2 * Copyright (C) 2014 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #define _LARGEFILE64_SOURCE
24 #include <sys/types.h>
29 #include <openssl/asn1.h>
30 #include <openssl/asn1t.h>
31 #include <openssl/err.h>
32 #include <openssl/evp.h>
33 #include <openssl/rsa.h>
34 #include <openssl/x509.h>
38 #define FORMAT_VERSION 1
39 #define BUFFER_SIZE (1024 * 1024)
46 ASN1_SEQUENCE(AuthAttrs) = {
47 ASN1_SIMPLE(AuthAttrs, target, ASN1_PRINTABLE),
48 ASN1_SIMPLE(AuthAttrs, length, ASN1_INTEGER)
49 } ASN1_SEQUENCE_END(AuthAttrs)
51 IMPLEMENT_ASN1_FUNCTIONS(AuthAttrs)
54 ASN1_INTEGER *formatVersion;
56 X509_ALGOR *algorithmIdentifier;
57 AuthAttrs *authenticatedAttributes;
58 ASN1_OCTET_STRING *signature;
61 ASN1_SEQUENCE(BootSignature) = {
62 ASN1_SIMPLE(BootSignature, formatVersion, ASN1_INTEGER),
63 ASN1_SIMPLE(BootSignature, certificate, X509),
64 ASN1_SIMPLE(BootSignature, algorithmIdentifier, X509_ALGOR),
65 ASN1_SIMPLE(BootSignature, authenticatedAttributes, AuthAttrs),
66 ASN1_SIMPLE(BootSignature, signature, ASN1_OCTET_STRING)
67 } ASN1_SEQUENCE_END(BootSignature)
69 IMPLEMENT_ASN1_FUNCTIONS(BootSignature)
71 static BIO *g_error = NULL;
73 #if defined(OPENSSL_IS_BORINGSSL)
74 /* In BoringSSL, ERR_print_errors has been moved to the BIO functions in order
75 * to avoid the incorrect dependency of ERR on BIO. */
76 static void ERR_print_errors(BIO *bio) {
77 BIO_print_errors(bio);
82 * Rounds n up to the nearest multiple of page_size
83 * @param n The value to round
84 * @param page_size Page size
86 static uint64_t page_align(uint64_t n, uint64_t page_size)
88 return (((n + page_size - 1) / page_size) * page_size);
92 * Calculates the offset to the beginning of the BootSignature block
93 * based on the boot image header. The signature will start after the
94 * boot image contents.
95 * @param fd File descriptor to the boot image
96 * @param offset Receives the offset in bytes
98 static int get_signature_offset(int fd, off64_t *offset)
101 struct boot_img_hdr hdr;
107 if (read(fd, &hdr, sizeof(hdr)) != sizeof(hdr)) {
111 if (memcmp(BOOT_MAGIC, hdr.magic, BOOT_MAGIC_SIZE) != 0) {
112 printf("Invalid boot image: missing magic\n");
116 if (!hdr.page_size) {
117 printf("Invalid boot image: page size must be non-zero\n");
121 *offset = page_align(hdr.page_size
122 + page_align(hdr.kernel_size, hdr.page_size)
123 + page_align(hdr.ramdisk_size, hdr.page_size)
124 + page_align(hdr.second_size, hdr.page_size),
131 * Reads and parses the ASN.1 BootSignature block from the given offset
132 * @param fd File descriptor to the boot image
133 * @param offset Offset from the beginning of file to the signature
134 * @param bs Pointer to receive the BootImage structure
136 static int read_signature(int fd, off64_t offset, BootSignature **bs)
144 if (lseek64(fd, offset, SEEK_SET) == -1) {
148 if ((in = BIO_new_fd(fd, BIO_NOCLOSE)) == NULL) {
149 ERR_print_errors(g_error);
153 if ((*bs = ASN1_item_d2i_bio(ASN1_ITEM_rptr(BootSignature), in, bs)) == NULL) {
154 ERR_print_errors(g_error);
164 * Validates the format of the boot signature block, and checks that
165 * the length in authenticated attributes matches the actual length of
167 * @param bs The boot signature block to validate
168 * @param length The actual length of the boot image without the signature
170 static int validate_signature_block(const BootSignature *bs, uint64_t length)
183 /* Confirm that formatVersion matches our supported version */
184 if (!BN_set_word(&expected, FORMAT_VERSION)) {
185 ERR_print_errors(g_error);
189 ASN1_INTEGER_to_BN(bs->formatVersion, &value);
191 if (BN_cmp(&expected, &value) != 0) {
192 printf("Unsupported signature version\n");
199 /* Confirm that the length of the image matches with the length in
200 the authenticated attributes */
201 length = htobe64(length);
202 BN_bin2bn((const unsigned char *) &length, sizeof(length), &expected);
204 ASN1_INTEGER_to_BN(bs->authenticatedAttributes->length, &value);
206 if (BN_cmp(&expected, &value) != 0) {
207 printf("Image length doesn't match signature attributes\n");
221 * Creates a SHA-256 hash from the boot image contents and the encoded
222 * authenticated attributes.
