1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <stdbool.h>
18 #include <string.h>
19 #include <stdint.h>
20 #include <stdlib.h>
21 #include <stdio.h>
22
23 #include <nanohub/nanohub.h>
24 #include <nanohub/nanoapp.h>
25 #include <nanohub/sha2.h>
26 #include <nanohub/rsa.h>
27
28 static FILE* urandom = NULL;
29
30 #if defined(__APPLE__) || defined(_WIN32)
bswap32(uint32_t x)31 inline uint32_t bswap32 (uint32_t x) {
32 uint32_t out = 0;
33 for (int i=0; i < 4; ++i, x >>= 8)
34 out = (out << 8) | (x & 0xFF);
35 return out;
36 }
37
38 #define htobe32(x) bswap32((x))
39 #define htole32(x) ((uint32_t)(x))
40 #define be32toh(x) bswap32((x))
41 #define le32toh(x) ((uint32_t)(x))
42 #else
43 #include <endian.h>
44 #endif
45
46 //read exactly one hex-encoded byte from a file, skipping all the fluff
getHexEncodedByte(uint8_t * buf,uint32_t * ppos,uint32_t size)47 static int getHexEncodedByte(uint8_t *buf, uint32_t *ppos, uint32_t size)
48 {
49 int c, i;
50 uint32_t pos = *ppos;
51 uint8_t val = 0;
52
53 //for first byte
54 for (i = 0; i < 2; i++) {
55 val <<= 4;
56 while(1) {
57 if (pos == size)
58 return -1;
59 c = buf[pos++];
60 *ppos = pos;
61
62 if (c >= '0' && c <= '9')
63 val += c - '0';
64 else if (c >= 'a' && c <= 'f')
65 val += c + 10 - 'a';
66 else if (c >= 'A' && c <= 'F')
67 val += c + 10 - 'A';
68 else if (i) //disallow everything between first and second nibble
69 return -1;
70 else if (c > 'f' && c <= 'z') //disallow nonalpha data
71 return -1;
72 else if (c > 'F' && c <= 'Z') //disallow nonalpha data
73 return -1;
74 else
75 continue;
76 break;
77 }
78 }
79
80 return val;
81 }
82
83 //provide a random number for which the following property is true ((ret & 0xFF000000) && (ret & 0xFF0000) && (ret & 0xFF00) && (ret & 0xFF))
rand32_no_zero_bytes(void)84 static uint32_t rand32_no_zero_bytes(void)
85 {
86 uint32_t i, v;
87 uint8_t byte;
88
89 if (!urandom) {
90 urandom = fopen("/dev/urandom", "rb");
91 if (!urandom) {
92 fprintf(stderr, "Failed to open /dev/urandom. Cannot procceed!\n");
93 exit(-2);
94 }
95 }
96
97 for (v = 0, i = 0; i < 4; i++) {
98 do {
99 if (!fread(&byte, 1, 1, urandom)) {
100 fprintf(stderr, "Failed to read /dev/urandom. Cannot procceed!\n");
101 exit(-3);
102 }
103 } while (!byte);
104
105 v = (v << 8) | byte;
106 }
107
108 return v;
109 }
110
cleanup(void)111 static void cleanup(void)
112 {
113 if (urandom)
114 fclose(urandom);
115 }
116
117 struct RsaData {
118 uint32_t num[RSA_LIMBS];
119 uint32_t exponent[RSA_LIMBS];
120 uint32_t modulus[RSA_LIMBS];
121 struct RsaState state;
122 };
123
validateSignature(uint8_t * sigPack,struct RsaData * rsa,bool verbose,uint32_t * refHash,bool preset)124 static bool validateSignature(uint8_t *sigPack, struct RsaData *rsa, bool verbose, uint32_t *refHash, bool preset)
125 {
126 int i;
127 const uint32_t *rsaResult;
128 const uint32_t *le32SigPack = (const uint32_t*)sigPack;
129 //convert to native uint32_t; ignore possible alignment issues
130 for (i = 0; i < RSA_LIMBS; i++)
131 rsa->num[i] = le32toh(le32SigPack[i]);
132 //update the user
133 if (verbose)
134 printHashRev(stderr, "RSA cyphertext", rsa->num, RSA_LIMBS);
135 if (!preset)
136 memcpy(rsa->modulus, sigPack + RSA_BYTES, RSA_BYTES);
137
138 //do rsa op
139 rsaResult = rsaPubOp(&rsa->state, rsa->num, rsa->modulus);
140
141 //update the user
142 if (verbose)
143 printHashRev(stderr, "RSA plaintext", rsaResult, RSA_LIMBS);
