diff --git a/README.md b/README.md index 6ca2444..79b2155 100644 --- a/README.md +++ b/README.md @@ -426,6 +426,28 @@ avbroot ota extract \ --all ``` +### Signing with an external program + +avbroot supports delegating all RSA signing operations to an external program with the `--signing-helper` option. When using this option, the `--key-avb` and `--key-ota` options should be given a public key instead of a private key. + +For each signing operation, avbroot will invoke the program with: + +```bash + +``` + +The algorithm is one of `SHA{256,512}_RSA{2048,4096}` and the public key is what was passed to avbroot. The program can use the public key to find the corresponding private key (eg. on a hardware security module). avbroot will write the digest to be signed to `stdin` in PKCS#1 v1.5 encoding. The helper program is expected to write the raw signature to `stdout` with no special encoding. + +By default, this behavior is compatible with the `--signing_helper` option in AOSP's avbtool. However, avbroot additionally extends the arguments to support non-interactive use. If `--pass-{avb,ota}-file` or `--pass-{avb,ota}-env-var` are used, then the helper program will be invoked with two additional arguments that point to the password file or environment variable. + +```bash + file +# or + env +``` + +Note that avbroot will verify the signature returned by helper program against the public key. This ensures that the patching process will fail appropriately if the wrong private key was used. + ## Building from source Make sure the [Rust toolchain](https://www.rust-lang.org/) is installed. Then run: diff --git a/avbroot/src/cli/avb.rs b/avbroot/src/cli/avb.rs index c057273..3d34008 100644 --- a/avbroot/src/cli/avb.rs +++ b/avbroot/src/cli/avb.rs @@ -25,7 +25,7 @@ use serde::{Deserialize, Serialize}; use tracing::{debug_span, info, warn, Span}; use crate::{ - crypto::{self, PassphraseSource}, + crypto::{self, PassphraseSource, RsaSigningKey}, format::avb::{ self, AlgorithmType, AppendedDescriptorMut, AppendedDescriptorRef, Descriptor, Footer, HashTreeDescriptor, Header, KernelCmdlineDescriptor, @@ -383,12 +383,26 @@ fn sign_or_clear(info: &mut AvbInfo, orig_header: &Header, key_group: &KeyGroup) key_group.pass_file.as_deref(), key_group.pass_env_var.as_deref(), ); - let private_key = crypto::read_pem_key_file(key_path, &source) - .with_context(|| format!("Failed to load key: {key_path:?}"))?; + let signing_key = if let Some(helper) = &key_group.signing_helper { + let public_key = crypto::read_pem_public_key_file(key_path) + .with_context(|| format!("Failed to load key: {key_path:?}"))?; + + RsaSigningKey::External { + program: helper.clone(), + public_key_file: key_path.clone(), + public_key, + passphrase_source: source, + } + } else { + let private_key = crypto::read_pem_key_file(key_path, &source) + .with_context(|| format!("Failed to load key: {key_path:?}"))?; + + RsaSigningKey::Internal(private_key) + }; - info.header.set_algo_for_key(&private_key)?; + info.header.set_algo_for_key(&signing_key)?; info.header - .sign(&private_key) + .sign(&signing_key) .context("Failed to sign new AVB header")?; } SignAction::Clear => { @@ -743,12 +757,15 @@ struct DisplayGroup { #[derive(Debug, Args)] struct KeyGroup { - /// Path to private key for signing. + /// Path to signing key. /// - /// A private key is needed if packing an image where the original header + /// A signing key is needed if packing an image where the original header /// was signed and the header needs to be modified (eg. for a new checksum). - /// If the header was originally not signed, then the private key is not + /// If the header was originally not signed, then the signing key is not /// used, unless --force is specified. + /// + /// This should normally be a private key. However, if --signing-helper is + /// used, then it should be a public key instead. #[arg(short, long, value_name = "FILE", value_parser)] key: Option, @@ -768,6 +785,15 @@ struct KeyGroup { /// File containing private key passphrase. #[arg(long, value_name = "FILE", value_parser, group = "pass")] pass_file: Option, + + /// External program for signing. + /// + /// If this option is specified, then --key must refer to a public key. The + /// program will be invoked as: + /// + /// [file |env ] + #[arg(long, value_name = "PROGRAM", value_parser)] + signing_helper: Option, } /// Unpack an AVB image. diff --git a/avbroot/src/cli/ota.rs b/avbroot/src/cli/ota.rs index 3e9bee8..be7e7e3 100644 --- a/avbroot/src/cli/ota.rs +++ b/avbroot/src/cli/ota.rs @@ -21,7 +21,6 @@ use cap_std::{ambient_authority, fs::Dir}; use cap_tempfile::TempDir; use clap::{value_parser, ArgAction, Args, Parser, Subcommand}; use rayon::{iter::IntoParallelRefIterator, prelude::ParallelIterator}; -use rsa::RsaPrivateKey; use tempfile::NamedTempFile; use topological_sort::TopologicalSort; use tracing::{debug_span, info, warn}; @@ -30,7 +29,7 @@ use zip::{write::FileOptions, CompressionMethod, ZipArchive, ZipWriter}; use crate::{ cli, - crypto::{self, PassphraseSource}, + crypto::{self, PassphraseSource, RsaSigningKey}, format::{ avb::{self, Descriptor, Header}, ota::{self, SigningWriter, ZipEntry}, @@ -197,7 +196,7 @@ fn patch_boot_images<'a, 'b: 'a>( required_images: &'b RequiredImages, input_files: &mut HashMap, boot_patchers: Vec>, - key_avb: &RsaPrivateKey, + key_avb: &RsaSigningKey, cancel_signal: &AtomicBool, ) -> Result<()> { let input_files = Mutex::new(input_files); @@ -241,7 +240,7 @@ fn patch_system_image<'a, 'b: 'a>( required_images: &'b RequiredImages, input_files: &mut HashMap, cert_ota: &Certificate, - key_avb: &RsaPrivateKey, + key_avb: &RsaSigningKey, cancel_signal: &AtomicBool, ) -> Result<(&'b str, Vec>)> { let Some(target) = required_images.iter_system().next() else { @@ -565,7 +564,7 @@ fn update_vbmeta_headers( headers: &mut HashMap, order: &mut [(String, HashSet)], clear_vbmeta_flags: bool, - key: &RsaPrivateKey, + key: &RsaSigningKey, block_size: u64, ) -> Result<()> { for (name, deps) in order { @@ -722,8 +721,8 @@ fn patch_ota_payload( external_images: &HashMap, boot_patchers: Vec>, clear_vbmeta_flags: bool, - key_avb: &RsaPrivateKey, - key_ota: &RsaPrivateKey, + key_avb: &RsaSigningKey, + key_ota: &RsaSigningKey, cert_ota: &Certificate, cancel_signal: &AtomicBool, ) -> Result<(String, u64)> { @@ -916,8 +915,8 @@ fn patch_ota_zip( external_images: &HashMap, mut boot_patchers: Vec>, clear_vbmeta_flags: bool, - key_avb: &RsaPrivateKey, - key_ota: &RsaPrivateKey, + key_avb: &RsaSigningKey, + key_ota: &RsaSigningKey, cert_ota: &Certificate, cancel_signal: &AtomicBool, ) -> Result<(OtaMetadata, u64)> { @@ -1218,10 +1217,38 @@ pub fn patch_subcommand(cli: &PatchCli, cancel_signal: &AtomicBool) -> Result<() cli.pass_ota_env_var.as_deref(), ); - let key_avb = crypto::read_pem_key_file(&cli.key_avb, &source_avb) - .with_context(|| format!("Failed to load key: {:?}", cli.key_avb))?; - let key_ota = crypto::read_pem_key_file(&cli.key_ota, &source_ota) - .with_context(|| format!("Failed to load key: {:?}", cli.key_ota))?; + let (key_avb, key_ota) = if let Some(helper) = &cli.signing_helper { + let public_key_avb = crypto::read_pem_public_key_file(&cli.key_avb) + .with_context(|| format!("Failed to load key: {:?}", cli.key_avb))?; + let public_key_ota = crypto::read_pem_public_key_file(&cli.key_ota) + .with_context(|| format!("Failed to load key: {:?}", cli.key_ota))?; + + let key_avb = RsaSigningKey::External { + program: helper.clone(), + public_key_file: cli.key_avb.clone(), + public_key: public_key_avb, + passphrase_source: source_avb, + }; + let key_ota = RsaSigningKey::External { + program: helper.clone(), + public_key_file: cli.key_ota.clone(), + public_key: public_key_ota, + passphrase_source: source_ota, + }; + + (key_avb, key_ota) + } else { + let private_key_avb = crypto::read_pem_key_file(&cli.key_avb, &source_avb) + .with_context(|| format!("Failed to load key: {:?}", cli.key_avb))?; + let private_key_ota = crypto::read_pem_key_file(&cli.key_ota, &source_ota) + .with_context(|| format!("Failed to load key: {:?}", cli.key_ota))?; + + let key_avb = RsaSigningKey::Internal(private_key_avb); + let key_ota = RsaSigningKey::Internal(private_key_ota); + + (key_avb, key_ota) + }; + let cert_ota = crypto::read_pem_cert_file(&cli.cert_ota) .with_context(|| format!("Failed to load certificate: {:?}", cli.cert_ota))?; @@ -1748,7 +1775,10 @@ pub struct PatchCli { #[arg(short, long, value_name = "FILE", value_parser, help_heading = HEADING_PATH)] pub output: Option, - /// Private key for signing vbmeta images. + /// Signing key for vbmeta headers. + /// + /// This should normally be a private key. However, if --signing-helper is + /// used, then it should be a public key instead. #[arg( long, alias = "privkey-avb", @@ -1758,7 +1788,10 @@ pub struct PatchCli { )] pub key_avb: PathBuf, - /// Private key for signing the OTA. + /// Signing key for the OTA. + /// + /// This should normally be a private key. However, if --signing-helper is + /// used, then it should be a public key instead. #[arg( long, alias = "privkey-ota", @@ -1816,6 +1849,15 @@ pub struct PatchCli { )] pub pass_ota_file: Option, + /// External program for signing. + /// + /// If this option is specified, then --key-avb and --key-ota must refer to + /// public keys. The program will be invoked as: + /// + /// [file |env ] + #[arg(long, value_name = "PROGRAM", value_parser, help_heading = HEADING_KEY)] + pub signing_helper: Option, + /// Use partition image from a file instead of the original payload. #[arg( long, diff --git a/avbroot/src/crypto.rs b/avbroot/src/crypto.rs index ba16abf..f1fd3fc 100644 --- a/avbroot/src/crypto.rs +++ b/avbroot/src/crypto.rs @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023 Andrew Gunnerson + * SPDX-FileCopyrightText: 2023-2024 Andrew Gunnerson * SPDX-License-Identifier: GPL-3.0-only */ @@ -9,6 +9,7 @@ use std::{ fs::{self, File, OpenOptions}, io::{self, BufReader, BufWriter, Read, Write}, path::{Path, PathBuf}, + process::{Command, ExitStatus, Stdio}, time::Duration, }; @@ -22,12 +23,16 @@ use cms::{ }; use pkcs8::{ pkcs5::{pbes2, scrypt}, - DecodePrivateKey, EncodePrivateKey, EncodePublicKey, EncryptedPrivateKeyInfo, LineEnding, - PrivateKeyInfo, + DecodePrivateKey, DecodePublicKey, EncodePrivateKey, EncodePublicKey, EncryptedPrivateKeyInfo, + LineEnding, PrivateKeyInfo, }; use rand::RngCore; -use rsa::{pkcs1v15::SigningKey, Pkcs1v15Sign, RsaPrivateKey, RsaPublicKey}; -use sha2::Sha256; +use rsa::{ + pkcs1v15::SigningKey, traits::PublicKeyParts, Pkcs1v15Sign, RsaPrivateKey, RsaPublicKey, +}; +use serde::{Deserialize, Serialize}; +use sha1::Sha1; +use sha2::{Digest, Sha256, Sha512}; use thiserror::Error; use x509_cert::{ builder::{Builder, CertificateBuilder, Profile}, @@ -40,6 +45,20 @@ use x509_cert::{ #[derive(Debug, Error)] pub enum Error { + #[error("Signature algorithm not supported: {0:?}")] + UnsupportedAlgorithm(SignatureAlgorithm), + #[error("RSA key size ({}) not supported", .0 * 8)] + UnsupportedKey(usize), + #[error("Invalid digest length ({0} bytes) for {1:?}")] + InvalidDigestLength(usize, SignatureAlgorithm), + #[error("Invalid signature length ({0} bytes) for {1:?}")] + InvalidSignatureLength(usize, SignatureAlgorithm), + #[error("Failed to run command: {0}")] + CommandSpawnFailed(String, #[source] io::Error), + #[error("Command failed with status: {1}: {0}")] + CommandExecutionFailed(String, ExitStatus), + #[error("Signature from signing helper does not match public key: {0:?}")] + SigningHelperBadSignature(PathBuf), #[error("Passphrases do not match")] ConfirmPassphrase, #[error("Failed to read environment variable: {0:?}")] @@ -54,6 +73,10 @@ pub enum Error { SaveKeyEncrypted(#[source] pkcs8::Error), #[error("Failed to save unencrypted private key")] SaveKeyUnencrypted(#[source] pkcs8::Error), + #[error("Failed to RSA sign digest")] + RsaSign(#[source] rsa::Error), + #[error("Failed to RSA verify signature")] + RsaVerify(#[source] rsa::Error), #[error("X509 error")] X509(#[from] x509_cert::builder::Error), #[error("SPKI error")] @@ -68,6 +91,34 @@ pub enum Error { type Result = std::result::Result; +#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)] +pub enum SignatureAlgorithm { + Sha1WithRsa, + Sha256WithRsa, + Sha512WithRsa, +} + +impl SignatureAlgorithm { + /// Length of digest required by the signing algorithm. + pub fn digest_len(self) -> usize { + match self { + Self::Sha1WithRsa => Sha1::output_size(), + Self::Sha256WithRsa => Sha256::output_size(), + Self::Sha512WithRsa => Sha512::output_size(), + } + } + + /// Compute the digest of the specified data. + pub fn hash(self, data: &[u8]) -> Vec { + match self { + Self::Sha1WithRsa => Sha1::digest(data).to_vec(), + Self::Sha256WithRsa => Sha256::digest(data).to_vec(), + Self::Sha512WithRsa => Sha512::digest(data).to_vec(), + } + } +} + +#[derive(Clone)] pub enum PassphraseSource { Prompt(String), EnvVar(OsString), @@ -110,6 +161,169 @@ impl PassphraseSource { } } +fn check_key_size(size: usize) -> Result<()> { + // RustCrypto does not support 8192-bit keys. + if size > 4096 / 8 { + return Err(Error::UnsupportedKey(size)); + } + + Ok(()) +} + +#[derive(Clone)] +pub enum RsaSigningKey { + Internal(RsaPrivateKey), + External { + program: PathBuf, + public_key_file: PathBuf, + public_key: RsaPublicKey, + passphrase_source: PassphraseSource, + }, +} + +impl RsaSigningKey { + /// Size of key in bytes. + pub fn size(&self) -> usize { + match self { + Self::Internal(key) => key.size(), + Self::External { public_key, .. } => public_key.size(), + } + } + + /// Get the public key portion of the signing key. + pub fn to_public_key(&self) -> RsaPublicKey { + match self { + RsaSigningKey::Internal(key) => key.to_public_key(), + RsaSigningKey::External { public_key, .. } => public_key.clone(), + } + } + + /// Sign the digest with the specified signature algorithm. + pub fn sign(&self, algo: SignatureAlgorithm, digest: &[u8]) -> Result> { + if digest.len() != algo.digest_len() { + return Err(Error::InvalidDigestLength(digest.len(), algo)); + } + + check_key_size(self.size())?; + + match self { + Self::Internal(key) => { + match algo { + // We don't support signing with insecure algorithms. + SignatureAlgorithm::Sha1WithRsa => Err(Error::UnsupportedAlgorithm(algo)), + SignatureAlgorithm::Sha256WithRsa => { + let scheme = Pkcs1v15Sign::new::(); + Ok(key.sign(scheme, digest).map_err(Error::RsaSign)?) + } + SignatureAlgorithm::Sha512WithRsa => { + let scheme = Pkcs1v15Sign::new::(); + Ok(key.sign(scheme, digest).map_err(Error::RsaSign)?) + } + } + } + Self::External { + program, + public_key, + public_key_file, + passphrase_source, + } => { + let key_size = public_key.size(); + let algo_str = match algo { + // We don't support signing with insecure algorithms. + SignatureAlgorithm::Sha1WithRsa => { + return Err(Error::UnsupportedAlgorithm(algo)) + } + SignatureAlgorithm::Sha256WithRsa => format!("SHA256_RSA{key_size}"), + SignatureAlgorithm::Sha512WithRsa => format!