sign.c

// SPDX-License-Identifier: GPL-2.0+
/*
 * Signature support for 'fsverity setup'
 *
 * Copyright (C) 2018 Google LLC
 *
 * Written by Eric Biggers.
 */

#include <fcntl.h>
#include <limits.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <stdlib.h>
#include <string.h>

#include "fsverity_uapi.h"
#include "fsveritysetup.h"
#include "hash_algs.h"

static void __printf(1, 2) __cold
error_msg_openssl(const char *format, ...)
{
	va_list va;

	va_start(va, format);
	do_error_msg(format, va, 0);
	va_end(va);

	if (ERR_peek_error() == 0)
		return;

	fprintf(stderr, "OpenSSL library errors:\n");
	ERR_print_errors_fp(stderr);
}

/* Read a PEM PKCS#8 formatted private key */
static EVP_PKEY *read_private_key(const char *keyfile)
{
	BIO *bio;
	EVP_PKEY *pkey;

	bio = BIO_new_file(keyfile, "r");
	if (!bio) {
		error_msg_openssl("can't open '%s' for reading", keyfile);
		return NULL;
	}

	pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
	if (!pkey) {
		error_msg_openssl("Failed to parse private key file '%s'.\n"
				  "       Note: it must be in PEM PKCS#8 format.",
				  keyfile);
	}
	BIO_free(bio);
	return pkey;
}

/* Read a PEM X.509 formatted certificate */
static X509 *read_certificate(const char *certfile)
{
	BIO *bio;
	X509 *cert;

	bio = BIO_new_file(certfile, "r");
	if (!bio) {
		error_msg_openssl("can't open '%s' for reading", certfile);
		return NULL;
	}
	cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
	if (!cert) {
		error_msg_openssl("Failed to parse X.509 certificate file '%s'.\n"
				  "       Note: it must be in PEM format.",
				  certfile);
	}
	BIO_free(bio);
	return cert;
}

/*
 * Check that the given data is a valid 'struct fsverity_digest_disk' that
 * matches the given @expected_digest and @hash_alg.
 *
 * Return: NULL if the digests match, else a string describing the difference.
 */
static const char *
compare_fsverity_digest(const void *data, size_t size,
			const u8 *expected_digest,
			const struct fsverity_hash_alg *hash_alg)
{
	const struct fsverity_digest_disk *d = data;

	if (size != sizeof(*d) + hash_alg->digest_size)
		return "unexpected length";

	if (le16_to_cpu(d->digest_algorithm) != hash_alg - fsverity_hash_algs)
		return "unexpected hash algorithm";

	if (le16_to_cpu(d->digest_size) != hash_alg->digest_size)
		return "wrong digest size for hash algorithm";

	if (memcmp(expected_digest, d->digest, hash_alg->digest_size))
		return "wrong digest";

	return NULL;
}

#ifdef OPENSSL_IS_BORINGSSL

static bool sign_pkcs7(const void *data_to_sign, size_t data_size,
		       EVP_PKEY *pkey, X509 *cert, const EVP_MD *md,
		       void **sig_ret, int *sig_size_ret)
{
	CBB out, outer_seq, wrapped_seq, seq, digest_algos_set, digest_algo,
		null, content_info, issuer_and_serial, signed_data,
		wrapped_signed_data, signer_infos, signer_info, sign_algo,
		signature;
	EVP_MD_CTX md_ctx;
	u8 *name_der = NULL, *sig = NULL, *pkcs7_data = NULL;
	size_t pkcs7_data_len, sig_len;
	int name_der_len, sig_nid;
	bool ok = false;