144
145 //verify padding is appropriate and valid
146 if ((rsaResult[RSA_LIMBS - 1] & 0xffff0000) != 0x00020000) {
147 fprintf(stderr, "Padding header is invalid\n");
148 return false;
149 }
150
151 //verify first two bytes of padding
152 if (!(rsaResult[RSA_LIMBS - 1] & 0xff00) || !(rsaResult[RSA_LIMBS - 1] & 0xff)) {
153 fprintf(stderr, "Padding bytes 0..1 are invalid\n");
154 return false;
155 }
156
157 //verify last 3 bytes of padding and the zero terminator
158 if (!(rsaResult[8] & 0xff000000) || !(rsaResult[8] & 0xff0000) || !(rsaResult[8] & 0xff00) || (rsaResult[8] & 0xff)) {
159 fprintf(stderr, "Padding last bytes & terminator invalid\n");
160 return false;
161 }
162
163 //verify middle padding bytes
164 for (i = 9; i < RSA_LIMBS - 1; i++) {
165 if (!(rsaResult[i] & 0xff000000) || !(rsaResult[i] & 0xff0000) || !(rsaResult[i] & 0xff00) || !(rsaResult[i] & 0xff)) {
166 fprintf(stderr, "Padding word %d invalid\n", i);
167 return false;
168 }
169 }
170 if (verbose) {
171 printHash(stderr, "Recovered hash ", rsaResult, SHA2_HASH_WORDS);
172 printHash(stderr, "Calculated hash", refHash, SHA2_HASH_WORDS);
173 }
174
175 if (!preset) {
176 // we're doing full verification, with key extracted from signature pack
177 if (memcmp(rsaResult, refHash, SHA2_HASH_SIZE)) {
178 fprintf(stderr, "hash mismatch\n");
179 return false;
180 }
181 } else {
182 // we just decode the signature with key passed as an argument
183 // in this case we return recovered hash
184 memcpy(refHash, rsaResult, SHA2_HASH_SIZE);
185 }
186 return true;
187 }
188
189 #define SIGNATURE_BLOCK_SIZE (2 * RSA_BYTES)
190
handleConvertKey(uint8_t ** pbuf,uint32_t bufUsed,FILE * out,struct RsaData * rsa)191 static int handleConvertKey(uint8_t **pbuf, uint32_t bufUsed, FILE *out, struct RsaData *rsa)
192 {
193 bool haveNonzero = false;
194 uint8_t *buf = *pbuf;
195 int i, c;
196 uint32_t pos = 0;
197 int ret;
198
199 for (i = 0; i < (int)RSA_BYTES; i++) {
200
201 //get a byte, skipping all zeroes (openssl likes to prepend one at times)
202 do {
203 c = getHexEncodedByte(buf, &pos, bufUsed);
204 } while (c == 0 && !haveNonzero);
205 haveNonzero = true;
206 if (c < 0) {
207 fprintf(stderr, "Invalid text RSA input data\n");
208 return 2;
209 }
210
211 buf[i] = c;
212 }
213
214 // change form BE to native; ignore alignment
215 uint32_t *be32Buf = (uint32_t*)buf;
216 for (i = 0; i < RSA_LIMBS; i++)
217 rsa->num[RSA_LIMBS - i - 1] = be32toh(be32Buf[i]);
218
219 //output in our binary format (little-endian)
220 ret = fwrite(rsa->num, 1, RSA_BYTES, out) == RSA_BYTES ? 0 : 2;
221 fprintf(stderr, "Conversion status: %d\n", ret);
222
223 return ret;
224 }
225
handleVerify(uint8_t ** pbuf,uint32_t bufUsed,struct RsaData * rsa,bool verbose,bool bareData)226 static int handleVerify(uint8_t **pbuf, uint32_t bufUsed, struct RsaData *rsa, bool verbose, bool bareData)
227 {
228 struct Sha2state shaState;
229 uint8_t *buf = *pbuf;
230 uint32_t masterPubKey[RSA_LIMBS];
231
232 memcpy(masterPubKey, rsa->modulus, RSA_BYTES);
233 if (!bareData) {
234 struct ImageHeader *image = (struct ImageHeader *)buf;
235 struct AppSecSignHdr *secHdr = (struct AppSecSignHdr *)&image[1];
236 int block = 0;
237 uint8_t *sigPack;
238 bool trusted = false;
239 bool lastTrusted = false;
240 int sigData;
241
242 if (bufUsed < (sizeof(*image) + sizeof(*secHdr))) {
243 fprintf(stderr, "Invalid signature header: file is too short\n");
