Use BoringSSL instead of mincrypt to speed up package verification.

This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.

Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with
merge conflict resolution, extra logging in verifier.cpp, and
an increase in the hash chunk size from 4KiB to 1MiB.

Bug: http://b/28135231
Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
diff --git a/Android.mk b/Android.mk
index 6c3ce56..65d123a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -23,7 +23,7 @@
 
 LOCAL_MODULE := libfusesideload
 
-LOCAL_STATIC_LIBRARIES := libcutils libc libmincrypt
+LOCAL_STATIC_LIBRARIES := libcutils libc libcrypto_static
 include $(BUILD_STATIC_LIBRARY)
 
 include $(CLEAR_VARS)
@@ -71,12 +71,12 @@
     libminzip \
     libz \
     libmtdutils \
-    libmincrypt \
     libminadbd \
     libfusesideload \
     libminui \
     libpng \
     libfs_mgr \
+    libcrypto_static \
     libbase \
     libcutils \
     libutils \
@@ -136,6 +136,7 @@
     asn1_decoder.cpp \
     verifier.cpp \
     ui.cpp
+LOCAL_STATIC_LIBRARIES := libcrypto_static
 include $(BUILD_STATIC_LIBRARY)
 
 include $(LOCAL_PATH)/minui/Android.mk \
diff --git a/fuse_sideload.cpp b/fuse_sideload.cpp
index 9c3e75f..1725e88 100644
--- a/fuse_sideload.cpp
+++ b/fuse_sideload.cpp
@@ -61,7 +61,8 @@
 #include <sys/uio.h>
 #include <unistd.h>
 
-#include "mincrypt/sha256.h"
+#include <openssl/sha.h>
+
 #include "fuse_sideload.h"
 
 #define PACKAGE_FILE_ID   (FUSE_ROOT_ID+1)
@@ -269,22 +270,22 @@
     //   block).
     // - Otherwise, return -EINVAL for the read.
 
-    uint8_t hash[SHA256_DIGEST_SIZE];
-    SHA256_hash(fd->block_data, fd->block_size, hash);
-    uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_SIZE;
-    if (memcmp(hash, blockhash, SHA256_DIGEST_SIZE) == 0) {
+    uint8_t hash[SHA256_DIGEST_LENGTH];
+    SHA256(fd->block_data, fd->block_size, hash);
+    uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_LENGTH;
+    if (memcmp(hash, blockhash, SHA256_DIGEST_LENGTH) == 0) {
         return 0;
     }
 
     int i;
-    for (i = 0; i < SHA256_DIGEST_SIZE; ++i) {
+    for (i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
         if (blockhash[i] != 0) {
             fd->curr_block = -1;
             return -EIO;
         }
     }
 
-    memcpy(blockhash, hash, SHA256_DIGEST_SIZE);
+    memcpy(blockhash, hash, SHA256_DIGEST_LENGTH);
     return 0;
 }
 
@@ -393,10 +394,10 @@
         goto done;
     }
 
-    fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_SIZE);
+    fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_LENGTH);
     if (fd.hashes == NULL) {
         fprintf(stderr, "failed to allocate %d bites for hashes\n",
-                fd.file_blocks * SHA256_DIGEST_SIZE);
+                fd.file_blocks * SHA256_DIGEST_LENGTH);
         result = -1;
         goto done;
     }
diff --git a/install.cpp b/install.cpp
index 8a82d7b..d009513 100644
--- a/install.cpp
+++ b/install.cpp
@@ -23,19 +23,19 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
+#include <chrono>
 #include <vector>
 
 #include "common.h"
 #include "install.h"
-#include "mincrypt/rsa.h"
 #include "minui/minui.h"
 #include "minzip/SysUtil.h"
 #include "minzip/Zip.h"
 #include "mtdutils/mounts.h"
 #include "mtdutils/mtdutils.h"
 #include "roots.h"
-#include "verifier.h"
 #include "ui.h"
+#include "verifier.h"
 
 extern RecoveryUI* ui;
 
@@ -229,6 +229,7 @@
         return INSTALL_CORRUPT;
     }
 
+    // Load keys.
     std::vector<Certificate> loadedKeys;
     if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
         LOGE("Failed to load keys\n");
@@ -236,18 +237,19 @@
     }
     LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
 
+    // Verify package.
     ui->Print("Verifying update package...\n");
-
+    auto t0 = std::chrono::system_clock::now();
     int err = verify_file(map.addr, map.length, loadedKeys);
-    LOGI("verify_file returned %d\n", err);
+    std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
+    ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
     if (err != VERIFY_SUCCESS) {
         LOGE("signature verification failed\n");
         sysReleaseMap(&map);
         return INSTALL_CORRUPT;
     }
 
