Allow RSA 4096 key in package verification
The RSA_verify sitll works for 4096 bits keys. And we just need to loose the check on modulus. Sample commands to generate the key & package: 1. openssl genrsa -out keypair.pem 4096 2. openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \ -in keypair.pem -out private.pk8 3. openssl req -new -x509 -key keypair.pem -out public.x509.pem \ -days 365 4. java -Djava.library.path=prebuilts/sdk/tools/linux/lib64 -jar \ prebuilts/sdk/tools/lib/signapk.jar -w public.x509.pem private.pk8 \ unsigned.zip signed.zip Bug: 129163830 Test: unit tests pass Change-Id: I5a5ff539c9ff1955c02ec2ce4b17563cb92808a4
This commit is contained in:
xunchang
parent
6287253eb4
commit
908ad77af8
5 changed files with 50 additions and 3 deletions
|
|
@ -158,6 +158,17 @@ TEST(VerifierTest, LoadCertificateFromBuffer_sha256_ec256bits) {
|
|||
VerifyPackageWithSingleCertificate("otasigned_v5.zip", std::move(cert));
|
||||
}
|
||||
|
||||
TEST(VerifierTest, LoadCertificateFromBuffer_sha256_rsa4096_bits) {
|
||||
Certificate cert(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
|
||||
LoadKeyFromFile(from_testdata_base("testkey_4096bits.x509.pem"), &cert);
|
||||
|
||||
ASSERT_EQ(SHA256_DIGEST_LENGTH, cert.hash_len);
|
||||
ASSERT_EQ(Certificate::KEY_TYPE_RSA, cert.key_type);
|
||||
ASSERT_EQ(nullptr, cert.ec);
|
||||
|
||||
VerifyPackageWithSingleCertificate("otasigned_4096bits.zip", std::move(cert));
|
||||
}
|
||||
|
||||
TEST(VerifierTest, LoadCertificateFromBuffer_check_rsa_keys) {
|
||||
std::unique_ptr<RSA, RSADeleter> rsa(RSA_new());
|
||||
std::unique_ptr<BIGNUM, decltype(&BN_free)> exponent(BN_new(), BN_free);
|
||||
|
|
|
|||
BIN
tests/testdata/otasigned_4096bits.zip
vendored
Normal file
BIN
tests/testdata/otasigned_4096bits.zip
vendored
Normal file
Binary file not shown.
35
tests/testdata/testkey_4096bits.x509.pem
vendored
Normal file
35
tests/testdata/testkey_4096bits.x509.pem
vendored
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIGADCCA+igAwIBAgIJAJiRMVvanGUaMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
|
||||
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g
|
||||
VmlldzEQMA4GA1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UE
|
||||
AwwHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
|
||||
Fw0xODEwMzAxMjEzNTFaFw00NjAzMTcxMjEzNTFaMIGUMQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
|
||||
A1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UEAwwHQW5kcm9p
|
||||
ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCAiIwDQYJKoZI
|
||||
hvcNAQEBBQADggIPADCCAgoCggIBAL3ghKA8Gz9qOORY8gMY4wlB2tCJLDUO2tFG
|
||||
LVK1UphtQMp+YEcz/0VQKVV7de7z6V4EMQ5P1HbxHOsjcKn/zXAl4YgFt7b5kZbC
|
||||
bpNK4CYHEfho3j6fpYtq5d9q8rIA2kI0uZkkqPy1zXKTl2C2PjOoAnLQRk5xBVQG
|
||||
