From 3bdaced140f89da12f97fc7c680cad89d3e35595 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Mon, 30 Oct 2023 22:32:48 +0900
Subject: [PATCH] [WIP] decode_payload: Skip over signature entries that cause errors

Either the printf escaping gives wrong binary data or the random dummy key signature is really broken for the oem-ami.gz 3745.1.0 amd64 payload.
The error reported is:
RSA operation error
007E9295D47F0000:error:02000084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:crypto/rsa/rsa_ossl.c:661:
007E9295D47F0000:error:1C880004:Provider routines:rsa_verify_recover:RSA lib:providers/implementations/signature/rsa_sig.c:748:
---
 decode_payload | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/decode_payload b/decode_payload
index 5b5745f..743ba2f 100755
--- a/decode_payload
+++ b/decode_payload
@@ -142,7 +142,7 @@ while IFS= read -r LINE; do
 "data:"*)
 SIGDATA=$(echo "${LINE}" | cut -d '"' -f 2- | head -c-2 | sed 's/%/%%/g')
 # This is a workaround for the dev-key vs prod-key case: sed '/signatures {/d' | sed '/ version: 2/d'
- SIGHEX=$(printf -- "${SIGDATA}" | sed '/signatures {/d' | sed '/ version: 2/d' | openssl rsautl -verify -pubin -inkey "${PUBKEY}" -raw | tail -c 32 | od -An -vtx1 -w1024 | tr -d ' ')
+ SIGHEX=$(printf -- "${SIGDATA}" | sed '/signatures {/d' | sed '/ version: 2/d' | openssl rsautl -verify -pubin -inkey "${PUBKEY}" -raw | tail -c 32 | od -An -vtx1 -w1024 | tr -d ' ' || true)
 # The raw output instead of asn1parse is used to easily extract the sha256 checksum (done by tail -c 32)
 # We also calculate the payload hash that the signature was done for, note that it's of course not the whole file but only up to the attached signature itself
 PAYLOADHASH=$(head -c "$((20 + MLEN + SIGOFFSET))" "${FILE}" | sha256sum | cut -d ' ' -f 1)
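Review bot: The `|| true` appended to the new `SIGHEX=` line only guards the exit status of the pipeline as a whole, which without `set -o pipefail` is that of the final `tr`, so unless pipefail is enabled earlier in the script (outside this hunk) an `openssl rsautl` failure was never what aborted the run, and with pipefail the guard silently converts a failed signature recovery into an empty `SIGHEX`. A malformed or forged signature entry then flows into the `PAYLOADHASH` comparison with no record of why it was skipped, which is the wrong default for a tool whose job is to check payload signatures. I would make the skip explicit and visible, e.g. `if [ -z "${SIGHEX}" ]; then echo "warning: could not recover digest from signature entry, skipping" >&2; fi` directly after the assignment, followed by whatever skip path the enclosing loop uses (the `while IFS= read -r LINE` body starts and ends outside the hunk). The commit message already suspects the `printf -- "${SIGDATA}"` reconstruction of the binary blob, and "data too large for modulus" is exactly what corrupted or over-long input bytes produce, so confirming that root cause seems preferable to hiding the error. Note also that `openssl rsautl` is deprecated in OpenSSL 3.x (the provider-based trace in the message comes from that version) in favour of `openssl pkeyutl -verifyrecover`.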