-    /* Try to open the package.
-     */
+    // Try to open the package.
     ZipArchive zip;
     err = mzOpenZipArchive(map.addr, map.length, &zip);
     if (err != 0) {
@@ -256,8 +258,7 @@
         return INSTALL_CORRUPT;
     }
 
-    /* Verify and install the contents of the package.
-     */
+    // Verify and install the contents of the package.
     ui->Print("Installing update...\n");
     ui->SetEnableReboot(false);
     int result = try_update_binary(path, &zip, wipe_cache);
diff --git a/tests/Android.mk b/tests/Android.mk
index eac3581..2da19d7 100644
--- a/tests/Android.mk
+++ b/tests/Android.mk
@@ -45,7 +45,6 @@
     libmtdutils \
     libbase \
     libverifier \
-    libmincrypt \
     libcrypto_static \
     libminui \
     libminzip \
diff --git a/tests/component/verifier_test.cpp b/tests/component/verifier_test.cpp
index 73f6ac9..9ac9657 100644
--- a/tests/component/verifier_test.cpp
+++ b/tests/component/verifier_test.cpp
@@ -19,19 +19,19 @@
 #include <gtest/gtest.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/types.h>
 
 #include <memory>
 #include <string>
 #include <vector>
 
+#include <openssl/sha.h>
+
 #include <android-base/stringprintf.h>
 
 #include "common.h"
 #include "common/test_constants.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
 #include "minzip/SysUtil.h"
 #include "ui.h"
 #include "verifier.h"
@@ -39,94 +39,6 @@
 static const char* DATA_PATH = getenv("ANDROID_DATA");
 static const char* TESTDATA_PATH = "/recovery/testdata/";
 
