MikroTik RouterOS 授权签名验证分析

MikroTik 软路由

百科https://baike.baidu.com/item/mikrotik/9776775官网https://mikrotik.com/

授权文件分析

-----BEGIN MIKROTIK SOFTWARE KEY------------
mr3jH5qhn9irtF53ZICFTN7Tk7wIx7ZkxdAxJ19ydASY
ShhFteHMntBTyaS8wuNdIJJPidJxbuNPLTvCsv7zLA==
-----END MIKROTIK SOFTWARE KEY--------------

采用自定义的Base64编码，自定义Base64的转换如下：

MIKRO_BASE64_CHARACTER_TABLE = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
def mikro_base64_encode(data:bytes, pad = False)->str:encoded = ''left = 0for i in range(0, len(data)):if left == 0:encoded += chr(MIKRO_BASE64_CHARACTER_TABLE[data[i] & 0x3F])left = 2else:if left == 6:encoded += chr(MIKRO_BASE64_CHARACTER_TABLE[data[i - 1] >> 2])encoded += chr(MIKRO_BASE64_CHARACTER_TABLE[data[i] & 0x3F])left = 2else:index1 = data[i - 1] >> (8 - left)index2 = data[i] << (left)encoded += chr(MIKRO_BASE64_CHARACTER_TABLE[(index1 | index2) & 0x3F])left += 2if left != 0:encoded += chr(MIKRO_BASE64_CHARACTER_TABLE[data[len(data) - 1] >> (8 - left)])if pad:for i in range(0, (4 - len(encoded) % 4) % 4):encoded += '='return encoded
def mikro_base64_decode(data:str)->bytes:ret = b""data = data.replace("=", "").encode()left = 0for i in range(0, len(data)):if left == 0:left = 6else:value1 = MIKRO_BASE64_CHARACTER_TABLE.index(data[i - 1]) >> (6 - left)value2 = MIKRO_BASE64_CHARACTER_TABLE.index(data[i]) & (2 ** (8 - left) - 1)value = value1 | (value2 << left)ret += bytes([value])left -= 2return ret

Base64解码后为固定64字节长度的数据，其中16字节授权内容、16字节随机数、32字节签名。

16字节授权内容通过如下方式加密解密

def mikro_encode(s:bytes)->bytes:s = list(struct.unpack('>' + 'I' * (len(s) // 4), s))for i in reversed(range(16)):s[(i+0) % 4] = to32bits(rotl(s[(i+3) % 4], MIKRO_SHA256_K[i*4+3] & 0x0F) ^ (s[(i+0) % 4] - s[(i+3) % 4]))s[(i+3) % 4] = to32bits(s[(i+3) % 4] + s[(i+1) % 4] + MIKRO_SHA256_K[i*4+3])s[(i+1) % 4] = to32bits(rotl(s[(i+2) % 4], MIKRO_SHA256_K[i*4+2] & 0x0F) ^ (s[(i+1) % 4] - s[(i+2) % 4]))s[(i+0) % 4] = to32bits(s[(i+0) % 4] + s[(i+2) % 4] + MIKRO_SHA256_K[i*4+2])s[(i+2) % 4] = to32bits(rotl(s[(i+1) % 4], MIKRO_SHA256_K[i*4+1] & 0x0F) ^ (s[(i+2) % 4] - s[(i+1) % 4]))s[(i+1) % 4] = to32bits(s[(i+1) % 4] + s[(i+3) % 4] + MIKRO_SHA256_K[i*4+1])s[(i+3) % 4] = to32bits(rotl(s[(i+0) % 4], MIKRO_SHA256_K[i*4+0] & 0x0F) ^ (s[(i+3) % 4] - s[(i+0) % 4]))s[(i+2) % 4] = to32bits(s[(i+2) % 4] + s[(i+0) % 4] + MIKRO_SHA256_K[i*4+0])encodedLicensePayload = b''for x in s:encodedLicensePayload += x.to_bytes(4, 'big')return encodedLicensePayloaddef mikro_decode(s:bytes)->bytes:s = list(struct.unpack('>'+'I'*(len(s) // 4), s))for i in range(16):s[(i+2) % 4] = to32bits(s[(i+2) % 4] - s[(i+0) % 4] - MIKRO_SHA256_K[i*4+0])s[(i+3) % 4] = to32bits((rotl(s[(i+0) % 4], MIKRO_SHA256_K[i*4+0] & 0x0F) ^ s[(i+3) % 4]) + s[(i+0) % 4])s[(i+1) % 4] = to32bits(s[(i+1) % 4] - s[(i+3) % 4] - MIKRO_SHA256_K[i*4+1])s[(i+2) % 4] = to32bits((rotl(s[(i+1) % 4], MIKRO_SHA256_K[i*4+1] & 0x0F) ^ s[(i+2) % 4]) + s[(i+1) % 4])s[(i+0) % 4] = to32bits(s[(i+0) % 4] - s[(i+2) % 4] - MIKRO_SHA256_K[i*4+2])s[(i+1) % 4] = to32bits((rotl(s[(i+2) % 4], MIKRO_SHA256_K[i*4+2] & 0x0F) ^ s[(i+1) % 4]) + s[(i+2) % 4])s[(i+3) % 4] = to32bits(s[(i+3) % 4] - s[(i+1) % 4] - MIKRO_SHA256_K[i*4+3])s[(i+0) % 4] = to32bits((rotl(s[(i+3) % 4], MIKRO_SHA256_K[i*4+3] & 0x0F) ^ s[(i+0) % 4]) + s[(i+3) % 4])ret = b''for x in s:ret += x.to_bytes(4, 'big')return ret

