blob: 7f165860e59afb904884b7266e407cbb23898371 [file] [log] [blame]
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -08001/*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Tao Baoac9d94d2016-11-03 11:37:15 -070017#include "verifier.h"
18
Doug Zongker54e2e862009-08-17 13:21:04 -070019#include <errno.h>
Elliott Hughes26dbad22015-01-28 12:09:05 -080020#include <stdio.h>
Tao Baoac9d94d2016-11-03 11:37:15 -070021#include <stdlib.h>
Elliott Hughes26dbad22015-01-28 12:09:05 -080022#include <string.h>
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080023
Elliott Hughes8febafa2016-04-13 16:39:56 -070024#include <algorithm>
Tao Baod7bf82e2017-03-18 09:24:11 -070025#include <functional>
Elliott Hughes8febafa2016-04-13 16:39:56 -070026#include <memory>
Tao Bao76fdb242017-03-20 17:09:13 -070027#include <vector>
Elliott Hughes8febafa2016-04-13 16:39:56 -070028
Tianjie Xu7b0ad9c2016-08-05 18:00:04 -070029#include <android-base/logging.h>
David Benjamina86392e2016-04-15 20:22:09 -040030#include <openssl/bn.h>
Elliott Hughes8febafa2016-04-13 16:39:56 -070031#include <openssl/ecdsa.h>
32#include <openssl/obj_mac.h>
33
34#include "asn1_decoder.h"
Tao Baoe1792762016-04-19 22:31:01 -070035#include "print_sha1.h"
Doug Zongker211aebc2011-10-28 15:13:10 -070036
Elliott Hughes8febafa2016-04-13 16:39:56 -070037static constexpr size_t MiB = 1024 * 1024;
38
Kenny Root7a4adb52013-10-09 10:14:35 -070039/*
40 * Simple version of PKCS#7 SignedData extraction. This extracts the
41 * signature OCTET STRING to be used for signature verification.
42 *
43 * For full details, see http://www.ietf.org/rfc/rfc3852.txt
44 *
45 * The PKCS#7 structure looks like:
46 *
47 * SEQUENCE (ContentInfo)
48 * OID (ContentType)
49 * [0] (content)
50 * SEQUENCE (SignedData)
51 * INTEGER (version CMSVersion)
52 * SET (DigestAlgorithmIdentifiers)
53 * SEQUENCE (EncapsulatedContentInfo)
54 * [0] (CertificateSet OPTIONAL)
55 * [1] (RevocationInfoChoices OPTIONAL)
56 * SET (SignerInfos)
57 * SEQUENCE (SignerInfo)
58 * INTEGER (CMSVersion)
59 * SEQUENCE (SignerIdentifier)
60 * SEQUENCE (DigestAlgorithmIdentifier)
61 * SEQUENCE (SignatureAlgorithmIdentifier)
62 * OCTET STRING (SignatureValue)
63 */
Tao Bao76fdb242017-03-20 17:09:13 -070064static bool read_pkcs7(const uint8_t* pkcs7_der, size_t pkcs7_der_len,
65 std::vector<uint8_t>* sig_der) {
66 CHECK(sig_der != nullptr);
67 sig_der->clear();
Kenny Root7a4adb52013-10-09 10:14:35 -070068
Tao Bao76fdb242017-03-20 17:09:13 -070069 asn1_context_t* ctx = asn1_context_new(pkcs7_der, pkcs7_der_len);
70 if (ctx == NULL) {
71 return false;
72 }
73
74 asn1_context_t* pkcs7_seq = asn1_sequence_get(ctx);
75 if (pkcs7_seq != NULL && asn1_sequence_next(pkcs7_seq)) {
76 asn1_context_t *signed_data_app = asn1_constructed_get(pkcs7_seq);
77 if (signed_data_app != NULL) {
78 asn1_context_t* signed_data_seq = asn1_sequence_get(signed_data_app);
79 if (signed_data_seq != NULL
80 && asn1_sequence_next(signed_data_seq)
81 && asn1_sequence_next(signed_data_seq)
82 && asn1_sequence_next(signed_data_seq)
83 && asn1_constructed_skip_all(signed_data_seq)) {
84 asn1_context_t *sig_set = asn1_set_get(signed_data_seq);
85 if (sig_set != NULL) {
86 asn1_context_t* sig_seq = asn1_sequence_get(sig_set);
87 if (sig_seq != NULL
88 && asn1_sequence_next(sig_seq)
89 && asn1_sequence_next(sig_seq)
90 && asn1_sequence_next(sig_seq)
91 && asn1_sequence_next(sig_seq)) {
92 const uint8_t* sig_der_ptr;
93 size_t sig_der_length;
94 if (asn1_octet_string_get(sig_seq, &sig_der_ptr, &sig_der_length)) {
95 sig_der->resize(sig_der_length);
96 std::copy(sig_der_ptr, sig_der_ptr + sig_der_length, sig_der->begin());
Kenny Root7a4adb52013-10-09 10:14:35 -070097 }
Tao Bao76fdb242017-03-20 17:09:13 -070098 asn1_context_free(sig_seq);
99 }
100 asn1_context_free(sig_set);
Kenny Root7a4adb52013-10-09 10:14:35 -0700101 }
Tao Bao76fdb242017-03-20 17:09:13 -0700102 asn1_context_free(signed_data_seq);
103 }
104 asn1_context_free(signed_data_app);
Kenny Root7a4adb52013-10-09 10:14:35 -0700105 }
Tao Bao76fdb242017-03-20 17:09:13 -0700106 asn1_context_free(pkcs7_seq);
107 }
108 asn1_context_free(ctx);
Kenny Root7a4adb52013-10-09 10:14:35 -0700109
Tao Bao76fdb242017-03-20 17:09:13 -0700110 return !sig_der->empty();
Kenny Root7a4adb52013-10-09 10:14:35 -0700111}
112
Tao Bao5e535012017-03-16 17:37:38 -0700113/*
114 * Looks for an RSA signature embedded in the .ZIP file comment given the path to the zip. Verifies
115 * that it matches one of the given public keys. A callback function can be optionally provided for
116 * posting the progress.
117 *
118 * Returns VERIFY_SUCCESS or VERIFY_FAILURE (if any error is encountered or no key matches the
119 * signature).
120 */
Tao Bao76fdb242017-03-20 17:09:13 -0700121int verify_file(const unsigned char* addr, size_t length, const std::vector<Certificate>& keys,
Tao Bao5e535012017-03-16 17:37:38 -0700122 const std::function<void(float)>& set_progress) {
123 if (set_progress) {
124 set_progress(0.0);
125 }
Doug Zongker54e2e862009-08-17 13:21:04 -0700126
Tao Bao5e535012017-03-16 17:37:38 -0700127 // An archive with a whole-file signature will end in six bytes:
128 //
129 // (2-byte signature start) $ff $ff (2-byte comment size)
130 //
131 // (As far as the ZIP format is concerned, these are part of the archive comment.) We start by
132 // reading this footer, this tells us how far back from the end we have to start reading to find
133 // the whole comment.
Doug Zongker54e2e862009-08-17 13:21:04 -0700134
135#define FOOTER_SIZE 6
136
Tao Bao5e535012017-03-16 17:37:38 -0700137 if (length < FOOTER_SIZE) {
138 LOG(ERROR) << "not big enough to contain footer";
139 return VERIFY_FAILURE;
140 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800141
Tao Bao76fdb242017-03-20 17:09:13 -0700142 const unsigned char* footer = addr + length - FOOTER_SIZE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800143
Tao Bao5e535012017-03-16 17:37:38 -0700144 if (footer[2] != 0xff || footer[3] != 0xff) {
145 LOG(ERROR) << "footer is wrong";
146 return VERIFY_FAILURE;
147 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800148
Tao Bao5e535012017-03-16 17:37:38 -0700149 size_t comment_size = footer[4] + (footer[5] << 8);
150 size_t signature_start = footer[0] + (footer[1] << 8);
151 LOG(INFO) << "comment is " << comment_size << " bytes; signature is " << signature_start
152 << " bytes from end";
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800153
Tao Bao553c7bd2017-03-18 07:33:26 -0700154 if (signature_start > comment_size) {
155 LOG(ERROR) << "signature start: " << signature_start << " is larger than comment size: "
156 << comment_size;
157 return VERIFY_FAILURE;
158 }
Tianjie Xu54ea1362016-12-16 16:24:09 -0800159
Tao Bao5e535012017-03-16 17:37:38 -0700160 if (signature_start <= FOOTER_SIZE) {
161 LOG(ERROR) << "Signature start is in the footer";
162 return VERIFY_FAILURE;
163 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800164
Doug Zongker54e2e862009-08-17 13:21:04 -0700165#define EOCD_HEADER_SIZE 22
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800166
Tao Bao5e535012017-03-16 17:37:38 -0700167 // The end-of-central-directory record is 22 bytes plus any comment length.
