Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / 6cf830b8913e741d7d3c7ed047b2cbdbb222034e / . / payload_consumer / payload_verifier.cc
blob: b2c5be4742b6cd3230079d43c2c645612ccf331e [file] [log] [blame]
Alex Deymoaea4c1c2015-08-19 20:24:43 -0700[diff] [blame]1//
2// Copyright (C) 2014 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]16
Alex Deymo39910dc2015-11-09 17:04:30 -0800[diff] [blame]17#include "update_engine/payload_consumer/payload_verifier.h"
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]18
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]19#include <utility>
Sen Jiang08c6da12019-01-07 18:28:56 -0800[diff] [blame]20#include <vector>
21
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]22#include <base/logging.h>
23#include <openssl/pem.h>
24
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]25#include "update_engine/common/constants.h"
Alex Deymo39910dc2015-11-09 17:04:30 -0800[diff] [blame]26#include "update_engine/common/hash_calculator.h"
27#include "update_engine/common/utils.h"
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]28#include "update_engine/update_metadata.pb.h"
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]29
30using std::string;
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]31
32namespace chromeos_update_engine {
33
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]34namespace {
35
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]36// The ASN.1 DigestInfo prefix for encoding SHA256 digest. The complete 51-byte
37// DigestInfo consists of 19-byte SHA256_DIGEST_INFO_PREFIX and 32-byte SHA256
38// digest.
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]39//
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]40// SEQUENCE(2+49) {
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]41// SEQUENCE(2+13) {
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]42// OBJECT(2+9) id-sha256
43// NULL(2+0)
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]44// }
45// OCTET STRING(2+32) <actual signature bytes...>
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]46// }
47const uint8_t kSHA256DigestInfoPrefix[] = {
48 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
49 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]50};
51
52} // namespace
53
Tianjie Xu6cf830b2019-09-30 11:31:49 -0700[diff] [blame^]54std::unique_ptr<PayloadVerifier> PayloadVerifier::CreateInstance(
55 const std::string& pem_public_key) {
56 std::unique_ptr<BIO, decltype(&BIO_free)> bp(
57 BIO_new_mem_buf(pem_public_key.data(), pem_public_key.size()), BIO_free);
58 if (!bp) {
59 LOG(ERROR) << "Failed to read " << pem_public_key << " into buffer.";
60 return nullptr;
61 }
62
63 auto pub_key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(
64 PEM_read_bio_PUBKEY(bp.get(), nullptr, nullptr, nullptr), EVP_PKEY_free);
65 if (!pub_key) {
66 LOG(ERROR) << "Failed to parse the public key in " << pem_public_key;
67 return nullptr;
68 }
69
70 return std::unique_ptr<PayloadVerifier>(
71 new PayloadVerifier(std::move(pub_key)));
72}
73
74bool PayloadVerifier::VerifySignature(
75 const string& signature_proto, const brillo::Blob& sha256_hash_data) const {
76 TEST_AND_RETURN_FALSE(public_key_ != nullptr);
77
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]78 Signatures signatures;
Sen Jiang9b2f1782019-01-24 14:27:50 -0800[diff] [blame]79 LOG(INFO) << "signature blob size = " << signature_proto.size();
80 TEST_AND_RETURN_FALSE(signatures.ParseFromString(signature_proto));
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]81
Alex Deymob552a682015-09-30 09:36:49 -0700[diff] [blame]82 if (!signatures.signatures_size()) {
83 LOG(ERROR) << "No signatures stored in the blob.";
84 return false;
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]85 }
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]86
Alex Vakulenko3f39d5c2015-10-13 09:27:13 -0700[diff] [blame]87 std::vector<brillo::Blob> tested_hashes;
Alex Deymob552a682015-09-30 09:36:49 -0700[diff] [blame]88 // Tries every signature in the signature blob.
