| // Copyright 2021 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "cryptohome/user_secret_stash.h" |
| |
| #include <base/check.h> |
| #include <base/logging.h> |
| #include <base/notreached.h> |
| #include <base/optional.h> |
| #include <brillo/secure_blob.h> |
| #include <stdint.h> |
| |
| #include <map> |
| #include <memory> |
| #include <string> |
| #include <utility> |
| #include <vector> |
| |
| #include "cryptohome/crypto/aes.h" |
| #include "cryptohome/crypto/secure_blob_util.h" |
| #include "cryptohome/cryptohome_common.h" |
| #include "cryptohome/flatbuffer_secure_allocator_bridge.h" |
| #include "cryptohome/user_secret_stash_container_generated.h" |
| #include "cryptohome/user_secret_stash_payload_generated.h" |
| |
| namespace cryptohome { |
| |
| namespace { |
| |
| // Serializes the UserSecretStashWrappedKeyBlock table into the given flatbuffer |
| // builder. Returns the flatbuffer offset, to be used for building the outer |
| // table. |
| flatbuffers::Offset<UserSecretStashWrappedKeyBlock> |
| GenerateUserSecretStashWrappedKeyBlock( |
| const std::string& wrapping_id, |
| const UserSecretStash::WrappedKeyBlock& wrapped_key_block, |
| flatbuffers::FlatBufferBuilder* builder) { |
| // Serialize the table's fields. |
| auto wrapping_id_string = builder->CreateString(wrapping_id); |
| auto encrypted_key_vector = |
| builder->CreateVector(wrapped_key_block.encrypted_key.data(), |
| wrapped_key_block.encrypted_key.size()); |
| auto iv_vector = builder->CreateVector(wrapped_key_block.iv.data(), |
| wrapped_key_block.iv.size()); |
| auto gcm_tag_vector = builder->CreateVector(wrapped_key_block.gcm_tag.data(), |
| wrapped_key_block.gcm_tag.size()); |
| |
| // Serialize the table itself. |
| UserSecretStashWrappedKeyBlockBuilder table_builder(*builder); |
| table_builder.add_wrapping_id(wrapping_id_string); |
| table_builder.add_encryption_algorithm( |
| wrapped_key_block.encryption_algorithm); |
| table_builder.add_encrypted_key(encrypted_key_vector); |
| table_builder.add_iv(iv_vector); |
| table_builder.add_gcm_tag(gcm_tag_vector); |
| return table_builder.Finish(); |
| } |
| |
| // Serializes the UserSecretStashContainer table. Returns the resulting |
| // flatbuffer as a blob. |
| brillo::SecureBlob GenerateUserSecretStashContainer( |
| const brillo::SecureBlob& ciphertext, |
| const brillo::SecureBlob& tag, |
| const brillo::SecureBlob& iv, |
| const std::map<std::string, UserSecretStash::WrappedKeyBlock>& |
| wrapped_key_blocks) { |
| FlatbufferSecureAllocatorBridge allocator; |
| flatbuffers::FlatBufferBuilder builder(/*initial_size=*/4096, &allocator, |
| /*own_allocator=*/false); |
| |
| auto ciphertext_vector = |
| builder.CreateVector(ciphertext.data(), ciphertext.size()); |
| auto tag_vector = builder.CreateVector(tag.data(), tag.size()); |
| auto iv_vector = builder.CreateVector(iv.data(), iv.size()); |
| std::vector<flatbuffers::Offset<UserSecretStashWrappedKeyBlock>> |
| wrapped_key_block_items; |
| for (const auto& item : wrapped_key_blocks) { |
| const std::string& wrapping_id = item.first; |
| const UserSecretStash::WrappedKeyBlock& wrapped_key_block = item.second; |
| wrapped_key_block_items.push_back(GenerateUserSecretStashWrappedKeyBlock( |
| wrapping_id, wrapped_key_block, &builder)); |
| } |
| auto wrapped_key_blocks_vector = |
| builder.CreateVector(wrapped_key_block_items); |
| |
| UserSecretStashContainerBuilder uss_container_builder(builder); |
| uss_container_builder.add_encryption_algorithm( |
