| # Copyright (c) 2013 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| import os |
| import urlparse |
| |
| from autotest_lib.client.common_lib import error |
| from autotest_lib.client.common_lib.cros import dev_server |
| from autotest_lib.server import autotest, test |
| |
| def _split_url(url): |
| """Splits a URL into the URL base and path.""" |
| split_url = urlparse.urlsplit(url) |
| url_base = urlparse.urlunsplit( |
| (split_url.scheme, split_url.netloc, '', '', '')) |
| url_path = split_url.path |
| return url_base, url_path.lstrip('/') |
| |
| |
| class autoupdate_CatchBadSignatures(test.test): |
| """This is a test to verify that update_engine correctly checks |
| signatures in the metadata hash and the update payload |
| itself. This is achieved by feeding updates to update_engine where |
| the private key used to make the signature, intentionally does not |
| match with the public key used for verification. |
| |
| By its very nature, this test requires an image signed with a |
| well-known key. Since payload-generation is a resource-intensive |
| process, we prepare the image ahead of time. Also, since the image |
| is never successfully applied, we can get away with not caring that |
| the image is built for one board but used on another. |
| |
| If you ever need to replace the test image, follow these eight |
| simple steps: |
| |
| 1. Build a test image: |
| |
| $ cd ~/trunk/src/scripts |
| $ ./build_packages --board=${BOARD} |
| $ ./build_image --board=${BOARD} --noenable_rootfs_verification test |
| |
| 2. Serve the image the DUT like this: |
| |
| $ cd ~/trunk/src/platform/dev |
| $ ./devserver.py --test_image \ |
| --private_key \ |
| ../../aosp/system/update_engine/unittest_key.pem \ |
| --private_key_for_metadata_hash_signature \ |
| ../../aosp/system/update_engine/unittest_key.pem \ |
| --public_key \ |
| ../../aosp/system/update_engine/unittest_key2.pub.pem |
| |
| Note that unittest_key2.pub.pem can be generated via |
| $ openssl rsa \ |
| -in ../../aosp/system/update_engine/unittest_key2.pem -pubout \ |
| -out ../../aosp/system/update_engine/unittest_key2.pub.pem |
| |
| 3. Update the DUT - the update should fail at the metadata |
| verification stage. |
| |
| 4. From the update_engine logs (stored in /var/log/update_engine/) |
| on the DUT, find the Omaha response sent to the DUT and update |
| the following constants with values from the XML: |
| |
| _IMAGE_SHA256: set it to the 'sha256' |
| _IMAGE_METADATA_SIZE: set it to the 'MetadataSize' |
| _IMAGE_PUBLIC_KEY2: set it to the 'PublicKeyRsa' |
| _IMAGE_METADATA_SIGNATURE_WITH_KEY1: set it to 'MetadataSignatureRsa' |
| |
| Also download the image payload (follow 'url' and 'codebase' tags for |
| directory then 'package' for the file name and its size), |
| upload it to Google Storage and update the _IMAGE_GS_URL and |
| _IMAGE_SIZE constants with the resulting URL and the size. |
| |
| 5. Serve the image to the DUT again and note the slightly different |
| parameters this time. Note that the image served is the same, |
| however the Omaha response will be different. |
| |
| $ cd ~/trunk/src/platform/dev |
| $ ./devserver.py --test_image \ |
| --private_key \ |
| ../../aosp/system/update_engine/unittest_key.pem \ |
