| // Copyright 2016 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "component.h" |
| |
| #include <fcntl.h> |
| |
| #include <algorithm> |
| #include <string> |
| #include <utility> |
| #include <vector> |
| |
| #include <base/files/file.h> |
| #include <base/files/file_enumerator.h> |
| #include <base/files/file_path.h> |
| #include <base/files/file_util.h> |
| #include <base/files/scoped_file.h> |
| #include <base/json/json_string_value_serializer.h> |
| #include <base/logging.h> |
| #include <base/numerics/safe_conversions.h> |
| #include <base/posix/eintr_wrapper.h> |
| #include <base/strings/string_number_conversions.h> |
| #include <base/strings/string_util.h> |
| #include <crypto/secure_hash.h> |
| #include <crypto/sha2.h> |
| #include <crypto/signature_verifier.h> |
| |
| #include "helper_process.h" |
| |
| namespace imageloader { |
| |
| namespace { |
| |
| // The name of the imageloader manifest file. |
| constexpr char kManifestName[] = "imageloader.json"; |
| // The name of the fingerprint file. |
| constexpr char kFingerprintName[] = "manifest.fingerprint"; |
| // The manifest signature. |
| constexpr char kManifestSignatureNamePattern[] = "imageloader.sig.[1-2]"; |
| // The current version of the manifest file. |
| constexpr int kCurrentManifestVersion = 1; |
| // The name of the version field in the manifest. |
| constexpr char kManifestVersionField[] = "manifest-version"; |
| // The name of the component version field in the manifest. |
| constexpr char kVersionField[] = "version"; |
| // The name of the field containing the image hash. |
| constexpr char kImageHashField[] = "image-sha256-hash"; |
| // The name of the bool field indicating whether component is removable. |
| constexpr char kIsRemovableField[] = "is-removable"; |
| // The name of the metadata field. |
| constexpr char kMetadataField[] = "metadata"; |
| // The name of the image file (squashfs). |
| constexpr char kImageFileNameSquashFS[] = "image.squash"; |
| // The name of the image file (ext4). |
| constexpr char kImageFileNameExt4[] = "image.ext4"; |
| // The name of the field containing the table hash. |
| constexpr char kTableHashField[] = "table-sha256-hash"; |
| // The name of the optional field containing the file system type. |
| constexpr char kFSType[] = "fs-type"; |
| // The name of the table file. |
| constexpr char kTableFileName[] = "table"; |
| // The maximum size of any file to read into memory. |
| constexpr size_t kMaximumFilesize = 4096 * 10; |
| |
| base::FilePath GetManifestPath(const base::FilePath& component_dir) { |
| return component_dir.Append(kManifestName); |
| } |
| |
| bool GetSignaturePath(const base::FilePath& component_dir, |
| base::FilePath* signature_path, |
| size_t* key_number) { |
| DCHECK(signature_path); |
| DCHECK(key_number); |
| |
| base::FileEnumerator files(component_dir, |
| false, |
| base::FileEnumerator::FileType::FILES, |
| kManifestSignatureNamePattern); |
| for (base::FilePath path = files.Next(); !path.empty(); path = files.Next()) { |
| // Extract the key number. |
| std::string key_ext = path.FinalExtension(); |
| if (key_ext.empty()) |
| continue; |
| |
| size_t ext_number; |
| if (!base::StringToSizeT(key_ext.substr(1), &ext_number)) |
| continue; |
| |
| *signature_path = path; |
| *key_number = ext_number; |
| return true; |
| } |
| return false; |
| } |
| |
| base::FilePath GetSignaturePathForKey(const base::FilePath& component_dir, |
| size_t key_number) { |
| std::string signature_name(kManifestSignatureNamePattern); |
| signature_name = |
| signature_name.substr(0, signature_name.find_last_of('.') + 1); |
| return component_dir.Append(signature_name + base::SizeTToString(key_number)); |
| } |
| |
| base::FilePath GetFingerprintPath(const base::FilePath& component_dir) { |
| return component_dir.Append(kFingerprintName); |
| } |
| |
| base::FilePath GetTablePath(const base::FilePath& component_dir) { |
| return component_dir.Append(kTableFileName); |
| } |
| |
| base::FilePath GetImagePath(const base::FilePath& component_dir, |
| FileSystem fs_type) { |
