author | Bill Richardson <wfrichar@chromium.org> | 2015-02-05 10:44:54 -0800 |
committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2015-03-10 23:45:26 +0000 |
commit | 3855e2e948f235c7e4725e5a33b06878fa7b3130 (patch) | |
tree | 3fc38f3a8f225d326ab481bd9919843fdea7ddfa | |
parent | add997fa941ef1a65207bee909a88e368a9b3d22 (diff) | |
download | vboot-3855e2e948f235c7e4725e5a33b06878fa7b3130.tar.gz |
futility: show sha1sums for private keys too
Because all of our private key structs carry an OpenSSL `struct rsa_st` (RSA)
object, we can derive the corresponding public key from it and print a digest
of that: the same sha1sum `futility show` already prints for public keys.
This lets us match our public and private keys without having to
rely on the filenames. There's no crypto verification without
actually *using* them, of course, but it's handy for quick reference.
BUG=chromium:231574
BRANCH=none
TEST=make runtests
This also adds a test to ensure that all the public and private
keys generated from the same .pem file have the same sha1sums.
Change-Id: If83492437e3ef37f7c4ebca4675336b75f631901
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/246768
Reviewed-by: Randall Spangler <rspangler@chromium.org>
-rw-r--r-- | futility/cmd_show.c | 18 | ||||
-rw-r--r-- | futility/vb2_helper.c | 24 | ||||
-rw-r--r-- | host/lib/include/util_misc.h | 8 | ||||
-rw-r--r-- | host/lib/util_misc.c | 19 | ||||
-rwxr-xr-x | tests/futility/test_create.sh | 7 |
5 files changed, 72 insertions, 4 deletions
diff --git a/futility/cmd_show.c b/futility/cmd_show.c
index f5f841c1..f4681f37 100644
--- a/futility/cmd_show.c
+++ b/futility/cmd_show.c
@@ -3,6 +3,10 @@
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
+
+#define OPENSSL_NO_SHA
+#include <openssl/rsa.h>
+
 #include <errno.h>
 #include <fcntl.h>
 #include <getopt.h>
@@ -109,15 +113,27 @@ int futil_cb_show_pubkey(struct futil_traverse_state_s *state)
 int futil_cb_show_privkey(struct futil_traverse_state_s *state)
 {
 VbPrivateKey key;
- int alg_okay;
+ const unsigned char *start;
+ int len, alg_okay;
 key.algorithm = *(typeof(key.algorithm) *)state->my_area->buf;
+ start = state->my_area->buf + sizeof(key.algorithm);
+ len = state->my_area->len - sizeof(key.algorithm);
+ key.rsa_private_key = d2i_RSAPrivateKey(NULL, &start, len);
 printf("Private Key file: %s\n", state->in_filename);
 printf(" Vboot API: 1.0\n");
 alg_okay = key.algorithm < kNumAlgorithms;
 printf(" Algorithm: %" PRIu64 " %s\n", key.algorithm,
 alg_okay ? algo_strings[key.algorithm] : "(unknown)");
+ printf(" Key sha1sum: ");
+ if (key.rsa_private_key) {
+ PrintPrivKeySha1Sum(&key);
+ RSA_free(key.rsa_private_key);
+ } else {
+ printf("<error>");
+ }
+ printf("\n");
 if (alg_okay)
 state->my_area->_flags |= AREA_IS_VALID;
diff --git a/futility/vb2_helper.c b/futility/vb2_helper.c
index 10aa6097..35541617 100644
--- a/futility/vb2_helper.c
+++ b/futility/vb2_helper.c
@@ -8,6 +8,7 @@
 #include "2common.h"
 #include "2guid.h"
 #include "2rsa.h"
+#include "util_misc.h"
 #include "vb2_common.h"
 #include "vb2_struct.h"
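Review bot: `len = state->my_area->len - sizeof(key.algorithm);` is computed with no check that the area holds at least `sizeof(key.algorithm)` bytes, so a truncated or empty file yields a wrapped unsigned difference that is then narrowed into `int` and handed to `d2i_RSAPrivateKey` as its length (the preceding `key.algorithm = *(typeof(key.algorithm) *)state->my_area->buf;` read has the same exposure, but predates this change). Unless the traverser's type recognizer already guarantees a minimum length for private-key areas, which I cannot see from the hunk, the DER parse should be skipped for short inputs so the existing `<error>` branch handles them. Note also that `AREA_IS_VALID` is still set from `alg_okay` alone, so an area whose DER blob fails to parse is still reported valid; that matches the commit message's "no crypto verification" caveat but deserves a comment at that line. `futil_cb_show_privkey` continues past the end of the hunk.
```c
	key.algorithm = *(typeof(key.algorithm) *)state->my_area->buf;
	/* Only hand OpenSSL the bytes that actually follow the algorithm field. */
	key.rsa_private_key = NULL;
	if (state->my_area->len > sizeof(key.algorithm)) {
		start = state->my_area->buf + sizeof(key.algorithm);
		len = state->my_area->len - sizeof(key.algorithm);
		key.rsa_private_key = d2i_RSAPrivateKey(NULL, &start, len);
	}
	/* … unchanged: header printing, sha1sum output, AREA_IS_VALID … */
```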
@@ -91,6 +92,25 @@ int futil_cb_show_vb2_pubkey(struct futil_traverse_state_s *state)
 return 0;
 }
+static void vb2_print_private_key_sha1sum(struct vb2_private_key *key)
+{
+ uint8_t *buf, *digest;
+ uint32_t buflen;
+ int i;
+
+ if (vb_keyb_from_rsa(key->rsa_private_key, &buf, &buflen)) {
+ printf("<error>");
+ return;
+ }
+
+ digest = DigestBuf(buf, buflen, SHA1_DIGEST_ALGORITHM);
+ for (i = 0; i < SHA1_DIGEST_SIZE; i++)
+ printf("%02x", digest[i]);
+
+ free(digest);
+ free(buf);
+}
+
 int futil_cb_show_vb2_privkey(struct futil_traverse_state_s *state)
 {
 struct vb2_private_key *key = 0;
@@ -118,7 +138,9 @@ int futil_cb_show_vb2_privkey(struct futil_traverse_state_s *state)
 printf(" Hash Algorithm: %d %s\n", key->hash_alg,
 entry ? entry->name : "(invalid)");
 printf(" GUID: %s\n", guid_str);
-
+ printf(" Key sha1sum: ");
+ vb2_print_private_key_sha1sum(key);
+ printf("\n");
 vb2_private_key_free(key);
 return 0;
diff --git a/host/lib/include/util_misc.h b/host/lib/include/util_misc.h
index 0a6ed4c4..d5a08fe3 100644
--- a/host/lib/include/util_misc.h
+++ b/host/lib/include/util_misc.h
@@ -8,11 +8,15 @@
 #ifndef VBOOT_REFERENCE_UTIL_MISC_H_
 #define VBOOT_REFERENCE_UTIL_MISC_H_
+#include "host_key.h"
 #include "vboot_struct.h"
 struct rsa_st;
-/* Prints the sha1sum of the given VbPublicKey to stdout. */
-void PrintPubKeySha1Sum(VbPublicKey* key);
+/* Prints the sha1sum of a VbPublicKey to stdout. */
+void PrintPubKeySha1Sum(VbPublicKey *key);
+
+/* Prints the sha1sum of a VbPrivateKey to stdout. */
+void PrintPrivKeySha1Sum(VbPrivateKey *key);
 /*
 * Our packed RSBPublicKey buffer (historically in files ending with ".keyb",
diff --git a/host/lib/util_misc.c b/host/lib/util_misc.c
index d2c21f52..ecaf8ea3 100644
--- a/host/lib/util_misc.c
+++ b/host/lib/util_misc.c
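Review bot: `vb2_print_private_key_sha1sum` is a line-for-line copy of the `PrintPrivKeySha1Sum` this same commit adds to host/lib/util_misc.c, differing only in the parameter type, and both read nothing but `->rsa_private_key`; since vb2_helper.c now includes util_misc.h anyway, one helper taking the RSA object directly (say `void PrintRsaKeySha1Sum(struct rsa_st *rsa)` in util_misc.c, with `PrintPrivKeySha1Sum` wrapping it) would let this static function collapse to `PrintRsaKeySha1Sum(key->rsa_private_key);`. Either way the result of `DigestBuf` is dereferenced at `printf("%02x", digest[i]);` without a NULL check; if DigestBuf can fail to allocate, which I cannot tell from here, that should fall into the `<error>` branch too. The static helper is complete within the hunk; `futil_cb_show_vb2_privkey` opens here but its body continues outside it.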
@@ -29,6 +29,25 @@ void PrintPubKeySha1Sum(VbPublicKey *key)
 free(digest);
 }
+void PrintPrivKeySha1Sum(VbPrivateKey *key)
+{
+ uint8_t *buf, *digest;
+ uint32_t buflen;
+ int i;
+
+ if (vb_keyb_from_rsa(key->rsa_private_key, &buf, &buflen)) {
+ printf("<error>");
+ return;
+ }
+
+ digest = DigestBuf(buf, buflen, SHA1_DIGEST_ALGORITHM);
+ for (i = 0; i < SHA1_DIGEST_SIZE; i++)
+ printf("%02x", digest[i]);
+
+ free(digest);
+ free(buf);
+}
+
 int vb_keyb_from_rsa(struct rsa_st *rsa_private_key,
 uint8_t **keyb_data, uint32_t *keyb_size)
 {
diff --git a/tests/futility/test_create.sh b/tests/futility/test_create.sh
index e1d8d334..3c1d38e2 100755
--- a/tests/futility/test_create.sh
+++ b/tests/futility/test_create.sh
@@ -34,6 +34,13 @@ for sig in rsa1024 rsa2048 rsa4096 rsa8192; do
 done
 done
+# Demonstrate that the sha1sums are the same for all the keys created from the
+# same .pem files, both public and private, vb1 and vb21.
+for sig in rsa1024 rsa2048 rsa4096 rsa8192; do
+ num=$(${FUTILITY} show ${TMP}_key_${sig}.* | grep sha1sum | uniq | wc -l)
+ [ "$num" -eq "1" ]
+done
+
 # cleanup
 rm -rf ${TMP}*
 exit 0 |
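Review bot: `PrintPrivKeySha1Sum` passes `key->rsa_private_key` straight into `vb_keyb_from_rsa` with no NULL check, while the declaration this commit adds to util_misc.h promises only "Prints the sha1sum of a VbPrivateKey to stdout"; the vb1 caller in cmd_show.c guards the pointer itself, but nothing in the declared contract requires callers to do so. Folding the check into the existing error branch keeps the contract honest: `if (!key->rsa_private_key || vb_keyb_from_rsa(key->rsa_private_key, &buf, &buflen)) {`. I would also tighten the header comment to say what is actually hashed and how failure is reported: `/* Prints the sha1sum of the packed public key derived from a VbPrivateKey's RSA object to stdout, or "<error>" if no usable RSA object is present. */`. The function is complete within the hunk.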
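Review bot: The new assertion `[ "$num" -eq "1" ]` also passes when every key prints `Key sha1sum: <error>`, or when `grep sha1sum` matches only a single file, because it checks only that the matched lines are identical, not that they are real digests or that one appeared per key file. Capture the lines once and check both properties, e.g. `sums=$(${FUTILITY} show ${TMP}_key_${sig}.* | grep sha1sum)`, then `[ "$(echo "$sums" | grep -c '<error>')" -eq "0" ]` and `[ "$(echo "$sums" | uniq | wc -l)" -eq "1" ]`. Comparing the pre-`uniq` line count against the number of `${TMP}_key_${sig}.*` files would close the remaining gap; the surrounding script's error-exit behaviour is outside the hunk, so I have kept the same bare-test style as the existing line.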