diff options
author | Mattias Nissler <mnissler@google.com> | 2016-03-31 16:29:37 +0200 |
---|---|---|
committer | Mattias Nissler <mnissler@google.com> | 2016-04-06 15:53:43 +0200 |
commit | c494733146710a0182b5bd7bdbcb4e7118326288 (patch) | |
tree | 5cfa19f2b9f59255074381fc5cfc0019683c5175 | |
parent | 05e61bec49233712091be9d40ee46962170a118d (diff) | |
download | extras-c494733146710a0182b5bd7bdbcb4e7118326288.tar.gz |
Switch to BoringSSL for crypto.
Adjust code and dependencies to use BoringSSL + libcrypto_utils
instead of libmincrypt.
Change-Id: Id1b4ee538923e9dac68a7db2521b70007119c268
-rw-r--r-- | libfec/Android.mk | 2 | ||||
-rw-r--r-- | libfec/fec_private.h | 12 | ||||
-rw-r--r-- | libfec/include/fec/io.h | 5 | ||||
-rw-r--r-- | libfec/test/Android.mk | 1 | ||||
-rw-r--r-- | verity/Android.mk | 2 | ||||
-rw-r--r-- | verity/fec/Android.mk | 2 | ||||
-rw-r--r-- | verity/generate_verity_key.c | 61 |
7 files changed, 18 insertions, 67 deletions
diff --git a/libfec/Android.mk b/libfec/Android.mk index 45fb19ec..7dcdb25c 100644 --- a/libfec/Android.mk +++ b/libfec/Android.mk @@ -17,7 +17,7 @@ common_src_files := \ fec_process.cpp common_static_libraries := \ - libmincrypt \ + libcrypto_utils_static \ libcrypto_static \ libcutils \ libbase diff --git a/libfec/fec_private.h b/libfec/fec_private.h index bde30bd8..c54b5b17 100644 --- a/libfec/fec_private.h +++ b/libfec/fec_private.h @@ -23,17 +23,17 @@ #include <new> #include <pthread.h> #include <stdio.h> -#include <string> #include <string.h> +#include <string> #include <sys/syscall.h> #include <unistd.h> #include <vector> -#include <utils/Compat.h> -#include <mincrypt/rsa.h> -#include <openssl/sha.h> -#include <fec/io.h> +#include <crypto_utils/android_pubkey.h> #include <fec/ecc.h> +#include <fec/io.h> +#include <openssl/sha.h> +#include <utils/Compat.h> /* processing parameters */ #define WORK_MIN_THREADS 1 @@ -59,7 +59,7 @@ struct verity_header { uint32_t magic; uint32_t version; - uint8_t signature[RSANUMBYTES]; + uint8_t signature[ANDROID_PUBKEY_MODULUS_SIZE]; uint32_t length; }; diff --git a/libfec/include/fec/io.h b/libfec/include/fec/io.h index 1a077f32..8c0759b4 100644 --- a/libfec/include/fec/io.h +++ b/libfec/include/fec/io.h @@ -24,7 +24,8 @@ #include <stdio.h> #include <sys/types.h> #include <unistd.h> -#include <mincrypt/rsa.h> + +#include <crypto_utils/android_pubkey.h> #ifdef __cplusplus extern "C" { @@ -70,7 +71,7 @@ struct fec_ecc_metadata { struct fec_verity_metadata { bool disabled; uint64_t data_size; - uint8_t signature[RSANUMBYTES]; + uint8_t signature[ANDROID_PUBKEY_MODULUS_SIZE]; const char *table; uint32_t table_length; }; diff --git a/libfec/test/Android.mk b/libfec/test/Android.mk index a2bba554..d78c6d21 100644 --- a/libfec/test/Android.mk +++ b/libfec/test/Android.mk @@ -11,6 +11,7 @@ LOCAL_MODULE_TAGS := optional LOCAL_STATIC_LIBRARIES := \ libfec_host \ libfec_rs_host \ + libcrypto_utils_static \ libcrypto_static \ libext4_utils_host \ libsquashfs_utils_host \ diff --git a/verity/Android.mk b/verity/Android.mk index 7b3d13f3..5f9df5e5 100644 --- a/verity/Android.mk +++ b/verity/Android.mk @@ -18,7 +18,7 @@ LOCAL_MODULE := generate_verity_key LOCAL_SRC_FILES := generate_verity_key.c LOCAL_MODULE_CLASS := EXECUTABLES LOCAL_MODULE_TAGS := optional -LOCAL_SHARED_LIBRARIES := libcrypto-host +LOCAL_SHARED_LIBRARIES := libcrypto_utils libcrypto-host include $(BUILD_HOST_EXECUTABLE) include $(CLEAR_VARS) diff --git a/verity/fec/Android.mk b/verity/fec/Android.mk index c13f5775..0b742c12 100644 --- a/verity/fec/Android.mk +++ b/verity/fec/Android.mk @@ -11,6 +11,7 @@ LOCAL_MODULE_TAGS := optional LOCAL_STATIC_LIBRARIES := \ libsparse_host \ libz \ + libcrypto_utils_static \ libcrypto_static \ libfec_host \ libfec_rs_host \ @@ -29,6 +30,7 @@ LOCAL_FORCE_STATIC_EXECUTABLE := true LOCAL_SRC_FILES := main.cpp image.cpp LOCAL_MODULE_TAGS := optional LOCAL_STATIC_LIBRARIES := \ + libcrypto_utils_static \ libcrypto_static \ libfec \ libfec_rs \ diff --git a/verity/generate_verity_key.c b/verity/generate_verity_key.c index 0da978fc..c598afbc 100644 --- a/verity/generate_verity_key.c +++ b/verity/generate_verity_key.c @@ -23,11 +23,7 @@ #include <sys/types.h> #include <unistd.h> -/* HACK: we need the RSAPublicKey struct - * but RSA_verify conflits with openssl */ -#define RSA_verify RSA_verify_mincrypt -#include "mincrypt/rsa.h" -#undef RSA_verify +#include <crypto_utils/android_pubkey.h> #include <openssl/evp.h> #include <openssl/objects.h> @@ -35,58 +31,9 @@ #include <openssl/rsa.h> #include <openssl/sha.h> -// Convert OpenSSL RSA private key to android pre-computed RSAPublicKey format. -// Lifted from secure adb's mincrypt key generation. -static int convert_to_mincrypt_format(RSA *rsa, RSAPublicKey *pkey) -{ - int ret = -1; - unsigned int i; - - if (RSA_size(rsa) != RSANUMBYTES) - goto out; - - BN_CTX* ctx = BN_CTX_new(); - BIGNUM* r32 = BN_new(); - BIGNUM* rr = BN_new(); - BIGNUM* r = BN_new(); - BIGNUM* rem = BN_new(); - BIGNUM* n = BN_new(); - BIGNUM* n0inv = BN_new(); - - BN_set_bit(r32, 32); - BN_copy(n, rsa->n); - BN_set_bit(r, RSANUMWORDS * 32); - BN_mod_sqr(rr, r, n, ctx); - BN_div(NULL, rem, n, r32, ctx); - BN_mod_inverse(n0inv, rem, r32, ctx); - - pkey->len = RSANUMWORDS; - pkey->n0inv = 0 - BN_get_word(n0inv); - for (i = 0; i < RSANUMWORDS; i++) { - BN_div(rr, rem, rr, r32, ctx); - pkey->rr[i] = BN_get_word(rem); - BN_div(n, rem, n, r32, ctx); - pkey->n[i] = BN_get_word(rem); - } - pkey->exponent = BN_get_word(rsa->e); - - ret = 0; - - BN_free(n0inv); - BN_free(n); - BN_free(rem); - BN_free(r); - BN_free(rr); - BN_free(r32); - BN_CTX_free(ctx); - -out: - return ret; -} - static int write_public_keyfile(RSA *private_key, const char *private_key_path) { - RSAPublicKey pkey; + uint8_t key_data[ANDROID_PUBKEY_ENCODED_SIZE]; BIO *bfile = NULL; char *path = NULL; int ret = -1; @@ -94,14 +41,14 @@ static int write_public_keyfile(RSA *private_key, const char *private_key_path) if (asprintf(&path, "%s.pub", private_key_path) < 0) goto out; - if (convert_to_mincrypt_format(private_key, &pkey) < 0) + if (!android_pubkey_encode(private_key, key_data, sizeof(key_data))) goto out; bfile = BIO_new_file(path, "w"); if (!bfile) goto out; - BIO_write(bfile, &pkey, sizeof(pkey)); + BIO_write(bfile, key_data, sizeof(key_data)); BIO_flush(bfile); ret = 0; |