c-jimenez/open-ocpp

Regarding the issue with the malfunctioning of the BASE64 decoding

JamesLebron opened this issue · 1 comment

Dear author,

Greetings.

We are currently testing and using the "Firmware Update" module. Here are the details:

  1. Firstly, we used OpenSSL commands to create the necessary digital signature for secure firmware updates:

public.pem: Public key certificate
public_public.pem: Public key information extracted from the public key
firmware.bin: Firmware name
signature.bin: Signature
verify_result: Verification result
Commands:

```
[1] openssl x509 -in certificate/public.pem -pubkey -noout > public_public.pem
[2] openssl dgst -sha256 -sign certificate/private.pem -out signature.bin certificate/firmware.bin
[3] openssl dgst -sha256 -verify public_public.pem -signature signature.bin -out verify_result firmware.bin
```

  2. Next, we configured the relevant public key and signature in the CSMS and tested the secure firmware use case.

  3. By printing the values in MaintenanceManager::handleMessage(const ocpp::messages::SignedUpdateFirmwareReq& request, ocpp::messages::SignedUpdateFirmwareConf& response), we confirmed that signingCertificate and signature are correct.

  4. However, the signing_certificate.verify function returned false, causing the process to fail:

```cpp
std::vector<uint8_t> decoded_signature = base64::decode(signature);
success = signing_certificate.verify(decoded_signature, local_firmware_file, Sha2::Type::SHA256);
```

  5. We performed the following analysis to investigate the issue:

5.1 Firstly, when printing std::vector<uint8_t> decoded_signature = base64::decode(signature), we noticed that the returned value had two additional zeros compared to the original data (signature.bin).

Original data:


Actual returned data:

We attempted to remove these two zeros and found that the verification passed.

5.2 The issue is likely with the base64::decode(signature) function.

Regarding the modification of the base64::decode(signature) function, can you provide some suggestions?

Hi,
Thank you for your findings.
I added more checks in the base64 encode/decode functions and it shall solve your problem => See #149
Regards
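
One way the two extra zero bytes described in this issue can arise, and a decoder that avoids them, as an added example that is neither open-ocpp's code nor the change in #149. `naive_decode` is a hypothetical decoder assumed to treat `=` padding as data; `strict_decode`, `b64_value` and `emit3` are names made up here. A signature whose length is 1 modulo 3 (256 bytes, for example) encodes with a trailing `==`, which is the case where such a decoder appends exactly two zero bytes.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Map a base64 character to its 6-bit value, or -1 if outside the alphabet.
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : (c == '/' ? 63 : -1);
}
// Append the three bytes held in the low 24 bits of q.
static void emit3(std::vector<uint8_t>& out, uint32_t q) {
    for (int s = 16; s >= 0; s -= 8) out.push_back(static_cast<uint8_t>(q >> s));
}

// Hypothetical naive decoder (constructed here, not the project's code): '='
// counts as a zero sextet and every quad yields 3 bytes, padding included.
std::vector<uint8_t> naive_decode(const std::string& in) {
    std::vector<uint8_t> out;
    for (size_t i = 0; i + 3 < in.size(); i += 4) {
        uint32_t quad = 0;
        for (size_t j = 0; j < 4; ++j) {
            int v = b64_value(in[i + j]);
            quad = (quad << 6) | static_cast<uint32_t>(v < 0 ? 0 : v);
        }
        emit3(out, quad);
    }
    return out;
}

// Strict decoder: rejects bad length, alphabet or padding; out is untouched on failure.
bool strict_decode(const std::string& in, std::vector<uint8_t>& out) {
    size_t pad = 0;
    while (pad < in.size() && in[in.size() - 1 - pad] == '=') ++pad;
    if (in.size() % 4 != 0 || pad > 2) return false;
    std::vector<uint8_t> buf;
    uint32_t acc = 0;
    for (size_t i = 0; i < in.size() - pad; ++i) {
        int v = b64_value(in[i]);
        if (v < 0) return false;  // also catches '=' anywhere before the tail
        acc = (acc << 6) | static_cast<uint32_t>(v);
        if (i % 4 == 3) { emit3(buf, acc); acc = 0; }
    }
    if (pad && (acc & (pad == 1 ? 0x3u : 0xFu))) return false;  // spare bits must be 0
    if (pad) { emit3(buf, acc << (6 * pad)); buf.resize(buf.size() - pad); }
    out.swap(buf);
    return true;
}
```

Comparing the decoded length with the expected signature length for the key before calling the verify routine catches this class of mismatch early.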