// SPDX-License-Identifier: GPL-2.0+ /* * Signature support for 'fsverity setup' * * Copyright (C) 2018 Google LLC * * Written by Eric Biggers. */ #include #include #include #include #include #include #include #include #include "fsverity_uapi.h" #include "fsveritysetup.h" #include "hash_algs.h" static void __printf(1, 2) __cold error_msg_openssl(const char *format, ...) { va_list va; va_start(va, format); do_error_msg(format, va, 0); va_end(va); if (ERR_peek_error() == 0) return; fprintf(stderr, "OpenSSL library errors:\n"); ERR_print_errors_fp(stderr); } /* Read a PEM PKCS#8 formatted private key */ static EVP_PKEY *read_private_key(const char *keyfile) { BIO *bio; EVP_PKEY *pkey; bio = BIO_new_file(keyfile, "r"); if (!bio) { error_msg_openssl("can't open '%s' for reading", keyfile); return NULL; } pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); if (!pkey) { error_msg_openssl("Failed to parse private key file '%s'.\n" " Note: it must be in PEM PKCS#8 format.", keyfile); } BIO_free(bio); return pkey; } /* Read a PEM X.509 formatted certificate */ static X509 *read_certificate(const char *certfile) { BIO *bio; X509 *cert; bio = BIO_new_file(certfile, "r"); if (!bio) { error_msg_openssl("can't open '%s' for reading", certfile); return NULL; } cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); if (!cert) { error_msg_openssl("Failed to parse X.509 certificate file '%s'.\n" " Note: it must be in PEM format.", certfile); } BIO_free(bio); return cert; } /* * Check that the given data is a valid 'struct fsverity_digest_disk' that * matches the given @expected_digest and @hash_alg. * * Return: NULL if the digests match, else a string describing the difference. */ static const char * compare_fsverity_digest(const void *data, size_t size, const u8 *expected_digest, const struct fsverity_hash_alg *hash_alg) { const struct fsverity_digest_disk *d = data; if (size != sizeof(*d) + hash_alg->digest_size) return "unexpected length"; if (le16_to_cpu(d->digest_algorithm) != hash_alg - fsverity_hash_algs) return "unexpected hash algorithm"; if (le16_to_cpu(d->digest_size) != hash_alg->digest_size) return "wrong digest size for hash algorithm"; if (memcmp(expected_digest, d->digest, hash_alg->digest_size)) return "wrong digest"; return NULL; } #ifdef OPENSSL_IS_BORINGSSL static bool sign_pkcs7(const void *data_to_sign, size_t data_size, EVP_PKEY *pkey, X509 *cert, const EVP_MD *md, void **sig_ret, int *sig_size_ret) { CBB out, outer_seq, wrapped_seq, seq, digest_algos_set, digest_algo, null, content_info, issuer_and_serial, signed_data, wrapped_signed_data, signer_infos, signer_info, sign_algo, signature; EVP_MD_CTX md_ctx; u8 *name_der = NULL, *sig = NULL, *pkcs7_data = NULL; size_t pkcs7_data_len, sig_len; int name_der_len, sig_nid; bool ok = false; EVP_MD_CTX_init(&md_ctx); BIGNUM *serial = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL); if (!CBB_init(&out, 1024)) { error_msg("out of memory"); goto out; } name_der_len = i2d_X509_NAME(X509_get_subject_name(cert), &name_der); if (name_der_len < 0) { error_msg_openssl("i2d_X509_NAME failed"); goto out; } if (!EVP_DigestSignInit(&md_ctx, NULL, md, NULL, pkey)) { error_msg_openssl("EVP_DigestSignInit failed"); goto out; } sig_len = EVP_PKEY_size(pkey); sig = xmalloc(sig_len); if (!EVP_DigestSign(&md_ctx, sig, &sig_len, data_to_sign, data_size)) { error_msg_openssl("EVP_DigestSign failed"); goto out; } sig_nid = EVP_PKEY_id(pkey); /* To mirror OpenSSL behaviour, always use |NID_rsaEncryption| with RSA * rather than the combined hash+pkey NID. */ if (sig_nid != NID_rsaEncryption) { OBJ_find_sigid_by_algs(&sig_nid, EVP_MD_type(md), EVP_PKEY_id(pkey)); } // See https://tools.ietf.org/html/rfc2315#section-7 if (!CBB_add_asn1(&out, &outer_seq, CBS_ASN1_SEQUENCE) || !OBJ_nid2cbb(&outer_seq, NID_pkcs7_signed) || !CBB_add_asn1(&outer_seq, &wrapped_seq, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || // See https://tools.ietf.org/html/rfc2315#section-9.1 !CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&seq, 1 /* version */) || !CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) || !CBB_add_asn1(&digest_algos_set, &digest_algo, CBS_ASN1_SEQUENCE) || !OBJ_nid2cbb(&digest_algo, EVP_MD_type(md)) || !CBB_add_asn1(&digest_algo, &null, CBS_ASN1_NULL) || !CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) || !OBJ_nid2cbb(&content_info, NID_pkcs7_data) || !CBB_add_asn1( &content_info, &signed_data, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || !CBB_add_asn1(&signed_data, &wrapped_signed_data, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&wrapped_signed_data, (const u8 *)data_to_sign, data_size) || !CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET) || !CBB_add_asn1(&signer_infos, &signer_info, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&signer_info, 1 /* version */) || !CBB_add_asn1(&signer_info, &issuer_and_serial, CBS_ASN1_SEQUENCE) || !CBB_add_bytes(&issuer_and_serial, name_der, name_der_len) || !BN_marshal_asn1(&issuer_and_serial, serial) || !CBB_add_asn1(&signer_info, &digest_algo, CBS_ASN1_SEQUENCE) || !OBJ_nid2cbb(&digest_algo, EVP_MD_type(md)) || !CBB_add_asn1(&digest_algo, &null, CBS_ASN1_NULL) || !CBB_add_asn1(&signer_info, &sign_algo, CBS_ASN1_SEQUENCE) || !OBJ_nid2cbb(&sign_algo, sig_nid) || !CBB_add_asn1(&sign_algo, &null, CBS_ASN1_NULL) || !CBB_add_asn1(&signer_info, &signature, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&signature, sig, sig_len) || !CBB_finish(&out, &pkcs7_data, &pkcs7_data_len)) { error_msg_openssl("failed to construct PKCS#7 data"); goto out; } *sig_ret = xmemdup(pkcs7_data, pkcs7_data_len); *sig_size_ret = pkcs7_data_len; ok = true; out: BN_free(serial); EVP_MD_CTX_cleanup(&md_ctx); CBB_cleanup(&out); free(sig); OPENSSL_free(name_der); OPENSSL_free(pkcs7_data); return ok; } static const char * compare_fsverity_digest_pkcs7(const void *sig, size_t sig_len, const u8 *expected_measurement, const struct fsverity_hash_alg *hash_alg) { CBS in, content_info, content_type, wrapped_signed_data, signed_data, content, wrapped_data, data; u64 version; CBS_init(&in, sig, sig_len); if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT) || (OBJ_cbs2nid(&content_type) != NID_pkcs7_signed) || !CBS_get_asn1( &content_info, &wrapped_signed_data, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) || !CBS_get_asn1_uint64(&signed_data, &version) || (version < 1) || !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) || !CBS_get_asn1(&signed_data, &content, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&content, &content_type, CBS_ASN1_OBJECT) || (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) || !CBS_get_asn1(&content, &wrapped_data, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || !CBS_get_asn1(&wrapped_data, &data, CBS_ASN1_OCTETSTRING)) { return "invalid PKCS#7 data"; } return compare_fsverity_digest(CBS_data(&data), CBS_len(&data), expected_measurement, hash_alg); } #else /* OPENSSL_IS_BORINGSSL */ static BIO *new_mem_buf(const void *buf, size_t size) { BIO *bio; ASSERT(size <= INT_MAX); /* * Prior to OpenSSL 1.1.0, BIO_new_mem_buf() took