tequilaOS/platform_bootable_recovery
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Use BoringSSL instead of mincrypt to speed up package verification.

Browse source 
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.

Cherry-pick of 452df6d99c, with
merge conflict resolution, extra logging in verifier.cpp, and
an increase in the hash chunk size from 4KiB to 1MiB.

Bug: http://b/28135231
Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
This commit is contained in:
Elliott Hughes 2016-04-13 16:39:56 -07:00
parent a58a6dbe3d
commit 8febafa67e
10 changed files with 284 additions and 256 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
Android.mk
View file

@ -23,7 +23,7 @@ LOCAL_CFLAGS += -D_XOPEN_SOURCE -D_GNU_SOURCE
LOCAL_MODULE := libfusesideload
LOCAL_STATIC_LIBRARIES := libcutils libc libmincrypt
LOCAL_STATIC_LIBRARIES := libcutils libc libcrypto_static
include $(BUILD_STATIC_LIBRARY)
include $(CLEAR_VARS)
@ -71,12 +71,12 @@ LOCAL_STATIC_LIBRARIES := \
libminzip \
libz \
libmtdutils \
libmincrypt \
libminadbd \
libfusesideload \
libminui \
libpng \
libfs_mgr \
libcrypto_static \
libbase \
libcutils \
libutils \
@ -136,6 +136,7 @@ LOCAL_SRC_FILES := \
asn1_decoder.cpp \
verifier.cpp \
ui.cpp
LOCAL_STATIC_LIBRARIES := libcrypto_static
include $(BUILD_STATIC_LIBRARY)
include $(LOCAL_PATH)/minui/Android.mk \

19
fuse_sideload.cpp
View file

@ -61,7 +61,8 @@
#include <sys/uio.h>
#include <unistd.h>
#include "mincrypt/sha256.h"
#include <openssl/sha.h>
#include "fuse_sideload.h"
#define PACKAGE_FILE_ID (FUSE_ROOT_ID+1)
@ -269,22 +270,22 @@ static int fetch_block(struct fuse_data* fd, uint32_t block) {
// block).
// - Otherwise, return -EINVAL for the read.
uint8_t hash[SHA256_DIGEST_SIZE];
SHA256_hash(fd->block_data, fd->block_size, hash);
uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_SIZE;
if (memcmp(hash, blockhash, SHA256_DIGEST_SIZE) == 0) {
uint8_t hash[SHA256_DIGEST_LENGTH];
SHA256(fd->block_data, fd->block_size, hash);
uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_LENGTH;
if (memcmp(hash, blockhash, SHA256_DIGEST_LENGTH) == 0) {
return 0;
}
int i;
for (i = 0; i < SHA256_DIGEST_SIZE; ++i) {
for (i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
if (blockhash[i] != 0) {
fd->curr_block = -1;
return -EIO;
}
}
memcpy(blockhash, hash, SHA256_DIGEST_SIZE);
memcpy(blockhash, hash, SHA256_DIGEST_LENGTH);
return 0;
}
@ -393,10 +394,10 @@ int run_fuse_sideload(struct provider_vtab* vtab, void* cookie,
goto done;
}
fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_SIZE);
fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_LENGTH);
if (fd.hashes == NULL) {
fprintf(stderr, "failed to allocate %d bites for hashes\n",
fd.file_blocks * SHA256_DIGEST_SIZE);
fd.file_blocks * SHA256_DIGEST_LENGTH);
result = -1;
goto done;
}