244 return 2;
245 }
246
247 if (verbose)
248 fprintf(stderr, "Original Data len=%" PRIu32 " b; file size=%" PRIu32 " b; diff=%" PRIu32 " b\n",
249 secHdr->appDataLen, bufUsed, bufUsed - secHdr->appDataLen);
250
251 if (!(image->aosp.flags & NANOAPP_SIGNED_FLAG)) {
252 fprintf(stderr, "image is not marked as signed, can not verify\n");
253 return 2;
254 }
255 sigData = bufUsed - (secHdr->appDataLen + sizeof(*image) + sizeof(*secHdr));
256 if (sigData <= 0 || (sigData % SIGNATURE_BLOCK_SIZE) != 0) {
257 fprintf(stderr, "Invalid signature header: data size mismatch\n");
258 return 2;
259 }
260
261 sha2init(&shaState);
262 sha2processBytes(&shaState, buf, bufUsed - sigData);
263 int nSig = sigData / SIGNATURE_BLOCK_SIZE;
264 sigPack = buf + bufUsed - sigData;
265 for (block = 0; block < nSig; ++block) {
266 if (!validateSignature(sigPack, rsa, verbose, (uint32_t*)sha2finish(&shaState), false)) {
267 fprintf(stderr, "Signature verification failed: signature block #%d\n", block);
268 return 2;
269 }
270 if (memcmp(masterPubKey, rsa->modulus, RSA_BYTES) == 0) {
271 fprintf(stderr, "Key in block %d is trusted\n", block);
272 trusted = true;
273 lastTrusted = true;
274 } else {
275 lastTrusted = false;
276 }
277 sha2init(&shaState);
278 sha2processBytes(&shaState, sigPack+RSA_BYTES, RSA_BYTES);
279 sigPack += SIGNATURE_BLOCK_SIZE;
280 }
281 if (trusted && !lastTrusted) {
282 fprintf(stderr, "Trusted key is not the last in key sequence\n");
283 }
284 return trusted ? 0 : 2;
285 } else {
286 uint8_t *sigPack = buf + bufUsed - SIGNATURE_BLOCK_SIZE;
287 uint32_t *hash;
288 // can not do signature chains in bare mode
289 if (bufUsed > SIGNATURE_BLOCK_SIZE) {
290 sha2init(&shaState);
291 sha2processBytes(&shaState, buf, bufUsed - SIGNATURE_BLOCK_SIZE);
292 hash = (uint32_t*)sha2finish(&shaState);
293 printHash(stderr, "File hash", hash, SHA2_HASH_WORDS);
294 if (verbose)
295 printHashRev(stderr, "File PubKey", (uint32_t *)(sigPack + RSA_BYTES), RSA_LIMBS);
296 if (!validateSignature(sigPack, rsa, verbose, hash, false)) {
297 fprintf(stderr, "Signature verification failed on raw data\n");
298 return 2;
299 }
300 if (memcmp(masterPubKey, sigPack + RSA_BYTES, RSA_BYTES) == 0) {
301 fprintf(stderr, "Signature verification passed and the key is trusted\n");
302 return 0;
303 } else {
304 fprintf(stderr, "Signature verification passed but the key is not trusted\n");
305 return 2;
306 }
307 } else {
308 fprintf(stderr, "Not enough raw data to extract signature from\n");
309 return 2;
310 }
311 }
312
313 return 0;
314 }
315
handleSign(uint8_t ** pbuf,uint32_t bufUsed,FILE * out,struct RsaData * rsa,bool verbose,bool bareData)316 static int handleSign(uint8_t **pbuf, uint32_t bufUsed, FILE *out, struct RsaData *rsa, bool verbose, bool bareData)
317 {
318 struct Sha2state shaState;
319 uint8_t *buf = *pbuf;
320 uint32_t i;
321 const uint32_t *hash;
322 const uint32_t *rsaResult;
323 int ret;
324
325 if (!bareData) {
326 struct ImageHeader *image = (struct ImageHeader *)buf;
327 struct AppSecSignHdr *secHdr = (struct AppSecSignHdr *)&image[1];
328 uint32_t grow = sizeof(*secHdr);
329 if (!(image->aosp.flags & NANOAPP_SIGNED_FLAG)) {
330 // this is the 1st signature in the chain; inject header, set flag
331 buf = reallocOrDie(buf, bufUsed + grow);
332 *pbuf = buf;
333 image = (struct ImageHeader *)buf;
334 secHdr = (struct AppSecSignHdr *)&image[1];
335
