1*5b69db07SJason Zhu /* 2*5b69db07SJason Zhu * Copyright (C) 2016 The Android Open Source Project 3*5b69db07SJason Zhu * 4*5b69db07SJason Zhu * Permission is hereby granted, free of charge, to any person 5*5b69db07SJason Zhu * obtaining a copy of this software and associated documentation 6*5b69db07SJason Zhu * files (the "Software"), to deal in the Software without 7*5b69db07SJason Zhu * restriction, including without limitation the rights to use, copy, 8*5b69db07SJason Zhu * modify, merge, publish, distribute, sublicense, and/or sell copies 9*5b69db07SJason Zhu * of the Software, and to permit persons to whom the Software is 10*5b69db07SJason Zhu * furnished to do so, subject to the following conditions: 11*5b69db07SJason Zhu * 12*5b69db07SJason Zhu * The above copyright notice and this permission notice shall be 13*5b69db07SJason Zhu * included in all copies or substantial portions of the Software. 14*5b69db07SJason Zhu * 15*5b69db07SJason Zhu * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16*5b69db07SJason Zhu * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17*5b69db07SJason Zhu * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18*5b69db07SJason Zhu * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19*5b69db07SJason Zhu * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20*5b69db07SJason Zhu * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21*5b69db07SJason Zhu * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22*5b69db07SJason Zhu * SOFTWARE. 23*5b69db07SJason Zhu */ 24*5b69db07SJason Zhu 25*5b69db07SJason Zhu /* 26*5b69db07SJason Zhu #if !defined(AVB_INSIDE_LIBAVB_H) && !defined(AVB_COMPILATION) 27*5b69db07SJason Zhu #error "Never include this file directly, include libavb.h instead." 28*5b69db07SJason Zhu #endif 29*5b69db07SJason Zhu */ 30*5b69db07SJason Zhu 31*5b69db07SJason Zhu #ifndef AVB_CRYPTO_H_ 32*5b69db07SJason Zhu #define AVB_CRYPTO_H_ 33*5b69db07SJason Zhu 34*5b69db07SJason Zhu #include <android_avb/avb_sysdeps.h> 35*5b69db07SJason Zhu 36*5b69db07SJason Zhu #ifdef __cplusplus 37*5b69db07SJason Zhu extern "C" { 38*5b69db07SJason Zhu #endif 39*5b69db07SJason Zhu 40*5b69db07SJason Zhu /* Size of a RSA-2048 signature. */ 41*5b69db07SJason Zhu #define AVB_RSA2048_NUM_BYTES 256 42*5b69db07SJason Zhu 43*5b69db07SJason Zhu /* Size of a RSA-4096 signature. */ 44*5b69db07SJason Zhu #define AVB_RSA4096_NUM_BYTES 512 45*5b69db07SJason Zhu 46*5b69db07SJason Zhu /* Size of a RSA-8192 signature. */ 47*5b69db07SJason Zhu #define AVB_RSA8192_NUM_BYTES 1024 48*5b69db07SJason Zhu 49*5b69db07SJason Zhu /* Size in bytes of a SHA-256 digest. */ 50*5b69db07SJason Zhu #define AVB_SHA256_DIGEST_SIZE 32 51*5b69db07SJason Zhu 52*5b69db07SJason Zhu /* Size in bytes of a SHA-512 digest. */ 53*5b69db07SJason Zhu #define AVB_SHA512_DIGEST_SIZE 64 54*5b69db07SJason Zhu 55*5b69db07SJason Zhu /* Algorithms that can be used in the vbmeta image for 56*5b69db07SJason Zhu * verification. An algorithm consists of a hash type and a signature 57*5b69db07SJason Zhu * type. 58*5b69db07SJason Zhu * 59*5b69db07SJason Zhu * The data used to calculate the hash is the three blocks mentioned 60*5b69db07SJason Zhu * in the documentation for |AvbVBMetaImageHeader| except for the data 61*5b69db07SJason Zhu * in the "Authentication data" block. 