-// This is build/target/product/security/testkey.x509.pem after being
-// dumped out by dumpkey.jar.
-RSAPublicKey test_key =
-    { 64, 0xc926ad21,
-      { 0x6afee91fu, 0x7fa31d5bu, 0x38a0b217u, 0x99df9baeu,
-        0xfe72991du, 0x727d3c04u, 0x20943f99u, 0xd08e7826u,
-        0x69e7c8a2u, 0xdeeccc8eu, 0x6b9af76fu, 0x553311c4u,
-        0x07b9e247u, 0x54c8bbcau, 0x6a540d81u, 0x48dbf567u,
-        0x98c92877u, 0x134fbfdeu, 0x01b32564u, 0x24581948u,
-        0x6cddc3b8u, 0x0cd444dau, 0xfe0381ccu, 0xf15818dfu,
-        0xc06e6d42u, 0x2e2f6412u, 0x093a6737u, 0x94d83b31u,
-        0xa466c87au, 0xb3f284a0u, 0xa694ec2cu, 0x053359e6u,
-        0x9717ee6au, 0x0732e080u, 0x220d5008u, 0xdc4af350u,
-        0x93d0a7c3u, 0xe330c9eau, 0xcac3da1eu, 0x8ebecf8fu,
-        0xc2be387fu, 0x38a14e89u, 0x211586f0u, 0x18b846f5u,
-        0x43be4c72u, 0xb578c204u, 0x1bbfb230u, 0xf1e267a8u,
-        0xa2d3e656u, 0x64b8e4feu, 0xe7e83d4bu, 0x3e77a943u,
-        0x3559ffd9u, 0x0ebb0f99u, 0x0aa76ce6u, 0xd3786ea7u,
-        0xbca8cd6bu, 0x068ca8e8u, 0xeb1de2ffu, 0x3e3ecd6cu,
-        0xe0d9d825u, 0xb1edc762u, 0xdec60b24u, 0xd6931904u},
-      { 0xccdcb989u, 0xe19281f9u, 0xa6e80accu, 0xb7f40560u,
-        0x0efb0bccu, 0x7f12b0bbu, 0x1e90531au, 0x136d95d0u,
-        0x9e660665u, 0x7d54918fu, 0xe3b93ea2u, 0x2f415d10u,
-        0x3d2df6e6u, 0x7a627ecfu, 0xa6f22d70u, 0xb995907au,
-        0x09de16b2u, 0xfeb8bd61u, 0xf24ec294u, 0x716a427fu,
-        0x2e12046fu, 0xeaf3d56au, 0xd9b873adu, 0x0ced340bu,
-        0xbc9cec09u, 0x73c65903u, 0xee39ce9bu, 0x3eede25au,
-        0x397633b7u, 0x2583c165u, 0x8514f97du, 0xe9166510u,
-        0x0b6fae99u, 0xa47139fdu, 0xdb8352f0u, 0xb2ad7f2cu,
-        0xa11552e2u, 0xd4d490a7u, 0xe11e8568u, 0xe9e484dau,
-        0xd3ef8449u, 0xa47055dau, 0x4edd9557u, 0x03a78ba1u,
-        0x770e130du, 0x16762facu, 0x0cbdfcc4u, 0xf3070540u,
-        0x008b6515u, 0x60e7e1b7u, 0xa72cf7f9u, 0xaff86e39u,
-        0x4296faadu, 0xfc90430eu, 0x6cc8f377u, 0xb398fd43u,
-        0x423c5997u, 0x991d59c4u, 0x6464bf73u, 0x96431575u,
-        0x15e3d207u, 0x30532a7au, 0x8c4be618u, 0x460a4d76u },
-      3
-    };
-
-RSAPublicKey test_f4_key =
-    { 64, 0xc9bd1f21,
-      { 0x1178db1fu, 0xbf5d0e55u, 0x3393a165u, 0x0ef4c287u,
-        0xbc472a4au, 0x383fc5a1u, 0x4a13b7d2u, 0xb1ff2ac3u,
-        0xaf66b4d9u, 0x9280acefu, 0xa2165bdbu, 0x6a4d6e5cu,
-        0x08ea676bu, 0xb7ac70c7u, 0xcd158139u, 0xa635ccfeu,
-        0xa46ab8a8u, 0x445a3e8bu, 0xdc81d9bbu, 0x91ce1a20u,
-        0x68021cdeu, 0x4516eda9u, 0x8d43c30cu, 0xed1eff14u,
-        0xca387e4cu, 0x58adc233u, 0x4657ab27u, 0xa95b521eu,
-        0xdfc0e30cu, 0x394d64a1u, 0xc6b321a1u, 0x2ca22cb8u,
-        0xb1892d5cu, 0x5d605f3eu, 0x6025483cu, 0x9afd5181u,
-        0x6e1a7105u, 0x03010593u, 0x70acd304u, 0xab957cbfu,
-        0x8844abbbu, 0x53846837u, 0x24e98a43u, 0x2ba060c1u,
-        0x8b88b88eu, 0x44eea405u, 0xb259fc41u, 0x0907ad9cu,
-        0x13003adau, 0xcf79634eu, 0x7d314ec9u, 0xfbbe4c2bu,
-        0xd84d0823u, 0xfd30fd88u, 0x68d8a909u, 0xfb4572d9u,
-        0xa21301c2u, 0xd00a4785u, 0x6862b50cu, 0xcfe49796u,
-        0xdaacbd83u, 0xfb620906u, 0xdf71e0ccu, 0xbbc5b030u },
-      { 0x69a82189u, 0x1a8b22f4u, 0xcf49207bu, 0x68cc056au,
-        0xb206b7d2u, 0x1d449bbdu, 0xe9d342f2u, 0x29daea58u,
-        0xb19d011au, 0xc62f15e4u, 0x9452697au, 0xb62bb87eu,
-        0x60f95cc2u, 0x279ebb2du, 0x17c1efd8u, 0xec47558bu,
-        0xc81334d1u, 0x88fe7601u, 0x79992eb1u, 0xb4555615u,
-        0x2022ac8cu, 0xc79a4b8cu, 0xb288b034u, 0xd6b942f0u,
-        0x0caa32fbu, 0xa065ba51u, 0x4de9f154u, 0x29f64f6cu,
-        0x7910af5eu, 0x3ed4636au, 0xe4c81911u, 0x9183f37du,
-        0x5811e1c4u, 0x29c7a58cu, 0x9715d4d3u, 0xc7e2dce3u,
-        0x140972ebu, 0xf4c8a69eu, 0xa104d424u, 0x5dabbdfbu,
-        0x41cb4c6bu, 0xd7f44717u, 0x61785ff7u, 0x5e0bc273u,
-        0x36426c70u, 0x2aa6f08eu, 0x083badbfu, 0x3cab941bu,
-        0x8871da23u, 0x1ab3dbaeu, 0x7115a21du, 0xf5aa0965u,
-        0xf766f562u, 0x7f110225u, 0x86d96a04u, 0xc50a120eu,
-        0x3a751ca3u, 0xc21aa186u, 0xba7359d0u, 0x3ff2b257u,
-        0xd116e8bbu, 0xfc1318c0u, 0x070e5b1du, 0x83b759a6u },
-      65537
-    };
-
-ECPublicKey test_ec_key =
-    {
-       {
-         {0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu,
-          0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u}
-      },
-      {
-        {0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au,
-         0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u}
-      }
-    };
-
 RecoveryUI* ui = NULL;
 
