blob: 1d6cf811a6e638b0e700d8dd9416751b7fe46fdd [file] [log] [blame]
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -08001/*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Doug Zongker54e2e862009-08-17 13:21:04 -070017#include <errno.h>
Elliott Hughes26dbad22015-01-28 12:09:05 -080018#include <malloc.h>
19#include <stdio.h>
20#include <string.h>
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080021
Mattias Nissler452df6d2016-04-04 16:17:01 +020022#include <algorithm>
23#include <memory>
24
David Benjamina86392e2016-04-15 20:22:09 -040025#include <openssl/bn.h>
Mattias Nissler452df6d2016-04-04 16:17:01 +020026#include <openssl/ecdsa.h>
27#include <openssl/obj_mac.h>
28
29#include "asn1_decoder.h"
30#include "common.h"
31#include "ui.h"
32#include "verifier.h"
33
Doug Zongker211aebc2011-10-28 15:13:10 -070034extern RecoveryUI* ui;
35
Kenny Root7a4adb52013-10-09 10:14:35 -070036/*
37 * Simple version of PKCS#7 SignedData extraction. This extracts the
38 * signature OCTET STRING to be used for signature verification.
39 *
40 * For full details, see http://www.ietf.org/rfc/rfc3852.txt
41 *
42 * The PKCS#7 structure looks like:
43 *
44 * SEQUENCE (ContentInfo)
45 * OID (ContentType)
46 * [0] (content)
47 * SEQUENCE (SignedData)
48 * INTEGER (version CMSVersion)
49 * SET (DigestAlgorithmIdentifiers)
50 * SEQUENCE (EncapsulatedContentInfo)
51 * [0] (CertificateSet OPTIONAL)
52 * [1] (RevocationInfoChoices OPTIONAL)
53 * SET (SignerInfos)
54 * SEQUENCE (SignerInfo)
55 * INTEGER (CMSVersion)
56 * SEQUENCE (SignerIdentifier)
57 * SEQUENCE (DigestAlgorithmIdentifier)
58 * SEQUENCE (SignatureAlgorithmIdentifier)
59 * OCTET STRING (SignatureValue)
60 */
61static bool read_pkcs7(uint8_t* pkcs7_der, size_t pkcs7_der_len, uint8_t** sig_der,
62 size_t* sig_der_length) {
63 asn1_context_t* ctx = asn1_context_new(pkcs7_der, pkcs7_der_len);
64 if (ctx == NULL) {
65 return false;
66 }
67
68 asn1_context_t* pkcs7_seq = asn1_sequence_get(ctx);
69 if (pkcs7_seq != NULL && asn1_sequence_next(pkcs7_seq)) {
70 asn1_context_t *signed_data_app = asn1_constructed_get(pkcs7_seq);
71 if (signed_data_app != NULL) {
72 asn1_context_t* signed_data_seq = asn1_sequence_get(signed_data_app);
73 if (signed_data_seq != NULL
74 && asn1_sequence_next(signed_data_seq)
75 && asn1_sequence_next(signed_data_seq)
76 && asn1_sequence_next(signed_data_seq)
77 && asn1_constructed_skip_all(signed_data_seq)) {
78 asn1_context_t *sig_set = asn1_set_get(signed_data_seq);
79 if (sig_set != NULL) {
80 asn1_context_t* sig_seq = asn1_sequence_get(sig_set);
81 if (sig_seq != NULL
82 && asn1_sequence_next(sig_seq)
83 && asn1_sequence_next(sig_seq)
84 && asn1_sequence_next(sig_seq)
85 && asn1_sequence_next(sig_seq)) {
86 uint8_t* sig_der_ptr;
87 if (asn1_octet_string_get(sig_seq, &sig_der_ptr, sig_der_length)) {
88 *sig_der = (uint8_t*) malloc(*sig_der_length);
89 if (*sig_der != NULL) {
90 memcpy(*sig_der, sig_der_ptr, *sig_der_length);
91 }
92 }
93 asn1_context_free(sig_seq);
94 }
95 asn1_context_free(sig_set);
96 }
97 asn1_context_free(signed_data_seq);
98 }
99 asn1_context_free(signed_data_app);
100 }
101 asn1_context_free(pkcs7_seq);
102 }
103 asn1_context_free(ctx);
104
105 return *sig_der != NULL;
106}
107
Doug Zongker54e2e862009-08-17 13:21:04 -0700108// Look for an RSA signature embedded in the .ZIP file comment given
109// the path to the zip. Verify it matches one of the given public
110// keys.