62*5b69db07SJason Zhu * 63*5b69db07SJason Zhu * For signatures with RSA keys, PKCS v1.5 padding is used. The public 64*5b69db07SJason Zhu * key data is stored in the auxiliary data block, see 65*5b69db07SJason Zhu * |AvbRSAPublicKeyHeader| for the serialization format. 66*5b69db07SJason Zhu * 67*5b69db07SJason Zhu * Each algorithm type is described below: 68*5b69db07SJason Zhu * 69*5b69db07SJason Zhu * AVB_ALGORITHM_TYPE_NONE: There is no hash, no signature of the 70*5b69db07SJason Zhu * data, and no public key. The data cannot be verified. The fields 71*5b69db07SJason Zhu * |hash_size|, |signature_size|, and |public_key_size| must be zero. 72*5b69db07SJason Zhu * 73*5b69db07SJason Zhu * AVB_ALGORITHM_TYPE_SHA256_RSA2048: The hash function used is 74*5b69db07SJason Zhu * SHA-256, resulting in 32 bytes of hash digest data. This hash is 75*5b69db07SJason Zhu * signed with a 2048-bit RSA key. The field |hash_size| must be 32, 76*5b69db07SJason Zhu * |signature_size| must be 256, and the public key data must have 77*5b69db07SJason Zhu * |key_num_bits| set to 2048. 78*5b69db07SJason Zhu * 79*5b69db07SJason Zhu * AVB_ALGORITHM_TYPE_SHA256_RSA4096: Like above, but only with 80*5b69db07SJason Zhu * a 4096-bit RSA key and |signature_size| set to 512. 81*5b69db07SJason Zhu * 82*5b69db07SJason Zhu * AVB_ALGORITHM_TYPE_SHA256_RSA8192: Like above, but only with 83*5b69db07SJason Zhu * a 8192-bit RSA key and |signature_size| set to 1024. 84*5b69db07SJason Zhu * 85*5b69db07SJason Zhu * AVB_ALGORITHM_TYPE_SHA512_RSA2048: The hash function used is 86*5b69db07SJason Zhu * SHA-512, resulting in 64 bytes of hash digest data. This hash is 87*5b69db07SJason Zhu * signed with a 2048-bit RSA key. The field |hash_size| must be 64, 88*5b69db07SJason Zhu * |signature_size| must be 256, and the public key data must have 89*5b69db07SJason Zhu * |key_num_bits| set to 2048. 90*5b69db07SJason Zhu * 91*5b69db07SJason Zhu * AVB_ALGORITHM_TYPE_SHA512_RSA4096: Like above, but only with 92*5b69db07SJason Zhu * a 4096-bit RSA key and |signature_size| set to 512. 93*5b69db07SJason Zhu * 94*5b69db07SJason Zhu * AVB_ALGORITHM_TYPE_SHA512_RSA8192: Like above, but only with 95*5b69db07SJason Zhu * a 8192-bit RSA key and |signature_size| set to 1024. 96*5b69db07SJason Zhu */ 97*5b69db07SJason Zhu typedef enum { 98*5b69db07SJason Zhu AVB_ALGORITHM_TYPE_NONE, 99*5b69db07SJason Zhu AVB_ALGORITHM_TYPE_SHA256_RSA2048, 100*5b69db07SJason Zhu AVB_ALGORITHM_TYPE_SHA256_RSA4096, 101*5b69db07SJason Zhu AVB_ALGORITHM_TYPE_SHA256_RSA8192, 102*5b69db07SJason Zhu AVB_ALGORITHM_TYPE_SHA512_RSA2048, 103*5b69db07SJason Zhu AVB_ALGORITHM_TYPE_SHA512_RSA4096, 104*5b69db07SJason Zhu AVB_ALGORITHM_TYPE_SHA512_RSA8192, 105*5b69db07SJason Zhu _AVB_ALGORITHM_NUM_TYPES 106*5b69db07SJason Zhu } AvbAlgorithmType; 107*5b69db07SJason Zhu 108*5b69db07SJason Zhu /* Holds algorithm-specific data. The |padding| is needed by avb_rsa_verify. */ 109*5b69db07SJason Zhu typedef struct { 110*5b69db07SJason Zhu const uint8_t* padding; 111*5b69db07SJason Zhu size_t padding_len; 112*5b69db07SJason Zhu size_t hash_len; 113*5b69db07SJason Zhu } AvbAlgorithmData; 114*5b69db07SJason Zhu 115*5b69db07SJason Zhu /* Provides algorithm-specific data for a given |algorithm|. Returns NULL if 116*5b69db07SJason Zhu * |algorithm| is invalid. 