feat: support RPMs with a payload digest but no SIG_MD5 (#28)

Co-authored-by: Elliot Peele <elliot@bentlogic.net>

Author: mtharp

header.go

@@ -18,8 +18,9 @@ package rpmutils
 
 import (
 	"bytes"
-	"crypto/sha1"
+	"crypto"
 	"encoding/binary"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -38,7 +39,7 @@ type entry struct {
 type rpmHeader struct {
 	entries  map[int]entry
 	isSource bool
-	origSize int
+	orig     []byte
 }
 
 type headerIntro struct {
@@ -71,19 +72,24 @@ func readExact(f io.Reader, n int) ([]byte, error) {
 	return buf, err
 }
 
-func readHeader(f io.Reader, hash string, isSource bool, sigBlock bool) (*rpmHeader, error) {
+func readHeader(f io.Reader, hash string, hashType crypto.Hash, isSource bool, sigBlock bool) (*rpmHeader, error) {
+	// save original header
+	var origBuf bytes.Buffer
+	f = io.TeeReader(f, &origBuf)
+	// verify intro
 	var intro headerIntro
 	if err := binary.Read(f, binary.BigEndian, &intro); err != nil {
 		return nil, fmt.Errorf("error reading RPM header: %s", err.Error())
 	}
 	if intro.Magic != introMagic {
 		return nil, fmt.Errorf("bad magic for header")
 	}
+	// read entries
 	entryTable, err := readExact(f, int(intro.Entries*16))
 	if err != nil {
 		return nil, fmt.Errorf("error reading RPM header table: %s", err.Error())
 	}
-
+	// read data
 	size := intro.Size
 	if sigBlock {
 		// signature block is padded to 8 byte alignment
@@ -93,24 +99,16 @@ func readHeader(f io.Reader, hash string, isSource bool, sigBlock bool) (*rpmHea
 	if err != nil {
 		return nil, fmt.Errorf("error reading RPM header data: %s", err.Error())
 	}
-
-	// Check sha1 if it was specified
+	// Check hash if it was specified
 	if len(hash) > 1 {
-		h := sha1.New()
-		if err = binary.Write(h, binary.BigEndian, &intro); err != nil {
-			return nil, err
-		}
-		if _, err = h.Write(entryTable); err != nil {
-			return nil, err
-		}
-		if _, err = h.Write(data); err != nil {
-			return nil, err
-		}
-		if fmt.Sprintf("%x", h.Sum(nil)) != hash {
-			return nil, fmt.Errorf("bad header sha1")
+		h := hashType.New()
+		h.Write(origBuf.Bytes())
+		calculated := hex.EncodeToString(h.Sum(nil))
+		if calculated != hash {
+			return nil, fmt.Errorf("%s mismatch in signature header", hashType)
 		}
 	}
-
+	// parse entries
 	ents := make(map[int]entry)
 	buf := bytes.NewReader(entryTable)
 	for i := 0; i < int(intro.Entries); i++ {
@@ -143,7 +141,7 @@ func readHeader(f io.Reader, hash string, isSource bool, sigBlock bool) (*rpmHea
 	return &rpmHeader{
 		entries:  ents,
 		isSource: isSource,
-		origSize: 16 + len(entryTable) + len(data),
+		orig:     origBuf.Bytes(),
 	}, nil
 }
 

rpmutils.go

@@ -100,7 +100,8 @@ func ReadHeader(f io.Reader) (*RpmHeader, error) {
 		return nil, err
 	}
 
-	genHeader, err := readHeader(f, getSha1(sigHeader), sigHeader.isSource, false)
+	hash, hashType := getHashAndType(sigHeader)
+	genHeader, err := readHeader(f, hash, hashType, sigHeader.isSource, false)
 	if err != nil {
 		return nil, err
 	}
@@ -130,7 +131,7 @@ func readSignatureHeader(f io.Reader) ([]byte, *rpmHeader, error) {
 	isSource := binary.BigEndian.Uint16(lead[6:8]) == 1
 
 	// Return signature header
-	hdr, err := readHeader(f, "", isSource, true)
+	hdr, err := readHeader(f, "", 0, isSource, true)
 	return lead, hdr, err
 }
 
@@ -144,8 +145,8 @@ type HeaderRange struct {
 
 // GetRange returns the byte offsets that the RPM header spans within the original RPM file
 func (hdr *RpmHeader) GetRange() HeaderRange {
-	start := 96 + hdr.sigHeader.origSize
-	end := start + hdr.genHeader.origSize
+	start := 96 + len(hdr.sigHeader.orig)
+	end := start + len(hdr.genHeader.orig)
 	return HeaderRange{
 		Start: start,
 		End:   end,

signatures.go

@@ -19,11 +19,8 @@ package rpmutils
 import (
 	"bytes"
 	"crypto"
-	"crypto/md5"
-	"errors"
 	"hash"
 	"io"
-	"io/ioutil"
 	"os"
 	"path"
 	"time"
@@ -54,21 +51,16 @@ func (opts *SignatureOptions) creationTime() time.Time {
 	return time.Now()
 }
 