111//
112// Return VERIFY_SUCCESS, VERIFY_FAILURE (if any error is encountered
113// or no key matches the signature).
114
Doug Zongker99916f02014-01-13 14:16:58 -0800115int verify_file(unsigned char* addr, size_t length,
Tao Bao71e3e092016-02-02 14:02:27 -0800116 const std::vector<Certificate>& keys) {
Doug Zongker211aebc2011-10-28 15:13:10 -0700117 ui->SetProgress(0.0);
Doug Zongker54e2e862009-08-17 13:21:04 -0700118
Doug Zongker54e2e862009-08-17 13:21:04 -0700119 // An archive with a whole-file signature will end in six bytes:
120 //
Doug Zongker73ae31c2009-12-09 17:01:45 -0800121 // (2-byte signature start) $ff $ff (2-byte comment size)
Doug Zongker54e2e862009-08-17 13:21:04 -0700122 //
123 // (As far as the ZIP format is concerned, these are part of the
124 // archive comment.) We start by reading this footer, this tells
125 // us how far back from the end we have to start reading to find
126 // the whole comment.
127
128#define FOOTER_SIZE 6
129
Doug Zongker99916f02014-01-13 14:16:58 -0800130 if (length < FOOTER_SIZE) {
131 LOGE("not big enough to contain footer\n");
Doug Zongker54e2e862009-08-17 13:21:04 -0700132 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800133 }
134
Doug Zongker99916f02014-01-13 14:16:58 -0800135 unsigned char* footer = addr + length - FOOTER_SIZE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800136
Doug Zongker54e2e862009-08-17 13:21:04 -0700137 if (footer[2] != 0xff || footer[3] != 0xff) {
Doug Zongker30362a62013-04-10 11:32:17 -0700138 LOGE("footer is wrong\n");
Doug Zongker54e2e862009-08-17 13:21:04 -0700139 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800140 }
141
Doug Zongker28ce47c2011-10-28 10:33:05 -0700142 size_t comment_size = footer[4] + (footer[5] << 8);
143 size_t signature_start = footer[0] + (footer[1] << 8);
Mark Salyzynf3bb31c2014-03-14 09:39:48 -0700144 LOGI("comment is %zu bytes; signature %zu bytes from end\n",
Doug Zongker54e2e862009-08-17 13:21:04 -0700145 comment_size, signature_start);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800146
Kenny Root7a4adb52013-10-09 10:14:35 -0700147 if (signature_start <= FOOTER_SIZE) {
148 LOGE("Signature start is in the footer");
Doug Zongker54e2e862009-08-17 13:21:04 -0700149 return VERIFY_FAILURE;
150 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800151
Doug Zongker54e2e862009-08-17 13:21:04 -0700152#define EOCD_HEADER_SIZE 22
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800153
Doug Zongker54e2e862009-08-17 13:21:04 -0700154 // The end-of-central-directory record is 22 bytes plus any
155 // comment length.
156 size_t eocd_size = comment_size + EOCD_HEADER_SIZE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800157
Doug Zongker99916f02014-01-13 14:16:58 -0800158 if (length < eocd_size) {
159 LOGE("not big enough to contain EOCD\n");
Doug Zongker54e2e862009-08-17 13:21:04 -0700160 return VERIFY_FAILURE;
161 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800162
Doug Zongker54e2e862009-08-17 13:21:04 -0700163 // Determine how much of the file is covered by the signature.
164 // This is everything except the signature data and length, which
165 // includes all of the EOCD except for the comment length field (2
166 // bytes) and the comment data.
Doug Zongker99916f02014-01-13 14:16:58 -0800167 size_t signed_len = length - eocd_size + EOCD_HEADER_SIZE - 2;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800168
Doug Zongker99916f02014-01-13 14:16:58 -0800169 unsigned char* eocd = addr + length - eocd_size;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800170
Doug Zongker54e2e862009-08-17 13:21:04 -0700171 // If this is really is the EOCD record, it will begin with the
172 // magic number $50 $4b $05 $06.