| if (fs_type == FileSystem::kExt4) |
| return component_dir.Append(kImageFileNameExt4); |
| else if (fs_type == FileSystem::kSquashFS) |
| return component_dir.Append(kImageFileNameSquashFS); |
| else { |
| NOTREACHED(); |
| return base::FilePath(); |
| } |
| } |
| |
| bool WriteFileToDisk(const base::FilePath& path, const std::string& contents) { |
| base::ScopedFD fd(HANDLE_EINTR(open(path.value().c_str(), |
| O_CREAT | O_WRONLY | O_EXCL, |
| kComponentFilePerms))); |
| if (!fd.is_valid()) { |
| PLOG(ERROR) << "Error creating file for " << path.value(); |
| return false; |
| } |
| |
| base::File file(fd.release()); |
| int size = base::checked_cast<int>(contents.size()); |
| return file.Write(0, contents.data(), contents.size()) == size; |
| } |
| |
| bool GetSHA256FromString(const std::string& hash_str, |
| std::vector<uint8_t>* bytes) { |
| if (!base::HexStringToBytes(hash_str, bytes)) |
| return false; |
| return bytes->size() == crypto::kSHA256Length; |
| } |
| |
| bool GetAndVerifyTable(const base::FilePath& path, |
| const std::vector<uint8_t>& hash, |
| std::string* out_table) { |
| std::string table; |
| if (!base::ReadFileToStringWithMaxSize(path, &table, kMaximumFilesize)) { |
| return false; |
| } |
| |
| std::vector<uint8_t> table_hash(crypto::kSHA256Length); |
| crypto::SHA256HashString(table, table_hash.data(), table_hash.size()); |
| if (table_hash != hash) { |
| LOG(ERROR) << "dm-verity table file has the wrong hash."; |
| return false; |
| } |
| |
| out_table->assign(table); |
| return true; |
| } |
| |
| // Ensure the metadata entry is a dictionary mapping strings to strings and |
| // parse it into |out_metadata| and return true if so. |
| bool ParseMetadata(const base::Value* metadata_element, |
| std::map<std::string, std::string>* out_metadata) { |
| DCHECK(out_metadata); |
| |
| const base::DictionaryValue* metadata_dict = nullptr; |
| if (!metadata_element->GetAsDictionary(&metadata_dict)) |
| return false; |
| |
| base::DictionaryValue::Iterator it(*metadata_dict); |
| for (; !it.IsAtEnd(); it.Advance()) { |
| std::string parsed_value; |
| if (!it.value().GetAsString(&parsed_value)) { |
| LOG(ERROR) << "Key \"" << it.key() << "\" did not map to string value"; |
| return false; |
| } |
| |
| (*out_metadata)[it.key()] = std::move(parsed_value); |
| } |
| |
| return true; |
| } |
| |
| } // namespace |
| |
| Component::Component(const base::FilePath& component_dir, int key_number) |
| : component_dir_(component_dir), key_number_(key_number) {} |
| |
| std::unique_ptr<Component> Component::Create( |
| const base::FilePath& component_dir, |
| const Keys& public_keys) { |
| base::FilePath signature_path; |
| size_t key_number; |
| if (!GetSignaturePath(component_dir, &signature_path, &key_number)) { |
| LOG(ERROR) << "Could not find manifest signature"; |
| return nullptr; |
| } |
| if (key_number < 1 || key_number > public_keys.size()) { |
| LOG(ERROR) << "Invalid key number"; |
| return nullptr; |
| } |
| |
| std::unique_ptr<Component> component( |
| new Component(component_dir, key_number)); |
| if (!component->LoadManifest(public_keys[key_number - 1])) |
| return nullptr; |
| return component; |
| } |
| |
| const Component::Manifest& Component::manifest() { |
| return manifest_; |
| } |
| |
| bool Component::Mount(HelperProcess* mounter, const base::FilePath& dest_dir) { |
| // Read the table in and verify the hash. |
| std::string table; |
| if (!GetAndVerifyTable(GetTablePath(component_dir_), manifest_.table_sha256, |
| &table)) { |
| LOG(ERROR) << "Could not read and verify dm-verity table."; |
| return false; |
| } |
| |
| base::FilePath image_path(GetImagePath(component_dir_, manifest_.fs_type)); |
| base::File image(image_path, base::File::FLAG_OPEN | base::File::FLAG_READ); |
| if (!image.IsValid()) { |
| LOG(ERROR) << "Could not open image file."; |
| return false; |
| } |
| base::ScopedFD image_fd(image.TakePlatformFile()); |
| |
| return mounter->SendMountCommand(image_fd.get(), dest_dir.value(), |
| manifest_.fs_type, table); |
| } |
| |
| bool Component::ParseManifest() { |
