Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0+ |
| 2 | /* |
| 3 | * ECDSA image signing implementation using libcrypto backend |
| 4 | * |
| 5 | * The signature is a binary representation of the (R, S) points, padded to the |
| 6 | * key size. The signature will be (2 * key_size_bits) / 8 bytes. |
| 7 | * |
| 8 | * Deviations from behavior of RSA equivalent: |
| 9 | * - Verification uses private key. This is not technically required, but a |
| 10 | * limitation on how clumsy the openssl API is to use. |
| 11 | * - Handling of keys and key paths: |
| 12 | * - The '-K' key directory option must contain path to the key file, |
| 13 | * instead of the key directory. |
| 14 | * - No assumptions are made about the file extension of the key |
| 15 | * - The 'key-name-hint' property is only used for naming devicetree nodes, |
| 16 | * but is not used for looking up keys on the filesystem. |
| 17 | * |
| 18 | * Copyright (c) 2020,2021, Alexandru Gagniuc <mr.nuke.me@gmail.com> |
| 19 | */ |
| 20 | |
| 21 | #include <u-boot/ecdsa.h> |
| 22 | #include <u-boot/fdt-libcrypto.h> |
| 23 | #include <openssl/ssl.h> |
| 24 | #include <openssl/ec.h> |
| 25 | #include <openssl/bn.h> |
| 26 | |
| 27 | /* Image signing context for openssl-libcrypto */ |
| 28 | struct signer { |
| 29 | EVP_PKEY *evp_key; /* Pointer to EVP_PKEY object */ |
| 30 | EC_KEY *ecdsa_key; /* Pointer to EC_KEY object */ |
| 31 | void *hash; /* Pointer to hash used for verification */ |
| 32 | void *signature; /* Pointer to output signature. Do not free()!*/ |
| 33 | }; |
| 34 | |
| 35 | static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info) |
| 36 | { |
| 37 | memset(ctx, 0, sizeof(*ctx)); |
| 38 | |
| 39 | if (!OPENSSL_init_ssl(0, NULL)) { |
| 40 | fprintf(stderr, "Failure to init SSL library\n"); |
| 41 | return -1; |
| 42 | } |
| 43 | |
| 44 | ctx->hash = malloc(info->checksum->checksum_len); |
| 45 | ctx->signature = malloc(info->crypto->key_len * 2); |
| 46 | |
| 47 | if (!ctx->hash || !ctx->signature) |
| 48 | return -ENOMEM; |
| 49 | |
| 50 | return 0; |
| 51 | } |
| 52 | |
| 53 | static void free_ctx(struct signer *ctx) |
| 54 | { |
| 55 | if (ctx->ecdsa_key) |
| 56 | EC_KEY_free(ctx->ecdsa_key); |
| 57 | |
| 58 | if (ctx->evp_key) |
| 59 | EVP_PKEY_free(ctx->evp_key); |
| 60 | |
| 61 | if (ctx->hash) |
| 62 | free(ctx->hash); |
| 63 | } |
| 64 | |
| 65 | /* |
| 66 | * Convert an ECDSA signature to raw format |
| 67 | * |
| 68 | * openssl DER-encodes 'binary' signatures. We want the signature in a raw |
| 69 | * (R, S) point pair. So we have to dance a bit. |
| 70 | */ |
| 71 | static void ecdsa_sig_encode_raw(void *buf, const ECDSA_SIG *sig, size_t order) |
| 72 | { |
| 73 | int point_bytes = order; |
| 74 | const BIGNUM *r, *s; |
| 75 | uintptr_t s_buf; |
| 76 | |
| 77 | ECDSA_SIG_get0(sig, &r, &s); |
| 78 | s_buf = (uintptr_t)buf + point_bytes; |
| 79 | BN_bn2binpad(r, buf, point_bytes); |
| 80 | BN_bn2binpad(s, (void *)s_buf, point_bytes); |
| 81 | } |
| 82 | |
| 83 | /* Get a signature from a raw encoding */ |
| 84 | static ECDSA_SIG *ecdsa_sig_from_raw(void *buf, size_t order) |
| 85 | { |
| 86 | int point_bytes = order; |
| 87 | uintptr_t s_buf; |
| 88 | ECDSA_SIG *sig; |
| 89 | BIGNUM *r, *s; |
| 90 | |
| 91 | sig = ECDSA_SIG_new(); |
| 92 | if (!sig) |
| 93 | return NULL; |
| 94 | |
| 95 | s_buf = (uintptr_t)buf + point_bytes; |
| 96 | r = BN_bin2bn(buf, point_bytes, NULL); |
| 97 | s = BN_bin2bn((void *)s_buf, point_bytes, NULL); |
| 98 | ECDSA_SIG_set0(sig, r, s); |
| 99 | |
| 100 | return sig; |
| 101 | } |
| 102 | |
| 103 | /* ECDSA key size in bytes */ |
| 104 | static size_t ecdsa_key_size_bytes(const EC_KEY *key) |
