1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <android-base/file.h>
18 #include <android-base/properties.h>
19 #include <gtest/gtest.h>
20 #include <openssl/sha.h>
21 
22 #include "gsi_validation_utils.h"
23 
HexDigitToByte(char c)24 uint8_t HexDigitToByte(char c) {
25   if (c >= '0' && c <= '9') {
26     return c - '0';
27   }
28   if (c >= 'a' && c <= 'f') {
29     return c - 'a' + 10;
30   }
31   if (c >= 'A' && c <= 'Z') {
32     return c - 'A' + 10;
33   }
34   return 0xff;
35 }
36 
HexToBytes(const std::string & hex,std::vector<uint8_t> * bytes)37 bool HexToBytes(const std::string &hex, std::vector<uint8_t> *bytes) {
38   if (hex.size() % 2 != 0) {
39     return false;
40   }
41   bytes->resize(hex.size() / 2);
42   for (unsigned i = 0; i < bytes->size(); i++) {
43     uint8_t hi = HexDigitToByte(hex[i * 2]);
44     uint8_t lo = HexDigitToByte(hex[i * 2 + 1]);
45     if (lo > 0xf || hi > 0xf) {
46       return false;
47     }
48     bytes->at(i) = (hi << 4) | lo;
49   }
50   return true;
51 }
52 
CreateShaHasher(const std::string & algorithm)53 std::unique_ptr<ShaHasher> CreateShaHasher(const std::string &algorithm) {
54   if (algorithm == "sha1") {
55     return std::make_unique<ShaHasherImpl<SHA_CTX>>(
56         SHA1_Init, SHA1_Update, SHA1_Final, SHA_DIGEST_LENGTH);
57   }
58   if (algorithm == "sha256") {
59     return std::make_unique<ShaHasherImpl<SHA256_CTX>>(
60         SHA256_Init, SHA256_Update, SHA256_Final, SHA256_DIGEST_LENGTH);
61   }
62   if (algorithm == "sha512") {
63     return std::make_unique<ShaHasherImpl<SHA512_CTX>>(
64         SHA512_Init, SHA512_Update, SHA512_Final, SHA512_DIGEST_LENGTH);
65   }
66   return nullptr;
67 }
68 
ValidatePublicKeyBlob(const std::string & key_blob_to_validate)69 bool ValidatePublicKeyBlob(const std::string &key_blob_to_validate) {
70   if (key_blob_to_validate.empty()) {
71     GTEST_LOG_(ERROR) << "Failed to validate an empty key";
72     return false;
73   }
74 
75   const std::string exec_dir = android::base::GetExecutableDirectory();
76   std::vector<std::string> allowed_key_names = {
77       "q-gsi.avbpubkey", "r-gsi.avbpubkey",    "s-gsi.avbpubkey",
78       "t-gsi.avbpubkey", "qcar-gsi.avbpubkey",
79   };
80   for (const auto &key_name : allowed_key_names) {
81     const auto key_path = exec_dir + "/" + key_name;
82     std::string allowed_key_blob;
83     if (android::base::ReadFileToString(key_path, &allowed_key_blob)) {
84       if (key_blob_to_validate == allowed_key_blob) {
85         GTEST_LOG_(INFO) << "Found matching GSI key: " << key_path;
86         return true;
87       }
88     }
89   }
90   return false;
91 }
92 
93 const uint32_t kCurrentApiLevel = 10000;
94 
ReadApiLevelProps(const std::vector<std::string> & api_level_props)95 static uint32_t ReadApiLevelProps(
96     const std::vector<std::string> &api_level_props) {
97   uint32_t api_level = kCurrentApiLevel;
98   for (const auto &api_level_prop : api_level_props) {
99     api_level = android::base::GetUintProperty<uint32_t>(api_level_prop,
100                                                          kCurrentApiLevel);
101     if (api_level != kCurrentApiLevel) {
102       break;
103     }
104   }
105   return api_level;
106 }
107 
GetSdkLevel()108 uint32_t GetSdkLevel() {
109   uint32_t sdk_level = ReadApiLevelProps({"ro.build.version.sdk"});
110   if (sdk_level == kCurrentApiLevel) {
111     ADD_FAILURE() << "Failed to determine SDK level";
112     return 0;
113   }
114   return sdk_level;
115 }
116 
GetProductFirstApiLevel()117 uint32_t GetProductFirstApiLevel() {
118   uint32_t product_api_level =
119       ReadApiLevelProps({"ro.product.first_api_level", "ro.build.version.sdk"});
120   if (product_api_level == kCurrentApiLevel) {
121     ADD_FAILURE() << "Failed to determine product first API level";
122     return 0;
123   }
124   return product_api_level;
125 }
126 
GetVendorApiLevel()127 uint32_t GetVendorApiLevel() {
128   // "ro.vendor.api_level" is added in Android T.
129   uint32_t vendor_api_level = ReadApiLevelProps({"ro.vendor.api_level"});
130   if (vendor_api_level != kCurrentApiLevel) {
131     return vendor_api_level;
132   }
133   // For pre-T devices, determine the board API level by ourselves.
134   uint32_t product_api_level = GetProductFirstApiLevel();
135   uint32_t board_api_level =
136       ReadApiLevelProps({"ro.board.api_level", "ro.board.first_api_level"});
137   uint32_t api_level = std::min(board_api_level, product_api_level);
138   if (api_level == kCurrentApiLevel) {
139     ADD_FAILURE() << "Failed to determine vendor API level";
140     return 0;
141   }
142   return api_level;
143 }
144 
GetBoardApiLevel()145 std::optional<uint32_t> GetBoardApiLevel() {
146   uint32_t board_api_level =
147       ReadApiLevelProps({"ro.board.api_level", "ro.board.first_api_level"});
148   if (board_api_level == kCurrentApiLevel) {
149     return std::nullopt;
150   }
151   return board_api_level;
152 }
153 
IsReleasedAndroidVersion()154 bool IsReleasedAndroidVersion() {
155   return android::base::GetProperty("ro.build.version.codename", "") == "REL";
156 }
157