summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTianjie Xu <xunchang@google.com>2019-03-27 18:57:38 +0100
committerGerrit Code Review <noreply-gerritcodereview@google.com>2019-03-27 18:57:38 +0100
commit3168ddf79dee2b7256eb43b404dad5c3a0d71af2 (patch)
tree2be8560dae4dfc7cf748d295d7c57da9a8973de7
parentMerge "Move out the code to parse block map in MemMap" (diff)
parentAllow RSA 4096 key in package verification (diff)
downloadandroid_bootable_recovery-3168ddf79dee2b7256eb43b404dad5c3a0d71af2.tar
android_bootable_recovery-3168ddf79dee2b7256eb43b404dad5c3a0d71af2.tar.gz
android_bootable_recovery-3168ddf79dee2b7256eb43b404dad5c3a0d71af2.tar.bz2
android_bootable_recovery-3168ddf79dee2b7256eb43b404dad5c3a0d71af2.tar.lz
android_bootable_recovery-3168ddf79dee2b7256eb43b404dad5c3a0d71af2.tar.xz
android_bootable_recovery-3168ddf79dee2b7256eb43b404dad5c3a0d71af2.tar.zst
android_bootable_recovery-3168ddf79dee2b7256eb43b404dad5c3a0d71af2.zip
-rw-r--r--tests/component/verifier_test.cpp11
-rw-r--r--tests/testdata/otasigned_4096bits.zipbin0 -> 4055 bytes
-rw-r--r--tests/testdata/testkey_4096bits.x509.pem35
-rw-r--r--verifier.cpp4
-rw-r--r--verifier.h3
5 files changed, 50 insertions, 3 deletions
diff --git a/tests/component/verifier_test.cpp b/tests/component/verifier_test.cpp
index c904cd038..bdb8af231 100644
--- a/tests/component/verifier_test.cpp
+++ b/tests/component/verifier_test.cpp
@@ -158,6 +158,17 @@ TEST(VerifierTest, LoadCertificateFromBuffer_sha256_ec256bits) {
VerifyPackageWithSingleCertificate("otasigned_v5.zip", std::move(cert));
}
+TEST(VerifierTest, LoadCertificateFromBuffer_sha256_rsa4096_bits) {
+ Certificate cert(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
+ LoadKeyFromFile(from_testdata_base("testkey_4096bits.x509.pem"), &cert);
+
+ ASSERT_EQ(SHA256_DIGEST_LENGTH, cert.hash_len);
+ ASSERT_EQ(Certificate::KEY_TYPE_RSA, cert.key_type);
+ ASSERT_EQ(nullptr, cert.ec);
+
+ VerifyPackageWithSingleCertificate("otasigned_4096bits.zip", std::move(cert));
+}
+
TEST(VerifierTest, LoadCertificateFromBuffer_check_rsa_keys) {
std::unique_ptr<RSA, RSADeleter> rsa(RSA_new());
std::unique_ptr<BIGNUM, decltype(&BN_free)> exponent(BN_new(), BN_free);
diff --git a/tests/testdata/otasigned_4096bits.zip b/tests/testdata/otasigned_4096bits.zip
new file mode 100644
index 000000000..5016dfc9a
--- /dev/null
+++ b/tests/testdata/otasigned_4096bits.zip
Binary files differ
diff --git a/tests/testdata/testkey_4096bits.x509.pem b/tests/testdata/testkey_4096bits.x509.pem
new file mode 100644
index 000000000..cba30d61b
--- /dev/null
+++ b/tests/testdata/testkey_4096bits.x509.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGADCCA+igAwIBAgIJAJiRMVvanGUaMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g
+VmlldzEQMA4GA1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UE
+AwwHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0xODEwMzAxMjEzNTFaFw00NjAzMTcxMjEzNTFaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
