From 825669802315fe11508f0e962490b77cfdfc6184 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Wed, 10 Oct 2018 15:44:17 -0700 Subject: Add function to load the key from x509.pem file We used to convert a pem certificate file to some intermediate plain text format; and parse that format under recovery mode. This is uncessary since the x509.pem can be directly parsed with openssl functions. Add the function to load the public key from one x509.pem file and corresponding unit tests. And we will add more cls to extract the pem files from otacert.zip later. Bug: 116655889 Test: verify package with 5 supported certficate versions Change-Id: Ibc6c696c534567f005db75143cc4ef8d4bdea6a0 --- verifier.cpp | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) (limited to 'verifier.cpp') diff --git a/verifier.cpp b/verifier.cpp index 283e04300..1dc52a0ef 100644 --- a/verifier.cpp +++ b/verifier.cpp @@ -27,9 +27,13 @@ #include #include +#include #include #include +#include #include +#include +#include #include "asn1_decoder.h" #include "otautil/print_sha1.h" @@ -441,6 +445,70 @@ std::unique_ptr parse_ec_key(FILE* file) { return key; } +bool LoadCertificateFromBuffer(const std::vector& pem_content, Certificate* cert) { + std::unique_ptr content( + BIO_new_mem_buf(pem_content.data(), pem_content.size()), BIO_free); + + std::unique_ptr x509( + PEM_read_bio_X509(content.get(), nullptr, nullptr, nullptr), X509_free); + if (!x509) { + LOG(ERROR) << "Failed to read x509 certificate"; + return false; + } + + int nid = X509_get_signature_nid(x509.get()); + switch (nid) { + // SignApk has historically accepted md5WithRSA certificates, but treated them as + // sha1WithRSA anyway. Continue to do so for backwards compatibility. + case NID_md5WithRSA: + case NID_md5WithRSAEncryption: + case NID_sha1WithRSA: + case NID_sha1WithRSAEncryption: + cert->hash_len = SHA_DIGEST_LENGTH; + break; + case NID_sha256WithRSAEncryption: + case NID_ecdsa_with_SHA256: + cert->hash_len = SHA256_DIGEST_LENGTH; + break; + default: + LOG(ERROR) << "Unrecognized signature nid " << OBJ_nid2ln(nid); + return false; + } + + std::unique_ptr public_key(X509_get_pubkey(x509.get()), + EVP_PKEY_free); + if (!public_key) { + LOG(ERROR) << "Failed to extract the public key from x509 certificate"; + return false; + } + + int key_type = EVP_PKEY_id(public_key.get()); + // TODO(xunchang) check the rsa key has exponent 3 or 65537 with RSA_get0_key; and ec key is + // 256 bits. + if (key_type == EVP_PKEY_RSA) { + cert->key_type = Certificate::KEY_TYPE_RSA; + cert->ec.reset(); + cert->rsa.reset(EVP_PKEY_get1_RSA(public_key.get())); + if (!cert->rsa) { + LOG(ERROR) << "Failed to get the rsa key info from public key"; + return false; + } + } else if (key_type == EVP_PKEY_EC) { + cert->key_type = Certificate::KEY_TYPE_EC; + cert->rsa.reset(); + cert->ec.reset(EVP_PKEY_get1_EC_KEY(public_key.get())); + if (!cert->ec) { + LOG(ERROR) << "Failed to get the ec key info from the public key"; + return false; + } + } else { + LOG(ERROR) << "Unrecognized public key type " << OBJ_nid2ln(key_type); + return false; + } + + return true; +} + // Reads a file containing one or more public keys as produced by // DumpPublicKey: this is an RSAPublicKey struct as it would appear // as a C source literal, eg: -- cgit v1.2.3