Table of Contents

location

the signature chain used in the recovery procedure is the following:

  • operator.ini :
    • signature is the tail of the partition, last 384 bytes
    • public key is customisation.ini::BootSigning
  • SCF.xml :
    • signature is in recovery.ini
    • public key is operator.ini::SCF
  • standard-kernel.bin, rootfs.bin, ubiqfs.bin
    • signature is in SCF.xml
    • public key is operator.ini::BootSigning

sigcheck

all files are signed. the signatures are in different locations (even duplicates).

  • the signatures are verified using sigcheck, also used to verify the checksum
Usage: datafile filesize signature|sha1 [pubkey1 [pubkey2]]
signature is 128 colon-separated hex bytes,
sha1 is 20 hex bytes (no colons), and has no pubkeys
  • it uses RSA with SHA1, with the default exponent 0x10001/65537
  • apparently it uses GPL code (dixit K2)

openSSL

to verify the signatures with openSSL, we first have to create a DER (ASN1 based) :

  • create the ASN1 configuration file, you can either replace the public key here, or use the next step
tee public_key.cnf <<EOF
asn1=SEQUENCE:pubkeyinfo
[pubkeyinfo]
algorithm=SEQUENCE:rsa_alg
pubkey=BITWRAP,SEQUENCE:rsapubkey
[rsa_alg]
algorithm=OID:rsaEncryption
parameter=NULL
[rsapubkey]
n=INTEGER:0x<sig>
e=INTEGER:0x010001
EOF
  • replace the public key
PUBKEY=<pubkey>
PUBKEY=`echo $PUBKEY | sed 's/://g'`
sed -i 's/n=.*/n=INTEGER:0x'$PUBKEY'/g' public_key.cnf
  • encode the ASN1 conf file in ASN1 DER
openssl asn1parse -genconf public_key.cnf -out public_key.der
  • put the SHA1 signature in a file
SIG=<signature>
echo $SIG | sed 's/://g' | xxd -r -p > <image.bin.sha1>
  • check the signature
openssl dgst -sha1 -keyform DER -verify public_key.der -signature <image.bin.sha1> <image.bin>

to generate your own key pair :

openssl genrsa -f4 -out private_key.pem 1024
openssl rsa -in private_key.pem -inform PEM -pubout -out public_key.pem -outform PEM

pubkeys

here a list of default public keys, their origin, and use :

  • recovery kernel initramfs, /init, used to verify the signature of recovery rootfs if no pubkey in found in customisation.ini :
d1:e4:5c:89:27:65:52:02:e5:a8:60:3e:b4:47:77:5b:65:f7:c2:a6:02:99:ec:d6:77:11:18:23:d4:f5:1a:ad:86:63:d7:1b:75:26:64:55:4c:72:e5:e2:e0:cc:be:09:9e:6a:a4:a8:30:df:bf:41:07:25:22:d1:9e:29:95:b4:61:87:1a:f3:33:5c:11:6a:8a:50:b0:30:b1:b3:e1:b1:d3:00:05:c3:98:63:39:68:af:c2:5e:cf:c7:4c:10:5e:60:27:82:bb:2b:b7:6e:f2:d0:fb:33:90:75:3e:1e:c6:3e:a1:3a:eb:a1:34:45:d3:46:fc:a6:fb:06:17:61:1d
  • recovery rootfs, /etc/init.s/rcS :
9f:fb:64:64:73:e6:f3:5f:c5:8c:34:6f:2d:6a:12:5c:ef:ee:c9:bf:c9:e3:fa:d4:5d:63:71:ef:02:71:4a:3c:a2:b5:82:7c:bf:2b:57:28:55:0e:af:d2:e7:8c:5d:02:32:12:cc:1e:92:47:fd:99:ce:1a:8a:a9:c4:69:65:ab:91:b4:f4:d4:99:d7:c6:f8:67:7f:33:79:12:85:23:3a:b5:ba:96:ed:a1:b9:0f:96:6c:d5:69:f3:c4:70:67:43:b7:a6:87:f7:a9:09:85:17:49:47:f9:d9:01:bd:35:20:8e:4d:49:ae:9e:b9:c9:1f:68:88:0c:78:3a:d2:48:fb
  • customisation.ini, provided by Ubiquisys for SFR :
BE:73:A2:EE:C0:35:40:4A:9C:10:84:6C:82:D1:91:DE:12:9B:6F:F1:F9:2F:AF:5C:14:EA:0A:B8:45:D6:3F:18:3B:95:C6:76:4F:88:92:EE:EC:BB:84:DE:D4:4E:99:8C:F0:EB:98:76:CF:65:DA:39:D9:D1:0B:9B:84:A4:A6:62:30:9C:84:F9:6B:E4:99:B9:C8:F0:8C:55:E3:A3:54:5E:28:9B:B6:0E:0B:16:5A:CA:C9:BA:32:E3:38:29:04:DF:16:38:75:05:69:B8:0C:B7:5A:8C:1B:3A:22:26:59:AB:FB:5B:6B:A9:92:A3:49:12:EA:F3:3A:4A:48:FC:C1:47
  • operator.ini, provided by SFR :
EF:48:AA:A6:0B:7B:59:AB:96:BA:1E:BE:52:08:E0:97:76:52:3E:91:FE:33:A5:EB:B6:0B:3A:17:F9:7F:44:D5:3B:0F:D5:FA:A0:87:0C:00:D0:47:49:CE:73:44:04:55:B4:0C:D2:E3:5F:52:A7:CC:2A:DE:D2:A3:7D:19:AA:BB:22:CC:20:EE:3F:5F:10:B8:95:07:A0:CC:75:68:8B:2A:9B:26:14:F3:9B:DC:03:B7:F0:20:DB:BB:9A:54:EF:E2:A4:28:58:27:FB:F4:41:5C:BA:D6:0A:46:C7:DE:77:32:AD:99:FE:B8:9A:2E:D8:B4:C8:4D:60:A4:34:60:B8:53
  • standard-kernel intiramfs, /init :
c7:7d:f6:80:e3:b9:55:53:4a:ea:87:10:5c:e6:f3:03:93:62:03:6f:6d:94:d1:cc:67:f1:2c:fe:25:67:1f:9e:f1:32:ea:97:32:e6:f4:65:02:96:30:17:ca:18:e4:88:b9:ad:a9:a9:01:f6:e2:79:d7:8d:1b:e4:d6:c9:d0:4e:a7:31:a6:a1:cb:8f:a0:51:4e:4f:f4:a7:34:18:5a:10:3b:a1:b5:3b:53:13:6e:8c:a1:c9:7b:d5:46:25:b8:7b:f3:8c:7b:76:6b:bf:92:5c:d1:51:49:9b:76:d5:3c:33:c3:cb:c4:d0:43:be:08:e3:e2:6a:08:56:e8:34:75:e3
signature.txt · Last modified: 2011/08/30 15:34 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki