blob: 57ac327c8ad0d0728cb2b20f8c7207fac3e1305c [file] [log] [blame]
// Copyright 2016 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "component.h"
#include <fcntl.h>
#include <algorithm>
#include <string>
#include <utility>
#include <vector>
#include <base/files/file.h>
#include <base/files/file_enumerator.h>
#include <base/files/file_path.h>
#include <base/files/file_util.h>
#include <base/files/scoped_file.h>
#include <base/json/json_string_value_serializer.h>
#include <base/logging.h>
#include <base/numerics/safe_conversions.h>
#include <base/posix/eintr_wrapper.h>
#include <base/strings/string_number_conversions.h>
#include <base/strings/string_util.h>
#include <crypto/secure_hash.h>
#include <crypto/sha2.h>
#include <crypto/signature_verifier.h>
#include "helper_process.h"
namespace imageloader {
namespace {
// The name of the imageloader manifest file.
constexpr char kManifestName[] = "imageloader.json";
// The name of the fingerprint file.
constexpr char kFingerprintName[] = "manifest.fingerprint";
// The manifest signature.
constexpr char kManifestSignatureNamePattern[] = "imageloader.sig.[1-2]";
// The current version of the manifest file.
constexpr int kCurrentManifestVersion = 1;
// The name of the version field in the manifest.
constexpr char kManifestVersionField[] = "manifest-version";
// The name of the component version field in the manifest.
constexpr char kVersionField[] = "version";
// The name of the field containing the image hash.
constexpr char kImageHashField[] = "image-sha256-hash";
// The name of the bool field indicating whether component is removable.
constexpr char kIsRemovableField[] = "is-removable";
// The name of the metadata field.
constexpr char kMetadataField[] = "metadata";
// The name of the image file (squashfs).
constexpr char kImageFileNameSquashFS[] = "image.squash";
// The name of the image file (ext4).
constexpr char kImageFileNameExt4[] = "image.ext4";
// The name of the field containing the table hash.
constexpr char kTableHashField[] = "table-sha256-hash";
// The name of the optional field containing the file system type.
constexpr char kFSType[] = "fs-type";
// The name of the table file.
constexpr char kTableFileName[] = "table";
// The maximum size of any file to read into memory.
constexpr size_t kMaximumFilesize = 4096 * 10;
base::FilePath GetManifestPath(const base::FilePath& component_dir) {
return component_dir.Append(kManifestName);
bool GetSignaturePath(const base::FilePath& component_dir,
base::FilePath* signature_path,
size_t* key_number) {
base::FileEnumerator files(component_dir,
for (base::FilePath path = files.Next(); !path.empty(); path = files.Next()) {
// Extract the key number.
std::string key_ext = path.FinalExtension();
if (key_ext.empty())
size_t ext_number;
if (!base::StringToSizeT(key_ext.substr(1), &ext_number))
*signature_path = path;
*key_number = ext_number;
return true;
return false;
base::FilePath GetSignaturePathForKey(const base::FilePath& component_dir,
size_t key_number) {
std::string signature_name(kManifestSignatureNamePattern);
signature_name =
signature_name.substr(0, signature_name.find_last_of('.') + 1);
return component_dir.Append(signature_name + base::SizeTToString(key_number));
base::FilePath GetFingerprintPath(const base::FilePath& component_dir) {
return component_dir.Append(kFingerprintName);
base::FilePath GetTablePath(const base::FilePath& component_dir) {
return component_dir.Append(kTableFileName);
base::FilePath GetImagePath(const base::FilePath& component_dir,
FileSystem fs_type) {
if (fs_type == FileSystem::kExt4)
return component_dir.Append(kImageFileNameExt4);
else if (fs_type == FileSystem::kSquashFS)
return component_dir.Append(kImageFileNameSquashFS);
else {
return base::FilePath();
bool WriteFileToDisk(const base::FilePath& path, const std::string& contents) {
base::ScopedFD fd(HANDLE_EINTR(open(path.value().c_str(),
if (!fd.is_valid()) {
PLOG(ERROR) << "Error creating file for " << path.value();
return false;
base::File file(fd.release());
int size = base::checked_cast<int>(contents.size());
return file.Write(0,, contents.size()) == size;
bool GetSHA256FromString(const std::string& hash_str,
std::vector<uint8_t>* bytes) {
if (!base::HexStringToBytes(hash_str, bytes))
return false;
return bytes->size() == crypto::kSHA256Length;
bool GetAndVerifyTable(const base::FilePath& path,
const std::vector<uint8_t>& hash,
std::string* out_table) {
std::string table;
if (!base::ReadFileToStringWithMaxSize(path, &table, kMaximumFilesize)) {
return false;
std::vector<uint8_t> table_hash(crypto::kSHA256Length);
crypto::SHA256HashString(table,, table_hash.size());
if (table_hash != hash) {
LOG(ERROR) << "dm-verity table file has the wrong hash.";
return false;
return true;
// Ensure the metadata entry is a dictionary mapping strings to strings and
// parse it into |out_metadata| and return true if so.
bool ParseMetadata(const base::Value* metadata_element,
std::map<std::string, std::string>* out_metadata) {
const base::DictionaryValue* metadata_dict = nullptr;
if (!metadata_element->GetAsDictionary(&metadata_dict))
return false;
base::DictionaryValue::Iterator it(*metadata_dict);
for (; !it.IsAtEnd(); it.Advance()) {
std::string parsed_value;
if (!it.value().GetAsString(&parsed_value)) {
LOG(ERROR) << "Key \"" << it.key() << "\" did not map to string value";
return false;
(*out_metadata)[it.key()] = std::move(parsed_value);
return true;
} // namespace
Component::Component(const base::FilePath& component_dir, int key_number)
: component_dir_(component_dir), key_number_(key_number) {}
std::unique_ptr<Component> Component::Create(
const base::FilePath& component_dir,
const Keys& public_keys) {
base::FilePath signature_path;
size_t key_number;
if (!GetSignaturePath(component_dir, &signature_path, &key_number)) {
LOG(ERROR) << "Could not find manifest signature";
return nullptr;
if (key_number < 1 || key_number > public_keys.size()) {
LOG(ERROR) << "Invalid key number";
return nullptr;
std::unique_ptr<Component> component(
new Component(component_dir, key_number));
if (!component->LoadManifest(public_keys[key_number - 1]))
return nullptr;
return component;
const Component::Manifest& Component::manifest() {
return manifest_;
bool Component::Mount(HelperProcess* mounter, const base::FilePath& dest_dir) {
// Read the table in and verify the hash.
std::string table;
if (!GetAndVerifyTable(GetTablePath(component_dir_), manifest_.table_sha256,
&table)) {
LOG(ERROR) << "Could not read and verify dm-verity table.";
return false;
base::FilePath image_path(GetImagePath(component_dir_, manifest_.fs_type));
base::File image(image_path, base::File::FLAG_OPEN | base::File::FLAG_READ);
if (!image.IsValid()) {
LOG(ERROR) << "Could not open image file.";
return false;
base::ScopedFD image_fd(image.TakePlatformFile());
return mounter->SendMountCommand(image_fd.get(), dest_dir.value(),
manifest_.fs_type, table);
bool Component::ParseManifest() {
// Now deserialize the manifest json and read out the rest of the component.
int error_code;
std::string error_message;
JSONStringValueDeserializer deserializer(manifest_raw_);
std::unique_ptr<base::Value> value =
deserializer.Deserialize(&error_code, &error_message);
if (!value) {
LOG(ERROR) << "Could not deserialize the manifest file. Error "
<< error_code << ": " << error_message;
return false;
base::DictionaryValue* manifest_dict = nullptr;
if (!value->GetAsDictionary(&manifest_dict)) {
LOG(ERROR) << "Could not parse manifest file as JSON.";
return false;
// This will have to be changed if the manifest version is bumped.
int version;
if (!manifest_dict->GetInteger(kManifestVersionField, &version)) {
LOG(ERROR) << "Could not parse manifest version field from manifest.";
return false;
if (version != kCurrentManifestVersion) {
LOG(ERROR) << "Unsupported version of the manifest.";
return false;
manifest_.manifest_version = version;
std::string image_hash_str;
if (!manifest_dict->GetString(kImageHashField, &image_hash_str)) {
LOG(ERROR) << "Could not parse image hash from manifest.";
return false;
if (!GetSHA256FromString(image_hash_str, &(manifest_.image_sha256))) {
LOG(ERROR) << "Could not convert image hash to bytes.";
return false;
std::string table_hash_str;
if (!manifest_dict->GetString(kTableHashField, &table_hash_str)) {
LOG(ERROR) << "Could not parse table hash from manifest.";
return false;
if (!GetSHA256FromString(table_hash_str, &(manifest_.table_sha256))) {
LOG(ERROR) << "Could not convert table hash to bytes.";
return false;
if (!manifest_dict->GetString(kVersionField, &(manifest_.version))) {
LOG(ERROR) << "Could not parse component version from manifest.";
return false;
// The fs_type field is optional, and squashfs by default.
manifest_.fs_type = FileSystem::kSquashFS;
std::string fs_type;
if (manifest_dict->GetString(kFSType, &fs_type)) {
if (fs_type == "ext4") {
manifest_.fs_type = FileSystem::kExt4;
} else if (fs_type == "squashfs") {
manifest_.fs_type = FileSystem::kSquashFS;
} else {
LOG(ERROR) << "Unsupported file system type: " << fs_type;
return false;
if (!manifest_dict->GetBoolean(kIsRemovableField,
&(manifest_.is_removable))) {
// If is_removable field does not exist, by default it is false.
manifest_.is_removable = false;
// Copy out the metadata, if it's there.
