AU: Switch to 2048 bit RSA keys; Pad SHA256 hashes appropriately.

payload_signer.cc

 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "update_engine/payload_signer.h"
 
 #include <base/logging.h>
 #include <base/string_util.h>
 #include <openssl/pem.h>
 
 #include "update_engine/delta_diff_generator.h"
 #include "update_engine/delta_performer.h"
 #include "update_engine/omaha_hash_calculator.h"
 #include "update_engine/subprocess.h"
 #include "update_engine/update_metadata.pb.h"
 #include "update_engine/utils.h"
 
 using std::string;
 using std::vector;
 
 namespace chromeos_update_engine {
 
 const uint32_t kSignatureMessageVersion = 1;
 
 namespace {
+
+const char kRSA2048SHA256Padding[] = {
+  0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x30, 0x31, 0x30,
+  0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+  0x00, 0x04, 0x20
+};
+
 // Given a raw |signature|, packs it into a protobuf and serializes it into a
 // binary blob. Returns true on success, false otherwise.
 bool ConvertSignatureToProtobufBlob(const vector<char> signature,
                                     vector<char>* out_signature_blob) {
   // Pack it into a protobuf
   Signatures out_message;
   Signatures_Signature* sig_message = out_message.add_signatures();
   sig_message->set_version(kSignatureMessageVersion);
   sig_message->set_data(signature.data(), signature.size());
 
@@ skipping 70 matching lines @@
                              vector<char>* out_signature) {
   string sig_path;
   TEST_AND_RETURN_FALSE(
       utils::MakeTempFile("/tmp/signature.XXXXXX", &sig_path, NULL));
   ScopedPathUnlinker sig_path_unlinker(sig_path);
 
   string hash_path;
   TEST_AND_RETURN_FALSE(
       utils::MakeTempFile("/tmp/hash.XXXXXX", &hash_path, NULL));
   ScopedPathUnlinker hash_path_unlinker(hash_path);
+  // We expect unpadded SHA256 hash coming in
+  vector<char> padded_hash(hash);

[gauravsh, 2011/03/29 23:04:50]

should you check here that this is indeed the size that you expect?

[adlr, 2011/03/30 19:40:14]

Done.

+  PadRSA2048SHA256Hash(&padded_hash);
   TEST_AND_RETURN_FALSE(utils::WriteFile(hash_path.c_str(),
-                                         hash.data(),
-                                         hash.size()));
+                                         padded_hash.data(),
+                                         padded_hash.size()));
 
   // This runs on the server, so it's okay to cop out and call openssl
   // executable rather than properly use the library
   vector<string> cmd;
-  SplitString("/usr/bin/openssl rsautl -pkcs -sign -inkey x -in x -out x",
+  SplitString("/usr/bin/openssl rsautl -raw -sign -inkey x -in x -out x",
               ' ',
               &cmd);
   cmd[cmd.size() - 5] = private_key_path;
   cmd[cmd.size() - 3] = hash_path;
   cmd[cmd.size() - 1] = sig_path;
 
   int return_code = 0;
   TEST_AND_RETURN_FALSE(Subprocess::SynchronousExec(cmd, &return_code));
   TEST_AND_RETURN_FALSE(return_code == 0);
 
@@ skipping 79 matching lines @@
     return false;
   }
 
   // Decrypts the signature.
   vector<char> hash_data(keysize);
   int decrypt_size = RSA_public_decrypt(
       sig_data.size(),
       reinterpret_cast<const unsigned char*>(sig_data.data()),
       reinterpret_cast<unsigned char*>(hash_data.data()),
       rsa,
-      RSA_PKCS1_PADDING);
+      RSA_NO_PADDING);
   RSA_free(rsa);
   TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
                         decrypt_size <= static_cast<int>(hash_data.size()));
   hash_data.resize(decrypt_size);
   out_hash_data->swap(hash_data);
   return true;
 }
 
 bool PayloadSigner::VerifySignedPayload(const std::string& payload_path,
                                         const std::string& public_key_path) {
@@ skipping 10 matching lines @@
   vector<char> signature_blob(
       payload.begin() + metadata_size + manifest.signatures_offset(),
       payload.end());
   vector<char> signed_hash;
   TEST_AND_RETURN_FALSE(VerifySignature(
       signature_blob, public_key_path, &signed_hash));
   TEST_AND_RETURN_FALSE(!signed_hash.empty());
   vector<char> hash;
   TEST_AND_RETURN_FALSE(OmahaHashCalculator::RawHashOfBytes(
       payload.data(), metadata_size + manifest.signatures_offset(), &hash));
+  PadRSA2048SHA256Hash(&hash);
   TEST_AND_RETURN_FALSE(hash == signed_hash);
   return true;
 }
 
 bool PayloadSigner::HashPayloadForSigning(const std::string& payload_path,
                                           int signature_size,
                                           vector<char>* out_hash_data) {
   // TODO(petkov): Reduce memory usage -- the payload is manipulated in memory.
 
   // Loads the payload and adds the signature op to it.
@@ skipping 28 matching lines @@
   // Appends the signature blob to the end of the payload and writes the new
   // payload.
   payload.insert(payload.end(), signature_blob.begin(), signature_blob.end());
   LOG(INFO) << "Signed payload size: " << payload.size();
   TEST_AND_RETURN_FALSE(utils::WriteFile(signed_payload_path.c_str(),
                                          payload.data(),
                                          payload.size()));
   return true;
 }
 
+bool PayloadSigner::PadRSA2048SHA256Hash(std::vector<char>* hash) {
+  TEST_AND_RETURN_FALSE(hash->size() == 32);
+  hash->insert(hash->begin(),
+               kRSA2048SHA256Padding,
+               kRSA2048SHA256Padding + sizeof(kRSA2048SHA256Padding));
+  TEST_AND_RETURN_FALSE(hash->size() == 256);
+  return true;
+}
+
 }  // namespace chromeos_update_engine