKey() cannot work, so
+        // instead, obtain a raw EVP_PKEY* to the system object
+        // backing this PrivateKey object.
+        const int kAndroid42ApiLevel = 17;
+        if (base::android::BuildInfo::GetInstance()->sdk_int() <
+            kAndroid42ApiLevel) {
+          EVP_PKEY* sys_pkey =
+              GetOpenSSLSystemHandleForPrivateKey(global_key.obj());
+          if (sys_pkey == NULL) {
+            LOG(ERROR) << "Can't get system OpenSSL key!";
+            return NULL;
+          }
+          CRYPTO_add(&sys_pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+          pkey.reset(sys_pkey);
+        } else {
+          RSA* rsa = RSA_new();
+          RSA_set_method(rsa, &android_rsa_method);
+          RSA_set_app_data(rsa, global_key.Release());
+          EVP_PKEY_assign_RSA(pkey.get(), rsa);
+        }
+      }
+      break;
+    case PRIVATE_KEY_TYPE_DSA:
+      {
+        DSA* dsa = DSA_new();
+        DSA_set_method(dsa, &android_dsa_method);
+        DSA_set_ex_data(dsa, 0, global_key.Release());
+        EVP_PKEY_assign_DSA(pkey.get(), dsa);
+      }
+      break;
+    case PRIVATE_KEY_TYPE_ECDSA:
+      {
+        EC_KEY* ec_key = EC_KEY_new();
+        ECDSA_set_method(ec_key, &android_ecdsa_method);
+        ECDSA_set_ex_data(ec_key, EcdsaGetExDataIndex(), global_key.Release());
+        EVP_PKEY_assign_EC_KEY(pkey.get(), ec_key);
+      }
+      break;
+    default:
+      LOG(WARNING)
+          << "GetOpenSSLPrivateKeyWrapper() called with invalid key type";
+      return NULL;
+  }
+
+  return pkey.release();
+}
+
+}  // namespace android
+}  // namespace net