void CPKCSDemoDlg::OnBtnVerify() { StartOP(); CK_RV rv; rv = C_VerifyInit(m_hSession, &ckMechanism, m_hPubKey); if(CKR_OK != rv) { ShowErr(NEWLINE"Failed to call VerifyInit!Error code 0x%08X."NEWLINE, rv); return; } rv = C_Verify(m_hSession, pbMsg, ulMsgLen, m_pSignature, m_ulSignatureLen); if(CKR_OK != rv) ShowErr(NEWLINE"Failed to call verify!Error code 0x%08X."NEWLINE, rv); else ShowMsg(NEWLINE"Verify Successfully!"NEWLINE); }
HRESULT Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_CryptokiVerify::VerifyInit___VOID__MicrosoftSPOTCryptokiSession__MicrosoftSPOTCryptokiMechanism__SystemSecurityCryptographyCryptoKey( CLR_RT_StackFrame& stack ) { TINYCLR_HEADER(); CLR_RT_HeapBlock* pSession = stack.Arg1().Dereference(); CLR_RT_HeapBlock* pMech = stack.Arg2().Dereference(); CLR_RT_HeapBlock* pKeyHandle = stack.Arg3().Dereference(); CLR_RT_HeapBlock_Array* pArrParam; CK_MECHANISM mech; CK_OBJECT_HANDLE hKey; CK_SESSION_HANDLE hSession; FAULT_ON_NULL_ARG(pSession); FAULT_ON_NULL_ARG(pMech); FAULT_ON_NULL_ARG(pKeyHandle); hSession = (CK_SESSION_HANDLE)pSession[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_Session::FIELD__m_handle].NumericByRef().s4; if(hSession == CK_SESSION_HANDLE_INVALID) TINYCLR_SET_AND_LEAVE(CLR_E_OBJECT_DISPOSED); mech.mechanism = pMech[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_Mechanism::FIELD__Type].NumericByRef().u4; pArrParam = pMech[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_Mechanism::FIELD__Parameter].DereferenceArray(); if(pArrParam != NULL && pArrParam->m_numOfElements > 0) { mech.pParameter = pArrParam->GetFirstElement(); mech.ulParameterLen = pArrParam->m_numOfElements; } else { mech.pParameter = NULL; mech.ulParameterLen = 0; } hKey = (CK_OBJECT_HANDLE)pKeyHandle[Library_security_pkcs11_native_Microsoft_SPOT_Cryptoki_CryptokiObject::FIELD__m_handle].NumericByRef().s4; CRYPTOKI_CHECK_RESULT(stack, C_VerifyInit(hSession, &mech, hKey)); TINYCLR_NOCLEANUP(); }
BOOL UpdateValidationX509::ValidateUpdate( MFUpdate* pUpdate, UINT8* pValidation, INT32 validationLen ) { CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS }; CK_SLOT_ID slotID; CK_SESSION_HANDLE session; CK_OBJECT_CLASS ckoCert = CKO_CERTIFICATE; CK_OBJECT_HANDLE hCACert; CK_MECHANISM_TYPE sha1Mech = CKM_SHA_1; CK_MECHANISM mech = { CKM_RSA_PKCS, &sha1Mech, sizeof(sha1Mech) }; BOOL retVal = FALSE; UINT8* caCert; UINT32 certLen = 0; if(g_DebuggerPortSslConfig.GetCertificateAuthority == NULL) { return FALSE; } g_DebuggerPortSslConfig.GetCertificateAuthority( &caCert, &certLen ); CK_ATTRIBUTE attribs[] = { { CKA_CLASS , &ckoCert, sizeof(ckoCert) }, { CKA_VALUE , caCert , certLen } }; if(pUpdate->Providers->Storage == NULL) return FALSE; if(certLen == 0 || caCert == NULL ) return FALSE; if(pValidation == NULL ) return FALSE; C_Initialize(NULL); slotID = Cryptoki_FindSlot(NULL, mechs, ARRAYSIZE(mechs)); if(CK_SLOT_ID_INVALID == slotID) return FALSE; if(CKR_OK == C_OpenSession(slotID, CKF_SERIAL_SESSION, NULL, NULL, &session) && (CK_SESSION_HANDLE_INVALID != session)) { if(CKR_OK == C_CreateObject(session, attribs, ARRAYSIZE(attribs), &hCACert) && hCACert != CK_OBJECT_HANDLE_INVALID) { if(CKR_OK == C_VerifyInit(session, &mech, hCACert)) { UINT8 buff[512]; INT32 len = sizeof(buff); INT32 updateSize = pUpdate->Header.UpdateSize; INT32 offset = 0; while(offset < updateSize) { if((offset + len) > updateSize) { len = updateSize - offset; } if(!pUpdate->Providers->Storage->Read(pUpdate->StorageHandle, offset, buff, len)) break; C_VerifyUpdate(session, buff, len); offset += len; } retVal = CKR_OK == C_VerifyFinal(session, pValidation, (CK_ULONG)validationLen); } C_DestroyObject(session, hCACert); } C_CloseSession(session); } return retVal; }
