1 //
2 // Copyright (C) 2011 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "update_engine/payload_generator/payload_signer.h"
18
19 #include <endian.h>
20
21 #include <memory>
22 #include <utility>
23
24 #include <base/logging.h>
25 #include <base/strings/string_number_conversions.h>
26 #include <brillo/data_encoding.h>
27 #include <openssl/err.h>
28 #include <openssl/pem.h>
29 #include <unistd.h>
30
31 #include "update_engine/common/constants.h"
32 #include "update_engine/common/hash_calculator.h"
33 #include "update_engine/common/subprocess.h"
34 #include "update_engine/common/utils.h"
35 #include "update_engine/payload_consumer/payload_metadata.h"
36 #include "update_engine/payload_consumer/payload_verifier.h"
37 #include "update_engine/update_metadata.pb.h"
38
39 using std::string;
40 using std::vector;
41
42 namespace chromeos_update_engine {
43
44 namespace {
45 // Given raw |signatures|, packs them into a protobuf and serializes it into a
46 // string. Returns true on success, false otherwise.
ConvertSignaturesToProtobuf(const vector<brillo::Blob> & signatures,const vector<size_t> & padded_signature_sizes,string * out_serialized_signature)47 bool ConvertSignaturesToProtobuf(const vector<brillo::Blob>& signatures,
48 const vector<size_t>& padded_signature_sizes,
49 string* out_serialized_signature) {
50 TEST_AND_RETURN_FALSE(signatures.size() == padded_signature_sizes.size());
51 // Pack it into a protobuf
52 Signatures out_message;
53 for (size_t i = 0; i < signatures.size(); i++) {
54 const auto& signature = signatures[i];
55 const auto& padded_signature_size = padded_signature_sizes[i];
56 TEST_AND_RETURN_FALSE(padded_signature_size >= signature.size());
57 Signatures::Signature* sig_message = out_message.add_signatures();
58 // Skip assigning the same version number because we don't need to be
59 // compatible with old major version 1 client anymore.
60
61 // TODO(Xunchang) don't need to set the unpadded_signature_size field for
62 // RSA key signed signatures.
63 sig_message->set_unpadded_signature_size(signature.size());
64 brillo::Blob padded_signature = signature;
65 padded_signature.insert(
66 padded_signature.end(), padded_signature_size - signature.size(), 0);
67 sig_message->set_data(padded_signature.data(), padded_signature.size());
68 }
69
70 // Serialize protobuf
71 TEST_AND_RETURN_FALSE(
72 out_message.SerializeToString(out_serialized_signature));
73 LOG(INFO) << "Signature blob size: " << out_serialized_signature->size();
74 return true;
75 }
76
77 // Given an unsigned payload under |payload_path| and the |payload_signature|
78 // and |metadata_signature| generates an updated payload that includes the
79 // signatures. It populates |out_metadata_size| with the size of the final
80 // manifest after adding the fake signature operation, and
81 // |out_signatures_offset| with the expected offset for the new blob, and
82 // |out_metadata_signature_size| which will be size of |metadata_signature|
83 // if the payload major version supports metadata signature, 0 otherwise.
84 // Returns true on success, false otherwise.
AddSignatureBlobToPayload(const string & payload_path,const string & payload_signature,const string & metadata_signature,brillo::Blob * out_payload,uint64_t * out_metadata_size,uint32_t * out_metadata_signature_size,uint64_t * out_signatures_offset)85 bool AddSignatureBlobToPayload(const string& payload_path,
86 const string& payload_signature,
87 const string& metadata_signature,
88 brillo::Blob* out_payload,
89 uint64_t* out_metadata_size,
90 uint32_t* out_metadata_signature_size,
91 uint64_t* out_signatures_offset) {
92 uint64_t manifest_offset = 20;
93 const int kProtobufSizeOffset = 12;
94
95 brillo::Blob payload;
96 TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload));
97 PayloadMetadata payload_metadata;
98 TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload));
99 uint64_t metadata_size = payload_metadata.GetMetadataSize();
100 uint32_t metadata_signature_size =
101 payload_metadata.GetMetadataSignatureSize();
102 // Write metadata signature size in header.
