Add signature validation to TMD

This commit is contained in:
Pengfei
2021-07-29 23:27:13 +08:00
parent 502e05dc2b
commit 15b1af7dd1
6 changed files with 75 additions and 7 deletions
+2
View File
@@ -158,6 +158,7 @@ set(cryptopp_SOURCES
cryptopp/neon-simd.cpp
cryptopp/oaep.cpp
cryptopp/osrng.cpp
cryptopp/pkcspad.cpp
cryptopp/pubkey.cpp
cryptopp/queue.cpp
cryptopp/randpool.cpp
@@ -165,6 +166,7 @@ set(cryptopp_SOURCES
cryptopp/rijndael-simd.cpp
cryptopp/rijndael.cpp
cryptopp/rng.cpp
cryptopp/rsa.cpp
cryptopp/sha-simd.cpp
cryptopp/sha.cpp
cryptopp/sse-simd.cpp
+22 -2
View File
@@ -4,8 +4,9 @@
#include <cstring>
#include <unordered_map>
#include <cryptopp/sha.h>
#include <cryptopp/integer.h>
#include "common/alignment.h"
#include "common/assert.h"
#include "common/file_util.h"
#include "common/logging/log.h"
#include "common/string_util.h"
@@ -94,6 +95,18 @@ bool Certificate::Save(FileUtil::IOFile& file) const {
return true;
}
std::pair<CryptoPP::Integer, CryptoPP::Integer> Certificate::GetRSAPublicKey() const {
if (body.key_type == PublicKeyType::RSA_2048) {
return {CryptoPP::Integer(public_key.data(), 0x100),
CryptoPP::Integer(public_key.data() + 0x100, 0x4)};
} else if (body.key_type == PublicKeyType::RSA_4096) {
return {CryptoPP::Integer(public_key.data(), 0x200),
CryptoPP::Integer(public_key.data() + 0x200, 0x4)};
} else {
UNREACHABLE_MSG("Certificate is not RSA");
}
}
namespace Certs {
static std::unordered_map<std::string, Certificate> g_certs;
@@ -131,9 +144,12 @@ bool Load(const std::string& path) {
return false;
}
const auto issuer = Common::StringFromFixedZeroTerminatedBuffer(cert.body.issuer.data(),
cert.body.issuer.size());
const auto name = Common::StringFromFixedZeroTerminatedBuffer(cert.body.name.data(),
cert.body.name.size());
g_certs.emplace(name, std::move(cert));
const auto full_name = issuer + "-" + name;
g_certs.emplace(full_name, std::move(cert));
pos += size;
}
@@ -157,6 +173,10 @@ const Certificate& Get(const std::string& name) {
return g_certs.at(name);
}
bool Exists(const std::string& name) {
return g_certs.count(name);
}
} // namespace Certs
} // namespace Core
+8
View File
@@ -10,6 +10,10 @@
#include "common/common_funcs.h"
#include "common/swap.h"
namespace CryptoPP {
class Integer;
}
namespace FileUtil {
class IOFile;
}
@@ -36,6 +40,9 @@ public:
std::size_t Load(std::vector<u8> file_data, std::size_t offset = 0);
bool Save(FileUtil::IOFile& file) const;
/// (modulus, exponent)
std::pair<CryptoPP::Integer, CryptoPP::Integer> GetRSAPublicKey() const;
u32_be signature_type;
std::vector<u8> signature;
Body body;
@@ -55,6 +62,7 @@ namespace Certs {
bool Load(const std::string& path);
bool IsLoaded();
const Certificate& Get(const std::string& name);
bool Exists(const std::string& name);
} // namespace Certs
+4 -3
View File
@@ -37,10 +37,11 @@ inline u32 GetSignatureSize(u32 signature_type) {
return 0;
}
/// Full names of the certificates contained in a CIA.
constexpr std::array<const char*, 3> CIACertNames{{
"CA00000003",
"XS0000000c",
"CP0000000b",
"Root-CA00000003",
"Root-CA00000003-XS0000000c",
"Root-CA00000003-CP0000000b",
}};
} // namespace Core
+36
View File
@@ -4,11 +4,14 @@
#include <algorithm>
#include <cinttypes>
#include <cryptopp/rsa.h>
#include <cryptopp/sha.h>
#include "common/alignment.h"
#include "common/assert.h"
#include "common/file_util.h"
#include "common/logging/log.h"
#include "common/string_util.h"
#include "core/ncch/certificate.h"
#include "core/ncch/cia_common.h"
#include "core/ncch/title_metadata.h"
@@ -120,6 +123,39 @@ ResultStatus TitleMetadata::Save(const std::string& file_path) {
return Save(file);
}
bool TitleMetadata::ValidateSignature() const {
if (!Certs::IsLoaded()) {
LOG_ERROR(Core, "Certificates not available");
return false;
}
const auto cert_name =
Common::StringFromFixedZeroTerminatedBuffer(tmd_body.issuer.data(), tmd_body.issuer.size());
if (!Certs::Exists(cert_name)) {
LOG_ERROR(Core, "Cert {} does not exist", cert_name);
return false;
}
const auto& cert = Certs::Get(cert_name);
if (signature_type != TMDSignatureType::Rsa2048Sha256 ||
cert.body.key_type != PublicKeyType::RSA_2048) {
LOG_ERROR(Core, "Unsupported TMD signature type or cert public key type");
return false;
}
const auto [modulus, exponent] = Certs::Get(cert_name).GetRSAPublicKey();
CryptoPP::RSASS<CryptoPP::PKCS1v15, CryptoPP::SHA256>::Verifier verifier(modulus, exponent);
auto* message = verifier.NewVerificationAccumulator();
message->Update(reinterpret_cast<const u8*>(&tmd_body), sizeof(tmd_body));
message->Update(reinterpret_cast<const u8*>(tmd_chunks.data()),
tmd_chunks.size() * sizeof(ContentChunk));
verifier.InputSignature(*message, tmd_signature.data(), tmd_signature.size());
return verifier.Verify(message);
}
std::size_t TitleMetadata::GetSize() const {
const std::size_t body_start =
Common::AlignUp(GetSignatureSize(signature_type) + sizeof(u32), 0x40);
+3 -2
View File
@@ -51,7 +51,7 @@ public:
#pragma pack(push, 1)
struct Body {
std::array<u8, 0x40> issuer;
std::array<char, 0x40> issuer;
u8 version;
u8 ca_crl_version;
u8 signer_crl_version;
@@ -82,8 +82,9 @@ public:
ResultStatus Save(FileUtil::IOFile& file);
ResultStatus Save(const std::string& file_path);
std::size_t GetSize() const;
bool ValidateSignature() const;
std::size_t GetSize() const;
u64 GetTitleID() const;
u32 GetTitleType() const;
u16 GetTitleVersion() const;