// // Copyright (C) 2011 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // #include "update_engine/payload_generator/payload_signer.h" #include #include #include #include #include #include #include #include #include #include #include "update_engine/common/constants.h" #include "update_engine/common/hash_calculator.h" #include "update_engine/common/subprocess.h" #include "update_engine/common/utils.h" #include "update_engine/payload_consumer/delta_performer.h" #include "update_engine/payload_consumer/payload_constants.h" #include "update_engine/payload_consumer/payload_metadata.h" #include "update_engine/payload_consumer/payload_verifier.h" #include "update_engine/payload_generator/delta_diff_generator.h" #include "update_engine/payload_generator/payload_file.h" #include "update_engine/update_metadata.pb.h" using std::string; using std::vector; namespace chromeos_update_engine { namespace { // Given raw |signatures|, packs them into a protobuf and serializes it into a // string. Returns true on success, false otherwise. bool ConvertSignaturesToProtobuf(const vector& signatures, const vector& padded_signature_sizes, string* out_serialized_signature) { TEST_AND_RETURN_FALSE(signatures.size() == padded_signature_sizes.size()); // Pack it into a protobuf Signatures out_message; for (size_t i = 0; i < signatures.size(); i++) { const auto& signature = signatures[i]; const auto& padded_signature_size = padded_signature_sizes[i]; TEST_AND_RETURN_FALSE(padded_signature_size >= signature.size()); Signatures::Signature* sig_message = out_message.add_signatures(); // Skip assigning the same version number because we don't need to be // compatible with old major version 1 client anymore. // TODO(Xunchang) don't need to set the unpadded_signature_size field for // RSA key signed signatures. sig_message->set_unpadded_signature_size(signature.size()); brillo::Blob padded_signature = signature; padded_signature.insert( padded_signature.end(), padded_signature_size - signature.size(), 0); sig_message->set_data(padded_signature.data(), padded_signature.size()); } // Serialize protobuf TEST_AND_RETURN_FALSE( out_message.SerializeToString(out_serialized_signature)); LOG(INFO) << "Signature blob size: " << out_serialized_signature->size(); return true; } // Given an unsigned payload under |payload_path| and the |payload_signature| // and |metadata_signature| generates an updated payload that includes the // signatures. It populates |out_metadata_size| with the size of the final // manifest after adding the fake signature operation, and // |out_signatures_offset| with the expected offset for the new blob, and // |out_metadata_signature_size| which will be size of |metadata_signature| // if the payload major version supports metadata signature, 0 otherwise. // Returns true on success, false otherwise. bool AddSignatureBlobToPayload(const string& payload_path, const string& payload_signature, const string& metadata_signature, brillo::Blob* out_payload, uint64_t* out_metadata_size, uint32_t* out_metadata_signature_size, uint64_t* out_signatures_offset) { uint64_t manifest_offset = 20; const int kProtobufSizeOffset = 12; brillo::Blob payload; TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload)); PayloadMetadata payload_metadata; TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload)); uint64_t metadata_size = payload_metadata.GetMetadataSize(); uint32_t metadata_signature_size = payload_metadata.GetMetadataSignatureSize(); // Write metadata signature size in header. uint32_t metadata_signature_size_be = htobe32(metadata_signature.size()); memcpy(payload.data() + manifest_offset, &metadata_signature_size_be, sizeof(metadata_signature_size_be)); manifest_offset += sizeof(metadata_signature_size_be); // Replace metadata signature. payload.erase(payload.begin() + metadata_size, payload.begin() + metadata_size + metadata_signature_size); payload.insert(payload.begin() + metadata_size, metadata_signature.begin(), metadata_signature.end()); metadata_signature_size = metadata_signature.size(); LOG(INFO) << "Metadata signature size: " << metadata_signature_size; DeltaArchiveManifest