| // Now deserialize the manifest json and read out the rest of the component. |
| int error_code; |
| std::string error_message; |
| JSONStringValueDeserializer deserializer(manifest_raw_); |
| std::unique_ptr<base::Value> value = |
| deserializer.Deserialize(&error_code, &error_message); |
| |
| if (!value) { |
| LOG(ERROR) << "Could not deserialize the manifest file. Error " |
| << error_code << ": " << error_message; |
| return false; |
| } |
| |
| base::DictionaryValue* manifest_dict = nullptr; |
| if (!value->GetAsDictionary(&manifest_dict)) { |
| LOG(ERROR) << "Could not parse manifest file as JSON."; |
| return false; |
| } |
| |
| // This will have to be changed if the manifest version is bumped. |
| int version; |
| if (!manifest_dict->GetInteger(kManifestVersionField, &version)) { |
| LOG(ERROR) << "Could not parse manifest version field from manifest."; |
| return false; |
| } |
| if (version != kCurrentManifestVersion) { |
| LOG(ERROR) << "Unsupported version of the manifest."; |
| return false; |
| } |
| manifest_.manifest_version = version; |
| |
| std::string image_hash_str; |
| if (!manifest_dict->GetString(kImageHashField, &image_hash_str)) { |
| LOG(ERROR) << "Could not parse image hash from manifest."; |
| return false; |
| } |
| |
| if (!GetSHA256FromString(image_hash_str, &(manifest_.image_sha256))) { |
| LOG(ERROR) << "Could not convert image hash to bytes."; |
| return false; |
| } |
| |
| std::string table_hash_str; |
| if (!manifest_dict->GetString(kTableHashField, &table_hash_str)) { |
| LOG(ERROR) << "Could not parse table hash from manifest."; |
| return false; |
| } |
| |
| if (!GetSHA256FromString(table_hash_str, &(manifest_.table_sha256))) { |
| LOG(ERROR) << "Could not convert table hash to bytes."; |
| return false; |
| } |
| |
| if (!manifest_dict->GetString(kVersionField, &(manifest_.version))) { |
| LOG(ERROR) << "Could not parse component version from manifest."; |
| return false; |
| } |
| |
| // The fs_type field is optional, and squashfs by default. |
| manifest_.fs_type = FileSystem::kSquashFS; |
| std::string fs_type; |
| if (manifest_dict->GetString(kFSType, &fs_type)) { |
| if (fs_type == "ext4") { |
| manifest_.fs_type = FileSystem::kExt4; |
| } else if (fs_type == "squashfs") { |
| manifest_.fs_type = FileSystem::kSquashFS; |
| } else { |
| LOG(ERROR) << "Unsupported file system type: " << fs_type; |
| return false; |
| } |
| } |
| |
| if (!manifest_dict->GetBoolean(kIsRemovableField, |
| &(manifest_.is_removable))) { |
| // If is_removable field does not exist, by default it is false. |
| manifest_.is_removable = false; |
| } |
| |
| // Copy out the metadata, if it's there. |
| const base::Value* metadata = nullptr; |
| if (manifest_dict->Get(kMetadataField, &metadata)) { |
| if (!ParseMetadata(metadata, &(manifest_.metadata))) { |
| LOG(ERROR) << "Manifest metadata was malformed"; |
| return false; |
| } |
| } |
| |
| return true; |
| } |
| |
| bool Component::LoadManifest(const std::vector<uint8_t>& public_key) { |
| if (!base::ReadFileToStringWithMaxSize(GetManifestPath(component_dir_), |
| &manifest_raw_, kMaximumFilesize)) { |
| LOG(ERROR) << "Could not read manifest file."; |
| return false; |
| } |
| if (!base::ReadFileToStringWithMaxSize( |
| GetSignaturePathForKey(component_dir_, key_number_), |
| &manifest_sig_, kMaximumFilesize)) { |
| LOG(ERROR) << "Could not read signature file."; |
| return false; |
| } |
| |
| crypto::SignatureVerifier verifier; |
| |
| if (!verifier.VerifyInit( |
| crypto::SignatureVerifier::ECDSA_SHA256, |
| reinterpret_cast<const uint8_t*>(manifest_sig_.data()), |
| base::checked_cast<int>(manifest_sig_.size()), public_key.data(), |
| base::checked_cast<int>(public_key.size()))) { |
| LOG(ERROR) << "Failed to initialize signature verification."; |
| return false; |
| } |
| |
| verifier.VerifyUpdate(reinterpret_cast<const uint8_t*>(manifest_raw_.data()), |
| base::checked_cast<int>(manifest_raw_.size())); |
| |
| if (!verifier.VerifyFinal()) { |
| LOG(ERROR) << "Manifest failed signature verification."; |
| return false; |
| } |
