Use BoringSSL instead of mincrypt to speed up package verification.
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with
merge conflict resolution, extra logging in verifier.cpp, and
an increase in the hash chunk size from 4KiB to 1MiB.
Bug: http://b/28135231
Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
diff --git a/Android.mk b/Android.mk
index 6c3ce56..65d123a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -23,7 +23,7 @@
LOCAL_MODULE := libfusesideload
-LOCAL_STATIC_LIBRARIES := libcutils libc libmincrypt
+LOCAL_STATIC_LIBRARIES := libcutils libc libcrypto_static
include $(BUILD_STATIC_LIBRARY)
include $(CLEAR_VARS)
@@ -71,12 +71,12 @@
libminzip \
libz \
libmtdutils \
- libmincrypt \
libminadbd \
libfusesideload \
libminui \
libpng \
libfs_mgr \
+ libcrypto_static \
libbase \
libcutils \
libutils \
@@ -136,6 +136,7 @@
asn1_decoder.cpp \
verifier.cpp \
ui.cpp
+LOCAL_STATIC_LIBRARIES := libcrypto_static
include $(BUILD_STATIC_LIBRARY)
include $(LOCAL_PATH)/minui/Android.mk \
diff --git a/fuse_sideload.cpp b/fuse_sideload.cpp
index 9c3e75f..1725e88 100644
--- a/fuse_sideload.cpp
+++ b/fuse_sideload.cpp
@@ -61,7 +61,8 @@
#include <sys/uio.h>
#include <unistd.h>
-#include "mincrypt/sha256.h"
+#include <openssl/sha.h>
+
#include "fuse_sideload.h"
#define PACKAGE_FILE_ID (FUSE_ROOT_ID+1)
@@ -269,22 +270,22 @@
// block).
// - Otherwise, return -EINVAL for the read.
- uint8_t hash[SHA256_DIGEST_SIZE];
- SHA256_hash(fd->block_data, fd->block_size, hash);
- uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_SIZE;
- if (memcmp(hash, blockhash, SHA256_DIGEST_SIZE) == 0) {
+ uint8_t hash[SHA256_DIGEST_LENGTH];
+ SHA256(fd->block_data, fd->block_size, hash);
+ uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_LENGTH;
+ if (memcmp(hash, blockhash, SHA256_DIGEST_LENGTH) == 0) {
return 0;
}
int i;
- for (i = 0; i < SHA256_DIGEST_SIZE; ++i) {
+ for (i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
if (blockhash[i] != 0) {
fd->curr_block = -1;
return -EIO;
}
}
- memcpy(blockhash, hash, SHA256_DIGEST_SIZE);
+ memcpy(blockhash, hash, SHA256_DIGEST_LENGTH);
return 0;
}
@@ -393,10 +394,10 @@
goto done;
}
- fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_SIZE);
+ fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_LENGTH);
if (fd.hashes == NULL) {
fprintf(stderr, "failed to allocate %d bites for hashes\n",
- fd.file_blocks * SHA256_DIGEST_SIZE);
+ fd.file_blocks * SHA256_DIGEST_LENGTH);
result = -1;
goto done;
}
diff --git a/install.cpp b/install.cpp
index 8a82d7b..d009513 100644
--- a/install.cpp
+++ b/install.cpp
@@ -23,19 +23,19 @@
#include <sys/wait.h>
#include <unistd.h>
+#include <chrono>
#include <vector>
#include "common.h"
#include "install.h"
-#include "mincrypt/rsa.h"
#include "minui/minui.h"
#include "minzip/SysUtil.h"
#include "minzip/Zip.h"
#include "mtdutils/mounts.h"
#include "mtdutils/mtdutils.h"
#include "roots.h"
-#include "verifier.h"
#include "ui.h"
+#include "verifier.h"
extern RecoveryUI* ui;
@@ -229,6 +229,7 @@
return INSTALL_CORRUPT;
}
+ // Load keys.
std::vector<Certificate> loadedKeys;
if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
LOGE("Failed to load keys\n");
@@ -236,18 +237,19 @@
}
LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
+ // Verify package.
ui->Print("Verifying update package...\n");
-
+ auto t0 = std::chrono::system_clock::now();
int err = verify_file(map.addr, map.length, loadedKeys);
- LOGI("verify_file returned %d\n", err);
+ std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
+ ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
if (err != VERIFY_SUCCESS) {
LOGE("signature verification failed\n");
sysReleaseMap(&map);
return INSTALL_CORRUPT;
}
- /* Try to open the package.
