1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
|
/*
* Copyright (C) 2024 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
//! Module that provides access to a device specific key for this application and serialize the
//! necessary information to derive the same key to a cose-encrypt0 type header
use ciborium::Value;
use coset::{AsCborValue, CborSerializable, Header, ProtectedHeader};
use hwcryptohal_common::{err::HwCryptoError, hwcrypto_err};
use hwkey::{Hwkey, OsRollbackVersion, RollbackVersionSource};
use kmr_common::{
crypto::{self, Aes, Hkdf, Rng},
FallibleAllocExt,
};
use crate::crypto_provider;
/// Size of the base encryption key used by the service to derive other versioned context encryption
/// keys
const SERVICE_KEK_LENGTH: usize = 32;
/// Size of the random context used to derive a versioned context specific encryption key
pub(crate) const KEY_DERIVATION_CTX_LENGTH: usize = 32;
/// Nonce value of all zeroes used in AES-GCM key encryption.
const ZERO_NONCE: [u8; 12] = [0u8; 12];
const KEY_DERIVATION_CTX_COSE_LABEL: i64 = -65539;
const KEY_DERIVATION_VERSION_COSE_LABEL: i64 = -65540;
// Header used to derive a different key per each encrypted context. Encryption of the context is
// similar to what KeyMint does to wrap keys.
pub(crate) struct EncryptionHeader {
key_derivation_context: [u8; KEY_DERIVATION_CTX_LENGTH],
header_version: u32,
}
impl EncryptionHeader {
fn new(key_derivation_context: [u8; KEY_DERIVATION_CTX_LENGTH], header_version: u32) -> Self {
Self { key_derivation_context, header_version }
}
pub(crate) fn generate() -> Result<Self, HwCryptoError> {
let header_version = get_service_current_version()?;
Ok(Self::generate_with_version(header_version))
}
pub(crate) fn generate_with_version(header_version: u32) -> Self {
let key_derivation_context = get_new_key_derivation_context();
Self::new(key_derivation_context, header_version)
}
// Function used to generate different device bound encryption keys tied to the HWCrypto service
// to be used for different purposes, which include VersionContext encryption and key wrapping.
fn derive_service_encryption_key(
&self,
key_context: &[u8],
) -> Result<crypto::aes::Key, HwCryptoError> {
let encryption_key = get_encryption_key(self.header_version, key_context)?;
derive_key_hkdf(&encryption_key, &self.key_derivation_context[..])
}
/// Encrypt CBOR serializable data using a device key derived using `key_context`
pub(crate) fn encrypt_content_service_encryption_key<T: AsCborValue>(
&self,
key_context: &[u8],
content: T,
) -> Result<Vec<u8>, HwCryptoError> {
let kek = self.derive_service_encryption_key(key_context)?;
let aes = crypto_provider::AesImpl;
let cose_encrypt = coset::CoseEncrypt0Builder::new()
.protected(self.try_into()?)
.try_create_ciphertext::<_, HwCryptoError>(
&content.to_cbor_value()?.to_vec()?,
&[],
move |pt, aad| {
let mut op = aes.begin_aead(
kek.into(),
crypto::aes::GcmMode::GcmTag16 { nonce: ZERO_NONCE },
crypto::SymmetricOperation::Encrypt,
)?;
op.update_aad(aad)?;
let mut ct = op.update(pt)?;
ct.try_extend_from_slice(&op.finish()?)?;
Ok(ct)
},
)?
.build();
Ok(cose_encrypt.to_vec()?)