-func makeSignature(stream io.Reader, key *packet.PrivateKey, opts *SignatureOptions) ([]byte, error) {
-	hash := opts.hash()
+func makeSignature(h hash.Hash, key *packet.PrivateKey, opts *SignatureOptions) ([]byte, error) {
+	hashType := opts.hash()
 	sig := &packet.Signature{
 		SigType:      packet.SigTypeBinary,
 		CreationTime: opts.creationTime(),
 		PubKeyAlgo:   key.PublicKey.PubKeyAlgo,
-		Hash:         hash,
+		Hash:         hashType,
 		IssuerKeyId:  &key.KeyId,
 	}
-	h := hash.New()
-	_, err := io.Copy(h, stream)
-	if err != nil {
-		return nil, err
-	}
-	err = sig.Sign(h, key, nil)
+	err := sig.Sign(h, key, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -103,43 +95,59 @@ func getSha1(sigHeader *rpmHeader) string {
 	return vals[0]
 }
 
-func checkMd5(sigHeader *rpmHeader, h hash.Hash) bool {
-	sigmd5, err := sigHeader.GetBytes(SIG_MD5 - _SIGHEADER_TAG_BASE)
+func getSha256(sigHeader *rpmHeader) string {
+	vals, err := sigHeader.GetStrings(SIG_SHA256)
 	if err != nil {
-		return true
+		return ""
 	}
-	return bytes.Equal(sigmd5, h.Sum(nil))
+	return vals[0]
+}
+
+func getHashAndType(sigHeader *rpmHeader) (string, crypto.Hash) {
+	// RPM v4 introduced SHA256 header signatures, prefer them over the
+	// previous SHA1
+	if h := getSha256(sigHeader); h != "" {
+		return h, crypto.SHA256
+	}
+	return getSha1(sigHeader), crypto.SHA1
+}
+
+func digestForSigning(sigHeader, genHeader *rpmHeader, payloadReader io.Reader, opts *SignatureOptions) (genHash, combinedHash hash.Hash, err error) {
+	genHash, combinedHash = opts.hash().New(), opts.hash().New()
+	// write header
+	genHash.Write(genHeader.orig)
+	combinedHash.Write(genHeader.orig)
+	// write and verify payload
+	err = digestPayload(sigHeader, genHeader, payloadReader, []io.Writer{combinedHash})
+	return genHash, combinedHash, err
 }
 
 // SignRpmStream reads an RPM and signs it, returning the set of headers updated with the new signature.
 func SignRpmStream(stream io.Reader, key *packet.PrivateKey, opts *SignatureOptions) (header *RpmHeader, err error) {
 	lead, sigHeader, err := readSignatureHeader(stream)
 	if err != nil {
-		return
+		return nil, err
 	}
-	// parse the general header and also tee it into a buffer
-	genHeaderBuf := new(bytes.Buffer)
-	headerTee := io.TeeReader(stream, genHeaderBuf)
-	genHeader, err := readHeader(headerTee, getSha1(sigHeader), sigHeader.isSource, false)
+	// parse the general header
+	headerDigestValue, headerDigestType := getHashAndType(sigHeader)
+	genHeader, err := readHeader(stream, headerDigestValue, headerDigestType, sigHeader.isSource, false)
 	if err != nil {
-		return
+		return nil, err
 	}
-	genHeaderBlob := genHeaderBuf.Bytes()
-	// chain the buffered general header to the rest of the payload, and digest the whole lot of it
-	genHeaderAndPayload := io.MultiReader(bytes.NewReader(genHeaderBlob), stream)
-	payloadDigest := md5.New()
-	payloadTee := io.TeeReader(genHeaderAndPayload, payloadDigest)
-	sigPgp, err := makeSignature(payloadTee, key, opts)
+	// hash and sign header
+	genHash, combinedHash, err := digestForSigning(sigHeader, genHeader, stream, opts)
 	if err != nil {
-		return
-	}
-	if !checkMd5(sigHeader, payloadDigest) {
-		return nil, errors.New("md5 digest mismatch")
+		return nil, err
 	}
-	sigRsa, err := makeSignature(bytes.NewReader(genHeaderBlob), key, opts)
+	// sign header and payload
+	sigPgp, err := makeSignature(combinedHash, key, opts)
 	if err != nil {
 		return
 	}
+	sigRsa, err := makeSignature(genHash, key, opts)
+	if err != nil {
+		return nil, err
+	}
 	insertSignatures(sigHeader, sigPgp, sigRsa)
 	return &RpmHeader{
 		lead:      lead,
@@ -149,6 +157,34 @@ func SignRpmStream(stream io.Reader, key *packet.PrivateKey, opts *SignatureOpti
 	}, nil
 }
 