103 uint32_t metadata_signature_size_be = htobe32(metadata_signature.size());
104 memcpy(payload.data() + manifest_offset,
105 &metadata_signature_size_be,
106 sizeof(metadata_signature_size_be));
107 manifest_offset += sizeof(metadata_signature_size_be);
108 // Replace metadata signature.
109 payload.erase(payload.begin() + metadata_size,
110 payload.begin() + metadata_size + metadata_signature_size);
111 payload.insert(payload.begin() + metadata_size,
112 metadata_signature.begin(),
113 metadata_signature.end());
114 metadata_signature_size = metadata_signature.size();
115 LOG(INFO) << "Metadata signature size: " << metadata_signature_size;
116
117 DeltaArchiveManifest manifest;
118 TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest));
119
120 // Erase existing signatures.
121 if (manifest.has_signatures_offset()) {
122 payload.resize(manifest.signatures_offset() + metadata_size +
123 metadata_signature_size);
124 }
125
126 // Updates the manifest to include the signature operation.
127 PayloadSigner::AddSignatureToManifest(
128 payload.size() - metadata_size - metadata_signature_size,
129 payload_signature.size(),
130 &manifest);
131
132 // Updates the payload to include the new manifest.
133 string serialized_manifest;
134 TEST_AND_RETURN_FALSE(manifest.AppendToString(&serialized_manifest));
135 LOG(INFO) << "Updated protobuf size: " << serialized_manifest.size();
136 payload.erase(payload.begin() + manifest_offset,
137 payload.begin() + metadata_size);
138 payload.insert(payload.begin() + manifest_offset,
139 serialized_manifest.begin(),
140 serialized_manifest.end());
141
142 // Updates the protobuf size.
143 uint64_t size_be = htobe64(serialized_manifest.size());
144 memcpy(&payload[kProtobufSizeOffset], &size_be, sizeof(size_be));
145 metadata_size = serialized_manifest.size() + manifest_offset;
146
147 LOG(INFO) << "Updated payload size: " << payload.size();
148 LOG(INFO) << "Updated metadata size: " << metadata_size;
149 uint64_t signatures_offset =
150 metadata_size + metadata_signature_size + manifest.signatures_offset();
151 LOG(INFO) << "Signature Blob Offset: " << signatures_offset;
152 payload.resize(signatures_offset);
153 payload.insert(payload.begin() + signatures_offset,
154 payload_signature.begin(),
155 payload_signature.end());
156
157 *out_payload = std::move(payload);
158 *out_metadata_size = metadata_size;
159 *out_metadata_signature_size = metadata_signature_size;
160 *out_signatures_offset = signatures_offset;
161 return true;
162 }
163
164 // Given a |payload| with correct signature op and metadata signature size in
165 // header and |metadata_size|, |metadata_signature_size|, |signatures_offset|,
166 // calculate hash for payload and metadata, save it to |out_hash_data| and
167 // |out_metadata_hash|.
CalculateHashFromPayload(const brillo::Blob & payload,const uint64_t metadata_size,const uint32_t metadata_signature_size,const uint64_t signatures_offset,brillo::Blob * out_hash_data,brillo::Blob * out_metadata_hash)168 bool CalculateHashFromPayload(const brillo::Blob& payload,
169 const uint64_t metadata_size,
170 const uint32_t metadata_signature_size,
171 const uint64_t signatures_offset,
172 brillo::Blob* out_hash_data,
173 brillo::Blob* out_metadata_hash) {
174 if (out_metadata_hash) {
175 // Calculates the hash on the manifest.
176 TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfBytes(
177 payload.data(), metadata_size, out_metadata_hash));
178 }
179 if (out_hash_data) {
180 // Calculates the hash on the updated payload. Note that we skip metadata
181 // signature and payload signature.
