void CPKCSDemoDlg::OnBtnVerify()
{
StartOP();
CK_RV rv;
rv = C_VerifyInit(m_hSession, &ckMechanism, m_hPubKey);
if(CKR_OK != rv)
{
ShowErr(NEWLINE"Failed to call VerifyInit!Error code 0x%08X."NEWLINE, rv);
return;
}
rv = C_Verify(m_hSession,
pbMsg, ulMsgLen,
m_pSignature, m_ulSignatureLen);
if(CKR_OK != rv)
ShowErr(NEWLINE"Failed to call verify!Error code 0x%08X."NEWLINE, rv);
else
ShowMsg(NEWLINE"Verify Successfully!"NEWLINE);
}
HRESULT Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_CryptokiVerify::VerifyInit___VOID__MicrosoftSPOTCryptokiSession__MicrosoftSPOTCryptokiMechanism__SystemSecurityCryptographyCryptoKey( CLR_RT_StackFrame& stack )
{
TINYCLR_HEADER();
CLR_RT_HeapBlock* pSession = stack.Arg1().Dereference();
CLR_RT_HeapBlock* pMech = stack.Arg2().Dereference();
CLR_RT_HeapBlock* pKeyHandle = stack.Arg3().Dereference();
CLR_RT_HeapBlock_Array* pArrParam;
CK_MECHANISM mech;
CK_OBJECT_HANDLE hKey;
CK_SESSION_HANDLE hSession;
FAULT_ON_NULL_ARG(pSession);
FAULT_ON_NULL_ARG(pMech);
FAULT_ON_NULL_ARG(pKeyHandle);
hSession = (CK_SESSION_HANDLE)pSession[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_Session::FIELD__m_handle].NumericByRef().s4;
if(hSession == CK_SESSION_HANDLE_INVALID) TINYCLR_SET_AND_LEAVE(CLR_E_OBJECT_DISPOSED);
mech.mechanism = pMech[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_Mechanism::FIELD__Type].NumericByRef().u4;
pArrParam = pMech[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_Mechanism::FIELD__Parameter].DereferenceArray();
if(pArrParam != NULL && pArrParam->m_numOfElements > 0)
{
mech.pParameter = pArrParam->GetFirstElement();
mech.ulParameterLen = pArrParam->m_numOfElements;
}
else
{
mech.pParameter = NULL;
mech.ulParameterLen = 0;
}
hKey = (CK_OBJECT_HANDLE)pKeyHandle[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_CryptokiObject::FIELD__m_handle].NumericByRef().s4;
CRYPTOKI_CHECK_RESULT(stack, C_VerifyInit(hSession, &mech, hKey));
TINYCLR_NOCLEANUP();
}
BOOL UpdateValidationX509::ValidateUpdate( MFUpdate* pUpdate, UINT8* pValidation, INT32 validationLen )
{
CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
CK_SLOT_ID slotID;
CK_SESSION_HANDLE session;
CK_OBJECT_CLASS ckoCert = CKO_CERTIFICATE;
CK_OBJECT_HANDLE hCACert;
CK_MECHANISM_TYPE sha1Mech = CKM_SHA_1;
CK_MECHANISM mech = { CKM_RSA_PKCS, &sha1Mech, sizeof(sha1Mech) };
BOOL retVal = FALSE;
UINT8* caCert;
UINT32 certLen = 0;
if(g_DebuggerPortSslConfig.GetCertificateAuthority == NULL)
{
return FALSE;
}
g_DebuggerPortSslConfig.GetCertificateAuthority( &caCert, &certLen );
CK_ATTRIBUTE attribs[] =
{
{ CKA_CLASS , &ckoCert, sizeof(ckoCert) },
{ CKA_VALUE , caCert , certLen }
};
if(pUpdate->Providers->Storage == NULL) return FALSE;
if(certLen == 0 || caCert == NULL ) return FALSE;
if(pValidation == NULL ) return FALSE;
C_Initialize(NULL);
slotID = Cryptoki_FindSlot(NULL, mechs, ARRAYSIZE(mechs)); if(CK_SLOT_ID_INVALID == slotID) return FALSE;
if(CKR_OK == C_OpenSession(slotID, CKF_SERIAL_SESSION, NULL, NULL, &session) && (CK_SESSION_HANDLE_INVALID != session))
{
if(CKR_OK == C_CreateObject(session, attribs, ARRAYSIZE(attribs), &hCACert) && hCACert != CK_OBJECT_HANDLE_INVALID)
{
if(CKR_OK == C_VerifyInit(session, &mech, hCACert))
{
UINT8 buff[512];
INT32 len = sizeof(buff);
INT32 updateSize = pUpdate->Header.UpdateSize;
INT32 offset = 0;
while(offset < updateSize)
{
if((offset + len) > updateSize)
{
len = updateSize - offset;
}
if(!pUpdate->Providers->Storage->Read(pUpdate->StorageHandle, offset, buff, len)) break;
C_VerifyUpdate(session, buff, len);
offset += len;
}
retVal = CKR_OK == C_VerifyFinal(session, pValidation, (CK_ULONG)validationLen);
}
C_DestroyObject(session, hCACert);
}
C_CloseSession(session);
}
return retVal;
}
/*
* Utility routine for verifying generic data using
* the cryptographic framework (PKCS#11).