 class MockUI : public RecoveryUI {
@@ -177,31 +89,34 @@
 
     virtual void SetUp() {
         std::vector<std::string> args = GetParam();
-        std::string package = android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
-                TESTDATA_PATH, args[0].c_str());
+        std::string package =
+            android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
+                                        TESTDATA_PATH, args[0].c_str());
+        if (sysMapFile(package.c_str(), &memmap) != 0) {
+            FAIL() << "Failed to mmap " << package << ": " << strerror(errno)
+                   << "\n";
+        }
+
         for (auto it = ++(args.cbegin()); it != args.cend(); ++it) {
             if (it->substr(it->length() - 3, it->length()) == "256") {
                 if (certs.empty()) {
                     FAIL() << "May only specify -sha256 after key type\n";
                 }
-                certs.back().hash_len = SHA256_DIGEST_SIZE;
-            } else if (*it == "ec") {
-                certs.emplace_back(SHA_DIGEST_SIZE, Certificate::EC,
-                        nullptr, std::unique_ptr<ECPublicKey>(new ECPublicKey(test_ec_key)));
-            } else if (*it == "e3") {
-                certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
-                        std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
-            } else if (*it == "f4") {
-                certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
-                        std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_f4_key)), nullptr);
+                certs.back().hash_len = SHA256_DIGEST_LENGTH;
+            } else {
+                std::string public_key_file = android::base::StringPrintf(
+                    "%s%s%stest_key_%s.txt", DATA_PATH, NATIVE_TEST_PATH,
+                    TESTDATA_PATH, it->c_str());
+                ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
+                certs.back().hash_len = SHA_DIGEST_LENGTH;
             }
         }
         if (certs.empty()) {
-            certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
-                    std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
-        }
-        if (sysMapFile(package.c_str(), &memmap) != 0) {
-            FAIL() << "Failed to mmap " << package << ": " << strerror(errno) << "\n";
+            std::string public_key_file = android::base::StringPrintf(
+                "%s%s%stest_key_e3.txt", DATA_PATH, NATIVE_TEST_PATH,
+                TESTDATA_PATH);
+            ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
+            certs.back().hash_len = SHA_DIGEST_LENGTH;
         }
     }
 
diff --git a/tests/testdata/test_key_e3.txt b/tests/testdata/test_key_e3.txt
new file mode 100644
index 0000000..53f5297
--- /dev/null
+++ b/tests/testdata/test_key_e3.txt
@@ -0,0 +1 @@
+{64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}}
diff --git a/tests/testdata/test_key_ec.txt b/tests/testdata/test_key_ec.txt
new file mode 100644
index 0000000..72b4395
--- /dev/null
+++ b/tests/testdata/test_key_ec.txt
@@ -0,0 +1 @@
+v5 {32,{36,250,86,214,202,22,20,147,198,120,2,28,76,190,78,23,106,35,24,96,86,22,186,69,132,93,192,232,0,213,14,103},{222,154,23,13,125,130,22,76,146,185,140,159,138,255,105,143,32,16,27,72,175,145,141,121,233,184,77,24,217,141,132,181}}
diff --git a/tests/testdata/test_key_f4.txt b/tests/testdata/test_key_f4.txt
new file mode 100644
index 0000000..54ddbba
--- /dev/null
+++ b/tests/testdata/test_key_f4.txt
@@ -0,0 +1 @@
+v2 {64,0xc9bd1f21,{293133087,3210546773,865313125,250921607,3158780490,943703457,1242806226,2986289859,2942743769,2457906415,2719374299,1783459420,149579627,3081531591,3440738617,2788543742,2758457512,1146764939,3699497403,2446203424,1744968926,1159130537,2370028300,3978231572,3392699980,1487782451,1180150567,2841334302,3753960204,961373345,3333628321,748825784,2978557276,1566596926,1613056060,2600292737,1847226629,50398611,1890374404,2878700735,2286201787,1401186359,619285059,731930817,2340993166,1156490245,2992241729,151498140,318782170,3480838990,2100383433,4223552555,3628927011,4247846280,1759029513,4215632601,2719154626,3490334597,1751299340,3487864726,3668753795,4217506054,3748782284,3150295088},{1772626313,445326068,3477676155,1758201194,2986784722,491035581,3922936562,702212696,2979856666,3324974564,2488428922,3056318590,1626954946,664714029,398585816,3964097931,3356701905,2298377729,2040082097,3025491477,539143308,3348777868,2995302452,3602465520,212480763,2691021393,1307177300,704008044,2031136606,1054106474,3838318865,2441343869,1477566916,700949900,2534790355,3353533667,336163563,4106790558,2701448228,1571536379,1103842411,3623110423,1635278839,1577828979,910322800,715583630,138128831,1017877531,2289162787,447994798,1897243165,4121561445,4150719842,2131821093,2262395396,3305771534,980753571,3256525190,3128121808,1072869975,3507939515,4229109952,118381341,2209831334}}
diff --git a/verifier.cpp b/verifier.cpp
index 9a2d60c..4004b02 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -14,25 +14,26 @@
  * limitations under the License.
  */
 
