payload_consumer/payload_verifier.cc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251

//
// Copyright (C) 2014 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#include "update_engine/payload_consumer/payload_verifier.h"

#include <utility>
#include <vector>

#include <base/logging.h>
#include <openssl/pem.h>

#include "update_engine/common/constants.h"
#include "update_engine/common/hash_calculator.h"
#include "update_engine/common/utils.h"
#include "update_engine/payload_consumer/certificate_parser_interface.h"
#include "update_engine/update_metadata.pb.h"

using std::string;

namespace chromeos_update_engine {

namespace {

// The ASN.1 DigestInfo prefix for encoding SHA256 digest. The complete 51-byte
// DigestInfo consists of 19-byte SHA256_DIGEST_INFO_PREFIX and 32-byte SHA256
// digest.
//
// SEQUENCE(2+49) {
//   SEQUENCE(2+13) {
//     OBJECT(2+9) id-sha256
//     NULL(2+0)
//   }
//   OCTET STRING(2+32) <actual signature bytes...>
// }
const uint8_t kSHA256DigestInfoPrefix[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
};

}  // namespace

std::unique_ptr<PayloadVerifier> PayloadVerifier::CreateInstance(
    const std::string& pem_public_key) {
  std::unique_ptr<BIO, decltype(&BIO_free)> bp(
      BIO_new_mem_buf(pem_public_key.data(), pem_public_key.size()), BIO_free);
  if (!bp) {
    LOG(ERROR) << "Failed to read " << pem_public_key << " into buffer.";
    return nullptr;
  }

  auto pub_key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(
      PEM_read_bio_PUBKEY(bp.get(), nullptr, nullptr, nullptr), EVP_PKEY_free);
  if (!pub_key) {
    LOG(ERROR) << "Failed to parse the public key in: " << pem_public_key;
    return nullptr;
  }

  std::vector<std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>> keys;
  keys.emplace_back(std::move(pub_key));
  return std::unique_ptr<PayloadVerifier>(new PayloadVerifier(std::move(keys)));
}

std::unique_ptr<PayloadVerifier> PayloadVerifier::CreateInstanceFromZipPath(
    const std::string& certificate_zip_path) {
  auto parser = CreateCertificateParser();
  if (!parser) {
    LOG(ERROR) << "Failed to create certificate parser from "
               << certificate_zip_path;
    return nullptr;
  }

  std::vector<std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>> public_keys;
  if (!parser->ReadPublicKeysFromCertificates(certificate_zip_path,
                                              &public_keys) ||
      public_keys.empty()) {
    LOG(ERROR) << "Failed to parse public keys in: " << certificate_zip_path;
    return nullptr;
  }

  return std::unique_ptr<PayloadVerifier>(
      new PayloadVerifier(std::move(public_keys)));
}

bool PayloadVerifier::VerifySignature(
    const string& signature_proto, const brillo::Blob& sha256_hash_data) const {
  TEST_AND_RETURN_FALSE(!public_keys_.empty());

  Signatures signatures;
  LOG(INFO) << "signature blob size = " << signature_proto.size();
  TEST_AND_RETURN_FALSE(signatures.ParseFromString(signature_proto));

  if (!signatures.signatures_size()) {
    LOG(ERROR) << "No signatures stored in the blob.";
    return false;
  }

  std::vector<brillo::Blob> tested_hashes;
  // Tries every signature in the signature blob.
  for (int i = 0; i < signatures.signatures_size(); i++) {
    const Signatures::Signature& signature = signatures.signatures(i);
    brillo::Blob sig_data;
    if (signature.has_unpadded_signature_size()) {
      TEST_AND_RETURN_FALSE(signature.unpadded_signature_size() <=
                            signature.data().size());
      LOG(INFO) << "Truncating the signature to its unpadded size: "
                << signature.unpadded_signature_size() << ".";
      sig_data.assign(
          signature.data().begin(),
          signature.data().begin() + signature.unpadded_signature_size());
    } else {
      sig_data.assign(signature.data().begin(), signature.data().end());
    }

    brillo::Blob sig_hash_data;
    if (VerifyRawSignature(sig_data, sha256_hash_data, &sig_hash_data)) {
      LOG(INFO) << "Verified correct signature " << i + 1 << " out of "
                << signatures.signatures_size() << " signatures.";
      return true;
    }
    if (!sig_hash_data.empty()) {
      tested_hashes.push_back(sig_hash_data);
    }
  }
  LOG(ERROR) << "None of the " << signatures.signatures_size()
             << " signatures is correct. Expected hash before padding:";
  utils::HexDumpVector(sha256_hash_data);
  LOG(ERROR) << "But found RSA decrypted hashes:";
  for (const auto& sig_hash_data : tested_hashes) {
    utils::HexDumpVector(sig_hash_data);
  }
  return false;
}