182 HashCalculator calc;
183 TEST_AND_RETURN_FALSE(calc.Update(payload.data(), metadata_size));
184 TEST_AND_RETURN_FALSE(signatures_offset >=
185 metadata_size + metadata_signature_size);
186 TEST_AND_RETURN_FALSE(calc.Update(
187 payload.data() + metadata_size + metadata_signature_size,
188 signatures_offset - metadata_size - metadata_signature_size));
189 TEST_AND_RETURN_FALSE(calc.Finalize());
190 *out_hash_data = calc.raw_hash();
191 }
192 return true;
193 }
194
CreatePrivateKeyFromPath(const string & private_key_path)195 std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)> CreatePrivateKeyFromPath(
196 const string& private_key_path) {
197 FILE* fprikey = fopen(private_key_path.c_str(), "rb");
198 if (!fprikey) {
199 PLOG(ERROR) << "Failed to read " << private_key_path;
200 return {nullptr, nullptr};
201 }
202
203 auto private_key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(
204 PEM_read_PrivateKey(fprikey, nullptr, nullptr, nullptr), EVP_PKEY_free);
205 fclose(fprikey);
206 return private_key;
207 }
208
209 } // namespace
210
GetMaximumSignatureSize(const string & private_key_path,size_t * signature_size)211 bool PayloadSigner::GetMaximumSignatureSize(const string& private_key_path,
212 size_t* signature_size) {
213 *signature_size = 0;
214 auto private_key = CreatePrivateKeyFromPath(private_key_path);
215 if (!private_key) {
216 LOG(ERROR) << "Failed to create private key from " << private_key_path;
217 return false;
218 }
219
220 *signature_size = EVP_PKEY_size(private_key.get());
221 return true;
222 }
223
AddSignatureToManifest(uint64_t signature_blob_offset,uint64_t signature_blob_length,DeltaArchiveManifest * manifest)224 void PayloadSigner::AddSignatureToManifest(uint64_t signature_blob_offset,
225 uint64_t signature_blob_length,
226 DeltaArchiveManifest* manifest) {
227 LOG(INFO) << "Making room for signature in file";
228 manifest->set_signatures_offset(signature_blob_offset);
229 manifest->set_signatures_size(signature_blob_length);
230 }
231
VerifySignedPayload(const string & payload_path,const string & public_key_path)232 bool PayloadSigner::VerifySignedPayload(const string& payload_path,
233 const string& public_key_path) {
234 brillo::Blob payload;
235 TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload));
236 PayloadMetadata payload_metadata;
237 TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload));
238 DeltaArchiveManifest manifest;
239 TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest));
240 TEST_AND_RETURN_FALSE(manifest.has_signatures_offset() &&
241 manifest.has_signatures_size());
242 uint64_t metadata_size = payload_metadata.GetMetadataSize();
243 uint32_t metadata_signature_size =
244 payload_metadata.GetMetadataSignatureSize();
245 uint64_t signatures_offset =
246 metadata_size + metadata_signature_size + manifest.signatures_offset();
247 CHECK_EQ(payload.size(), signatures_offset + manifest.signatures_size());
248 brillo::Blob payload_hash, metadata_hash;
249 TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
250 metadata_size,
251 metadata_signature_size,
252 signatures_offset,
253 &payload_hash,
254 &metadata_hash));
255 string signature(payload.begin() + signatures_offset, payload.end());
256 string public_key;
257 TEST_AND_RETURN_FALSE(utils::ReadFile(public_key_path, &public_key));
258 TEST_AND_RETURN_FALSE(payload_hash.size() == kSHA256Size);
259
260 auto payload_verifier = PayloadVerifier::CreateInstance(public_key);
261 TEST_AND_RETURN_FALSE(payload_verifier != nullptr);
262
263 TEST_AND_RETURN_FALSE(
264 payload_verifier->VerifySignature(signature, payload_hash));
265 if (metadata_signature_size) {
266 signature.assign(payload.begin() + metadata_size,
267 payload.begin() + metadata_size + metadata_signature_size);
268 TEST_AND_RETURN_FALSE(metadata_hash.size() == kSHA256Size);
269 TEST_AND_RETURN_FALSE(
270 payload_verifier->VerifySignature(signature, metadata_hash));
271 }
272 return true;
273 }
274
SignHash(const brillo::Blob & hash,const string & private_key_path,brillo::Blob * out_signature)275 bool PayloadSigner::SignHash(const brillo::Blob& hash,
276 const string& private_key_path,
277 brillo::Blob* out_signature) {
278 LOG(INFO) << "Signing hash with private key: " << private_key_path;
279 // We expect unpadded SHA256 hash coming in
280 TEST_AND_RETURN_FALSE(hash.size() == kSHA256Size);
281 // The code below executes the equivalent of:
282 //
283 // openssl rsautl -raw -sign -inkey |private_key_path|
284 // -in |padded_hash| -out |out_signature|
285
