1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * SPDX-License-Identifier: MIT 5 */ 6 7 #if !defined(AVB_INSIDE_LIBAVB_H) && !defined(AVB_COMPILATION) 8 #error "Never include this file directly, include libavb.h instead." 9 #endif 10 11 #ifndef AVB_CRYPTO_H_ 12 #define AVB_CRYPTO_H_ 13 14 #include "avb_sysdeps.h" 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 /* Size of a RSA-2048 signature. */ 21 #define AVB_RSA2048_NUM_BYTES 256 22 23 /* Size of a RSA-4096 signature. */ 24 #define AVB_RSA4096_NUM_BYTES 512 25 26 /* Size of a RSA-8192 signature. */ 27 #define AVB_RSA8192_NUM_BYTES 1024 28 29 /* Size in bytes of a SHA-1 digest. */ 30 #define AVB_SHA1_DIGEST_SIZE 20 31 32 /* Size in bytes of a SHA-256 digest. */ 33 #define AVB_SHA256_DIGEST_SIZE 32 34 35 /* Size in bytes of a SHA-512 digest. */ 36 #define AVB_SHA512_DIGEST_SIZE 64 37 38 /* Possible digest types supported by libavb routines. */ 39 typedef enum { 40 AVB_DIGEST_TYPE_SHA256, 41 AVB_DIGEST_TYPE_SHA512, 42 } AvbDigestType; 43 44 /* Algorithms that can be used in the vbmeta image for 45 * verification. An algorithm consists of a hash type and a signature 46 * type. 47 * 48 * The data used to calculate the hash is the three blocks mentioned 49 * in the documentation for |AvbVBMetaImageHeader| except for the data 50 * in the "Authentication data" block. 51 * 52 * For signatures with RSA keys, PKCS v1.5 padding is used. The public 53 * key data is stored in the auxiliary data block, see 54 * |AvbRSAPublicKeyHeader| for the serialization format. 55 * 56 * Each algorithm type is described below: 57 * 58 * AVB_ALGORITHM_TYPE_NONE: There is no hash, no signature of the 59 * data, and no public key. The data cannot be verified. The fields 60 * |hash_size|, |signature_size|, and |public_key_size| must be zero. 61 * 62 * AVB_ALGORITHM_TYPE_SHA256_RSA2048: The hash function used is 63 * SHA-256, resulting in 32 bytes of hash digest data. This hash is 64 * signed with a 2048-bit RSA key. The field |hash_size| must be 32, 65 * |signature_size| must be 256, and the public key data must have 66 * |key_num_bits| set to 2048. 67 * 68 * AVB_ALGORITHM_TYPE_SHA256_RSA4096: Like above, but only with 69 * a 4096-bit RSA key and |signature_size| set to 512. 70 * 71 * AVB_ALGORITHM_TYPE_SHA256_RSA8192: Like above, but only with 72 * a 8192-bit RSA key and |signature_size| set to 1024. 73 * 74 * AVB_ALGORITHM_TYPE_SHA512_RSA2048: The hash function used is 75 * SHA-512, resulting in 64 bytes of hash digest data. This hash is 76 * signed with a 2048-bit RSA key. The field |hash_size| must be 64, 77 * |signature_size| must be 256, and the public key data must have 78 * |key_num_bits| set to 2048. 79 * 80 * AVB_ALGORITHM_TYPE_SHA512_RSA4096: Like above, but only with 81 * a 4096-bit RSA key and |signature_size| set to 512. 82 * 83 * AVB_ALGORITHM_TYPE_SHA512_RSA8192: Like above, but only with 84 * a 8192-bit RSA key and |signature_size| set to 1024. 85 */ 86 typedef enum { 87 AVB_ALGORITHM_TYPE_NONE, 88 AVB_ALGORITHM_TYPE_SHA256_RSA2048, 89 AVB_ALGORITHM_TYPE_SHA256_RSA4096, 90 AVB_ALGORITHM_TYPE_SHA256_RSA8192, 91 AVB_ALGORITHM_TYPE_SHA512_RSA2048, 92 AVB_ALGORITHM_TYPE_SHA512_RSA4096, 93 AVB_ALGORITHM_TYPE_SHA512_RSA8192, 94 _AVB_ALGORITHM_NUM_TYPES 95 } AvbAlgorithmType; 96 97 /* Holds algorithm-specific data. The |padding| is needed by avb_rsa_verify. */ 98 typedef struct { 99 const uint8_t* padding; 100 size_t padding_len; 101 size_t hash_len; 102 } AvbAlgorithmData; 103 104 /* Provides algorithm-specific data for a given |algorithm|. Returns NULL if 105 * |algorithm| is invalid. 106 */ 107 const AvbAlgorithmData* avb_get_algorithm_data(AvbAlgorithmType algorithm) 108 AVB_ATTR_WARN_UNUSED_RESULT; 109 110 /* The header for a serialized RSA public key. 111 * 112 * The size of the key is given by |key_num_bits|, for example 2048 113 * for a RSA-2048 key. By definition, a RSA public key is the pair (n, 114 * e) where |n| is the modulus (which can be represented in 115 * |key_num_bits| bits) and |e| is the public exponent. The exponent 116 * is not stored since it's assumed to always be 65537. 117 * 118 * To optimize verification, the key block includes two precomputed 119 * values, |n0inv| (fits in 32 bits) and |rr| and can always be 120 * represented in |key_num_bits|. 121 122 * The value |n0inv| is the value -1/n[0] (mod 2^32). The value |rr| 123 * is (2^key_num_bits)^2 (mod n). 124 * 125 * Following this header is |key_num_bits| bits of |n|, then 126 * |key_num_bits| bits of |rr|. Both values are stored with most 127 * significant bit first. Each serialized number takes up 128 * |key_num_bits|/8 bytes. 129 * 130 * All fields in this struct are stored in network byte order when 131 * serialized. To generate a copy with fields swapped to native byte 132 * order, use the function avb_rsa_public_key_header_validate_and_byteswap(). 133 * 134 * The avb_rsa_verify() function expects a key in this serialized 135 * format. 136 * 137 * The 'avbtool extract_public_key' command can be used to generate a 138 * serialized RSA public key. 139 */ 140 typedef struct AvbRSAPublicKeyHeader { 141 uint32_t key_num_bits; 142 uint32_t n0inv; 143 } AVB_ATTR_PACKED AvbRSAPublicKeyHeader; 144 145 /* Copies |src| to |dest| and validates, byte-swapping fields in the 146 * process if needed. Returns true if valid, false if invalid. 147 */ 148 bool avb_rsa_public_key_header_validate_and_byteswap( 149 const AvbRSAPublicKeyHeader* src, 150 AvbRSAPublicKeyHeader* dest) AVB_ATTR_WARN_UNUSED_RESULT; 151 152 #ifdef __cplusplus 153 } 154 #endif 155 156 #endif /* AVB_CRYPTO_H_ */ 157