1*5a923131SAndroid Build Coastguard Worker //
2*5a923131SAndroid Build Coastguard Worker // Copyright (C) 2014 The Android Open Source Project
3*5a923131SAndroid Build Coastguard Worker //
4*5a923131SAndroid Build Coastguard Worker // Licensed under the Apache License, Version 2.0 (the "License");
5*5a923131SAndroid Build Coastguard Worker // you may not use this file except in compliance with the License.
6*5a923131SAndroid Build Coastguard Worker // You may obtain a copy of the License at
7*5a923131SAndroid Build Coastguard Worker //
8*5a923131SAndroid Build Coastguard Worker // http://www.apache.org/licenses/LICENSE-2.0
9*5a923131SAndroid Build Coastguard Worker //
10*5a923131SAndroid Build Coastguard Worker // Unless required by applicable law or agreed to in writing, software
11*5a923131SAndroid Build Coastguard Worker // distributed under the License is distributed on an "AS IS" BASIS,
12*5a923131SAndroid Build Coastguard Worker // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*5a923131SAndroid Build Coastguard Worker // See the License for the specific language governing permissions and
14*5a923131SAndroid Build Coastguard Worker // limitations under the License.
15*5a923131SAndroid Build Coastguard Worker //
16*5a923131SAndroid Build Coastguard Worker
17*5a923131SAndroid Build Coastguard Worker #include "update_engine/payload_consumer/payload_verifier.h"
18*5a923131SAndroid Build Coastguard Worker
19*5a923131SAndroid Build Coastguard Worker #include <utility>
20*5a923131SAndroid Build Coastguard Worker #include <vector>
21*5a923131SAndroid Build Coastguard Worker
22*5a923131SAndroid Build Coastguard Worker #include <base/logging.h>
23*5a923131SAndroid Build Coastguard Worker #include <openssl/pem.h>
24*5a923131SAndroid Build Coastguard Worker
25*5a923131SAndroid Build Coastguard Worker #include "update_engine/common/constants.h"
26*5a923131SAndroid Build Coastguard Worker #include "update_engine/common/utils.h"
27*5a923131SAndroid Build Coastguard Worker #include "update_engine/payload_consumer/certificate_parser_interface.h"
28*5a923131SAndroid Build Coastguard Worker #include "update_engine/update_metadata.pb.h"
29*5a923131SAndroid Build Coastguard Worker
30*5a923131SAndroid Build Coastguard Worker using std::string;
31*5a923131SAndroid Build Coastguard Worker
32*5a923131SAndroid Build Coastguard Worker namespace chromeos_update_engine {
33*5a923131SAndroid Build Coastguard Worker
34*5a923131SAndroid Build Coastguard Worker namespace {
35*5a923131SAndroid Build Coastguard Worker
36*5a923131SAndroid Build Coastguard Worker // The ASN.1 DigestInfo prefix for encoding SHA256 digest. The complete 51-byte
37*5a923131SAndroid Build Coastguard Worker // DigestInfo consists of 19-byte SHA256_DIGEST_INFO_PREFIX and 32-byte SHA256
38*5a923131SAndroid Build Coastguard Worker // digest.