}
/// Decrypt CBOR serializable data using a device key derived using `key_context`. Data needs to
/// include an `EncryptionHeader` on the COSE protected header.
pub(crate) fn decrypt_content_service_encryption_key(
encrypted_context: &[u8],
key_context: &[u8],
) -> Result<(Self, Vec<u8>), HwCryptoError> {
let context: coset::CoseEncrypt0 = coset::CborSerializable::from_slice(encrypted_context)?;
let encryption_header: EncryptionHeader = (&context.protected).try_into()?;
let kek = encryption_header.derive_service_encryption_key(key_context)?;
let aes = crypto_provider::AesImpl;
let mut op = aes.begin_aead(
kek.into(),
crypto::aes::GcmMode::GcmTag16 { nonce: ZERO_NONCE },
crypto::SymmetricOperation::Decrypt,
)?;
let extended_aad = coset::enc_structure_data(
coset::EncryptionContext::CoseEncrypt0,
context.protected.clone(),
&[], // no external AAD
);
op.update_aad(&extended_aad)?;
let mut pt_data = op.update(&context.ciphertext.unwrap_or_default())?;
pt_data.try_extend_from_slice(
&op.finish()
.map_err(|e| hwcrypto_err!(INVALID_KEY, "failed to decrypt context: {:?}", e))?,
)?;
Ok((encryption_header, pt_data))
}
}
// Implementing conversion functions to easily convert from/to COSE headers and `EncryptionHeader`s
impl TryFrom<&ProtectedHeader> for EncryptionHeader {
type Error = HwCryptoError;
fn try_from(value: &ProtectedHeader) -> Result<EncryptionHeader, Self::Error> {
let cose_header_rest = &value.header.rest;
if cose_header_rest.len() != 2 {
return Err(hwcrypto_err!(
BAD_PARAMETER,
"header length was {} instead of 2",
cose_header_rest.len()
));
}
let mut key_derivation_context = None;
let mut header_version = None;
for element in cose_header_rest {
let label: i64 = element
.0
.clone()
.to_cbor_value()?
.into_integer()
.map_err(|_| {
hwcrypto_err!(
SERIALIZATION_ERROR,
"unsupported string header label {:?}",
element.0
)
})?
.try_into()
.map_err(|_| {
hwcrypto_err!(
SERIALIZATION_ERROR,
"error converting cose label {:?}",
element.0
)
})?;
match label {
KEY_DERIVATION_CTX_COSE_LABEL => {
key_derivation_context =
Some(parse_cborium_bytes_to_fixed_array(&element.1, "KEK context")?);
}
KEY_DERIVATION_VERSION_COSE_LABEL => {
header_version = Some(parse_cborium_u32(&element.1, "header version")?);
}
_ => return Err(hwcrypto_err!(BAD_PARAMETER, "unknown label {}", label)),
}
}
let key_derivation_context = key_derivation_context
.ok_or(hwcrypto_err!(SERIALIZATION_ERROR, "couldn't parse key context"))?;
let header_version = header_version
.ok_or(hwcrypto_err!(SERIALIZATION_ERROR, "couldn't parse header version"))?;
Ok(Self::new(key_derivation_context, header_version))
}
}
impl TryFrom<&EncryptionHeader> for Header {
type Error = HwCryptoError;
fn try_from(value: &EncryptionHeader) -> Result<Header, Self::Error> {
let mut key_derivation_context = Vec::<u8>::new();
key_derivation_context.try_extend_from_slice(&value.key_derivation_context[..])?;
let cose_header = coset::HeaderBuilder::new()
.algorithm(coset::iana::Algorithm::A256GCM)
.value(KEY_DERIVATION_CTX_COSE_LABEL, Value::Bytes(key_derivation_context))
.value(KEY_DERIVATION_VERSION_COSE_LABEL, Value::Integer(value.header_version.into()))
.build();
Ok(cose_header)
}
}
/// Get the base versioned encryption key used by the service to derive other versioned context
/// encryption keys
fn get_encryption_key(header_version: u32, key_context: &[u8]) -> Result<Vec<u8>, HwCryptoError> {
let mut key = Vec::<u8>::new();
key.try_reserve(SERVICE_KEK_LENGTH)?;
key.resize(SERVICE_KEK_LENGTH, 0);
let hwkey_session = Hwkey::open()
.map_err(|e| hwcrypto_err!(GENERIC_ERROR, "could not connect to hwkey service {:?}", e))?;
hwkey_session
.derive_key_req()
.unique_key()
.rollback_version_source(RollbackVersionSource::CommittedVersion)
.os_rollback_version(OsRollbackVersion::Version(header_version))
.derive(key_context, &mut key[..])