| return ParseManifest(); |
| } |
| |
| bool Component::CopyTo(const base::FilePath& dest_dir) { |
| if (!WriteFileToDisk(GetManifestPath(dest_dir), manifest_raw_) || |
| !WriteFileToDisk(GetSignaturePathForKey(dest_dir, key_number_), |
| manifest_sig_)) { |
| LOG(ERROR) << "Could not write manifest and signature to disk."; |
| return false; |
| } |
| |
| base::FilePath table_src(GetTablePath(component_dir_)); |
| base::FilePath table_dest(GetTablePath(dest_dir)); |
| if (!CopyComponentFile(table_src, table_dest, manifest_.table_sha256)) { |
| LOG(ERROR) << "Could not copy table file."; |
| return false; |
| } |
| |
| base::FilePath image_src(GetImagePath(component_dir_, manifest_.fs_type)); |
| base::FilePath image_dest(GetImagePath(dest_dir, manifest_.fs_type)); |
| if (!CopyComponentFile(image_src, image_dest, manifest_.image_sha256)) { |
| LOG(ERROR) << "Could not copy image file."; |
| return false; |
| } |
| |
| if (!CopyFingerprintFile(component_dir_, dest_dir)) { |
| LOG(ERROR) << "Could not copy manifest.fingerprint file."; |
| return false; |
| } |
| |
| return true; |
| } |
| |
| bool Component::CopyComponentFile(const base::FilePath& src, |
| const base::FilePath& dest_path, |
| const std::vector<uint8_t>& expected_hash) { |
| base::File file(src, base::File::FLAG_OPEN | base::File::FLAG_READ); |
| if (!file.IsValid()) |
| return false; |
| |
| base::ScopedFD dest( |
| HANDLE_EINTR(open(dest_path.value().c_str(), O_CREAT | O_WRONLY | O_EXCL, |
| kComponentFilePerms))); |
| if (!dest.is_valid()) |
| return false; |
| |
| base::File out_file(dest.release()); |
| std::unique_ptr<crypto::SecureHash> sha256( |
| crypto::SecureHash::Create(crypto::SecureHash::SHA256)); |
| |
| std::vector<uint8_t> file_hash(crypto::kSHA256Length); |
| if (!ReadHashAndCopyFile(&file, &file_hash, &out_file)) { |
| LOG(ERROR) << "Failed to read image file."; |
| return false; |
| } |
| |
| if (expected_hash != file_hash) { |
| LOG(ERROR) << "Image is corrupt or modified."; |
| return false; |
| } |
| return true; |
| } |
| |
| bool Component::ReadHashAndCopyFile(base::File* file, |
| std::vector<uint8_t>* file_hash, |
| base::File* out_file) { |
| std::unique_ptr<crypto::SecureHash> sha256( |
| crypto::SecureHash::Create(crypto::SecureHash::SHA256)); |
| int size = file->GetLength(); |
| if (size <= 0) |
| return false; |
| |
| int rv = 0, bytes_read = 0; |
| char buf[4096]; |
| do { |
| int remaining = size - bytes_read; |
| int bytes_to_read = |
| std::min(remaining, base::checked_cast<int>(sizeof(buf))); |
| |
| rv = file->ReadAtCurrentPos(buf, bytes_to_read); |
| if (rv <= 0) break; |
| |
| bytes_read += rv; |
| sha256->Update(buf, rv); |
| if (out_file) { |
| out_file->WriteAtCurrentPos(buf, rv); |
| } |
| } while (bytes_read <= size); |
| |
| sha256->Finish(file_hash->data(), file_hash->size()); |
| return bytes_read == size; |
| } |
| |
| bool Component::CopyFingerprintFile(const base::FilePath& src, |
| const base::FilePath& dest) { |
| base::FilePath fingerprint_path(GetFingerprintPath(src)); |
| if (base::PathExists(fingerprint_path)) { |
| std::string fingerprint_contents; |
| if (!base::ReadFileToStringWithMaxSize( |
| fingerprint_path, &fingerprint_contents, kMaximumFilesize)) { |
| return false; |
| } |
| |
| if (!IsValidFingerprintFile(fingerprint_contents)) |
| return false; |
| |
| if (!WriteFileToDisk(GetFingerprintPath(dest), fingerprint_contents)) { |
| return false; |
| } |
| } |
| return true; |
| } |
| |
| // The client inserts manifest.fingerprint into components after unpacking the |
| // CRX. The file is used for delta updates. Since Chrome OS doesn't rely on it |
| // for security of the disk image, we are fine with sanity checking the contents |
| // and then preserving the unsigned file. |
| bool Component::IsValidFingerprintFile(const std::string& contents) { |
| return contents.size() <= 256 && |
| std::find_if_not(contents.begin(), contents.end(), [](char ch) { |
| return base::IsAsciiAlpha(ch) || base::IsAsciiDigit(ch) || ch == '.'; |
| }) == contents.end(); |
| } |
| |
| } // namespace imageloader |
