Commit log for install/verifier.cpp
Each entry: date, commit subject, [author, files changed, lines -removed/+added], followed by the commit message body.

2020-09-18  Check for overflow before allocating memory for decompression.  [Kelvin Zhang, 1 file, -0/+6]
    On 32-bit devices, a ZipEntry64 may have size > 2^32; we should check for such cases before attempting to allocate memory.
    Test: mm -j
    Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
2020-09-16  Switch to zip64 in recovery  [Kelvin Zhang, 1 file, -1/+1]
    There's already library support for zip64 in libziparchive. We just need to start using the new APIs.
    Bug: 167951876
    Test: Sideload a large ota package in recovery
    Change-Id: I652741965f28de079d873c6822317ee9fa855201

2019-06-12  Use the new ziparchive Next std::string_view overload.  [Elliott Hughes, 1 file, -1/+1]
    Bug: http://b/129068177
    Test: treehugger
    Change-Id: Ieec83126e36b330da33092a172e365376cd04dfe

2019-05-23  Move off the Next ZipString overload.  [Elliott Hughes, 1 file, -4/+3]
    Bug: http://b/129068177
    Test: treehugger
    Change-Id: I3c8f70b0d8cc5dc6b3b4439dbe0b9a5bd85003c4

2019-05-09  Track libziparchive API change.  [Elliott Hughes, 1 file, -2/+1]
    Bug: http://b/129068177
    Test: treehugger
    Change-Id: I618bbcf38914dd81e042e0cfd1976ff26274dc30

2019-03-29  Move install to separate module  [xunchang, 1 file, -19/+18]
    Build libinstall as a shared library. Also drop the dependency on the global variables in common.h.
    Test: unit tests pass, sideload an OTA
    Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0

2019-03-26  Allow RSA 4096 key in package verification  [xunchang, 1 file, -2/+2]
    The RSA_verify still works for 4096-bit keys. And we just need to loosen the check on modulus. Sample commands to generate the key & package:
      1. openssl genrsa -out keypair.pem 4096
      2. openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in keypair.pem -out private.pk8
      3. openssl req -new -x509 -key keypair.pem -out public.x509.pem -days 365
      4. java -Djava.library.path=prebuilts/sdk/tools/linux/lib64 -jar prebuilts/sdk/tools/lib/signapk.jar -w public.x509.pem private.pk8 unsigned.zip signed.zip
    Bug: 129163830
    Test: unit tests pass
    Change-Id: I5a5ff539c9ff1955c02ec2ce4b17563cb92808a4
2019-03-14  Implement FilePackage class  [xunchang, 1 file, -2/+0]
    This is another implementation of the Package class. And we will later need it when reading the package from FUSE.
    Bug: 127071893
    Test: unit tests pass, sideload a file package on sailfish
    Change-Id: I3de5d5ef60b29c8b73517d6de3498459d7d95975

2019-03-11  Create a wrapper class for update package  [xunchang, 1 file, -32/+36]
    Creates a new class to handle the package in memory and package read from fd. Define the new interface functions, and make approximate changes to the verify and install functions.
    Bug: 127071893
    Test: unit tests pass, sideload a package
    Change-Id: I66ab00654df92471184536fd147b237a86e9c5b5

2018-10-25  Remove the load_keys function  [Tianjie Xu, 1 file, -249/+0]
    This function is used to parse the result of dumpKeys. It's no longer needed as we are now parsing the public keys from the zipfile.
    Bug: 116655889
    Test: unit tests pass
    Change-Id: I817906e451664058c644f4329ff499bbe4587ebb

2018-10-25  Add sanity check when loading public keys for OTA package  [Tianjie Xu, 1 file, -6/+46]
    For RSA keys, check if it has a 2048-bit modulus, and its public exponent is 3 or 65537. For EC keys, check if the field size is 256 bits for its curve.
    Bug: 116655889
    Test: unit tests pass
    Change-Id: I5c00f4d2b61c98c434f0b49db232155d5d0770ec

2018-10-18  Load X509 keys from ziparchive  [Tianjie Xu, 1 file, -0/+55]
    Add a function to parse the zip archive and load the certificate from all the zip entries with the suffix "x509.pem".
    Bug: 116655889
    Test: unittests pass
    Change-Id: I93bf7aef7462c0623e89fc2d466d7af2d3a758bc

