I previously refactored some of the signature generation code to directly use the OpenSSL library instead of invoking the "openssl" command line utility. The signature_digest command line utility got lost in the process. This restores the utility which in turn fixes the RSA verification test.
Review URL: http://codereview.chromium.org/669040
This CL does the following:
1) It adds a SignatureBuf function which uses the OpenSSL library to generate RSA signature. This is more robust than the previous way of invoking the command line "openssl" utility and capturing its output. No more unnecessary temporary files for signature operations.
2) It adds functions that allow direct manipulation of binary verified Firmware and Kernel Image blobs in memory.
3) It changes the structure field members for FirmwareImage to make it consistent with KernelImage. Now it's clearer which key is used when.
4) Minor bug fixes and slightly improved API for dealing verified boot firmware and kernel images.
5) Renames the RSA_verify function to prevent conflicts with OpenSSL since it's linked into the firmware utility binary.
Review URL: http://codereview.chromium.org/661353
BUG=670
TEST=Adds kernel_image_test which tests the new functions.
The kernel image verification pretty much exactly mirror the already existing firmware image verification functions except with a few different/additional fields in a signed kernel image. The firmware signing key is the root key equivalent for kernel images.
This CL also moves the image verification tests to a different script. There's some additional cleanup of the code that I will be submitting separately after this and another pending patches get LGTMed and land.
Review URL: http://codereview.chromium.org/660161
This is a first cut at what I envision as a utility we can use to manage our firmware/kernel signing needs. Currently, it implements firmware signing (given a binary image, create a verified boot header) and verification (given a verified boot image, verify it using the given public root key).
This CL also fixes the ReadFirmwareImage function from firmware_image to make it more consistent and fixes some bugs.
Review URL: http://codereview.chromium.org/652216
This test checks that signatures with improper padding do not get accepted by the RSA signature verification implementation.
Review URL: http://codereview.chromium.org/661038
The old VerifyFirmware function (now called VerifyFirmwareImage) works on the FirmwareImage structure. This CL adds a verification function which can be used directly on packed binary verified boot firmware blobs. This function can be used as the reference implementation for verified boot in firmware. In addition, all functions that work on FirmwareImage structure have been renames to distinguish them from those which work on binary firmware blobs.
In addition, this adds some new crypto utility functions and refactors old ones.
BUG=670
TEST=Added tests for the new function and they pass.
Review URL: http://codereview.chromium.org/650105
In addtion, add test cases and a script to generate them for benchmarking. Also fixes a path problem with the run_rsa_tests.sh script.
Review URL: http://codereview.chromium.org/626011
Also rename and modify run_tests.sh to only run the RSA verification tests. The SHA message digest tests must now be invoked separately.
Review URL: http://codereview.chromium.org/596080
Also remove the len parameter to read_RSAkey since it's not used or required any more.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/579009
A DigestContext structure now wraps state for all the SHA* algorithms. Replaced the old SHA*_file functions to use these new wrappers. Also moved the digest utility functions from tests/ to crypto/.
BUG=670
TEST=Modified existing tests to use the new wrappers and they pass.
Review URL: http://codereview.chromium.org/579007
The current stable version of OpenSSL(0.9.8d) does not support RSA signature with SHA-256 and SHA-512 message digests. This utility outputs the hash of file data in a format suitable for use with the "openssl" command-line tool fir generating RSA signatures.
Also modified the tests to use this to generate RSA signature rather than "openssl pkeyutl" which is not supported on current stable version of OpenSSL.
Review URL: http://codereview.chromium.org/552227