- */
+ // Try to open the package.
ZipArchive zip;
err = mzOpenZipArchive(map.addr, map.length, &zip);
if (err != 0) {
@@ -256,8 +258,7 @@
return INSTALL_CORRUPT;
}
- /* Verify and install the contents of the package.
- */
+ // Verify and install the contents of the package.
ui->Print("Installing update...\n");
ui->SetEnableReboot(false);
int result = try_update_binary(path, &zip, wipe_cache);
diff --git a/tests/Android.mk b/tests/Android.mk
index eac3581..2da19d7 100644
--- a/tests/Android.mk
+++ b/tests/Android.mk
@@ -45,7 +45,6 @@
libmtdutils \
libbase \
libverifier \
- libmincrypt \
libcrypto_static \
libminui \
libminzip \
diff --git a/tests/component/verifier_test.cpp b/tests/component/verifier_test.cpp
index 73f6ac9..9ac9657 100644
--- a/tests/component/verifier_test.cpp
+++ b/tests/component/verifier_test.cpp
@@ -19,19 +19,19 @@
#include <gtest/gtest.h>
#include <stdio.h>
#include <stdlib.h>
-#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/types.h>
#include <memory>
#include <string>
#include <vector>
+#include <openssl/sha.h>
+
#include <android-base/stringprintf.h>
#include "common.h"
#include "common/test_constants.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
#include "minzip/SysUtil.h"
#include "ui.h"
#include "verifier.h"
@@ -39,94 +39,6 @@
static const char* DATA_PATH = getenv("ANDROID_DATA");
static const char* TESTDATA_PATH = "/recovery/testdata/";
-// This is build/target/product/security/testkey.x509.pem after being
-// dumped out by dumpkey.jar.
-RSAPublicKey test_key =
- { 64, 0xc926ad21,
- { 0x6afee91fu, 0x7fa31d5bu, 0x38a0b217u, 0x99df9baeu,
- 0xfe72991du, 0x727d3c04u, 0x20943f99u, 0xd08e7826u,
- 0x69e7c8a2u, 0xdeeccc8eu, 0x6b9af76fu, 0x553311c4u,
- 0x07b9e247u, 0x54c8bbcau, 0x6a540d81u, 0x48dbf567u,
- 0x98c92877u, 0x134fbfdeu, 0x01b32564u, 0x24581948u,
- 0x6cddc3b8u, 0x0cd444dau, 0xfe0381ccu, 0xf15818dfu,
- 0xc06e6d42u, 0x2e2f6412u, 0x093a6737u, 0x94d83b31u,
- 0xa466c87au, 0xb3f284a0u, 0xa694ec2cu, 0x053359e6u,
- 0x9717ee6au, 0x0732e080u, 0x220d5008u, 0xdc4af350u,
- 0x93d0a7c3u, 0xe330c9eau, 0xcac3da1eu, 0x8ebecf8fu,
- 0xc2be387fu, 0x38a14e89u, 0x211586f0u, 0x18b846f5u,
- 0x43be4c72u, 0xb578c204u, 0x1bbfb230u, 0xf1e267a8u,
- 0xa2d3e656u, 0x64b8e4feu, 0xe7e83d4bu, 0x3e77a943u,
- 0x3559ffd9u, 0x0ebb0f99u, 0x0aa76ce6u, 0xd3786ea7u,
- 0xbca8cd6bu, 0x068ca8e8u, 0xeb1de2ffu, 0x3e3ecd6cu,
- 0xe0d9d825u, 0xb1edc762u, 0xdec60b24u, 0xd6931904u},
- { 0xccdcb989u, 0xe19281f9u, 0xa6e80accu, 0xb7f40560u,
- 0x0efb0bccu, 0x7f12b0bbu, 0x1e90531au, 0x136d95d0u,
- 0x9e660665u, 0x7d54918fu, 0xe3b93ea2u, 0x2f415d10u,
- 0x3d2df6e6u, 0x7a627ecfu, 0xa6f22d70u, 0xb995907au,
- 0x09de16b2u, 0xfeb8bd61u, 0xf24ec294u, 0x716a427fu,
- 0x2e12046fu, 0xeaf3d56au, 0xd9b873adu, 0x0ced340bu,
- 0xbc9cec09u, 0x73c65903u, 0xee39ce9bu, 0x3eede25au,
- 0x397633b7u, 0x2583c165u, 0x8514f97du, 0xe9166510u,
- 0x0b6fae99u, 0xa47139fdu, 0xdb8352f0u, 0xb2ad7f2cu,
- 0xa11552e2u, 0xd4d490a7u, 0xe11e8568u, 0xe9e484dau,
- 0xd3ef8449u, 0xa47055dau, 0x4edd9557u, 0x03a78ba1u,
- 0x770e130du, 0x16762facu, 0x0cbdfcc4u, 0xf3070540u,
- 0x008b6515u, 0x60e7e1b7u, 0xa72cf7f9u, 0xaff86e39u,
- 0x4296faadu, 0xfc90430eu, 0x6cc8f377u, 0xb398fd43u,
- 0x423c5997u, 0x991d59c4u, 0x6464bf73u, 0x96431575u,
- 0x15e3d207u, 0x30532a7au, 0x8c4be618u, 0x460a4d76u },
- 3
- };