	EVP_MD_CTX_init(&md_ctx);
	BIGNUM *serial = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);

	if (!CBB_init(&out, 1024)) {
		error_msg("out of memory");
		goto out;
	}

	name_der_len = i2d_X509_NAME(X509_get_subject_name(cert), &name_der);
	if (name_der_len < 0) {
		error_msg_openssl("i2d_X509_NAME failed");
		goto out;
	}

	if (!EVP_DigestSignInit(&md_ctx, NULL, md, NULL, pkey)) {
		error_msg_openssl("EVP_DigestSignInit failed");
		goto out;
	}

	sig_len = EVP_PKEY_size(pkey);
	sig = xmalloc(sig_len);
	if (!EVP_DigestSign(&md_ctx, sig, &sig_len, data_to_sign, data_size)) {
		error_msg_openssl("EVP_DigestSign failed");
		goto out;
	}

	sig_nid = EVP_PKEY_id(pkey);
	/* To mirror OpenSSL behaviour, always use |NID_rsaEncryption| with RSA
	 * rather than the combined hash+pkey NID. */
	if (sig_nid != NID_rsaEncryption) {
		OBJ_find_sigid_by_algs(&sig_nid, EVP_MD_type(md),
				       EVP_PKEY_id(pkey));
	}

	// See https://tools.ietf.org/html/rfc2315#section-7
	if (!CBB_add_asn1(&out, &outer_seq, CBS_ASN1_SEQUENCE) ||
	    !OBJ_nid2cbb(&outer_seq, NID_pkcs7_signed) ||
	    !CBB_add_asn1(&outer_seq, &wrapped_seq, CBS_ASN1_CONTEXT_SPECIFIC |
			  CBS_ASN1_CONSTRUCTED | 0) ||
	    // See https://tools.ietf.org/html/rfc2315#section-9.1
	    !CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) ||
	    !CBB_add_asn1_uint64(&seq, 1 /* version */) ||
	    !CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) ||
	    !CBB_add_asn1(&digest_algos_set, &digest_algo, CBS_ASN1_SEQUENCE) ||
	    !OBJ_nid2cbb(&digest_algo, EVP_MD_type(md)) ||
	    !CBB_add_asn1(&digest_algo, &null, CBS_ASN1_NULL) ||
	    !CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) ||
	    !OBJ_nid2cbb(&content_info, NID_pkcs7_data) ||
	    !CBB_add_asn1(
		&content_info, &signed_data,
		CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
	    !CBB_add_asn1(&signed_data, &wrapped_signed_data,
			  CBS_ASN1_OCTETSTRING) ||
	    !CBB_add_bytes(&wrapped_signed_data, (const u8 *)data_to_sign,
			   data_size) ||
	    !CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET) ||
	    !CBB_add_asn1(&signer_infos, &signer_info, CBS_ASN1_SEQUENCE) ||
	    !CBB_add_asn1_uint64(&signer_info, 1 /* version */) ||
	    !CBB_add_asn1(&signer_info, &issuer_and_serial,
			  CBS_ASN1_SEQUENCE) ||
	    !CBB_add_bytes(&issuer_and_serial, name_der, name_der_len) ||
	    !BN_marshal_asn1(&issuer_and_serial, serial) ||
	    !CBB_add_asn1(&signer_info, &digest_algo, CBS_ASN1_SEQUENCE) ||
	    !OBJ_nid2cbb(&digest_algo, EVP_MD_type(md)) ||
	    !CBB_add_asn1(&digest_algo, &null, CBS_ASN1_NULL) ||
	    !CBB_add_asn1(&signer_info, &sign_algo, CBS_ASN1_SEQUENCE) ||
	    !OBJ_nid2cbb(&sign_algo, sig_nid) ||
	    !CBB_add_asn1(&sign_algo, &null, CBS_ASN1_NULL) ||
	    !CBB_add_asn1(&signer_info, &signature, CBS_ASN1_OCTETSTRING) ||
	    !CBB_add_bytes(&signature, sig, sig_len) ||
	    !CBB_finish(&out, &pkcs7_data, &pkcs7_data_len)) {
		error_msg_openssl("failed to construct PKCS#7 data");
		goto out;
	}