17
install.cpp
View file

@ -23,19 +23,19 @@
#include <sys/wait.h>
#include <unistd.h>
#include <chrono>
#include <vector>
#include "common.h"
#include "install.h"
#include "mincrypt/rsa.h"
#include "minui/minui.h"
#include "minzip/SysUtil.h"
#include "minzip/Zip.h"
#include "mtdutils/mounts.h"
#include "mtdutils/mtdutils.h"
#include "roots.h"
#include "verifier.h"
#include "ui.h"
#include "verifier.h"
extern RecoveryUI* ui;
@ -229,6 +229,7 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount)
return INSTALL_CORRUPT;
}
// Load keys.
std::vector<Certificate> loadedKeys;
if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
LOGE("Failed to load keys\n");
@ -236,18 +237,19 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount)
}
LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
// Verify package.
ui->Print("Verifying update package...\n");
auto t0 = std::chrono::system_clock::now();
int err = verify_file(map.addr, map.length, loadedKeys);
LOGI("verify_file returned %d\n", err);
std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
if (err != VERIFY_SUCCESS) {
LOGE("signature verification failed\n");
sysReleaseMap(&map);
return INSTALL_CORRUPT;
}
/* Try to open the package.
*/
// Try to open the package.
ZipArchive zip;
err = mzOpenZipArchive(map.addr, map.length, &zip);
if (err != 0) {
@ -256,8 +258,7 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount)
return INSTALL_CORRUPT;
}
/* Verify and install the contents of the package.
*/
// Verify and install the contents of the package.
ui->Print("Installing update...\n");
ui->SetEnableReboot(false);
int result = try_update_binary(path, &zip, wipe_cache);

1
tests/Android.mk
View file

@ -45,7 +45,6 @@ LOCAL_STATIC_LIBRARIES := \
libmtdutils \
libbase \
libverifier \
libmincrypt \
libcrypto_static \
libminui \
libminzip \