-
-RSAPublicKey test_f4_key =
- { 64, 0xc9bd1f21,
- { 0x1178db1fu, 0xbf5d0e55u, 0x3393a165u, 0x0ef4c287u,
- 0xbc472a4au, 0x383fc5a1u, 0x4a13b7d2u, 0xb1ff2ac3u,
- 0xaf66b4d9u, 0x9280acefu, 0xa2165bdbu, 0x6a4d6e5cu,
- 0x08ea676bu, 0xb7ac70c7u, 0xcd158139u, 0xa635ccfeu,
- 0xa46ab8a8u, 0x445a3e8bu, 0xdc81d9bbu, 0x91ce1a20u,
- 0x68021cdeu, 0x4516eda9u, 0x8d43c30cu, 0xed1eff14u,
- 0xca387e4cu, 0x58adc233u, 0x4657ab27u, 0xa95b521eu,
- 0xdfc0e30cu, 0x394d64a1u, 0xc6b321a1u, 0x2ca22cb8u,
- 0xb1892d5cu, 0x5d605f3eu, 0x6025483cu, 0x9afd5181u,
- 0x6e1a7105u, 0x03010593u, 0x70acd304u, 0xab957cbfu,
- 0x8844abbbu, 0x53846837u, 0x24e98a43u, 0x2ba060c1u,
- 0x8b88b88eu, 0x44eea405u, 0xb259fc41u, 0x0907ad9cu,
- 0x13003adau, 0xcf79634eu, 0x7d314ec9u, 0xfbbe4c2bu,
- 0xd84d0823u, 0xfd30fd88u, 0x68d8a909u, 0xfb4572d9u,
- 0xa21301c2u, 0xd00a4785u, 0x6862b50cu, 0xcfe49796u,
- 0xdaacbd83u, 0xfb620906u, 0xdf71e0ccu, 0xbbc5b030u },
- { 0x69a82189u, 0x1a8b22f4u, 0xcf49207bu, 0x68cc056au,
- 0xb206b7d2u, 0x1d449bbdu, 0xe9d342f2u, 0x29daea58u,
- 0xb19d011au, 0xc62f15e4u, 0x9452697au, 0xb62bb87eu,
- 0x60f95cc2u, 0x279ebb2du, 0x17c1efd8u, 0xec47558bu,
- 0xc81334d1u, 0x88fe7601u, 0x79992eb1u, 0xb4555615u,
- 0x2022ac8cu, 0xc79a4b8cu, 0xb288b034u, 0xd6b942f0u,
- 0x0caa32fbu, 0xa065ba51u, 0x4de9f154u, 0x29f64f6cu,
- 0x7910af5eu, 0x3ed4636au, 0xe4c81911u, 0x9183f37du,
- 0x5811e1c4u, 0x29c7a58cu, 0x9715d4d3u, 0xc7e2dce3u,
- 0x140972ebu, 0xf4c8a69eu, 0xa104d424u, 0x5dabbdfbu,
- 0x41cb4c6bu, 0xd7f44717u, 0x61785ff7u, 0x5e0bc273u,
- 0x36426c70u, 0x2aa6f08eu, 0x083badbfu, 0x3cab941bu,
- 0x8871da23u, 0x1ab3dbaeu, 0x7115a21du, 0xf5aa0965u,
- 0xf766f562u, 0x7f110225u, 0x86d96a04u, 0xc50a120eu,
- 0x3a751ca3u, 0xc21aa186u, 0xba7359d0u, 0x3ff2b257u,
- 0xd116e8bbu, 0xfc1318c0u, 0x070e5b1du, 0x83b759a6u },
- 65537
- };
-
-ECPublicKey test_ec_key =
- {
- {
- {0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu,
- 0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u}
- },
- {
- {0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au,
- 0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u}
- }
- };
-
RecoveryUI* ui = NULL;
class MockUI : public RecoveryUI {
@@ -177,31 +89,34 @@
virtual void SetUp() {
std::vector<std::string> args = GetParam();
- std::string package = android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
- TESTDATA_PATH, args[0].c_str());
+ std::string package =
+ android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
+ TESTDATA_PATH, args[0].c_str());
+ if (sysMapFile(package.c_str(), &memmap) != 0) {
+ FAIL() << "Failed to mmap " << package << ": " << strerror(errno)
+ << "\n";
+ }
+
for (auto it = ++(args.cbegin()); it != args.cend(); ++it) {
if (it->substr(it->length() - 3, it->length()) == "256") {
if (certs.empty()) {
FAIL() << "May only specify -sha256 after key type\n";
}
- certs.back().hash_len = SHA256_DIGEST_SIZE;
- } else if (*it == "ec") {
- certs.emplace_back(SHA_DIGEST_SIZE, Certificate::EC,
- nullptr, std::unique_ptr<ECPublicKey>(new ECPublicKey(test_ec_key)));
- } else if (*it == "e3") {
- certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
- std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
- } else if (*it == "f4") {
- certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
