• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //
2 // Copyright (C) 2014 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include "update_engine/payload_consumer/payload_verifier.h"
18 
19 #include <utility>
20 #include <vector>
21 
22 #include <base/logging.h>
23 #include <openssl/pem.h>
24 
25 #include "update_engine/common/constants.h"
26 #include "update_engine/common/hash_calculator.h"
27 #include "update_engine/common/utils.h"
28 #include "update_engine/update_metadata.pb.h"
29 
30 using std::string;
31 
32 namespace chromeos_update_engine {
33 
34 namespace {
35 
36 // The ASN.1 DigestInfo prefix for encoding SHA256 digest. The complete 51-byte
37 // DigestInfo consists of 19-byte SHA256_DIGEST_INFO_PREFIX and 32-byte SHA256
38 // digest.
39 //
40 // SEQUENCE(2+49) {
41 //   SEQUENCE(2+13) {
42 //     OBJECT(2+9) id-sha256
43 //     NULL(2+0)
44 //   }
45 //   OCTET STRING(2+32) <actual signature bytes...>
46 // }
47 const uint8_t kSHA256DigestInfoPrefix[] = {
48     0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
49     0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
50 };
51 
52 }  // namespace
53 
VerifySignature(const string & signature_proto,const string & pem_public_key,const brillo::Blob & sha256_hash_data)54 bool PayloadVerifier::VerifySignature(const string& signature_proto,
55                                       const string& pem_public_key,
56                                       const brillo::Blob& sha256_hash_data) {
57   Signatures signatures;
58   LOG(INFO) << "signature blob size = " << signature_proto.size();
59   TEST_AND_RETURN_FALSE(signatures.ParseFromString(signature_proto));
60 
61   if (!signatures.signatures_size()) {
62     LOG(ERROR) << "No signatures stored in the blob.";
63     return false;
64   }
65 
66   std::vector<brillo::Blob> tested_hashes;
67   // Tries every signature in the signature blob.
68   for (int i = 0; i < signatures.signatures_size(); i++) {
69     const Signatures::Signature& signature = signatures.signatures(i);
70     brillo::Blob sig_data(signature.data().begin(), signature.data().end());
71     brillo::Blob sig_hash_data;
72     if (!GetRawHashFromSignature(sig_data, pem_public_key, &sig_hash_data))
73       continue;
74 
75     brillo::Blob padded_hash_data = sha256_hash_data;
76     if (PadRSASHA256Hash(&padded_hash_data, sig_hash_data.size()) &&
77         padded_hash_data == sig_hash_data) {
78       LOG(INFO) << "Verified correct signature " << i + 1 << " out of "
79                 << signatures.signatures_size() << " signatures.";
80       return true;
81     }
82     tested_hashes.push_back(sig_hash_data);
83   }
84   LOG(ERROR) << "None of the " << signatures.signatures_size()
85              << " signatures is correct. Expected hash before padding:";
86   utils::HexDumpVector(sha256_hash_data);
87   LOG(ERROR) << "But found decrypted hashes:";
88   for (const auto& sig_hash_data : tested_hashes) {
89     utils::HexDumpVector(sig_hash_data);
90   }
91   return false;
92 }
93 
GetRawHashFromSignature(const brillo::Blob & sig_data,const string & pem_public_key,brillo::Blob * out_hash_data)94 bool PayloadVerifier::GetRawHashFromSignature(const brillo::Blob& sig_data,
95                                               const string& pem_public_key,
96                                               brillo::Blob* out_hash_data) {
97   // The code below executes the equivalent of:
98   //
99   // openssl rsautl -verify -pubin -inkey <(echo |pem_public_key|)
100   //   -in |sig_data| -out |out_hash_data|
101 
102   BIO* bp = BIO_new_mem_buf(pem_public_key.data(), pem_public_key.size());
103   char dummy_password[] = {' ', 0};  // Ensure no password is read from stdin.
104   RSA* rsa = PEM_read_bio_RSA_PUBKEY(bp, nullptr, nullptr, dummy_password);
105   BIO_free(bp);
106 
107   TEST_AND_RETURN_FALSE(rsa != nullptr);
108   unsigned int keysize = RSA_size(rsa);
109   if (sig_data.size() > 2 * keysize) {
110     LOG(ERROR) << "Signature size is too big for public key size.";
111     RSA_free(rsa);
112     return false;
113   }
114 
115   // Decrypts the signature.
116   brillo::Blob hash_data(keysize);
117   int decrypt_size = RSA_public_decrypt(
118       sig_data.size(), sig_data.data(), hash_data.data(), rsa, RSA_NO_PADDING);
119   RSA_free(rsa);
120   TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
121                         decrypt_size <= static_cast<int>(hash_data.size()));
122   hash_data.resize(decrypt_size);
123   out_hash_data->swap(hash_data);
124   return true;
125 }
126 
PadRSASHA256Hash(brillo::Blob * hash,size_t rsa_size)127 bool PayloadVerifier::PadRSASHA256Hash(brillo::Blob* hash, size_t rsa_size) {
128   TEST_AND_RETURN_FALSE(hash->size() == kSHA256Size);
129   TEST_AND_RETURN_FALSE(rsa_size == 256 || rsa_size == 512);
130 
131   // The following is a standard PKCS1-v1_5 padding for SHA256 signatures, as
132   // defined in RFC3447 section 9.2. It is prepended to the actual signature
133   // (32 bytes) to form a sequence of 256|512 bytes (2048|4096 bits) that is
134   // amenable to RSA signing. The padded hash will look as follows:
135   //
136   //    0x00 0x01 0xff ... 0xff 0x00  ASN1HEADER  SHA256HASH
137   //   |-----------205|461----------||----19----||----32----|
138   size_t padding_string_size =
139       rsa_size - hash->size() - sizeof(kSHA256DigestInfoPrefix) - 3;
140   brillo::Blob padded_result = brillo::CombineBlobs({
141       {0x00, 0x01},
142       brillo::Blob(padding_string_size, 0xff),
143       {0x00},
144       brillo::Blob(kSHA256DigestInfoPrefix,
145                    kSHA256DigestInfoPrefix + sizeof(kSHA256DigestInfoPrefix)),
146       *hash,
147   });
148 
149   *hash = std::move(padded_result);
150   TEST_AND_RETURN_FALSE(hash->size() == rsa_size);
151   return true;
152 }
153 
154 }  // namespace chromeos_update_engine
155