131
tests/component/verifier_test.cpp
View file

@ -19,19 +19,19 @@
#include <gtest/gtest.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <memory>
#include <string>
#include <vector>
#include <openssl/sha.h>
#include <android-base/stringprintf.h>
#include "common.h"
#include "common/test_constants.h"
#include "mincrypt/sha.h"
#include "mincrypt/sha256.h"
#include "minzip/SysUtil.h"
#include "ui.h"
#include "verifier.h"
@ -39,94 +39,6 @@
static const char* DATA_PATH = getenv("ANDROID_DATA");
static const char* TESTDATA_PATH = "/recovery/testdata/";
// This is build/target/product/security/testkey.x509.pem after being
// dumped out by dumpkey.jar.
RSAPublicKey test_key =
{ 64, 0xc926ad21,
{ 0x6afee91fu, 0x7fa31d5bu, 0x38a0b217u, 0x99df9baeu,
0xfe72991du, 0x727d3c04u, 0x20943f99u, 0xd08e7826u,
0x69e7c8a2u, 0xdeeccc8eu, 0x6b9af76fu, 0x553311c4u,
0x07b9e247u, 0x54c8bbcau, 0x6a540d81u, 0x48dbf567u,
0x98c92877u, 0x134fbfdeu, 0x01b32564u, 0x24581948u,
0x6cddc3b8u, 0x0cd444dau, 0xfe0381ccu, 0xf15818dfu,
0xc06e6d42u, 0x2e2f6412u, 0x093a6737u, 0x94d83b31u,
0xa466c87au, 0xb3f284a0u, 0xa694ec2cu, 0x053359e6u,
0x9717ee6au, 0x0732e080u, 0x220d5008u, 0xdc4af350u,
0x93d0a7c3u, 0xe330c9eau, 0xcac3da1eu, 0x8ebecf8fu,
0xc2be387fu, 0x38a14e89u, 0x211586f0u, 0x18b846f5u,
0x43be4c72u, 0xb578c204u, 0x1bbfb230u, 0xf1e267a8u,
0xa2d3e656u, 0x64b8e4feu, 0xe7e83d4bu, 0x3e77a943u,
0x3559ffd9u, 0x0ebb0f99u, 0x0aa76ce6u, 0xd3786ea7u,
0xbca8cd6bu, 0x068ca8e8u, 0xeb1de2ffu, 0x3e3ecd6cu,
0xe0d9d825u, 0xb1edc762u, 0xdec60b24u, 0xd6931904u},
{ 0xccdcb989u, 0xe19281f9u, 0xa6e80accu, 0xb7f40560u,
0x0efb0bccu, 0x7f12b0bbu, 0x1e90531au, 0x136d95d0u,
0x9e660665u, 0x7d54918fu, 0xe3b93ea2u, 0x2f415d10u,
0x3d2df6e6u, 0x7a627ecfu, 0xa6f22d70u, 0xb995907au,
0x09de16b2u, 0xfeb8bd61u, 0xf24ec294u, 0x716a427fu,
0x2e12046fu, 0xeaf3d56au, 0xd9b873adu, 0x0ced340bu,
0xbc9cec09u, 0x73c65903u, 0xee39ce9bu, 0x3eede25au,
0x397633b7u, 0x2583c165u, 0x8514f97du, 0xe9166510u,
0x0b6fae99u, 0xa47139fdu, 0xdb8352f0u, 0xb2ad7f2cu,
0xa11552e2u, 0xd4d490a7u, 0xe11e8568u, 0xe9e484dau,
0xd3ef8449u, 0xa47055dau, 0x4edd9557u, 0x03a78ba1u,
0x770e130du, 0x16762facu, 0x0cbdfcc4u, 0xf3070540u,
0x008b6515u, 0x60e7e1b7u, 0xa72cf7f9u, 0xaff86e39u,
0x4296faadu, 0xfc90430eu, 0x6cc8f377u, 0xb398fd43u,
0x423c5997u, 0x991d59c4u, 0x6464bf73u, 0x96431575u,
0x15e3d207u, 0x30532a7au, 0x8c4be618u, 0x460a4d76u },
3
};
RSAPublicKey test_f4_key =
{ 64, 0xc9bd1f21,
{ 0x1178db1fu, 0xbf5d0e55u, 0x3393a165u, 0x0ef4c287u,
0xbc472a4au, 0x383fc5a1u, 0x4a13b7d2u, 0xb1ff2ac3u,
0xaf66b4d9u, 0x9280acefu, 0xa2165bdbu, 0x6a4d6e5cu,
0x08ea676bu, 0xb7ac70c7u, 0xcd158139u, 0xa635ccfeu,
0xa46ab8a8u, 0x445a3e8bu, 0xdc81d9bbu, 0x91ce1a20u,
0x68021cdeu, 0x4516eda9u, 0x8d43c30cu, 0xed1eff14u,
0xca387e4cu, 0x58adc233u, 0x4657ab27u, 0xa95b521eu,
0xdfc0e30cu, 0x394d64a1u, 0xc6b321a1u, 0x2ca22cb8u,
0xb1892d5cu, 0x5d605f3eu, 0x6025483cu, 0x9afd5181u,
0x6e1a7105u, 0x03010593u, 0x70acd304u, 0xab957cbfu,
0x8844abbbu, 0x53846837u, 0x24e98a43u, 0x2ba060c1u,
0x8b88b88eu, 0x44eea405u, 0xb259fc41u, 0x0907ad9cu,
0x13003adau, 0xcf79634eu, 0x7d314ec9u, 0xfbbe4c2bu,
0xd84d0823u, 0xfd30fd88u, 0x68d8a909u, 0xfb4572d9u,