- std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_f4_key)), nullptr);
+ certs.back().hash_len = SHA256_DIGEST_LENGTH;
+ } else {
+ std::string public_key_file = android::base::StringPrintf(
+ "%s%s%stest_key_%s.txt", DATA_PATH, NATIVE_TEST_PATH,
+ TESTDATA_PATH, it->c_str());
+ ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
+ certs.back().hash_len = SHA_DIGEST_LENGTH;
}
}
if (certs.empty()) {
- certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
- std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
- }
- if (sysMapFile(package.c_str(), &memmap) != 0) {
- FAIL() << "Failed to mmap " << package << ": " << strerror(errno) << "\n";
+ std::string public_key_file = android::base::StringPrintf(
+ "%s%s%stest_key_e3.txt", DATA_PATH, NATIVE_TEST_PATH,
+ TESTDATA_PATH);
+ ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
+ certs.back().hash_len = SHA_DIGEST_LENGTH;
}
}
diff --git a/tests/testdata/test_key_e3.txt b/tests/testdata/test_key_e3.txt
new file mode 100644
index 0000000..53f5297
--- /dev/null
+++ b/tests/testdata/test_key_e3.txt
@@ -0,0 +1 @@
+{64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}}
diff --git a/tests/testdata/test_key_ec.txt b/tests/testdata/test_key_ec.txt
new file mode 100644
index 0000000..72b4395
--- /dev/null
+++ b/tests/testdata/test_key_ec.txt
@@ -0,0 +1 @@
+v5 {32,{36,250,86,214,202,22,20,147,198,120,2,28,76,190,78,23,106,35,24,96,86,22,186,69,132,93,192,232,0,213,14,103},{222,154,23,13,125,130,22,76,146,185,140,159,138,255,105,143,32,16,27,72,175,145,141,121,233,184,77,24,217,141,132,181}}
diff --git a/tests/testdata/test_key_f4.txt b/tests/testdata/test_key_f4.txt
new file mode 100644
index 0000000..54ddbba
--- /dev/null
+++ b/tests/testdata/test_key_f4.txt
@@ -0,0 +1 @@
+v2 {64,0xc9bd1f21,{293133087,3210546773,865313125,250921607,3158780490,943703457,1242806226,2986289859,2942743769,2457906415,2719374299,1783459420,149579627,3081531591,3440738617,2788543742,2758457512,1146764939,3699497403,2446203424,1744968926,1159130537,2370028300,3978231572,3392699980,1487782451,1180150567,2841334302,3753960204,961373345,3333628321,748825784,2978557276,1566596926,1613056060,2600292737,1847226629,50398611,1890374404,2878700735,2286201787,1401186359,619285059,731930817,2340993166,1156490245,2992241729,151498140,318782170,3480838990,2100383433,4223552555,3628927011,4247846280,1759029513,4215632601,2719154626,3490334597,1751299340,3487864726,3668753795,4217506054,3748782284,3150295088},{1772626313,445326068,3477676155,1758201194,2986784722,491035581,3922936562,702212696,2979856666,3324974564,2488428922,3056318590,1626954946,664714029,398585816,3964097931,3356701905,2298377729,2040082097,3025491477,539143308,3348777868,2995302452,3602465520,212480763,2691021393,1307177300,704008044,2031136606,1054106474,3838318865,2441343869,1477566916,700949900,2534790355,3353533667,336163563,4106790558,2701448228,1571536379,1103842411,3623110423,1635278839,1577828979,910322800,715583630,138128831,1017877531,2289162787,447994798,1897243165,4121561445,4150719842,2131821093,2262395396,3305771534,980753571,3256525190,3128121808,1072869975,3507939515,4229109952,118381341,2209831334}}
diff --git a/verifier.cpp b/verifier.cpp
index 9a2d60c..4004b02 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -14,25 +14,26 @@
* limitations under the License.