-#include "asn1_decoder.h"
-#include "common.h"
-#include "ui.h"
-#include "verifier.h"
-
-#include "mincrypt/dsa_sig.h"
-#include "mincrypt/p256.h"
-#include "mincrypt/p256_ecdsa.h"
-#include "mincrypt/rsa.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
-
 #include <errno.h>
 #include <malloc.h>
 #include <stdio.h>
 #include <string.h>
 
+#include <algorithm>
+#include <memory>
+
+#include <openssl/ecdsa.h>
+#include <openssl/obj_mac.h>
+
+#include "asn1_decoder.h"
+#include "common.h"
+#include "ui.h"
+#include "verifier.h"
+
 extern RecoveryUI* ui;
 
+static constexpr size_t MiB = 1024 * 1024;
+
 /*
  * Simple version of PKCS#7 SignedData extraction. This extracts the
  * signature OCTET STRING to be used for signature verification.
@@ -188,30 +189,30 @@
         }
     }
 
-#define BUFFER_SIZE 4096
-
     bool need_sha1 = false;
     bool need_sha256 = false;
     for (const auto& key : keys) {
         switch (key.hash_len) {
-            case SHA_DIGEST_SIZE: need_sha1 = true; break;
-            case SHA256_DIGEST_SIZE: need_sha256 = true; break;
+            case SHA_DIGEST_LENGTH: need_sha1 = true; break;
+            case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
         }
     }
 
     SHA_CTX sha1_ctx;
     SHA256_CTX sha256_ctx;
-    SHA_init(&sha1_ctx);
-    SHA256_init(&sha256_ctx);
+    SHA1_Init(&sha1_ctx);
+    SHA256_Init(&sha256_ctx);
 
     double frac = -1.0;
     size_t so_far = 0;
     while (so_far < signed_len) {
-        size_t size = signed_len - so_far;
-        if (size > BUFFER_SIZE) size = BUFFER_SIZE;
+        // On a Nexus 9, experiment didn't show any performance improvement with
+        // larger sizes past 1MiB, and they reduce the granularity of the progress
+        // bar. http://b/28135231.
+        size_t size = std::min(signed_len - so_far, 1 * MiB);
 
-        if (need_sha1) SHA_update(&sha1_ctx, addr + so_far, size);
-        if (need_sha256) SHA256_update(&sha256_ctx, addr + so_far, size);
+        if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
+        if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
         so_far += size;
 
         double f = so_far / (double)signed_len;
@@ -221,8 +222,10 @@
         }
     }
 
-    const uint8_t* sha1 = SHA_final(&sha1_ctx);
-    const uint8_t* sha256 = SHA256_final(&sha256_ctx);
+    uint8_t sha1[SHA_DIGEST_LENGTH];
+    SHA1_Final(sha1, &sha1_ctx);
+    uint8_t sha256[SHA256_DIGEST_LENGTH];
+    SHA256_Final(sha256, &sha256_ctx);
 
     uint8_t* sig_der = nullptr;
     size_t sig_der_length = 0;
@@ -242,23 +245,25 @@
     size_t i = 0;
     for (const auto& key : keys) {
         const uint8_t* hash;
+        int hash_nid;
         switch (key.hash_len) {
-            case SHA_DIGEST_SIZE: hash = sha1; break;
-            case SHA256_DIGEST_SIZE: hash = sha256; break;
-            default: continue;
+            case SHA_DIGEST_LENGTH:
+                hash = sha1;
+                hash_nid = NID_sha1;
+                break;
+            case SHA256_DIGEST_LENGTH:
+                hash = sha256;
+                hash_nid = NID_sha256;
+                break;
+            default:
+                continue;
         }
 
         // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
         // the signing tool appends after the signature itself.
-        if (key.key_type == Certificate::RSA) {
-            if (sig_der_length < RSANUMBYTES) {
-                // "signature" block isn't big enough to contain an RSA block.
-                LOGI("signature is too short for RSA key %zu\n", i);
-                continue;
-            }
-
-            if (!RSA_verify(key.rsa.get(), sig_der, RSANUMBYTES,
-                            hash, key.hash_len)) {
+        if (key.key_type == Certificate::KEY_TYPE_RSA) {
+            if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der,
+                            sig_der_length, key.rsa.get())) {
                 LOGI("failed to verify against RSA key %zu\n", i);
                 continue;
             }
@@ -266,18 +271,10 @@
             LOGI("whole-file signature verified against RSA key %zu\n", i);
             free(sig_der);
             return VERIFY_SUCCESS;
-        } else if (key.key_type == Certificate::EC
-                && key.hash_len == SHA256_DIGEST_SIZE) {
-            p256_int r, s;
-            if (!dsa_sig_unpack(sig_der, sig_der_length, &r, &s)) {
-                LOGI("Not a DSA signature block for EC key %zu\n", i);
-                continue;
-            }
-
-            p256_int p256_hash;
-            p256_from_bin(hash, &p256_hash);
-            if (!p256_ecdsa_verify(&(key.ec->x), &(key.ec->y),
-                                   &p256_hash, &r, &s)) {
+        } else if (key.key_type == Certificate::KEY_TYPE_EC
+                && key.hash_len == SHA256_DIGEST_LENGTH) {
+            if (!ECDSA_verify(0, hash, key.hash_len, sig_der,
+                              sig_der_length, key.ec.get())) {
                 LOGI("failed to verify against EC key %zu\n", i);
                 continue;
             }
@@ -295,6 +292,144 @@
     return VERIFY_FAILURE;
 }
 
+std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
+    // Read key length in words and n0inv. n0inv is a precomputed montgomery
+    // parameter derived from the modulus and can be used to speed up
+    // verification. n0inv is 32 bits wide here, assuming the verification logic
+    // uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
+    // internally, in which case we don't have a valid n0inv. Thus, we just
+    // ignore the montgomery parameters and have BoringSSL recompute them
+    // internally. If/When the speedup from using the montgomery parameters
+    // becomes relevant, we can add more sophisticated code here to obtain a
+    // 64-bit n0inv and initialize the montgomery parameters in the key object.
+    uint32_t key_len_words = 0;
+    uint32_t n0inv = 0;
+    if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
+        return nullptr;
+    }
+
+    if (key_len_words > 8192 / 32) {
+        LOGE("key length (%d) too large\n", key_len_words);
+        return nullptr;
+    }
+
+    // Read the modulus.
+    std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
+    if (fscanf(file, " , { %u", &modulus[0]) != 1) {
+        return nullptr;
+    }
+    for (uint32_t i = 1; i < key_len_words; ++i) {
+        if (fscanf(file, " , %u", &modulus[i]) != 1) {
+            return nullptr;
+        }
+    }
+
+    // Cconvert from little-endian array of little-endian words to big-endian
+    // byte array suitable as input for BN_bin2bn.
+    std::reverse((uint8_t*)modulus.get(),
+                 (uint8_t*)(modulus.get() + key_len_words));
+
+    // The next sequence of values is the montgomery parameter R^2. Since we
+    // generally don't have a valid |n0inv|, we ignore this (see comment above).
+    uint32_t rr_value;
+    if (fscanf(file, " } , { %u", &rr_value) != 1) {
+        return nullptr;
+    }
+    for (uint32_t i = 1; i < key_len_words; ++i) {
+        if (fscanf(file, " , %u", &rr_value) != 1) {
+            return nullptr;
+        }
+    }
+    if (fscanf(file, " } } ") != 0) {
+        return nullptr;
+    }
+
+    // Initialize the key.
+    std::unique_ptr<RSA, RSADeleter> key(RSA_new());
+    if (!key) {
+      return nullptr;
+    }
+
+    key->n = BN_bin2bn((uint8_t*)modulus.get(),
+                       key_len_words * sizeof(uint32_t), NULL);
+    if (!key->n) {
+      return nullptr;
+    }
+
+    key->e = BN_new();
+    if (!key->e || !BN_set_word(key->e, exponent)) {
+      return nullptr;
+    }
+
+    return key;
+}
+
+struct BNDeleter {
+  void operator()(BIGNUM* bn) {
+    BN_free(bn);
+  }
+};
+
+std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
+    uint32_t key_len_bytes = 0;
+    if (fscanf(file, " %i", &key_len_bytes) != 1) {
+        return nullptr;
+    }
+
+    std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
+        EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
+    if (!group) {
+        return nullptr;
+    }
+
+    // Verify that |key_len| matches the group order.
+    if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
+        return nullptr;
+    }
+
+    // Read the public key coordinates. Note that the byte order in the file is
+    // little-endian, so we convert to big-endian here.
+    std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
+    std::unique_ptr<BIGNUM, BNDeleter> point[2];
+    for (int i = 0; i < 2; ++i) {
+        unsigned int byte = 0;
+        if (fscanf(file, " , { %u", &byte) != 1) {
+            return nullptr;
+        }
+        bytes[key_len_bytes - 1] = byte;
+
+        for (size_t i = 1; i < key_len_bytes; ++i) {
+            if (fscanf(file, " , %u", &byte) != 1) {
+                return nullptr;
+            }
+            bytes[key_len_bytes - i - 1] = byte;
+        }
+
+        point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
+        if (!point[i]) {
+            return nullptr;
+        }
+
+        if (fscanf(file, " }") != 0) {
+            return nullptr;
+        }
+    }
+
+    if (fscanf(file, " } ") != 0) {
+        return nullptr;
+    }
+
+    // Create and initialize the key.
+    std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
+    if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
+        !EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
+                                                  point[1].get())) {
+        return nullptr;
+    }
+
+    return key;
+}
+
 // Reads a file containing one or more public keys as produced by
 // DumpPublicKey:  this is an RSAPublicKey struct as it would appear
 // as a C source literal, eg:
@@ -335,94 +470,57 @@
     }
 
