# Copyright (c) 2013 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. import os import urlparse from autotest_lib.client.common_lib import error from autotest_lib.client.common_lib.cros import dev_server from autotest_lib.server import autotest, test def _split_url(url): """Splits a URL into the URL base and path.""" split_url = urlparse.urlsplit(url) url_base = urlparse.urlunsplit( (split_url.scheme, split_url.netloc, '', '', '')) url_path = split_url.path return url_base, url_path.lstrip('/') class autoupdate_CatchBadSignatures(test.test): """This is a test to verify that update_engine correctly checks signatures in the metadata hash and the update payload itself. This is achieved by feeding updates to update_engine where the private key used to make the signature, intentionally does not match with the public key used for verification. By its very nature, this test requires an image signed with a well-known key. Since payload-generation is a resource-intensive process, we prepare the image ahead of time. Also, since the image is never successfully applied, we can get away with not caring that the image is built for one board but used on another. If you ever need to replace the test image, follow these eight simple steps: 1. Build a test image: $ cd ~/trunk/src/scripts $ ./build_packages --board=${BOARD} $ ./build_image --board=${BOARD} --noenable_rootfs_verification test 2. Serve the image the DUT like this: $ cd ~/trunk/src/platform/dev $ ./devserver.py --test_image \ --private_key \ ../../aosp/system/update_engine/unittest_key.pem \ --private_key_for_metadata_hash_signature \ ../../aosp/system/update_engine/unittest_key.pem \ --public_key \ ../../aosp/system/update_engine/unittest_key2.pub.pem Note that unittest_key2.pub.pem can be generated via $ openssl rsa \ -in ../../aosp/system/update_engine/unittest_key2.pem -pubout \ -out ../../aosp/system/update_engine/unittest_key2.pub.pem 3. Update the DUT - the update should fail at the metadata verification stage. 4. From the update_engine logs (stored in /var/log/update_engine/) on the DUT, find the Omaha response sent to the DUT and update the following constants with values from the XML: _IMAGE_SHA256: set it to the 'sha256' _IMAGE_METADATA_SIZE: set it to the 'MetadataSize' _IMAGE_PUBLIC_KEY2: set it to the 'PublicKeyRsa' _IMAGE_METADATA_SIGNATURE_WITH_KEY1: set it to 'MetadataSignatureRsa' Also download the image payload (follow 'url' and 'codebase' tags for directory then 'package' for the file name and its size), upload it to Google Storage and update the _IMAGE_GS_URL and _IMAGE_SIZE constants with the resulting URL and the size. 5. Serve the image to the DUT again and note the slightly different parameters this time. Note that the image served is the same, however the Omaha response will be different. $ cd ~/trunk/src/platform/dev $ ./devserver.py --test_image \ --private_key \ ../../aosp/system/update_engine/unittest_key.pem \ --private_key_for_metadata_hash_signature \ ../../aosp/system/update_engine/unittest_key2.pem \ --public_key \ ../../aosp/system/update_engine/unittest_key2.pub.pem 6. Update the DUT - the update should fail at the payload verification stage. 7. Like in step 4., examine the update_engine logs and update the following constants: _IMAGE_METADATA_SIGNATURE_WITH_KEY2: set to 'MetadataSignatureRsa' 8. Now run the test and ensure that it passes $ cd ~/trunk/src/scripts $ test_that -b ${BOARD} --fast autoupdate_CatchBadSignatures """ version = 1 # The test image to use and the values associated with it. _IMAGE_GS_URL='gs://chromiumos-test-assets-public/autoupdate/autoupdate_CatchBadSignatures-payload-sentry-R54-8719.0.2016_08_18_2057-a1' _IMAGE_SIZE=405569018 _IMAGE_METADATA_SIZE=49292 _IMAGE_SHA256='PHjzsTdCRMvMM7s+8f7K8ZegKoFnAf1UNhG6qc7zjRU=' _IMAGE_PUBLIC_KEY1='LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF4NmhxUytIYmM3ak44MmVrK09CawpISk52bFdYa3R5UzJYQ3VRdEd0bkhqRVY3T3U1aEhORjk2czV3RW44UkR0cmRMb2NtMGErU3FYWGY3S3ljRlJUClp4TGREYnFXQU1VbFBYT2FQSStQWkxXa0I3L0tWN0NkajZ2UEdiZXE3ZWx1K2FUL2J1ZGh6VHZxMnN0WXJyQWwKY3IvMjF0T1ZEUGlXdGZDZHlraDdGQ1hpNkZhWUhvTnk1QTZFS1FMZkxCdUpvVS9Rb0N1ZmxkbXdsRmFGREtsKwpLb29zNlIxUVlKZkNOWmZnb2NyVzFQSWgrOHQxSkl2dzZJem84K2ZUbWU3bmV2N09sMllaaU1XSnBSWUt4OE1nCnhXMlVnVFhsUnBtUU41NnBjOUxVc25WQThGTkRCTjU3K2dNSmorWG1kRG1idE1wT3N5WGZTTkVnbnV3TVBjRWMKbXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==' _IMAGE_METADATA_SIGNATURE_WITH_KEY1='RH0QkJErsz9T6u5/0nNYKRjVPfH08+j/zdBU2BimU2jAa4zn7HElhIk4v7l92qtHJAdAfH8JzTCCUQcqxfBL0CLxoXClKbnFjb4DKKp5z4GHJ4Be7q5hq+OVFFTMs+WV6rVP+VPWfirKN3RQy2CaUnkcoaBsa9pgU3SfZYGK4EkgSY7Fwnjzeu1oCUb8v+VrY93Hia8vJgKRG1EBtK2a9qLy/2uZ9twHyKnykt5VeLXMUL7x2ChdY1IzJaPDfGMyneoUQ2k1Yr/ROuVaYWI08lZfM0W2Abj6uCCHNu/K2oPHevJs1yyy4lmRRr2aWDnZ93GA17Jb7XwJO4JgNUHQgQ==' _IMAGE_PUBLIC_KEY2='LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFxZE03Z25kNDNjV2ZRenlydDE2UQpESEUrVDB5eGcxOE9aTys5c2M4aldwakMxekZ0b01Gb2tFU2l1OVRMVXArS1VDMjc0ZitEeElnQWZTQ082VTVECkpGUlBYVXp2ZTF2YVhZZnFsalVCeGMrSlljR2RkNlBDVWw0QXA5ZjAyRGhrckduZi9ya0hPQ0VoRk5wbTUzZG8Kdlo5QTZRNUtCZmNnMUhlUTA4OG9wVmNlUUd0VW1MK2JPTnE1dEx2TkZMVVUwUnUwQW00QURKOFhtdzRycHZxdgptWEphRm1WdWYvR3g3K1RPbmFKdlpUZU9POUFKSzZxNlY4RTcrWlppTUljNUY0RU9zNUFYL2xaZk5PM1JWZ0cyCk83RGh6emErbk96SjNaSkdLNVI0V3daZHVobjlRUllvZ1lQQjBjNjI4NzhxWHBmMkJuM05wVVBpOENmL1JMTU0KbVFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==' _IMAGE_METADATA_SIGNATURE_WITH_KEY2='TWzj+aki+yS0nKCzy0/t+pTdHMh0N9ffjNbwIJhSx9bQ3813oYaF3vQsky29o0PuDWih1363uEHOoCjYrzxLnwuk1NK7/6Psb88kAYjc7gk1IgW/xuFTybxSL0bbOAN4p1QI6oRMPYrf5mZCE+VHhbSaMazK0AebFEg0fwvXkaoo/pQQWRWCH0u0GCqDBfGZlQATe/79inXda4mD19E9EvvMqm2ZStys7MMPCkkYyEsZWFmm6AFykiWtVMNyc6JWSTKh6ZKsme+l2Rr5orTubFbdwMuItcb6KySnsgOj5MAQ+HVFfjgJuEs4eRsP/Tfjn213v4bJVUSt6DwABg7/gw==' @staticmethod def _string_has_strings(haystack, needles): """Returns True iff all the strings in the list |needles| are present in the string |haystack|.""" for n in needles: if haystack.find(n) == -1: return False return True def _check_signature(self, metadata_signature, public_key, expected_log_messages, failure_message): """Helper function for updating with a Canned Omaha response.""" # Runs the update on the DUT and expect it to fail. client_host = autotest.Autotest(self._host) client_host.run_test( 'autoupdate_CannedOmahaUpdate', image_url=self._staged_payload_url, image_size=self._IMAGE_SIZE, image_sha256=self._IMAGE_SHA256, allow_failure=True, metadata_size=self._IMAGE_METADATA_SIZE, metadata_signature=metadata_signature, public_key=public_key) cmdresult = self._host.run('cat /var/log/update_engine.log') if not self._string_has_strings(cmdresult.stdout, expected_log_messages): raise error.TestFail(failure_message) def _check_bad_metadata_signature(self): """Checks that update_engine rejects updates where the payload and Omaha response do not agree on the metadata signature.""" expected_log_messages = [ 'Mandating payload hash checks since Omaha Response for ' 'unofficial build includes public RSA key', 'Mandatory metadata signature validation failed'] self._check_signature( metadata_signature=self._IMAGE_METADATA_SIGNATURE_WITH_KEY1, public_key=self._IMAGE_PUBLIC_KEY2, expected_log_messages=expected_log_messages, failure_message='Check for bad metadata signature failed.') def _check_bad_payload_signature(self): """Checks that update_engine rejects updates where the payload signature does not match what is expected.""" expected_log_messages = [ 'Mandating payload hash checks since Omaha Response for ' 'unofficial build includes public RSA key', 'Metadata hash signature matches value in Omaha response.', 'Public key verification failed, thus update failed'] self._check_signature( metadata_signature=self._IMAGE_METADATA_SIGNATURE_WITH_KEY2, public_key=self._IMAGE_PUBLIC_KEY2, expected_log_messages=expected_log_messages, failure_message='Check for payload signature failed.') def _stage_image(self, image_url): """Requests an image server from the lab to stage the image specified by |image_url| (typically a Google Storage URL). Returns the URL to the staged image.""" # We don't have a build so just fake the string. build = 'x86-fake-release/R42-4242.0.0-a1-bFAKE' image_server = dev_server.ImageServer.resolve(build, self._host.hostname) archive_url = os.path.dirname(image_url) filename = os.path.basename(image_url) # ImageServer expects an image parameter, but we don't have one. image_server.stage_artifacts(image='fake_image', files=[filename], archive_url=archive_url) # ImageServer has no way to give us the URL of the staged file... base, name = _split_url(image_url) staged_url = '%s/static/%s' % (image_server.url(), name) return staged_url def cleanup(self): if self._host: self._host.reboot() def run_once(self, host): """Runs the test on the DUT represented by |host|.""" self._host = host # First, stage the image. self._staged_payload_url = self._stage_image(self._IMAGE_GS_URL) # Then run the tests. self._check_bad_metadata_signature() self._check_bad_payload_signature()