1 //
2 // Copyright (C) 2011 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "update_engine/payload_generator/payload_signer.h"
18
19 #include <endian.h>
20
21 #include <utility>
22
23 #include <base/logging.h>
24 #include <base/strings/string_number_conversions.h>
25 #include <base/strings/string_split.h>
26 #include <base/strings/string_util.h>
27 #include <brillo/data_encoding.h>
28 #include <openssl/err.h>
29 #include <openssl/pem.h>
30
31 #include "update_engine/common/constants.h"
32 #include "update_engine/common/hash_calculator.h"
33 #include "update_engine/common/subprocess.h"
34 #include "update_engine/common/utils.h"
35 #include "update_engine/payload_consumer/delta_performer.h"
36 #include "update_engine/payload_consumer/payload_constants.h"
37 #include "update_engine/payload_consumer/payload_metadata.h"
38 #include "update_engine/payload_consumer/payload_verifier.h"
39 #include "update_engine/payload_generator/delta_diff_generator.h"
40 #include "update_engine/payload_generator/payload_file.h"
41 #include "update_engine/update_metadata.pb.h"
42
43 using std::string;
44 using std::vector;
45
46 namespace chromeos_update_engine {
47
48 namespace {
49
50 // The payload verifier will check all the signatures included in the payload
51 // regardless of the version field. Old version of the verifier require the
52 // version field to be included and be 1.
53 const uint32_t kSignatureMessageLegacyVersion = 1;
54
55 // Given raw |signatures|, packs them into a protobuf and serializes it into a
56 // string. Returns true on success, false otherwise.
ConvertSignaturesToProtobuf(const vector<brillo::Blob> & signatures,string * out_serialized_signature)57 bool ConvertSignaturesToProtobuf(const vector<brillo::Blob>& signatures,
58 string* out_serialized_signature) {
59 // Pack it into a protobuf
60 Signatures out_message;
61 for (const brillo::Blob& signature : signatures) {
62 Signatures::Signature* sig_message = out_message.add_signatures();
63 // Set all the signatures with the same version number.
64 sig_message->set_version(kSignatureMessageLegacyVersion);
65 sig_message->set_data(signature.data(), signature.size());
66 }
67
68 // Serialize protobuf
69 TEST_AND_RETURN_FALSE(
70 out_message.SerializeToString(out_serialized_signature));
71 LOG(INFO) << "Signature blob size: " << out_serialized_signature->size();
72 return true;
73 }
74
75 // Given an unsigned payload under |payload_path| and the |payload_signature|
76 // and |metadata_signature| generates an updated payload that includes the
77 // signatures. It populates |out_metadata_size| with the size of the final
78 // manifest after adding the dummy signature operation, and
79 // |out_signatures_offset| with the expected offset for the new blob, and
80 // |out_metadata_signature_size| which will be size of |metadata_signature|
81 // if the payload major version supports metadata signature, 0 otherwise.
82 // Returns true on success, false otherwise.
AddSignatureBlobToPayload(const string & payload_path,const string & payload_signature,const string & metadata_signature,brillo::Blob * out_payload,uint64_t * out_metadata_size,uint32_t * out_metadata_signature_size,uint64_t * out_signatures_offset)83 bool AddSignatureBlobToPayload(const string& payload_path,
84 const string& payload_signature,
85 const string& metadata_signature,
86 brillo::Blob* out_payload,
87 uint64_t* out_metadata_size,
88 uint32_t* out_metadata_signature_size,
89 uint64_t* out_signatures_offset) {
90 uint64_t manifest_offset = 20;
91 const int kProtobufSizeOffset = 12;
92
93 brillo::Blob payload;
94 TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload));
95 PayloadMetadata payload_metadata;
96 TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload));
97 uint64_t metadata_size = payload_metadata.GetMetadataSize();
98 uint32_t metadata_signature_size =
99 payload_metadata.GetMetadataSignatureSize();
100 if (payload_metadata.GetMajorVersion() == kBrilloMajorPayloadVersion) {
101 // Write metadata signature size in header.
102 uint32_t metadata_signature_size_be = htobe32(metadata_signature.size());
103 memcpy(payload.data() + manifest_offset,
104 &metadata_signature_size_be,
105 sizeof(metadata_signature_size_be));
106 manifest_offset += sizeof(metadata_signature_size_be);
107 // Replace metadata signature.