     while (true) {
-        certs.emplace_back(0, Certificate::RSA, nullptr, nullptr);
+        certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
         Certificate& cert = certs.back();
+        uint32_t exponent = 0;
 
         char start_char;
         if (fscanf(f.get(), " %c", &start_char) != 1) return false;
         if (start_char == '{') {
             // a version 1 key has no version specifier.
-            cert.key_type = Certificate::RSA;
-            cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
-            cert.rsa->exponent = 3;
-            cert.hash_len = SHA_DIGEST_SIZE;
+            cert.key_type = Certificate::KEY_TYPE_RSA;
+            exponent = 3;
+            cert.hash_len = SHA_DIGEST_LENGTH;
         } else if (start_char == 'v') {
             int version;
             if (fscanf(f.get(), "%d {", &version) != 1) return false;
             switch (version) {
                 case 2:
-                    cert.key_type = Certificate::RSA;
-                    cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
-                    cert.rsa->exponent = 65537;
-                    cert.hash_len = SHA_DIGEST_SIZE;
+                    cert.key_type = Certificate::KEY_TYPE_RSA;
+                    exponent = 65537;
+                    cert.hash_len = SHA_DIGEST_LENGTH;
                     break;
                 case 3:
-                    cert.key_type = Certificate::RSA;
-                    cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
-                    cert.rsa->exponent = 3;
-                    cert.hash_len = SHA256_DIGEST_SIZE;
+                    cert.key_type = Certificate::KEY_TYPE_RSA;
+                    exponent = 3;
+                    cert.hash_len = SHA256_DIGEST_LENGTH;
                     break;
                 case 4:
-                    cert.key_type = Certificate::RSA;
-                    cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
-                    cert.rsa->exponent = 65537;
-                    cert.hash_len = SHA256_DIGEST_SIZE;
+                    cert.key_type = Certificate::KEY_TYPE_RSA;
+                    exponent = 65537;
+                    cert.hash_len = SHA256_DIGEST_LENGTH;
                     break;
                 case 5:
-                    cert.key_type = Certificate::EC;
-                    cert.ec = std::unique_ptr<ECPublicKey>(new ECPublicKey);
-                    cert.hash_len = SHA256_DIGEST_SIZE;
+                    cert.key_type = Certificate::KEY_TYPE_EC;
+                    cert.hash_len = SHA256_DIGEST_LENGTH;
                     break;
                 default:
                     return false;
             }
         }
 