0xa21301c2u, 0xd00a4785u, 0x6862b50cu, 0xcfe49796u,
0xdaacbd83u, 0xfb620906u, 0xdf71e0ccu, 0xbbc5b030u },
{ 0x69a82189u, 0x1a8b22f4u, 0xcf49207bu, 0x68cc056au,
0xb206b7d2u, 0x1d449bbdu, 0xe9d342f2u, 0x29daea58u,
0xb19d011au, 0xc62f15e4u, 0x9452697au, 0xb62bb87eu,
0x60f95cc2u, 0x279ebb2du, 0x17c1efd8u, 0xec47558bu,
0xc81334d1u, 0x88fe7601u, 0x79992eb1u, 0xb4555615u,
0x2022ac8cu, 0xc79a4b8cu, 0xb288b034u, 0xd6b942f0u,
0x0caa32fbu, 0xa065ba51u, 0x4de9f154u, 0x29f64f6cu,
0x7910af5eu, 0x3ed4636au, 0xe4c81911u, 0x9183f37du,
0x5811e1c4u, 0x29c7a58cu, 0x9715d4d3u, 0xc7e2dce3u,
0x140972ebu, 0xf4c8a69eu, 0xa104d424u, 0x5dabbdfbu,
0x41cb4c6bu, 0xd7f44717u, 0x61785ff7u, 0x5e0bc273u,
0x36426c70u, 0x2aa6f08eu, 0x083badbfu, 0x3cab941bu,
0x8871da23u, 0x1ab3dbaeu, 0x7115a21du, 0xf5aa0965u,
0xf766f562u, 0x7f110225u, 0x86d96a04u, 0xc50a120eu,
0x3a751ca3u, 0xc21aa186u, 0xba7359d0u, 0x3ff2b257u,
0xd116e8bbu, 0xfc1318c0u, 0x070e5b1du, 0x83b759a6u },
65537
};
ECPublicKey test_ec_key =
{
{
{0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu,
0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u}
},
{
{0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au,
0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u}
}
};
RecoveryUI* ui = NULL;
class MockUI : public RecoveryUI {
@ -177,31 +89,34 @@ class VerifierTest : public testing::TestWithParam<std::vector<std::string>> {
virtual void SetUp() {
std::vector<std::string> args = GetParam();
std::string package = android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
TESTDATA_PATH, args[0].c_str());
std::string package =
android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
TESTDATA_PATH, args[0].c_str());
if (sysMapFile(package.c_str(), &memmap) != 0) {
FAIL() << "Failed to mmap " << package << ": " << strerror(errno)
<< "\n";
}
for (auto it = ++(args.cbegin()); it != args.cend(); ++it) {
if (it->substr(it->length() - 3, it->length()) == "256") {
if (certs.empty()) {
FAIL() << "May only specify -sha256 after key type\n";
}
certs.back().hash_len = SHA256_DIGEST_SIZE;
} else if (*it == "ec") {
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::EC,
nullptr, std::unique_ptr<ECPublicKey>(new ECPublicKey(test_ec_key)));
} else if (*it == "e3") {
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
} else if (*it == "f4") {
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_f4_key)), nullptr);
certs.back().hash_len = SHA256_DIGEST_LENGTH;
} else {
std::string public_key_file = android::base::StringPrintf(
"%s%s%stest_key_%s.txt", DATA_PATH, NATIVE_TEST_PATH,
TESTDATA_PATH, it->c_str());
ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
certs.back().hash_len = SHA_DIGEST_LENGTH;
}
}
if (certs.empty()) {
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
}
if (sysMapFile(package.c_str(), &memmap) != 0) {
FAIL() << "Failed to mmap " << package << ": " << strerror(errno) << "\n";
std::string public_key_file = android::base::StringPrintf(
"%s%s%stest_key_e3.txt", DATA_PATH, NATIVE_TEST_PATH,
TESTDATA_PATH);
ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
certs.back().hash_len = SHA_DIGEST_LENGTH;
}
}