223 * @param fd File descriptor to the boot image
224 * @param length Length of the boot image without the signature block
225 * @param aa Pointer to AuthAttrs
226 * @param digest Pointer to a buffer where the hash is written
228 static int hash_image(int fd, uint64_t length, const AuthAttrs *aa,
229 unsigned char *digest)
231 EVP_MD_CTX *ctx = NULL;
235 unsigned char *attrs = NULL;
236 unsigned char *buffer = NULL;
237 unsigned char *p = NULL;
240 if (!aa || !digest) {
244 if ((buffer = malloc(BUFFER_SIZE)) == NULL) {
248 if (lseek64(fd, 0, SEEK_SET) != 0) {
252 if ((ctx = EVP_MD_CTX_create()) == NULL) {
253 ERR_print_errors(g_error);
257 EVP_DigestInit(ctx, EVP_sha256());
262 if ((length - total) < BUFFER_SIZE) {
263 bytes = length - total;
266 if ((bytes = read(fd, buffer, bytes)) == -1) {
267 printf("%s\n", strerror(errno));
271 EVP_DigestUpdate(ctx, buffer, bytes);
273 } while (total < length);
275 if ((bytes = i2d_AuthAttrs((AuthAttrs *) aa, NULL)) < 0) {
276 ERR_print_errors(g_error);
280 if ((attrs = OPENSSL_malloc(bytes)) == NULL) {
281 ERR_print_errors(g_error);
287 if (i2d_AuthAttrs((AuthAttrs *) aa, &p) < 0) {
288 ERR_print_errors(g_error);
292 EVP_DigestUpdate(ctx, attrs, bytes);
293 EVP_DigestFinal(ctx, digest, NULL);
303 EVP_MD_CTX_destroy(ctx);
314 * Verifies the RSA signature
315 * @param fd File descriptor to the boot image
316 * @param length Length of the boot image without the signature block
317 * @param bs The boot signature block
319 static int verify_signature(int fd, uint64_t length, const BootSignature *bs)
322 EVP_PKEY *pkey = NULL;
324 unsigned char digest[SHA256_DIGEST_LENGTH];
330 if (hash_image(fd, length, bs->authenticatedAttributes, digest) == -1) {
334 if ((pkey = X509_get_pubkey(bs->certificate)) == NULL) {
335 ERR_print_errors(g_error);
339 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
340 ERR_print_errors(g_error);
344 if (!RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,
345 bs->signature->data, bs->signature->length, rsa)) {
346 ERR_print_errors(g_error);
365 * Given the file name of a signed boot image, verifies the signature
366 * @param image_file Name of the boot image file
368 static int verify(const char *image_file)
370 BootSignature *bs = NULL;
379 if ((fd = open(image_file, O_RDONLY | O_LARGEFILE)) == -1) {
383 if (get_signature_offset(fd, &offset) == -1) {
387 if (read_signature(fd, offset, &bs) == -1) {
391 if (validate_signature_block(bs, offset) == -1) {
395 if (verify_signature(fd, offset, bs) == -1) {
399 printf("Signature is VALID\n");
404 BootSignature_free(bs);
416 printf("Usage: verify_boot_signature <path-to-boot-image>\n");
419 int main(int argc, char *argv[])
426 /* BIO descriptor for logging OpenSSL errors to stderr */
427 if ((g_error = BIO_new_fd(STDERR_FILENO, BIO_NOCLOSE)) == NULL) {
428 printf("Failed to allocate a BIO handle for error output\n");
432 ERR_load_crypto_strings();
434 return verify(argv[1]);