173 if (eocd[0] != 0x50 || eocd[1] != 0x4b ||
174 eocd[2] != 0x05 || eocd[3] != 0x06) {
175 LOGE("signature length doesn't match EOCD marker\n");
Doug Zongker54e2e862009-08-17 13:21:04 -0700176 return VERIFY_FAILURE;
177 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800178
Tao Bao71e3e092016-02-02 14:02:27 -0800179 for (size_t i = 4; i < eocd_size-3; ++i) {
Doug Zongker54e2e862009-08-17 13:21:04 -0700180 if (eocd[i ] == 0x50 && eocd[i+1] == 0x4b &&
Doug Zongkerc652e412009-12-08 15:30:09 -0800181 eocd[i+2] == 0x05 && eocd[i+3] == 0x06) {
Doug Zongker54e2e862009-08-17 13:21:04 -0700182 // if the sequence $50 $4b $05 $06 appears anywhere after
183 // the real one, minzip will find the later (wrong) one,
184 // which could be exploitable. Fail verification if
185 // this sequence occurs anywhere after the real one.
186 LOGE("EOCD marker occurs after start of EOCD\n");
Doug Zongker54e2e862009-08-17 13:21:04 -0700187 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800188 }
189 }
190
Doug Zongker54e2e862009-08-17 13:21:04 -0700191#define BUFFER_SIZE 4096
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800192
Doug Zongker30362a62013-04-10 11:32:17 -0700193 bool need_sha1 = false;
194 bool need_sha256 = false;
Tao Bao71e3e092016-02-02 14:02:27 -0800195 for (const auto& key : keys) {
196 switch (key.hash_len) {
Mattias Nissler452df6d2016-04-04 16:17:01 +0200197 case SHA_DIGEST_LENGTH: need_sha1 = true; break;
198 case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
Doug Zongker30362a62013-04-10 11:32:17 -0700199 }
200 }
201
202 SHA_CTX sha1_ctx;
203 SHA256_CTX sha256_ctx;
Mattias Nissler452df6d2016-04-04 16:17:01 +0200204 SHA1_Init(&sha1_ctx);
205 SHA256_Init(&sha256_ctx);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800206
Doug Zongker54e2e862009-08-17 13:21:04 -0700207 double frac = -1.0;
208 size_t so_far = 0;
Doug Zongker54e2e862009-08-17 13:21:04 -0700209 while (so_far < signed_len) {
Doug Zongker99916f02014-01-13 14:16:58 -0800210 size_t size = signed_len - so_far;
211 if (size > BUFFER_SIZE) size = BUFFER_SIZE;
212
Mattias Nissler452df6d2016-04-04 16:17:01 +0200213 if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
214 if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
Doug Zongker54e2e862009-08-17 13:21:04 -0700215 so_far += size;
Doug Zongker99916f02014-01-13 14:16:58 -0800216
Doug Zongker54e2e862009-08-17 13:21:04 -0700217 double f = so_far / (double)signed_len;
218 if (f > frac + 0.02 || size == so_far) {
Doug Zongker211aebc2011-10-28 15:13:10 -0700219 ui->SetProgress(f);
Doug Zongker54e2e862009-08-17 13:21:04 -0700220 frac = f;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800221 }
222 }
223
Mattias Nissler452df6d2016-04-04 16:17:01 +0200224 uint8_t sha1[SHA_DIGEST_LENGTH];
225 SHA1_Final(sha1, &sha1_ctx);
226 uint8_t sha256[SHA256_DIGEST_LENGTH];
227 SHA256_Final(sha256, &sha256_ctx);
Doug Zongker30362a62013-04-10 11:32:17 -0700228
Tao Bao71e3e092016-02-02 14:02:27 -0800229 uint8_t* sig_der = nullptr;
Kenny Root7a4adb52013-10-09 10:14:35 -0700230 size_t sig_der_length = 0;
231
232 size_t signature_size = signature_start - FOOTER_SIZE;
233 if (!read_pkcs7(eocd + eocd_size - signature_start, signature_size, &sig_der,
234 &sig_der_length)) {
235 LOGE("Could not find signature DER block\n");
Kenny Root7a4adb52013-10-09 10:14:35 -0700236 return VERIFY_FAILURE;
237 }
Kenny Root7a4adb52013-10-09 10:14:35 -0700238
239 /*
240 * Check to make sure at least one of the keys matches the signature. Since
241 * any key can match, we need to try each before determining a verification
242 * failure has happened.