* There are situations where we want to force this
* operation to happen in a specific keystore.
* For example:
* libelfsign.so.1 verifies signatures on crypto libraries.
* We must use pkcs11 functions to verify the pkcs11
* plugins in order to keep the validation within the
* Cryptographic Framework's FIPS-140 boundary. To avoid
* a circular dependency, pksc11_softtoken.so.1 is
* interposed by libkcfd.so.1 via kcfd, which prevents
* libpkcs11.so.1's interfaces from being used when libkmf.so.1
* is called from kcfd.
*
* This also saves code and time because verify operations
* only use public keys and do not need acccess to any
* keystore specific functions.
*/
KMF_RETURN
PKCS_VerifyData(KMF_HANDLE_T handle,
KMF_ALGORITHM_INDEX AlgorithmId,
KMF_X509_SPKI *keyp,
KMF_DATA *data,
KMF_DATA *signature)
{
KMF_RETURN rv = KMF_OK;
CK_RV ckRv;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
CK_MECHANISM ckMechanism;
CK_MECHANISM_TYPE mechtype, hashmech;
CK_OBJECT_HANDLE ckKeyHandle = 0;
CK_KEY_TYPE pk11keytype;
CK_SESSION_HANDLE ckSession = 0;
CK_ATTRIBUTE subprime = { CKA_SUBPRIME, NULL, 0 };
CK_BYTE *dataptr;
CK_ULONG datalen;
KMF_DATA hashData = { 0, NULL };
uchar_t digest[1024];
if (AlgorithmId == KMF_ALGID_NONE)
return (KMF_ERR_BAD_ALGORITHM);
if (get_pk11_data(AlgorithmId, &pk11keytype, &mechtype, &hashmech, 1))
return (KMF_ERR_BAD_ALGORITHM);
/*
* Verify in metaslot/softtoken since only the public key is needed
* and not all hardware tokens support the combined [hash]-RSA/DSA/EC
* mechanisms.
*/
rv = kmf_create_pk11_session(&ckSession, mechtype, 0);
if (rv != KMF_OK)
return (rv);
/* Fetch the verifying key */
rv = PKCS_AcquirePublicKeyHandle(ckSession, keyp,
pk11keytype, &ckKeyHandle);
if (rv != KMF_OK) {
(void) C_CloseSession(ckSession);
return (rv);
}
dataptr = data->Data;
datalen = data->Length;
/*
* For some mechanisms, we must compute the hash separately
* and then do the verify.
*/
if (hashmech != 0 &&
(mechtype == CKM_ECDSA ||
mechtype == CKM_DSA ||
mechtype == CKM_RSA_PKCS)) {
hashData.Data = digest;
hashData.Length = sizeof (digest);
rv = PKCS_DigestData(handle, ckSession,
hashmech, data, &hashData,
(mechtype == CKM_RSA_PKCS));
if (rv)
goto cleanup;
dataptr = hashData.Data;
datalen = hashData.Length;
}
if (mechtype == CKM_DSA &&
hashmech == CKM_SHA256) {
/*
* FIPS 186-3 says that when using DSA
* the hash must be truncated to the size of the
* subprime.
*/
ckRv = C_GetAttributeValue(ckSession,
ckKeyHandle, &subprime, 1);
if (ckRv != CKR_OK) {
kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
kmfh->lasterr.errcode = ckRv;
rv = KMF_ERR_INTERNAL;
goto cleanup;
}
datalen = subprime.ulValueLen;
}
ckMechanism.mechanism = mechtype;
ckMechanism.pParameter = NULL;
ckMechanism.ulParameterLen = 0;
ckRv = C_VerifyInit(ckSession, &ckMechanism, ckKeyHandle);
if (ckRv != CKR_OK) {
kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
kmfh->lasterr.errcode = ckRv;
rv = KMF_ERR_INTERNAL;
goto cleanup;
}
ckRv = C_Verify(ckSession,
dataptr, datalen,
(CK_BYTE *)signature->Data,
(CK_ULONG)signature->Length);
if (ckRv != CKR_OK) {
kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
kmfh->lasterr.errcode = ckRv;
rv = KMF_ERR_INTERNAL;
}
cleanup:
if (ckKeyHandle != 0)
(void) C_DestroyObject(ckSession, ckKeyHandle);
(void) C_CloseSession(ckSession);
return (rv);
}