| 105 | { |
| 106 | const EC_GROUP *group; |
| 107 | |
| 108 | group = EC_KEY_get0_group(key); |
| 109 | return EC_GROUP_order_bits(group) / 8; |
| 110 | } |
| 111 | |
| 112 | static int read_key(struct signer *ctx, const char *key_name) |
| 113 | { |
| 114 | FILE *f = fopen(key_name, "r"); |
| 115 | |
| 116 | if (!f) { |
| 117 | fprintf(stderr, "Can not get key file '%s'\n", key_name); |
| 118 | return -ENOENT; |
| 119 | } |
| 120 | |
| 121 | ctx->evp_key = PEM_read_PrivateKey(f, NULL, NULL, NULL); |
| 122 | fclose(f); |
| 123 | if (!ctx->evp_key) { |
| 124 | fprintf(stderr, "Can not read key from '%s'\n", key_name); |
| 125 | return -EIO; |
| 126 | } |
| 127 | |
| 128 | if (EVP_PKEY_id(ctx->evp_key) != EVP_PKEY_EC) { |
| 129 | fprintf(stderr, "'%s' is not an ECDSA key\n", key_name); |
| 130 | return -EINVAL; |
| 131 | } |
| 132 | |
| 133 | ctx->ecdsa_key = EVP_PKEY_get1_EC_KEY(ctx->evp_key); |
| 134 | if (!ctx->ecdsa_key) |
| 135 | fprintf(stderr, "Can not extract ECDSA key\n"); |
| 136 | |
| 137 | return (ctx->ecdsa_key) ? 0 : -EINVAL; |
| 138 | } |
| 139 | |
| 140 | /* Prepare a 'signer' context that's ready to sign and verify. */ |
| 141 | static int prepare_ctx(struct signer *ctx, const struct image_sign_info *info) |
| 142 | { |
Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 143 | int key_len_bytes, ret; |
Alexandru Gagniuc | 80c81a3 | 2021-02-19 12:45:19 -0600 | [diff] [blame] | 144 | char kname[1024]; |
| 145 | |
| 146 | memset(ctx, 0, sizeof(*ctx)); |
| 147 | |
| 148 | if (info->keyfile) { |
| 149 | snprintf(kname, sizeof(kname), "%s", info->keyfile); |
| 150 | } else if (info->keydir && info->keyname) { |
| 151 | snprintf(kname, sizeof(kname), "%s/%s.pem", info->keydir, |
| 152 | info->keyname); |
| 153 | } else { |
| 154 | fprintf(stderr, "keyfile, keyname, or key-name-hint missing\n"); |
| 155 | return -EINVAL; |
| 156 | } |
Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 157 | |
| 158 | ret = alloc_ctx(ctx, info); |
| 159 | if (ret) |
| 160 | return ret; |
| 161 | |
| 162 | ret = read_key(ctx, kname); |
| 163 | if (ret) |
| 164 | return ret; |
| 165 | |
| 166 | key_len_bytes = ecdsa_key_size_bytes(ctx->ecdsa_key); |
| 167 | if (key_len_bytes != info->crypto->key_len) { |
| 168 | fprintf(stderr, "Expected a %u-bit key, got %u-bit key\n", |
| 169 | info->crypto->key_len * 8, key_len_bytes * 8); |
| 170 | return -EINVAL; |
| 171 | } |
| 172 | |
| 173 | return 0; |
| 174 | } |
| 175 | |
| 176 | static int do_sign(struct signer *ctx, struct image_sign_info *info, |
| 177 | const struct image_region region[], int region_count) |
| 178 | { |
| 179 | const struct checksum_algo *algo = info->checksum; |
| 180 | ECDSA_SIG *sig; |
| 181 | |
| 182 | algo->calculate(algo->name, region, region_count, ctx->hash); |
| 183 | sig = ECDSA_do_sign(ctx->hash, algo->checksum_len, ctx->ecdsa_key); |
| 184 | |
| 185 | ecdsa_sig_encode_raw(ctx->signature, sig, info->crypto->key_len); |
| 186 | |
| 187 | return 0; |
| 188 | } |
| 189 | |
| 190 | static int ecdsa_check_signature(struct signer *ctx, struct image_sign_info *info) |
| 191 | { |
| 192 | ECDSA_SIG *sig; |
| 193 | int okay; |
| 194 | |
| 195 | sig = ecdsa_sig_from_raw(ctx->signature, info->crypto->key_len); |
| 196 | if (!sig) |
| 197 | return -ENOMEM; |
| 198 | |
| 199 | okay = ECDSA_do_verify(ctx->hash, info->checksum->checksum_len, |
| 200 | sig, ctx->ecdsa_key); |
| 201 | if (!okay) |
| 202 | fprintf(stderr, "WARNING: Signature is fake news!\n"); |
| 203 | |
| 204 | ECDSA_SIG_free(sig); |
| 205 | return !okay; |
| 206 | } |
| 207 | |
| 208 | static int do_verify(struct signer *ctx, struct image_sign_info *info, |
