Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0dd96853 authored by Tianjie Xu's avatar Tianjie Xu
Browse files

Load X509 keys from ziparchive 

Add a function to parse the zip archive and load the certificate from
all the zip entries with the suffix "x509.pem".

Bug: 116655889
Test: unittests pass
Change-Id: I93bf7aef7462c0623e89fc2d466d7af2d3a758bc
parent 06b1a89d

Android.bp

+1 −0
Original line number Diff line number Diff line
@@ -201,6 +201,7 @@ cc_library_static { 
        "libbase",

        "libcrypto",

        "libcrypto_utils",

        "libziparchive",

    ],



    static_libs: [

tests/component/verifier_test.cpp

+84 −7
Original line number Diff line number Diff line
@@ -26,9 +26,11 @@ 


#include <android-base/file.h>

#include <android-base/stringprintf.h>

#include <android-base/strings.h>

#include <android-base/test_utils.h>

#include <android-base/unique_fd.h>

#include <gtest/gtest.h>

#include <ziparchive/zip_writer.h>



#include "common/test_constants.h"

#include "otautil/sysutil.h"
@@ -43,16 +45,43 @@ static void LoadKeyFromFile(const std::string& file_name, Certificate* cert) { 
      std::vector<uint8_t>(testkey_string.begin(), testkey_string.end()), cert));

}



static void VerifyPackageWithCertificate(const std::string& name, Certificate&& cert) {

static void VerifyPackageWithCertificates(const std::string& name,

                                          const std::vector<Certificate>& certs) {

  std::string package = from_testdata_base(name);

  MemMapping memmap;

  if (!memmap.MapFile(package)) {

    FAIL() << "Failed to mmap " << package << ": " << strerror(errno) << "\n";

  }



  ASSERT_EQ(VERIFY_SUCCESS, verify_file(memmap.addr, memmap.length, certs));

}



static void VerifyPackageWithSingleCertificate(const std::string& name, Certificate&& cert) {

  std::vector<Certificate> certs;

  certs.emplace_back(std::move(cert));

  ASSERT_EQ(VERIFY_SUCCESS, verify_file(memmap.addr, memmap.length, certs));

  VerifyPackageWithCertificates(name, certs);

}



static void BuildCertificateArchive(const std::vector<std::string>& file_names, int fd) {

  FILE* zip_file_ptr = fdopen(fd, "wb");

  ZipWriter zip_writer(zip_file_ptr);



  for (const auto& name : file_names) {

    std::string content;

    ASSERT_TRUE(android::base::ReadFileToString(name, &content));



    // Makes sure the zip entry name has the correct suffix.

    std::string entry_name = name;

    if (!android::base::EndsWith(entry_name, "x509.pem")) {

      entry_name += "x509.pem";

    }

    ASSERT_EQ(0, zip_writer.StartEntry(entry_name.c_str(), ZipWriter::kCompress));

    ASSERT_EQ(0, zip_writer.WriteBytes(content.data(), content.size()));

    ASSERT_EQ(0, zip_writer.FinishEntry());

  }



  ASSERT_EQ(0, zip_writer.Finish());

  ASSERT_EQ(0, fclose(zip_file_ptr));

}



TEST(VerifierTest, LoadCertificateFromBuffer_failure) {
@@ -72,7 +101,7 @@ TEST(VerifierTest, LoadCertificateFromBuffer_sha1_exponent3) { 
  ASSERT_EQ(Certificate::KEY_TYPE_RSA, cert.key_type);

  ASSERT_EQ(nullptr, cert.ec);



  VerifyPackageWithCertificate("otasigned_v1.zip", std::move(cert));

  VerifyPackageWithSingleCertificate("otasigned_v1.zip", std::move(cert));

}



TEST(VerifierTest, LoadCertificateFromBuffer_sha1_exponent65537) {
@@ -83,7 +112,7 @@ TEST(VerifierTest, LoadCertificateFromBuffer_sha1_exponent65537) { 
  ASSERT_EQ(Certificate::KEY_TYPE_RSA, cert.key_type);

  ASSERT_EQ(nullptr, cert.ec);



  VerifyPackageWithCertificate("otasigned_v2.zip", std::move(cert));

  VerifyPackageWithSingleCertificate("otasigned_v2.zip", std::move(cert));

}



TEST(VerifierTest, LoadCertificateFromBuffer_sha256_exponent3) {
@@ -94,7 +123,7 @@ TEST(VerifierTest, LoadCertificateFromBuffer_sha256_exponent3) { 
  ASSERT_EQ(Certificate::KEY_TYPE_RSA, cert.key_type);

  ASSERT_EQ(nullptr, cert.ec);



  VerifyPackageWithCertificate("otasigned_v3.zip", std::move(cert));

  VerifyPackageWithSingleCertificate("otasigned_v3.zip", std::move(cert));

}



TEST(VerifierTest, LoadCertificateFromBuffer_sha256_exponent65537) {
@@ -105,7 +134,7 @@ TEST(VerifierTest, LoadCertificateFromBuffer_sha256_exponent65537) { 
  ASSERT_EQ(Certificate::KEY_TYPE_RSA, cert.key_type);

  ASSERT_EQ(nullptr, cert.ec);



  VerifyPackageWithCertificate("otasigned_v4.zip", std::move(cert));

  VerifyPackageWithSingleCertificate("otasigned_v4.zip", std::move(cert));

}



TEST(VerifierTest, LoadCertificateFromBuffer_sha256_ec256bits) {
@@ -116,7 +145,55 @@ TEST(VerifierTest, LoadCertificateFromBuffer_sha256_ec256bits) { 
  ASSERT_EQ(Certificate::KEY_TYPE_EC, cert.key_type);

  ASSERT_EQ(nullptr, cert.rsa);