168 size_t eocd_size = comment_size + EOCD_HEADER_SIZE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800169
Tao Bao5e535012017-03-16 17:37:38 -0700170 if (length < eocd_size) {
171 LOG(ERROR) << "not big enough to contain EOCD";
Doug Zongker54e2e862009-08-17 13:21:04 -0700172 return VERIFY_FAILURE;
Tao Bao5e535012017-03-16 17:37:38 -0700173 }
174
175 // Determine how much of the file is covered by the signature. This is everything except the
176 // signature data and length, which includes all of the EOCD except for the comment length field
177 // (2 bytes) and the comment data.
178 size_t signed_len = length - eocd_size + EOCD_HEADER_SIZE - 2;
179
Tao Bao76fdb242017-03-20 17:09:13 -0700180 const unsigned char* eocd = addr + length - eocd_size;
Tao Bao5e535012017-03-16 17:37:38 -0700181
182 // If this is really is the EOCD record, it will begin with the magic number $50 $4b $05 $06.
183 if (eocd[0] != 0x50 || eocd[1] != 0x4b || eocd[2] != 0x05 || eocd[3] != 0x06) {
184 LOG(ERROR) << "signature length doesn't match EOCD marker";
185 return VERIFY_FAILURE;
186 }
187
188 for (size_t i = 4; i < eocd_size-3; ++i) {
Tao Bao76fdb242017-03-20 17:09:13 -0700189 if (eocd[i] == 0x50 && eocd[i+1] == 0x4b && eocd[i+2] == 0x05 && eocd[i+3] == 0x06) {
Tao Bao5e535012017-03-16 17:37:38 -0700190 // If the sequence $50 $4b $05 $06 appears anywhere after the real one, libziparchive will
191 // find the later (wrong) one, which could be exploitable. Fail the verification if this
192 // sequence occurs anywhere after the real one.
193 LOG(ERROR) << "EOCD marker occurs after start of EOCD";
194 return VERIFY_FAILURE;
195 }
196 }
197
198 bool need_sha1 = false;
199 bool need_sha256 = false;
200 for (const auto& key : keys) {
201 switch (key.hash_len) {
202 case SHA_DIGEST_LENGTH: need_sha1 = true; break;
203 case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
204 }
205 }
206
207 SHA_CTX sha1_ctx;
208 SHA256_CTX sha256_ctx;
209 SHA1_Init(&sha1_ctx);
210 SHA256_Init(&sha256_ctx);
211
212 double frac = -1.0;
213 size_t so_far = 0;
214 while (so_far < signed_len) {
215 // On a Nexus 5X, experiment showed 16MiB beat 1MiB by 6% faster for a
216 // 1196MiB full OTA and 60% for an 89MiB incremental OTA.
217 // http://b/28135231.
218 size_t size = std::min(signed_len - so_far, 16 * MiB);
219
220 if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
221 if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
222 so_far += size;
223
224 if (set_progress) {
225 double f = so_far / (double)signed_len;
226 if (f > frac + 0.02 || size == so_far) {
227 set_progress(f);
228 frac = f;
229 }
230 }
231 }
232
233 uint8_t sha1[SHA_DIGEST_LENGTH];
234 SHA1_Final(sha1, &sha1_ctx);
235 uint8_t sha256[SHA256_DIGEST_LENGTH];
236 SHA256_Final(sha256, &sha256_ctx);
237
Tao Bao76fdb242017-03-20 17:09:13 -0700238 const uint8_t* signature = eocd + eocd_size - signature_start;
Tao Bao5e535012017-03-16 17:37:38 -0700239 size_t signature_size = signature_start - FOOTER_SIZE;
240
241 LOG(INFO) << "signature (offset: " << std::hex << (length - signature_start) << ", length: "
242 << signature_size << "): " << print_hex(signature, signature_size);
243
Tao Bao76fdb242017-03-20 17:09:13 -0700244 std::vector<uint8_t> sig_der;
245 if (!read_pkcs7(signature, signature_size, &sig_der)) {
Tao Bao5e535012017-03-16 17:37:38 -0700246 LOG(ERROR) << "Could not find signature DER block";
247 return VERIFY_FAILURE;
248 }
249
250 // Check to make sure at least one of the keys matches the signature. Since any key can match,
251 // we need to try each before determining a verification failure has happened.
