497 lines
21 KiB
C++
497 lines
21 KiB
C++
//
|
|
// Copyright (C) 2011 The Android Open Source Project
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//
|
|
|
|
#include "update_engine/payload_generator/payload_signer.h"
|
|
|
|
#include <endian.h>
|
|
|
|
#include <memory>
|
|
#include <utility>
|
|
|
|
#include <base/logging.h>
|
|
#include <base/strings/string_number_conversions.h>
|
|
#include <base/strings/string_split.h>
|
|
#include <base/strings/string_util.h>
|
|
#include <brillo/data_encoding.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/pem.h>
|
|
|
|
#include "update_engine/common/constants.h"
|
|
#include "update_engine/common/hash_calculator.h"
|
|
#include "update_engine/common/subprocess.h"
|
|
#include "update_engine/common/utils.h"
|
|
#include "update_engine/payload_consumer/delta_performer.h"
|
|
#include "update_engine/payload_consumer/payload_constants.h"
|
|
#include "update_engine/payload_consumer/payload_metadata.h"
|
|
#include "update_engine/payload_consumer/payload_verifier.h"
|
|
#include "update_engine/payload_generator/delta_diff_generator.h"
|
|
#include "update_engine/payload_generator/payload_file.h"
|
|
#include "update_engine/update_metadata.pb.h"
|
|
|
|
using std::string;
|
|
using std::vector;
|
|
|
|
namespace chromeos_update_engine {
|
|
|
|
namespace {
|
|
// Given raw |signatures|, packs them into a protobuf and serializes it into a
|
|
// string. Returns true on success, false otherwise.
|
|
bool ConvertSignaturesToProtobuf(const vector<brillo::Blob>& signatures,
|
|
const vector<size_t>& padded_signature_sizes,
|
|
string* out_serialized_signature) {
|
|
TEST_AND_RETURN_FALSE(signatures.size() == padded_signature_sizes.size());
|
|
// Pack it into a protobuf
|
|
Signatures out_message;
|
|
for (size_t i = 0; i < signatures.size(); i++) {
|
|
const auto& signature = signatures[i];
|
|
const auto& padded_signature_size = padded_signature_sizes[i];
|
|
TEST_AND_RETURN_FALSE(padded_signature_size >= signature.size());
|
|
Signatures::Signature* sig_message = out_message.add_signatures();
|
|
// Skip assigning the same version number because we don't need to be
|
|
// compatible with old major version 1 client anymore.
|
|
|
|
// TODO(Xunchang) don't need to set the unpadded_signature_size field for
|
|
// RSA key signed signatures.
|
|
sig_message->set_unpadded_signature_size(signature.size());
|
|
brillo::Blob padded_signature = signature;
|
|
padded_signature.insert(
|
|
padded_signature.end(), padded_signature_size - signature.size(), 0);
|
|
sig_message->set_data(padded_signature.data(), padded_signature.size());
|
|
}
|
|
|
|
// Serialize protobuf
|
|
TEST_AND_RETURN_FALSE(
|
|
out_message.SerializeToString(out_serialized_signature));
|
|
LOG(INFO) << "Signature blob size: " << out_serialized_signature->size();
|
|
return true;
|
|
}
|
|
|
|
// Given an unsigned payload under |payload_path| and the |payload_signature|
|
|
// and |metadata_signature| generates an updated payload that includes the
|
|
// signatures. It populates |out_metadata_size| with the size of the final
|
|
// manifest after adding the fake signature operation, and
|
|
// |out_signatures_offset| with the expected offset for the new blob, and
|
|
// |out_metadata_signature_size| which will be size of |metadata_signature|
|
|
// if the payload major version supports metadata signature, 0 otherwise.
|
|
// Returns true on success, false otherwise.
|
|
bool AddSignatureBlobToPayload(const string& payload_path,
|
|
const string& payload_signature,
|
|
const string& metadata_signature,
|
|
brillo::Blob* out_payload,
|
|
uint64_t* out_metadata_size,
|
|
uint32_t* out_metadata_signature_size,
|
|
uint64_t* out_signatures_offset) {
|
|
uint64_t manifest_offset = 20;
|
|
const int kProtobufSizeOffset = 12;
|
|
|
|
brillo::Blob payload;
|
|
TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload));
|
|
PayloadMetadata payload_metadata;
|
|
TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload));
|
|
uint64_t metadata_size = payload_metadata.GetMetadataSize();
|
|
uint32_t metadata_signature_size =
|
|
payload_metadata.GetMetadataSignatureSize();
|
|
// Write metadata signature size in header.