1
tests/testdata/test_key_e3.txt vendored Normal file
View file

@ -0,0 +1 @@
{64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}}

1
tests/testdata/test_key_ec.txt vendored Normal file
View file

@ -0,0 +1 @@
v5 {32,{36,250,86,214,202,22,20,147,198,120,2,28,76,190,78,23,106,35,24,96,86,22,186,69,132,93,192,232,0,213,14,103},{222,154,23,13,125,130,22,76,146,185,140,159,138,255,105,143,32,16,27,72,175,145,141,121,233,184,77,24,217,141,132,181}}

1
tests/testdata/test_key_f4.txt vendored Normal file
View file

@ -0,0 +1 @@
v2 {64,0xc9bd1f21,{293133087,3210546773,865313125,250921607,3158780490,943703457,1242806226,2986289859,2942743769,2457906415,2719374299,1783459420,149579627,3081531591,3440738617,2788543742,2758457512,1146764939,3699497403,2446203424,1744968926,1159130537,2370028300,3978231572,3392699980,1487782451,1180150567,2841334302,3753960204,961373345,3333628321,748825784,2978557276,1566596926,1613056060,2600292737,1847226629,50398611,1890374404,2878700735,2286201787,1401186359,619285059,731930817,2340993166,1156490245,2992241729,151498140,318782170,3480838990,2100383433,4223552555,3628927011,4247846280,1759029513,4215632601,2719154626,3490334597,1751299340,3487864726,3668753795,4217506054,3748782284,3150295088},{1772626313,445326068,3477676155,1758201194,2986784722,491035581,3922936562,702212696,2979856666,3324974564,2488428922,3056318590,1626954946,664714029,398585816,3964097931,3356701905,2298377729,2040082097,3025491477,539143308,3348777868,2995302452,3602465520,212480763,2691021393,1307177300,704008044,2031136606,1054106474,3838318865,2441343869,1477566916,700949900,2534790355,3353533667,336163563,4106790558,2701448228,1571536379,1103842411,3623110423,1635278839,1577828979,910322800,715583630,138128831,1017877531,2289162787,447994798,1897243165,4121561445,4150719842,2131821093,2262395396,3305771534,980753571,3256525190,3128121808,1072869975,3507939515,4229109952,118381341,2209831334}}