+func getPayloadDigest(header *rpmHeader) (string, crypto.Hash) {
+	digests, err := header.GetStrings(PAYLOADDIGEST)
+	if err != nil || len(digests) == 0 {
+		// no payload digest
+		return "", 0
+	}
+	digest := digests[0]
+	algos, err := header.GetUint32s(PAYLOADDIGESTALGO)
+	if err != nil || len(algos) == 0 {
+		return "", 0
+	}
+	switch algos[0] {
+	case HASH_MD5:
+		return digest, crypto.MD5
+	case HASH_SHA1:
+		return digest, crypto.SHA1
+	case HASH_SHA256:
+		return digest, crypto.SHA256
+	case HASH_SHA384:
+		return digest, crypto.SHA384
+	case HASH_SHA512:
+		return digest, crypto.SHA512
+	case HASH_SHA224:
+		return digest, crypto.SHA224
+	}
+	return "", 0
+}
+
 func canOverwrite(ininfo, outinfo os.FileInfo) bool {
 	if !outinfo.Mode().IsRegular() {
 		return false
@@ -216,7 +252,7 @@ func rewriteRpm(infile *os.File, outpath string, header *RpmHeader) error {
 		}
 		if outstream == nil {
 			// write-rename
-			tempfile, err := ioutil.TempFile(path.Dir(outpath), path.Base(outpath))
+			tempfile, err := os.CreateTemp(path.Dir(outpath), path.Base(outpath))
 			if err != nil {
 				return err
 			}
@@ -275,7 +311,7 @@ func writeRpm(infile io.ReadSeeker, outstream io.Writer, sigHeader *rpmHeader) e
 	if err = sigHeader.WriteTo(outstream, RPMTAG_HEADERSIGNATURES); err != nil {
 		return err
 	}
-	if _, err := infile.Seek(int64(len(lead)+sigHeader.origSize), 0); err != nil {
+	if _, err := infile.Seek(int64(len(lead)+len(sigHeader.orig)), 0); err != nil {
 		return err
 	}
 	_, err = io.Copy(outstream, infile)

signatures_test.go

@@ -21,6 +21,7 @@ import (
 	"io"
 	"os"
 	"testing"
+	"testing/iotest"
 
 	"golang.org/x/crypto/openpgp"
 )
@@ -104,3 +105,83 @@ bCw9mwgJ2r0mQLqjrXjEYBhaE49I8A==
 =+d52
 -----END PGP PRIVATE KEY BLOCK-----
 `
+
+func TestSHA256HeaderAndPayload(t *testing.T) {
+	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(testkey)))
+	if err != nil {
+		t.Fatal("failed to parse test key:", err)
+	}
+	entity := keyring[0]
+
+	f, err := os.Open("./testdata/nfpm/test-1.0.0.x86_64.rpm")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	h, err := SignRpmStream(f, entity.PrivateKey, nil)
+	if err != nil {
+		t.Fatal("error signing rpm:", err)
+	}
+	sigblob, err := h.DumpSignatureHeader(false)
+	if err != nil {
+		t.Fatal("error writing sig header:", err)
+	}
+	if len(sigblob)%8 != 0 {
+		t.Fatalf("incorrect padding: got %d bytes, expected a multiple of 8", len(sigblob))
+	}
+	// verify by merging the new sig header with the original file
+	if _, err = f.Seek(int64(h.OriginalSignatureHeaderSize()), io.SeekStart); err != nil {
+		t.Fatal("error seeking:", err)
+	}
+	signed := io.MultiReader(bytes.NewReader(sigblob), f)
+	_, sigs, err := Verify(signed, keyring)
+	if err != nil {
+		t.Fatal("error verifying signature:", err)
+	}
+	if len(sigs) != 2 || sigs[0].Signer != entity || sigs[1].Signer != entity {
+		t.Fatalf("error verifying signature: incorrect signers. found: %#v", sigs)
+	}
+	// check padding for odd sized signature tags
+	h.sigHeader.entries[1234] = entry{dataType: RPM_BIN_TYPE, count: 3, contents: []byte("foo")}
+	sigblob, err = h.DumpSignatureHeader(false)
+	if err != nil {
+		t.Fatal("error writing sig header:", err)
+	}
+	if len(sigblob)%8 != 0 {
+		t.Fatalf("incorrect padding: got %d bytes, expected a multiple of 8", len(sigblob))
+	}
+
+}
+
+func TestReadSha256PayloadHeader(t *testing.T) {
+	f, err := os.Open("./testdata/nfpm/test-1.0.0.x86_64.rpm")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	rpm, err := ReadRpm(iotest.HalfReader(f))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	hashType, err := rpm.Header.GetInt(PAYLOADDIGESTALGO)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if hashType != HASH_SHA256 {
+		t.Fatalf("expected hash type of %d, got %d", HASH_SHA256, hashType)
+	}
+
+	digest, err := rpm.Header.GetString(PAYLOADDIGEST)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expected := "0ba72025da7d469c62e03d2dcec072c4ea6b8fecbede01d01f4f620a162f8309"
+	if digest != expected {
+		t.Fatalf("expected digest of '%s', got %s", expected, digest)
+	}
+
+}