336 fprintf(stderr, "Generating signature header\n");
337 image->aosp.flags |= NANOAPP_SIGNED_FLAG;
338 memmove((uint8_t*)&image[1] + grow, &image[1], bufUsed - sizeof(*image));
339 secHdr->appDataLen = bufUsed - sizeof(*image);
340 bufUsed += grow;
341 fprintf(stderr, "Rehashing file\n");
342 sha2init(&shaState);
343 sha2processBytes(&shaState, buf, bufUsed);
344 } else {
345 int sigSz = bufUsed - sizeof(*image) - sizeof(*secHdr) - secHdr->appDataLen;
346 int numSigs = sigSz / SIGNATURE_BLOCK_SIZE;
347 if ((numSigs * (int)SIGNATURE_BLOCK_SIZE) != sigSz) {
348 fprintf(stderr, "Invalid signature block(s) detected\n");
349 return 2;
350 } else {
351 fprintf(stderr, "Found %d appended signature(s)\n", numSigs);
352 // generating SHA256 of the last PubKey in chain
353 fprintf(stderr, "Hashing last signature's PubKey\n");
354 sha2init(&shaState);
355 sha2processBytes(&shaState, buf + bufUsed- RSA_BYTES, RSA_BYTES);
356 }
357 }
358 } else {
359 fprintf(stderr, "Signing raw data\n");
360 sha2init(&shaState);
361 sha2processBytes(&shaState, buf, bufUsed);
362 }
363
364 //update the user on the progress
365 hash = sha2finish(&shaState);
366 if (verbose)
367 printHash(stderr, "SHA2 hash", hash, SHA2_HASH_WORDS);
368
369 memcpy(rsa->num, hash, SHA2_HASH_SIZE);
370
371 i = SHA2_HASH_WORDS;
372 //write padding
373 rsa->num[i++] = rand32_no_zero_bytes() << 8; //low byte here must be zero as per padding spec
374 for (;i < RSA_LIMBS - 1; i++)
375 rsa->num[i] = rand32_no_zero_bytes();
376 rsa->num[i] = (rand32_no_zero_bytes() >> 16) | 0x00020000; //as per padding spec
377
378 //update the user
379 if (verbose)
380 printHashRev(stderr, "RSA plaintext", rsa->num, RSA_LIMBS);
381
382 //do the RSA thing
383 fprintf(stderr, "Retriculating splines...");
384 rsaResult = rsaPrivOp(&rsa->state, rsa->num, rsa->exponent, rsa->modulus);
385 fprintf(stderr, "DONE\n");
386
387 //update the user
388 if (verbose)
389 printHashRev(stderr, "RSA cyphertext", rsaResult, RSA_LIMBS);
390
391 // output in a format that our microcontroller will be able to digest easily & directly
392 // (an array of bytes representing little-endian 32-bit words)
393 fwrite(buf, 1, bufUsed, out);
394 fwrite(rsaResult, 1, sizeof(uint32_t[RSA_LIMBS]), out);
395 ret = (fwrite(rsa->modulus, 1, RSA_BYTES, out) == RSA_BYTES) ? 0 : 2;
396
397 fprintf(stderr, "Status: %s (%d)\n", ret == 0 ? "success" : "failed", ret);
398 return ret;
399
400 }
401
fatalUsage(const char * name,const char * msg,const char * arg)402 static void fatalUsage(const char *name, const char *msg, const char *arg)
403 {
404 if (msg && arg)
405 fprintf(stderr, "Error: %s: %s\n\n", msg, arg);
406 else if (msg)
407 fprintf(stderr, "Error: %s\n\n", msg);
408
409 fprintf(stderr, "USAGE: %s [-v] [-e <pvt key>] [-m <pub key>] [-t] [-s] [-b] <input file> [<output file>]\n"
410 " -v : be verbose\n"
411 " -b : generate binary key from text file created by OpenSSL\n"
412 " -s : sign post-processed file\n"
413 " -t : verify signature of signed post-processed file\n"
414 " -e : RSA binary private key\n"
415 " -m : RSA binary public key\n"
416 " -r : do not parse headers, do not generate headers (with -t, -s)\n"
417 , name);
418 exit(1);
419 }
420
main(int argc,char ** argv)421 int main(int argc, char **argv)
422 {
423 uint32_t bufUsed = 0;
424 uint8_t *buf = NULL;
425 int ret = -1;
426 const char **strArg = NULL;
427 const char *appName = argv[0];
428 const char *posArg[2] = { NULL };