318
verifier.cpp
View file

@ -14,25 +14,26 @@
* limitations under the License.
*/
#include "asn1_decoder.h"
#include "common.h"
#include "ui.h"
#include "verifier.h"
#include "mincrypt/dsa_sig.h"
#include "mincrypt/p256.h"
#include "mincrypt/p256_ecdsa.h"
#include "mincrypt/rsa.h"
#include "mincrypt/sha.h"
#include "mincrypt/sha256.h"
#include <errno.h>
#include <malloc.h>
#include <stdio.h>
#include <string.h>
#include <algorithm>
#include <memory>
#include <openssl/ecdsa.h>
#include <openssl/obj_mac.h>
#include "asn1_decoder.h"
#include "common.h"
#include "ui.h"
#include "verifier.h"
extern RecoveryUI* ui;
static constexpr size_t MiB = 1024 * 1024;
/*
* Simple version of PKCS#7 SignedData extraction. This extracts the
* signature OCTET STRING to be used for signature verification.
@ -188,30 +189,30 @@ int verify_file(unsigned char* addr, size_t length,
}
}
#define BUFFER_SIZE 4096
bool need_sha1 = false;
bool need_sha256 = false;
for (const auto& key : keys) {
switch (key.hash_len) {
case SHA_DIGEST_SIZE: need_sha1 = true; break;
case SHA256_DIGEST_SIZE: need_sha256 = true; break;
case SHA_DIGEST_LENGTH: need_sha1 = true; break;
case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
}
}
SHA_CTX sha1_ctx;
SHA256_CTX sha256_ctx;
SHA_init(&sha1_ctx);
SHA256_init(&sha256_ctx);
SHA1_Init(&sha1_ctx);
SHA256_Init(&sha256_ctx);
double frac = -1.0;
size_t so_far = 0;
while (so_far < signed_len) {
size_t size = signed_len - so_far;
if (size > BUFFER_SIZE) size = BUFFER_SIZE;
// On a Nexus 9, experiment didn't show any performance improvement with
// larger sizes past 1MiB, and they reduce the granularity of the progress
// bar. http://b/28135231.
size_t size = std::min(signed_len - so_far, 1 * MiB);
if (need_sha1) SHA_update(&sha1_ctx, addr + so_far, size);
if (need_sha256) SHA256_update(&sha256_ctx, addr + so_far, size);
if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
so_far += size;
double f = so_far / (double)signed_len;
@ -221,8 +222,10 @@ int verify_file(unsigned char* addr, size_t length,
}
}
const uint8_t* sha1 = SHA_final(&sha1_ctx);
const uint8_t* sha256 = SHA256_final(&sha256_ctx);
uint8_t sha1[SHA_DIGEST_LENGTH];
SHA1_Final(sha1, &sha1_ctx);
uint8_t sha256[SHA256_DIGEST_LENGTH];
SHA256_Final(sha256, &sha256_ctx);
uint8_t* sig_der = nullptr;
size_t sig_der_length = 0;
@ -242,23 +245,25 @@ int verify_file(unsigned char* addr, size_t length,
size_t i = 0;
for (const auto& key : keys) {
const uint8_t* hash;
int hash_nid;
switch (key.hash_len) {
case SHA_DIGEST_SIZE: hash = sha1; break;
case SHA256_DIGEST_SIZE: hash = sha256; break;
default: continue;
case SHA_DIGEST_LENGTH:
hash = sha1;
hash_nid = NID_sha1;
break;
case SHA256_DIGEST_LENGTH:
hash = sha256;
hash_nid = NID_sha256;
break;
default:
continue;
}
// The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
// the signing tool appends after the signature itself.
if (key.key_type == Certificate::RSA) {
if (sig_der_length < RSANUMBYTES) {
// "signature" block isn't big enough to contain an RSA block.
LOGI("signature is too short for RSA key %zu\n", i);
continue;
}
if (!RSA_verify(key.rsa.get(), sig_der, RSANUMBYTES,
hash, key.hash_len)) {
if (key.key_type == Certificate::KEY_TYPE_RSA) {
if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der,
sig_der_length, key.rsa.get())) {
LOGI("failed to verify against RSA key %zu\n", i);
continue;
}
@ -266,18 +271,10 @@ int verify_file(unsigned char* addr, size_t length,
LOGI("whole-file signature verified against RSA key %zu\n", i);
free(sig_der);
return VERIFY_SUCCESS;
} else if (key.key_type == Certificate::EC
&& key.hash_len == SHA256_DIGEST_SIZE) {
p256_int r, s;
if (!dsa_sig_unpack(sig_der, sig_der_length, &r, &s)) {
LOGI("Not a DSA signature block for EC key %zu\n", i);
continue;
}
p256_int p256_hash;
p256_from_bin(hash, &p256_hash);
if (!p256_ecdsa_verify(&(key.ec->x), &(key.ec->y),
&p256_hash, &r, &s)) {
} else if (key.key_type == Certificate::KEY_TYPE_EC
&& key.hash_len == SHA256_DIGEST_LENGTH) {
if (!ECDSA_verify(0, hash, key.hash_len, sig_der,
sig_der_length, key.ec.get())) {
LOGI("failed to verify against EC key %zu\n", i);
continue;
}
@ -295,6 +292,144 @@ int verify_file(unsigned char* addr, size_t length,
return VERIFY_FAILURE;
}
std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
// Read key length in words and n0inv. n0inv is a precomputed montgomery
// parameter derived from the modulus and can be used to speed up
// verification. n0inv is 32 bits wide here, assuming the verification logic
// uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
// internally, in which case we don't have a valid n0inv. Thus, we just
// ignore the montgomery parameters and have BoringSSL recompute them
// internally. If/When the speedup from using the montgomery parameters
// becomes relevant, we can add more sophisticated code here to obtain a
// 64-bit n0inv and initialize the montgomery parameters in the key object.
uint32_t key_len_words = 0;
uint32_t n0inv = 0;
if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
return nullptr;
}
if (key_len_words > 8192 / 32) {
LOGE("key length (%d) too large\n", key_len_words);
return nullptr;
}
// Read the modulus.
std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
if (fscanf(file, " , { %u", &modulus[0]) != 1) {
return nullptr;
}
for (uint32_t i = 1; i < key_len_words; ++i) {
if (fscanf(file, " , %u", &modulus[i]) != 1) {
return nullptr;
}
}
// Cconvert from little-endian array of little-endian words to big-endian
// byte array suitable as input for BN_bin2bn.
std::reverse((uint8_t*)modulus.get(),
(uint8_t*)(modulus.get() + key_len_words));
// The next sequence of values is the montgomery parameter R^2. Since we
// generally don't have a valid |n0inv|, we ignore this (see comment above).