2018-10-12  Add function to load the key from x509.pem file  [Tianjie Xu, 1 file, -0/+68]
    We used to convert a pem certificate file to some intermediate plain text format, and parse that format under recovery mode. This is unnecessary since the x509.pem can be directly parsed with openssl functions. Add the function to load the public key from one x509.pem file and corresponding unit tests. And we will add more CLs to extract the pem files from otacert.zip later.
    Bug: 116655889
    Test: verify package with 5 supported certificate versions
    Change-Id: Ibc6c696c534567f005db75143cc4ef8d4bdea6a0
2017-10-11  Move rangeset.h and print_sha1.h into otautil.  [Tao Bao, 1 file, -1/+1]
    Also drop the "bootable/recovery" path in LOCAL_C_INCLUDES from applypatch modules.
    Test: lunch aosp_{angler,bullhead,fugu,dragon,sailfish}-userdebug; mmma bootable/recovery
    Change-Id: Idd602a796894f971ee4f8fa3eafe36c42d9de986

2017-07-19  Fix the android-cloexec-* warnings in bootable/recovery  [Tianjie Xu, 1 file, -72/+71]
    Add the O_CLOEXEC or 'e' accordingly.
    Bug: 63510015
    Test: recovery tests pass
    Change-Id: I7094bcc6af22c9687eb535116b2ca6a59178b303

2017-03-23  Const modifiers  [Mikhail Lappo, 1 file, -1/+1]
    These functions do not change class variables. Would be good to mark them as const, so class variables are not changed by coincidence.
    Change-Id: Iea34f6d26dbd1bde813035160e07ff2a681989e6

2017-03-21  Refactor asn1_decoder functions into a class.  [Tao Bao, 1 file, -37/+39]
    Test: mmma bootable/recovery
    Test: recovery_unit_test passes.
    Test: recovery_component_test passes.
    Change-Id: If0bf25993158eaebeedff55ba4f4dd0f6e5f937d

2017-03-21  verify_file: Add constness to a few addresses.  [Tao Bao, 1 file, -54/+53]
    We should not touch any data while verifying packages (or parsing the in-memory ASN.1 structures).
    Test: mmma bootable/recovery
    Test: recovery_component_test passes.
    Test: recovery_unit_test passes.
    Change-Id: Ie990662c6451ec066a1807b3081c9296afbdb0bf

2017-03-18  Remove the dead #include's in verifier.cpp.  [Tao Bao, 1 file, -3/+1]
    A follow-up to commit 5e535014dd7961fbf812abeaa27f3339775031f1. Also clean up Android.mk, since libverifier no longer needs anything from libminui.
    Test: mmma bootable/recovery
    Test: recovery_component_test passes.
    Change-Id: I1c11e4bbeef67ca34a2054debf1f5b280d509217

2017-03-17  Drop the dependency on 'ui' in verify_file().  [Tao Bao, 1 file, -173/+166]
    verify_file() has a dependency on the global variable of 'ui' for posting the verification progress, which requires the users of libverifier to provide a UI instance. This CL adds an optional argument to verify_file() so that it can post the progress through the provided callback function. As a result, we can drop the MockUI class in verifier_test.cpp.
    Test: recovery_component_test passes.
    Test: verify_file() posts progress update when installing an OTA.
    Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
    (cherry picked from commit 5e535014dd7961fbf812abeaa27f3339775031f1)

2017-03-17  Drop the dependency on 'ui' in verify_file().  [Tao Bao, 1 file, -168/+161]
    verify_file() has a dependency on the global variable of 'ui' for posting the verification progress, which requires the users of libverifier to provide a UI instance. This CL adds an optional argument to verify_file() so that it can post the progress through the provided callback function. As a result, we can drop the MockUI class in verifier_test.cpp.
    Test: recovery_component_test passes.
    Test: verify_file() posts progress update when installing an OTA.
    Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
2017-01-20  DO NOT MERGE: resolve merge conflicts of 5346da02 to klp-modular-dev  [Tianjie Xu, 1 file, -0/+7]
    Change-Id: Ie52a9abae416bbb84ddc61bb7159a531de778c15

2017-01-19  resolve build error when merging 0f7f7e21  [Tianjie Xu, 1 file, -2/+2]
    Test: mma
    Change-Id: Ibdcf7b47e54d3739fb922f66996365763d2acfef

2016-12-20  DO NOT MERGE: Add a checker for signature boundary in verifier  [Tianjie Xu, 1 file, -0/+7]
    The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test.
    Bug: 31914369
    Test: Verification fails correctly when sideloading recovery_test.zip on angler.
    Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
    (cherry-picked from f69e6a9475983b2ad46729e44ab58d2b22cd74d0)
    (cherry picked from commit 54ea136fded56810bf475885eb4bd7bf1b11f09c)