39*5a923131SAndroid Build Coastguard Worker //
40*5a923131SAndroid Build Coastguard Worker // SEQUENCE(2+49) {
41*5a923131SAndroid Build Coastguard Worker // SEQUENCE(2+13) {
42*5a923131SAndroid Build Coastguard Worker // OBJECT(2+9) id-sha256
43*5a923131SAndroid Build Coastguard Worker // NULL(2+0)
44*5a923131SAndroid Build Coastguard Worker // }
45*5a923131SAndroid Build Coastguard Worker // OCTET STRING(2+32) <actual signature bytes...>
46*5a923131SAndroid Build Coastguard Worker // }
47*5a923131SAndroid Build Coastguard Worker const uint8_t kSHA256DigestInfoPrefix[] = {
48*5a923131SAndroid Build Coastguard Worker 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
49*5a923131SAndroid Build Coastguard Worker 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
50*5a923131SAndroid Build Coastguard Worker };
51*5a923131SAndroid Build Coastguard Worker
52*5a923131SAndroid Build Coastguard Worker } // namespace
53*5a923131SAndroid Build Coastguard Worker
CreateInstance(const std::string & pem_public_key)54*5a923131SAndroid Build Coastguard Worker std::unique_ptr<PayloadVerifier> PayloadVerifier::CreateInstance(
55*5a923131SAndroid Build Coastguard Worker const std::string& pem_public_key) {
56*5a923131SAndroid Build Coastguard Worker std::unique_ptr<BIO, decltype(&BIO_free)> bp(
57*5a923131SAndroid Build Coastguard Worker BIO_new_mem_buf(pem_public_key.data(), pem_public_key.size()), BIO_free);
58*5a923131SAndroid Build Coastguard Worker if (!bp) {
59*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "Failed to read " << pem_public_key << " into buffer.";
60*5a923131SAndroid Build Coastguard Worker return nullptr;
61*5a923131SAndroid Build Coastguard Worker }
62*5a923131SAndroid Build Coastguard Worker
63*5a923131SAndroid Build Coastguard Worker auto pub_key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(
64*5a923131SAndroid Build Coastguard Worker PEM_read_bio_PUBKEY(bp.get(), nullptr, nullptr, nullptr), EVP_PKEY_free);
65*5a923131SAndroid Build Coastguard Worker if (!pub_key) {
66*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "Failed to parse the public key in: " << pem_public_key;
67*5a923131SAndroid Build Coastguard Worker return nullptr;
68*5a923131SAndroid Build Coastguard Worker }
69*5a923131SAndroid Build Coastguard Worker
70*5a923131SAndroid Build Coastguard Worker std::vector<std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>> keys;
71*5a923131SAndroid Build Coastguard Worker keys.emplace_back(std::move(pub_key));
72*5a923131SAndroid Build Coastguard Worker return std::unique_ptr<PayloadVerifier>(new PayloadVerifier(std::move(keys)));
73*5a923131SAndroid Build Coastguard Worker }
74*5a923131SAndroid Build Coastguard Worker
CreateInstanceFromZipPath(const std::string & certificate_zip_path)75*5a923131SAndroid Build Coastguard Worker std::unique_ptr<PayloadVerifier> PayloadVerifier::CreateInstanceFromZipPath(
76*5a923131SAndroid Build Coastguard Worker const std::string& certificate_zip_path) {
77*5a923131SAndroid Build Coastguard Worker auto parser = CreateCertificateParser();
78*5a923131SAndroid Build Coastguard Worker if (!parser) {
79*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "Failed to create certificate parser from "
80*5a923131SAndroid Build Coastguard Worker << certificate_zip_path;
81*5a923131SAndroid Build Coastguard Worker return nullptr;
82*5a923131SAndroid Build Coastguard Worker }
83*5a923131SAndroid Build Coastguard Worker
84*5a923131SAndroid Build Coastguard Worker std::vector<std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>> public_keys;
85*5a923131SAndroid Build Coastguard Worker if (!parser->ReadPublicKeysFromCertificates(certificate_zip_path,
86*5a923131SAndroid Build Coastguard Worker &public_keys) ||
87*5a923131SAndroid Build Coastguard Worker public_keys.empty()) {
88*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "Failed to parse public keys in: " << certificate_zip_path;
89*5a923131SAndroid Build Coastguard Worker return nullptr;
90*5a923131SAndroid Build Coastguard Worker }
91*5a923131SAndroid Build Coastguard Worker
92*5a923131SAndroid Build Coastguard Worker return std::unique_ptr<PayloadVerifier>(
93*5a923131SAndroid Build Coastguard Worker new PayloadVerifier(std::move(public_keys)));
94*5a923131SAndroid Build Coastguard Worker }
95*5a923131SAndroid Build Coastguard Worker
VerifySignature(const string & signature_proto,const brillo::Blob & sha256_hash_data) const96*5a923131SAndroid Build Coastguard Worker bool PayloadVerifier::VerifySignature(
97*5a923131SAndroid Build Coastguard Worker const string& signature_proto, const brillo::Blob& sha256_hash_data) const {
98*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(!public_keys_.empty());
99*5a923131SAndroid Build Coastguard Worker
100*5a923131SAndroid Build Coastguard Worker Signatures signatures;
101*5a923131SAndroid Build Coastguard Worker LOG(INFO) << "signature blob size = " << signature_proto.size();
102*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(signatures.ParseFromString(signature_proto));
103*5a923131SAndroid Build Coastguard Worker
104*5a923131SAndroid Build Coastguard Worker if (!signatures.signatures_size()) {
105*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "No signatures stored in the blob.";
106*5a923131SAndroid Build Coastguard Worker return false;
107*5a923131SAndroid Build Coastguard Worker }
108*5a923131SAndroid Build Coastguard Worker
109*5a923131SAndroid Build Coastguard Worker std::vector<brillo::Blob> tested_hashes;
110*5a923131SAndroid Build Coastguard Worker // Tries every signature in the signature blob.
