
Commit a3a5e66

committed
Add hash OID to signature verification (esp8266#6201)
1 parent 6272e89 commit a3a5e66


4 files changed

+10
-5
lines changed


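--- a/cores/esp8266/Updater.h
+++ b/cores/esp8266/Updater.h
@@ -38,6 +38,7 @@ class UpdaterHashClass {
 virtual void end() = 0;
 virtual int len() = 0;
 virtual const void *hash() = 0;
+virtual const unsigned char *oid() = 0;
 };
 
 // Abstract class to implement a signature verifier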
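Review bot: The new pure virtual `oid()` in UpdaterHashClass has no comment saying what encoding it must return, and the value is security-relevant because it ends up as the hash OID argument of the RSA PKCS#1 verification in BearSSLHelpers.cpp. I would document it on the declaration, e.g. `// Encoded OID of the hash algorithm in the form BearSSL expects (leading length byte); must identify the same hash as hash()/len(), never NULL`. Because the method is pure virtual, any UpdaterHashClass subclass outside this commit presumably stops compiling until it implements it, which is worth a line in the release notes. The same comment would fit the override declared in BearSSLHelpers.h.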

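--- a/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp
+++ b/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp
@@ -848,6 +848,10 @@ const void *HashSHA256::hash() {
 return (const void*) _sha256;
 }
 
+const unsigned char *HashSHA256::oid() {
+return BR_HASH_OID_SHA256;
+}
+
 // SHA256 verifier
 uint32_t SigningVerifier::length()
 {
@@ -869,7 +873,7 @@ bool SigningVerifier::verify(UpdaterHashClass *hash, const void *signature, uint
 bool ret;
 unsigned char vrf[hash->len()];
 br_rsa_pkcs1_vrfy vrfy = br_rsa_pkcs1_vrfy_get_default();
-ret = vrfy((const unsigned char *)signature, signatureLen, NULL, sizeof(vrf), _pubKey->getRSA(), vrf);
+ret = vrfy((const unsigned char *)signature, signatureLen, hash->oid(), sizeof(vrf), _pubKey->getRSA(), vrf);
 if (!ret || memcmp(vrf, hash->hash(), sizeof(vrf)) ) {
 return false;
 } else {
@@ -896,4 +900,4 @@ make_stack_thunk(br_ssl_engine_sendrec_buf);
 
 #endif
 
-};
+};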
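Review bot: In SigningVerifier::verify the result of `hash->oid()` goes straight into `vrfy` with no null check; BearSSL treats a NULL hash OID as a raw signature without the DigestInfo header, so a hash class that returns a null pointer would quietly put verification back in the mode this commit moves away from. A guard before the call keeps that case fail-closed: `const unsigned char *oid = hash->oid();` followed by `if (!oid) return false;`, then pass `oid` to `vrfy`. verify's body starts and ends outside the hunk, so an earlier check may exist that is not visible here.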

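--- a/libraries/ESP8266WiFi/src/BearSSLHelpers.h
+++ b/libraries/ESP8266WiFi/src/BearSSLHelpers.h
@@ -146,6 +146,7 @@ class HashSHA256 : public UpdaterHashClass {
 virtual void end() override;
 virtual int len() override;
 virtual const void *hash() override;
+virtual const unsigned char *oid() override;
 private:
 br_sha256_context _cc;
 unsigned char _sha256[32];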

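--- a/tools/signing.py
+++ b/tools/signing.py
@@ -51,10 +51,9 @@ def main():
 try:
 with open(args.bin, "rb") as b:
 bin = b.read()
-sha256 = hashlib.sha256(bin)
-signcmd = [ 'openssl', 'rsautl', '-sign', '-inkey', args.privatekey ]
+signcmd = [ 'openssl', 'dgst', '-sha256', '-sign', args.privatekey ]
 proc = subprocess.Popen(signcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
-signout, signerr = proc.communicate(input=sha256.digest())
+signout, signerr = proc.communicate(input=bin)
 if proc.returncode:
 sys.stderr.write("OpenSSL returned an error signing the binary: " + str(proc.returncode) + "\nSTDERR: " + str(signerr))
 else: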
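Review bot: Switching `signcmd` to `openssl dgst -sha256 -sign` changes the signature format (the digest is now wrapped with its hash OID), and nothing visible in this hunk lets a release engineer still produce the previous format. Devices running firmware built before this commit verify with a NULL OID, so they would presumably reject an update signed by the new tool, and the new verifier rejects images signed the old way. I would add an opt-in switch that keeps the old `rsautl` path for transition builds, or at least a comment above `signcmd` such as `# Signature includes the SHA-256 DigestInfo; must match the OID check in SigningVerifier::verify`. main() continues outside the hunk.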