.map_err(|e| hwcrypto_err!(GENERIC_ERROR, "could derive key {:?}", e))?;
Ok(key)
}
// Create an AES key compatible with the current crypto backend used
fn derive_key_hkdf(
derivation_key: &[u8],
derivation_context: &[u8],
) -> Result<crypto::aes::Key, HwCryptoError> {
let kdf = crypto_provider::HmacImpl;
let raw_key = kdf.hkdf(&[], &derivation_key, &derivation_context, SERVICE_KEK_LENGTH)?;
let key_material = crypto::aes::Key::Aes256(
raw_key.try_into().expect("should not fail, call with SERVICE_KEK_LENGTH returns 32 bytes"),
);
Ok(key_material)
}
fn get_new_key_derivation_context() -> [u8; KEY_DERIVATION_CTX_LENGTH] {
let mut rng = crypto_provider::RngImpl::default();
let mut key_ctx = [0u8; KEY_DERIVATION_CTX_LENGTH];
rng.fill_bytes(&mut key_ctx[..]);
key_ctx
}
fn parse_cborium_bytes_to_fixed_array(
value: &ciborium::value::Value,
name: &str,
) -> Result<[u8; KEY_DERIVATION_CTX_LENGTH], HwCryptoError> {
let value_bytes = value.as_bytes().ok_or(hwcrypto_err!(
SERIALIZATION_ERROR,
"wrong type when trying to parse bytes for {}",
name,
))?;
if value_bytes.len() != KEY_DERIVATION_CTX_LENGTH {
return Err(hwcrypto_err!(
SERIALIZATION_ERROR,
"wrong number of bytes for {}, found {}, expected {}",
name,
value_bytes.len(),
KEY_DERIVATION_CTX_LENGTH
));
}
Ok(value_bytes.as_slice().try_into().expect("Shouldn't fail, we checked size already"))
}
fn parse_cborium_u32(
value: &ciborium::value::Value,
value_name: &str,
) -> Result<u32, HwCryptoError> {
let integer_value = value.as_integer().ok_or(hwcrypto_err!(
SERIALIZATION_ERROR,
"wrong type when trying to parse a u32 from {}",
value_name
))?;
integer_value.try_into().map_err(|e| {
hwcrypto_err!(SERIALIZATION_ERROR, "Error converting {} to u32: {}", value_name, e)
})
}
pub(crate) fn get_service_current_version() -> Result<u32, HwCryptoError> {
let hwkey_session = Hwkey::open()?;
match hwkey_session.query_current_os_version(RollbackVersionSource::CommittedVersion) {
Ok(OsRollbackVersion::Version(n)) => Ok(n),
_ => Err(hwcrypto_err!(GENERIC_ERROR, "error communicating with HwKey service")),
}
}
#[cfg(test)]
mod tests {
use super::*;
use test::{expect, expect_eq};
#[test]
fn header_encryption_decryption() {
let header = EncryptionHeader::generate();
expect!(header.is_ok(), "couldn't generate header");
let header = header.unwrap();
let encrypted_content = header.encrypt_content_service_encryption_key(
b"fake_context",
Value::Bytes(b"test_data".to_vec()),
);
expect!(encrypted_content.is_ok(), "couldn't generate header");
let encrypted_content = encrypted_content.unwrap();
let decrypted_data = EncryptionHeader::decrypt_content_service_encryption_key(
&encrypted_content[..],
b"fake_context",
);
expect!(decrypted_data.is_ok(), "couldn't generate header");
let (decrypted_header, decrypted_content) = decrypted_data.unwrap();
let decrypted_content =
Value::from_slice(&decrypted_content[..]).unwrap().into_bytes().unwrap();
expect_eq!(
header.key_derivation_context,
decrypted_header.key_derivation_context,
"header key derivation context do not match"
);
expect_eq!(
header.header_version,
decrypted_header.header_version,
"header version do not match"
);
expect_eq!(decrypted_content, b"test_data", "decrypted data do not match");
}
}
|