|
|
uint32_t metadata_signature_size_be = htobe32(metadata_signature.size());
|
|
memcpy(payload.data() + manifest_offset,
|
|
&metadata_signature_size_be,
|
|
sizeof(metadata_signature_size_be));
|
|
manifest_offset += sizeof(metadata_signature_size_be);
|
|
// Replace metadata signature.
|
|
payload.erase(payload.begin() + metadata_size,
|
|
payload.begin() + metadata_size + metadata_signature_size);
|
|
payload.insert(payload.begin() + metadata_size,
|
|
metadata_signature.begin(),
|
|
metadata_signature.end());
|
|
metadata_signature_size = metadata_signature.size();
|
|
LOG(INFO) << "Metadata signature size: " << metadata_signature_size;
|
|
|
|
DeltaArchiveManifest manifest;
|
|
TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest));
|
|
|
|
// Is there already a signature op in place?
|
|
if (manifest.has_signatures_size()) {
|
|
// The signature op is tied to the size of the signature blob, but not it's
|
|
// contents. We don't allow the manifest to change if there is already an op
|
|
// present, because that might invalidate previously generated
|
|
// hashes/signatures.
|
|
if (manifest.signatures_size() != payload_signature.size()) {
|
|
LOG(ERROR) << "Attempt to insert different signature sized blob. "
|
|
<< "(current:" << manifest.signatures_size()
|
|
<< "new:" << payload_signature.size() << ")";
|
|
return false;
|
|
}
|
|
|
|
LOG(INFO) << "Matching signature sizes already present.";
|
|
} else {
|
|
// Updates the manifest to include the signature operation.
|
|
PayloadSigner::AddSignatureToManifest(
|
|
payload.size() - metadata_size - metadata_signature_size,
|
|
payload_signature.size(),
|
|
&manifest);
|
|
|
|
// Updates the payload to include the new manifest.
|
|
string serialized_manifest;
|
|
TEST_AND_RETURN_FALSE(manifest.AppendToString(&serialized_manifest));
|
|
LOG(INFO) << "Updated protobuf size: " << serialized_manifest.size();
|
|
payload.erase(payload.begin() + manifest_offset,
|
|
payload.begin() + metadata_size);
|
|
payload.insert(payload.begin() + manifest_offset,
|
|
serialized_manifest.begin(),
|
|
serialized_manifest.end());
|
|
|
|
// Updates the protobuf size.
|
|
uint64_t size_be = htobe64(serialized_manifest.size());
|
|
memcpy(&payload[kProtobufSizeOffset], &size_be, sizeof(size_be));
|
|
metadata_size = serialized_manifest.size() + manifest_offset;
|
|
|
|
LOG(INFO) << "Updated payload size: " << payload.size();
|
|
LOG(INFO) << "Updated metadata size: " << metadata_size;
|
|
}
|
|
uint64_t signatures_offset =
|
|
metadata_size + metadata_signature_size + manifest.signatures_offset();
|
|
LOG(INFO) << "Signature Blob Offset: " << signatures_offset;
|
|
payload.resize(signatures_offset);
|
|
payload.insert(payload.begin() + signatures_offset,
|
|
payload_signature.begin(),
|
|
payload_signature.end());
|
|
|
|
*out_payload = std::move(payload);
|
|
*out_metadata_size = metadata_size;
|
|
*out_metadata_signature_size = metadata_signature_size;
|
|
*out_signatures_offset = signatures_offset;
|
|
return true;
|
|
}
|
|
|
|
// Given a |payload| with correct signature op and metadata signature size in
|
|
// header and |metadata_size|, |metadata_signature_size|, |signatures_offset|,
|
|
// calculate hash for payload and metadata, save it to |out_hash_data| and
|
|
// |out_metadata_hash|.
|
|
bool CalculateHashFromPayload(const brillo::Blob& payload,
|
|
const uint64_t metadata_size,
|
|
const uint32_t metadata_signature_size,
|
|
const uint64_t signatures_offset,
|
|
brillo::Blob* out_hash_data,
|
|
brillo::Blob* out_metadata_hash) {
|
|
if (out_metadata_hash) {
|
|
// Calculates the hash on the manifest.
|
|
TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfBytes(
|
|
payload.data(), metadata_size, out_metadata_hash));
|
|
}
|
|
if (out_hash_data) {
|
|
// Calculates the hash on the updated payload. Note that we skip metadata
|
|
// signature and payload signature.