("SHA512_RSA{key_size}"), + }; + + let mut command = Command::new(program); + command.arg(algo_str); + command.arg(public_key_file); + + match passphrase_source { + PassphraseSource::Prompt(_) => {} + PassphraseSource::EnvVar(v) => { + command.arg("env"); + command.arg(v); + } + PassphraseSource::File(p) => { + command.arg("file"); + command.arg(p); + } + } + + command.stdin(Stdio::piped()); + command.stdout(Stdio::piped()); + command.stderr(Stdio::inherit()); + + let mut child = command + .spawn() + .map_err(|e| Error::CommandSpawnFailed(format!("{command:?}"), e))?; + + // We don't bother with spawning a thread. The pipe capacity on + // all major OSs is significantly larger than the digest, so we + // don't risk deadlocking even if the process doesn't read from + // stdin. + // + // Pipe capacities: + // * Linux: 64 KiB + // * macOS: 4 KiB, 16 KiB (usually), or 64 KiB + // * Windows: 4 KiB + child.stdin.as_mut().unwrap().write_all(digest)?; + + let child = child.wait_with_output()?; + + if !child.status.success() { + return Err(Error::CommandExecutionFailed( + format!("{command:?}"), + child.status, + )); + } else if child.stdout.len() != self.size() { + return Err(Error::InvalidSignatureLength(child.stdout.len(), algo)); + } + + // Check that the helper signed with the proper key. + if let Err(e) = self.to_public_key().verify_sig(algo, digest, &child.stdout) { + return match e { + Error::RsaVerify(_) => { + Err(Error::SigningHelperBadSignature(public_key_file.clone())) + } + e => Err(e), + }; + } + + Ok(child.stdout) + } + } + } +} + +pub trait RsaPublicKeyExt { + fn verify_sig(&self, algo: SignatureAlgorithm, digest: &[u8], signature: &[u8]) -> Result<()>; +} + +impl RsaPublicKeyExt for RsaPublicKey { + /// Verify the signature against the specified key. + fn verify_sig(&self, algo: SignatureAlgorithm, digest: &[u8], signature: &[u8]) -> Result<()> { + // Check this explicitly so we can provide a better error message. + if digest.len() != algo.digest_len() { + return Err(Error::InvalidDigestLength(digest.len(), algo)); + } + + check_key_size(self.size())?; + + let scheme = match algo { + SignatureAlgorithm::Sha1WithRsa => Pkcs1v15Sign::new::(), + SignatureAlgorithm::Sha256WithRsa => Pkcs1v15Sign::new::(), + SignatureAlgorithm::Sha512WithRsa => Pkcs1v15Sign::new::(), + }; + + self.verify(scheme, digest, signature) + .map_err(Error::RsaVerify) + } +} + /// Generate an 4096-bit RSA key pair. pub fn generate_rsa_key_pair() -> Result { let mut rng = rand::thread_rng(); @@ -228,6 +442,16 @@ pub fn write_pem_cert_file(path: &Path, cert: &Certificate) -> Result<()> { write_pem_cert(writer, cert) } +/// Read PEM-encoded PKCS8 public key from a reader. +pub fn read_pem_public_key(mut reader: impl Read) -> Result { + let mut data = String::new(); + reader.read_to_string(&mut data)?; + + let key = RsaPublicKey::from_public_key_pem(&data)?; + + Ok(key) +} + /// Write PEM-encoded PKCS8 public key to a writer. pub fn write_pem_public_key(mut writer: impl Write, key: &RsaPublicKey) -> Result<()> { let data = key.to_public_key_pem(LineEnding::LF)?; @@ -237,6 +461,14 @@ pub fn write_pem_public_key(mut writer: impl Write, key: &RsaPublicKey) -> Resul Ok(()) } +/// Read PEM-encoded PKCS8 public key from a file. +pub fn read_pem_public_key_file(path: &Path) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + + read_pem_public_key(reader) +} + /// Write PEM-encoded PKCS8 public key to a file. pub fn write_pem_public_key_file(path: &Path, key: &RsaPublicKey) -> Result<()> { let file = File::create(path)?; @@ -351,7 +583,7 @@ pub fn get_public_key(cert: &Certificate) -> Result { } /// Check if a certificate matches a private key. -pub fn cert_matches_key(cert: &Certificate, key: &RsaPrivateKey) -> Result { +pub fn cert_matches_key(cert: &Certificate, key: &RsaSigningKey) -> Result { let public_key = get_public_key(cert)?; Ok(key.to_public_key() == public_key) @@ -389,12 +621,11 @@ pub fn get_cms_certs(sd: &SignedData) -> Vec { /// a transport mechanism for a raw signature. Thus, we need to ensure that the /// signature covers nothing but the raw data. pub fn cms_sign_external( - key: &RsaPrivateKey, + key: &RsaSigningKey, cert: &Certificate, digest: &[u8], ) -> Result { - let scheme = Pkcs1v15Sign::new::(); - let signature = key.sign(scheme, digest)?; + let signature = key.sign(SignatureAlgorithm::Sha256WithRsa, digest)?; let digest_algorithm = AlgorithmIdentifierOwned { oid: const_oid::db::rfc5912::ID_SHA_256, diff --git a/avbroot/src/format/avb.rs b/avbroot/src/format/avb.rs index 814e393..1082742 100644 --- a/avbroot/src/format/avb.rs +++ b/avbroot/src/format/avb.rs @@ -16,12 +16,12 @@ use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt}; use num_bigint_dig::{ModInverse, ToBigInt}; use num_traits::{Pow, ToPrimitive}; use ring::digest::{Algorithm, Context}; -use rsa::{traits::PublicKeyParts, BigUint, Pkcs1v15Sign, RsaPrivateKey, RsaPublicKey}; +use rsa::{traits::PublicKeyParts, BigUint, RsaPublicKey}; use serde::{Deserialize, Serialize}; -use sha2::{Digest, Sha256, Sha512}; use thiserror::Error; use crate::{ + crypto::{self, RsaPublicKeyExt, RsaSigningKey, SignatureAlgorithm}, escape, format::{ fec::{self, Fec}, @@ -103,12 +103,9 @@ pub enum Error { UnsupportedAlgorithm(AlgorithmType), #[error("Hashing algorithm not supported: {0:?