243 */
Tao Bao71e3e092016-02-02 14:02:27 -0800244 size_t i = 0;
245 for (const auto& key : keys) {
Doug Zongker30362a62013-04-10 11:32:17 -0700246 const uint8_t* hash;
Mattias Nissler452df6d2016-04-04 16:17:01 +0200247 int hash_nid;
Tao Bao71e3e092016-02-02 14:02:27 -0800248 switch (key.hash_len) {
Mattias Nissler452df6d2016-04-04 16:17:01 +0200249 case SHA_DIGEST_LENGTH:
250 hash = sha1;
251 hash_nid = NID_sha1;
252 break;
253 case SHA256_DIGEST_LENGTH:
254 hash = sha256;
255 hash_nid = NID_sha256;
256 break;
257 default:
258 continue;
Doug Zongker30362a62013-04-10 11:32:17 -0700259 }
260
Doug Zongker73ae31c2009-12-09 17:01:45 -0800261 // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
Doug Zongker54e2e862009-08-17 13:21:04 -0700262 // the signing tool appends after the signature itself.
Mattias Nissler452df6d2016-04-04 16:17:01 +0200263 if (key.key_type == Certificate::KEY_TYPE_RSA) {
264 if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der,
265 sig_der_length, key.rsa.get())) {
Mark Salyzynf3bb31c2014-03-14 09:39:48 -0700266 LOGI("failed to verify against RSA key %zu\n", i);
Kenny Root7a4adb52013-10-09 10:14:35 -0700267 continue;
268 }
269
Mark Salyzynf3bb31c2014-03-14 09:39:48 -0700270 LOGI("whole-file signature verified against RSA key %zu\n", i);
Kenny Root7a4adb52013-10-09 10:14:35 -0700271 free(sig_der);
272 return VERIFY_SUCCESS;
Mattias Nissler452df6d2016-04-04 16:17:01 +0200273 } else if (key.key_type == Certificate::KEY_TYPE_EC
274 && key.hash_len == SHA256_DIGEST_LENGTH) {
275 if (!ECDSA_verify(0, hash, key.hash_len, sig_der,
276 sig_der_length, key.ec.get())) {
Mark Salyzynf3bb31c2014-03-14 09:39:48 -0700277 LOGI("failed to verify against EC key %zu\n", i);
Kenny Root7a4adb52013-10-09 10:14:35 -0700278 continue;
279 }
280
Mark Salyzynf3bb31c2014-03-14 09:39:48 -0700281 LOGI("whole-file signature verified against EC key %zu\n", i);
Kenny Root7a4adb52013-10-09 10:14:35 -0700282 free(sig_der);
Doug Zongker54e2e862009-08-17 13:21:04 -0700283 return VERIFY_SUCCESS;
Doug Zongker6c249f72012-11-02 15:04:05 -0700284 } else {
Tao Bao71e3e092016-02-02 14:02:27 -0800285 LOGI("Unknown key type %d\n", key.key_type);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800286 }
Tao Bao71e3e092016-02-02 14:02:27 -0800287 i++;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800288 }
Kenny Root7a4adb52013-10-09 10:14:35 -0700289 free(sig_der);
Doug Zongker54e2e862009-08-17 13:21:04 -0700290 LOGE("failed to verify whole-file signature\n");
291 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800292}
Doug Zongker6c249f72012-11-02 15:04:05 -0700293
Mattias Nissler452df6d2016-04-04 16:17:01 +0200294std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
295 // Read key length in words and n0inv. n0inv is a precomputed montgomery
296 // parameter derived from the modulus and can be used to speed up
297 // verification. n0inv is 32 bits wide here, assuming the verification logic
298 // uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
299 // internally, in which case we don't have a valid n0inv. Thus, we just
300 // ignore the montgomery parameters and have BoringSSL recompute them
301 // internally. If/When the speedup from using the montgomery parameters
302 // becomes relevant, we can add more sophisticated code here to obtain a
303 // 64-bit n0inv and initialize the montgomery parameters in the key object.
304 uint32_t key_len_words = 0;
305 uint32_t n0inv = 0;
306 if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
307 return nullptr;
308 }
309
310 if (key_len_words > 8192 / 32) {
311 LOGE("key length (%d) too large\n", key_len_words);
312 return nullptr;
313 }
314
315 // Read the modulus.
316 std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
317 if (fscanf(file, " , { %u", &modulus[0]) != 1) {
318 return nullptr;
319 }
320 for (uint32_t i = 1; i < key_len_words; ++i) {
321 if (fscanf(file, " , %u", &modulus[i]) != 1) {
322 return nullptr;
323 }
324 }
325
326 // Cconvert from little-endian array of little-endian words to big-endian
327 // byte array suitable as input for BN_bin2bn.