/* * Utility routine for verifying generic data using * the cryptographic framework (PKCS#11). * There are situations where we want to force this * operation to happen in a specific keystore. * For example: * libelfsign.so.1 verifies signatures on crypto libraries. * We must use pkcs11 functions to verify the pkcs11 * plugins in order to keep the validation within the * Cryptographic Framework's FIPS-140 boundary. To avoid * a circular dependency, pksc11_softtoken.so.1 is * interposed by libkcfd.so.1 via kcfd, which prevents * libpkcs11.so.1's interfaces from being used when libkmf.so.1 * is called from kcfd. * * This also saves code and time because verify operations * only use public keys and do not need acccess to any * keystore specific functions. */ KMF_RETURN PKCS_VerifyData(KMF_HANDLE_T handle, KMF_ALGORITHM_INDEX AlgorithmId, KMF_X509_SPKI *keyp, KMF_DATA *data, KMF_DATA *signature) { KMF_RETURN rv = KMF_OK; CK_RV ckRv; KMF_HANDLE *kmfh = (KMF_HANDLE *)handle; CK_MECHANISM ckMechanism; CK_MECHANISM_TYPE mechtype, hashmech; CK_OBJECT_HANDLE ckKeyHandle = 0; CK_KEY_TYPE pk11keytype; CK_SESSION_HANDLE ckSession = 0; CK_ATTRIBUTE subprime = { CKA_SUBPRIME, NULL, 0 }; CK_BYTE *dataptr; CK_ULONG datalen; KMF_DATA hashData = { 0, NULL }; uchar_t digest[1024]; if (AlgorithmId == KMF_ALGID_NONE) return (KMF_ERR_BAD_ALGORITHM); if (get_pk11_data(AlgorithmId, &pk11keytype, &mechtype, &hashmech, 1)) return (KMF_ERR_BAD_ALGORITHM); /* * Verify in metaslot/softtoken since only the public key is needed * and not all hardware tokens support the combined [hash]-RSA/DSA/EC * mechanisms. */ rv = kmf_create_pk11_session(&ckSession, mechtype, 0); if (rv != KMF_OK) return (rv); /* Fetch the verifying key */ rv = PKCS_AcquirePublicKeyHandle(ckSession, keyp, pk11keytype, &ckKeyHandle); if (rv != KMF_OK) { (void) C_CloseSession(ckSession); return (rv); } dataptr = data->Data; datalen = data->Length; /* * For some mechanisms, we must compute the hash separately * and then do the verify. */ if (hashmech != 0 && (mechtype == CKM_ECDSA || mechtype == CKM_DSA || mechtype == CKM_RSA_PKCS)) { hashData.Data = digest; hashData.Length = sizeof (digest); rv = PKCS_DigestData(handle, ckSession, hashmech, data, &hashData, (mechtype == CKM_RSA_PKCS)); if (rv) goto cleanup; dataptr = hashData.Data; datalen = hashData.Length; } if (mechtype == CKM_DSA && hashmech == CKM_SHA256) { /* * FIPS 186-3 says that when using DSA * the hash must be truncated to the size of the * subprime. */ ckRv = C_GetAttributeValue(ckSession, ckKeyHandle, &subprime, 1); if (ckRv != CKR_OK) { kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN; kmfh->lasterr.errcode = ckRv; rv = KMF_ERR_INTERNAL; goto cleanup; } datalen = subprime.ulValueLen; } ckMechanism.mechanism = mechtype; ckMechanism.pParameter = NULL; ckMechanism.ulParameterLen = 0; ckRv = C_VerifyInit(ckSession, &ckMechanism, ckKeyHandle); if (ckRv != CKR_OK) { kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN; kmfh->lasterr.errcode = ckRv; rv = KMF_ERR_INTERNAL; goto cleanup; } ckRv = C_Verify(ckSession, dataptr, datalen, (CK_BYTE *)signature->Data, (CK_ULONG)signature->Length); if (ckRv != CKR_OK) { kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN; kmfh->lasterr.errcode = ckRv; rv = KMF_ERR_INTERNAL; } cleanup: if (ckKeyHandle != 0) (void) C_DestroyObject(ckSession, ckKeyHandle); (void) C_CloseSession(ckSession); return (rv); }