uint32_t rr_value;
if (fscanf(file, " } , { %u", &rr_value) != 1) {
return nullptr;
}
for (uint32_t i = 1; i < key_len_words; ++i) {
if (fscanf(file, " , %u", &rr_value) != 1) {
return nullptr;
}
}
if (fscanf(file, " } } ") != 0) {
return nullptr;
}
// Initialize the key.
std::unique_ptr<RSA, RSADeleter> key(RSA_new());
if (!key) {
return nullptr;
}
key->n = BN_bin2bn((uint8_t*)modulus.get(),
key_len_words * sizeof(uint32_t), NULL);
if (!key->n) {
return nullptr;
}
key->e = BN_new();
if (!key->e || !BN_set_word(key->e, exponent)) {
return nullptr;
}
return key;
}
struct BNDeleter {
void operator()(BIGNUM* bn) {
BN_free(bn);
}
};
std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
uint32_t key_len_bytes = 0;
if (fscanf(file, " %i", &key_len_bytes) != 1) {
return nullptr;
}
std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
if (!group) {
return nullptr;
}
// Verify that |key_len| matches the group order.
if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
return nullptr;
}
// Read the public key coordinates. Note that the byte order in the file is
// little-endian, so we convert to big-endian here.
std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
std::unique_ptr<BIGNUM, BNDeleter> point[2];
for (int i = 0; i < 2; ++i) {
unsigned int byte = 0;
if (fscanf(file, " , { %u", &byte) != 1) {
return nullptr;
}
bytes[key_len_bytes - 1] = byte;
for (size_t i = 1; i < key_len_bytes; ++i) {
if (fscanf(file, " , %u", &byte) != 1) {
return nullptr;
}
bytes[key_len_bytes - i - 1] = byte;
}
point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
if (!point[i]) {
return nullptr;
}
if (fscanf(file, " }") != 0) {
return nullptr;
}
}
if (fscanf(file, " } ") != 0) {
return nullptr;
}
// Create and initialize the key.
std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
!EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
point[1].get())) {
return nullptr;
}
return key;
}
// Reads a file containing one or more public keys as produced by
// DumpPublicKey: this is an RSAPublicKey struct as it would appear
// as a C source literal, eg:
@ -335,94 +470,57 @@ bool load_keys(const char* filename, std::vector<Certificate>& certs) {
}
while (true) {
certs.emplace_back(0, Certificate::RSA, nullptr, nullptr);
certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
Certificate& cert = certs.back();
uint32_t exponent = 0;
char start_char;
if (fscanf(f.get(), " %c", &start_char) != 1) return false;
if (start_char == '{') {
// a version 1 key has no version specifier.
cert.key_type = Certificate::RSA;
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
cert.rsa->exponent = 3;
cert.hash_len = SHA_DIGEST_SIZE;
cert.key_type = Certificate::KEY_TYPE_RSA;
exponent = 3;
cert.hash_len = SHA_DIGEST_LENGTH;
} else if (start_char == 'v') {
int version;
if (fscanf(f.get(), "%d {", &version) != 1) return false;
switch (version) {
case 2:
cert.key_type = Certificate::RSA;
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
cert.rsa->exponent = 65537;
cert.hash_len = SHA_DIGEST_SIZE;
cert.key_type = Certificate::KEY_TYPE_RSA;
exponent = 65537;
cert.hash_len = SHA_DIGEST_LENGTH;
break;
case 3:
cert.key_type = Certificate::RSA;
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
cert.rsa->exponent = 3;
cert.hash_len = SHA256_DIGEST_SIZE;
cert.key_type = Certificate::KEY_TYPE_RSA;
exponent = 3;
cert.hash_len = SHA256_DIGEST_LENGTH;
break;
case 4:
cert.key_type = Certificate::RSA;
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
cert.rsa->exponent = 65537;
cert.hash_len = SHA256_DIGEST_SIZE;
cert.key_type = Certificate::KEY_TYPE_RSA;
exponent = 65537;
cert.hash_len = SHA256_DIGEST_LENGTH;
break;
case 5:
cert.key_type = Certificate::EC;
cert.ec = std::unique_ptr<ECPublicKey>(new ECPublicKey);
cert.hash_len = SHA256_DIGEST_SIZE;
cert.key_type = Certificate::KEY_TYPE_EC;
cert.hash_len = SHA256_DIGEST_LENGTH;
break;
default:
return false;
}
}
if (cert.key_type == Certificate::RSA) {
RSAPublicKey* key = cert.rsa.get();
if (fscanf(f.get(), " %i , 0x%x , { %u", &(key->len), &(key->n0inv),
&(key->n[0])) != 3) {
return false;
if (cert.key_type == Certificate::KEY_TYPE_RSA) {
cert.rsa = parse_rsa_key(f.get(), exponent);
if (!cert.rsa) {
return false;
}
if (key->len != RSANUMWORDS) {
LOGE("key length (%d) does not match expected size\n", key->len);
return false;
}
for (int i = 1; i < key->len; ++i) {
if (fscanf(f.get(), " , %u", &(key->n[i])) != 1) return false;
}
if (fscanf(f.get(), " } , { %u", &(key->rr[0])) != 1) return false;
for (int i = 1; i < key->len; ++i) {
if (fscanf(f.get(), " , %u", &(key->rr[i])) != 1) return false;
}
fscanf(f.get(), " } } ");
LOGI("read key e=%d hash=%d\n", key->exponent, cert.hash_len);
} else if (cert.key_type == Certificate::EC) {
ECPublicKey* key = cert.ec.get();
int key_len;
unsigned int byte;
uint8_t x_bytes[P256_NBYTES];
uint8_t y_bytes[P256_NBYTES];
if (fscanf(f.get(), " %i , { %u", &key_len, &byte) != 2) return false;
if (key_len != P256_NBYTES) {
LOGE("Key length (%d) does not match expected size %d\n", key_len, P256_NBYTES);
return false;
LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len);
} else if (cert.key_type == Certificate::KEY_TYPE_EC) {
cert.ec = parse_ec_key(f.get());
if (!cert.ec) {
return false;
}
x_bytes[P256_NBYTES - 1] = byte;
for (int i = P256_NBYTES - 2; i >= 0; --i) {
if (fscanf(f.get(), " , %u", &byte) != 1) return false;
x_bytes[i] = byte;
}
if (fscanf(f.get(), " } , { %u", &byte) != 1) return false;
y_bytes[P256_NBYTES - 1] = byte;
for (int i = P256_NBYTES - 2; i >= 0; --i) {
if (fscanf(f.get(), " , %u", &byte) != 1) return false;
y_bytes[i] = byte;
}
fscanf(f.get(), " } } ");
p256_from_bin(x_bytes, &key->x);
p256_from_bin(y_bytes, &key->y);
} else {
LOGE("Unknown key type %d\n", cert.key_type);
return false;

