commit 6cf830b8913e741d7d3c7ed047b2cbdbb222034e
author Tianjie Xu <xunchang@google.com> Mon Sep 30 11:31:49 2019 -0700
committer Tianjie Xu <xunchang@google.com> Fri Oct 04 18:29:37 2019 +0000
tree 834340d818e6604ef8b944b3ce31a0388ed28935
parent c288d5ba2182a0b2742fa93d04db3e024b00e98e

Factor out the RSA verification in payload verifier

Right now, the payload is always signed with a RSA key, and the payload
verifier takes the public key as a PEM encoded string.

As we want to support payload signing with EC keys, we need to figure
out the key types first in the verifier. So, add an overload function in
payload verifier to accept EVP_PKEY as the public key.

Bug: 141244025
Test: unittests pass
Change-Id: Ibbdac5a7a3de48347100861aeac0013bff43da6f

payload_consumer/payload_metadata.cc

diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index 3739767..c81d3a9 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -201,32 +201,26 @@
     return ErrorCode::kDownloadMetadataSignatureVerificationError;
   }
 
+  auto payload_verifier = PayloadVerifier::CreateInstance(pem_public_key);
+  if (!payload_verifier) {
+    LOG(ERROR) << "Failed to create the payload verifier from "
+               << pem_public_key;
+    return ErrorCode::kDownloadMetadataSignatureVerificationError;
+  }
+
   if (!metadata_signature_blob.empty()) {
-    brillo::Blob expected_metadata_hash;
-    if (!PayloadVerifier::GetRawHashFromSignature(
-            metadata_signature_blob, pem_public_key, &expected_metadata_hash)) {
-      LOG(ERROR) << "Unable to compute expected hash from metadata signature";
-      return ErrorCode::kDownloadMetadataSignatureError;
-    }
-
-    brillo::Blob padded_metadata_hash = metadata_hash;
-    if (!PayloadVerifier::PadRSASHA256Hash(&padded_metadata_hash,
-                                           expected_metadata_hash.size())) {
-      LOG(ERROR) << "Failed to pad the SHA256 hash to "
-                 << expected_metadata_hash.size() << " bytes.";
-      return ErrorCode::kDownloadMetadataSignatureVerificationError;
-    }
-
-    if (padded_metadata_hash != expected_metadata_hash) {
-      LOG(ERROR) << "Manifest hash verification failed. Expected hash = ";
-      utils::HexDumpVector(expected_metadata_hash);
-      LOG(ERROR) << "Calculated hash = ";
-      utils::HexDumpVector(padded_metadata_hash);
+    brillo::Blob decrypted_signature;
+    if (!payload_verifier->VerifyRawSignature(
+            metadata_signature_blob, metadata_hash, &decrypted_signature)) {
+      LOG(ERROR) << "Manifest hash verification failed. Decrypted hash = ";
+      utils::HexDumpVector(decrypted_signature);
+      LOG(ERROR) << "Calculated hash before padding = ";
+      utils::HexDumpVector(metadata_hash);
       return ErrorCode::kDownloadMetadataSignatureMismatch;
     }
   } else {
-    if (!PayloadVerifier::VerifySignature(
-            metadata_signature_protobuf, pem_public_key, metadata_hash)) {
+    if (!payload_verifier->VerifySignature(metadata_signature_protobuf,
+                                           metadata_hash)) {
       LOG(ERROR) << "Manifest hash verification failed.";
       return ErrorCode::kDownloadMetadataSignatureMismatch;
     }