1 //
2 // Copyright (C) 2014 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include "update_engine/payload_consumer/payload_verifier.h"
18 
19 #include <utility>
20 #include <vector>
21 
22 #include <base/logging.h>
23 #include <openssl/pem.h>
24 
25 #include "update_engine/common/constants.h"
26 #include "update_engine/common/hash_calculator.h"
27 #include "update_engine/common/utils.h"
28 #include "update_engine/payload_consumer/certificate_parser_interface.h"
29 #include "update_engine/update_metadata.pb.h"
30 
31 using std::string;
32 
33 namespace chromeos_update_engine {
34 
35 namespace {
36 
37 // The ASN.1 DigestInfo prefix for encoding SHA256 digest. The complete 51-byte
38 // DigestInfo consists of 19-byte SHA256_DIGEST_INFO_PREFIX and 32-byte SHA256
39 // digest.
40 //
41 // SEQUENCE(2+49) {
42 //   SEQUENCE(2+13) {
43 //     OBJECT(2+9) id-sha256
44 //     NULL(2+0)
45 //   }
46 //   OCTET STRING(2+32) <actual signature bytes...>
47 // }
48 const uint8_t kSHA256DigestInfoPrefix[] = {
49     0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
50     0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
51 };
52 
53 }  // namespace
54 
55 std::unique_ptr<PayloadVerifier> PayloadVerifier::CreateInstance(
56     const std::string& pem_public_key) {
57   std::unique_ptr<BIO, decltype(&BIO_free)> bp(
58       BIO_new_mem_buf(pem_public_key.data(), pem_public_key.size()), BIO_free);
59   if (!bp) {
60     LOG(ERROR) << "Failed to read " << pem_public_key << " into buffer.";
61     return nullptr;
62   }
63 
64   auto pub_key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(
65       PEM_read_bio_PUBKEY(bp.get(), nullptr, nullptr, nullptr), EVP_PKEY_free);
66   if (!pub_key) {
67     LOG(ERROR) << "Failed to parse the public key in: " << pem_public_key;
68     return nullptr;
69   }
70 
71   std::vector<std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>> keys;
72   keys.emplace_back(std::move(pub_key));
73   return std::unique_ptr<PayloadVerifier>(new PayloadVerifier(std::move(keys)));
74 }
75 
76 std::unique_ptr<PayloadVerifier> PayloadVerifier::CreateInstanceFromZipPath(
77     const std::string& certificate_zip_path) {
78   auto parser = CreateCertificateParser();
79   if (!parser) {
80     LOG(ERROR) << "Failed to create certificate parser from "
81                << certificate_zip_path;
82     return nullptr;
83   }
84 
85   std::vector<std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>> public_keys;
86   if (!parser->ReadPublicKeysFromCertificates(certificate_zip_path,
87                                               &public_keys) ||
88       public_keys.empty()) {
89     LOG(ERROR) << "Failed to parse public keys in: " << certificate_zip_path;
90     return nullptr;
91   }
92 
93   return std::unique_ptr<PayloadVerifier>(
94       new PayloadVerifier(std::move(public_keys)));
95 }
96 
97 bool PayloadVerifier::VerifySignature(
98     const string& signature_proto, const brillo::Blob& sha256_hash_data) const {
99   TEST_AND_RETURN_FALSE(!public_keys_.empty());
100 
101   Signatures signatures;
102   LOG(INFO) << "signature blob size = " << signature_proto.size();
103   TEST_AND_RETURN_FALSE(signatures.ParseFromString(signature_proto));
104 
105   if (!signatures.signatures_size()) {
106     LOG(ERROR) << "No signatures stored in the blob.";
107     return false;
108   }
109 
110   std::vector<brillo::Blob> tested_hashes;
111   // Tries every signature in the signature blob.