252 size_t i = 0;
253 for (const auto& key : keys) {
254 const uint8_t* hash;
255 int hash_nid;
256 switch (key.hash_len) {
257 case SHA_DIGEST_LENGTH:
258 hash = sha1;
259 hash_nid = NID_sha1;
260 break;
261 case SHA256_DIGEST_LENGTH:
262 hash = sha256;
263 hash_nid = NID_sha256;
264 break;
265 default:
266 continue;
267 }
268
269 // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that the signing tool appends
270 // after the signature itself.
271 if (key.key_type == Certificate::KEY_TYPE_RSA) {
Tao Bao76fdb242017-03-20 17:09:13 -0700272 if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der.data(), sig_der.size(),
273 key.rsa.get())) {
Tao Bao5e535012017-03-16 17:37:38 -0700274 LOG(INFO) << "failed to verify against RSA key " << i;
275 continue;
276 }
277
278 LOG(INFO) << "whole-file signature verified against RSA key " << i;
Tao Bao5e535012017-03-16 17:37:38 -0700279 return VERIFY_SUCCESS;
280 } else if (key.key_type == Certificate::KEY_TYPE_EC && key.hash_len == SHA256_DIGEST_LENGTH) {
Tao Bao76fdb242017-03-20 17:09:13 -0700281 if (!ECDSA_verify(0, hash, key.hash_len, sig_der.data(), sig_der.size(), key.ec.get())) {
Tao Bao5e535012017-03-16 17:37:38 -0700282 LOG(INFO) << "failed to verify against EC key " << i;
283 continue;
284 }
285
286 LOG(INFO) << "whole-file signature verified against EC key " << i;
Tao Bao5e535012017-03-16 17:37:38 -0700287 return VERIFY_SUCCESS;
288 } else {
289 LOG(INFO) << "Unknown key type " << key.key_type;
290 }
291 i++;
292 }
293
294 if (need_sha1) {
295 LOG(INFO) << "SHA-1 digest: " << print_hex(sha1, SHA_DIGEST_LENGTH);
296 }
297 if (need_sha256) {
298 LOG(INFO) << "SHA-256 digest: " << print_hex(sha256, SHA256_DIGEST_LENGTH);
299 }
Tao Bao5e535012017-03-16 17:37:38 -0700300 LOG(ERROR) << "failed to verify whole-file signature";
301 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800302}
Doug Zongker6c249f72012-11-02 15:04:05 -0700303
Elliott Hughes8febafa2016-04-13 16:39:56 -0700304std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
305 // Read key length in words and n0inv. n0inv is a precomputed montgomery
306 // parameter derived from the modulus and can be used to speed up
307 // verification. n0inv is 32 bits wide here, assuming the verification logic
308 // uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
309 // internally, in which case we don't have a valid n0inv. Thus, we just
310 // ignore the montgomery parameters and have BoringSSL recompute them
311 // internally. If/When the speedup from using the montgomery parameters
312 // becomes relevant, we can add more sophisticated code here to obtain a
313 // 64-bit n0inv and initialize the montgomery parameters in the key object.
314 uint32_t key_len_words = 0;
315 uint32_t n0inv = 0;
316 if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
317 return nullptr;
318 }
319
320 if (key_len_words > 8192 / 32) {
Tianjie Xu7b0ad9c2016-08-05 18:00:04 -0700321 LOG(ERROR) << "key length (" << key_len_words << ") too large";
Elliott Hughes8febafa2016-04-13 16:39:56 -0700322 return nullptr;
323 }
324
325 // Read the modulus.
326 std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
327 if (fscanf(file, " , { %u", &modulus[0]) != 1) {
328 return nullptr;
329 }
330 for (uint32_t i = 1; i < key_len_words; ++i) {
331 if (fscanf(file, " , %u", &modulus[i]) != 1) {
332 return nullptr;
333 }
334 }
335
336 // Cconvert from little-endian array of little-endian words to big-endian
337 // byte array suitable as input for BN_bin2bn.
338 std::reverse((uint8_t*)modulus.get(),
339 (uint8_t*)(modulus.get() + key_len_words));
340
341 // The next sequence of values is the montgomery parameter R^2. Since we
342 // generally don't have a valid |n0inv|, we ignore this (see comment above).
