1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "hash_data_verifier.h"
17 #include "log/dump.h"
18 #include "openssl_util.h"
19 #include "package/pkg_manager.h"
20 #include "pkcs7_signed_data.h"
21 #include "rust/hash_signed_data.h"
22 #include "updater/updater_const.h"
23 #include "zip_pkg_parse.h"
24
25 namespace Hpackage {
26 using namespace Updater;
27 constexpr static std::size_t MAX_SIG_SIZE = 1024;
28 constexpr const char *UPDATER_HASH_SIGNED_DATA = "hash_signed_data";
29
HashDataVerifier(PkgManager::PkgManagerPtr manager)30 HashDataVerifier::HashDataVerifier(PkgManager::PkgManagerPtr manager)
31 : manager_(manager), pkcs7_(std::make_unique<Pkcs7SignedData>()) {}
32
~HashDataVerifier()33 HashDataVerifier::~HashDataVerifier()
34 {
35 ReleaseHashSignedData(hsd_);
36 }
37
LoadHashDataAndPkcs7(const std::string & pkgPath)38 bool HashDataVerifier::LoadHashDataAndPkcs7(const std::string &pkgPath)
39 {
40 Updater::UPDATER_INIT_RECORD;
41 // only allow loading once
42 if (hsd_ != nullptr) {
43 PKG_LOGW("hash signed data has been loaded before");
44 return true;
45 }
46 if (manager_ == nullptr) {
47 PKG_LOGE("pkg manager is null");
48 UPDATER_LAST_WORD(false);
49 return false;
50 }
51 // load pkcs7 from package
52 if (!LoadPkcs7FromPackage(pkgPath)) {
53 PKG_LOGE("load pkcs7 from %s failed", pkgPath.c_str());
54 UPDATER_LAST_WORD(PKG_INVALID_FILE, pkgPath);
55 return false;
56 }
57 if (!LoadHashDataFromPackage()) {
58 PKG_LOGE("load pkcs7 from %s failed", pkgPath.c_str());
59 UPDATER_LAST_WORD(PKG_INVALID_FILE, pkgPath);
60 return false;
61 }
62 return true;
63 }
64
LoadHashDataFromPackage(void)65 bool HashDataVerifier::LoadHashDataFromPackage(void)
66 {
67 Updater::UPDATER_INIT_RECORD;
68 PkgManager::StreamPtr outStream = nullptr;
69 auto info = manager_->GetFileInfo(UPDATER_HASH_SIGNED_DATA);
70 if (info == nullptr || info->unpackedSize == 0) {
71 PKG_LOGE("hash signed data not find in pkg manager");
72 UPDATER_LAST_WORD(false);
73 return false;
74 }
75 // 1 more byte bigger than unpacked size to ensure a ending '\0' in buffer
76 PkgBuffer buffer {info->unpackedSize + 1};
77 int32_t ret = manager_->CreatePkgStream(outStream, "", buffer);
78 if (ret != PKG_SUCCESS) {
79 PKG_LOGE("create stream fail");
80 UPDATER_LAST_WORD(false);
81 return false;
82 }
83 ret = manager_->ExtractFile(UPDATER_HASH_SIGNED_DATA, outStream);
84 if (ret != PKG_SUCCESS) {
85 manager_->ClosePkgStream(outStream);
86 PKG_LOGE("extract file failed");
87 UPDATER_LAST_WORD(false);
88 return false;
89 }
90 hsd_ = LoadHashSignedData(reinterpret_cast<const char *>(buffer.data.data()));
91 manager_->ClosePkgStream(outStream);
92 if (hsd_ == nullptr) {
93 PKG_LOGE("load hash signed data failed");
94 UPDATER_LAST_WORD(false);
95 return false;
96 }
97 return true;
98 }
99
LoadPkcs7FromPackage(const std::string & pkgPath)100 bool HashDataVerifier::LoadPkcs7FromPackage(const std::string &pkgPath)
101 {
102 PkgManager::StreamPtr pkgStream = nullptr;
103 int32_t ret = manager_->CreatePkgStream(pkgStream, pkgPath, 0, PkgStream::PkgStreamType_Read);
104 if (ret != PKG_SUCCESS) {
105 PKG_LOGE("CreatePackage fail %s", pkgPath.c_str());
106 UPDATER_LAST_WORD(PKG_INVALID_FILE, pkgPath);
107 UPDATER_LAST_WORD(false);
108 return false;
109 }
110
111 PkgVerifyUtil verifyUtil {};
112 size_t signatureSize = 0;
113 std::vector<uint8_t> signature {};
114 uint16_t commentTotalLenAll = 0;
115 ret = verifyUtil.GetSignature(PkgStreamImpl::ConvertPkgStream(pkgStream),
116 signatureSize, signature, commentTotalLenAll);
117 manager_->ClosePkgStream(pkgStream);
118 if (ret != PKG_SUCCESS) {
119 UPDATER_LAST_WORD(ret);
120 return false;
121 }
122 return pkcs7_ != nullptr && pkcs7_->ParsePkcs7Data(signature.data(), signature.size()) == 0;
123 }
124
VerifyHashData(const std::string & fileName,PkgManager::StreamPtr stream) const125 bool HashDataVerifier::VerifyHashData(const std::string &fileName, PkgManager::StreamPtr stream) const
126 {
127 Updater::UPDATER_INIT_RECORD;
128 if (stream == nullptr) {
129 PKG_LOGE("stream is null");
130 UPDATER_LAST_WORD(false);
131 return false;
132 }
133
134 // get hash from stream
135 std::vector<uint8_t> hash {};
136 int32_t ret = CalcSha256Digest(PkgStreamImpl::ConvertPkgStream(stream), stream->GetFileLength(), hash);
137 if (ret != 0) {
138 PKG_LOGE("cal digest for pkg stream");
139 UPDATER_LAST_WORD(false, fileName);
140 return false;
141 }
142
143 // get sig from hash data
144 std::string name = std::string("build_tools/") + fileName;
145 std::vector<uint8_t> sig(MAX_SIG_SIZE, 0);
146 auto sigLen = GetSigFromHashData(hsd_, sig.data(), sig.size(), name.c_str());
147 if (sigLen == 0 || sig.size() < sigLen) {
148 PKG_LOGE("get sig for %s failed", name.c_str());
149 UPDATER_LAST_WORD(PKG_INVALID_SIGNATURE, fileName, sigLen);
150 return false;
151 }
152 sig.resize(sigLen);
153
154 // then using cert from pkcs7 to verify hash data
155 if (pkcs7_ == nullptr || pkcs7_->Verify(hash, sig, false) != 0) {
156 PKG_LOGE("verify hash signed data for %s failed", fileName.c_str());
157 UPDATER_LAST_WORD(PKG_INVALID_SIGNATURE, fileName);
158 return false;
159 }
160 PKG_LOGI("verify hash signed data for %s successfully", fileName.c_str());
161 return true;
162 }
163 } // namespace Hpackage
164