//
// Copyright (C) 2013 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
#include <unistd.h>
#include <limits>
#include <string>
#include <vector>
#include <base/command_line.h>
#include <base/logging.h>
#include <base/posix/eintr_wrapper.h>
#include <brillo/syslog_logging.h>
#include <openssl/bio.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
#include <openssl/x509.h>
#include "shill/shims/protos/crypto_util.pb.h"
using shill_protos::EncryptDataMessage;
using shill_protos::EncryptDataResponse;
using shill_protos::VerifyCredentialsMessage;
using shill_protos::VerifyCredentialsResponse;
using std::numeric_limits;
using std::string;
using std::vector;
namespace {
const char kTrustedCAModulus[] =
"BC2280BD80F63A21003BAE765E357F3DC3645C559486342F058728CDF7698C17B350A7B8"
"82FADFC7432DD67EABA06FB7137280A44715C1209950CDEC1462095BA498CDD241B6364E"
"FFE82E32304A81A842A36C9B336ECAB2F55366E02753861A851EA7393F4A778EFB546666"
"FB5854C05E39C7F550060BE08AD4CEE16A551F8B1700E669A327E60825693C129D8D052C"
"D62EA231DEB45250D62049DE71A0F9AD204012F1DD25EBD5E6B836F4D68F7FCA43DCD710"
"5BE63F518A85B3F3FFF6032DCB234F9CAD18E793058CAC529AF74CE9997ABE6E7E4D0AE3"
"C61CA993FA3AA5915D1CBD66EBCC60DC8674CACFF8921C987D57FA61479EAB80B7E44880"
"2A92C51B";
const char kCommandVerify[] = "verify";
const char kCommandEncrypt[] = "encrypt";
const size_t kMacLength = 12;
// Encrypt |data| with |public_key|. |public_key| is the raw bytes of a key in
// RSAPublicKey format. |data| is some string of bytes smaller than the
// maximum length permissable for encryption with a key of |public_key| size.
// |rsa_ptr| should point to NULL (but should not be NULL). This function may
// set *|rsa_ptr| to an RSA object which should be freed in the caller.
// Returns the encrypted result in |encrypted_output| and returns true on
// success. Returns false on failure.
bool EncryptByteStringImpl(const string& public_key,
const string& data,
RSA** rsa_ptr,
string* encrypted_output) {
CHECK(rsa_ptr);
CHECK(!*rsa_ptr);
CHECK(encrypted_output);
// This pointer will be incremented internally by the parsing routine.
const unsigned char* throwaway_ptr =
reinterpret_cast<const unsigned char*>(public_key.data());
*rsa_ptr = d2i_RSAPublicKey(NULL, &throwaway_ptr, public_key.length());
RSA* rsa = *rsa_ptr;
if (!rsa) {
LOG(ERROR) << "Failed to parse public key.";
return false;
}
vector<unsigned char> rsa_output(RSA_size(rsa));
LOG(INFO) << "Encrypting data with public key.";
const int encrypted_length = RSA_public_encrypt(
data.length(),
// The API helpfully tells us that this operation will treat this buffer
// as read only, but fails to mark the parameter const.
reinterpret_cast<unsigned char*>(const_cast<char*>(data.data())),
rsa_output.data(),
rsa,
RSA_PKCS1_PADDING);
if (encrypted_length <= 0) {
LOG(ERROR) << "Error during encryption.";
return false;
}
encrypted_output->assign(reinterpret_cast<char*>(rsa_output.data()),
encrypted_length);
return true;
}
// Parse the EncryptDataMessage contained in |raw_input| and return an
// EncryptDataResponse in output on success. Returns true on success and
// false otherwise.
bool EncryptByteString(const string& raw_input, string* output) {
EncryptDataMessage message;
if (!message.ParseFromString(raw_input)) {
LOG(ERROR) << "Failed to read VerifyCredentialsMessage from stdin.";
return false;
}
if (!message.has_public_key() || !message.has_data()) {
LOG(ERROR) << "Request lacked necessary fields.";
return false;
}
RSA* rsa = NULL;
string encrypted_output;
bool operation_successful = EncryptByteStringImpl(
message.public_key(), message.data(), &rsa, &encrypted_output);
if (rsa) {
RSA_free(rsa);
rsa = NULL;
}
if (operation_successful) {
LOG(INFO) << "Filling out protobuf.";
EncryptDataResponse response;
response.set_encrypted_data(encrypted_output);
response.set_ret(shill_protos::OK);
output->clear();
LOG(INFO) << "Serializing protobuf.";
if (!response.SerializeToString(output)) {
LOG(ERROR) << "Failed while writing encrypted data.";
return false;
}
LOG(INFO) << "Encoding finished successfully.";
}
return operation_successful;
}
// Verify that the destination described by |certificate| is valid.
//
// 1) The MAC address listed in the certificate matches |connected_mac|.