112   for (int i = 0; i < signatures.signatures_size(); i++) {
113     const Signatures::Signature& signature = signatures.signatures(i);
114     brillo::Blob sig_data;
115     if (signature.has_unpadded_signature_size()) {
116       TEST_AND_RETURN_FALSE(signature.unpadded_signature_size() <=
117                             signature.data().size());
118       LOG(INFO) << "Truncating the signature to its unpadded size: "
119                 << signature.unpadded_signature_size() << ".";
120       sig_data.assign(
121           signature.data().begin(),
122           signature.data().begin() + signature.unpadded_signature_size());
123     } else {
124       sig_data.assign(signature.data().begin(), signature.data().end());
125     }
126 
127     brillo::Blob sig_hash_data;
128     if (VerifyRawSignature(sig_data, sha256_hash_data, &sig_hash_data)) {
129       LOG(INFO) << "Verified correct signature " << i + 1 << " out of "
130                 << signatures.signatures_size() << " signatures.";
131       return true;
132     }
133     if (!sig_hash_data.empty()) {
134       tested_hashes.push_back(sig_hash_data);
135     }
136   }
137   LOG(ERROR) << "None of the " << signatures.signatures_size()
138              << " signatures is correct. Expected hash before padding:";
139   utils::HexDumpVector(sha256_hash_data);
140   LOG(ERROR) << "But found RSA decrypted hashes:";
141   for (const auto& sig_hash_data : tested_hashes) {
142     utils::HexDumpVector(sig_hash_data);
143   }
144   return false;
145 }
146 
147 bool PayloadVerifier::VerifyRawSignature(
148     const brillo::Blob& sig_data,
149     const brillo::Blob& sha256_hash_data,
150     brillo::Blob* decrypted_sig_data) const {
151   TEST_AND_RETURN_FALSE(!public_keys_.empty());
152 
153   for (const auto& public_key : public_keys_) {
154     int key_type = EVP_PKEY_id(public_key.get());
155     if (key_type == EVP_PKEY_RSA) {
156       brillo::Blob sig_hash_data;
157       if (!GetRawHashFromSignature(
158               sig_data, public_key.get(), &sig_hash_data)) {
159         LOG(WARNING)
160             << "Failed to get the raw hash with RSA key. Trying other keys.";
161         continue;
162       }
163 
164       if (decrypted_sig_data != nullptr) {
165         *decrypted_sig_data = sig_hash_data;
166       }
167 
168       brillo::Blob padded_hash_data = sha256_hash_data;
169       TEST_AND_RETURN_FALSE(
170           PadRSASHA256Hash(&padded_hash_data, sig_hash_data.size()));
171 
172       if (padded_hash_data == sig_hash_data) {
173         return true;
174       }
175     }
176 
177     if (key_type == EVP_PKEY_EC) {
178       EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(public_key.get());
179       TEST_AND_RETURN_FALSE(ec_key != nullptr);
180       if (ECDSA_verify(0,
181                        sha256_hash_data.data(),
182                        sha256_hash_data.size(),
183                        sig_data.data(),
184                        sig_data.size(),
185                        ec_key) == 1) {
186         return true;
187       }
188     }
189 
190     LOG(ERROR) << "Unsupported key type " << key_type;
191     return false;
192   }
193   LOG(INFO) << "Failed to verify the signature with " << public_keys_.size()
194             << " keys.";
195   return false;
196 }
197 
198 bool PayloadVerifier::GetRawHashFromSignature(
199     const brillo::Blob& sig_data,
200     const EVP_PKEY* public_key,
201     brillo::Blob* out_hash_data) const {
202   // The code below executes the equivalent of:
203   //
204   // openssl rsautl -verify -pubin -inkey <(echo pem_public_key)
205   //   -in |sig_data| -out |out_hash_data|
206   RSA* rsa = EVP_PKEY_get0_RSA(public_key);
207 
208   TEST_AND_RETURN_FALSE(rsa != nullptr);
209   unsigned int keysize = RSA_size(rsa);
210   if (sig_data.size() > 2 * keysize) {
211     LOG(ERROR) << "Signature size is too big for public key size.";
212     return false;
213   }
214 
215   // Decrypts the signature.
216   brillo::Blob hash_data(keysize);
217   int decrypt_size = RSA_public_decrypt(
218       sig_data.size(), sig_data.data(), hash_data.data(), rsa, RSA_NO_PADDING);
219   TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
220                         decrypt_size <= static_cast<int>(hash_data.size()));
221   hash_data.resize(decrypt_size);
222   out_hash_data->swap(hash_data);
223   return true;
224 }
225 
226 bool PayloadVerifier::PadRSASHA256Hash(brillo::Blob* hash, size_t rsa_size) {
227   TEST_AND_RETURN_FALSE(hash->size() == kSHA256Size);
228   TEST_AND_RETURN_FALSE(rsa_size == 256 || rsa_size == 512);
229 
230   // The following is a standard PKCS1-v1_5 padding for SHA256 signatures, as
231   // defined in RFC3447 section 9.2. It is prepended to the actual signature
232   // (32 bytes) to form a sequence of 256|512 bytes (2048|4096 bits) that is
233   // amenable to RSA signing. The padded hash will look as follows:
234   //
235   //    0x00 0x01 0xff ... 0xff 0x00  ASN1HEADER  SHA256HASH
236   //   |-----------205|461----------||----19----||----32----|
237   size_t padding_string_size =
238       rsa_size - hash->size() - sizeof(kSHA256DigestInfoPrefix) - 3;
239   brillo::Blob padded_result = brillo::CombineBlobs({
240       {0x00, 0x01},
241       brillo::Blob(padding_string_size, 0xff),
242       {0x00},
243       brillo::Blob(kSHA256DigestInfoPrefix,
244                    kSHA256DigestInfoPrefix + sizeof(kSHA256DigestInfoPrefix)),
245       *hash,
246   });
247 
248   *hash = std::move(padded_result);
249   TEST_AND_RETURN_FALSE(hash->size() == rsa_size);
250   return true;
251 }
252 
253 }  // namespace chromeos_update_engine
254