+A1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UEAwwHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAL3ghKA8Gz9qOORY8gMY4wlB2tCJLDUO2tFG
+LVK1UphtQMp+YEcz/0VQKVV7de7z6V4EMQ5P1HbxHOsjcKn/zXAl4YgFt7b5kZbC
+bpNK4CYHEfho3j6fpYtq5d9q8rIA2kI0uZkkqPy1zXKTl2C2PjOoAnLQRk5xBVQG
+M10/wYsf7yX36mSWoJJwKPp/EzVFpA+hX8HpljeIiZ6CFzKwJdqv9zO/xzfp6NsX
+Tv5EGdkDxmw3qQqKgyl8dLMTZ/2zNfvVOMeZDusEPDF7A/lbU1byLWrKQdCzVb40
+yc7BCSRGYwM29R/byOcgD+lslwKSGzgzNmQXICt1tXz9bSJR8qh4tlAaiRc3ZKBe
+hJWIFGkGtD/cDGtDE5DbNAOz6CdSDdE2XN0Qf0cfN1RHVE6fo2FtFicRRVuFBt8M
+2cbQ7bzmEvtHD6W6dsf120FH7gppXKmnhMx1WazpxR2QltbiYDTy2ZZi4paS/jDB
+fL9gMCWp3Ohg2y74NGfUw5CQWQsDpcki6I7RvwClBCyOV51LHn5LE/nY4DkVrZxk
+Pw0/YrTWz5J5PbdMetTuIunE4ec4lm8nZnh1ET+2MHx2+RoyF5vBs4rp1KHHRaEA
+veD2AfQOWxz7kOG9+akFot7n+QoWEGdwY0mJ9jsO/IITCjv3VbD7o0OoJv1R2AW5
+sK2KQ4PDAgMBAAGjUzBRMB0GA1UdDgQWBBT2EbrayXGhY6VCvSlLtRNyjW9ceDAf
+BgNVHSMEGDAWgBT2EbrayXGhY6VCvSlLtRNyjW9ceDAPBgNVHRMBAf8EBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4ICAQC7SsWap9zDKmuR0qMUZ6wlualnag0hUG1jZHQP
+t63KO6LmNNMSuXRX60Zcq6WWzgLOyoT4HqHZZ47Jamfb4XQQcnWMMW0tJ3pDtTkz
+dZILBInHJO8QPYI8Du6XWsDLSvMajq6ueBtO3NdcgsNL7eiHf3WoOtajLZxFM94Z
+MESkUQOIsqHolYeTMHLTsuGkX1CK2Zw3Xn18bUSTYwZCHa6mYH00ItUBfetGCnWh
+Y7bth/R15Cc+hocSB7ZsOa/R5kDyDdFDIKrnV5nH5Yd7CryrYC6Ac5UarYrxSJTq
+eKPwqUlJB/tJW/lvdLt8YaURbFGzf/ZqU12zZRafYjmMjcQvfpzMoDSnbvHTA9IR
+ZGO7dwhwykoSaL4/8LWde49xQUq6F2pQBRmEr+7mTzml1MaM5cWEk5emkCMXgLog
+k+c56CAk1EdM1teWik7wR0TIqkkYyYJHTSg61GkXUIXrZJ6iYx2ejDg1+QTPm9rU
+Yr7nP52gVkQuUAX1+xB6wKLSDizQJw8SNiUGXl5+2vwV6+0BI3/CXlQ8I/nRPBC1
+oqOIkRSbE+IF7DP9QvYuNG/3bZZQ8LUVeHxqI5Mq8K2VIJZd95AIwPNMH34SaDGz
+9xjG28Fq4ZkuDP0pCsHM9d2XEwK5PEVS18WW5fJ/QcJKMno4IPTB70ZBBjVzv6Y+
+MYjOrw==
+-----END CERTIFICATE-----
diff --git a/verifier.cpp b/verifier.cpp
index 68a011e0d..08d852b37 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -373,8 +373,8 @@ bool CheckRSAKey(const std::unique_ptr<RSA, RSADeleter>& rsa) {
const BIGNUM* out_e;
RSA_get0_key(rsa.get(), &out_n, &out_e, nullptr /* private exponent */);
auto modulus_bits = BN_num_bits(out_n);
- if (modulus_bits != 2048) {
- LOG(ERROR) << "Modulus should be 2048 bits long, actual: " << modulus_bits;
+ if (modulus_bits != 2048 && modulus_bits != 4096) {
+ LOG(ERROR) << "Modulus should be 2048 or 4096 bits long, actual: " << modulus_bits;
return false;
}
diff --git a/verifier.h b/verifier.h
index 106b86b85..ef9feaff0 100644
--- a/verifier.h
+++ b/verifier.h
@@ -88,7 +88,8 @@ class VerifierInterface {
// VERIFY_FAILURE (if any error is encountered or no key matches the signature).
int verify_file(VerifierInterface* package, const std::vector<Certificate>& keys);
-// Checks that the RSA key has a modulus of 2048 bits long, and public exponent is 3 or 65537.
+// Checks that the RSA key has a modulus of 2048 or 4096 bits long, and public exponent is 3 or
+// 65537.
bool CheckRSAKey(const std::unique_ptr<RSA, RSADeleter>& rsa);
// Checks that the field size of the curve for the EC key is 256 bits.