	*sig_ret = xmemdup(pkcs7_data, pkcs7_data_len);
	*sig_size_ret = pkcs7_data_len;
	ok = true;
out:
	BN_free(serial);
	EVP_MD_CTX_cleanup(&md_ctx);
	CBB_cleanup(&out);
	free(sig);
	OPENSSL_free(name_der);
	OPENSSL_free(pkcs7_data);
	return ok;
}

static const char *
compare_fsverity_digest_pkcs7(const void *sig, size_t sig_len,
			      const u8 *expected_measurement,
			      const struct fsverity_hash_alg *hash_alg)
{
	CBS in, content_info, content_type, wrapped_signed_data, signed_data,
		content, wrapped_data, data;
	u64 version;

	CBS_init(&in, sig, sig_len);
	if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||
	    !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT) ||
	    (OBJ_cbs2nid(&content_type) != NID_pkcs7_signed) ||
	    !CBS_get_asn1(
		&content_info, &wrapped_signed_data,
		CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
	    !CBS_get_asn1(&wrapped_signed_data, &signed_data,
			  CBS_ASN1_SEQUENCE) ||
	    !CBS_get_asn1_uint64(&signed_data, &version) ||
	    (version < 1) ||
	    !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||
	    !CBS_get_asn1(&signed_data, &content, CBS_ASN1_SEQUENCE) ||
	    !CBS_get_asn1(&content, &content_type, CBS_ASN1_OBJECT) ||
	    (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) ||
	    !CBS_get_asn1(&content, &wrapped_data, CBS_ASN1_CONTEXT_SPECIFIC |
						   CBS_ASN1_CONSTRUCTED | 0) ||
	    !CBS_get_asn1(&wrapped_data, &data, CBS_ASN1_OCTETSTRING)) {
		return "invalid PKCS#7 data";
	}

	return compare_fsverity_digest(CBS_data(&data), CBS_len(&data),
				       expected_measurement, hash_alg);
}

#else /* OPENSSL_IS_BORINGSSL */

static BIO *new_mem_buf(const void *buf, size_t size)
{
	BIO *bio;

	ASSERT(size <= INT_MAX);
	/*
	 * Prior to OpenSSL 1.1.0, BIO_new_mem_buf() took a non-const pointer,
	 * despite still marking the resulting bio as read-only.  So cast away
	 * the const to avoid a compiler warning with older OpenSSL versions.
	 */
	bio = BIO_new_mem_buf((void *)buf, size);
	if (!bio)
		error_msg_openssl("out of memory");
	return bio;
}

static bool sign_pkcs7(const void *data_to_sign, size_t data_size,
		       EVP_PKEY *pkey, X509 *cert, const EVP_MD *md,
		       void **sig_ret, int *sig_size_ret)
{
	/*
	 * PKCS#7 signing flags:
	 *
	 * - PKCS7_BINARY	signing binary data, so skip MIME translation
	 *
	 * - PKCS7_NOATTR	omit extra authenticated attributes, such as
	 *			SMIMECapabilities
	 *
	 * - PKCS7_NOCERTS	omit the signer's certificate
	 *
	 * - PKCS7_PARTIAL	PKCS7_sign() creates a handle only, then
	 *			PKCS7_sign_add_signer() can add a signer later.
	 *			This is necessary to change the message digest
	 *			algorithm from the default of SHA-1.  Requires
	 *			OpenSSL 1.0.0 or later.
	 */
	int pkcs7_flags = PKCS7_BINARY | PKCS7_NOATTR | PKCS7_NOCERTS |
			  PKCS7_PARTIAL;
	void *sig;
	int sig_size;
	BIO *bio = NULL;
	PKCS7 *p7 = NULL;
	bool ok = false;

	bio = new_mem_buf(data_to_sign, data_size);
	if (!bio)
		goto out;

	p7 = PKCS7_sign(NULL, NULL, NULL, bio, pkcs7_flags);
	if (!p7) {
		error_msg_openssl("failed to initialize PKCS#7 signature object");
		goto out;
	}

	if (!PKCS7_sign_add_signer(p7, cert, pkey, md, pkcs7_flags)) {
		error_msg_openssl("failed to add signer to PKCS#7 signature object");
		goto out;
	}

	if (PKCS7_final(p7, bio, pkcs7_flags) != 1) {
		error_msg_openssl("failed to finalize PKCS#7 signature");
		goto out;
	}