328 std::reverse((uint8_t*)modulus.get(),
329 (uint8_t*)(modulus.get() + key_len_words));
330
331 // The next sequence of values is the montgomery parameter R^2. Since we
332 // generally don't have a valid |n0inv|, we ignore this (see comment above).
333 uint32_t rr_value;
334 if (fscanf(file, " } , { %u", &rr_value) != 1) {
335 return nullptr;
336 }
337 for (uint32_t i = 1; i < key_len_words; ++i) {
338 if (fscanf(file, " , %u", &rr_value) != 1) {
339 return nullptr;
340 }
341 }
342 if (fscanf(file, " } } ") != 0) {
343 return nullptr;
344 }
345
346 // Initialize the key.
347 std::unique_ptr<RSA, RSADeleter> key(RSA_new());
348 if (!key) {
349 return nullptr;
350 }
351
352 key->n = BN_bin2bn((uint8_t*)modulus.get(),
353 key_len_words * sizeof(uint32_t), NULL);
354 if (!key->n) {
355 return nullptr;
356 }
357
358 key->e = BN_new();
359 if (!key->e || !BN_set_word(key->e, exponent)) {
360 return nullptr;
361 }
362
363 return key;
364}
365
366struct BNDeleter {
367 void operator()(BIGNUM* bn) {
368 BN_free(bn);
369 }
370};
371
372std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
373 uint32_t key_len_bytes = 0;
374 if (fscanf(file, " %i", &key_len_bytes) != 1) {
375 return nullptr;
376 }
377
378 std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
379 EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
380 if (!group) {
381 return nullptr;
382 }
383
384 // Verify that |key_len| matches the group order.
385 if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
386 return nullptr;
387 }
388
389 // Read the public key coordinates. Note that the byte order in the file is
390 // little-endian, so we convert to big-endian here.
391 std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
392 std::unique_ptr<BIGNUM, BNDeleter> point[2];
393 for (int i = 0; i < 2; ++i) {
394 unsigned int byte = 0;
395 if (fscanf(file, " , { %u", &byte) != 1) {
396 return nullptr;
397 }
398 bytes[key_len_bytes - 1] = byte;
399
400 for (size_t i = 1; i < key_len_bytes; ++i) {
401 if (fscanf(file, " , %u", &byte) != 1) {
402 return nullptr;
403 }
404 bytes[key_len_bytes - i - 1] = byte;
405 }
406
407 point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
408 if (!point[i]) {
409 return nullptr;
410 }
411
412 if (fscanf(file, " }") != 0) {
413 return nullptr;
414 }
415 }
416
417 if (fscanf(file, " } ") != 0) {
418 return nullptr;
419 }
420
421 // Create and initialize the key.
422 std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
423 if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
424 !EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
425 point[1].get())) {
426 return nullptr;
427 }
428
429 return key;
430}
431
Doug Zongker6c249f72012-11-02 15:04:05 -0700432// Reads a file containing one or more public keys as produced by
433// DumpPublicKey: this is an RSAPublicKey struct as it would appear
434// as a C source literal, eg:
435//
436// "{64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
437//
438// For key versions newer than the original 2048-bit e=3 keys
439// supported by Android, the string is preceded by a version
440// identifier, eg:
441//
442// "v2 {64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
443//
444// (Note that the braces and commas in this example are actual
445// characters the parser expects to find in the file; the ellipses
446// indicate more numbers omitted from this example.)
447//
448// The file may contain multiple keys in this format, separated by
449// commas. The last key must not be followed by a comma.
450//
Doug Zongker30362a62013-04-10 11:32:17 -0700451// A Certificate is a pair of an RSAPublicKey and a particular hash
452// (we support SHA-1 and SHA-256; we store the hash length to signify
453// which is being used). The hash used is implied by the version number.
454//
455// 1: 2048-bit RSA key with e=3 and SHA-1 hash
456// 2: 2048-bit RSA key with e=65537 and SHA-1 hash
457// 3: 2048-bit RSA key with e=3 and SHA-256 hash
458// 4: 2048-bit RSA key with e=65537 and SHA-256 hash
Kenny Root7a4adb52013-10-09 10:14:35 -0700459// 5: 256-bit EC key using the NIST P-256 curve parameters and SHA-256 hash
Doug Zongker30362a62013-04-10 11:32:17 -0700460//
Tao Bao71e3e092016-02-02 14:02:27 -0800461// Returns true on success, and appends the found keys (at least one) to certs.