| UserSecretStashEncryptionAlgorithm::AES_GCM_256); |
| uss_container_builder.add_ciphertext(ciphertext_vector); |
| uss_container_builder.add_gcm_tag(tag_vector); |
| uss_container_builder.add_iv(iv_vector); |
| uss_container_builder.add_wrapped_key_blocks(wrapped_key_blocks_vector); |
| auto uss_container = uss_container_builder.Finish(); |
| |
| builder.Finish(uss_container); |
| |
| auto ret_val = |
| brillo::SecureBlob(builder.GetBufferPointer(), |
| builder.GetBufferPointer() + builder.GetSize()); |
| |
| builder.Clear(); |
| |
| return ret_val; |
| } |
| |
| std::map<std::string, UserSecretStash::WrappedKeyBlock> |
| LoadUserSecretStashWrappedKeyBlocks( |
| const flatbuffers::Vector< |
| flatbuffers::Offset<UserSecretStashWrappedKeyBlock>>& |
| wrapped_key_block_vector) { |
| std::map<std::string, UserSecretStash::WrappedKeyBlock> loaded_key_blocks; |
| |
| for (const UserSecretStashWrappedKeyBlock* wrapped_key_block : |
| wrapped_key_block_vector) { |
| std::string wrapping_id; |
| if (wrapped_key_block->wrapping_id()) { |
| wrapping_id = wrapped_key_block->wrapping_id()->str(); |
| } |
| if (wrapping_id.empty()) { |
| LOG(WARNING) |
| << "Ignoring UserSecretStash wrapped key block with an empty ID."; |
| continue; |
| } |
| if (loaded_key_blocks.count(wrapping_id)) { |
| LOG(WARNING) |
| << "Ignoring UserSecretStash wrapped key block with duplicate ID " |
| << wrapping_id << "."; |
| continue; |
| } |
| UserSecretStash::WrappedKeyBlock loaded_block; |
| |
| if (wrapped_key_block->encryption_algorithm() != |
| UserSecretStashEncryptionAlgorithm::AES_GCM_256) { |
| LOG(WARNING) << "Ignoring UserSecretStash wrapped key block with an " |
| "unknown algorithm: " |
| << static_cast<int>( |
| wrapped_key_block->encryption_algorithm()); |
| } |
| loaded_block.encryption_algorithm = |
| wrapped_key_block->encryption_algorithm(); |
| |
| if (!wrapped_key_block->encrypted_key() || |
| !wrapped_key_block->encrypted_key()->size()) { |
| LOG(WARNING) << "Ignoring UserSecretStash wrapped key block with an " |
| "empty encrypted key."; |
| continue; |
| } |
| loaded_block.encrypted_key.assign( |
| wrapped_key_block->encrypted_key()->begin(), |
| wrapped_key_block->encrypted_key()->end()); |
| |
| if (!wrapped_key_block->iv() || !wrapped_key_block->iv()->size()) { |
| LOG(WARNING) |
| << "Ignoring UserSecretStash wrapped key block with an empty IV."; |
| continue; |
| } |
| loaded_block.iv.assign(wrapped_key_block->iv()->begin(), |
| wrapped_key_block->iv()->end()); |
| |
| if (!wrapped_key_block->gcm_tag() || |
| !wrapped_key_block->gcm_tag()->size()) { |
| LOG(WARNING) << "Ignoring UserSecretStash wrapped key block with an " |
| "empty AES-GCM tag."; |
| continue; |
| } |
| loaded_block.gcm_tag.assign(wrapped_key_block->gcm_tag()->begin(), |
| wrapped_key_block->gcm_tag()->end()); |
| |
| loaded_key_blocks.insert({std::move(wrapping_id), std::move(loaded_block)}); |
| } |
| |
| return loaded_key_blocks; |
| } |
| |
| } // namespace |
| |
| // static |
| std::unique_ptr<UserSecretStash> UserSecretStash::CreateRandom() { |
| brillo::SecureBlob file_system_key = |
| CreateSecureRandomBlob(CRYPTOHOME_DEFAULT_512_BIT_KEY_SIZE); |
| brillo::SecureBlob reset_secret = |
| CreateSecureRandomBlob(CRYPTOHOME_RESET_SECRET_LENGTH); |
| // Note: make_unique() wouldn't work due to the constructor being private. |
| return std::unique_ptr<UserSecretStash>( |
| new UserSecretStash(file_system_key, reset_secret)); |
| } |
| |
| // static |