| 209 | const struct image_region region[], int region_count, |
| 210 | uint8_t *raw_sig, uint sig_len) |
| 211 | { |
| 212 | const struct checksum_algo *algo = info->checksum; |
| 213 | |
| 214 | if (sig_len != info->crypto->key_len * 2) { |
| 215 | fprintf(stderr, "Signature has wrong length\n"); |
| 216 | return -EINVAL; |
| 217 | } |
| 218 | |
| 219 | memcpy(ctx->signature, raw_sig, sig_len); |
| 220 | algo->calculate(algo->name, region, region_count, ctx->hash); |
| 221 | |
| 222 | return ecdsa_check_signature(ctx, info); |
| 223 | } |
| 224 | |
| 225 | int ecdsa_sign(struct image_sign_info *info, const struct image_region region[], |
| 226 | int region_count, uint8_t **sigp, uint *sig_len) |
| 227 | { |
| 228 | struct signer ctx; |
| 229 | int ret; |
| 230 | |
| 231 | ret = prepare_ctx(&ctx, info); |
| 232 | if (ret >= 0) { |
| 233 | do_sign(&ctx, info, region, region_count); |
| 234 | *sigp = ctx.signature; |
| 235 | *sig_len = info->crypto->key_len * 2; |
| 236 | |
| 237 | ret = ecdsa_check_signature(&ctx, info); |
| 238 | } |
| 239 | |
| 240 | free_ctx(&ctx); |
| 241 | return ret; |
| 242 | } |
| 243 | |
| 244 | int ecdsa_verify(struct image_sign_info *info, |
| 245 | const struct image_region region[], int region_count, |
| 246 | uint8_t *sig, uint sig_len) |
| 247 | { |
| 248 | struct signer ctx; |
| 249 | int ret; |
| 250 | |
| 251 | ret = prepare_ctx(&ctx, info); |
| 252 | if (ret >= 0) |
| 253 | ret = do_verify(&ctx, info, region, region_count, sig, sig_len); |
| 254 | |
| 255 | free_ctx(&ctx); |
| 256 | return ret; |
| 257 | } |
| 258 | |
| 259 | static int do_add(struct signer *ctx, void *fdt, const char *key_node_name) |
| 260 | { |
| 261 | int signature_node, key_node, ret, key_bits; |
| 262 | const char *curve_name; |
| 263 | const EC_GROUP *group; |
| 264 | const EC_POINT *point; |
| 265 | BIGNUM *x, *y; |
| 266 | |
| 267 | signature_node = fdt_subnode_offset(fdt, 0, FIT_SIG_NODENAME); |
| 268 | if (signature_node < 0) { |
| 269 | fprintf(stderr, "Could not find 'signature node: %s\n", |
| 270 | fdt_strerror(signature_node)); |
| 271 | return signature_node; |
| 272 | } |
| 273 | |
| 274 | key_node = fdt_add_subnode(fdt, signature_node, key_node_name); |
| 275 | if (key_node < 0) { |
| 276 | fprintf(stderr, "Could not create '%s' node: %s\n", |
| 277 | key_node_name, fdt_strerror(key_node)); |
| 278 | return key_node; |
| 279 | } |
| 280 | |
| 281 | group = EC_KEY_get0_group(ctx->ecdsa_key); |
| 282 | key_bits = EC_GROUP_order_bits(group); |
| 283 | curve_name = OBJ_nid2sn(EC_GROUP_get_curve_name(group)); |
| 284 | /* Let 'x' and 'y' memory leak by not BN_free()'ing them. */ |
| 285 | x = BN_new(); |
| 286 | y = BN_new(); |
| 287 | point = EC_KEY_get0_public_key(ctx->ecdsa_key); |
| 288 | EC_POINT_get_affine_coordinates(group, point, x, y, NULL); |
| 289 | |
| 290 | ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name); |
| 291 | if (ret < 0) |
| 292 | return ret; |
| 293 | |
| 294 | ret = fdt_add_bignum(fdt, key_node, "ecdsa,x-point", x, key_bits); |
| 295 | if (ret < 0) |
| 296 | return ret; |
| 297 | |
| 298 | ret = fdt_add_bignum(fdt, key_node, "ecdsa,y-point", y, key_bits); |
| 299 | if (ret < 0) |
| 300 | return ret; |
| 301 | |
| 302 | return 0; |
| 303 | } |
| 304 | |
| 305 | int ecdsa_add_verify_data(struct image_sign_info *info, void *fdt) |
| 306 | { |
| 307 | const char *fdt_key_name; |
| 308 | struct signer ctx; |
| 309 | int ret; |
| 310 | |
| 311 | fdt_key_name = info->keyname ? info->keyname : "default-key"; |
| 312 | ret = prepare_ctx(&ctx, info); |
| 313 | if (ret >= 0) |
| 314 | do_add(&ctx, fdt, fdt_key_name); |
| 315 | |
| 316 | free_ctx(&ctx); |
| 317 | return ret; |
| 318 | } |