286 auto private_key = CreatePrivateKeyFromPath(private_key_path);
287 if (!private_key) {
288 LOG(ERROR) << "Failed to create private key from " << private_key_path;
289 return false;
290 }
291
292 int key_type = EVP_PKEY_id(private_key.get());
293 brillo::Blob signature;
294 if (key_type == EVP_PKEY_RSA) {
295 RSA* rsa = EVP_PKEY_get0_RSA(private_key.get());
296 TEST_AND_RETURN_FALSE(rsa != nullptr);
297
298 brillo::Blob padded_hash = hash;
299 PayloadVerifier::PadRSASHA256Hash(&padded_hash, RSA_size(rsa));
300
301 signature.resize(RSA_size(rsa));
302 ssize_t signature_size = RSA_private_encrypt(padded_hash.size(),
303 padded_hash.data(),
304 signature.data(),
305 rsa,
306 RSA_NO_PADDING);
307 if (signature_size < 0) {
308 LOG(ERROR) << "Signing hash failed: "
309 << ERR_error_string(ERR_get_error(), nullptr);
310 return false;
311 }
312 TEST_AND_RETURN_FALSE(static_cast<size_t>(signature_size) ==
313 signature.size());
314 } else if (key_type == EVP_PKEY_EC) {
315 EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(private_key.get());
316 TEST_AND_RETURN_FALSE(ec_key != nullptr);
317
318 signature.resize(ECDSA_size(ec_key));
319 unsigned int signature_size;
320 if (ECDSA_sign(0,
321 hash.data(),
322 hash.size(),
323 signature.data(),
324 &signature_size,
325 ec_key) != 1) {
326 LOG(ERROR) << "Signing hash failed: "
327 << ERR_error_string(ERR_get_error(), nullptr);
328 return false;
329 }
330
331 // NIST P-256
332 LOG(ERROR) << "signature max size " << signature.size() << " size "
333 << signature_size;
334 TEST_AND_RETURN_FALSE(signature.size() >= signature_size);
335 signature.resize(signature_size);
336 } else {
337 LOG(ERROR) << "key_type " << key_type << " isn't supported for signing";
338 return false;
339 }
340 out_signature->swap(signature);
341 return true;
342 }
343
SignHashWithKeys(const brillo::Blob & hash_data,const vector<string> & private_key_paths,string * out_serialized_signature)344 bool PayloadSigner::SignHashWithKeys(const brillo::Blob& hash_data,
345 const vector<string>& private_key_paths,
346 string* out_serialized_signature) {
347 vector<brillo::Blob> signatures;
348 vector<size_t> padded_signature_sizes;
349 for (const string& path : private_key_paths) {
350 brillo::Blob signature;
351 TEST_AND_RETURN_FALSE(SignHash(hash_data, path, &signature));
352 signatures.push_back(signature);
353
354 size_t padded_signature_size;
355 TEST_AND_RETURN_FALSE(
356 GetMaximumSignatureSize(path, &padded_signature_size));
357 padded_signature_sizes.push_back(padded_signature_size);
358 }
359 TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf(
360 signatures, padded_signature_sizes, out_serialized_signature));
361 return true;
362 }
363
SignPayload(const string & unsigned_payload_path,const vector<string> & private_key_paths,const uint64_t metadata_size,const uint32_t metadata_signature_size,const uint64_t signatures_offset,string * out_serialized_signature)364 bool PayloadSigner::SignPayload(const string& unsigned_payload_path,
365 const vector<string>& private_key_paths,
366 const uint64_t metadata_size,
367 const uint32_t metadata_signature_size,
368 const uint64_t signatures_offset,
369 string* out_serialized_signature) {
370 brillo::Blob payload;
371 TEST_AND_RETURN_FALSE(utils::ReadFile(unsigned_payload_path, &payload));
372 brillo::Blob hash_data;
373 TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
374 metadata_size,
375 metadata_signature_size,
376 signatures_offset,
377 &hash_data,
378 nullptr));
379 TEST_AND_RETURN_FALSE(
380 SignHashWithKeys(hash_data, private_key_paths, out_serialized_signature));
381 return true;
382 }
383
SignatureBlobLength(const vector<string> & private_key_paths,uint64_t * out_length)384 bool PayloadSigner::SignatureBlobLength(const vector<string>& private_key_paths,
385 uint64_t* out_length) {
386 DCHECK(out_length);
387 brillo::Blob hash_blob;
388 TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfData({'x'}, &hash_blob));
389 string sig_blob;
390 TEST_AND_RETURN_FALSE(
391 SignHashWithKeys(hash_blob, private_key_paths, &sig_blob));
392 *out_length = sig_blob.size();
393 return true;
394 }
395
HashPayloadForSigning(const string & payload_path,const vector<size_t> & signature_sizes,brillo::Blob * out_payload_hash_data,brillo::Blob * out_metadata_hash)396 bool PayloadSigner::HashPayloadForSigning(const string& payload_path,
397 const vector<size_t>& signature_sizes,
398 brillo::Blob* out_payload_hash_data,
399 brillo::Blob* out_metadata_hash) {
400 // Create a signature blob with signatures filled with 0.