16字节解密后前6个字节为授权软件ID，第7个字节为授权软件版本号，第8个字节为授权等级

6字节转换为软件ID的方式如下：

SOFTWARE_ID_CHARACTER_TABLE = b'TN0BYX18S5HZ4IA67DGF3LPCJQRUK9MW2VE'
def mikro_softwareid_decode(software_id:str)->int:assert(isinstance(software_id, str))software_id = software_id.replace('-', '')ret = 0for i in reversed(range(len(software_id))):ret *= len(SOFTWARE_ID_CHARACTER_TABLE)ret += SOFTWARE_ID_CHARACTER_TABLE.index(ord(software_id[i]))return retdef mikro_softwareid_encode(id:int)->str:assert(isinstance(id, int))ret = ''for i in range(8):ret += chr(SOFTWARE_ID_CHARACTER_TABLE[id % 0x23])id //= 0x23if i == 3:ret += '-'return ret

16字节随机数和32字节校验码通过EC-KCDSA算法签名生成,采用toyecc库，其中sha256采用自定义的K和State表

自定义的sha256实现算法

MIKRO_SHA256_K = (0x0548D563, 0x98308EAB, 0x37AF7CCC, 0xDFBC4E3C,0xF125AAC9, 0xEC98ACB8, 0x8B540795, 0xD3E0EF0E,0x4904D6E5, 0x0DA84981, 0x9A1F8452, 0x00EB7EAA,0x96F8E3B3, 0xA6CDB655, 0xE7410F9E, 0x8EECB03D,0x9C6A7C25, 0xD77B072F, 0x6E8F650A, 0x124E3640,0x7E53785A, 0xE0150772, 0xC61EF4E0, 0xBC57E5E0,0xC0F9A285, 0xDB342856, 0x190834C7, 0xFBEB7D8E,0x251BED34, 0x0E9F2AAD, 0x256AB901, 0x0A5B7890,0x9F124F09, 0xD84A9151, 0x427AF67A, 0x8059C9AA,0x13EAB029, 0x3153CDF1, 0x262D405D, 0xA2105D87,0x9C745F15, 0xD1613847, 0x294CE135, 0x20FB0F3C,0x8424D8ED, 0x8F4201B6, 0x12CA1EA7, 0x2054B091,0x463D8288, 0xC83253C3, 0x33EA314A, 0x9696DC92,0xD041CE9A, 0xE5477160, 0xC7656BE8, 0x5179FE33,0x1F4726F1, 0x5F393AF0, 0x26E2D004, 0x6D020245,0x85FDF6D7, 0xB0237C56, 0xFF5FBD94, 0xA8B3F534
)
class MikroSHA256(SHA256):K = MIKRO_SHA256_KINITIAL_STATE = SHA256.State(0x5B653932, 0x7B145F8F, 0x71FFB291, 0x38EF925F,0x03E1AAF9, 0x4A2057CC, 0x4CAF4DD9, 0x643CC9EA)
def mikro_sha256(data:bytes)->bytes:return MikroSHA256(data).digest()

EC-KCDSA签名验证算法

from toyecc import AffineCurvePoint, getcurvebyname, FieldElement,ECPrivateKey,ECPublicKey,Tools
from toyecc.Random import secure_rand_int_between
def mikro_kcdsa_sign(data:bytes,private_key:bytes)->bytes:assert(isinstance(data, bytes))assert(isinstance(private_key, bytes))curve = getcurvebyname('Curve25519')private_key:ECPrivateKey = ECPrivateKey(Tools.bytestoint_le(private_key), curve)public_key:ECPublicKey = private_key.pubkeywhile True:nonce_secret = secure_rand_int_between(1, curve.n - 1)nonce_point = nonce_secret * curve.Gnonce = int(nonce_point.x) % curve.nnonce_hash = mikro_sha256(Tools.inttobytes_le(nonce,32))data_hash = bytearray(mikro_sha256(data))for i in range(16):data_hash[8+i] ^= nonce_hash[i] data_hash[0] &= 0xF8data_hash[31] &= 0x7Fdata_hash[31] |= 0x40data_hash = Tools.bytestoint_le(data_hash)signature = pow(private_key.scalar, -1, curve.n) * (nonce_secret - data_hash)signature %= curve.nif int((public_key.point * signature + curve.G * data_hash).x) == nonce:return bytes(nonce_hash[:16]+Tools.inttobytes_le(signature,32))def mikro_kcdsa_verify(data:bytes, signature:bytes, public_key:bytes)->bool:assert(isinstance(data, bytes))assert(isinstance(signature, bytes))assert(isinstance(public_key, bytes))curve = getcurvebyname('Curve25519')#y^2 = x^3 + ax^2 + xx = Tools.bytestoint_le(public_key)X_field = FieldElement(x, curve.p)YY = ((X_field**3) + (curve.a * X_field**2) + X_field).sqrt()public_keys = []for y in YY:public_keys += [AffineCurvePoint(x, int(y), curve)]data_hash = bytearray(mikro_sha256(data))nonce_hash = signature[:16]signature = signature[16:]for i in range(16):data_hash[8+i] ^= nonce_hash[i]data_hash[0] &= 0xF8data_hash[31] &= 0x7Fdata_hash[31] |= 0x40data_hash = Tools.bytestoint_le(data_hash)signature = Tools.bytestoint_le(signature)for public_key in public_keys:nonce = int((public_key * signature + curve.G * data_hash).x) if mikro_sha256(Tools.inttobytes_le(nonce,32))[:len(nonce_hash)] == nonce_hash:return Truereturn False

