Gitiles
Code Review Sign In
gerrit.omnirom.org / android_build / 3b0cb6e842a37cacfacad2dbca0c7b9d8ba2d840 / . / tools / releasetools / check_ota_package_signature.py
blob: 0da61b10529a99e0efa515e5159b5a07ae3aabb6 [file] [log] [blame]
Tao Bao9c63fb52016-09-13 11:13:48 -0700[diff] [blame]1#!/usr/bin/env python
2#
3# Copyright (C) 2016 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17"""
18Verify a given OTA package with the specifed certificate.
19"""
20
21from __future__ import print_function
22
23import argparse
24import common
25import re
26import subprocess
27import sys
28
29from hashlib import sha1
30from hashlib import sha256
31
32
33def cert_uses_sha256(cert):
34 """Check if the cert uses SHA-256 hashing algorithm."""
35
36 cmd = ['openssl', 'x509', '-text', '-noout', '-in', cert]
37 p1 = common.Run(cmd, stdout=subprocess.PIPE)
38 cert_dump, _ = p1.communicate()
39
40 algorithm = re.search(r'Signature Algorithm: ([a-zA-Z0-9]+)', cert_dump)
41 assert algorithm, "Failed to identify the signature algorithm."
42
43 assert not algorithm.group(1).startswith('ecdsa'), (
44 'This script doesn\'t support verifying ECDSA signed package yet.')
45
46 return algorithm.group(1).startswith('sha256')
47
48
49def verify_package(cert, package):
50 """Verify the given package with the certificate.
51
52 (Comments from bootable/recovery/verifier.cpp:)
53
54 An archive with a whole-file signature will end in six bytes:
55
56 (2-byte signature start) $ff $ff (2-byte comment size)
57
58 (As far as the ZIP format is concerned, these are part of the
59 archive comment.) We start by reading this footer, this tells
60 us how far back from the end we have to start reading to find
61 the whole comment.
62 """
63
64 print('Package: %s' % (package,))
65 print('Certificate: %s' % (cert,))
66
67 # Read in the package.
68 with open(package) as package_file:
69 package_bytes = package_file.read()
70
71 length = len(package_bytes)
72 assert length >= 6, "Not big enough to contain footer."
73
74 footer = [ord(x) for x in package_bytes[-6:]]
75 assert footer[2] == 0xff and footer[3] == 0xff, "Footer is wrong."
76
77 signature_start_from_end = (footer[1] << 8) + footer[0]
78 assert signature_start_from_end > 6, "Signature start is in the footer."
79
80 signature_start = length - signature_start_from_end
81
82 # Determine how much of the file is covered by the signature. This is
83 # everything except the signature data and length, which includes all of the
84 # EOCD except for the comment length field (2 bytes) and the comment data.
85 comment_len = (footer[5] << 8) + footer[4]
86 signed_len = length - comment_len - 2
87
88 print('Package length: %d' % (length,))
89 print('Comment length: %d' % (comment_len,))
90 print('Signed data length: %d' % (signed_len,))
91 print('Signature start: %d' % (signature_start,))
92
93 use_sha256 = cert_uses_sha256(cert)
94 print('Use SHA-256: %s' % (use_sha256,))
95
96 if use_sha256:
97 h = sha256()
98 else:
99 h = sha1()
100 h.update(package_bytes[:signed_len])
101 package_digest = h.hexdigest().lower()
102
103 print('Digest: %s\n' % (package_digest,))
104
105 # Get the signature from the input package.
106 signature = package_bytes[signature_start:-6]
107 sig_file = common.MakeTempFile(prefix='sig-', suffix='')
108 with open(sig_file, 'wb') as f:
109 f.write(signature)
110
111 # Parse the signature and get the hash.
112 cmd = ['openssl', 'asn1parse', '-inform', 'DER', '-in', sig_file]
113 p1 = common.Run(cmd, stdout=subprocess.PIPE)
114 sig, _ = p1.communicate()
115 assert p1.returncode == 0, "Failed to parse the signature."
116
117 digest_line = sig.strip().split('\n')[-1]
118 digest_string = digest_line.split(':')[3]
119 digest_file = common.MakeTempFile(prefix='digest-', suffix='')
120 with open(digest_file, 'wb') as f:
121 f.write(digest_string.decode('hex'))
122
123 # Verify the digest by outputing the decrypted result in ASN.1 structure.
124 decrypted_file = common.MakeTempFile(prefix='decrypted-', suffix='')
125 cmd = ['openssl', 'rsautl', '-verify', '-certin', '-inkey', cert,
126 '-in', digest_file, '-out', decrypted_file]
127 p1 = common.Run(cmd, stdout=subprocess.PIPE)
128 p1.communicate()
129 assert p1.returncode == 0, "Failed to run openssl rsautl -verify."
130
131 # Parse the output ASN.1 structure.
132 cmd = ['openssl', 'asn1parse', '-inform', 'DER', '-in', decrypted_file]
133 p1 = common.Run(cmd, stdout=subprocess.PIPE)
134 decrypted_output, _ = p1.communicate()
135 assert p1.returncode == 0, "Failed to parse the output."
136
137 digest_line = decrypted_output.strip().split('\n')[-1]
138 digest_string = digest_line.split(':')[3].lower()
139
140 # Verify that the two digest strings match.
141 assert package_digest == digest_string, "Verification failed."
142
143 # Verified successfully upon reaching here.
144 print('VERIFIED\n')
145
146
147def main():
148 parser = argparse.ArgumentParser()
149 parser.add_argument('certificate', help='The certificate to be used.')
150 parser.add_argument('package', help='The OTA package to be verified.')
151 args = parser.parse_args()
152
153 verify_package(args.certificate, args.package)
154
155
156if __name__ == '__main__':
157 try:
158 main()
159 except AssertionError as err:
160 print('\n ERROR: %s\n' % (err,))
161 sys.exit(1)