|
|
HashCalculator calc;
|
|
TEST_AND_RETURN_FALSE(calc.Update(payload.data(), metadata_size));
|
|
TEST_AND_RETURN_FALSE(signatures_offset >=
|
|
metadata_size + metadata_signature_size);
|
|
TEST_AND_RETURN_FALSE(calc.Update(
|
|
payload.data() + metadata_size + metadata_signature_size,
|
|
signatures_offset - metadata_size - metadata_signature_size));
|
|
TEST_AND_RETURN_FALSE(calc.Finalize());
|
|
*out_hash_data = calc.raw_hash();
|
|
}
|
|
return true;
|
|
}
|
|
|
|
std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)> CreatePrivateKeyFromPath(
|
|
const string& private_key_path) {
|
|
FILE* fprikey = fopen(private_key_path.c_str(), "rb");
|
|
if (!fprikey) {
|
|
PLOG(ERROR) << "Failed to read " << private_key_path;
|
|
return {nullptr, nullptr};
|
|
}
|
|
|
|
auto private_key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(
|
|
PEM_read_PrivateKey(fprikey, nullptr, nullptr, nullptr), EVP_PKEY_free);
|
|
fclose(fprikey);
|
|
return private_key;
|
|
}
|
|
|
|
} // namespace
|
|
|
|
bool PayloadSigner::GetMaximumSignatureSize(const string& private_key_path,
|
|
size_t* signature_size) {
|
|
*signature_size = 0;
|
|
auto private_key = CreatePrivateKeyFromPath(private_key_path);
|
|
if (!private_key) {
|
|
LOG(ERROR) << "Failed to create private key from " << private_key_path;
|
|
return false;
|
|
}
|
|
|
|
*signature_size = EVP_PKEY_size(private_key.get());
|
|
return true;
|
|
}
|
|
|
|
void PayloadSigner::AddSignatureToManifest(uint64_t signature_blob_offset,
|
|
uint64_t signature_blob_length,
|
|
DeltaArchiveManifest* manifest) {
|
|
LOG(INFO) << "Making room for signature in file";
|
|
manifest->set_signatures_offset(signature_blob_offset);
|
|
manifest->set_signatures_size(signature_blob_length);
|
|
}
|
|
|
|
bool PayloadSigner::VerifySignedPayload(const string& payload_path,
|
|
const string& public_key_path) {
|
|
brillo::Blob payload;
|
|
TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload));
|
|
PayloadMetadata payload_metadata;
|
|
TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload));
|
|
DeltaArchiveManifest manifest;
|
|
TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest));
|
|
TEST_AND_RETURN_FALSE(manifest.has_signatures_offset() &&
|
|
manifest.has_signatures_size());
|
|
uint64_t metadata_size = payload_metadata.GetMetadataSize();
|
|
uint32_t metadata_signature_size =
|
|
payload_metadata.GetMetadataSignatureSize();
|
|
uint64_t signatures_offset =
|
|
metadata_size + metadata_signature_size + manifest.signatures_offset();
|
|
CHECK_EQ(payload.size(), signatures_offset + manifest.signatures_size());
|
|
brillo::Blob payload_hash, metadata_hash;
|
|
TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
|
|
metadata_size,
|
|
metadata_signature_size,
|
|
signatures_offset,
|
|
&payload_hash,
|
|
&metadata_hash));
|
|
string signature(payload.begin() + signatures_offset, payload.end());
|
|
string public_key;
|
|
TEST_AND_RETURN_FALSE(utils::ReadFile(public_key_path, &public_key));
|
|
TEST_AND_RETURN_FALSE(payload_hash.size() == kSHA256Size);
|
|
|
|
auto payload_verifier = PayloadVerifier::CreateInstance(public_key);
|
|
TEST_AND_RETURN_FALSE(payload_verifier != nullptr);
|
|
|
|
TEST_AND_RETURN_FALSE(
|
|
payload_verifier->VerifySignature(signature, payload_hash));
|
|
if (metadata_signature_size) {
|
|
signature.assign(payload.begin() + metadata_size,
|
|
payload.begin() + metadata_size + metadata_signature_size);
|
|
TEST_AND_RETURN_FALSE(metadata_hash.size() == kSHA256Size);
|
|
TEST_AND_RETURN_FALSE(
|
|
payload_verifier->VerifySignature(signature, metadata_hash));
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool PayloadSigner::SignHash(const brillo::Blob& hash,
|
|
const string& private_key_path,
|
|
brillo::Blob* out_signature) {
|
|
LOG(INFO) << "Signing hash with private key: " << private_key_path;
|
|
// We expect unpadded SHA256 hash coming in
|
|
TEST_AND_RETURN_FALSE(hash.size() == kSHA256Size);
|
|
// The code below executes the equivalent of:
|
|
//
|
|
// openssl rsautl -raw -sign -inkey |private_key_path|
