1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "pkg_verify_util.h"
17 #include <unistd.h>
18 #include "dump.h"
19 #include "openssl_util.h"
20 #include "pkcs7_signed_data.h"
21 #include "pkg_utils.h"
22 #include "securec.h"
23 #include "zip_pkg_parse.h"
24
25 namespace Hpackage {
26 namespace {
27 constexpr uint32_t ZIP_EOCD_FIXED_PART_LEN = 22;
28 constexpr uint32_t PKG_FOOTER_SIZE = 6;
29 constexpr uint32_t PKG_HASH_CONTENT_LEN = SHA256_DIGEST_LENGTH;
30 }
31
VerifyPackageSign(const PkgStreamPtr pkgStream) const32 int32_t PkgVerifyUtil::VerifyPackageSign(const PkgStreamPtr pkgStream) const
33 {
34 if (pkgStream == nullptr) {
35 return PKG_INVALID_PARAM;
36 }
37 size_t signatureSize = 0;
38 std::vector<uint8_t> signature;
39 if (GetSignature(pkgStream, signatureSize, signature) != PKG_SUCCESS) {
40 PKG_LOGE("get package signature fail!");
41 return PKG_INVALID_SIGNATURE;
42 }
43 size_t fileLen = pkgStream->GetFileLength();
44 if (fileLen < (signatureSize + ZIP_EOCD_FIXED_PART_LEN)) {
45 PKG_LOGE("Invalid fileLen[%zu] and signature size[%zu]", fileLen, signatureSize);
46 UPDATER_LAST_WORD(PKG_INVALID_PARAM, fileLen, signatureSize);
47 return PKG_INVALID_PARAM;
48 }
49
50 std::vector<uint8_t> hash;
51 int32_t ret = Pkcs7verify(signature, hash);
52 if (ret != PKG_SUCCESS) {
53 PKG_LOGE("pkcs7 verify fail!");
54 return ret;
55 }
56 size_t srcDataLen = fileLen - signatureSize - ZIP_EOCD_FIXED_PART_LEN;
57
58 return HashCheck(pkgStream, srcDataLen, hash);
59 }
60
GetSignature(const PkgStreamPtr pkgStream,size_t & signatureSize,std::vector<uint8_t> & signature) const61 int32_t PkgVerifyUtil::GetSignature(const PkgStreamPtr pkgStream, size_t &signatureSize,
62 std::vector<uint8_t> &signature) const
63 {
64 size_t signatureStart = 0;
65 int32_t ret = ParsePackage(pkgStream, signatureStart, signatureSize);
66 if (ret != PKG_SUCCESS || signatureSize < PKG_FOOTER_SIZE) {
67 PKG_LOGE("Parse package failed.");
68 return -1;
69 }
70
71 size_t signDataLen = signatureSize - PKG_FOOTER_SIZE;
72 PkgBuffer signData(signDataLen);
73 size_t readLen = 0;
74 ret = pkgStream->Read(signData, signatureStart, signDataLen, readLen);
75 if (ret != PKG_SUCCESS) {
76 PKG_LOGE("read signature failed %s", pkgStream->GetFileName().c_str());
77 return ret;
78 }
79 signature.assign(signData.buffer, signData.buffer + readLen);
80
81 return PKG_SUCCESS;
82 }
83
ParsePackage(const PkgStreamPtr pkgStream,size_t & signatureStart,size_t & signatureSize) const84 int32_t PkgVerifyUtil::ParsePackage(const PkgStreamPtr pkgStream, size_t &signatureStart,
85 size_t &signatureSize) const
86 {
87 ZipPkgParse zipParse;
88 int32_t ret = zipParse.ParseZipPkg(pkgStream, signatureStart, signatureSize);
89 if (ret != PKG_SUCCESS) {
90 PKG_LOGE("Parse zip package signature failed.");
91 return ret;
92 }
93
94 return PKG_SUCCESS;
95 }
96
Pkcs7verify(std::vector<uint8_t> & signature,std::vector<uint8_t> & hash) const97 int32_t PkgVerifyUtil::Pkcs7verify(std::vector<uint8_t> &signature, std::vector<uint8_t> &hash) const
98 {
99 Pkcs7SignedData pkcs7;
100
101 return pkcs7.GetHashFromSignBlock(signature.data(), signature.size(), hash);
102 }
103
HashCheck(const PkgStreamPtr srcData,const size_t dataLen,const std::vector<uint8_t> & hash) const104 int32_t PkgVerifyUtil::HashCheck(const PkgStreamPtr srcData, const size_t dataLen,
105 const std::vector<uint8_t> &hash) const
106 {
107 if (srcData == nullptr || dataLen == 0) {
108 return PKG_INVALID_PARAM;
109 }
110
111 size_t digestLen = hash.size();
112 if (digestLen != PKG_HASH_CONTENT_LEN) {
113 PKG_LOGE("calc pkg sha256 digest failed.");
114 return PKG_INVALID_PARAM;
115 }
116 std::vector<uint8_t> sourceDigest(digestLen);
117 int32_t ret = CalcSha256Digest(srcData, dataLen, sourceDigest);
118 if (ret != PKG_SUCCESS) {
119 PKG_LOGE("calc pkg sha256 digest failed.");
120 return ret;
121 }
122
123 if (memcmp(hash.data(), sourceDigest.data(), digestLen) != EOK) {
124 PKG_LOGE("Failed to memcmp data.");
125 return PKG_INVALID_DIGEST;
126 }
127
128 return PKG_SUCCESS;
129 }
130 } // namespace Hpackage
131