commit dc05bb32d07183faeba06fc4be41fe1a4b782b75
author Martijn Coenen <maco@google.com> Mon Mar 08 10:52:48 2021 +0100
committer Martijn Coenen <maco@google.com> Mon Mar 08 16:31:53 2021 +0100
tree 2bb3486cd76b5ff1e650385bf2d9b5b55d0a97b9
parent ba1c9dc8a432050e13e8bbd90b51cad1cd982752

On-device signing: Verify signature of odsign.info.

This was left to be implemented with RSA_verify.

Bug: 165630556
Test: signature matches
Change-Id: Iaa66baa54c0479d35ced7a95afccb0328baa4394

ondevice-signing/odsign_main.cpp

diff --git a/ondevice-signing/odsign_main.cpp b/ondevice-signing/odsign_main.cpp
index 853f349..eeef868 100644
--- a/ondevice-signing/odsign_main.cpp
+++ b/ondevice-signing/odsign_main.cpp
@@ -178,7 +178,7 @@
     return verifyDigests(*result, trusted_digests);
 }
 
-Result<OdsignInfo> getOdsignInfo(const SigningKey& /* key */) {
+Result<OdsignInfo> getOdsignInfo(const SigningKey& key) {
     std::string persistedSignature;
     OdsignInfo odsignInfo;
 
@@ -190,24 +190,20 @@
     if (!odsign_info) {
         return Error() << "Failed to open " << kOdsignInfo;
     }
+    odsign_info.seekg(0);
     // Verify the hash
     std::string odsign_info_str((std::istreambuf_iterator<char>(odsign_info)),
                                 std::istreambuf_iterator<char>());
 
-    // TODO: this is way too slow - replace with a local RSA_verify implementation.
-    /*
-    auto verifiedSignature = key.sign(odsign_info_str);
-    if (!verifiedSignature.ok()) {
-        return Error() << "Failed to sign " << kOdsignInfo;
-    }
-
-    if (*verifiedSignature != persistedSignature) {
+    auto publicKey = key.getPublicKey();
+    auto signResult = verifySignature(odsign_info_str, persistedSignature, *publicKey);
+    if (!signResult.ok()) {
         return Error() << kOdsignInfoSignature << " does not match.";
     } else {
         LOG(INFO) << kOdsignInfoSignature << " matches.";
     }
-    */
 
+    odsign_info.seekg(0);
     if (!odsignInfo.ParseFromIstream(&odsign_info)) {
         return Error() << "Failed to parse " << kOdsignInfo;
     }
@@ -223,19 +219,20 @@
     auto map = signInfo.mutable_file_hashes();
     *map = proto_hashes;
 
-    std::fstream odsign_info(kOdsignInfo, std::ios::out | std::ios::trunc | std::ios::binary);
+    std::fstream odsign_info(kOdsignInfo,
+                             std::ios::in | std::ios::out | std::ios::trunc | std::ios::binary);
     if (!signInfo.SerializeToOstream(&odsign_info)) {
         return Error() << "Failed to persist root hashes in " << kOdsignInfo;
     }
 
-    odsign_info.seekg(0);
+    // Sign the signatures with our key itself, and write that to storage
+    odsign_info.seekg(0, std::ios::beg);
     std::string odsign_info_str((std::istreambuf_iterator<char>(odsign_info)),
                                 std::istreambuf_iterator<char>());
     auto signResult = key.sign(odsign_info_str);
     if (!signResult.ok()) {
         return Error() << "Failed to sign " << kOdsignInfo;
     }
-    // Sign the files with our key itself, and write that to storage
     android::base::WriteStringToFile(*signResult, kOdsignInfoSignature);
     return {};
 }