46
verifier.h
View file

@ -20,32 +20,42 @@
#include <memory>
#include <vector>
#include "mincrypt/p256.h"
#include "mincrypt/rsa.h"
#include <openssl/ec_key.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
typedef struct {
p256_int x;
p256_int y;
} ECPublicKey;
struct RSADeleter {
void operator()(RSA* rsa) {
RSA_free(rsa);
}
};
struct ECKEYDeleter {
void operator()(EC_KEY* ec_key) {
EC_KEY_free(ec_key);
}
};
struct Certificate {
typedef enum {
RSA,
EC,
KEY_TYPE_RSA,
KEY_TYPE_EC,
} KeyType;
Certificate(int hash_len_, KeyType key_type_,
std::unique_ptr<RSAPublicKey>&& rsa_,
std::unique_ptr<ECPublicKey>&& ec_) :
hash_len(hash_len_),
key_type(key_type_),
rsa(std::move(rsa_)),
ec(std::move(ec_)) { }
Certificate(int hash_len_,
KeyType key_type_,
std::unique_ptr<RSA, RSADeleter>&& rsa_,
std::unique_ptr<EC_KEY, ECKEYDeleter>&& ec_)
: hash_len(hash_len_),
key_type(key_type_),
rsa(std::move(rsa_)),
ec(std::move(ec_)) {}
int hash_len; // SHA_DIGEST_SIZE (SHA-1) or SHA256_DIGEST_SIZE (SHA-256)
// SHA_DIGEST_LENGTH (SHA-1) or SHA256_DIGEST_LENGTH (SHA-256)
int hash_len;
KeyType key_type;
std::unique_ptr<RSAPublicKey> rsa;
std::unique_ptr<ECPublicKey> ec;
std::unique_ptr<RSA, RSADeleter> rsa;
std::unique_ptr<EC_KEY, ECKEYDeleter> ec;
};
/* addr and length define a an update package file that has been