1 // 2 // Copyright (C) 2010 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef UPDATE_ENGINE_PAYLOAD_GENERATOR_PAYLOAD_SIGNER_H_ 18 #define UPDATE_ENGINE_PAYLOAD_GENERATOR_PAYLOAD_SIGNER_H_ 19 20 #include <string> 21 #include <vector> 22 23 #include <base/macros.h> 24 #include <brillo/key_value_store.h> 25 #include <brillo/secure_blob.h> 26 27 #include "update_engine/update_metadata.pb.h" 28 29 // This class encapsulates methods used for payload signing. 30 // See update_metadata.proto for more info. 31 32 namespace chromeos_update_engine { 33 34 class PayloadSigner { 35 public: 36 // Returns true if the payload in |payload_path| is signed and its hash can be 37 // verified using the public key in |public_key_path| with the signature 38 // of a given version in the signature blob. Returns false otherwise. 39 static bool VerifySignedPayload(const std::string& payload_path, 40 const std::string& public_key_path); 41 42 // Adds specified signature offset/length to given |manifest|, also adds a 43 // dummy operation that points to a signature blob located at the specified 44 // offset/length if |add_dummy_op| is true. 45 static void AddSignatureToManifest(uint64_t signature_blob_offset, 46 uint64_t signature_blob_length, 47 bool add_dummy_op, 48 DeltaArchiveManifest* manifest); 49 50 // Given a raw |hash| and a private key in |private_key_path| calculates the 51 // raw signature in |out_signature|. Returns true on success, false otherwise. 52 static bool SignHash(const brillo::Blob& hash, 53 const std::string& private_key_path, 54 brillo::Blob* out_signature); 55 56 // Sign |hash_data| blob with all private keys in |private_key_paths|, then 57 // convert the signatures to serialized protobuf. 58 static bool SignHashWithKeys( 59 const brillo::Blob& hash_data, 60 const std::vector<std::string>& private_key_paths, 61 std::string* out_serialized_signature); 62 63 // Given an unsigned payload in |unsigned_payload_path|, private keys in 64 // |private_key_path|, metadata size in |metadata_size|, metadata signature 65 // size in |metadata_signature_size| and signatures offset in 66 // |signatures_offset|, calculates the payload signature blob into 67 // |out_serialized_signature|. Note that the payload must already have an 68 // updated manifest that includes the dummy signature op and correct metadata 69 // signature size in header. Returns true on success, false otherwise. 70 static bool SignPayload(const std::string& unsigned_payload_path, 71 const std::vector<std::string>& private_key_paths, 72 const uint64_t metadata_size, 73 const uint32_t metadata_signature_size, 74 const uint64_t signatures_offset, 75 std::string* out_serialized_signature); 76 77 // Returns the length of out_serialized_signature that will result in a call 78 // to SignPayload with the given private keys. Returns true on success. 79 static bool SignatureBlobLength( 80 const std::vector<std::string>& private_key_paths, uint64_t* out_length); 81 82 // Given an unsigned payload in |payload_path|, 83 // this method does two things: 84 // 1. It loads the payload into memory, and inserts placeholder signature 85 // operations and placeholder metadata signature to make the header and 86 // the manifest match what the final signed payload will look like based 87 // on |signatures_sizes|, if needed. 88 // 2. It calculates the raw SHA256 hash of the payload and the metadata in 89 // |payload_path| (except signatures) and returns the result in 90 // |out_hash_data| and |out_metadata_hash| respectively. 91 // 92 // The changes to payload are not preserved or written to disk. 93 static bool HashPayloadForSigning(const std::string& payload_path, 94 const std::vector<int>& signature_sizes, 95 brillo::Blob* out_payload_hash_data, 96 brillo::Blob* out_metadata_hash); 97 98 // Given an unsigned payload in |payload_path| (with no dummy signature op) 99 // and the raw |payload_signatures| and |metadata_signatures| updates the 100 // payload to include the signature thus turning it into a signed payload. The 101 // new payload is stored in |signed_payload_path|. |payload_path| and 102 // |signed_payload_path| can point to the same file. Populates 103 // |out_metadata_size| with the size of the metadata after adding the 104 // signature operation in the manifest. Returns true on success, false 105 // otherwise. 106 static bool AddSignatureToPayload( 107 const std::string& payload_path, 108 const std::vector<brillo::Blob>& payload_signatures, 109 const std::vector<brillo::Blob>& metadata_signatures, 110 const std::string& signed_payload_path, 111 uint64_t* out_metadata_size); 112 113 // Computes the SHA256 hash of the first metadata_size bytes of |metadata| 114 // and signs the hash with the given private_key_path and writes the signed 115 // hash in |out_signature|. Returns true if successful or false if there was 116 // any error in the computations. 117 static bool GetMetadataSignature(const void* const metadata, 118 size_t metadata_size, 119 const std::string& private_key_path, 120 std::string* out_signature); 121 122 static bool ExtractPayloadProperties(const std::string& payload_path, 123 brillo::KeyValueStore* properties); 124 125 private: 126 // This should never be constructed 127 DISALLOW_IMPLICIT_CONSTRUCTORS(PayloadSigner); 128 }; 129 130 } // namespace chromeos_update_engine 131 132 #endif // UPDATE_ENGINE_PAYLOAD_GENERATOR_PAYLOAD_SIGNER_H_ 133