	BIO_free(bio);
	bio = BIO_new(BIO_s_mem());
	if (!bio) {
		error_msg_openssl("out of memory");
		goto out;
	}

	if (i2d_PKCS7_bio(bio, p7) != 1) {
		error_msg_openssl("failed to DER-encode PKCS#7 signature object");
		goto out;
	}

	sig_size = BIO_get_mem_data(bio, &sig);
	*sig_ret = xmemdup(sig, sig_size);
	*sig_size_ret = sig_size;
	ok = true;
out:
	PKCS7_free(p7);
	BIO_free(bio);
	return ok;
}

static const char *
compare_fsverity_digest_pkcs7(const void *sig, size_t sig_len,
			      const u8 *expected_measurement,
			      const struct fsverity_hash_alg *hash_alg)
{
	BIO *bio = NULL;
	PKCS7 *p7 = NULL;
	const char *reason = NULL;

	bio = new_mem_buf(sig, sig_len);
	if (!bio)
		return "out of memory";

	p7 = d2i_PKCS7_bio(bio, NULL);
	if (!p7) {
		reason = "failed to decode PKCS#7 signature";
		goto out;
	}

	if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed ||
	    OBJ_obj2nid(p7->d.sign->contents->type) != NID_pkcs7_data) {
		reason = "unexpected PKCS#7 content type";
	} else {
		const ASN1_OCTET_STRING *o = p7->d.sign->contents->d.data;

		reason = compare_fsverity_digest(o->data, o->length,
						 expected_measurement,
						 hash_alg);
	}
out:
	BIO_free(bio);
	PKCS7_free(p7);
	return reason;
}

#endif /* !OPENSSL_IS_BORINGSSL */

/*
 * Sign the specified @data_to_sign of length @data_size bytes using the private
 * key in @keyfile, the certificate in @certfile, and the hash algorithm
 * @hash_alg.  Returns the DER-formatted PKCS#7 signature, with the signed data
 * included (not detached), in @sig_ret and @sig_size_ret.
 */
static bool sign_data(const void *data_to_sign, size_t data_size,
		      const char *keyfile, const char *certfile,
		      const struct fsverity_hash_alg *hash_alg,
		      void **sig_ret, int *sig_size_ret)
{
	EVP_PKEY *pkey = NULL;
	X509 *cert = NULL;
	const EVP_MD *md;
	bool ok = false;

	pkey = read_private_key(keyfile);
	if (!pkey)
		goto out;

	cert = read_certificate(certfile);
	if (!cert)
		goto out;

	OpenSSL_add_all_digests();
	ASSERT(hash_alg->cryptographic);
	md = EVP_get_digestbyname(hash_alg->name);
	if (!md) {
		fprintf(stderr,
			"Warning: '%s' algorithm not found in OpenSSL library.\n"
			"         Falling back to SHA-256 signature.\n",
			hash_alg->name);
		md = EVP_sha256();
	}

	ok = sign_pkcs7(data_to_sign, data_size, pkey, cert, md,
			sig_ret, sig_size_ret);
out:
	EVP_PKEY_free(pkey);
	X509_free(cert);
	return ok;
}

