futility: show sha1sums for private keys too

Because all of our private key structs carry around the openssl
struct rsa_st data blobs, we can use those blobs to extract the
corresponding public key and generate a digest of it.

This lets us match our public and private keys without having to
rely on the filenames. There's no crypto verification without
actually *using* them, of course, but it's handy for quick reference.

BUG=chromium:231574
BRANCH=none
TEST=make runtests

This also adds a test to ensure that all the public and private
keys generated from the same .pem file have the same sha1sums.

Change-Id: If83492437e3ef37f7c4ebca4675336b75f631901
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/246768
Reviewed-by: Randall Spangler <rspangler@chromium.org>

2 files changed, 40 insertions, 2 deletions

diff --git a/futility/cmd_show.c b/futility/cmd_show.c
index f5f841c1..f4681f37 100644
--- a/futility/cmd_show.c
+++ b/futility/cmd_show.c
@@ -3,6 +3,10 @@
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
+
+#define OPENSSL_NO_SHA
+#include <openssl/rsa.h>
+
 #include <errno.h>
 #include <fcntl.h>
 #include <getopt.h>
@@ -109,15 +113,27 @@ int futil_cb_show_pubkey(struct futil_traverse_state_s *state)
 int futil_cb_show_privkey(struct futil_traverse_state_s *state)
 {
 	VbPrivateKey key;
-	int alg_okay;
+	const unsigned char *start;
+	int len, alg_okay;
 
 	key.algorithm = *(typeof(key.algorithm) *)state->my_area->buf;
+	start = state->my_area->buf + sizeof(key.algorithm);
+	len = state->my_area->len - sizeof(key.algorithm);
+	key.rsa_private_key = d2i_RSAPrivateKey(NULL, &start, len);
 
 	printf("Private Key file:      %s\n", state->in_filename);
 	printf("  Vboot API:           1.0\n");
 	alg_okay = key.algorithm < kNumAlgorithms;
 	printf("  Algorithm:           %" PRIu64 " %s\n", key.algorithm,
 	       alg_okay ? algo_strings[key.algorithm] : "(unknown)");
+	printf("  Key sha1sum:         ");
+	if (key.rsa_private_key) {
+		PrintPrivKeySha1Sum(&key);
+		RSA_free(key.rsa_private_key);
+	} else {
+		printf("<error>");
+	}
+	printf("\n");
 
 	if (alg_okay)
 		state->my_area->_flags |= AREA_IS_VALID;
diff --git a/futility/vb2_helper.c b/futility/vb2_helper.c
index 10aa6097..35541617 100644
--- a/futility/vb2_helper.c
+++ b/futility/vb2_helper.c
@@ -8,6 +8,7 @@
 #include "2common.h"
 #include "2guid.h"
 #include "2rsa.h"
+#include "util_misc.h"
 #include "vb2_common.h"
 #include "vb2_struct.h"
 
@@ -91,6 +92,25 @@ int futil_cb_show_vb2_pubkey(struct futil_traverse_state_s *state)
 	return 0;
 }
 
+static void vb2_print_private_key_sha1sum(struct vb2_private_key *key)
+{
+	uint8_t *buf, *digest;
+	uint32_t buflen;
+	int i;
+
+	if (vb_keyb_from_rsa(key->rsa_private_key, &buf, &buflen)) {
+		printf("<error>");
+		return;
+	}
+
+	digest = DigestBuf(buf, buflen, SHA1_DIGEST_ALGORITHM);
+	for (i = 0; i < SHA1_DIGEST_SIZE; i++)
+		printf("%02x", digest[i]);
+
+	free(digest);
+	free(buf);
+}
+
 int futil_cb_show_vb2_privkey(struct futil_traverse_state_s *state)
 {
 	struct vb2_private_key *key = 0;
@@ -118,7 +138,9 @@ int futil_cb_show_vb2_privkey(struct futil_traverse_state_s *state)
 	printf("  Hash Algorithm:      %d %s\n", key->hash_alg,
 	       entry ? entry->name : "(invalid)");
 	printf("  GUID:                %s\n", guid_str);
-
+	printf("  Key sha1sum:         ");
+	vb2_print_private_key_sha1sum(key);
+	printf("\n");
 
 	vb2_private_key_free(key);
 	return 0;