| std::unique_ptr<UserSecretStash> UserSecretStash::FromEncryptedContainer( |
| const brillo::SecureBlob& flatbuffer, const brillo::SecureBlob& main_key) { |
| if (main_key.size() != kAesGcm256KeySize) { |
| LOG(ERROR) << "The UserSecretStash main key is of wrong length: " |
| << main_key.size() << ", expected: " << kAesGcm256KeySize; |
| return nullptr; |
| } |
| |
| flatbuffers::Verifier payload_verifier(flatbuffer.data(), flatbuffer.size()); |
| if (!VerifyUserSecretStashContainerBuffer(payload_verifier)) { |
| LOG(ERROR) << "The UserSecretStashContainer flatbuffer is invalid"; |
| return nullptr; |
| } |
| |
| auto uss_container = GetUserSecretStashContainer(flatbuffer.data()); |
| |
| UserSecretStashEncryptionAlgorithm algorithm = |
| uss_container->encryption_algorithm(); |
| if (algorithm != UserSecretStashEncryptionAlgorithm::AES_GCM_256) { |
| LOG(ERROR) << "UserSecretStashContainer uses unknown algorithm: " |
| << static_cast<int>(algorithm); |
| return nullptr; |
| } |
| |
| if (!uss_container->ciphertext() || !uss_container->ciphertext()->size()) { |
| LOG(ERROR) << "UserSecretStash has empty ciphertext"; |
| return nullptr; |
| } |
| brillo::SecureBlob ciphertext(uss_container->ciphertext()->begin(), |
| uss_container->ciphertext()->end()); |
| |
| if (!uss_container->iv() || !uss_container->iv()->size()) { |
| LOG(ERROR) << "UserSecretStash has empty IV"; |
| return nullptr; |
| } |
| if (uss_container->iv()->size() != kAesGcmIVSize) { |
| LOG(ERROR) << "UserSecretStash has IV of wrong length: " |
| << uss_container->iv()->size() |
| << ", expected: " << kAesGcmIVSize; |
| return nullptr; |
| } |
| brillo::SecureBlob iv(uss_container->iv()->begin(), |
| uss_container->iv()->end()); |
| |
| if (!uss_container->gcm_tag() || !uss_container->gcm_tag()->size()) { |
| LOG(ERROR) << "UserSecretStash has empty AES-GCM tag"; |
| return nullptr; |
| } |
| if (uss_container->gcm_tag()->size() != kAesGcmTagSize) { |
| LOG(ERROR) << "UserSecretStash has AES-GCM tag of wrong length: " |
| << uss_container->gcm_tag()->size() |
| << ", expected: " << kAesGcmTagSize; |
| return nullptr; |
| } |
| brillo::SecureBlob tag(uss_container->gcm_tag()->begin(), |
| uss_container->gcm_tag()->end()); |
| |
| std::map<std::string, WrappedKeyBlock> wrapped_key_blocks; |
| if (uss_container->wrapped_key_blocks()) { |
| wrapped_key_blocks = LoadUserSecretStashWrappedKeyBlocks( |
| *uss_container->wrapped_key_blocks()); |
| } |
| |
| brillo::SecureBlob serialized_uss; |
| if (!AesGcmDecrypt(ciphertext, /*ad=*/base::nullopt, tag, main_key, iv, |
| &serialized_uss)) { |
| LOG(ERROR) << "Failed to decrypt UserSecretStash"; |
| return nullptr; |
| } |
| |
| flatbuffers::Verifier uss_verifier(serialized_uss.data(), |
| serialized_uss.size()); |
| if (!VerifyUserSecretStashPayloadBuffer(uss_verifier)) { |
| LOG(ERROR) << "The UserSecretStashPayload flatbuffer is invalid"; |
| return nullptr; |
| } |
| |
| auto uss = GetUserSecretStashPayload(serialized_uss.data()); |
| |
| if (!uss->file_system_key() || !uss->file_system_key()->size()) { |
| LOG(ERROR) << "UserSecretStashPayload has no file system key"; |
| return nullptr; |
| } |
| brillo::SecureBlob file_system_key(uss->file_system_key()->begin(), |
| uss->file_system_key()->end()); |
| |
| if (!uss->reset_secret() || !uss->reset_secret()->size()) { |
| LOG(ERROR) << "UserSecretStashPayload has no reset secret"; |
| return nullptr; |
| } |
| brillo::SecureBlob reset_secret(uss->reset_secret()->begin(), |