|
|
// -in |padded_hash| -out |out_signature|
|
|
|
|
auto private_key = CreatePrivateKeyFromPath(private_key_path);
|
|
if (!private_key) {
|
|
LOG(ERROR) << "Failed to create private key from " << private_key_path;
|
|
return false;
|
|
}
|
|
|
|
int key_type = EVP_PKEY_id(private_key.get());
|
|
brillo::Blob signature;
|
|
if (key_type == EVP_PKEY_RSA) {
|
|
RSA* rsa = EVP_PKEY_get0_RSA(private_key.get());
|
|
TEST_AND_RETURN_FALSE(rsa != nullptr);
|
|
|
|
brillo::Blob padded_hash = hash;
|
|
PayloadVerifier::PadRSASHA256Hash(&padded_hash, RSA_size(rsa));
|
|
|
|
signature.resize(RSA_size(rsa));
|
|
ssize_t signature_size = RSA_private_encrypt(padded_hash.size(),
|
|
padded_hash.data(),
|
|
signature.data(),
|
|
rsa,
|
|
RSA_NO_PADDING);
|
|
if (signature_size < 0) {
|
|
LOG(ERROR) << "Signing hash failed: "
|
|
<< ERR_error_string(ERR_get_error(), nullptr);
|
|
return false;
|
|
}
|
|
TEST_AND_RETURN_FALSE(static_cast<size_t>(signature_size) ==
|
|
signature.size());
|
|
} else if (key_type == EVP_PKEY_EC) {
|
|
EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(private_key.get());
|
|
TEST_AND_RETURN_FALSE(ec_key != nullptr);
|
|
|
|
signature.resize(ECDSA_size(ec_key));
|
|
unsigned int signature_size;
|
|
if (ECDSA_sign(0,
|
|
hash.data(),
|
|
hash.size(),
|
|
signature.data(),
|
|
&signature_size,
|
|
ec_key) != 1) {
|
|
LOG(ERROR) << "Signing hash failed: "
|
|
<< ERR_error_string(ERR_get_error(), nullptr);
|
|
return false;
|
|
}
|
|
|
|
// NIST P-256
|
|
LOG(ERROR) << "signature max size " << signature.size() << " size "
|
|
<< signature_size;
|
|
TEST_AND_RETURN_FALSE(signature.size() >= signature_size);
|
|
signature.resize(signature_size);
|
|
} else {
|
|
LOG(ERROR) << "key_type " << key_type << " isn't supported for signing";
|
|
return false;
|
|
}
|
|
out_signature->swap(signature);
|
|
return true;
|
|
}
|
|
|
|
bool PayloadSigner::SignHashWithKeys(const brillo::Blob& hash_data,
|
|
const vector<string>& private_key_paths,
|
|
string* out_serialized_signature) {
|
|
vector<brillo::Blob> signatures;
|
|
vector<size_t> padded_signature_sizes;
|
|
for (const string& path : private_key_paths) {
|
|
brillo::Blob signature;
|
|
TEST_AND_RETURN_FALSE(SignHash(hash_data, path, &signature));
|
|
signatures.push_back(signature);
|
|
|
|
size_t padded_signature_size;
|
|
TEST_AND_RETURN_FALSE(
|
|
GetMaximumSignatureSize(path, &padded_signature_size));
|
|
padded_signature_sizes.push_back(padded_signature_size);
|
|
}
|
|
TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf(
|
|
signatures, padded_signature_sizes, out_serialized_signature));
|
|
return true;
|
|
}
|
|
|
|
bool PayloadSigner::SignPayload(const string& unsigned_payload_path,
|
|
const vector<string>& private_key_paths,
|
|
const uint64_t metadata_size,
|
|
const uint32_t metadata_signature_size,
|
|
const uint64_t signatures_offset,
|
|
string* out_serialized_signature) {
|
|
brillo::Blob payload;
|
|
TEST_AND_RETURN_FALSE(utils::ReadFile(unsigned_payload_path, &payload));
|
|
brillo::Blob hash_data;
|
|
TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
|
|
metadata_size,
|
|
metadata_signature_size,
|
|
signatures_offset,
|
|
&hash_data,
|
|
nullptr));
|
|
TEST_AND_RETURN_FALSE(
|
|
SignHashWithKeys(hash_data, private_key_paths, out_serialized_signature));
|
|
return true;
|
|
}
|
|
|
|
bool PayloadSigner::SignatureBlobLength(const vector<string>& private_key_paths,
|
|
uint64_t* out_length) {
|
|
DCHECK(out_length);
|
|
brillo::Blob hash_blob;
|
|
TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfData({'x'}, &hash_blob));
|
|
string sig_blob;
|
|
TEST_AND_RETURN_FALSE(
|
|
SignHashWithKeys(hash_blob, private_key_paths, &sig_blob));
|
|
*out_length = sig_blob.size();
|
|
return true;
|
|
}
|
|
|
|
bool PayloadSigner::HashPayloadForSigning(const string& payload_path,
|
|
const vector<size_t>& signature_sizes,
|
|
brillo::Blob* out_payload_hash_data,
|
|
brillo::Blob* out_metadata_hash) {
|
|
// Create a signature blob with signatures filled with 0.