343 uint32_t rr_value;
344 if (fscanf(file, " } , { %u", &rr_value) != 1) {
345 return nullptr;
346 }
347 for (uint32_t i = 1; i < key_len_words; ++i) {
348 if (fscanf(file, " , %u", &rr_value) != 1) {
349 return nullptr;
350 }
351 }
352 if (fscanf(file, " } } ") != 0) {
353 return nullptr;
354 }
355
356 // Initialize the key.
357 std::unique_ptr<RSA, RSADeleter> key(RSA_new());
358 if (!key) {
359 return nullptr;
360 }
361
362 key->n = BN_bin2bn((uint8_t*)modulus.get(),
363 key_len_words * sizeof(uint32_t), NULL);
364 if (!key->n) {
365 return nullptr;
366 }
367
368 key->e = BN_new();
369 if (!key->e || !BN_set_word(key->e, exponent)) {
370 return nullptr;
371 }
372
373 return key;
374}
375
376struct BNDeleter {
377 void operator()(BIGNUM* bn) {
378 BN_free(bn);
379 }
380};
381
382std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
383 uint32_t key_len_bytes = 0;
384 if (fscanf(file, " %i", &key_len_bytes) != 1) {
385 return nullptr;
386 }
387
388 std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
389 EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
390 if (!group) {
391 return nullptr;
392 }
393
394 // Verify that |key_len| matches the group order.
395 if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
396 return nullptr;
397 }
398
399 // Read the public key coordinates. Note that the byte order in the file is
400 // little-endian, so we convert to big-endian here.
401 std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
402 std::unique_ptr<BIGNUM, BNDeleter> point[2];
403 for (int i = 0; i < 2; ++i) {
404 unsigned int byte = 0;
405 if (fscanf(file, " , { %u", &byte) != 1) {
406 return nullptr;
407 }
408 bytes[key_len_bytes - 1] = byte;
409
410 for (size_t i = 1; i < key_len_bytes; ++i) {
411 if (fscanf(file, " , %u", &byte) != 1) {
412 return nullptr;
413 }
414 bytes[key_len_bytes - i - 1] = byte;
415 }
416
417 point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
418 if (!point[i]) {
419 return nullptr;
420 }
421
422 if (fscanf(file, " }") != 0) {
423 return nullptr;
424 }
425 }
426
427 if (fscanf(file, " } ") != 0) {
428 return nullptr;
429 }
430
431 // Create and initialize the key.
432 std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
433 if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
434 !EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
435 point[1].get())) {
436 return nullptr;
437 }
438
439 return key;
440}
441
Doug Zongker6c249f72012-11-02 15:04:05 -0700442// Reads a file containing one or more public keys as produced by
443// DumpPublicKey: this is an RSAPublicKey struct as it would appear
444// as a C source literal, eg:
445//
446// "{64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
447//
448// For key versions newer than the original 2048-bit e=3 keys
449// supported by Android, the string is preceded by a version
450// identifier, eg:
451//
452// "v2 {64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
453//
454// (Note that the braces and commas in this example are actual
455// characters the parser expects to find in the file; the ellipses
456// indicate more numbers omitted from this example.)
457//
458// The file may contain multiple keys in this format, separated by
459// commas. The last key must not be followed by a comma.
460//
Doug Zongker30362a62013-04-10 11:32:17 -0700461// A Certificate is a pair of an RSAPublicKey and a particular hash
462// (we support SHA-1 and SHA-256; we store the hash length to signify
463// which is being used). The hash used is implied by the version number.
464//
465// 1: 2048-bit RSA key with e=3 and SHA-1 hash
466// 2: 2048-bit RSA key with e=65537 and SHA-1 hash
467// 3: 2048-bit RSA key with e=3 and SHA-256 hash
468// 4: 2048-bit RSA key with e=65537 and SHA-256 hash
Kenny Root7a4adb52013-10-09 10:14:35 -0700469// 5: 256-bit EC key using the NIST P-256 curve parameters and SHA-256 hash
Doug Zongker30362a62013-04-10 11:32:17 -0700470//
Tao Bao71e3e092016-02-02 14:02:27 -0800471// Returns true on success, and appends the found keys (at least one) to certs.
472// Otherwise returns false if the file failed to parse, or if it contains zero
473// keys. The contents in certs would be unspecified on failure.