111*5a923131SAndroid Build Coastguard Worker for (int i = 0; i < signatures.signatures_size(); i++) {
112*5a923131SAndroid Build Coastguard Worker const Signatures::Signature& signature = signatures.signatures(i);
113*5a923131SAndroid Build Coastguard Worker brillo::Blob sig_data;
114*5a923131SAndroid Build Coastguard Worker if (signature.has_unpadded_signature_size()) {
115*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(signature.unpadded_signature_size() <=
116*5a923131SAndroid Build Coastguard Worker signature.data().size());
117*5a923131SAndroid Build Coastguard Worker LOG(INFO) << "Truncating the signature to its unpadded size: "
118*5a923131SAndroid Build Coastguard Worker << signature.unpadded_signature_size() << ".";
119*5a923131SAndroid Build Coastguard Worker sig_data.assign(
120*5a923131SAndroid Build Coastguard Worker signature.data().begin(),
121*5a923131SAndroid Build Coastguard Worker signature.data().begin() + signature.unpadded_signature_size());
122*5a923131SAndroid Build Coastguard Worker } else {
123*5a923131SAndroid Build Coastguard Worker sig_data.assign(signature.data().begin(), signature.data().end());
124*5a923131SAndroid Build Coastguard Worker }
125*5a923131SAndroid Build Coastguard Worker
126*5a923131SAndroid Build Coastguard Worker brillo::Blob sig_hash_data;
127*5a923131SAndroid Build Coastguard Worker if (VerifyRawSignature(sig_data, sha256_hash_data, &sig_hash_data)) {
128*5a923131SAndroid Build Coastguard Worker LOG(INFO) << "Verified correct signature " << i + 1 << " out of "
129*5a923131SAndroid Build Coastguard Worker << signatures.signatures_size() << " signatures.";
130*5a923131SAndroid Build Coastguard Worker return true;
131*5a923131SAndroid Build Coastguard Worker }
132*5a923131SAndroid Build Coastguard Worker if (!sig_hash_data.empty()) {
133*5a923131SAndroid Build Coastguard Worker tested_hashes.push_back(sig_hash_data);
134*5a923131SAndroid Build Coastguard Worker }
135*5a923131SAndroid Build Coastguard Worker }
136*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "None of the " << signatures.signatures_size()
137*5a923131SAndroid Build Coastguard Worker << " signatures is correct. Expected hash before padding:";
138*5a923131SAndroid Build Coastguard Worker utils::HexDumpVector(sha256_hash_data);
139*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "But found RSA decrypted hashes:";
140*5a923131SAndroid Build Coastguard Worker for (const auto& sig_hash_data : tested_hashes) {
141*5a923131SAndroid Build Coastguard Worker utils::HexDumpVector(sig_hash_data);
142*5a923131SAndroid Build Coastguard Worker }
143*5a923131SAndroid Build Coastguard Worker return false;
144*5a923131SAndroid Build Coastguard Worker }
145*5a923131SAndroid Build Coastguard Worker
VerifyRawSignature(const brillo::Blob & sig_data,const brillo::Blob & sha256_hash_data,brillo::Blob * decrypted_sig_data) const146*5a923131SAndroid Build Coastguard Worker bool PayloadVerifier::VerifyRawSignature(
147*5a923131SAndroid Build Coastguard Worker const brillo::Blob& sig_data,
148*5a923131SAndroid Build Coastguard Worker const brillo::Blob& sha256_hash_data,
149*5a923131SAndroid Build Coastguard Worker brillo::Blob* decrypted_sig_data) const {
150*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(!public_keys_.empty());
151*5a923131SAndroid Build Coastguard Worker
152*5a923131SAndroid Build Coastguard Worker for (const auto& public_key : public_keys_) {
153*5a923131SAndroid Build Coastguard Worker int key_type = EVP_PKEY_id(public_key.get());
154*5a923131SAndroid Build Coastguard Worker if (key_type == EVP_PKEY_RSA) {
155*5a923131SAndroid Build Coastguard Worker brillo::Blob sig_hash_data;
156*5a923131SAndroid Build Coastguard Worker if (!GetRawHashFromSignature(
157*5a923131SAndroid Build Coastguard Worker sig_data, public_key.get(), &sig_hash_data)) {
158*5a923131SAndroid Build Coastguard Worker LOG(WARNING)