授权文件解析

通过分析/nova/bin/keyman可以获取授权文件验证签名的公钥为

MIKRO_LICENSE_PUBLIC_KEY = bytes.fromhex('8E1067E4305FCDC0CFBF95C10F96E5DFE8C49AEF486BD1A4E2E96C27F01E3E32')

因此可以解析验证授权文件是否有效

def prase_license(lic:str,public_key:bytes):assert(isinstance(public_key, bytes))slic = lic.replace(MIKRO_LICENSE_HEADER, '').replace(MIKRO_LICENSE_FOOTER, '').replace('\n', '').replace(' ','')lic:bytes = mikro_base64_decode(slic)licVal = mikro_decode(lic[:16])software_id = int.from_bytes(licVal[:6], 'little')print(f"Software ID: {mikro_softwareid_encode(software_id)}({hex(software_id)})")print(f"RouterOS Version: {licVal[6]}")print(f"License Level: {licVal[7]}")nonce_hash = lic[16:32]print(f"Nonce Hash: {nonce_hash.hex()}")signature = lic[32:64]print(f"Signature: {signature.hex()}")print(f'License valid:{mikro_kcdsa_verify(licVal, nonce_hash+signature,public_key)}')

解析后的输出

Software ID: TI09-7WK3(0x137f8e8673d)
RouterOS Version: 6
License Level: 6
Nonce Hash: b34fe40e23f19e917107c449ddcb1d20
Signature: 61521816ad7730671b4cb226f1b0db7448923c6297c49bdb3ccbf40aecbbcf0b
License valid:True

授权文件生成

生成秘钥对，通过私钥对授权内容进行签名即可。

MIKRO_LICENSE_HEADER = '-----BEGIN MIKROTIK SOFTWARE KEY------------'
MIKRO_LICENSE_FOOTER = '-----END MIKROTIK SOFTWARE KEY--------------' 
def generate_license(software_id,private_key:bytes,version:int=7, level:int=6):assert(isinstance(private_key, bytes))if isinstance(software_id, str):software_id = mikro_softwareid_decode(software_id)lic = software_id.to_bytes(6, 'little')lic += version.to_bytes(1, 'little')lic += level.to_bytes(1, 'little')lic += b'\0'*8sig = mikro_kcdsa_sign(lic, private_key)lic = mikro_base64_encode(mikro_encode(lic)+sig,True)return MIKRO_LICENSE_HEADER + '\n' + lic[:len(lic)//2] + '\n' + lic[len(lic)//2:] + '\n' + MIKRO_LICENSE_FOOTER

替换公钥

用生成的秘钥对的公钥替换原先官方的公钥

squashfs-root/nova/bin/loader public key patched 8E1067E4305FCDC0CFBF95C10F96E5DF...

squashfs-root/nova/bin/keyman public key patched 8E1067E4305FCDC0CFBF95C10F96E5DF...

squashfs-root/nova/bin/mode public key patched 8E1067E4305FCDC0CFBF95C10F96E5DF...

initramfs/init public key patched 8E1067E4305FCDC0CFBF95C10F96E5DF...

initramfs/setup public key patched 8E1067E4305FCDC0CFBF95C10F96E5DF...

但是routeros的npk文件也是验证签名的，因此直接替换公钥，系统启动的时候验证npk的文件的签名是不通过的，所以还得对npk文件重新签名

NPK文件签名分析

npk文件的签名由132个字节组成，其中20字节sha1,48字节EC-KCDSA签名，64字节EDDSA签名

同理生成自定义秘钥对替换原来的官方公钥，用自定义的私钥对npk重新签名即可。

squashfs-root/nova/bin/installer public key patched C293CED638A2A33C681FC8DE98EE26C5...

squashfs-root/nova/bin/sys2 public key patched C293CED638A2A33C681FC8DE98EE26C5...

initramfs/init public key patched C293CED638A2A33C681FC8DE98EE26C5...

initramfs/setup public key patched C293CED638A2A33C681FC8DE98EE26C5...