*/
-#include "asn1_decoder.h"
-#include "common.h"
-#include "ui.h"
-#include "verifier.h"
-
-#include "mincrypt/dsa_sig.h"
-#include "mincrypt/p256.h"
-#include "mincrypt/p256_ecdsa.h"
-#include "mincrypt/rsa.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
-
#include <errno.h>
#include <malloc.h>
#include <stdio.h>
#include <string.h>
+#include <algorithm>
+#include <memory>
+
+#include <openssl/ecdsa.h>
+#include <openssl/obj_mac.h>
+
+#include "asn1_decoder.h"
+#include "common.h"
+#include "ui.h"
+#include "verifier.h"
+
extern RecoveryUI* ui;
+static constexpr size_t MiB = 1024 * 1024;
+
/*
* Simple version of PKCS#7 SignedData extraction. This extracts the
* signature OCTET STRING to be used for signature verification.
@@ -188,30 +189,30 @@
}
}
-#define BUFFER_SIZE 4096
-
bool need_sha1 = false;
bool need_sha256 = false;
for (const auto& key : keys) {
switch (key.hash_len) {
- case SHA_DIGEST_SIZE: need_sha1 = true; break;
- case SHA256_DIGEST_SIZE: need_sha256 = true; break;
+ case SHA_DIGEST_LENGTH: need_sha1 = true; break;
+ case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
}
}
SHA_CTX sha1_ctx;
SHA256_CTX sha256_ctx;
- SHA_init(&sha1_ctx);
- SHA256_init(&sha256_ctx);
+ SHA1_Init(&sha1_ctx);
+ SHA256_Init(&sha256_ctx);
double frac = -1.0;
size_t so_far = 0;
while (so_far < signed_len) {
- size_t size = signed_len - so_far;
- if (size > BUFFER_SIZE) size = BUFFER_SIZE;
+ // On a Nexus 9, experiment didn't show any performance improvement with
+ // larger sizes past 1MiB, and they reduce the granularity of the progress
+ // bar. http://b/28135231.
+ size_t size = std::min(signed_len - so_far, 1 * MiB);
- if (need_sha1) SHA_update(&sha1_ctx, addr + so_far, size);
- if (need_sha256) SHA256_update(&sha256_ctx, addr + so_far, size);
+ if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
+ if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
so_far += size;
double f = so_far / (double)signed_len;
@@ -221,8 +222,10 @@
}
}
- const uint8_t* sha1 = SHA_final(&sha1_ctx);
- const uint8_t* sha256 = SHA256_final(&sha256_ctx);
+ uint8_t sha1[SHA_DIGEST_LENGTH];
+ SHA1_Final(sha1, &sha1_ctx);
+ uint8_t sha256[SHA256_DIGEST_LENGTH];
+ SHA256_Final(sha256, &sha256_ctx);
uint8_t* sig_der = nullptr;
size_t sig_der_length = 0;
@@ -242,23 +245,25 @@
size_t i = 0;
for (const auto& key : keys) {
const uint8_t* hash;
+ int hash_nid;
switch (key.hash_len) {
- case SHA_DIGEST_SIZE: hash = sha1; break;
- case SHA256_DIGEST_SIZE: hash = sha256; break;
- default: continue;
+ case SHA_DIGEST_LENGTH:
+ hash = sha1;
+ hash_nid = NID_sha1;
+ break;
+ case SHA256_DIGEST_LENGTH:
+ hash = sha256;
+ hash_nid = NID_sha256;
+ break;
+ default:
+ continue;
}
// The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
// the signing tool appends after the signature itself.