429 uint32_t posArgCnt = 0;
430 FILE *out = NULL;
431 const char *prev = NULL;
432 bool verbose = false;
433 bool sign = false;
434 bool verify = false;
435 bool txt2bin = false;
436 bool bareData = false;
437 const char *keyPvtFile = NULL;
438 const char *keyPubFile = NULL;
439 int multi = 0;
440 struct RsaData rsa;
441 struct ImageHeader *image;
442
443 //it might not matter, but we still like to try to cleanup after ourselves
444 (void)atexit(cleanup);
445
446 for (int i = 1; i < argc; i++) {
447 if (argv[i][0] == '-') {
448 prev = argv[i];
449 if (!strcmp(argv[i], "-v"))
450 verbose = true;
451 else if (!strcmp(argv[i], "-s"))
452 sign = true;
453 else if (!strcmp(argv[i], "-t"))
454 verify = true;
455 else if (!strcmp(argv[i], "-b"))
456 txt2bin = true;
457 else if (!strcmp(argv[i], "-e"))
458 strArg = &keyPvtFile;
459 else if (!strcmp(argv[i], "-m"))
460 strArg = &keyPubFile;
461 else if (!strcmp(argv[i], "-r"))
462 bareData = true;
463 else
464 fatalUsage(appName, "unknown argument", argv[i]);
465 } else {
466 if (strArg) {
467 *strArg = argv[i];
468 strArg = NULL;
469 } else {
470 if (posArgCnt < 2)
471 posArg[posArgCnt++] = argv[i];
472 else
473 fatalUsage(appName, "too many positional arguments", argv[i]);
474 }
475 prev = 0;
476 }
477 }
478 if (prev)
479 fatalUsage(appName, "missing argument after", prev);
480
481 if (!posArgCnt)
482 fatalUsage(appName, "missing input file name", NULL);
483
484 if (sign)
485 multi++;
486 if (verify)
487 multi++;
488 if (txt2bin)
489 multi++;
490
491 if (multi != 1)
492 fatalUsage(appName, "select either -s, -t, or -b", NULL);
493
494 memset(&rsa, 0, sizeof(rsa));
495
496 if (sign && !(keyPvtFile && keyPubFile))
497 fatalUsage(appName, "We need both PUB (-m) and PVT (-e) keys for signing", NULL);
498
499 if (verify && (!keyPubFile || keyPvtFile))
500 fatalUsage(appName, "We only need PUB (-m) key for signature checking", NULL);
501
502 if (keyPvtFile) {
503 if (!readFile(rsa.exponent, sizeof(rsa.exponent), keyPvtFile))
504 fatalUsage(appName, "Can't read PVT key from", keyPvtFile);
505 #ifdef DEBUG_KEYS
506 else if (verbose)
507 printHashRev(stderr, "RSA exponent", rsa.exponent, RSA_LIMBS);
508 #endif
509 }
510
511 if (keyPubFile) {
512 if (!readFile(rsa.modulus, sizeof(rsa.modulus), keyPubFile))
513 fatalUsage(appName, "Can't read PUB key from", keyPubFile);
514 else if (verbose)
515 printHashRev(stderr, "RSA modulus", rsa.modulus, RSA_LIMBS);
516 }
517
518 buf = loadFile(posArg[0], &bufUsed);
519 fprintf(stderr, "Read %" PRIu32 " bytes\n", bufUsed);
520
521 image = (struct ImageHeader *)buf;
522 if (!bareData && !txt2bin) {
523 if (bufUsed >= sizeof(*image) &&
524 image->aosp.header_version == 1 &&
525 image->aosp.magic == NANOAPP_AOSP_MAGIC &&
526 image->layout.magic == GOOGLE_LAYOUT_MAGIC) {
527 fprintf(stderr, "Found AOSP header\n");
528 } else {
529 fprintf(stderr, "Unknown binary format\n");
530 return 2;
531 }
532 }
533
534 if (!posArg[1])
535 out = stdout;
536 else
537 out = fopen(posArg[1], "w");
538 if (!out)
539 fatalUsage(appName, "failed to create/open output file", posArg[1]);
540
541 if (sign)
542 ret = handleSign(&buf, bufUsed, out, &rsa, verbose, bareData);
543 else if (verify)
544 ret = handleVerify(&buf, bufUsed, &rsa, verbose, bareData);
545 else if (txt2bin)
546 ret = handleConvertKey(&buf, bufUsed, out, &rsa);
547
548 free(buf);
549 fclose(out);
550 return ret;
551 }
552