2016-12-17  Add a checker for signature boundary in verifier  [Tianjie Xu, 1 file, -0/+6]
    The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test.
    Bug: 31914369
    Test: Verification fails correctly when sideloading recovery_test.zip on angler.
    Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
    (cherry-picked from f69e6a9475983b2ad46729e44ab58d2b22cd74d0)

2016-12-17  Add a checker for signature boundary in verifier  [Tianjie Xu, 1 file, -0/+6]
    The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test.
    Bug: 31914369
    Test: Verification fails correctly when sideloading recovery_test.zip on angler.
    Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1

2016-11-03  Revert "Revert "Some cleanups to recovery.""  [Tao Bao, 1 file, -4/+3]
    This reverts commit 8584fcf677dd45b30121bd0490b06297e6be1871. This CL re-lands commit c0319b60f56d445c2d1c74f551e01f069b028fe6. The "stage" and "reason" variables are now declared as global by dropping the static qualifier, because they may be used by vendor recovery libraries.
    Test: lunch aosp_angler-userdebug; mmma bootable/recovery
    Test: lunch aosp_dragon-userdebug; mmma bootable/recovery
    Change-Id: I252c346f450079478cff22bbff01590b8ab2e2b3

2016-10-27  Revert "Some cleanups to recovery."  [Dan Albert, 1 file, -3/+4]
    This reverts commit c0319b60f56d445c2d1c74f551e01f069b028fe6.
    Reason for revert: Broke builds.
    Change-Id: I82aa880b83de5ae6c36fd7567cb001920559a972

2016-10-26  Some cleanups to recovery.  [Tao Bao, 1 file, -4/+3]
    - Remove the duplicate gCurrentUI variable in recovery.cpp;
    - Refactor the load/save of locale functions;
    - Clean up ui_print() to get rid of 256-byte buffer limit;
    - Declare ui in common.h;
    - Move the typedef of Volume into roots.h.
    Test: Build and boot into recovery image.
    Change-Id: Ia28c116858ca754133127a5ff9c722af67ad55b7
2016-10-18  Replace minzip with libziparchive  [Tianjie Xu, 1 file, -1/+1]
    Clean up the duplicated codes that handle the zip files in bootable/recovery; and rename the library of the remaining utility functions to libotautil.
    Test: Update package installed successfully on angler.
    Bug: 19472796
    Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e

2016-09-01  Switch recovery to libbase logging  [Tianjie Xu, 1 file, -25/+25]
    Clean up the recovery image and switch to libbase logging.
    Bug: 28191554
    Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
    (cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)

2016-09-01  Switch recovery to libbase logging  [Tianjie Xu, 1 file, -25/+25]
    Clean up the recovery image and switch to libbase logging.
    Bug: 28191554
    Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
    Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35

2016-09-01  Switch recovery to libbase logging  [Tianjie Xu, 1 file, -25/+25]
    Clean up the recovery image and switch to libbase logging.
    Bug: 28191554
    Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35

2016-04-20  recovery: Dump the signature in the zip package.  [Tao Bao, 1 file, -2/+15]
    We have been occasionally seeing "signature verification failed" error message when applying an update. Make more verbose output to help debugging.
    Bug: 28246534
    Change-Id: Id83633adc9b86b3fd36abbb504e430f0816f12e4

2016-04-20  Decrease OTA package verification times further.  [Elliott Hughes, 1 file, -4/+4]
    Timing from Nexus 5X:
      89 MiB OTA update package: 1.4 s -> 0.6 s (decreased by 57%)
      1196 MiB OTA update package: 8.0 s -> 7.5 s (decreased by 6%)
    Bug: http://b/28135231
    Change-Id: Id91f2ad15df2bffb9f8a4b4ec5a57657a02847ec

2016-04-16  Fix IWYU errors.  [David Benjamin, 1 file, -0/+1]
    This fixes build errors with BoringSSL master. (The cpp file uses functions from bn.h and neither it nor the header includes it.)
    Change-Id: If7f38aa0b931aa7940079bc006c7283b31f3b774

2016-04-14  Use BoringSSL instead of mincrypt to speed up package verification.  [Elliott Hughes, 1 file, -111/+209]
    This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with merge conflict resolution, extra logging in verifier.cpp, and an increase in the hash chunk size from 4KiB to 1MiB.
    Bug: http://b/28135231
    Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84

2016-04-06  Convert recovery to use BoringSSL instead of mincrypt.  [Mattias Nissler, 1 file, -107/+203]
    This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt.
    Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7