- if (key.key_type == Certificate::RSA) {
- if (sig_der_length < RSANUMBYTES) {
- // "signature" block isn't big enough to contain an RSA block.
- LOGI("signature is too short for RSA key %zu\n", i);
- continue;
- }
-
- if (!RSA_verify(key.rsa.get(), sig_der, RSANUMBYTES,
- hash, key.hash_len)) {
+ if (key.key_type == Certificate::KEY_TYPE_RSA) {
+ if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der,
+ sig_der_length, key.rsa.get())) {
LOGI("failed to verify against RSA key %zu\n", i);
continue;
}
@@ -266,18 +271,10 @@
LOGI("whole-file signature verified against RSA key %zu\n", i);
free(sig_der);
return VERIFY_SUCCESS;
- } else if (key.key_type == Certificate::EC
- && key.hash_len == SHA256_DIGEST_SIZE) {
- p256_int r, s;
- if (!dsa_sig_unpack(sig_der, sig_der_length, &r, &s)) {
- LOGI("Not a DSA signature block for EC key %zu\n", i);
- continue;
- }
-
- p256_int p256_hash;
- p256_from_bin(hash, &p256_hash);
- if (!p256_ecdsa_verify(&(key.ec->x), &(key.ec->y),
- &p256_hash, &r, &s)) {
+ } else if (key.key_type == Certificate::KEY_TYPE_EC
+ && key.hash_len == SHA256_DIGEST_LENGTH) {
+ if (!ECDSA_verify(0, hash, key.hash_len, sig_der,
+ sig_der_length, key.ec.get())) {
LOGI("failed to verify against EC key %zu\n", i);
continue;
}
@@ -295,6 +292,144 @@
return VERIFY_FAILURE;
}
+std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
+ // Read key length in words and n0inv. n0inv is a precomputed montgomery
+ // parameter derived from the modulus and can be used to speed up
+ // verification. n0inv is 32 bits wide here, assuming the verification logic
+ // uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
+ // internally, in which case we don't have a valid n0inv. Thus, we just
+ // ignore the montgomery parameters and have BoringSSL recompute them
+ // internally. If/When the speedup from using the montgomery parameters
+ // becomes relevant, we can add more sophisticated code here to obtain a
+ // 64-bit n0inv and initialize the montgomery parameters in the key object.
+ uint32_t key_len_words = 0;
+ uint32_t n0inv = 0;
+ if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
+ return nullptr;
+ }
+
+ if (key_len_words > 8192 / 32) {
+ LOGE("key length (%d) too large\n", key_len_words);
+ return nullptr;
+ }
+
+ // Read the modulus.
+ std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
+ if (fscanf(file, " , { %u", &modulus[0]) != 1) {
+ return nullptr;
+ }
+ for (uint32_t i = 1; i < key_len_words; ++i) {
+ if (fscanf(file, " , %u", &modulus[i]) != 1) {
+ return nullptr;
+ }
+ }
+
+ // Cconvert from little-endian array of little-endian words to big-endian
+ // byte array suitable as input for BN_bin2bn.
+ std::reverse((uint8_t*)modulus.get(),
+ (uint8_t*)(modulus.get() + key_len_words));
+
+ // The next sequence of values is the montgomery parameter R^2. Since we
+ // generally don't have a valid |n0inv|, we ignore this (see comment above).
+ uint32_t rr_value;
+ if (fscanf(file, " } , { %u", &rr_value) != 1) {
+ return nullptr;
+ }
+ for (uint32_t i = 1; i < key_len_words; ++i) {
+ if (fscanf(file, " , %u", &rr_value) != 1) {
+ return nullptr;
+ }
+ }
+ if (fscanf(file, " } } ") != 0) {
+ return nullptr;
+ }
+
+ // Initialize the key.
+ std::unique_ptr<RSA, RSADeleter> key(RSA_new());
+ if (!key) {
+ return nullptr;
+ }
+
+ key->n = BN_bin2bn((uint8_t*)modulus.get(),
+ key_len_words * sizeof(uint32_t), NULL);
+ if (!key->n) {
+ return nullptr;
+ }
+
+ key->e = BN_new();
+ if (!key->e || !BN_set_word(key->e, exponent)) {
+ return nullptr;
+ }
+
+ return key;
+}
+
+struct BNDeleter {
+ void operator()(BIGNUM* bn) {
+ BN_free(bn);
+ }
+};
+
+std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
+ uint32_t key_len_bytes = 0;
+ if (fscanf(file, " %i", &key_len_bytes) != 1) {
+ return nullptr;
+ }
+
+ std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
+ EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
+ if (!group) {
+ return nullptr;
+ }
+
+ // Verify that |key_len| matches the group order.