const base::Value* metadata = nullptr;
if (manifest_dict->Get(kMetadataField, &metadata)) {
if (!ParseMetadata(metadata, &(manifest_.metadata))) {
LOG(ERROR) << "Manifest metadata was malformed";
return false;
return true;
bool Component::LoadManifest(const std::vector<uint8_t>& public_key) {
if (!base::ReadFileToStringWithMaxSize(GetManifestPath(component_dir_),
&manifest_raw_, kMaximumFilesize)) {
LOG(ERROR) << "Could not read manifest file.";
return false;
if (!base::ReadFileToStringWithMaxSize(
GetSignaturePathForKey(component_dir_, key_number_),
&manifest_sig_, kMaximumFilesize)) {
LOG(ERROR) << "Could not read signature file.";
return false;
crypto::SignatureVerifier verifier;
if (!verifier.VerifyInit(
reinterpret_cast<const uint8_t*>(,
base::checked_cast<int>(public_key.size()))) {
LOG(ERROR) << "Failed to initialize signature verification.";
return false;
verifier.VerifyUpdate(reinterpret_cast<const uint8_t*>(,
if (!verifier.VerifyFinal()) {
LOG(ERROR) << "Manifest failed signature verification.";
return false;
return ParseManifest();
bool Component::CopyTo(const base::FilePath& dest_dir) {
if (!WriteFileToDisk(GetManifestPath(dest_dir), manifest_raw_) ||
!WriteFileToDisk(GetSignaturePathForKey(dest_dir, key_number_),
manifest_sig_)) {
LOG(ERROR) << "Could not write manifest and signature to disk.";
return false;
base::FilePath table_src(GetTablePath(component_dir_));
base::FilePath table_dest(GetTablePath(dest_dir));
if (!CopyComponentFile(table_src, table_dest, manifest_.table_sha256)) {
LOG(ERROR) << "Could not copy table file.";
return false;
base::FilePath image_src(GetImagePath(component_dir_, manifest_.fs_type));
base::FilePath image_dest(GetImagePath(dest_dir, manifest_.fs_type));
if (!CopyComponentFile(image_src, image_dest, manifest_.image_sha256)) {
LOG(ERROR) << "Could not copy image file.";
return false;
if (!CopyFingerprintFile(component_dir_, dest_dir)) {
LOG(ERROR) << "Could not copy manifest.fingerprint file.";
return false;
return true;
bool Component::CopyComponentFile(const base::FilePath& src,
const base::FilePath& dest_path,
const std::vector<uint8_t>& expected_hash) {
base::File file(src, base::File::FLAG_OPEN | base::File::FLAG_READ);
if (!file.IsValid())
return false;
base::ScopedFD dest(
HANDLE_EINTR(open(dest_path.value().c_str(), O_CREAT | O_WRONLY | O_EXCL,
if (!dest.is_valid())
return false;
base::File out_file(dest.release());
std::unique_ptr<crypto::SecureHash> sha256(
std::vector<uint8_t> file_hash(crypto::kSHA256Length);
if (!ReadHashAndCopyFile(&file, &file_hash, &out_file)) {
LOG(ERROR) << "Failed to read image file.";
return false;
if (expected_hash != file_hash) {
LOG(ERROR) << "Image is corrupt or modified.";
return false;
return true;
bool Component::ReadHashAndCopyFile(base::File* file,
std::vector<uint8_t>* file_hash,
base::File* out_file) {
std::unique_ptr<crypto::SecureHash> sha256(
int size = file->GetLength();
if (size <= 0)
return false;
int rv = 0, bytes_read = 0;
char buf[4096];
do {
int remaining = size - bytes_read;
int bytes_to_read =
std::min(remaining, base::checked_cast<int>(sizeof(buf)));
rv = file->ReadAtCurrentPos(buf, bytes_to_read);
if (rv <= 0) break;
bytes_read += rv;
sha256->Update(buf, rv);
if (out_file) {
out_file->WriteAtCurrentPos(buf, rv);
} while (bytes_read <= size);
sha256->Finish(file_hash->data(), file_hash->size());
return bytes_read == size;
bool Component::CopyFingerprintFile(const base::FilePath& src,
const base::FilePath& dest) {
base::FilePath fingerprint_path(GetFingerprintPath(src));
if (base::PathExists(fingerprint_path)) {
std::string fingerprint_contents;
if (!base::ReadFileToStringWithMaxSize(
fingerprint_path, &fingerprint_contents, kMaximumFilesize)) {
return false;
if (!IsValidFingerprintFile(fingerprint_contents))
return false;
if (!WriteFileToDisk(GetFingerprintPath(dest), fingerprint_contents)) {
return false;
return true;
// The client inserts manifest.fingerprint into components after unpacking the
// CRX. The file is used for delta updates. Since Chrome OS doesn't rely on it
// for security of the disk image, we are fine with sanity checking the contents
// and then preserving the unsigned file.
bool Component::IsValidFingerprintFile(const std::string& contents) {
return contents.size() <= 256 &&
std::find_if_not(contents.begin(), contents.end(), [](char ch) {
return base::IsAsciiAlpha(ch) || base::IsAsciiDigit(ch) || ch == '.';
}) == contents.end();
} // namespace imageloader