authorTreehugger Robot <treehugger-gerrit@google.com>2016-10-26 17:17:36 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2016-10-26 17:17:37 +0000
commita422392dbd3627320d62f96575e6dd3cb9893470 (patch)
tree5f8d7953aa10ed4b25a93172de493458fb4a8fc1 /verity
parente7448f00cf02ebe92f41881cf9c4b198cadbb8af (diff)
parent2a75a61e2aeb241b6bd75e4d3c648f98cfc4d3be (diff)
Merge "Support verifying the boot signature against the given pubkey."
Diffstat (limited to 'verity')
-rw-r--r--verity/verify_boot_signature.c67
1 files changed, 51 insertions, 16 deletions
diff --git a/verity/verify_boot_signature.c b/verity/verify_boot_signature.c
index b706e3ad..36760ad7 100644
--- a/verity/verify_boot_signature.c
+++ b/verity/verify_boot_signature.c
@@ -32,6 +32,7 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
+#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
@@ -305,16 +306,21 @@ hi_done:
}
/**
- * Verifies the RSA signature
+ * Verifies the RSA signature against the pubkey (certificate) in the
+ * BootSignature, and additionally against the pubkey file if provided.
* @param fd File descriptor to the boot image
* @param length Length of the boot image without the signature block
* @param bs The boot signature block
+ * @param pkey The external pubkey file
*/
-static int verify_signature(int fd, uint64_t length, const BootSignature *bs)
+static int verify_signature(int fd, uint64_t length, const BootSignature *bs,
+ const char *pkey)
{
int rc = -1;
- EVP_PKEY *pkey = NULL;
- RSA *rsa = NULL;
+ EVP_PKEY *pkey_bs = NULL;
+ RSA *rsa_bs = NULL;
+ RSA *rsa_pkey = NULL;
+ BIO *bio_pkey = NULL;
unsigned char digest[SHA256_DIGEST_LENGTH];
if (!bs) {
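Review bot: The new `@param pkey` line documents only that it is "the external pubkey file", while the body (in the next hunk) reads it with `PEM_read_bio_RSA_PUBKEY`, which accepts only a PEM SubjectPublicKeyInfo block ("BEGIN PUBLIC KEY"), not a PKCS#1 "BEGIN RSA PUBLIC KEY" block or a certificate, and the parameter may be NULL. I would spell that out so callers do not pass the wrong encoding: `@param pkey Path to a PEM public key (SubjectPublicKeyInfo, "BEGIN PUBLIC KEY"), or NULL to skip the second check`. Reusing the name `pkey` for a path after it previously named the `EVP_PKEY` is also easy to misread; `pubkey_path` would be clearer. The body of verify_signature continues past the end of this hunk.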
@@ -325,31 +331,57 @@ static int verify_signature(int fd, uint64_t length, const BootSignature *bs)
goto vs_done;
}
- if ((pkey = X509_get_pubkey(bs->certificate)) == NULL) {
+ if ((pkey_bs = X509_get_pubkey(bs->certificate)) == NULL) {
ERR_print_errors(g_error);
goto vs_done;
}
- if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
+ if ((rsa_bs = EVP_PKEY_get1_RSA(pkey_bs)) == NULL) {
ERR_print_errors(g_error);
goto vs_done;
}
if (!RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,
- bs->signature->data, bs->signature->length, rsa)) {
+ bs->signature->data, bs->signature->length, rsa_bs)) {
ERR_print_errors(g_error);
goto vs_done;
}
+ if (pkey) {
+ if ((bio_pkey = BIO_new_file(pkey, "r")) == NULL) {
+ ERR_print_errors(g_error);
+ goto vs_done;
+ }
+
+ if ((rsa_pkey = PEM_read_bio_RSA_PUBKEY(bio_pkey, NULL, NULL, NULL)) == NULL) {
+ ERR_print_errors(g_error);
+ goto vs_done;
+ }
+
+ if (!RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,
+ bs->signature->data, bs->signature->length, rsa_pkey)) {
+ ERR_print_errors(g_error);
+ goto vs_done;
+ }
+ }
+
rc = 0;
vs_done:
- if (pkey) {
- EVP_PKEY_free(pkey);
+ if (pkey_bs) {
+ EVP_PKEY_free(pkey_bs);
+ }
+
+ if (rsa_bs) {
+ RSA_free(rsa_bs);
}
- if (rsa) {
- RSA_free(rsa);
+ if (bio_pkey) {
+ BIO_free_all(bio_pkey);
+ }
+
+ if (rsa_pkey) {
+ RSA_free(rsa_pkey);
}
return rc;
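Review bot: In the added `if (pkey)` branch an unreadable file, a key in the wrong PEM format and a genuine signature mismatch all collapse into the same `-1` return with only the raw OpenSSL error queue printed, so the caller cannot tell "wrong key file" from "image not signed by this key", which matters when this tool is used to gate a release. Each failure site should print its own message before the `goto`, e.g. `BIO_printf(g_error, "Cannot open pubkey file %s\n", pkey);` after the `BIO_new_file` check and `BIO_printf(g_error, "Signature does not verify against %s\n", pkey);` after the second `RSA_verify` (assuming `g_error` is a `BIO *`, as its use with `ERR_print_errors` suggests). The second `RSA_verify` reuses the `digest` computed earlier in this function, which is correct, but a one-line comment saying the image is hashed once and checked against both keys would save the next reader from re-deriving it. The start of verify_signature lies outside this hunk.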
@@ -359,7 +391,7 @@ vs_done:
* Given the file name of a signed boot image, verifies the signature
* @param image_file Name of the boot image file
*/
-static int verify(const char *image_file)
+static int verify(const char *image_file, const char *pkey)
{
BootSignature *bs = NULL;
int fd = -1;
@@ -386,7 +418,7 @@ static int verify(const char *image_file)
goto out;
}
- if (verify_signature(fd, offset, bs) == -1) {
+ if (verify_signature(fd, offset, bs, pkey) == -1) {
goto out;
}
@@ -407,12 +439,13 @@ out:
static void usage()
{
- printf("Usage: verify_boot_signature <path-to-boot-image>\n");
+ printf("Usage: verify_boot_signature <path-to-boot-image>\n"
+ " verify_boot_signature <path-to-boot-image> <pubkey>\n");
}
int main(int argc, char *argv[])
{
- if (argc != 2) {
+ if (argc != 2 && argc != 3) {
usage();
return 1;
}
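Review bot: The new usage line `verify_boot_signature <path-to-boot-image> <pubkey>` does not say what format `<pubkey>` must be in, and a user who passes a certificate or a PKCS#1 key will only see an opaque PEM error from the verification path. I would extend the string to `" verify_boot_signature <path-to-boot-image> <pubkey.pem>  (PEM \"BEGIN PUBLIC KEY\")\n"` or add a second line describing the expected encoding. The `argc != 2 && argc != 3` check itself is correct for the two documented forms.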
@@ -425,5 +458,7 @@ int main(int argc, char *argv[])
ERR_load_crypto_strings();
- return verify(argv[1]);
+ const char *pkey = (argc == 2) ? NULL : argv[2];
+
+ return verify(argv[1], pkey);
}