+ if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
+ return nullptr;
+ }
+
+ // Read the public key coordinates. Note that the byte order in the file is
+ // little-endian, so we convert to big-endian here.
+ std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
+ std::unique_ptr<BIGNUM, BNDeleter> point[2];
+ for (int i = 0; i < 2; ++i) {
+ unsigned int byte = 0;
+ if (fscanf(file, " , { %u", &byte) != 1) {
+ return nullptr;
+ }
+ bytes[key_len_bytes - 1] = byte;
+
+ for (size_t i = 1; i < key_len_bytes; ++i) {
+ if (fscanf(file, " , %u", &byte) != 1) {
+ return nullptr;
+ }
+ bytes[key_len_bytes - i - 1] = byte;
+ }
+
+ point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
+ if (!point[i]) {
+ return nullptr;
+ }
+
+ if (fscanf(file, " }") != 0) {
+ return nullptr;
+ }
+ }
+
+ if (fscanf(file, " } ") != 0) {
+ return nullptr;
+ }
+
+ // Create and initialize the key.
+ std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
+ if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
+ !EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
+ point[1].get())) {
+ return nullptr;
+ }
+
+ return key;
+}
+
// Reads a file containing one or more public keys as produced by
// DumpPublicKey: this is an RSAPublicKey struct as it would appear
// as a C source literal, eg:
@@ -335,94 +470,57 @@
}
while (true) {
- certs.emplace_back(0, Certificate::RSA, nullptr, nullptr);
+ certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
Certificate& cert = certs.back();
+ uint32_t exponent = 0;
char start_char;
if (fscanf(f.get(), " %c", &start_char) != 1) return false;
if (start_char == '{') {
// a version 1 key has no version specifier.
- cert.key_type = Certificate::RSA;
- cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
- cert.rsa->exponent = 3;
- cert.hash_len = SHA_DIGEST_SIZE;
+ cert.key_type = Certificate::KEY_TYPE_RSA;
+ exponent = 3;
+ cert.hash_len = SHA_DIGEST_LENGTH;
} else if (start_char == 'v') {
int version;
if (fscanf(f.get(), "%d {", &version) != 1) return false;
switch (version) {
case 2:
- cert.key_type = Certificate::RSA;
- cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
- cert.rsa->exponent = 65537;
- cert.hash_len = SHA_DIGEST_SIZE;
+ cert.key_type = Certificate::KEY_TYPE_RSA;
+ exponent = 65537;
+ cert.hash_len = SHA_DIGEST_LENGTH;
break;
case 3:
- cert.key_type = Certificate::RSA;
- cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
- cert.rsa->exponent = 3;
- cert.hash_len = SHA256_DIGEST_SIZE;
+ cert.key_type = Certificate::KEY_TYPE_RSA;
+ exponent = 3;
+ cert.hash_len = SHA256_DIGEST_LENGTH;
break;
case 4:
- cert.key_type = Certificate::RSA;
- cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
- cert.rsa->exponent = 65537;
- cert.hash_len = SHA256_DIGEST_SIZE;
+ cert.key_type = Certificate::KEY_TYPE_RSA;
+ exponent = 65537;
+ cert.hash_len = SHA256_DIGEST_LENGTH;
break;
case 5:
- cert.key_type = Certificate::EC;
- cert.ec = std::unique_ptr<ECPublicKey>(new ECPublicKey);
- cert.hash_len = SHA256_DIGEST_SIZE;
+ cert.key_type = Certificate::KEY_TYPE_EC;
+ cert.hash_len = SHA256_DIGEST_LENGTH;
break;
default:
return false;
}
}
- if (cert.key_type == Certificate::RSA) {
- RSAPublicKey* key = cert.rsa.get();
- if (fscanf(f.get(), " %i , 0x%x , { %u", &(key->len), &(key->n0inv),