bool PayloadVerifier::VerifyRawSignature(
    const brillo::Blob& sig_data,
    const brillo::Blob& sha256_hash_data,
    brillo::Blob* decrypted_sig_data) const {
  TEST_AND_RETURN_FALSE(!public_keys_.empty());

  for (const auto& public_key : public_keys_) {
    int key_type = EVP_PKEY_id(public_key.get());
    if (key_type == EVP_PKEY_RSA) {
      brillo::Blob sig_hash_data;
      if (!GetRawHashFromSignature(
              sig_data, public_key.get(), &sig_hash_data)) {
        LOG(WARNING)
            << "Failed to get the raw hash with RSA key. Trying other keys.";
        continue;
      }

      if (decrypted_sig_data != nullptr) {
        *decrypted_sig_data = sig_hash_data;
      }

      brillo::Blob padded_hash_data = sha256_hash_data;
      TEST_AND_RETURN_FALSE(
          PadRSASHA256Hash(&padded_hash_data, sig_hash_data.size()));

      if (padded_hash_data == sig_hash_data) {
        return true;
      }
    } else if (key_type == EVP_PKEY_EC) {
      EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(public_key.get());
      TEST_AND_RETURN_FALSE(ec_key != nullptr);
      if (ECDSA_verify(0,
                       sha256_hash_data.data(),
                       sha256_hash_data.size(),
                       sig_data.data(),
                       sig_data.size(),
                       ec_key) == 1) {
        return true;
      }
    } else {
      LOG(ERROR) << "Unsupported key type " << key_type;
      return false;
    }
  }
  LOG(INFO) << "Failed to verify the signature with " << public_keys_.size()
            << " keys.";
  return false;
}

bool PayloadVerifier::GetRawHashFromSignature(
    const brillo::Blob& sig_data,
    const EVP_PKEY* public_key,
    brillo::Blob* out_hash_data) const {
  // The code below executes the equivalent of:
  //
  // openssl rsautl -verify -pubin -inkey <(echo pem_public_key)
  //   -in |sig_data| -out |out_hash_data|
  RSA* rsa = EVP_PKEY_get0_RSA(const_cast<EVP_PKEY*>(public_key));

  TEST_AND_RETURN_FALSE(rsa != nullptr);
  unsigned int keysize = RSA_size(rsa);
  if (sig_data.size() > 2 * keysize) {
    LOG(ERROR) << "Signature size is too big for public key size.";
    return false;
  }

  // Decrypts the signature.
  brillo::Blob hash_data(keysize);
  int decrypt_size = RSA_public_decrypt(
      sig_data.size(), sig_data.data(), hash_data.data(), rsa, RSA_NO_PADDING);
  TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
                        decrypt_size <= static_cast<int>(hash_data.size()));
  hash_data.resize(decrypt_size);
  out_hash_data->swap(hash_data);
  return true;
}

bool PayloadVerifier::PadRSASHA256Hash(brillo::Blob* hash, size_t rsa_size) {
  TEST_AND_RETURN_FALSE(hash->size() == kSHA256Size);
  TEST_AND_RETURN_FALSE(rsa_size == 256 || rsa_size == 512);

  // The following is a standard PKCS1-v1_5 padding for SHA256 signatures, as
  // defined in RFC3447 section 9.2. It is prepended to the actual signature
  // (32 bytes) to form a sequence of 256|512 bytes (2048|4096 bits) that is
  // amenable to RSA signing. The padded hash will look as follows:
  //
  //    0x00 0x01 0xff ... 0xff 0x00  ASN1HEADER  SHA256HASH
  //   |-----------205|461----------||----19----||----32----|
  size_t padding_string_size =
      rsa_size - hash->size() - sizeof(kSHA256DigestInfoPrefix) - 3;
  brillo::Blob padded_result = brillo::CombineBlobs({
      {0x00, 0x01},
      brillo::Blob(padding_string_size, 0xff),
      {0x00},
      brillo::Blob(kSHA256DigestInfoPrefix,
                   kSHA256DigestInfoPrefix + sizeof(kSHA256DigestInfoPrefix)),
      *hash,
  });

  *hash = std::move(padded_result);
  TEST_AND_RETURN_FALSE(hash->size() == rsa_size);
  return true;
}

}  // namespace chromeos_update_engine