159*5a923131SAndroid Build Coastguard Worker << "Failed to get the raw hash with RSA key. Trying other keys.";
160*5a923131SAndroid Build Coastguard Worker continue;
161*5a923131SAndroid Build Coastguard Worker }
162*5a923131SAndroid Build Coastguard Worker
163*5a923131SAndroid Build Coastguard Worker if (decrypted_sig_data != nullptr) {
164*5a923131SAndroid Build Coastguard Worker *decrypted_sig_data = sig_hash_data;
165*5a923131SAndroid Build Coastguard Worker }
166*5a923131SAndroid Build Coastguard Worker
167*5a923131SAndroid Build Coastguard Worker brillo::Blob padded_hash_data = sha256_hash_data;
168*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(
169*5a923131SAndroid Build Coastguard Worker PadRSASHA256Hash(&padded_hash_data, sig_hash_data.size()));
170*5a923131SAndroid Build Coastguard Worker
171*5a923131SAndroid Build Coastguard Worker if (padded_hash_data == sig_hash_data) {
172*5a923131SAndroid Build Coastguard Worker return true;
173*5a923131SAndroid Build Coastguard Worker }
174*5a923131SAndroid Build Coastguard Worker } else if (key_type == EVP_PKEY_EC) {
175*5a923131SAndroid Build Coastguard Worker EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(public_key.get());
176*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(ec_key != nullptr);
177*5a923131SAndroid Build Coastguard Worker if (ECDSA_verify(0,
178*5a923131SAndroid Build Coastguard Worker sha256_hash_data.data(),
179*5a923131SAndroid Build Coastguard Worker sha256_hash_data.size(),
180*5a923131SAndroid Build Coastguard Worker sig_data.data(),
181*5a923131SAndroid Build Coastguard Worker sig_data.size(),
182*5a923131SAndroid Build Coastguard Worker ec_key) == 1) {
183*5a923131SAndroid Build Coastguard Worker return true;
184*5a923131SAndroid Build Coastguard Worker }
185*5a923131SAndroid Build Coastguard Worker } else {
186*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "Unsupported key type " << key_type;
187*5a923131SAndroid Build Coastguard Worker return false;
188*5a923131SAndroid Build Coastguard Worker }
189*5a923131SAndroid Build Coastguard Worker }
190*5a923131SAndroid Build Coastguard Worker LOG(INFO) << "Failed to verify the signature with " << public_keys_.size()
191*5a923131SAndroid Build Coastguard Worker << " keys.";
192*5a923131SAndroid Build Coastguard Worker return false;
193*5a923131SAndroid Build Coastguard Worker }
194*5a923131SAndroid Build Coastguard Worker
GetRawHashFromSignature(const brillo::Blob & sig_data,const EVP_PKEY * public_key,brillo::Blob * out_hash_data) const195*5a923131SAndroid Build Coastguard Worker bool PayloadVerifier::GetRawHashFromSignature(
196*5a923131SAndroid Build Coastguard Worker const brillo::Blob& sig_data,
197*5a923131SAndroid Build Coastguard Worker const EVP_PKEY* public_key,
198*5a923131SAndroid Build Coastguard Worker brillo::Blob* out_hash_data) const {
199*5a923131SAndroid Build Coastguard Worker // The code below executes the equivalent of:
200*5a923131SAndroid Build Coastguard Worker //
201*5a923131SAndroid Build Coastguard Worker // openssl rsautl -verify -pubin -inkey <(echo pem_public_key)
202*5a923131SAndroid Build Coastguard Worker // -in |sig_data| -out |out_hash_data|
203*5a923131SAndroid Build Coastguard Worker RSA* rsa = EVP_PKEY_get0_RSA(const_cast<EVP_PKEY*>(public_key));
204*5a923131SAndroid Build Coastguard Worker
205*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(rsa != nullptr);
206*5a923131SAndroid Build Coastguard Worker unsigned int keysize = RSA_size(rsa);
207*5a923131SAndroid Build Coastguard Worker if (sig_data.size() > 2 * keysize) {
208*5a923131SAndroid Build Coastguard Worker LOG(ERROR) << "Signature size is too big for public key size.";
209*5a923131SAndroid Build Coastguard Worker return false;
210*5a923131SAndroid Build Coastguard Worker }
211*5a923131SAndroid Build Coastguard Worker
212*5a923131SAndroid Build Coastguard Worker // Decrypts the signature.