| --private_key_for_metadata_hash_signature \ |
| ../../aosp/system/update_engine/unittest_key2.pem \ |
| --public_key \ |
| ../../aosp/system/update_engine/unittest_key2.pub.pem |
| |
| 6. Update the DUT - the update should fail at the payload |
| verification stage. |
| |
| 7. Like in step 4., examine the update_engine logs and update the |
| following constants: |
| |
| _IMAGE_METADATA_SIGNATURE_WITH_KEY2: set to 'MetadataSignatureRsa' |
| |
| 8. Now run the test and ensure that it passes |
| |
| $ cd ~/trunk/src/scripts |
| $ test_that -b ${BOARD} --fast <DUT_IP> autoupdate_CatchBadSignatures |
| |
| """ |
| version = 1 |
| |
| # The test image to use and the values associated with it. |
| _IMAGE_GS_URL='gs://chromiumos-test-assets-public/autoupdate/autoupdate_CatchBadSignatures-payload-sentry-R54-8719.0.2016_08_18_2057-a1' |
| _IMAGE_SIZE=405569018 |
| _IMAGE_METADATA_SIZE=49292 |
| _IMAGE_SHA256='PHjzsTdCRMvMM7s+8f7K8ZegKoFnAf1UNhG6qc7zjRU=' |
| _IMAGE_PUBLIC_KEY1='LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF4NmhxUytIYmM3ak44MmVrK09CawpISk52bFdYa3R5UzJYQ3VRdEd0bkhqRVY3T3U1aEhORjk2czV3RW44UkR0cmRMb2NtMGErU3FYWGY3S3ljRlJUClp4TGREYnFXQU1VbFBYT2FQSStQWkxXa0I3L0tWN0NkajZ2UEdiZXE3ZWx1K2FUL2J1ZGh6VHZxMnN0WXJyQWwKY3IvMjF0T1ZEUGlXdGZDZHlraDdGQ1hpNkZhWUhvTnk1QTZFS1FMZkxCdUpvVS9Rb0N1ZmxkbXdsRmFGREtsKwpLb29zNlIxUVlKZkNOWmZnb2NyVzFQSWgrOHQxSkl2dzZJem84K2ZUbWU3bmV2N09sMllaaU1XSnBSWUt4OE1nCnhXMlVnVFhsUnBtUU41NnBjOUxVc25WQThGTkRCTjU3K2dNSmorWG1kRG1idE1wT3N5WGZTTkVnbnV3TVBjRWMKbXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==' |
| _IMAGE_METADATA_SIGNATURE_WITH_KEY1='RH0QkJErsz9T6u5/0nNYKRjVPfH08+j/zdBU2BimU2jAa4zn7HElhIk4v7l92qtHJAdAfH8JzTCCUQcqxfBL0CLxoXClKbnFjb4DKKp5z4GHJ4Be7q5hq+OVFFTMs+WV6rVP+VPWfirKN3RQy2CaUnkcoaBsa9pgU3SfZYGK4EkgSY7Fwnjzeu1oCUb8v+VrY93Hia8vJgKRG1EBtK2a9qLy/2uZ9twHyKnykt5VeLXMUL7x2ChdY1IzJaPDfGMyneoUQ2k1Yr/ROuVaYWI08lZfM0W2Abj6uCCHNu/K2oPHevJs1yyy4lmRRr2aWDnZ93GA17Jb7XwJO4JgNUHQgQ==' |
| _IMAGE_PUBLIC_KEY2='LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFxZE03Z25kNDNjV2ZRenlydDE2UQpESEUrVDB5eGcxOE9aTys5c2M4aldwakMxekZ0b01Gb2tFU2l1OVRMVXArS1VDMjc0ZitEeElnQWZTQ082VTVECkpGUlBYVXp2ZTF2YVhZZnFsalVCeGMrSlljR2RkNlBDVWw0QXA5ZjAyRGhrckduZi9ya0hPQ0VoRk5wbTUzZG8Kdlo5QTZRNUtCZmNnMUhlUTA4OG9wVmNlUUd0VW1MK2JPTnE1dEx2TkZMVVUwUnUwQW00QURKOFhtdzRycHZxdgptWEphRm1WdWYvR3g3K1RPbmFKdlpUZU9POUFKSzZxNlY4RTcrWlppTUljNUY0RU9zNUFYL2xaZk5PM1JWZ0cyCk83RGh6emErbk96SjNaSkdLNVI0V3daZHVobjlRUllvZ1lQQjBjNjI4NzhxWHBmMkJuM05wVVBpOENmL1JMTU0KbVFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==' |
| _IMAGE_METADATA_SIGNATURE_WITH_KEY2='TWzj+aki+yS0nKCzy0/t+pTdHMh0N9ffjNbwIJhSx9bQ3813oYaF3vQsky29o0PuDWih1363uEHOoCjYrzxLnwuk1NK7/6Psb88kAYjc7gk1IgW/xuFTybxSL0bbOAN4p1QI6oRMPYrf5mZCE+VHhbSaMazK0AebFEg0fwvXkaoo/pQQWRWCH0u0GCqDBfGZlQATe/79inXda4mD19E9EvvMqm2ZStys7MMPCkkYyEsZWFmm6AFykiWtVMNyc6JWSTKh6ZKsme+l2Rr5orTubFbdwMuItcb6KySnsgOj5MAQ+HVFfjgJuEs4eRsP/Tfjn213v4bJVUSt6DwABg7/gw==' |
| |
| @staticmethod |
| def _string_has_strings(haystack, needles): |
| """Returns True iff all the strings in the list |needles| are |
| present in the string |haystack|.""" |
| for n in needles: |
| if haystack.find(n) == -1: |
| return False |
| return True |
| |
| def _check_signature(self, metadata_signature, public_key, |
| expected_log_messages, failure_message): |
