1 /*
2  * Copyright (c) 2023 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "hash_data_verifier.h"
17 #include "log/dump.h"
18 #include "openssl_util.h"
19 #include "package/pkg_manager.h"
20 #include "pkcs7_signed_data.h"
21 #include "rust/hash_signed_data.h"
22 #include "updater/updater_const.h"
23 #include "zip_pkg_parse.h"
24 
25 namespace Hpackage {
26 using namespace Updater;
27 constexpr static std::size_t MAX_SIG_SIZE = 1024;
28 constexpr const char *UPDATER_HASH_SIGNED_DATA = "hash_signed_data";
29 
HashDataVerifier(PkgManager::PkgManagerPtr manager)30 HashDataVerifier::HashDataVerifier(PkgManager::PkgManagerPtr manager)
31     : manager_(manager), pkcs7_(std::make_unique<Pkcs7SignedData>()) {}
32 
~HashDataVerifier()33 HashDataVerifier::~HashDataVerifier()
34 {
35     ReleaseHashSignedData(hsd_);
36 }
37 
LoadHashDataAndPkcs7(const std::string & pkgPath)38 bool HashDataVerifier::LoadHashDataAndPkcs7(const std::string &pkgPath)
39 {
40     Updater::UPDATER_INIT_RECORD;
41     if (pkgPath == UPDATRE_SCRIPT_ZIP) {
42         isNeedVerify_ = false;
43         return true;
44     }
45     // only allow loading once
46     if (hsd_ != nullptr) {
47         PKG_LOGW("hash signed data has been loaded before");
48         return true;
49     }
50     if (manager_ == nullptr) {
51         PKG_LOGE("pkg manager is null");
52         UPDATER_LAST_WORD(false);
53         return false;
54     }
55     // load pkcs7 from package
56     if (!LoadPkcs7FromPackage(pkgPath)) {
57         PKG_LOGE("load pkcs7 from %s failed", pkgPath.c_str());
58         UPDATER_LAST_WORD(PKG_INVALID_FILE, pkgPath);
59         return false;
60     }
61     if (!LoadHashDataFromPackage()) {
62         PKG_LOGE("load pkcs7 from %s failed", pkgPath.c_str());
63         UPDATER_LAST_WORD(PKG_INVALID_FILE, pkgPath);
64         return false;
65     }
66     return true;
67 }
68 
LoadHashDataFromPackage(const std::string & buffer)69 bool HashDataVerifier::LoadHashDataFromPackage(const std::string &buffer)
70 {
71     if (buffer.length() == 0) {
72         PKG_LOGE("buffer is empty");
73         return false;
74     }
75     hsd_ = LoadHashSignedData(reinterpret_cast<const char *>(buffer.data()));
76     return true;
77 }
78 
LoadHashDataFromPackage(void)79 bool HashDataVerifier::LoadHashDataFromPackage(void)
80 {
81     Updater::UPDATER_INIT_RECORD;
82     PkgManager::StreamPtr outStream = nullptr;
83     auto info = manager_->GetFileInfo(UPDATER_HASH_SIGNED_DATA);
84     if (info == nullptr || info->unpackedSize == 0) {
85         PKG_LOGE("hash signed data not find in pkg manager");
86         UPDATER_LAST_WORD(false);
87         return false;
88     }
89     // 1 more byte bigger than unpacked size to ensure a ending '\0' in buffer
90     PkgBuffer buffer {info->unpackedSize + 1};
91     int32_t ret = manager_->CreatePkgStream(outStream, "", buffer);
92     if (ret != PKG_SUCCESS) {
93         PKG_LOGE("create stream fail");
94         UPDATER_LAST_WORD(false);
95         return false;
96     }
97     ret = manager_->ExtractFile(UPDATER_HASH_SIGNED_DATA, outStream);
98     if (ret != PKG_SUCCESS) {
99         manager_->ClosePkgStream(outStream);
100         PKG_LOGE("extract file failed");