401 // Will be used for both payload signature and metadata signature.
402 vector<brillo::Blob> signatures;
403 for (int signature_size : signature_sizes) {
404 signatures.emplace_back(signature_size, 0);
405 }
406 string signature;
407 TEST_AND_RETURN_FALSE(
408 ConvertSignaturesToProtobuf(signatures, signature_sizes, &signature));
409
410 brillo::Blob payload;
411 uint64_t metadata_size, signatures_offset;
412 uint32_t metadata_signature_size;
413 // Prepare payload for hashing.
414 TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path,
415 signature,
416 signature,
417 &payload,
418 &metadata_size,
419 &metadata_signature_size,
420 &signatures_offset));
421 TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload,
422 metadata_size,
423 metadata_signature_size,
424 signatures_offset,
425 out_payload_hash_data,
426 out_metadata_hash));
427 return true;
428 }
429
AddSignatureToPayload(const string & payload_path,const vector<size_t> & padded_signature_sizes,const vector<brillo::Blob> & payload_signatures,const vector<brillo::Blob> & metadata_signatures,const string & signed_payload_path,uint64_t * out_metadata_size)430 bool PayloadSigner::AddSignatureToPayload(
431 const string& payload_path,
432 const vector<size_t>& padded_signature_sizes,
433 const vector<brillo::Blob>& payload_signatures,
434 const vector<brillo::Blob>& metadata_signatures,
435 const string& signed_payload_path,
436 uint64_t* out_metadata_size) {
437 // TODO(petkov): Reduce memory usage -- the payload is manipulated in memory.
438
439 // Loads the payload and adds the signature op to it.
440 string payload_signature, metadata_signature;
441 TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf(
442 payload_signatures, padded_signature_sizes, &payload_signature));
443 if (!metadata_signatures.empty()) {
444 TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf(
445 metadata_signatures, padded_signature_sizes, &metadata_signature));
446 }
447 brillo::Blob payload;
448 uint64_t signatures_offset;
449 uint32_t metadata_signature_size;
450 TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path,
451 payload_signature,
452 metadata_signature,
453 &payload,
454 out_metadata_size,
455 &metadata_signature_size,
456 &signatures_offset));
457
458 LOG(INFO) << "Signed payload size: " << payload.size();
459 TEST_AND_RETURN_FALSE(utils::WriteFile(
460 signed_payload_path.c_str(), payload.data(), payload.size()));
461 return true;
462 }
463
GetMetadataSignature(const void * const metadata,size_t metadata_size,const string & private_key_path,string * out_signature)464 bool PayloadSigner::GetMetadataSignature(const void* const metadata,
465 size_t metadata_size,
466 const string& private_key_path,
467 string* out_signature) {
468 // Calculates the hash on the updated payload. Note that the payload includes
469 // the signature op but doesn't include the signature blob at the end.
470 brillo::Blob metadata_hash;
471 TEST_AND_RETURN_FALSE(
472 HashCalculator::RawHashOfBytes(metadata, metadata_size, &metadata_hash));
473
474 brillo::Blob signature;
475 TEST_AND_RETURN_FALSE(SignHash(metadata_hash, private_key_path, &signature));
476
477 *out_signature = brillo::data_encoding::Base64Encode(signature);
478 return true;
479 }
480
481 } // namespace chromeos_update_engine
482