108 payload.erase(payload.begin() + metadata_size,
109 payload.begin() + metadata_size + metadata_signature_size);
110 payload.insert(payload.begin() + metadata_size,
111 metadata_signature.begin(),
112 metadata_signature.end());
113 metadata_signature_size = metadata_signature.size();
114 LOG(INFO) << "Metadata signature size: " << metadata_signature_size;
115 }
116
117 DeltaArchiveManifest manifest;
118 TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest));
119
120 // Is there already a signature op in place?
121 if (manifest.has_signatures_size()) {
122 // The signature op is tied to the size of the signature blob, but not it's
123 // contents. We don't allow the manifest to change if there is already an op
124 // present, because that might invalidate previously generated
125 // hashes/signatures.
126 if (manifest.signatures_size() != payload_signature.size()) {
127 LOG(ERROR) << "Attempt to insert different signature sized blob. "
128 << "(current:" << manifest.signatures_size()
129 << "new:" << payload_signature.size() << ")";
130 return false;
131 }
132
133 LOG(INFO) << "Matching signature sizes already present.";
134 } else {
135 // Updates the manifest to include the signature operation.
136 PayloadSigner::AddSignatureToManifest(
137 payload.size() - metadata_size - metadata_signature_size,
138 payload_signature.size(),
139 payload_metadata.GetMajorVersion() == kChromeOSMajorPayloadVersion,
140 &manifest);
141
142 // Updates the payload to include the new manifest.
143 string serialized_manifest;
144 TEST_AND_RETURN_FALSE(manifest.AppendToString(&serialized_manifest));
145 LOG(INFO) << "Updated protobuf size: " << serialized_manifest.size();
146 payload.erase(payload.begin() + manifest_offset,
147 payload.begin() + metadata_size);
148 payload.insert(payload.begin() + manifest_offset,
149 serialized_manifest.begin(),
150 serialized_manifest.end());
151
152 // Updates the protobuf size.
153 uint64_t size_be = htobe64(serialized_manifest.size());
154 memcpy(&payload[kProtobufSizeOffset], &size_be, sizeof(size_be));
155 metadata_size = serialized_manifest.size() + manifest_offset;
156
157 LOG(INFO) << "Updated payload size: " << payload.size();
158 LOG(INFO) << "Updated metadata size: " << metadata_size;
159 }
160 uint64_t signatures_offset =
161 metadata_size + metadata_signature_size + manifest.signatures_offset();
162 LOG(INFO) << "Signature Blob Offset: " << signatures_offset;
163 payload.resize(signatures_offset);
164 payload.insert(payload.begin() + signatures_offset,
165 payload_signature.begin(),
166 payload_signature.end());
167
168 *out_payload = std::move(payload);
169 *out_metadata_size = metadata_size;
170 *out_metadata_signature_size = metadata_signature_size;
171 *out_signatures_offset = signatures_offset;
172 return true;
173 }
174
175 // Given a |payload| with correct signature op and metadata signature size in
176 // header and |metadata_size|, |metadata_signature_size|, |signatures_offset|,
177 // calculate hash for payload and metadata, save it to |out_hash_data| and
178 // |out_metadata_hash|.
CalculateHashFromPayload(const brillo::Blob & payload,const uint64_t metadata_size,const uint32_t metadata_signature_size,const uint64_t signatures_offset,brillo::Blob * out_hash_data,brillo::Blob * out_metadata_hash)179 bool CalculateHashFromPayload(const brillo::Blob& payload,
180 const uint64_t metadata_size,
181 const uint32_t metadata_signature_size,
182 const uint64_t signatures_offset,
183 brillo::Blob* out_hash_data,
184 brillo::Blob* out_metadata_hash) {
185 if (out_metadata_hash) {
186 // Calculates the hash on the manifest.
187 TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfBytes(
188 payload.data(), metadata_size, out_metadata_hash));
189 }
190 if (out_hash_data) {
191 // Calculates the hash on the updated payload. Note that we skip metadata
192 // signature and payload signature.