  VerifyPackageWithCertificate("otasigned_v5.zip", std::move(cert));

  VerifyPackageWithSingleCertificate("otasigned_v5.zip", std::move(cert));

}



TEST(VerifierTest, LoadKeysFromZipfile_empty_archive) {

  TemporaryFile otacerts;

  BuildCertificateArchive({}, otacerts.release());

  std::vector<Certificate> certs = LoadKeysFromZipfile(otacerts.path);

  ASSERT_TRUE(certs.empty());

}



TEST(VerifierTest, LoadKeysFromZipfile_single_key) {

  TemporaryFile otacerts;

  BuildCertificateArchive({ from_testdata_base("testkey_v1.x509.pem") }, otacerts.release());

  std::vector<Certificate> certs = LoadKeysFromZipfile(otacerts.path);

  ASSERT_EQ(1, certs.size());



  VerifyPackageWithCertificates("otasigned_v1.zip", certs);

}



TEST(VerifierTest, LoadKeysFromZipfile_corrupted_key) {

  TemporaryFile corrupted_key;

  std::string content;

  ASSERT_TRUE(android::base::ReadFileToString(from_testdata_base("testkey_v1.x509.pem"), &content));

  content = "random-contents" + content;

  ASSERT_TRUE(android::base::WriteStringToFd(content, corrupted_key.release()));



  TemporaryFile otacerts;

  BuildCertificateArchive({ from_testdata_base("testkey_v2.x509.pem"), corrupted_key.path },

                          otacerts.release());

  std::vector<Certificate> certs = LoadKeysFromZipfile(otacerts.path);

  ASSERT_EQ(0, certs.size());

}



TEST(VerifierTest, LoadKeysFromZipfile_multiple_key) {

  TemporaryFile otacerts;

  BuildCertificateArchive(

      {

          from_testdata_base("testkey_v3.x509.pem"),

          from_testdata_base("testkey_v4.x509.pem"),

          from_testdata_base("testkey_v5.x509.pem"),



      },

      otacerts.release());

  std::vector<Certificate> certs = LoadKeysFromZipfile(otacerts.path);

  ASSERT_EQ(3, certs.size());



  VerifyPackageWithCertificates("otasigned_v3.zip", certs);

  VerifyPackageWithCertificates("otasigned_v4.zip", certs);

  VerifyPackageWithCertificates("otasigned_v5.zip", certs);

}



class VerifierTest : public testing::TestWithParam<std::vector<std::string>> {

verifier.cpp

+55 −0
Original line number Diff line number Diff line
@@ -34,6 +34,7 @@ 
#include <openssl/obj_mac.h>

#include <openssl/pem.h>

#include <openssl/rsa.h>

#include <ziparchive/zip_archive.h>



#include "asn1_decoder.h"

#include "otautil/print_sha1.h"
@@ -445,6 +446,60 @@ std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) { 
    return key;

}



static std::vector<Certificate> IterateZipEntriesAndSearchForKeys(const ZipArchiveHandle& handle) {

  void* cookie;

  ZipString suffix("x509.pem");

  int32_t iter_status = StartIteration(handle, &cookie, nullptr, &suffix);

  if (iter_status != 0) {

    LOG(ERROR) << "Failed to iterate over entries in the certificate zipfile: "

               << ErrorCodeString(iter_status);

    return {};

  }



  std::vector<Certificate> result;



  ZipString name;

  ZipEntry entry;

  while ((iter_status = Next(cookie, &entry, &name)) == 0) {

    std::vector<uint8_t> pem_content(entry.uncompressed_length);

    if (int32_t extract_status =

            ExtractToMemory(handle, &entry, pem_content.data(), pem_content.size());

        extract_status != 0) {

      LOG(ERROR) << "Failed to extract " << std::string(name.name, name.name + name.name_length);

      return {};

    }



    Certificate cert(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);

    // Aborts the parsing if we fail to load one of the key file.

    if (!LoadCertificateFromBuffer(pem_content, &cert)) {

      LOG(ERROR) << "Failed to load keys from "

                 << std::string(name.name, name.name + name.name_length);

      return {};

    }



    result.emplace_back(std::move(cert));

  }



  if (iter_status != -1) {

    LOG(ERROR) << "Error while iterating over zip entries: " << ErrorCodeString(iter_status);

    return {};

  }



  return result;

}



std::vector<Certificate> LoadKeysFromZipfile(const std::string& zip_name) {

  ZipArchiveHandle handle;

  if (int32_t open_status = OpenArchive(zip_name.c_str(), &handle); open_status != 0) {

    LOG(ERROR) << "Failed to open " << zip_name << ": " << ErrorCodeString(open_status);

    return {};

  }



  std::vector<Certificate> result = IterateZipEntriesAndSearchForKeys(handle);

  CloseArchive(handle);

  return result;

}



bool LoadCertificateFromBuffer(const std::vector<uint8_t>& pem_content, Certificate* cert) {

  std::unique_ptr<BIO, decltype(&BIO_free)> content(

      BIO_new_mem_buf(pem_content.data(), pem_content.size()), BIO_free);

verifier.h

+4 −0
Original line number Diff line number Diff line
@@ -76,6 +76,10 @@ bool load_keys(const char* filename, std::vector<Certificate>& certs); 
// false if there is a parsing failure or the signature's encryption algorithm is not supported.

bool LoadCertificateFromBuffer(const std::vector<uint8_t>& pem_content, Certificate* cert);



// Iterates over the zip entries with the suffix "x509.pem" and returns a list of recognized

// certificates. Returns an empty list if we fail to parse any of the entries.

std::vector<Certificate> LoadKeysFromZipfile(const std::string& zip_name);



#define VERIFY_SUCCESS        0

#define VERIFY_FAILURE        1