M10/wYsf7yX36mSWoJJwKPp/EzVFpA+hX8HpljeIiZ6CFzKwJdqv9zO/xzfp6NsX
|
||||
Tv5EGdkDxmw3qQqKgyl8dLMTZ/2zNfvVOMeZDusEPDF7A/lbU1byLWrKQdCzVb40
|
||||
yc7BCSRGYwM29R/byOcgD+lslwKSGzgzNmQXICt1tXz9bSJR8qh4tlAaiRc3ZKBe
|
||||
hJWIFGkGtD/cDGtDE5DbNAOz6CdSDdE2XN0Qf0cfN1RHVE6fo2FtFicRRVuFBt8M
|
||||
2cbQ7bzmEvtHD6W6dsf120FH7gppXKmnhMx1WazpxR2QltbiYDTy2ZZi4paS/jDB
|
||||
fL9gMCWp3Ohg2y74NGfUw5CQWQsDpcki6I7RvwClBCyOV51LHn5LE/nY4DkVrZxk
|
||||
Pw0/YrTWz5J5PbdMetTuIunE4ec4lm8nZnh1ET+2MHx2+RoyF5vBs4rp1KHHRaEA
|
||||
veD2AfQOWxz7kOG9+akFot7n+QoWEGdwY0mJ9jsO/IITCjv3VbD7o0OoJv1R2AW5
|
||||
sK2KQ4PDAgMBAAGjUzBRMB0GA1UdDgQWBBT2EbrayXGhY6VCvSlLtRNyjW9ceDAf
|
||||
BgNVHSMEGDAWgBT2EbrayXGhY6VCvSlLtRNyjW9ceDAPBgNVHRMBAf8EBTADAQH/
|
||||
MA0GCSqGSIb3DQEBCwUAA4ICAQC7SsWap9zDKmuR0qMUZ6wlualnag0hUG1jZHQP
|
||||
t63KO6LmNNMSuXRX60Zcq6WWzgLOyoT4HqHZZ47Jamfb4XQQcnWMMW0tJ3pDtTkz
|
||||
dZILBInHJO8QPYI8Du6XWsDLSvMajq6ueBtO3NdcgsNL7eiHf3WoOtajLZxFM94Z
|
||||
MESkUQOIsqHolYeTMHLTsuGkX1CK2Zw3Xn18bUSTYwZCHa6mYH00ItUBfetGCnWh
|
||||
Y7bth/R15Cc+hocSB7ZsOa/R5kDyDdFDIKrnV5nH5Yd7CryrYC6Ac5UarYrxSJTq
|
||||
eKPwqUlJB/tJW/lvdLt8YaURbFGzf/ZqU12zZRafYjmMjcQvfpzMoDSnbvHTA9IR
|
||||
ZGO7dwhwykoSaL4/8LWde49xQUq6F2pQBRmEr+7mTzml1MaM5cWEk5emkCMXgLog
|
||||
k+c56CAk1EdM1teWik7wR0TIqkkYyYJHTSg61GkXUIXrZJ6iYx2ejDg1+QTPm9rU
|
||||
Yr7nP52gVkQuUAX1+xB6wKLSDizQJw8SNiUGXl5+2vwV6+0BI3/CXlQ8I/nRPBC1
|
||||
oqOIkRSbE+IF7DP9QvYuNG/3bZZQ8LUVeHxqI5Mq8K2VIJZd95AIwPNMH34SaDGz
|
||||
9xjG28Fq4ZkuDP0pCsHM9d2XEwK5PEVS18WW5fJ/QcJKMno4IPTB70ZBBjVzv6Y+
|
||||
MYjOrw==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -373,8 +373,8 @@ bool CheckRSAKey(const std::unique_ptr<RSA, RSADeleter>& rsa) {
|
|||
const BIGNUM* out_e;
|
||||
RSA_get0_key(rsa.get(), &out_n, &out_e, nullptr /* private exponent */);
|
||||
auto modulus_bits = BN_num_bits(out_n);
|
||||
if (modulus_bits != 2048) {
|
||||
LOG(ERROR) << "Modulus should be 2048 bits long, actual: " << modulus_bits;
|
||||
if (modulus_bits != 2048 && modulus_bits != 4096) {
|
||||
LOG(ERROR) << "Modulus should be 2048 or 4096 bits long, actual: " << modulus_bits;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -88,7 +88,8 @@ class VerifierInterface {
|
|||
// VERIFY_FAILURE (if any error is encountered or no key matches the signature).
|
||||
int verify_file(VerifierInterface* package, const std::vector<Certificate>& keys);
|
||||
|
||||
// Checks that the RSA key has a modulus of 2048 bits long, and public exponent is 3 or 65537.
|
||||
// Checks that the RSA key has a modulus of 2048 or 4096 bits long, and public exponent is 3 or
|
||||
// 65537.
|
||||
bool CheckRSAKey(const std::unique_ptr<RSA, RSADeleter>& rsa);
|
||||
|
||||
// Checks that the field size of the curve for the EC key is 256 bits.
|
||||
|
|
|
|||
Loading…
Reference in a new issue