manifest; TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest)); // Is there already a signature op in place? if (manifest.has_signatures_size()) { // The signature op is tied to the size of the signature blob, but not it's // contents. We don't allow the manifest to change if there is already an op // present, because that might invalidate previously generated // hashes/signatures. if (manifest.signatures_size() != payload_signature.size()) { LOG(ERROR) << "Attempt to insert different signature sized blob. " << "(current:" << manifest.signatures_size() << "new:" << payload_signature.size() << ")"; return false; } LOG(INFO) << "Matching signature sizes already present."; } else { // Updates the manifest to include the signature operation. PayloadSigner::AddSignatureToManifest( payload.size() - metadata_size - metadata_signature_size, payload_signature.size(), &manifest); // Updates the payload to include the new manifest. string serialized_manifest; TEST_AND_RETURN_FALSE(manifest.AppendToString(&serialized_manifest)); LOG(INFO) << "Updated protobuf size: " << serialized_manifest.size(); payload.erase(payload.begin() + manifest_offset, payload.begin() + metadata_size); payload.insert(payload.begin() + manifest_offset, serialized_manifest.begin(), serialized_manifest.end()); // Updates the protobuf size. uint64_t size_be = htobe64(serialized_manifest.size()); memcpy(&payload[kProtobufSizeOffset], &size_be, sizeof(size_be)); metadata_size = serialized_manifest.size() + manifest_offset; LOG(INFO) << "Updated payload size: " << payload.size(); LOG(INFO) << "Updated metadata size: " << metadata_size; } uint64_t signatures_offset = metadata_size + metadata_signature_size + manifest.signatures_offset(); LOG(INFO) << "Signature Blob Offset: " << signatures_offset; payload.resize(signatures_offset); payload.insert(payload.begin() + signatures_offset, payload_signature.begin(), payload_signature.end()); *out_payload = std::move(payload); *out_metadata_size = metadata_size; *out_metadata_signature_size = metadata_signature_size; *out_signatures_offset = signatures_offset; return true; } // Given a |payload| with correct signature op and metadata signature size in // header and |metadata_size|, |metadata_signature_size|, |signatures_offset|, // calculate hash for payload and metadata, save it to |out_hash_data| and // |out_metadata_hash|. bool CalculateHashFromPayload(const brillo::Blob& payload, const uint64_t metadata_size, const uint32_t metadata_signature_size, const uint64_t signatures_offset, brillo::Blob* out_hash_data, brillo::Blob* out_metadata_hash) { if (out_metadata_hash) { // Calculates the hash on the manifest. TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfBytes( payload.data(), metadata_size, out_metadata_hash)); } if (out_hash_data) { // Calculates the hash on the updated payload. Note that we skip metadata // signature and payload signature. HashCalculator calc; TEST_AND_RETURN_FALSE(calc.Update(payload.data(), metadata_size)); TEST_AND_RETURN_FALSE(signatures_offset >= metadata_size + metadata_signature_size); TEST_AND_RETURN_FALSE(calc.Update( payload.data() + metadata_size + metadata_signature_size, signatures_offset - metadata_size - metadata_signature_size)); TEST_AND_RETURN_FALSE(calc.Finalize()); *out_hash_data = calc.raw_hash(); } return true; } std::unique_ptr CreatePrivateKeyFromPath( const string& private_key_path) { FILE* fprikey = fopen(private_key_path.c_str(), "rb"); if (!fprikey) { PLOG(ERROR) << "Failed to read " << private_key_path; return {nullptr, nullptr}; } auto private_key = std::unique_ptr( PEM_read_PrivateKey(fprikey, nullptr, nullptr, nullptr), EVP_PKEY_free); fclose(fprikey); return private_key; } } // namespace bool PayloadSigner::GetMaximumSignatureSize(const string& private_key_path, size_t* signature_size) { *signature_size = 0; auto private_key = CreatePrivateKeyFromPath(private_key_path); if (!private_key) { LOG(ERROR) << "Failed to create private key from " << private_key_path; return false; } *signature_size = EVP_PKEY_size(private_key.get()); return true; } void PayloadSigner::AddSignatureToManifest(uint64_t signature_blob_offset, uint64_t