a non-const pointer, * despite still marking the resulting bio as read-only. So cast away * the const to avoid a compiler warning with older OpenSSL versions. */ bio = BIO_new_mem_buf((void *)buf, size); if (!bio) error_msg_openssl("out of memory"); return bio; } static bool sign_pkcs7(const void *data_to_sign, size_t data_size, EVP_PKEY *pkey, X509 *cert, const EVP_MD *md, void **sig_ret, int *sig_size_ret) { /* * PKCS#7 signing flags: * * - PKCS7_BINARY signing binary data, so skip MIME translation * * - PKCS7_NOATTR omit extra authenticated attributes, such as * SMIMECapabilities * * - PKCS7_NOCERTS omit the signer's certificate * * - PKCS7_PARTIAL PKCS7_sign() creates a handle only, then * PKCS7_sign_add_signer() can add a signer later. * This is necessary to change the message digest * algorithm from the default of SHA-1. Requires * OpenSSL 1.0.0 or later. */ int pkcs7_flags = PKCS7_BINARY | PKCS7_NOATTR | PKCS7_NOCERTS | PKCS7_PARTIAL; void *sig; int sig_size; BIO *bio = NULL; PKCS7 *p7 = NULL; bool ok = false; bio = new_mem_buf(data_to_sign, data_size); if (!bio) goto out; p7 = PKCS7_sign(NULL, NULL, NULL, bio, pkcs7_flags); if (!p7) { error_msg_openssl("failed to initialize PKCS#7 signature object"); goto out; } if (!PKCS7_sign_add_signer(p7, cert, pkey, md, pkcs7_flags)) { error_msg_openssl("failed to add signer to PKCS#7 signature object"); goto out; } if (PKCS7_final(p7, bio, pkcs7_flags) != 1) { error_msg_openssl("failed to finalize PKCS#7 signature"); goto out; } BIO_free(bio); bio = BIO_new(BIO_s_mem()); if (!bio) { error_msg_openssl("out of memory"); goto out; } if (i2d_PKCS7_bio(bio, p7) != 1) { error_msg_openssl("failed to DER-encode PKCS#7 signature object"); goto out; } sig_size = BIO_get_mem_data(bio, &sig); *sig_ret = xmemdup(sig, sig_size); *sig_size_ret = sig_size; ok = true; out: PKCS7_free(p7); BIO_free(bio); return ok; } static const char * compare_fsverity_digest_pkcs7(const void *sig, size_t sig_len, const u8 *expected_measurement, const struct fsverity_hash_alg *hash_alg) { BIO *bio = NULL; PKCS7 *p7 = NULL; const char *reason = NULL; bio = new_mem_buf(sig, sig_len); if (!bio) return "out of memory"; p7 = d2i_PKCS7_bio(bio, NULL); if (!p7) { reason = "failed to decode PKCS#7 signature"; goto out; } if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed || OBJ_obj2nid(p7->d.sign->contents->type) != NID_pkcs7_data) { reason = "unexpected PKCS#7 content type"; } else { const ASN1_OCTET_STRING *o = p7->d.sign->contents->d.data; reason = compare_fsverity_digest(o->data, o->length, expected_measurement, hash_alg); } out: BIO_free(bio); PKCS7_free(p7); return reason; } #endif /* !OPENSSL_IS_BORINGSSL */ /* * Sign the specified @data_to_sign of length @data_size bytes using the private * key in @keyfile, the certificate in @certfile, and the hash algorithm * @hash_alg. Returns the DER-formatted PKCS#7 signature, with the signed data * included (not detached), in @sig_ret and @sig_size_ret. */ static bool sign_data(const void *data_to_sign, size_t data_size, const char *keyfile, const char *certfile, const struct fsverity_hash_alg *hash_alg, void **sig_ret, int *sig_size_ret) { EVP_PKEY *pkey = NULL; X509 *cert = NULL; const EVP_MD *md; bool ok = false; pkey = read_private_key(keyfile); if (!pkey) goto out; cert = read_certificate(certfile); if (!cert) goto out; OpenSSL_add_all_digests(); ASSERT(hash_alg->cryptographic); md = EVP_get_digestbyname(hash_alg->name); if (!md) { fprintf(stderr, "Warning: '%s' algorithm not found in OpenSSL library.\n" " Falling back to SHA-256 signature.