89 for (int i = 0; i < signatures.signatures_size(); i++) {
Sen Jiang9b2f1782019-01-24 14:27:50 -0800[diff] [blame]90 const Signatures::Signature& signature = signatures.signatures(i);
Alex Vakulenko3f39d5c2015-10-13 09:27:13 -0700[diff] [blame]91 brillo::Blob sig_data(signature.data().begin(), signature.data().end());
92 brillo::Blob sig_hash_data;
Tianjie Xu6cf830b2019-09-30 11:31:49 -0700[diff] [blame^]93 if (VerifyRawSignature(sig_data, sha256_hash_data, &sig_hash_data)) {
Alex Deymob552a682015-09-30 09:36:49 -0700[diff] [blame]94 LOG(INFO) << "Verified correct signature " << i + 1 << " out of "
95 << signatures.signatures_size() << " signatures.";
96 return true;
97 }
Tianjie Xu6cf830b2019-09-30 11:31:49 -0700[diff] [blame^]98 if (!sig_hash_data.empty()) {
99 tested_hashes.push_back(sig_hash_data);
100 }
Alex Deymob552a682015-09-30 09:36:49 -0700[diff] [blame]101 }
102 LOG(ERROR) << "None of the " << signatures.signatures_size()
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]103 << " signatures is correct. Expected hash before padding:";
104 utils::HexDumpVector(sha256_hash_data);
Alex Deymob552a682015-09-30 09:36:49 -0700[diff] [blame]105 LOG(ERROR) << "But found decrypted hashes:";
106 for (const auto& sig_hash_data : tested_hashes) {
107 utils::HexDumpVector(sig_hash_data);
108 }
109 return false;
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]110}
111
Tianjie Xu6cf830b2019-09-30 11:31:49 -0700[diff] [blame^]112bool PayloadVerifier::VerifyRawSignature(
113 const brillo::Blob& sig_data,
114 const brillo::Blob& sha256_hash_data,
115 brillo::Blob* decrypted_sig_data) const {
116 TEST_AND_RETURN_FALSE(public_key_ != nullptr);
117
118 int key_type = EVP_PKEY_id(public_key_.get());
119 TEST_AND_RETURN_FALSE(key_type == EVP_PKEY_RSA);
120 brillo::Blob sig_hash_data;
121 TEST_AND_RETURN_FALSE(
122 GetRawHashFromSignature(sig_data, public_key_.get(), &sig_hash_data));
123
124 if (decrypted_sig_data != nullptr) {
125 *decrypted_sig_data = sig_hash_data;
126 }
127
128 brillo::Blob padded_hash_data = sha256_hash_data;
129 TEST_AND_RETURN_FALSE(
130 PadRSASHA256Hash(&padded_hash_data, sig_hash_data.size()));
131
132 return padded_hash_data == sig_hash_data;
133}
134
135bool PayloadVerifier::GetRawHashFromSignature(
136 const brillo::Blob& sig_data,
137 const EVP_PKEY* public_key,
138 brillo::Blob* out_hash_data) const {
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]139 // The code below executes the equivalent of:
140 //
Tianjie Xu6cf830b2019-09-30 11:31:49 -0700[diff] [blame^]141 // openssl rsautl -verify -pubin -inkey <(echo pem_public_key)
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]142 // -in |sig_data| -out |out_hash_data|
Tianjie Xu6cf830b2019-09-30 11:31:49 -0700[diff] [blame^]143 RSA* rsa = EVP_PKEY_get0_RSA(public_key);
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]144
Alex Vakulenko88b591f2014-08-28 16:48:57 -0700[diff] [blame]145 TEST_AND_RETURN_FALSE(rsa != nullptr);
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]146 unsigned int keysize = RSA_size(rsa);
147 if (sig_data.size() > 2 * keysize) {
148 LOG(ERROR) << "Signature size is too big for public key size.";
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]149 return false;
150 }
151
152 // Decrypts the signature.
Alex Vakulenko3f39d5c2015-10-13 09:27:13 -0700[diff] [blame]153 brillo::Blob hash_data(keysize);
Amin Hassani008c4582019-01-13 16:22:47 -0800[diff] [blame]154 int decrypt_size = RSA_public_decrypt(
155 sig_data.size(), sig_data.data(), hash_data.data(), rsa, RSA_NO_PADDING);
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]156 TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
157 decrypt_size <= static_cast<int>(hash_data.size()));
158 hash_data.resize(decrypt_size);
159 out_hash_data->swap(hash_data);
160 return true;
161}
162
xunchangcda3c032019-03-26 15:41:14 -0700[diff] [blame]163bool PayloadVerifier::PadRSASHA256Hash(brillo::Blob* hash, size_t rsa_size) {
164 TEST_AND_RETURN_FALSE(hash->size() == kSHA256Size);
165 TEST_AND_RETURN_FALSE(rsa_size == 256 || rsa_size == 512);
166
167 // The following is a standard PKCS1-v1_5 padding for SHA256 signatures, as
168 // defined in RFC3447 section 9.2. It is prepended to the actual signature
169 // (32 bytes) to form a sequence of 256|512 bytes (2048|4096 bits) that is
170 // amenable to RSA signing. The padded hash will look as follows:
171 //
172 // 0x00 0x01 0xff ... 0xff 0x00 ASN1HEADER SHA256HASH
173 // |-----------205|461----------||----19----||----32----|
174 size_t padding_string_size =
175 rsa_size - hash->size() - sizeof(kSHA256DigestInfoPrefix) - 3;
176 brillo::Blob padded_result = brillo::CombineBlobs({
177 {0x00, 0x01},
178 brillo::Blob(padding_string_size, 0xff),
179 {0x00},
180 brillo::Blob(kSHA256DigestInfoPrefix,
181 kSHA256DigestInfoPrefix + sizeof(kSHA256DigestInfoPrefix)),
182 *hash,
183 });
184
185 *hash = std::move(padded_result);
186 TEST_AND_RETURN_FALSE(hash->size() == rsa_size);
Alex Deymo923d8fa2014-07-15 17:58:51 -0700[diff] [blame]187 return true;
188}
189
190} // namespace chromeos_update_engine