213*5a923131SAndroid Build Coastguard Worker brillo::Blob hash_data(keysize);
214*5a923131SAndroid Build Coastguard Worker int decrypt_size = RSA_public_decrypt(
215*5a923131SAndroid Build Coastguard Worker sig_data.size(), sig_data.data(), hash_data.data(), rsa, RSA_NO_PADDING);
216*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
217*5a923131SAndroid Build Coastguard Worker decrypt_size <= static_cast<int>(hash_data.size()));
218*5a923131SAndroid Build Coastguard Worker hash_data.resize(decrypt_size);
219*5a923131SAndroid Build Coastguard Worker out_hash_data->swap(hash_data);
220*5a923131SAndroid Build Coastguard Worker return true;
221*5a923131SAndroid Build Coastguard Worker }
222*5a923131SAndroid Build Coastguard Worker
PadRSASHA256Hash(brillo::Blob * hash,size_t rsa_size)223*5a923131SAndroid Build Coastguard Worker bool PayloadVerifier::PadRSASHA256Hash(brillo::Blob* hash, size_t rsa_size) {
224*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(hash->size() == kSHA256Size);
225*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(rsa_size == 256 || rsa_size == 512);
226*5a923131SAndroid Build Coastguard Worker
227*5a923131SAndroid Build Coastguard Worker // The following is a standard PKCS1-v1_5 padding for SHA256 signatures, as
228*5a923131SAndroid Build Coastguard Worker // defined in RFC3447 section 9.2. It is prepended to the actual signature
229*5a923131SAndroid Build Coastguard Worker // (32 bytes) to form a sequence of 256|512 bytes (2048|4096 bits) that is
230*5a923131SAndroid Build Coastguard Worker // amenable to RSA signing. The padded hash will look as follows:
231*5a923131SAndroid Build Coastguard Worker //
232*5a923131SAndroid Build Coastguard Worker // 0x00 0x01 0xff ... 0xff 0x00 ASN1HEADER SHA256HASH
233*5a923131SAndroid Build Coastguard Worker // |-----------205|461----------||----19----||----32----|
234*5a923131SAndroid Build Coastguard Worker size_t padding_string_size =
235*5a923131SAndroid Build Coastguard Worker rsa_size - hash->size() - sizeof(kSHA256DigestInfoPrefix) - 3;
236*5a923131SAndroid Build Coastguard Worker brillo::Blob padded_result = brillo::CombineBlobs({
237*5a923131SAndroid Build Coastguard Worker {0x00, 0x01},
238*5a923131SAndroid Build Coastguard Worker brillo::Blob(padding_string_size, 0xff),
239*5a923131SAndroid Build Coastguard Worker {0x00},
240*5a923131SAndroid Build Coastguard Worker brillo::Blob(kSHA256DigestInfoPrefix,
241*5a923131SAndroid Build Coastguard Worker kSHA256DigestInfoPrefix + sizeof(kSHA256DigestInfoPrefix)),
242*5a923131SAndroid Build Coastguard Worker *hash,
243*5a923131SAndroid Build Coastguard Worker });
244*5a923131SAndroid Build Coastguard Worker
245*5a923131SAndroid Build Coastguard Worker *hash = std::move(padded_result);
246*5a923131SAndroid Build Coastguard Worker TEST_AND_RETURN_FALSE(hash->size() == rsa_size);
247*5a923131SAndroid Build Coastguard Worker return true;
248*5a923131SAndroid Build Coastguard Worker }
249*5a923131SAndroid Build Coastguard Worker
250*5a923131SAndroid Build Coastguard Worker } // namespace chromeos_update_engine
251