117*5b69db07SJason Zhu */ 118*5b69db07SJason Zhu const AvbAlgorithmData* avb_get_algorithm_data(AvbAlgorithmType algorithm) 119*5b69db07SJason Zhu AVB_ATTR_WARN_UNUSED_RESULT; 120*5b69db07SJason Zhu 121*5b69db07SJason Zhu /* The header for a serialized RSA public key. 122*5b69db07SJason Zhu * 123*5b69db07SJason Zhu * The size of the key is given by |key_num_bits|, for example 2048 124*5b69db07SJason Zhu * for a RSA-2048 key. By definition, a RSA public key is the pair (n, 125*5b69db07SJason Zhu * e) where |n| is the modulus (which can be represented in 126*5b69db07SJason Zhu * |key_num_bits| bits) and |e| is the public exponent. The exponent 127*5b69db07SJason Zhu * is not stored since it's assumed to always be 65537. 128*5b69db07SJason Zhu * 129*5b69db07SJason Zhu * To optimize verification, the key block includes two precomputed 130*5b69db07SJason Zhu * values, |n0inv| (fits in 32 bits) and |rr| and can always be 131*5b69db07SJason Zhu * represented in |key_num_bits|. 132*5b69db07SJason Zhu 133*5b69db07SJason Zhu * The value |n0inv| is the value -1/n[0] (mod 2^32). The value |rr| 134*5b69db07SJason Zhu * is (2^key_num_bits)^2 (mod n). 135*5b69db07SJason Zhu * 136*5b69db07SJason Zhu * Following this header is |key_num_bits| bits of |n|, then 137*5b69db07SJason Zhu * |key_num_bits| bits of |rr|. Both values are stored with most 138*5b69db07SJason Zhu * significant bit first. Each serialized number takes up 139*5b69db07SJason Zhu * |key_num_bits|/8 bytes. 140*5b69db07SJason Zhu * 141*5b69db07SJason Zhu * All fields in this struct are stored in network byte order when 142*5b69db07SJason Zhu * serialized. To generate a copy with fields swapped to native byte 143*5b69db07SJason Zhu * order, use the function avb_rsa_public_key_header_validate_and_byteswap(). 144*5b69db07SJason Zhu * 145*5b69db07SJason Zhu * The avb_rsa_verify() function expects a key in this serialized 146*5b69db07SJason Zhu * format. 147*5b69db07SJason Zhu * 148*5b69db07SJason Zhu * The 'avbtool extract_public_key' command can be used to generate a 149*5b69db07SJason Zhu * serialized RSA public key. 150*5b69db07SJason Zhu */ 151*5b69db07SJason Zhu typedef struct AvbRSAPublicKeyHeader { 152*5b69db07SJason Zhu uint32_t key_num_bits; 153*5b69db07SJason Zhu uint32_t n0inv; 154*5b69db07SJason Zhu } AVB_ATTR_PACKED AvbRSAPublicKeyHeader; 155*5b69db07SJason Zhu 156*5b69db07SJason Zhu /* Copies |src| to |dest| and validates, byte-swapping fields in the 157*5b69db07SJason Zhu * process if needed. Returns true if valid, false if invalid. 158*5b69db07SJason Zhu */ 159*5b69db07SJason Zhu bool avb_rsa_public_key_header_validate_and_byteswap( 160*5b69db07SJason Zhu const AvbRSAPublicKeyHeader* src, 161*5b69db07SJason Zhu AvbRSAPublicKeyHeader* dest) AVB_ATTR_WARN_UNUSED_RESULT; 162*5b69db07SJason Zhu 163*5b69db07SJason Zhu #ifdef __cplusplus 164*5b69db07SJason Zhu } 165*5b69db07SJason Zhu #endif 166*5b69db07SJason Zhu 167*5b69db07SJason Zhu #endif /* AVB_CRYPTO_H_ */ 168