OpenWRT (ucert) signature check during upgrade

Daniel Golle daniel at makrotopia.org
Fri Aug 7 09:25:27 EDT 2020


On Fri, Aug 07, 2020 at 03:47:57PM +0300, Andrii Voloshyn wrote:
> Hi there,
> 
> I'd like to use signature verification during sysupgrade, but at the moment I get "Image check failed" message.
> Similar to what guys mentioned here: https://forum.openwrt.org/t/possible-bug-in-ucert/57704
> By digging around, I found out that:
> 
> fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
> 
> command fails, with the following message "cert_verify: cannot parse cert".
> My assumption is that it is because of a signature of the upgrade file that we add at the end of the certificate, while appending metadata to the upgrade file. line below (ucert -A -c "$@.ucert" -x "$@.sig")
> 
> define Build/append-metadata
> >---$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
> >---[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
> >--->---cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
> >--->---usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
> >--->---ucert -A -c "$@.ucert" -x "$@.sig" ;\
> >--->---fwtool -S "$@.ucert" "$@" ;\
> >---}
> endef
> 
> Would (ucert -V -m) expect appended upgrade image file signature in the certificate passed with -c?
> Or this functionality has not been implemented yet?
> In other words how to check upgtade file signature prior to upgrade with ucert tool?

Yes, this is exactly how it is supposed to work.
There has been a bug caused by libubox security improvements which made
ucert always fail to parse certificates, it should have been fixed by

commit 96c42c5ed3207b8ad1ce836a4426c8700c13b655
Author: Matthias Schiffer <mschiffer at universe-factory.net>
Date:   Sat May 16 22:29:24 2020 +0200

    Fix length checks in cert_load()


Please verify manually if ucert can parse the certificate, ie.
extract it into a file /tmp/sysupgrade.ucert using fwtool, then install
ucert-full and use `ucert -D -c /tmp/sysupgrade.ucert` and see what
happends.


Cheers


Daniel



> 
> 
> Cheers,
> Andrew
> 
> 
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list