193 HashCalculator calc;
194 TEST_AND_RETURN_FALSE(calc.Update(payload.data(), metadata_size));
195 TEST_AND_RETURN_FALSE(signatures_offset >=
196 metadata_size + metadata_signature_size);
197 TEST_AND_RETURN_FALSE(calc.Update(
198 payload.data() + metadata_size + metadata_signature_size,
199 signatures_offset - metadata_size - metadata_signature_size));
200 TEST_AND_RETURN_FALSE(calc.Finalize());
201 *out_hash_data = calc.raw_hash();
202 }
203 return true;
204 }
205
206 } // namespace
207
AddSignatureToManifest(uint64_t signature_blob_offset,uint64_t signature_blob_length,bool add_dummy_op,DeltaArchiveManifest * manifest)208 void PayloadSigner::AddSignatureToManifest(uint64_t signature_blob_offset,
209 uint64_t signature_blob_length,
210 bool add_dummy_op,
211 DeltaArchiveManifest* manifest) {
212 LOG(INFO) << "Making room for signature in file";
213 manifest->set_signatures_offset(signature_blob_offset);
214 LOG(INFO) << "set? " << manifest->has_signatures_offset();
215 manifest->set_signatures_offset(signature_blob_offset);
216 manifest->set_signatures_size(signature_blob_length);
217 // Add a dummy op at the end to appease older clients
218 if (add_dummy_op) {
219 InstallOperation* dummy_op = manifest->add_kernel_install_operations();
220 dummy_op->set_type(InstallOperation::REPLACE);
221 dummy_op->set_data_offset(signature_blob_offset);
222 dummy_op->set_data_length(signature_blob_length);
223 Extent* dummy_extent = dummy_op->add_dst_extents();
224 // Tell the dummy op to write this data to a big sparse hole
225 dummy_extent->set_start_block(kSparseHole);
226 dummy_extent->set_num_blocks(
227 utils::DivRoundUp(signature_blob_length, kBlockSize));
228 }
229 }
230
VerifySignedPayload(const string & payload_path,const string & public_key_path)231 bool PayloadSigner::VerifySignedPayload(const string& payload_path,
232 const string& public_key_path) {
233 brillo::Blob payload;
234 TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload));
235 PayloadMetadata payload_metadata;
236 TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload));
237 DeltaArchiveManifest manifest;
238 TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest));
239 TEST_AND_RETURN_FALSE(manifest.has_signatures_offset() &&
240 manifest.has_signatures_size());
241 uint64_t metadata_size = payload_metadata.GetMetadataSize();
242 uint32_t metadata_signature_size =
243 payload_metadata.GetMetadataSignatureSize();
244 uint64_t signatures_offset =
245 metadata_size + metadata_signature_size + manifest.signatures_offset();
246 CHECK_EQ(payload.size(), signatures_offset + manifest.signatures_size());
247 brillo::Blob payload_hash, metadata_hash;
248 TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
249 metadata_size,
250 metadata_signature_size,
251 signatures_offset,
252 &payload_hash,
253 &metadata_hash));
254 string signature(payload.begin() + signatures_offset, payload.end());
255 string public_key;
256 TEST_AND_RETURN_FALSE(utils::ReadFile(public_key_path, &public_key));
257 TEST_AND_RETURN_FALSE(payload_hash.size() == kSHA256Size);
258 TEST_AND_RETURN_FALSE(
259 PayloadVerifier::VerifySignature(signature, public_key, payload_hash));
260 if (metadata_signature_size) {
261 signature.assign(payload.begin() + metadata_size,
262 payload.begin() + metadata_size + metadata_signature_size);
263 TEST_AND_RETURN_FALSE(metadata_hash.size() == kSHA256Size);
264 TEST_AND_RETURN_FALSE(
265 PayloadVerifier::VerifySignature(signature, public_key, metadata_hash));
266 }
267 return true;
268 }
269
SignHash(const brillo::Blob & hash,const string & private_key_path,brillo::Blob * out_signature)270 bool PayloadSigner::SignHash(const brillo::Blob& hash,
271 const string& private_key_path,
272 brillo::Blob* out_signature) {
273 LOG(INFO) << "Signing hash with private key: " << private_key_path;
274 // We expect unpadded SHA256 hash coming in
275 TEST_AND_RETURN_FALSE(hash.size() == kSHA256Size);