// 2) The certificate is a valid PEM encoded certificate signed by our
// trusted CA.
// 3) |signed_data| matches the hashed |unsigned_data| encrypted with
// the public key in |certificate|.
//
// All pointers should be valid, but point to NULL values. Sets* ptr to
// NULL or a valid object which should be freed with the appropriate destructor
// upon completion.
bool VerifyCredentialsImpl(const string& certificate,
const string& signed_data,
const string& unsigned_data,
const string& connected_mac,
RSA** rsa_ptr,
EVP_PKEY** pkey_ptr,
BIO** raw_certificate_bio_ptr,
X509** x509_ptr) {
CHECK(rsa_ptr);
CHECK(pkey_ptr);
CHECK(raw_certificate_bio_ptr);
CHECK(x509_ptr);
CHECK(!*rsa_ptr);
CHECK(!*pkey_ptr);
CHECK(!*raw_certificate_bio_ptr);
CHECK(!*x509_ptr);
*rsa_ptr = RSA_new();
RSA* rsa = *rsa_ptr;
*pkey_ptr = EVP_PKEY_new();
EVP_PKEY* pkey = *pkey_ptr;
if (!rsa || !pkey) {
LOG(ERROR) << "Failed to allocate key.";
return false;
}
rsa->e = BN_new();
rsa->n = BN_new();
if (!rsa->e || !rsa->n ||
!BN_set_word(rsa->e, RSA_F4) ||
!BN_hex2bn(&rsa->n, kTrustedCAModulus)) {
LOG(ERROR) << "Failed to allocate key pieces.";
return false;
}
if (!EVP_PKEY_assign_RSA(pkey, rsa)) {
LOG(ERROR) << "Failed to assign RSA to PKEY.";
return false;
}
*rsa_ptr = NULL; // pkey took ownership
// Another helpfully unmarked const interface.
*raw_certificate_bio_ptr = BIO_new_mem_buf(
const_cast<char*>(certificate.data()), certificate.length());
BIO* raw_certificate_bio = *raw_certificate_bio_ptr;
if (!raw_certificate_bio) {
LOG(ERROR) << "Failed to allocate openssl certificate buffer.";
return false;
}
// No callback for a passphrase, and no passphrase either.
*x509_ptr = PEM_read_bio_X509(raw_certificate_bio, NULL, NULL, NULL);
X509* x509 = *x509_ptr;
if (!x509) {
LOG(ERROR) << "Failed to parse certificate.";
return false;
}
if (X509_verify(x509, pkey) <= 0) {
LOG(ERROR) << "Failed to verify certificate.";
return false;
}
// Check that the device listed in the certificate is correct.
char device_name[100]; // A longer CN will truncate.
const int device_name_length = X509_NAME_get_text_by_NID(
x509->cert_info->subject,
NID_commonName,
device_name,
arraysize(device_name));
if (device_name_length == -1) {
LOG(ERROR) << "Subject invalid.";
return false;
}
// Something like evt_e161 001a11ffacdf
string device_cn(device_name, device_name_length);
const size_t space_idx = device_cn.rfind(' ');
if (space_idx == string::npos) {
LOG(ERROR) << "Badly formatted subject";
return false;
}
string device_mac;
for (size_t i = space_idx + 1; i < device_cn.length(); ++i) {
device_mac.push_back(tolower(device_cn[i]));
}
if (connected_mac != device_mac) {
LOG(ERROR) << "MAC addresses don't match.";
return false;
}
// Excellent, the certificate checks out, now make sure that the certificate
// matches the unsigned data presented.
// We're going to verify that hash(unsigned_data) == public(signed_data)
EVP_PKEY* cert_pubkey = X509_get_pubkey(x509);
if (!cert_pubkey) {
LOG(ERROR) << "Unable to extract public key from certificate.";
return false;
}
RSA* cert_rsa = EVP_PKEY_get1_RSA(cert_pubkey);
if (!cert_rsa) {
LOG(ERROR) << "Failed to extract RSA key from certificate.";
return false;
}
const unsigned char* signature =
reinterpret_cast<const unsigned char*>(signed_data.data());
const size_t signature_len = signed_data.length();
unsigned char* unsigned_data_bytes =
reinterpret_cast<unsigned char*>(const_cast<char*>(
unsigned_data.data()));
const size_t unsigned_data_len = unsigned_data.length();
unsigned char digest[SHA_DIGEST_LENGTH];
if (signature_len > numeric_limits<unsigned int>::max()) {
LOG(ERROR) << "Arguments to signature match were too large.";
return false;
}
SHA1(unsigned_data_bytes, unsigned_data_len, digest);
if (RSA_verify(NID_sha1, digest, arraysize(digest),
signature, signature_len, cert_rsa) != 1) {
LOG(ERROR) << "Signed blobs did not match.";
return false;
}
return true;
}
// Verify the credentials of the destination described in |raw_input|. Takes
// a serialized VerifyCredentialsMessage protobuffer in |raw_input|, returns a
// serialized VerifyCredentialsResponse protobuffer in |output| on success.