signature_blob_length, DeltaArchiveManifest* manifest) { LOG(INFO) << "Making room for signature in file"; manifest->set_signatures_offset(signature_blob_offset); manifest->set_signatures_size(signature_blob_length); } bool PayloadSigner::VerifySignedPayload(const string& payload_path, const string& public_key_path) { brillo::Blob payload; TEST_AND_RETURN_FALSE(utils::ReadFile(payload_path, &payload)); PayloadMetadata payload_metadata; TEST_AND_RETURN_FALSE(payload_metadata.ParsePayloadHeader(payload)); DeltaArchiveManifest manifest; TEST_AND_RETURN_FALSE(payload_metadata.GetManifest(payload, &manifest)); TEST_AND_RETURN_FALSE(manifest.has_signatures_offset() && manifest.has_signatures_size()); uint64_t metadata_size = payload_metadata.GetMetadataSize(); uint32_t metadata_signature_size = payload_metadata.GetMetadataSignatureSize(); uint64_t signatures_offset = metadata_size + metadata_signature_size + manifest.signatures_offset(); CHECK_EQ(payload.size(), signatures_offset + manifest.signatures_size()); brillo::Blob payload_hash, metadata_hash; TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload, metadata_size, metadata_signature_size, signatures_offset, &payload_hash, &metadata_hash)); string signature(payload.begin() + signatures_offset, payload.end()); string public_key; TEST_AND_RETURN_FALSE(utils::ReadFile(public_key_path, &public_key)); TEST_AND_RETURN_FALSE(payload_hash.size() == kSHA256Size); auto payload_verifier = PayloadVerifier::CreateInstance(public_key); TEST_AND_RETURN_FALSE(payload_verifier != nullptr); TEST_AND_RETURN_FALSE( payload_verifier->VerifySignature(signature, payload_hash)); if (metadata_signature_size) { signature.assign(payload.begin() + metadata_size, payload.begin() + metadata_size + metadata_signature_size); TEST_AND_RETURN_FALSE(metadata_hash.size() == kSHA256Size); TEST_AND_RETURN_FALSE( payload_verifier->VerifySignature(signature, metadata_hash)); } return true; } bool PayloadSigner::SignHash(const brillo::Blob& hash, const string& private_key_path, brillo::Blob* out_signature) { LOG(INFO) << "Signing hash with private key: " << private_key_path; // We expect unpadded SHA256 hash coming in TEST_AND_RETURN_FALSE(hash.size() == kSHA256Size); // The code below executes the equivalent of: // // openssl rsautl -raw -sign -inkey |private_key_path| // -in |padded_hash| -out |out_signature| auto private_key = CreatePrivateKeyFromPath(private_key_path); if (!private_key) { LOG(ERROR) << "Failed to create private key from " << private_key_path; return false; } int key_type = EVP_PKEY_id(private_key.get()); brillo::Blob signature; if (key_type == EVP_PKEY_RSA) { RSA* rsa = EVP_PKEY_get0_RSA(private_key.get()); TEST_AND_RETURN_FALSE(rsa != nullptr); brillo::Blob padded_hash = hash; PayloadVerifier::PadRSASHA256Hash(&padded_hash, RSA_size(rsa)); signature.resize(RSA_size(rsa)); ssize_t signature_size = RSA_private_encrypt(padded_hash.size(), padded_hash.data(), signature.data(), rsa, RSA_NO_PADDING); if (signature_size < 0) { LOG(ERROR) << "Signing hash failed: " << ERR_error_string(ERR_get_error(), nullptr); return false; } TEST_AND_RETURN_FALSE(static_cast(signature_size) == signature.size()); } else if (key_type == EVP_PKEY_EC) { EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(private_key.get()); TEST_AND_RETURN_FALSE(ec_key != nullptr); signature.resize(ECDSA_size(ec_key)); unsigned int signature_size; if (ECDSA_sign(0, hash.data(), hash.size(), signature.data(), &signature_size, ec_key) != 1) { LOG(ERROR) << "Signing hash failed: " << ERR_error_string(ERR_get_error(), nullptr); return false; } // NIST P-256 LOG(ERROR) << "signature max size " << signature.size() << " size " << signature_size; TEST_AND_RETURN_FALSE(signature.size() >= signature_size); signature.resize(signature_size); } else { LOG(ERROR) << "key_type " << key_type << " isn't supported for signing"; return false; } out_signature->swap(signature); return true; } bool PayloadSigner::SignHashWithKeys(const brillo::Blob& hash_data, const vector& private_key_paths, string* out_serialized_signature) { vector signatures; vector padded_signature_sizes; for (const string& path : private_key_paths) { brillo::Blob