474bool load_keys(const char* filename, std::vector<Certificate>& certs) {
475 std::unique_ptr<FILE, decltype(&fclose)> f(fopen(filename, "r"), fclose);
476 if (!f) {
Tianjie Xu7b0ad9c2016-08-05 18:00:04 -0700477 PLOG(ERROR) << "error opening " << filename;
Tao Bao71e3e092016-02-02 14:02:27 -0800478 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700479 }
480
Tao Bao71e3e092016-02-02 14:02:27 -0800481 while (true) {
Elliott Hughes8febafa2016-04-13 16:39:56 -0700482 certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
Tao Bao71e3e092016-02-02 14:02:27 -0800483 Certificate& cert = certs.back();
Elliott Hughes8febafa2016-04-13 16:39:56 -0700484 uint32_t exponent = 0;
Doug Zongker6c249f72012-11-02 15:04:05 -0700485
Tao Bao71e3e092016-02-02 14:02:27 -0800486 char start_char;
487 if (fscanf(f.get(), " %c", &start_char) != 1) return false;
488 if (start_char == '{') {
489 // a version 1 key has no version specifier.
Elliott Hughes8febafa2016-04-13 16:39:56 -0700490 cert.key_type = Certificate::KEY_TYPE_RSA;
491 exponent = 3;
492 cert.hash_len = SHA_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800493 } else if (start_char == 'v') {
494 int version;
495 if (fscanf(f.get(), "%d {", &version) != 1) return false;
496 switch (version) {
497 case 2:
Elliott Hughes8febafa2016-04-13 16:39:56 -0700498 cert.key_type = Certificate::KEY_TYPE_RSA;
499 exponent = 65537;
500 cert.hash_len = SHA_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800501 break;
502 case 3:
Elliott Hughes8febafa2016-04-13 16:39:56 -0700503 cert.key_type = Certificate::KEY_TYPE_RSA;
504 exponent = 3;
505 cert.hash_len = SHA256_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800506 break;
507 case 4:
Elliott Hughes8febafa2016-04-13 16:39:56 -0700508 cert.key_type = Certificate::KEY_TYPE_RSA;
509 exponent = 65537;
510 cert.hash_len = SHA256_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800511 break;
512 case 5:
Elliott Hughes8febafa2016-04-13 16:39:56 -0700513 cert.key_type = Certificate::KEY_TYPE_EC;
514 cert.hash_len = SHA256_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800515 break;
516 default:
517 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700518 }
Tao Bao71e3e092016-02-02 14:02:27 -0800519 }
Doug Zongker6c249f72012-11-02 15:04:05 -0700520
Elliott Hughes8febafa2016-04-13 16:39:56 -0700521 if (cert.key_type == Certificate::KEY_TYPE_RSA) {
522 cert.rsa = parse_rsa_key(f.get(), exponent);
523 if (!cert.rsa) {
524 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700525 }
Tao Bao71e3e092016-02-02 14:02:27 -0800526
Tianjie Xu7b0ad9c2016-08-05 18:00:04 -0700527 LOG(INFO) << "read key e=" << exponent << " hash=" << cert.hash_len;
Elliott Hughes8febafa2016-04-13 16:39:56 -0700528 } else if (cert.key_type == Certificate::KEY_TYPE_EC) {
529 cert.ec = parse_ec_key(f.get());
530 if (!cert.ec) {
531 return false;
Tao Bao71e3e092016-02-02 14:02:27 -0800532 }
Tao Bao71e3e092016-02-02 14:02:27 -0800533 } else {
Tianjie Xu7b0ad9c2016-08-05 18:00:04 -0700534 LOG(ERROR) << "Unknown key type " << cert.key_type;
Tao Bao71e3e092016-02-02 14:02:27 -0800535 return false;
536 }
537
538 // if the line ends in a comma, this file has more keys.
539 int ch = fgetc(f.get());
540 if (ch == ',') {
541 // more keys to come.
542 continue;
543 } else if (ch == EOF) {
544 break;
545 } else {
Tianjie Xu7b0ad9c2016-08-05 18:00:04 -0700546 LOG(ERROR) << "unexpected character between keys";
Tao Bao71e3e092016-02-02 14:02:27 -0800547 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700548 }
549 }
550
Tao Bao71e3e092016-02-02 14:02:27 -0800551 return true;
Doug Zongker6c249f72012-11-02 15:04:05 -0700552}