| uss->reset_secret()->end()); |
| |
| // Note: make_unique() wouldn't work due to the constructor being private. |
| std::unique_ptr<UserSecretStash> stash( |
| new UserSecretStash(file_system_key, reset_secret)); |
| stash->wrapped_key_blocks_ = std::move(wrapped_key_blocks); |
| |
| return stash; |
| } |
| |
| const brillo::SecureBlob& UserSecretStash::GetFileSystemKey() const { |
| return file_system_key_; |
| } |
| |
| void UserSecretStash::SetFileSystemKey(const brillo::SecureBlob& key) { |
| file_system_key_ = key; |
| } |
| |
| const brillo::SecureBlob& UserSecretStash::GetResetSecret() const { |
| return reset_secret_; |
| } |
| |
| void UserSecretStash::SetResetSecret(const brillo::SecureBlob& secret) { |
| reset_secret_ = secret; |
| } |
| |
| bool UserSecretStash::HasWrappedMainKey(const std::string& wrapping_id) const { |
| return wrapped_key_blocks_.count(wrapping_id); |
| } |
| |
| base::Optional<brillo::SecureBlob> UserSecretStash::UnwrapMainKey( |
| const std::string& wrapping_id, |
| const brillo::SecureBlob& wrapping_key) const { |
| // Verify preconditions. |
| if (wrapping_id.empty()) { |
| NOTREACHED() << "Empty wrapping ID is passed for UserSecretStash main key " |
| "unwrapping."; |
| return base::nullopt; |
| } |
| if (wrapping_key.size() != kAesGcm256KeySize) { |
| NOTREACHED() << "Wrong wrapping key size is passed for UserSecretStash " |
| "main key unwrapping. Received: " |
| << wrapping_key.size() << ", expected " << kAesGcm256KeySize |
| << "."; |
| return base::nullopt; |
| } |
| |
| // Find the wrapped key block. |
| const auto wrapped_key_block_iter = wrapped_key_blocks_.find(wrapping_id); |
| if (wrapped_key_block_iter == wrapped_key_blocks_.end()) { |
| LOG(ERROR) |
| << "UserSecretStash wrapped key block with the given ID not found."; |
| return base::nullopt; |
| } |
| const WrappedKeyBlock& wrapped_key_block = wrapped_key_block_iter->second; |
| |
| // Verify the wrapped key block format. No NOTREACHED() checks here, since the |
| // key block is a deserialization of the persisted blob. |
| if (wrapped_key_block.encryption_algorithm != |
| UserSecretStashEncryptionAlgorithm::AES_GCM_256) { |
| LOG(ERROR) << "UserSecretStash wrapped main key uses unknown algorithm: " |
| << static_cast<int>(wrapped_key_block.encryption_algorithm) |
| << "."; |
| return base::nullopt; |
| } |
| if (wrapped_key_block.encrypted_key.empty()) { |
| LOG(ERROR) << "UserSecretStash wrapped main key has empty encrypted key."; |
| return base::nullopt; |
| } |
| if (wrapped_key_block.iv.size() != kAesGcmIVSize) { |
| LOG(ERROR) << "UserSecretStash wrapped main key has IV of wrong length: " |
| << wrapped_key_block.iv.size() << ", expected: " << kAesGcmIVSize |
| << "."; |
| return base::nullopt; |
| } |
| if (wrapped_key_block.gcm_tag.size() != kAesGcmTagSize) { |
| LOG(ERROR) |
| << "UserSecretStash wrapped main key has AES-GCM tag of wrong length: " |
| << wrapped_key_block.gcm_tag.size() << ", expected: " << kAesGcmTagSize |
| << "."; |
| return base::nullopt; |
| } |
| |
| // Attempt the unwrapping. |
| brillo::SecureBlob main_key; |
| if (!AesGcmDecrypt(wrapped_key_block.encrypted_key, /*ad=*/base::nullopt, |
| wrapped_key_block.gcm_tag, wrapping_key, |
| wrapped_key_block.iv, &main_key)) { |
| LOG(ERROR) << "Failed to unwrap UserSecretStash main key"; |
| return base::nullopt; |
| } |
| return main_key; |
| } |
| |
| bool UserSecretStash::AddWrappedMainKey( |
| const brillo::SecureBlob& main_key, |
