104 lines
3.1 KiB
C
104 lines
3.1 KiB
C
/*
|
|
* Copyright (C) 2007-2010 Apple Inc. All rights reserved.
|
|
*
|
|
* This document is the property of Apple Inc.
|
|
* It is considered confidential and proprietary.
|
|
*
|
|
* This document may not be reproduced or transmitted in any form,
|
|
* in whole or in part, without the express written permission of
|
|
* Apple Inc.
|
|
*/
|
|
#include <debug.h>
|
|
#include <sys/menu.h>
|
|
#include <lib/pki.h>
|
|
#include <drivers/sha1.h>
|
|
|
|
#if defined(WITH_MENU) && WITH_MENU
|
|
|
|
int do_pki(int argc, struct cmd_arg *args)
|
|
{
|
|
int ret_val;
|
|
|
|
if (!security_allow_modes(kSecurityModeDebugCmd)) {
|
|
printf("Permission Denied\n");
|
|
return -1;
|
|
}
|
|
|
|
if (argc < 2) {
|
|
printf("not enough arguments.\n");
|
|
usage:
|
|
printf("%s verify <cert-chain-as-concatenated-der-blobs-data> <length> "
|
|
"<signature-blob-data> <length> <hash-blob-data> <length>\n", args[0].str);
|
|
printf("\tverify-image <8900-1.0-image-data> <length>\n");
|
|
return -1;
|
|
}
|
|
|
|
void *chain_data, *sig_blob, *hash_blob, *spec_blob;
|
|
size_t chain_len, sig_blob_len, hash_blob_len, spec_blob_len;
|
|
chain_data = sig_blob = hash_blob = spec_blob = NULL;
|
|
chain_len = sig_blob_len = hash_blob_len = spec_blob_len = 0;
|
|
|
|
if (!strcmp("verify", args[1].str)) {
|
|
|
|
if (argc < 8) {
|
|
printf("not enough arguments.\n");
|
|
goto usage;
|
|
}
|
|
|
|
chain_data = (void *)args[2].u;
|
|
chain_len = args[3].u;
|
|
|
|
sig_blob = (void *)args[4].u;
|
|
sig_blob_len = args[5].u;
|
|
|
|
hash_blob = (void *)args[6].u;
|
|
hash_blob_len = args[7].u;
|
|
|
|
} else if (!strcmp("verify-image", args[1].str)) {
|
|
|
|
if (argc < 4) {
|
|
printf ("not enough arguments.\n");
|
|
goto usage;
|
|
}
|
|
|
|
if (!strcmp("89001.0", (void*)args[2].u)) {
|
|
printf ("invalid image (only 8900 1.0 images)\n");
|
|
return -1;
|
|
}
|
|
|
|
uint8_t *payload = (uint8_t*)(args[2].u + 0x800);
|
|
uint8_t *signature = payload + *(uint32_t*)(args[2].u + 16);
|
|
uint8_t *chain = payload + *(uint32_t*)(args[2].u + 20);
|
|
|
|
chain_data = chain;
|
|
chain_len = args[2].u + args[3].u - (size_t)chain;
|
|
|
|
sig_blob = signature;
|
|
sig_blob_len = chain - signature;
|
|
|
|
/* abuse part of header as scratch */
|
|
uint8_t sha1_buf[20];
|
|
/* header + image are hashed for rsa verification */
|
|
sha1_calculate((uint8_t*)args[2].u, (size_t)signature - args[2].u, sha1_buf);
|
|
//sha1_calculate(payload, signature - payload, sha1_buf);
|
|
|
|
hash_blob = sha1_buf;
|
|
hash_blob_len = sizeof(sha1_buf);
|
|
|
|
} else
|
|
return -1;
|
|
|
|
ret_val = verify_signature_with_chain(chain_data, chain_len,
|
|
sig_blob, sig_blob_len, hash_blob, hash_blob_len,
|
|
&spec_blob, &spec_blob_len, NULL, NULL);
|
|
|
|
printf("signature verification returned: %d\n", ret_val);
|
|
|
|
return 0;
|
|
}
|
|
|
|
// Turned off to save space, enable as needed
|
|
// MENU_COMMAND_DEBUG(pki, do_pki, "PKI", NULL);
|
|
|
|
#endif
|