}")] UnsupportedHashAlgorithm(String), - #[error("Incorrect key size ({key_size} bytes) for algorithm {algo:?} ({} bytes)", algo.public_key_len())] - IncorrectKeySize { - key_size: usize, - algo: AlgorithmType, - }, - #[error("RSA key size (0) is not compatible with any AVB signing algorithm")] + #[error("Incorrect key size ({}) for algorithm {1:?}", .0 * 8)] + IncorrectKeySize(usize, AlgorithmType), + #[error("RSA key size ({}) is not compatible with any AVB signing algorithm", .0 * 8)] UnsupportedKey(usize), #[error("Hash tree does not immediately follow image data")] HashTreeGap, @@ -120,18 +117,18 @@ pub enum Error { MismatchedFecBlockSizes { data: u32, hash: u32 }, #[error("Must have exactly one hash or hash tree descriptor")] NoAppendedDescriptor, - #[error("Failed to RSA sign digest")] - RsaSign(#[source] rsa::Error), - #[error("Failed to RSA verify signature")] - RsaVerify(#[source] rsa::Error), #[error("{0} byte image size is too small to fit header")] TooSmallForHeader(u64), #[error("{0} byte image size is too small to fit footer")] TooSmallForFooter(u64), + #[error("Crypto error")] + Crypto(#[from] crypto::Error), #[error("Hash tree error")] HashTree(#[from] hashtree::Error), #[error("FEC error")] Fec(#[from] fec::Error), + #[error("RSA error")] + Rsa(#[from] rsa::Error), #[error("I/O error")] Io(#[from] io::Error), } @@ -156,6 +153,7 @@ pub enum AlgorithmType { Sha512Rsa2048, Sha512Rsa4096, Sha512Rsa8192, + #[serde(untagged)] Unknown(u32), } @@ -186,18 +184,24 @@ impl AlgorithmType { } } - pub fn hash_len(self) -> usize { + pub fn to_digest_algorithm(self) -> Option { match self { - Self::None | Self::Unknown(_) => 0, Self::Sha256Rsa2048 | Self::Sha256Rsa4096 | Self::Sha256Rsa8192 => { - Sha256::output_size() + Some(SignatureAlgorithm::Sha256WithRsa) } Self::Sha512Rsa2048 | Self::Sha512Rsa4096 | Self::Sha512Rsa8192 => { - Sha512::output_size() + Some(SignatureAlgorithm::Sha512WithRsa) } + _ => None, } } + pub fn digest_len(self) -> usize { + self.to_digest_algorithm() + .map(|a| a.digest_len()) + .unwrap_or_default() + } + pub fn signature_len(self) -> usize { match self { Self::None | Self::Unknown(_) => 0, @@ -217,47 +221,36 @@ impl AlgorithmType { } pub fn hash(self, data: &[u8]) -> Vec { - match self { - Self::None | Self::Unknown(_) => vec![], - Self::Sha256Rsa2048 | Self::Sha256Rsa4096 | Self::Sha256Rsa8192 => { - Sha256::digest(data).to_vec() - } - Self::Sha512Rsa2048 | Self::Sha512Rsa4096 | Self::Sha512Rsa8192 => { - Sha512::digest(data).to_vec() - } - } + let Some(algo) = self.to_digest_algorithm() else { + return vec![]; + }; + + algo.hash(data) } - pub fn sign(self, key: &RsaPrivateKey, digest: &[u8]) -> Result> { - match self { - Self::None => Ok(vec![]), - Self::Unknown(_) => Err(Error::UnsupportedAlgorithm(self)), - Self::Sha256Rsa2048 | Self::Sha256Rsa4096 | Self::Sha256Rsa8192 => { - let scheme = Pkcs1v15Sign::new::(); - Ok(key.sign(scheme, digest).map_err(Error::RsaSign)?) - } - Self::Sha512Rsa2048 | Self::Sha512Rsa4096 | Self::Sha512Rsa8192 => { - let scheme = Pkcs1v15Sign::new::(); - Ok(key.sign(scheme, digest).map_err(Error::RsaSign)?) - } - } + pub fn sign(self, key: &RsaSigningKey, digest: &[u8]) -> Result> { + let Some(algo) = self.to_digest_algorithm() else { + return if self == Self::None { + Ok(vec![]) + } else { + Err(Error::UnsupportedAlgorithm(self)) + }; + }; + + key.sign(algo, digest).map_err(|e| e.into()) } pub fn verify(self, key: &RsaPublicKey, digest: &[u8], signature: &[u8]) -> Result<()> { - match self { - Self::None => Ok(()), - Self::Unknown(_) => Err(Error::UnsupportedAlgorithm(self)), - Self::Sha256Rsa2048 | Self::Sha256Rsa4096 | Self::Sha256Rsa8192 => { - let scheme = Pkcs1v15Sign::new::(); - key.verify(scheme, digest, signature) - .map_err(Error::RsaVerify) - } - Self::Sha512Rsa2048 | Self::Sha512Rsa4096 | Self::Sha512Rsa8192 => { - let scheme = Pkcs1v15Sign::new::(); - key.verify(scheme, digest, signature) - .map_err(Error::RsaVerify) - } - } + let Some(algo) = self.to_digest_algorithm() else { + return if self == Self::None { + Ok(()) + } else { + Err(Error::UnsupportedAlgorithm(self)) + }; + }; + + key.verify_sig(algo, digest, signature) + .map_err(|e| e.into()) } } @@ -1459,7 +1452,7 @@ impl Header { result.ok_or(Error::NoAppendedDescriptor) } - pub fn set_algo_for_key(&mut self, key: &RsaPrivateKey) -> Result<()> { + pub fn set_algo_for_key(&mut self, key: &RsaSigningKey) -> Result<()> { let key_raw = encode_public_key(&key.to_public_key())?; for algo in [AlgorithmType::Sha256Rsa2048, AlgorithmType::Sha256Rsa4096] { @@ -1479,30 +1472,17 @@ impl Header { self.public_key_metadata.clear(); } - pub fn sign(&mut self, key: &RsaPrivateKey) -> Result<()> { + pub fn sign(&mut self, key: &RsaSigningKey) -> Result<()> { let key_raw = encode_public_key(&key.to_public_key())?; - // RustCrypto