\n", hash_alg->name); md = EVP_sha256(); } ok = sign_pkcs7(data_to_sign, data_size, pkey, cert, md, sig_ret, sig_size_ret); out: EVP_PKEY_free(pkey); X509_free(cert); return ok; } /* * Read a file measurement signature in PKCS#7 DER format from @signature_file, * validate that the signed data matches the expected measurement, then return * the PKCS#7 DER message in @sig_ret and @sig_size_ret. */ static bool read_signature(const char *signature_file, const u8 *expected_measurement, const struct fsverity_hash_alg *hash_alg, void **sig_ret, int *sig_size_ret) { struct filedes file = { .fd = -1 }; u64 filesize; void *sig = NULL; bool ok = false; const char *reason; if (!open_file(&file, signature_file, O_RDONLY, 0)) goto out; if (!get_file_size(&file, &filesize)) goto out; if (filesize <= 0) { error_msg("signature file '%s' is empty", signature_file); goto out; } if (filesize > 1000000) { error_msg("signature file '%s' is too large", signature_file); goto out; } sig = xmalloc(filesize); if (!full_read(&file, sig, filesize)) goto out; reason = compare_fsverity_digest_pkcs7(sig, filesize, expected_measurement, hash_alg); if (reason) { error_msg("signed file measurement from '%s' is invalid (%s)", signature_file, reason); goto out; } printf("Using existing signed file measurement from '%s'\n", signature_file); *sig_ret = sig; *sig_size_ret = filesize; sig = NULL; ok = true; out: filedes_close(&file); free(sig); return ok; } static bool write_signature(const char *signature_file, const void *sig, int sig_size) { struct filedes file; bool ok; if (!open_file(&file, signature_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) return false; ok = full_write(&file, sig, sig_size); ok &= filedes_close(&file); if (ok) printf("Wrote signed file measurement to '%s'\n", signature_file); return ok; } /* * Append the signed file measurement to the output file as a PKCS7_SIGNATURE * extension item. * * Return: exit status code (0 on success, nonzero on failure) */ int append_signed_measurement(struct filedes *out, const struct fsveritysetup_params *params, const u8 *measurement) { struct fsverity_digest_disk *data_to_sign = NULL; void *sig = NULL; void *extbuf = NULL; void *tmp; int sig_size; int status; if (params->signing_key_file) { size_t data_size = sizeof(*data_to_sign) + params->hash_alg->digest_size; /* Sign the file measurement using the given key */ data_to_sign = xzalloc(data_size); data_to_sign->digest_algorithm = cpu_to_le16(params->hash_alg - fsverity_hash_algs); data_to_sign->digest_size = cpu_to_le16(params->hash_alg->digest_size); memcpy(data_to_sign->digest, measurement, params->hash_alg->digest_size); ASSERT(compare_fsverity_digest(data_to_sign, data_size, measurement, params->hash_alg) == NULL); if (!sign_data(data_to_sign, data_size, params->signing_key_file, params->signing_cert_file ?: params->signing_key_file, params->hash_alg, &sig, &sig_size)) goto out_err; if (params->signature_file && !write_signature(params->signature_file, sig, sig_size)) goto out_err; } else { /* Using a signature that was already created */ if (!read_signature(params->signature_file, measurement, params->hash_alg, &sig, &sig_size)) goto out_err; } tmp = extbuf = xzalloc(FSVERITY_EXTLEN(sig_size)); fsverity_append_extension(&tmp, FS_VERITY_EXT_PKCS7_SIGNATURE, sig, sig_size); ASSERT(tmp == extbuf + FSVERITY_EXTLEN(sig_size)); if (!full_write(out, extbuf, FSVERITY_EXTLEN(sig_size))) goto out_err; status = 0; out: free(data_to_sign); free(sig); free(extbuf); return status; out_err: status = 1; goto out; }