| const std::string& wrapping_id, |
| const brillo::SecureBlob& wrapping_key) { |
| // Verify preconditions. |
| if (main_key.empty()) { |
| NOTREACHED() << "Empty UserSecretStash main key is passed for wrapping."; |
| return false; |
| } |
| if (wrapping_id.empty()) { |
| NOTREACHED() |
| << "Empty wrapping ID is passed for UserSecretStash main key wrapping."; |
| return false; |
| } |
| if (wrapping_key.size() != kAesGcm256KeySize) { |
| NOTREACHED() << "Wrong wrapping key size is passed for UserSecretStash " |
| "main key wrapping. Received: " |
| << wrapping_key.size() << ", expected " << kAesGcm256KeySize |
| << "."; |
| return false; |
| } |
| |
| // Protect from duplicate wrapping IDs. |
| if (wrapped_key_blocks_.count(wrapping_id)) { |
| LOG(ERROR) << "A UserSecretStash main key with the given wrapping_id " |
| "already exists."; |
| return false; |
| } |
| |
| // Perform the wrapping. |
| WrappedKeyBlock wrapped_key_block; |
| wrapped_key_block.encryption_algorithm = |
| UserSecretStashEncryptionAlgorithm::AES_GCM_256; |
| if (!AesGcmEncrypt(main_key, /*ad=*/base::nullopt, wrapping_key, |
| &wrapped_key_block.iv, &wrapped_key_block.gcm_tag, |
| &wrapped_key_block.encrypted_key)) { |
| LOG(ERROR) << "Failed to wrap UserSecretStash main key."; |
| return false; |
| } |
| |
| wrapped_key_blocks_[wrapping_id] = std::move(wrapped_key_block); |
| return true; |
| } |
| |
| bool UserSecretStash::RemoveWrappedMainKey(const std::string& wrapping_id) { |
| auto iter = wrapped_key_blocks_.find(wrapping_id); |
| if (iter == wrapped_key_blocks_.end()) { |
| LOG(ERROR) << "No UserSecretStash wrapped key block is found with the " |
| "given wrapping ID."; |
| return false; |
| } |
| wrapped_key_blocks_.erase(iter); |
| return true; |
| } |
| |
| base::Optional<brillo::SecureBlob> UserSecretStash::GetEncryptedContainer( |
| const brillo::SecureBlob& main_key) { |
| FlatbufferSecureAllocatorBridge allocator; |
| flatbuffers::FlatBufferBuilder builder(/*initial_size=*/4096, &allocator, |
| /*own_allocator=*/false); |
| |
| auto fs_key_vector = |
| builder.CreateVector(file_system_key_.data(), file_system_key_.size()); |
| auto reset_secret_vector = |
| builder.CreateVector(reset_secret_.data(), reset_secret_.size()); |
| |
| UserSecretStashPayloadBuilder uss_builder(builder); |
| uss_builder.add_file_system_key(fs_key_vector); |
| uss_builder.add_reset_secret(reset_secret_vector); |
| auto uss = uss_builder.Finish(); |
| |
| builder.Finish(uss); |
| |
| brillo::SecureBlob serialized_uss( |
| builder.GetBufferPointer(), |
| builder.GetBufferPointer() + builder.GetSize()); |
| |
| brillo::SecureBlob tag, iv, ciphertext; |
| if (!AesGcmEncrypt(serialized_uss, /*ad=*/base::nullopt, main_key, &iv, &tag, |
| &ciphertext)) { |
| LOG(ERROR) << "Failed to encrypt UserSecretStash"; |
| return base::nullopt; |
| } |
| |
| builder.Clear(); |
| |
| // Note: It can happen that the USS container is created with empty |
| // |wrapped_key_blocks_| - they may be added later, when the user registers |
| // the first credential with their cryptohome. |
| return GenerateUserSecretStashContainer(ciphertext, tag, iv, |
| wrapped_key_blocks_); |
| } |
| |
| UserSecretStash::UserSecretStash(const brillo::SecureBlob& file_system_key, |
| const brillo::SecureBlob& reset_secret) |
| : file_system_key_(file_system_key), reset_secret_(reset_secret) { |
| CHECK(!file_system_key_.empty()); |
| CHECK(!reset_secret_.empty()); |
| } |
| |
| } // namespace cryptohome |
