Diffstat (limited to 'payload_consumer/payload_metadata.cc')
-rw-r--r-- | payload_consumer/payload_metadata.cc | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc index b631c87c..8b3eb4e1 100644 --- a/payload_consumer/payload_metadata.cc +++ b/payload_consumer/payload_metadata.cc @@ -25,6 +25,8 @@ #include "update_engine/payload_consumer/payload_constants.h" #include "update_engine/payload_consumer/payload_verifier.h" +using std::string; + namespace chromeos_update_engine { const uint64_t PayloadMetadata::kDeltaVersionOffset = sizeof(kDeltaMagic); @@ -155,12 +157,16 @@ bool PayloadMetadata::GetManifest(const brillo::Blob& payload, ErrorCode PayloadMetadata::ValidateMetadataSignature( const brillo::Blob& payload, - const std::string& metadata_signature, - const std::string& pem_public_key) const { + const string& metadata_signature, + const string& pem_public_key) const { if (payload.size() < metadata_size_ + metadata_signature_size_) return ErrorCode::kDownloadMetadataSignatureError; - brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob; + // A single signature in raw bytes. + brillo::Blob metadata_signature_blob; + // The serialized Signatures protobuf message stored in major version >=2 + // payload, it may contain multiple signatures. + string metadata_signature_protobuf; if (!metadata_signature.empty()) { // Convert base64-encoded signature to raw bytes. if (!brillo::data_encoding::Base64Decode(metadata_signature, 
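Review bot: The new comments on `metadata_signature_blob` and `metadata_signature_protobuf` in the `-155,12 +157,16` hunk describe each buffer but not which signature source takes precedence, which is what a reader auditing this check needs. From the visible branches, a non-empty `metadata_signature` argument is base64-decoded and used (the decode target is cut off here, presumably the raw blob), and the Signatures message embedded in the payload is read only in the `else if` that follows. I would say so above the declarations, e.g. `// Only one of the two is populated below: a signature passed in |metadata_signature| takes precedence over the one embedded in the payload.` The comment on the string could also say that it holds serialized binary data rather than text. The body of ValidateMetadataSignature continues past the end of this hunk.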
@@ -170,13 +176,12 @@ ErrorCode PayloadMetadata::ValidateMetadataSignature( return ErrorCode::kDownloadMetadataSignatureError; } } else if (major_payload_version_ == kBrilloMajorPayloadVersion) { - metadata_signature_protobuf_blob.assign( + metadata_signature_protobuf.assign( payload.begin() + metadata_size_, payload.begin() + metadata_size_ + metadata_signature_size_); } - if (metadata_signature_blob.empty() && - metadata_signature_protobuf_blob.empty()) { + if (metadata_signature_blob.empty() && metadata_signature_protobuf.empty()) { LOG(ERROR) << "Missing mandatory metadata signature in both Omaha " << "response and payload."; return ErrorCode::kDownloadMetadataSignatureMissingError; @@ -210,7 +215,7 @@ ErrorCode PayloadMetadata::ValidateMetadataSignature( return ErrorCode::kDownloadMetadataSignatureMismatch; } } else { - if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob, + if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf, pem_public_key, calculated_metadata_hash)) { LOG(ERROR) << "Manifest hash verification failed."; |
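Review bot: The new `metadata_signature_protobuf.assign(...)` in the `-170,13 +176,12` hunk is bounded only by the guard `payload.size() < metadata_size_ + metadata_signature_size_` at the top of the function, and that guard adds two size fields whose types and origin are not visible on this page. If they are read from the payload header and not range-checked elsewhere, the sum can wrap, so the guard passes while `payload.begin() + metadata_size_ + metadata_signature_size_` lies past `payload.end()`. A subtraction-based guard does not wrap: `if (metadata_size_ > payload.size() || metadata_signature_size_ > payload.size() - metadata_size_)`. The guard itself sits in the previous hunk, and the function starts and ends outside this one.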