276 // The code below executes the equivalent of:
277 //
278 // openssl rsautl -raw -sign -inkey |private_key_path|
279 // -in |padded_hash| -out |out_signature|
280
281 FILE* fprikey = fopen(private_key_path.c_str(), "rb");
282 TEST_AND_RETURN_FALSE(fprikey != nullptr);
283 RSA* rsa = PEM_read_RSAPrivateKey(fprikey, nullptr, nullptr, nullptr);
284 fclose(fprikey);
285 TEST_AND_RETURN_FALSE(rsa != nullptr);
286
287 brillo::Blob padded_hash = hash;
288 PayloadVerifier::PadRSASHA256Hash(&padded_hash, RSA_size(rsa));
289
290 brillo::Blob signature(RSA_size(rsa));
291 ssize_t signature_size = RSA_private_encrypt(padded_hash.size(),
292 padded_hash.data(),
293 signature.data(),
294 rsa,
295 RSA_NO_PADDING);
296 RSA_free(rsa);
297 if (signature_size < 0) {
298 LOG(ERROR) << "Signing hash failed: "
299 << ERR_error_string(ERR_get_error(), nullptr);
300 return false;
301 }
302 TEST_AND_RETURN_FALSE(static_cast<size_t>(signature_size) ==
303 signature.size());
304 out_signature->swap(signature);
305 return true;
306 }
307
SignHashWithKeys(const brillo::Blob & hash_data,const vector<string> & private_key_paths,string * out_serialized_signature)308 bool PayloadSigner::SignHashWithKeys(const brillo::Blob& hash_data,
309 const vector<string>& private_key_paths,
310 string* out_serialized_signature) {
311 vector<brillo::Blob> signatures;
312 for (const string& path : private_key_paths) {
313 brillo::Blob signature;
314 TEST_AND_RETURN_FALSE(SignHash(hash_data, path, &signature));
315 signatures.push_back(signature);
316 }
317 TEST_AND_RETURN_FALSE(
318 ConvertSignaturesToProtobuf(signatures, out_serialized_signature));
319 return true;
320 }
321
SignPayload(const string & unsigned_payload_path,const vector<string> & private_key_paths,const uint64_t metadata_size,const uint32_t metadata_signature_size,const uint64_t signatures_offset,string * out_serialized_signature)322 bool PayloadSigner::SignPayload(const string& unsigned_payload_path,
323 const vector<string>& private_key_paths,
324 const uint64_t metadata_size,
325 const uint32_t metadata_signature_size,
326 const uint64_t signatures_offset,
327 string* out_serialized_signature) {
328 brillo::Blob payload;
329 TEST_AND_RETURN_FALSE(utils::ReadFile(unsigned_payload_path, &payload));
330 brillo::Blob hash_data;
331 TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
332 metadata_size,
333 metadata_signature_size,
334 signatures_offset,
335 &hash_data,
336 nullptr));
337 TEST_AND_RETURN_FALSE(
338 SignHashWithKeys(hash_data, private_key_paths, out_serialized_signature));
339 return true;
340 }
341
SignatureBlobLength(const vector<string> & private_key_paths,uint64_t * out_length)342 bool PayloadSigner::SignatureBlobLength(const vector<string>& private_key_paths,
343 uint64_t* out_length) {
344 DCHECK(out_length);
345 brillo::Blob hash_blob;
346 TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfData({'x'}, &hash_blob));
347 string sig_blob;
348 TEST_AND_RETURN_FALSE(
349 SignHashWithKeys(hash_blob, private_key_paths, &sig_blob));
350 *out_length = sig_blob.size();
351 return true;
352 }
353
HashPayloadForSigning(const string & payload_path,const vector<int> & signature_sizes,brillo::Blob * out_payload_hash_data,brillo::Blob * out_metadata_hash)354 bool PayloadSigner::HashPayloadForSigning(const string& payload_path,
355 const vector<int>& signature_sizes,
356 brillo::Blob* out_payload_hash_data,
357 brillo::Blob* out_metadata_hash) {
358 // Create a signature blob with signatures filled with 0.
359 // Will be used for both payload signature and metadata signature.
360 vector<brillo::Blob> signatures;
361 for (int signature_size : signature_sizes) {
362 signatures.emplace_back(signature_size, 0);
363 }
364 string signature;
365 TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf(signatures, &signature));
366
367 brillo::Blob payload;
368 uint64_t metadata_size, signatures_offset;
369 uint32_t metadata_signature_size;
370 // Prepare payload for hashing.