101         UPDATER_LAST_WORD(false);
102         return false;
103     }
104     hsd_ = LoadHashSignedData(reinterpret_cast<const char *>(buffer.data.data()));
105     manager_->ClosePkgStream(outStream);
106     if (hsd_ == nullptr) {
107         PKG_LOGE("load hash signed data failed");
108         UPDATER_LAST_WORD(false);
109         return false;
110     }
111     return true;
112 }
113 
LoadPkcs7FromPackage(const std::string & pkgPath)114 bool HashDataVerifier::LoadPkcs7FromPackage(const std::string &pkgPath)
115 {
116     PkgManager::StreamPtr pkgStream = nullptr;
117     int32_t ret = manager_->CreatePkgStream(pkgStream, pkgPath, 0, PkgStream::PkgStreamType_Read);
118     if (ret != PKG_SUCCESS) {
119         PKG_LOGE("CreatePackage fail %s", pkgPath.c_str());
120         UPDATER_LAST_WORD(PKG_INVALID_FILE, pkgPath);
121         UPDATER_LAST_WORD(false);
122         return false;
123     }
124 
125     PkgVerifyUtil verifyUtil {};
126     size_t signatureSize = 0;
127     std::vector<uint8_t> signature {};
128     uint16_t commentTotalLenAll = 0;
129     ret = verifyUtil.GetSignature(PkgStreamImpl::ConvertPkgStream(pkgStream),
130         signatureSize, signature, commentTotalLenAll);
131     manager_->ClosePkgStream(pkgStream);
132     if (ret != PKG_SUCCESS) {
133         UPDATER_LAST_WORD(ret);
134         return false;
135     }
136     return pkcs7_ != nullptr && pkcs7_->ParsePkcs7Data(signature.data(), signature.size()) == 0;
137 }
138 
VerifyHashData(const std::string & preName,const std::string & fileName,PkgManager::StreamPtr stream) const139 bool HashDataVerifier::VerifyHashData(const std::string &preName,
140     const std::string &fileName, PkgManager::StreamPtr stream) const
141 {
142     if (!isNeedVerify_) {
143         return true;
144     }
145     Updater::UPDATER_INIT_RECORD;
146     if (stream == nullptr) {
147         PKG_LOGE("stream is null");
148         UPDATER_LAST_WORD(false);
149         return false;
150     }
151 
152     // get hash from stream
153     std::vector<uint8_t> hash {};
154     int32_t ret = CalcSha256Digest(PkgStreamImpl::ConvertPkgStream(stream), stream->GetFileLength(), hash);
155     if (ret != 0) {
156         PKG_LOGE("cal digest for pkg stream");
157         UPDATER_LAST_WORD(false, fileName);
158         return false;
159     }
160 
161     // get sig from hash data
162     std::string name = preName + fileName;
163     std::vector<uint8_t> sig(MAX_SIG_SIZE, 0);
164     auto sigLen = GetSigFromHashData(hsd_, sig.data(), sig.size(), name.c_str());
165     if (sigLen == 0 || sig.size() < sigLen) {
166         PKG_LOGE("get sig for %s failed", name.c_str());
167         UPDATER_LAST_WORD(PKG_INVALID_SIGNATURE, fileName, sigLen);
168         return false;
169     }
170     sig.resize(sigLen);
171 
172     // then using cert from pkcs7 to verify hash data
173     if (pkcs7_ == nullptr || pkcs7_->Verify(hash, sig, false) != 0) {
174         PKG_LOGE("verify hash signed data for %s failed", fileName.c_str());
175         UPDATER_LAST_WORD(PKG_INVALID_SIGNATURE, fileName);
176         return false;
177     }
178     PKG_LOGI("verify hash signed data for %s successfully", fileName.c_str());
179     return true;
180 }
181 } // namespace Hpackage
182