462// Otherwise returns false if the file failed to parse, or if it contains zero
463// keys. The contents in certs would be unspecified on failure.
464bool load_keys(const char* filename, std::vector<Certificate>& certs) {
465 std::unique_ptr<FILE, decltype(&fclose)> f(fopen(filename, "r"), fclose);
466 if (!f) {
Doug Zongker6c249f72012-11-02 15:04:05 -0700467 LOGE("opening %s: %s\n", filename, strerror(errno));
Tao Bao71e3e092016-02-02 14:02:27 -0800468 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700469 }
470
Tao Bao71e3e092016-02-02 14:02:27 -0800471 while (true) {
Mattias Nissler452df6d2016-04-04 16:17:01 +0200472 certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
Tao Bao71e3e092016-02-02 14:02:27 -0800473 Certificate& cert = certs.back();
Mattias Nissler452df6d2016-04-04 16:17:01 +0200474 uint32_t exponent = 0;
Doug Zongker6c249f72012-11-02 15:04:05 -0700475
Tao Bao71e3e092016-02-02 14:02:27 -0800476 char start_char;
477 if (fscanf(f.get(), " %c", &start_char) != 1) return false;
478 if (start_char == '{') {
479 // a version 1 key has no version specifier.
Mattias Nissler452df6d2016-04-04 16:17:01 +0200480 cert.key_type = Certificate::KEY_TYPE_RSA;
481 exponent = 3;
482 cert.hash_len = SHA_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800483 } else if (start_char == 'v') {
484 int version;
485 if (fscanf(f.get(), "%d {", &version) != 1) return false;
486 switch (version) {
487 case 2:
Mattias Nissler452df6d2016-04-04 16:17:01 +0200488 cert.key_type = Certificate::KEY_TYPE_RSA;
489 exponent = 65537;
490 cert.hash_len = SHA_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800491 break;
492 case 3:
Mattias Nissler452df6d2016-04-04 16:17:01 +0200493 cert.key_type = Certificate::KEY_TYPE_RSA;
494 exponent = 3;
495 cert.hash_len = SHA256_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800496 break;
497 case 4:
Mattias Nissler452df6d2016-04-04 16:17:01 +0200498 cert.key_type = Certificate::KEY_TYPE_RSA;
499 exponent = 65537;
500 cert.hash_len = SHA256_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800501 break;
502 case 5:
Mattias Nissler452df6d2016-04-04 16:17:01 +0200503 cert.key_type = Certificate::KEY_TYPE_EC;
504 cert.hash_len = SHA256_DIGEST_LENGTH;
Tao Bao71e3e092016-02-02 14:02:27 -0800505 break;
506 default:
507 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700508 }
Tao Bao71e3e092016-02-02 14:02:27 -0800509 }
Doug Zongker6c249f72012-11-02 15:04:05 -0700510
Mattias Nissler452df6d2016-04-04 16:17:01 +0200511 if (cert.key_type == Certificate::KEY_TYPE_RSA) {
512 cert.rsa = parse_rsa_key(f.get(), exponent);
513 if (!cert.rsa) {
514 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700515 }
Tao Bao71e3e092016-02-02 14:02:27 -0800516
Mattias Nissler452df6d2016-04-04 16:17:01 +0200517 LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len);
518 } else if (cert.key_type == Certificate::KEY_TYPE_EC) {
519 cert.ec = parse_ec_key(f.get());
520 if (!cert.ec) {
521 return false;
Tao Bao71e3e092016-02-02 14:02:27 -0800522 }
Tao Bao71e3e092016-02-02 14:02:27 -0800523 } else {
524 LOGE("Unknown key type %d\n", cert.key_type);
525 return false;
526 }
527
528 // if the line ends in a comma, this file has more keys.
529 int ch = fgetc(f.get());
530 if (ch == ',') {
531 // more keys to come.
532 continue;
533 } else if (ch == EOF) {
534 break;
535 } else {
536 LOGE("unexpected character between keys\n");
537 return false;
Doug Zongker6c249f72012-11-02 15:04:05 -0700538 }
539 }
540
Tao Bao71e3e092016-02-02 14:02:27 -0800541 return true;
Doug Zongker6c249f72012-11-02 15:04:05 -0700542}