| """Helper function for updating with a Canned Omaha response.""" |
| |
| # Runs the update on the DUT and expect it to fail. |
| client_host = autotest.Autotest(self._host) |
| client_host.run_test( |
| 'autoupdate_CannedOmahaUpdate', |
| image_url=self._staged_payload_url, |
| image_size=self._IMAGE_SIZE, |
| image_sha256=self._IMAGE_SHA256, |
| allow_failure=True, |
| metadata_size=self._IMAGE_METADATA_SIZE, |
| metadata_signature=metadata_signature, |
| public_key=public_key) |
| |
| cmdresult = self._host.run('cat /var/log/update_engine.log') |
| if not self._string_has_strings(cmdresult.stdout, |
| expected_log_messages): |
| raise error.TestFail(failure_message) |
| |
| |
| def _check_bad_metadata_signature(self): |
| """Checks that update_engine rejects updates where the payload |
| and Omaha response do not agree on the metadata signature.""" |
| |
| expected_log_messages = [ |
| 'Mandating payload hash checks since Omaha Response for ' |
| 'unofficial build includes public RSA key', |
| 'Mandatory metadata signature validation failed'] |
| |
| self._check_signature( |
| metadata_signature=self._IMAGE_METADATA_SIGNATURE_WITH_KEY1, |
| public_key=self._IMAGE_PUBLIC_KEY2, |
| expected_log_messages=expected_log_messages, |
| failure_message='Check for bad metadata signature failed.') |
| |
| |
| def _check_bad_payload_signature(self): |
| """Checks that update_engine rejects updates where the payload |
| signature does not match what is expected.""" |
| |
| expected_log_messages = [ |
| 'Mandating payload hash checks since Omaha Response for ' |
| 'unofficial build includes public RSA key', |
| 'Metadata hash signature matches value in Omaha response.', |
| 'Public key verification failed, thus update failed'] |
| |
| self._check_signature( |
| metadata_signature=self._IMAGE_METADATA_SIGNATURE_WITH_KEY2, |
| public_key=self._IMAGE_PUBLIC_KEY2, |
| expected_log_messages=expected_log_messages, |
| failure_message='Check for payload signature failed.') |
| |
| |
| def _stage_image(self, image_url): |
| """Requests an image server from the lab to stage the image |
| specified by |image_url| (typically a Google Storage |
| URL). Returns the URL to the staged image.""" |
| |
| # We don't have a build so just fake the string. |
| build = 'x86-fake-release/R42-4242.0.0-a1-bFAKE' |
| image_server = dev_server.ImageServer.resolve(build, |
| self._host.hostname) |
| archive_url = os.path.dirname(image_url) |
| filename = os.path.basename(image_url) |
| # ImageServer expects an image parameter, but we don't have one. |
| image_server.stage_artifacts(image='fake_image', |
| files=[filename], |
| archive_url=archive_url) |
| |
| # ImageServer has no way to give us the URL of the staged file... |
| base, name = _split_url(image_url) |
| staged_url = '%s/static/%s' % (image_server.url(), name) |
| return staged_url |
| |
| |
| def cleanup(self): |
| if self._host: |
| self._host.reboot() |
| |
| |
| def run_once(self, host): |
| """Runs the test on the DUT represented by |host|.""" |
| |
| self._host = host |
| |
| # First, stage the image. |
| self._staged_payload_url = self._stage_image(self._IMAGE_GS_URL) |
| |
| # Then run the tests. |
| self._check_bad_metadata_signature() |
| self._check_bad_payload_signature() |
| |
