mfg/verify.go

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package mfg

import (
	"bytes"
	"encoding/hex"

	"github.com/apache/mynewt-artifact/errors"
	"github.com/apache/mynewt-artifact/flash"
	"github.com/apache/mynewt-artifact/manifest"
	"github.com/apache/mynewt-artifact/sec"
)

func (m *Mfg) validateManFlashMap(man manifest.MfgManifest) error {
	idAreaMap := map[int]flash.FlashArea{}
	for _, area := range man.FlashAreas {
		if _, dup := idAreaMap[area.Id]; dup {
			return errors.Errorf(
				"mfg manifest contains duplicate flash area: %d", area.Id)
		}

		idAreaMap[area.Id] = area
	}

	seen := map[int]struct{}{}

	mmrHasFlash := man.Meta != nil && man.Meta.FlashMap

	for _, t := range m.Tlvs() {
		if t.Header.Type == META_TLV_TYPE_FLASH_AREA {
			if !mmrHasFlash {
				return errors.Errorf(
					"mmr contains flash map; manifest indicates otherwise")
			}

			body, err := t.StructuredBody()
			if err != nil {
				return err
			}
			flashBody := body.(*MetaTlvBodyFlashArea)
			if _, ok := idAreaMap[int(flashBody.Area)]; !ok {
				return errors.Errorf(
					"flash area %d missing from mfg manifest", flashBody.Area)
			}

			seen[int(flashBody.Area)] = struct{}{}
		}
	}

	if mmrHasFlash {
		for _, area := range man.FlashAreas {
			if _, ok := seen[area.Id]; !ok {
				return errors.Errorf("flash area %d missing from mmr", area.Id)
			}
		}
	}

	return nil
}

func (m *Mfg) validateManMmrs(man manifest.MfgManifest) error {
	areaMap := map[int]struct{}{}
	if man.Meta != nil {
		for _, mmr := range man.Meta.Mmrs {
			fa := man.FindFlashAreaName(mmr.Area)
			if fa == nil {
				return errors.Errorf(
					"flash area %s missing from mfg manifest", mmr.Area)
			}

			if _, dup := areaMap[fa.Id]; dup {
				return errors.Errorf(
					"mfg manifest contains duplicate mmr ref: %s", mmr.Area)
			}

			areaMap[fa.Id] = struct{}{}
		}
	}

	seen := map[int]struct{}{}
	for _, t := range m.Tlvs() {
		if t.Header.Type == META_TLV_TYPE_MMR_REF {
			body, err := t.StructuredBody()
			if err != nil {
				return err
			}

			mmrBody := body.(*MetaTlvBodyMmrRef)
			if _, ok := areaMap[int(mmrBody.Area)]; !ok {
				return errors.Errorf(
					"mmr ref %d missing from mfg manifest", mmrBody.Area)
			}

			seen[int(mmrBody.Area)] = struct{}{}
		}
	}

	for area, _ := range areaMap {
		if _, ok := seen[area]; !ok {
			return errors.Errorf("mmr ref %d missing from mmr", area)
		}
	}

	return nil
}

// VerifyStructure checks an mfgimage's structure and internal consistency.  It
// returns an error if the mfgimage is incorrect.
func (m *Mfg) VerifyStructure(eraseVal byte) error {
	for _, t := range m.Tlvs() {
		// Verify that TLV has a valid `type` field.
		body, err := t.StructuredBody()
		if err != nil {
			return err
		}

		// Verify contents of hash TLV.
		switch t.Header.Type {
		case META_TLV_TYPE_HASH:
			hashBody := body.(*MetaTlvBodyHash)

			hash, err := m.RecalcHash(eraseVal)
			if err != nil {
				return err
			}

			if !bytes.Equal(hash, hashBody.Hash[:]) {
				return errors.Errorf(
					"mmr contains incorrect hash: have=%s want=%s",
					hex.EncodeToString(hashBody.Hash[:]),
					hex.EncodeToString(hash))
			}
		}
	}

	return nil
}

// VerifyManifest compares an mfgimage's structure to its manifest.  It returns
// an error if the mfgimage doesn't match the manifest.
func (m *Mfg) VerifyManifest(man manifest.MfgManifest) error {
	if man.Format != 2 {
		return errors.Errorf(
			"only mfgimage format 2 supported (have=%d)", man.Format)
	}

	mfgHash, err := m.Hash(man.EraseVal)
	if err != nil {
		return err
	}
	hashStr := hex.EncodeToString(mfgHash)
	if hashStr != man.MfgHash {
		return errors.Errorf(
			"manifest mfg hash different from mmr: man=%s mfg=%s",
			man.MfgHash, hashStr)
	}

	if err := m.validateManFlashMap(man); err != nil {
		return err
	}

	if err := m.validateManMmrs(man); err != nil {
		return err
	}

	// Make sure each target is fully present.
	for _, t := range man.Targets {
		if man.FindFlashAreaDevOff(man.Device, t.Offset) == nil {
			return errors.Errorf(
				"no flash area in mfgimage corresponding to target \"%s\"",
				t.Name)
		}
	}

	return nil
}

// VerifySigs checks an mfgimage's signatures against the provided set of keys.
// It succeeds if the mfgimage has no signatures or if any signature can be
// verified.  An error is returned if there is at least one signature and they
// all fail the check.
func VerifySigs(man manifest.MfgManifest, keys []sec.PubSignKey) (int, error) {
	sigs, err := man.SecSigs()
	if err != nil {
		return -1, err
	}

	hash, err := hex.DecodeString(man.MfgHash)
	if err != nil {
		return -1, errors.Wrapf(err,
			"mfg manifest contains invalid hash: %s", man.MfgHash)
	}

	for keyIdx, k := range keys {
		sigIdx, err := sec.VerifySigs(k, sigs, hash)
		if err != nil {
			return -1, errors.Wrapf(err, "failed to verify mfgimg signatures")
		}

		if sigIdx != -1 {
			return keyIdx, nil
		}
	}

	return -1, errors.Errorf("mfg signatures do not match provided keys")
}