|
|
// Will be used for both payload signature and metadata signature.
|
|
vector<brillo::Blob> signatures;
|
|
for (int signature_size : signature_sizes) {
|
|
signatures.emplace_back(signature_size, 0);
|
|
}
|
|
string signature;
|
|
TEST_AND_RETURN_FALSE(
|
|
ConvertSignaturesToProtobuf(signatures, signature_sizes, &signature));
|
|
|
|
brillo::Blob payload;
|
|
uint64_t metadata_size, signatures_offset;
|
|
uint32_t metadata_signature_size;
|
|
// Prepare payload for hashing.
|
|
TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path,
|
|
signature,
|
|
signature,
|
|
&payload,
|
|
&metadata_size,
|
|
&metadata_signature_size,
|
|
&signatures_offset));
|
|
TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
|
|
metadata_size,
|
|
metadata_signature_size,
|
|
signatures_offset,
|
|
out_payload_hash_data,
|
|
out_metadata_hash));
|
|
return true;
|
|
}
|
|
|
|
bool PayloadSigner::AddSignatureToPayload(
|
|
const string& payload_path,
|
|
const vector<size_t>& padded_signature_sizes,
|
|
const vector<brillo::Blob>& payload_signatures,
|
|
const vector<brillo::Blob>& metadata_signatures,
|
|
const string& signed_payload_path,
|
|
uint64_t* out_metadata_size) {
|
|
// TODO(petkov): Reduce memory usage -- the payload is manipulated in memory.
|
|
|
|
// Loads the payload and adds the signature op to it.
|
|
string payload_signature, metadata_signature;
|
|
TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf(
|
|
payload_signatures, padded_signature_sizes, &payload_signature));
|
|
if (!metadata_signatures.empty()) {
|
|
TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf(
|
|
metadata_signatures, padded_signature_sizes, &metadata_signature));
|
|
}
|
|
brillo::Blob payload;
|
|
uint64_t signatures_offset;
|
|
uint32_t metadata_signature_size;
|
|
TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path,
|
|
payload_signature,
|
|
metadata_signature,
|
|
&payload,
|
|
out_metadata_size,
|
|
&metadata_signature_size,
|
|
&signatures_offset));
|
|
|
|
LOG(INFO) << "Signed payload size: " << payload.size();
|
|
TEST_AND_RETURN_FALSE(utils::WriteFile(
|
|
signed_payload_path.c_str(), payload.data(), payload.size()));
|
|
return true;
|
|
}
|
|
|
|
bool PayloadSigner::GetMetadataSignature(const void* const metadata,
|
|
size_t metadata_size,
|
|
const string& private_key_path,
|
|
string* out_signature) {
|
|
// Calculates the hash on the updated payload. Note that the payload includes
|
|
// the signature op but doesn't include the signature blob at the end.
|
|
brillo::Blob metadata_hash;
|
|
TEST_AND_RETURN_FALSE(
|
|
HashCalculator::RawHashOfBytes(metadata, metadata_size, &metadata_hash));
|
|
|
|
brillo::Blob signature;
|
|
TEST_AND_RETURN_FALSE(SignHash(metadata_hash, private_key_path, &signature));
|
|
|
|
*out_signature = brillo::data_encoding::Base64Encode(signature);
|
|
return true;
|
|
}
|
|
|
|
} // namespace chromeos_update_engine
|