does not support 8192-bit keys. - match self.algorithm_type { - AlgorithmType::Sha256Rsa8192 - | AlgorithmType::Sha512Rsa8192 - | AlgorithmType::Unknown(_) => { - return Err(Error::UnsupportedAlgorithm(self.algorithm_type)); - } - _ => {} - } - if key_raw.len() != self.algorithm_type.public_key_len() { - return Err(Error::IncorrectKeySize { - key_size: key_raw.len(), - algo: self.algorithm_type, - }); + return Err(Error::IncorrectKeySize(key.size(), self.algorithm_type)); } // The public key and the sizes of the hash and signature are included // in the data that's about to be signed. self.public_key = key_raw; - self.hash.resize(self.algorithm_type.hash_len(), 0); + self.hash.resize(self.algorithm_type.digest_len(), 0); self.signature .resize(self.algorithm_type.signature_len(), 0); @@ -1523,18 +1503,16 @@ impl Header { /// and return the public key. If the header is not signed, then `None` is /// returned. pub fn verify(&self) -> Result> { - // RustCrypto does not support 8192-bit keys. - match self.algorithm_type { - AlgorithmType::None => return Ok(None), - a @ AlgorithmType::Sha256Rsa8192 - | a @ AlgorithmType::Sha512Rsa8192 - | a @ AlgorithmType::Unknown(_) => return Err(Error::UnsupportedAlgorithm(a)), - _ => {} - } - // Reconstruct the public key. let public_key = decode_public_key(&self.public_key)?; + if self.public_key.len() != self.algorithm_type.public_key_len() { + return Err(Error::IncorrectKeySize( + public_key.size(), + self.algorithm_type, + )); + } + let mut without_auth_writer = Cursor::new(Vec::new()); self.to_writer_internal(&mut without_auth_writer, true)?; let without_auth = without_auth_writer.into_inner(); @@ -1823,8 +1801,7 @@ pub fn decode_public_key(data: &[u8]) -> Result { reader.read_exact(&mut modulus_raw)?; let modulus = BigUint::from_bytes_be(&modulus_raw); - let public_key = - RsaPublicKey::new(modulus, BigUint::from(65537u32)).map_err(Error::RsaVerify)?; + let public_key = RsaPublicKey::new(modulus, BigUint::from(65537u32))?; Ok(public_key) } diff --git a/avbroot/src/format/bootimage.rs b/avbroot/src/format/bootimage.rs index e68c60e..39afcca 100644 --- a/avbroot/src/format/bootimage.rs +++ b/avbroot/src/format/bootimage.rs @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023 Andrew Gunnerson + * SPDX-FileCopyrightText: 2023-2024 Andrew Gunnerson * SPDX-License-Identifier: GPL-3.0-only */ @@ -12,11 +12,11 @@ use std::{ use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; use num_traits::ToPrimitive; use ring::digest::Context; -use rsa::RsaPrivateKey; use serde::{Deserialize, Serialize}; use thiserror::Error; use crate::{ + crypto::RsaSigningKey, format::{ avb::{self, Descriptor, Header}, padding, @@ -765,7 +765,7 @@ impl BootImageV3Through4 { /// Sign the boot image with a legacy VTS signature. Returns true if the /// image was successfully signed. Returns false if there's no vbmeta /// structure to sign in [`V4Extra::signature`]. - pub fn sign(&mut self, key: &RsaPrivateKey) -> Result { + pub fn sign(&mut self, key: &RsaSigningKey) -> Result { let mut context = Context::new(&ring::digest::SHA256); let image_size; diff --git a/avbroot/src/format/ota.rs b/avbroot/src/format/ota.rs index 5bdd775..0498168 100644 --- a/avbroot/src/format/ota.rs +++ b/avbroot/src/format/ota.rs @@ -15,15 +15,12 @@ use const_oid::{db::rfc5912, ObjectIdentifier}; use memchr::memmem; use prost::Message; use ring::digest::Context; -use rsa::{Pkcs1v15Sign, RsaPrivateKey}; -use sha1::Sha1; -use sha2::Sha256; use thiserror::Error; use x509_cert::{der::Encode, Certificate}; use zip::{result::ZipError, write::FileOptions, CompressionMethod, ZipArchive, ZipWriter}; use crate::{ - crypto, + crypto::{self, RsaPublicKeyExt, RsaSigningKey, SignatureAlgorithm}, format::payload::{self, PayloadHeader}, protobuf::build::tools::releasetools::{ota_metadata::OtaType, OtaMetadata}, stream::{self, FromReader, HashingReader, HashingWriter}, @@ -88,8 +85,6 @@ pub enum Error { Spki(#[from] pkcs8::spki::Error), #[error("x509 DER error")] Der(#[from] x509_cert::der::Error), - #[error("RSA error")] - Rsa(#[from] rsa::Error), #[error("Zip error")] Zip(#[from] ZipError), #[error("I/O error")] @@ -586,12 +581,12 @@ pub fn verify_ota(mut reader: impl Read + Seek, cancel_signal: &AtomicBool) -> R reader.seek(SeekFrom::Start(0))?; // We support SHA1 for verification only. - let (algorithm, scheme) = if signer.digest_alg.oid == rfc5912::ID_SHA_256 { - (&ring::digest::SHA256, Pkcs1v15Sign::new::()) + let (algorithm, algo) = if signer.digest_alg.oid == rfc5912::ID_SHA_256 { + (&ring::digest::SHA256, SignatureAlgorithm::Sha256WithRsa) } else { ( &ring::digest::SHA1_FOR_LEGACY_USE_ONLY, - Pkcs1v15Sign::new::(), + SignatureAlgorithm::Sha1WithRsa, ) }; @@ -603,7 +598,7 @@ pub fn verify_ota(mut reader: impl Read + Seek, cancel_signal: &AtomicBool) -> R let digest = context.finish(); // Verify the signature against the public key. - public_key.verify(scheme, digest.as_ref(), signer.signature.as_bytes())?; + public_key.verify_sig(algo, digest.as_ref(), signer.signature.as_bytes())?; Ok(cert.clone()) } @@ -661,7 +656,7 @@ impl SigningWriter { } } - pub fn finish(mut self, key: &RsaPrivateKey, cert: &Certificate) -> Result { + pub fn finish(mut self, key: &RsaSigningKey, cert: &Certificate) -> Result { if self.used < self.queue.len() { return Err( io::Error::new(io::ErrorKind::InvalidData, "Too small to contain EOCD").into(), diff --git a/avbroot/src/format/payload.rs b/avbroot/src/format/payload.rs index c5eb050..0d39ecc 100644 --- a/avbroot/src/format/payload.rs +++ b/avbroot/src/format/payload.rs @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2023 Andrew Gunnerson + * SPDX-FileCopyrightText: 2022-2024 Andrew Gunnerson * SPDX-License-Identifier: GPL-3.0-only */ @@ -26,13 +26,11 @@ use rayon::{ prelude::{IntoParallelIterator, IntoParallelRefIterator, ParallelIterator}, }; use ring::digest::{Context, Digest}; -use rsa::{traits::PublicKeyParts, Pkcs1v15Sign, RsaPrivateKey}; -use sha2::Sha256; use thiserror::Error; use x509_cert::Certificate; use crate::{ - crypto, + crypto::{self, RsaPublicKeyExt, RsaSigningKey, SignatureAlgorithm}, protobuf::chromeos_update_engine::{ install_operation::Type, signatures::Signature, DeltaArchiveManifest, Extent, InstallOperation, PartitionInfo, PartitionUpdate, Signatures, @@ -100,8 +98,6 @@ pub enum Error { ProtobufDecode(#[from] prost::DecodeError), #[error("XZ stream error")] XzStream(#[from] liblzma::stream::Error), - #[error("RSA error")] - Rsa(#[from] rsa::Error), #[error("I/O error")] Io(#[from] io::Error), } @@ -175,9 +171,8 @@ impl FromReader for PayloadHeader { /// Sign `digest` with `key` and return a [`Signatures`] protobuf struct with /// the signature padded to the maximum size. -fn sign_digest(digest: &[u8], key: &RsaPrivateKey) -> Result { - let scheme = Pkcs1v15Sign::new::(); - let mut digest_signed = key.sign(scheme, digest)?; +fn sign_digest(digest: &[u8], key: &RsaSigningKey) -> Result { + let mut digest_signed = key.sign(SignatureAlgorithm::Sha256WithRsa, digest)?; assert!( digest_signed.len() <= key.size(), "Signature exceeds maximum size", @@ -214,8 +209,7 @@ fn verify_digest(digest: &[u8], signatures: &Signatures, cert: &Certificate) -> }; let without_padding = &data[..size as usize]; - let scheme = Pkcs1v15Sign::new::(); - match public_key.verify(scheme, digest, without_padding) { + match public_key.verify_sig(SignatureAlgorithm::Sha256WithRsa, digest, without_padding) { Ok(_) => return Ok(()), Err(e) => last_error = Some(e), } @@ -292,7 +286,7 @@ pub struct PayloadWriter { h_partial: Context, /// Includes signatures (hashes are for properties file). h_full: Context, - key: RsaPrivateKey, + key: RsaSigningKey, } /// Write data to a writer and one or more hashers. @@ -315,7 +309,7 @@ impl PayloadWriter { /// fields are ignored and internally recomputed to guarantee that there are /// no gaps. All partitions' install operation data is written to the blob /// section in order. - pub fn new(mut inner: W, mut header: PayloadHeader, key: RsaPrivateKey) -> Result { + pub fn new(mut inner: W, mut header: PayloadHeader, key: RsaSigningKey) -> Result { let mut blob_size = 0; // The blob must contain all data in sequential order with no gaps. diff --git a/avbroot/src/patch/boot.rs b/avbroot/src/patch/boot.rs index a811255..ca7a732 100644 --- a/avbroot/src/patch/boot.rs +++ b/avbroot/src/patch/boot.rs @@ -23,14 +23,14 @@ use liblzma::{ use rayon::iter::{IntoParallelRefIterator, IntoParallelRefMutIterator, ParallelIterator}; use regex::bytes::Regex; use ring::digest::Context; -use rsa::{RsaPrivateKey, RsaPublicKey}; +use rsa::RsaPublicKey; use thiserror::Error; use tracing::{debug, debug_span, trace, warn, Span}; use x509_cert::Certificate; use zip::{result::ZipError, ZipArchive}; use crate::{ - crypto, + crypto::{self, RsaSigningKey}, format::{ avb::{self, AppendedDescriptorMut, Footer, Header}, bootimage::{self, BootImage, BootImageExt, RamdiskMeta}, @@ -1122,7 +1122,7 @@ pub fn patch_boot_images<'a>( names: &[&'a str], open_input: impl Fn(&str) -> io::Result> + Sync, open_output: impl Fn(&str) -> io::Result> + Sync, - key: &RsaPrivateKey, + key: &RsaSigningKey, patchers: &[Box], cancel_signal: &AtomicBool, ) -> Result> { diff --git a/avbroot/src/patch/system.rs b/avbroot/src/patch/system.rs index 3811332..a8bd49c 100644 --- a/avbroot/src/patch/system.rs +++ b/avbroot/src/patch/system.rs @@ -11,13 +11,13 @@ use std::{ use memchr::memmem; use rayon::iter::{IntoParallelIterator, ParallelIterator}; -use rsa::RsaPrivateKey; use thiserror::Error; use tracing::{debug, debug_span, trace, Span}; use x509_cert::Certificate; use zip::ZipArchive; use crate::{ + crypto::RsaSigningKey, format::{ avb::{self, AppendedDescriptorMut, Footer}, ota, @@ -111,7 +111,7 @@ pub fn patch_system_image( input: &(dyn ReadSeekReopen + Sync), output: &(dyn WriteSeekReopen + Sync), certificate: &Certificate, - key: &RsaPrivateKey, + key: &RsaSigningKey, cancel_signal: &AtomicBool, ) -> Result<(Vec>, Vec>)> { // This must be a multiple of normal filesystem block sizes (eg. 4 KiB). diff --git a/avbroot/tests/avb.rs b/avbroot/tests/avb.rs index 2d27bdb..35a8dde 100644 --- a/avbroot/tests/avb.rs +++ b/avbroot/tests/avb.rs @@ -14,6 +14,7 @@ use rsa::RsaPrivateKey; use avbroot::{ self, + crypto::RsaSigningKey, format::avb::{ self, AlgorithmType, AppendedDescriptorMut, AppendedDescriptorRef, ChainPartitionDescriptor, Descriptor, Footer, HashDescriptor, HashTreeDescriptor, Header, @@ -22,7 +23,7 @@ use avbroot::{ stream::SharedCursor, }; -fn get_test_key() -> RsaPrivateKey { +fn get_test_key() -> RsaSigningKey { let data = include_str!