-        if (cert.key_type == Certificate::RSA) {
-            RSAPublicKey* key = cert.rsa.get();
-            if (fscanf(f.get(), " %i , 0x%x , { %u", &(key->len), &(key->n0inv),
-                    &(key->n[0])) != 3) {
-                return false;
+        if (cert.key_type == Certificate::KEY_TYPE_RSA) {
+            cert.rsa = parse_rsa_key(f.get(), exponent);
+            if (!cert.rsa) {
+              return false;
             }
-            if (key->len != RSANUMWORDS) {
-                LOGE("key length (%d) does not match expected size\n", key->len);
-                return false;
-            }
-            for (int i = 1; i < key->len; ++i) {
-                if (fscanf(f.get(), " , %u", &(key->n[i])) != 1) return false;
-            }
-            if (fscanf(f.get(), " } , { %u", &(key->rr[0])) != 1) return false;
-            for (int i = 1; i < key->len; ++i) {
-                if (fscanf(f.get(), " , %u", &(key->rr[i])) != 1) return false;
-            }
-            fscanf(f.get(), " } } ");
 
-            LOGI("read key e=%d hash=%d\n", key->exponent, cert.hash_len);
-        } else if (cert.key_type == Certificate::EC) {
-            ECPublicKey* key = cert.ec.get();
-            int key_len;
-            unsigned int byte;
-            uint8_t x_bytes[P256_NBYTES];
-            uint8_t y_bytes[P256_NBYTES];
-            if (fscanf(f.get(), " %i , { %u", &key_len, &byte) != 2) return false;
-            if (key_len != P256_NBYTES) {
-                LOGE("Key length (%d) does not match expected size %d\n", key_len, P256_NBYTES);
-                return false;
+            LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len);
+        } else if (cert.key_type == Certificate::KEY_TYPE_EC) {
+            cert.ec = parse_ec_key(f.get());
+            if (!cert.ec) {
+              return false;
             }
-            x_bytes[P256_NBYTES - 1] = byte;
-            for (int i = P256_NBYTES - 2; i >= 0; --i) {
-                if (fscanf(f.get(), " , %u", &byte) != 1) return false;
-                x_bytes[i] = byte;
-            }
-            if (fscanf(f.get(), " } , { %u", &byte) != 1) return false;
-            y_bytes[P256_NBYTES - 1] = byte;
-            for (int i = P256_NBYTES - 2; i >= 0; --i) {
-                if (fscanf(f.get(), " , %u", &byte) != 1) return false;
-                y_bytes[i] = byte;
-            }
-            fscanf(f.get(), " } } ");
-            p256_from_bin(x_bytes, &key->x);
-            p256_from_bin(y_bytes, &key->y);
         } else {
             LOGE("Unknown key type %d\n", cert.key_type);
             return false;
diff --git a/verifier.h b/verifier.h
index 4eafc75..58083fe 100644
--- a/verifier.h
+++ b/verifier.h
@@ -20,32 +20,42 @@
 #include <memory>
 #include <vector>
 
-#include "mincrypt/p256.h"
-#include "mincrypt/rsa.h"
+#include <openssl/ec_key.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
 
-typedef struct {
-    p256_int x;
-    p256_int y;
-} ECPublicKey;
+struct RSADeleter {
+  void operator()(RSA* rsa) {
+    RSA_free(rsa);
+  }
+};
+
+struct ECKEYDeleter {
+  void operator()(EC_KEY* ec_key) {
+    EC_KEY_free(ec_key);
+  }
+};
 
 struct Certificate {
     typedef enum {
-        RSA,
-        EC,
+        KEY_TYPE_RSA,
+        KEY_TYPE_EC,
     } KeyType;
 
-    Certificate(int hash_len_, KeyType key_type_,
-            std::unique_ptr<RSAPublicKey>&& rsa_,
-            std::unique_ptr<ECPublicKey>&& ec_) :
-        hash_len(hash_len_),
-        key_type(key_type_),
-        rsa(std::move(rsa_)),
-        ec(std::move(ec_)) { }
+    Certificate(int hash_len_,
+                KeyType key_type_,
+                std::unique_ptr<RSA, RSADeleter>&& rsa_,
+                std::unique_ptr<EC_KEY, ECKEYDeleter>&& ec_)
+        : hash_len(hash_len_),
+          key_type(key_type_),
+          rsa(std::move(rsa_)),
+          ec(std::move(ec_)) {}
 
-    int hash_len;  // SHA_DIGEST_SIZE (SHA-1) or SHA256_DIGEST_SIZE (SHA-256)
+    // SHA_DIGEST_LENGTH (SHA-1) or SHA256_DIGEST_LENGTH (SHA-256)
+    int hash_len;
     KeyType key_type;
-    std::unique_ptr<RSAPublicKey> rsa;
-    std::unique_ptr<ECPublicKey> ec;
+    std::unique_ptr<RSA, RSADeleter> rsa;
+    std::unique_ptr<EC_KEY, ECKEYDeleter> ec;
 };
 
 /* addr and length define a an update package file that has been