2016-02-03  recovery: Refactor verifier and verifier_test.  [Tao Bao, 1 file, -141/+124]
    Move to using std::vector and std::unique_ptr to manage key certificates to stop memory leaks.
    Bug: 26908001
    Change-Id: Ia5f799bc8dcc036a0ffae5eaa8d9f6e09abd031c
2015-01-28  Add missing includes.  [Elliott Hughes, 1 file, -2/+3]
    Change-Id: I0737456e0221ebe9cc854d65c95a7d37d0869d56

2014-03-14  Recovery 64-bit compile issues  [Mark Salyzyn, 1 file, -7/+7]
    Change-Id: I92d5abd1a628feab3b0246924fab7f97ba3b9d34

2014-01-16  do verification and extraction on memory, not files  [Doug Zongker, 1 file, -55/+15]
    Changes minzip and recovery's file signature verification to work on memory regions, rather than files. For packages which are regular files, install.cpp now mmap()s them into memory and then passes the mapped memory to the verifier and to the minzip library. Support for files which are raw block maps (which will be used when we have packages written to encrypted data partitions) is present but largely untested so far.
    Bug: 12188746
    Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71

2013-10-10  Add support for ECDSA signatures  [Kenny Root, 1 file, -32/+198]
    This adds support for key version 5 which is an EC key using the NIST P-256 curve parameters. OTAs may be signed with these keys using the ECDSA signature algorithm with SHA-256.
    Change-Id: Id88672a3deb70681c78d5ea0d739e10f839e4567

2013-09-25  verifier: update to support certificates using SHA-256  [Doug Zongker, 1 file, -17/+63]
    (cherry picked from commit bac7fba02763ae5e78e8e4ba0bea727330ad953e)
    Change-Id: I01c38d7fea088622a8b0bbf2c833fa2d969417af

2013-04-10  verifier: update to support certificates using SHA-256  [Doug Zongker, 1 file, -17/+63]
    Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e

2012-11-02  move key loading to verifier code  [Doug Zongker, 1 file, -0/+102]
    Add an option to verifier_test to load keys from a file, the way the recovery does.
    Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4

2011-10-31  refactor ui functions into a class  [Doug Zongker, 1 file, -2/+4]
    Move all the functions in ui.c to be members of a ScreenRecoveryUI class, which is a subclass of an abstract RecoveryUI class. Recovery then creates a global singleton instance of this class and then invokes the methods to drive the UI. We use this to allow substitution of a different RecoveryUI implementation for devices with radically different form factors (eg, that don't have a screen).
    Change-Id: I76bdd34eca506149f4cc07685df6a4890473f3d9

2011-10-31  turn recovery into a C++ binary  [Doug Zongker, 1 file, -6/+7]
    Change-Id: I423a23581048d451d53eef46e5f5eac485b77555
2011-10-28  turn recovery into a C++ binary  [Doug Zongker, 1 file, -184/+0]
    Change-Id: I68a67a4c8edec9a74463b3d4766005ce27b51316

2011-03-15  log which key a package verified against in recovery  [Doug Zongker, 1 file, -1/+1]
    Change-Id: I0d91b715d1eb9e45e2fce54bb93ba0abef92727e

2010-01-13  android-2.1_r1 snapshot  [The Android Open Source Project, 1 file, -1/+1]

2009-12-10  add a simple unit test for the OTA package verifier  [Doug Zongker, 1 file, -2/+2]

2009-12-09  Security: Fix typo in recovery EOCD detection.  [Steve Kondik, 1 file, -1/+1]
    This issue results in the ability to modify the contents of a signed OTA recovery image.

2009-12-09  fix cut-and-paste error in verifier  [Doug Zongker, 1 file, -1/+1]
    Oops.

2009-11-13  eclair snapshot  [Jean-Baptiste Queru, 1 file, -308/+131]

2009-08-17  do not merge: cherry-picked 60151a295ccf726238dc47456d80b427db6d6a38 from master branch  [Doug Zongker, 1 file, -308/+131]

2009-08-15  verify whole-file signature instead of jarsigner signatures  [Doug Zongker, 1 file, -308/+131]
    In recovery, verify a signature that covers the entire zip file, instead of using the jarsigner format to verify individual files.
    Bug: 1328985

2009-03-04  auto import from //depot/cupcake/@135843  [The Android Open Source Project, 1 file, -0/+361]

2009-03-04  auto import from //depot/cupcake/@135843  [The Android Open Source Project, 1 file, -361/+0]

2008-12-18  Code drop from //branches/cupcake/...@124589  [The Android Open Source Project, 1 file, -1/+3]