(concat!( env!("CARGO_WORKSPACE_DIR"), "/e2e/keys/TEST_KEY_DO_NOT_USE_avb.key", @@ -32,7 +33,8 @@ fn get_test_key() -> RsaPrivateKey { "/e2e/keys/TEST_KEY_DO_NOT_USE_avb.passphrase", )); - RsaPrivateKey::from_pkcs8_encrypted_pem(data, passphrase.trim_end()).unwrap() + let key = RsaPrivateKey::from_pkcs8_encrypted_pem(data, passphrase.trim_end()).unwrap(); + RsaSigningKey::Internal(key) } fn repeat_str(s: &str, max_len: usize) -> String { diff --git a/avbroot/tests/bootimage.rs b/avbroot/tests/bootimage.rs index ce0ffea..cea6be5 100644 --- a/avbroot/tests/bootimage.rs +++ b/avbroot/tests/bootimage.rs @@ -7,6 +7,7 @@ use std::io::Cursor; use avbroot::{ self, + crypto::RsaSigningKey, format::{ avb::{AlgorithmType, Descriptor, HashDescriptor, Header}, bootimage::{ @@ -19,7 +20,7 @@ use avbroot::{ use pkcs8::DecodePrivateKey; use rsa::RsaPrivateKey; -fn get_test_key() -> RsaPrivateKey { +fn get_test_key() -> RsaSigningKey { let data = include_str!(concat!( env!("CARGO_WORKSPACE_DIR"), "/e2e/keys/TEST_KEY_DO_NOT_USE_avb.key", @@ -29,7 +30,8 @@ fn get_test_key() -> RsaPrivateKey { "/e2e/keys/TEST_KEY_DO_NOT_USE_avb.passphrase", )); - RsaPrivateKey::from_pkcs8_encrypted_pem(data, passphrase.trim_end()).unwrap() + let key = RsaPrivateKey::from_pkcs8_encrypted_pem(data, passphrase.trim_end()).unwrap(); + RsaSigningKey::Internal(key) } fn repeat(s: &str, max_len: usize) -> String { diff --git a/e2e/src/main.rs b/e2e/src/main.rs index 2cb4167..aef92f7 100644 --- a/e2e/src/main.rs +++ b/e2e/src/main.rs @@ -22,7 +22,7 @@ use std::{ use anyhow::{anyhow, bail, Context, Result}; use avbroot::{ cli::ota::{ExtractCli, PatchCli, VerifyCli}, - crypto::{self, PassphraseSource}, + crypto::{self, PassphraseSource, RsaSigningKey}, format::{ avb::{ self, AlgorithmType, ChainPartitionDescriptor, Descriptor, Footer, HashDescriptor, @@ -48,7 +48,6 @@ use avbroot::{ stream::{self, CountingWriter, HashingReader, PSeekFile, Reopen, ToWriter}, }; use clap::Parser; -use rsa::RsaPrivateKey; use tempfile::{NamedTempFile, TempDir}; use topological_sort::TopologicalSort; use tracing::{info, info_span}; @@ -100,7 +99,7 @@ fn append_avb( avb: &Avb, hash_tree: bool, ota_info: &OtaInfo, - key_avb: &RsaPrivateKey, + key_avb: &RsaSigningKey, cancel_signal: &AtomicBool, ) -> Result<()> { let image_size = file.seek(SeekFrom::End(0))?; @@ -298,7 +297,7 @@ fn create_boot_image( avb: &Avb, boot_data: &BootData, ota_info: &OtaInfo, - key_avb: &RsaPrivateKey, + key_avb: &RsaSigningKey, cert_ota: &Certificate, cancel_signal: &AtomicBool, ) -> Result<()> { @@ -425,7 +424,7 @@ fn create_dm_verity_image( avb: &Avb, dm_verity_data: &DmVerityData, ota_info: &OtaInfo, - key_avb: &RsaPrivateKey, + key_avb: &RsaSigningKey, cert_ota: &Certificate, cancel_signal: &AtomicBool, ) -> Result<()> { @@ -454,7 +453,7 @@ fn create_vbmeta_image( avb: &Avb, vbmeta_data: &VbmetaData, inputs: &BTreeMap, - key: &RsaPrivateKey, + key: &RsaSigningKey, ) -> Result<()> { let mut descriptors = Vec::new(); @@ -506,7 +505,7 @@ fn create_vbmeta_image( fn create_partition_images( partitions: &BTreeMap, ota_info: &OtaInfo, - key_avb: &RsaPrivateKey, + key_avb: &RsaSigningKey, cert_ota: &Certificate, cancel_signal: &AtomicBool, ) -> Result> { @@ -576,7 +575,7 @@ fn create_payload( partitions: &BTreeMap, inputs: &BTreeMap, ota_info: &OtaInfo, - key_ota: &RsaPrivateKey, + key_ota: &RsaSigningKey, cancel_signal: &AtomicBool, ) -> Result<(String, u64)> { let dynamic_partitions_names = partitions @@ -698,8 +697,8 @@ fn create_ota( output: &Path, ota_info: &OtaInfo, profile: &Profile, - key_avb: &RsaPrivateKey, - key_ota: &RsaPrivateKey, + key_avb: &RsaSigningKey, + key_ota: &RsaSigningKey, cert_ota: &Certificate, cancel_signal: &AtomicBool, ) -> Result<()> { @@ -850,8 +849,8 @@ fn create_fake_magisk(output: &Path) -> Result<()> { } struct KeySet { - avb_key: RsaPrivateKey, - ota_key: RsaPrivateKey, + avb_key: RsaSigningKey, + ota_key: RsaSigningKey, ota_cert: Certificate, avb_key_file: NamedTempFile, avb_pass_file: NamedTempFile, @@ -935,12 +934,14 @@ impl KeySet { avb_key_file.path(), &PassphraseSource::File(avb_pass_file.path().to_owned()), ) + .map(RsaSigningKey::Internal) .context("Failed to load AVB test key")?; let ota_key = crypto::read_pem_key_file( ota_key_file.path(), &PassphraseSource::File(ota_pass_file.path().to_owned()), ) + .map(RsaSigningKey::Internal) .context("Failed to load OTA test key")?; let ota_cert = crypto::read_pem_cert_file(ota_cert_file.path())