/*
 * Read a file measurement signature in PKCS#7 DER format from @signature_file,
 * validate that the signed data matches the expected measurement, then return
 * the PKCS#7 DER message in @sig_ret and @sig_size_ret.
 */
static bool read_signature(const char *signature_file,
			   const u8 *expected_measurement,
			   const struct fsverity_hash_alg *hash_alg,
			   void **sig_ret, int *sig_size_ret)
{
	struct filedes file = { .fd = -1 };
	u64 filesize;
	void *sig = NULL;
	bool ok = false;
	const char *reason;

	if (!open_file(&file, signature_file, O_RDONLY, 0))
		goto out;
	if (!get_file_size(&file, &filesize))
		goto out;
	if (filesize <= 0) {
		error_msg("signature file '%s' is empty", signature_file);
		goto out;
	}
	if (filesize > 1000000) {
		error_msg("signature file '%s' is too large", signature_file);
		goto out;
	}
	sig = xmalloc(filesize);
	if (!full_read(&file, sig, filesize))
		goto out;

	reason = compare_fsverity_digest_pkcs7(sig, filesize,
					       expected_measurement, hash_alg);
	if (reason) {
		error_msg("signed file measurement from '%s' is invalid (%s)",
			  signature_file, reason);
		goto out;
	}

	printf("Using existing signed file measurement from '%s'\n",
	       signature_file);
	*sig_ret = sig;
	*sig_size_ret = filesize;
	sig = NULL;
	ok = true;
out:
	filedes_close(&file);
	free(sig);
	return ok;
}

static bool write_signature(const char *signature_file,
			    const void *sig, int sig_size)
{
	struct filedes file;
	bool ok;

	if (!open_file(&file, signature_file, O_WRONLY|O_CREAT|O_TRUNC, 0644))
		return false;
	ok = full_write(&file, sig, sig_size);
	ok &= filedes_close(&file);
	if (ok)
		printf("Wrote signed file measurement to '%s'\n",
		       signature_file);
	return ok;
}

/*
 * Append the signed file measurement to the output file as a PKCS7_SIGNATURE
 * extension item.
 *
 * Return: exit status code (0 on success, nonzero on failure)
 */
int append_signed_measurement(struct filedes *out,
			      const struct fsveritysetup_params *params,
			      const u8 *measurement)
{
	struct fsverity_digest_disk *data_to_sign = NULL;
	void *sig = NULL;
	void *extbuf = NULL;
	void *tmp;
	int sig_size;
	int status;

	if (params->signing_key_file) {
		size_t data_size = sizeof(*data_to_sign) +
				   params->hash_alg->digest_size;

		/* Sign the file measurement using the given key */

		data_to_sign = xzalloc(data_size);
		data_to_sign->digest_algorithm =
			cpu_to_le16(params->hash_alg - fsverity_hash_algs);
		data_to_sign->digest_size =
			cpu_to_le16(params->hash_alg->digest_size);
		memcpy(data_to_sign->digest, measurement,
		       params->hash_alg->digest_size);

		ASSERT(compare_fsverity_digest(data_to_sign, data_size,
					measurement, params->hash_alg) == NULL);

		if (!sign_data(data_to_sign, data_size,
			       params->signing_key_file,
			       params->signing_cert_file ?:
			       params->signing_key_file,
			       params->hash_alg,
			       &sig, &sig_size))
			goto out_err;

		if (params->signature_file &&
		    !write_signature(params->signature_file, sig, sig_size))
			goto out_err;
	} else {
		/* Using a signature that was already created */
		if (!read_signature(params->signature_file, measurement,
				    params->hash_alg, &sig, &sig_size))
			goto out_err;
	}

	tmp = extbuf = xzalloc(FSVERITY_EXTLEN(sig_size));
	fsverity_append_extension(&tmp, FS_VERITY_EXT_PKCS7_SIGNATURE,
				  sig, sig_size);
	ASSERT(tmp == extbuf + FSVERITY_EXTLEN(sig_size));
	if (!full_write(out, extbuf, FSVERITY_EXTLEN(sig_size)))
		goto out_err;
	status = 0;
out:
	free(data_to_sign);
	free(sig);
	free(extbuf);
	return status;

out_err:
	status = 1;
	goto out;
}