- &(key->n[0])) != 3) {
- return false;
+ if (cert.key_type == Certificate::KEY_TYPE_RSA) {
+ cert.rsa = parse_rsa_key(f.get(), exponent);
+ if (!cert.rsa) {
+ return false;
}
- if (key->len != RSANUMWORDS) {
- LOGE("key length (%d) does not match expected size\n", key->len);
- return false;
- }
- for (int i = 1; i < key->len; ++i) {
- if (fscanf(f.get(), " , %u", &(key->n[i])) != 1) return false;
- }
- if (fscanf(f.get(), " } , { %u", &(key->rr[0])) != 1) return false;
- for (int i = 1; i < key->len; ++i) {
- if (fscanf(f.get(), " , %u", &(key->rr[i])) != 1) return false;
- }
- fscanf(f.get(), " } } ");
- LOGI("read key e=%d hash=%d\n", key->exponent, cert.hash_len);
- } else if (cert.key_type == Certificate::EC) {
- ECPublicKey* key = cert.ec.get();
- int key_len;
- unsigned int byte;
- uint8_t x_bytes[P256_NBYTES];
- uint8_t y_bytes[P256_NBYTES];
- if (fscanf(f.get(), " %i , { %u", &key_len, &byte) != 2) return false;
- if (key_len != P256_NBYTES) {
- LOGE("Key length (%d) does not match expected size %d\n", key_len, P256_NBYTES);
- return false;
+ LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len);
+ } else if (cert.key_type == Certificate::KEY_TYPE_EC) {
+ cert.ec = parse_ec_key(f.get());
+ if (!cert.ec) {
+ return false;
}
- x_bytes[P256_NBYTES - 1] = byte;
- for (int i = P256_NBYTES - 2; i >= 0; --i) {
- if (fscanf(f.get(), " , %u", &byte) != 1) return false;
- x_bytes[i] = byte;
- }
- if (fscanf(f.get(), " } , { %u", &byte) != 1) return false;
- y_bytes[P256_NBYTES - 1] = byte;
- for (int i = P256_NBYTES - 2; i >= 0; --i) {
- if (fscanf(f.get(), " , %u", &byte) != 1) return false;
- y_bytes[i] = byte;
- }
- fscanf(f.get(), " } } ");
- p256_from_bin(x_bytes, &key->x);
- p256_from_bin(y_bytes, &key->y);
} else {
LOGE("Unknown key type %d\n", cert.key_type);
return false;
diff --git a/verifier.h b/verifier.h
index 4eafc75..58083fe 100644
--- a/verifier.h
+++ b/verifier.h
@@ -20,32 +20,42 @@
#include <memory>
#include <vector>
-#include "mincrypt/p256.h"
-#include "mincrypt/rsa.h"
+#include <openssl/ec_key.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
-typedef struct {
- p256_int x;
- p256_int y;
-} ECPublicKey;
+struct RSADeleter {
+ void operator()(RSA* rsa) {
+ RSA_free(rsa);
+ }
+};
+
+struct ECKEYDeleter {
+ void operator()(EC_KEY* ec_key) {
+ EC_KEY_free(ec_key);
+ }
+};
struct Certificate {
typedef enum {
- RSA,
- EC,
+ KEY_TYPE_RSA,
+ KEY_TYPE_EC,
} KeyType;
- Certificate(int hash_len_, KeyType key_type_,
- std::unique_ptr<RSAPublicKey>&& rsa_,
- std::unique_ptr<ECPublicKey>&& ec_) :
- hash_len(hash_len_),
- key_type(key_type_),
- rsa(std::move(rsa_)),
- ec(std::move(ec_)) { }
+ Certificate(int hash_len_,
+ KeyType key_type_,
+ std::unique_ptr<RSA, RSADeleter>&& rsa_,
+ std::unique_ptr<EC_KEY, ECKEYDeleter>&& ec_)
+ : hash_len(hash_len_),
+ key_type(key_type_),
+ rsa(std::move(rsa_)),
+ ec(std::move(ec_)) {}
- int hash_len; // SHA_DIGEST_SIZE (SHA-1) or SHA256_DIGEST_SIZE (SHA-256)
+ // SHA_DIGEST_LENGTH (SHA-1) or SHA256_DIGEST_LENGTH (SHA-256)
+ int hash_len;
KeyType key_type;
- std::unique_ptr<RSAPublicKey> rsa;
- std::unique_ptr<ECPublicKey> ec;
+ std::unique_ptr<RSA, RSADeleter> rsa;
+ std::unique_ptr<EC_KEY, ECKEYDeleter> ec;
};
/* addr and length define a an update package file that has been