371 TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path,
372 signature,
373 signature,
374 &payload,
375 &metadata_size,
376 &metadata_signature_size,
377 &signatures_offset));
378 TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
379 metadata_size,
380 metadata_signature_size,
381 signatures_offset,
382 out_payload_hash_data,
383 out_metadata_hash));
384 return true;
385 }
386
AddSignatureToPayload(const string & payload_path,const vector<brillo::Blob> & payload_signatures,const vector<brillo::Blob> & metadata_signatures,const string & signed_payload_path,uint64_t * out_metadata_size)387 bool PayloadSigner::AddSignatureToPayload(
388 const string& payload_path,
389 const vector<brillo::Blob>& payload_signatures,
390 const vector<brillo::Blob>& metadata_signatures,
391 const string& signed_payload_path,
392 uint64_t* out_metadata_size) {
393 // TODO(petkov): Reduce memory usage -- the payload is manipulated in memory.
394
395 // Loads the payload and adds the signature op to it.
396 string payload_signature, metadata_signature;
397 TEST_AND_RETURN_FALSE(
398 ConvertSignaturesToProtobuf(payload_signatures, &payload_signature));
399 if (!metadata_signatures.empty()) {
400 TEST_AND_RETURN_FALSE(
401 ConvertSignaturesToProtobuf(metadata_signatures, &metadata_signature));
402 }
403 brillo::Blob payload;
404 uint64_t signatures_offset;
405 uint32_t metadata_signature_size;
406 TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path,
407 payload_signature,
408 metadata_signature,
409 &payload,
410 out_metadata_size,
411 &metadata_signature_size,
412 &signatures_offset));
413
414 LOG(INFO) << "Signed payload size: " << payload.size();
415 TEST_AND_RETURN_FALSE(utils::WriteFile(
416 signed_payload_path.c_str(), payload.data(), payload.size()));
417 return true;
418 }
419
GetMetadataSignature(const void * const metadata,size_t metadata_size,const string & private_key_path,string * out_signature)420 bool PayloadSigner::GetMetadataSignature(const void* const metadata,
421 size_t metadata_size,
422 const string& private_key_path,
423 string* out_signature) {
424 // Calculates the hash on the updated payload. Note that the payload includes
425 // the signature op but doesn't include the signature blob at the end.
426 brillo::Blob metadata_hash;
427 TEST_AND_RETURN_FALSE(
428 HashCalculator::RawHashOfBytes(metadata, metadata_size, &metadata_hash));
429
430 brillo::Blob signature;
431 TEST_AND_RETURN_FALSE(SignHash(metadata_hash, private_key_path, &signature));
432
433 *out_signature = brillo::data_encoding::Base64Encode(signature);
434 return true;
435 }
436
ExtractPayloadProperties(const string & payload_path,brillo::KeyValueStore * properties)437 bool PayloadSigner::ExtractPayloadProperties(
438 const string& payload_path, brillo::KeyValueStore* properties) {
439 brillo::Blob payload;
440 TEST_AND_RETURN_FALSE(
441 utils::ReadFileChunk(payload_path, 0, kMaxPayloadHeaderSize, &payload));
442
443 PayloadMetadata payload_metadata;
444 TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload));
445 uint64_t metadata_size = payload_metadata.GetMetadataSize();
446
447 uint64_t file_size = utils::FileSize(payload_path);
448 properties->SetString(kPayloadPropertyFileSize, std::to_string(file_size));
449 properties->SetString(kPayloadPropertyMetadataSize,
450 std::to_string(metadata_size));
451
452 brillo::Blob file_hash, metadata_hash;
453 TEST_AND_RETURN_FALSE(
454 HashCalculator::RawHashOfFile(payload_path, file_size, &file_hash) ==
455 static_cast<off_t>(file_size));
456
457 TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfFile(
458 payload_path, metadata_size, &metadata_hash) ==
459 static_cast<off_t>(metadata_size));
460
461 properties->SetString(kPayloadPropertyFileHash,
462 brillo::data_encoding::Base64Encode(file_hash));
463 properties->SetString(kPayloadPropertyMetadataHash,
464 brillo::data_encoding::Base64Encode(metadata_hash));
465 return true;
466 }
467
468 } // namespace chromeos_update_engine
469