// Returns false if the credentials fail to meet a check, and true on success.
bool VerifyCredentials(const string& raw_input, string* output) {
VerifyCredentialsMessage message;
if (!message.ParseFromString(raw_input)) {
LOG(ERROR) << "Failed to read VerifyCredentialsMessage from stdin.";
return false;
}
if (!message.has_certificate() || !message.has_signed_data() ||
!message.has_unsigned_data() || !message.has_mac_address()) {
LOG(ERROR) << "Request lacked necessary fields.";
return false;
}
string connected_mac;
for (size_t i = 0; i < message.mac_address().length(); ++i) {
const char c = message.mac_address()[i];
if (c != ':') {
connected_mac.push_back(tolower(c));
}
}
if (connected_mac.length() != kMacLength) {
LOG(ERROR) << "shill gave us a bad MAC?";
return false;
}
RSA* rsa = NULL;
EVP_PKEY* pkey = NULL;
BIO* raw_certificate_bio = NULL;
X509* x509 = NULL;
bool operation_successful = VerifyCredentialsImpl(message.certificate(),
message.signed_data(), message.unsigned_data(), connected_mac,
&rsa, &pkey, &raw_certificate_bio, &x509);
if (x509) {
X509_free(x509);
x509 = NULL;
}
if (raw_certificate_bio) {
BIO_free(raw_certificate_bio);
raw_certificate_bio = NULL;
}
if (pkey) {
EVP_PKEY_free(pkey);
pkey = NULL;
}
if (rsa) {
RSA_free(rsa);
rsa = NULL;
}
if (operation_successful) {
LOG(INFO) << "Filling out protobuf.";
VerifyCredentialsResponse response;
response.set_ret(shill_protos::OK);
output->clear();
LOG(INFO) << "Serializing protobuf.";
if (!response.SerializeToString(output)) {
LOG(ERROR) << "Failed while writing encrypted data.";
return false;
}
LOG(INFO) << "Encoding finished successfully.";
}
return operation_successful;
}
// Read the full stdin stream into a buffer, and execute the operation
// described in |command| with the contends of the stdin buffer. Write
// the serialized protocol buffer output of the command to stdout.
bool ParseAndExecuteCommand(const string& command) {
string raw_input;
char input_buffer[512];
LOG(INFO) << "Reading input for command " << command << ".";
while (true) {
const ssize_t bytes_read = HANDLE_EINTR(read(STDIN_FILENO,
input_buffer,
arraysize(input_buffer)));
if (bytes_read < 0) {
// Abort abort abort.
LOG(ERROR) << "Failed while reading from stdin.";
return false;
} else if (bytes_read > 0) {
raw_input.append(input_buffer, bytes_read);
} else {
break;
}
}
LOG(INFO) << "Read " << raw_input.length() << " bytes.";
ERR_clear_error();
string raw_output;
bool ret = false;
if (command == kCommandVerify) {
ret = VerifyCredentials(raw_input, &raw_output);
} else if (command == kCommandEncrypt) {
ret = EncryptByteString(raw_input, &raw_output);
} else {
LOG(ERROR) << "Invalid usage.";
return false;
}
if (!ret) {
LOG(ERROR) << "Last OpenSSL error: "
<< ERR_reason_error_string(ERR_get_error());
}
size_t total_bytes_written = 0;
while (total_bytes_written < raw_output.length()) {
const ssize_t bytes_written = HANDLE_EINTR(write(
STDOUT_FILENO,
raw_output.data() + total_bytes_written,
raw_output.length() - total_bytes_written));
if (bytes_written < 0) {
LOG(ERROR) << "Result write failed with: " << errno;
return false;
}
total_bytes_written += bytes_written;
}
return ret;
}
} // namespace
int main(int argc, char** argv) {
base::CommandLine::Init(argc, argv);
brillo::InitLog(brillo::kLogToStderr | brillo::kLogHeader);
LOG(INFO) << "crypto-util in action";
if (argc != 2) {
LOG(ERROR) << "Invalid usage";
return EXIT_FAILURE;
}
const char* command = argv[1];
if (strcmp(kCommandVerify, command) && strcmp(kCommandEncrypt, command)) {
LOG(ERROR) << "Invalid command";
return EXIT_FAILURE;
}
CRYPTO_malloc_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
int return_code = EXIT_FAILURE;
if (ParseAndExecuteCommand(command)) {
return_code = EXIT_SUCCESS;
}
close(STDOUT_FILENO);
close(STDIN_FILENO);
CONF_modules_unload(1);
OBJ_cleanup();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
ERR_free_strings();
return return_code;
}