signature; TEST_AND_RETURN_FALSE(SignHash(hash_data, path, &signature)); signatures.push_back(signature); size_t padded_signature_size; TEST_AND_RETURN_FALSE( GetMaximumSignatureSize(path, &padded_signature_size)); padded_signature_sizes.push_back(padded_signature_size); } TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf( signatures, padded_signature_sizes, out_serialized_signature)); return true; } bool PayloadSigner::SignPayload(const string& unsigned_payload_path, const vector& private_key_paths, const uint64_t metadata_size, const uint32_t metadata_signature_size, const uint64_t signatures_offset, string* out_serialized_signature) { brillo::Blob payload; TEST_AND_RETURN_FALSE(utils::ReadFile(unsigned_payload_path, &payload)); brillo::Blob hash_data; TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload, metadata_size, metadata_signature_size, signatures_offset, &hash_data, nullptr)); TEST_AND_RETURN_FALSE( SignHashWithKeys(hash_data, private_key_paths, out_serialized_signature)); return true; } bool PayloadSigner::SignatureBlobLength(const vector& private_key_paths, uint64_t* out_length) { DCHECK(out_length); brillo::Blob hash_blob; TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfData({'x'}, &hash_blob)); string sig_blob; TEST_AND_RETURN_FALSE( SignHashWithKeys(hash_blob, private_key_paths, &sig_blob)); *out_length = sig_blob.size(); return true; } bool PayloadSigner::HashPayloadForSigning(const string& payload_path, const vector& signature_sizes, brillo::Blob* out_payload_hash_data, brillo::Blob* out_metadata_hash) { // Create a signature blob with signatures filled with 0. // Will be used for both payload signature and metadata signature. vector signatures; for (int signature_size : signature_sizes) { signatures.emplace_back(signature_size, 0); } string signature; TEST_AND_RETURN_FALSE( ConvertSignaturesToProtobuf(signatures, signature_sizes, &signature)); brillo::Blob payload; uint64_t metadata_size, signatures_offset; uint32_t metadata_signature_size; // Prepare payload for hashing. TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path, signature, signature, &payload, &metadata_size, &metadata_signature_size, &signatures_offset)); TEST_AND_RETURN_FALSE(CalculateHashFromPayload(payload, metadata_size, metadata_signature_size, signatures_offset, out_payload_hash_data, out_metadata_hash)); return true; } bool PayloadSigner::AddSignatureToPayload( const string& payload_path, const vector& padded_signature_sizes, const vector& payload_signatures, const vector& metadata_signatures, const string& signed_payload_path, uint64_t* out_metadata_size) { // TODO(petkov): Reduce memory usage -- the payload is manipulated in memory. // Loads the payload and adds the signature op to it. string payload_signature, metadata_signature; TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf( payload_signatures, padded_signature_sizes, &payload_signature)); if (!metadata_signatures.empty()) { TEST_AND_RETURN_FALSE(ConvertSignaturesToProtobuf( metadata_signatures, padded_signature_sizes, &metadata_signature)); } brillo::Blob payload; uint64_t signatures_offset; uint32_t metadata_signature_size; TEST_AND_RETURN_FALSE(AddSignatureBlobToPayload(payload_path, payload_signature, metadata_signature, &payload, out_metadata_size, &metadata_signature_size, &signatures_offset)); LOG(INFO) << "Signed payload size: " << payload.size(); TEST_AND_RETURN_FALSE(utils::WriteFile( signed_payload_path.c_str(), payload.data(), payload.size())); return true; } bool PayloadSigner::GetMetadataSignature(const void* const metadata, size_t metadata_size, const string& private_key_path, string* out_signature) { // Calculates the hash on the updated payload. Note that the payload includes // the signature op but doesn't include the signature blob at the end. brillo::Blob metadata_hash; TEST_AND_RETURN_FALSE( HashCalculator::RawHashOfBytes(metadata, metadata_size, &metadata_hash)); brillo::Blob signature; TEST_AND_RETURN_FALSE(SignHash(metadata_hash, private_key_path, &signature)); *out_signature = brillo::data_encoding::Base64Encode(signature); return true; } } // namespace chromeos_update_engine