RTDECL(PCRTCRDIGESTDESC) RTCrDigestFindByObjIdString(const char *pszObjId, void **ppvOpaque)
{
if (ppvOpaque)
*ppvOpaque = NULL;
/*
* Primary OIDs.
*/
uint32_t i = RT_ELEMENTS(g_apDigestOps);
while (i-- > 0)
if (strcmp(g_apDigestOps[i]->pszObjId, pszObjId) == 0)
return g_apDigestOps[i];
/*
* Alias OIDs.
*/
i = RT_ELEMENTS(g_apDigestOps);
while (i-- > 0)
{
const char * const *ppszAliases = g_apDigestOps[i]->papszObjIdAliases;
if (ppszAliases)
for (; *ppszAliases; ppszAliases++)
if (strcmp(*ppszAliases, pszObjId) == 0)
return g_apDigestOps[i];
}
#ifdef IPRT_WITH_OPENSSL
/*
* Try EVP and see if it knows the algorithm.
*/
if (ppvOpaque)
{
rtCrOpenSslInit();
int iAlgoNid = OBJ_txt2nid(pszObjId);
if (iAlgoNid != NID_undef)
{
const char *pszAlogSn = OBJ_nid2sn(iAlgoNid);
const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlogSn);
if (pEvpMdType)
{
/*
* Return the OpenSSL provider descriptor and the EVP_MD address.
*/
# if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
Assert(EVP_MD_block_size(pEvpMdType));
# else
Assert(pEvpMdType->md_size);
# endif
*ppvOpaque = (void *)pEvpMdType;
return &g_rtCrDigestOpenSslDesc;
}
}
}
#endif
return NULL;
}
PCRTCRPKIXSIGNATUREDESC RTCrPkixSignatureFindByObjIdString(const char *pszObjId, void **ppvOpaque)
{
if (ppvOpaque)
*ppvOpaque = NULL;
/*
* Primary OIDs.
*/
uint32_t i = RT_ELEMENTS(g_apPkixSignatureDescriptors);
while (i-- > 0)
if (strcmp(g_apPkixSignatureDescriptors[i]->pszObjId, pszObjId) == 0)
return g_apPkixSignatureDescriptors[i];
/*
* Alias OIDs.
*/
i = RT_ELEMENTS(g_apPkixSignatureDescriptors);
while (i-- > 0)
{
const char * const *ppszAliases = g_apPkixSignatureDescriptors[i]->papszObjIdAliases;
if (ppszAliases)
for (; *ppszAliases; ppszAliases++)
if (strcmp(*ppszAliases, pszObjId) == 0)
return g_apPkixSignatureDescriptors[i];
}
#if 0//def IPRT_WITH_OPENSSL
/*
* Try EVP and see if it knows the algorithm.
*/
if (ppvOpaque)
{
rtCrOpenSslInit();
int iAlgoNid = OBJ_txt2nid(pszObjId);
if (iAlgoNid != NID_undef)
{
const char *pszAlogSn = OBJ_nid2sn(iAlgoNid);
const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlogSn);
if (pEvpMdType)
{
/*
* Return the OpenSSL provider descriptor and the EVP_MD address.
*/
Assert(pEvpMdType->md_size);
*ppvOpaque = (void *)pEvpMdType;
return &g_rtCrPkixSignatureOpenSslDesc;
}
}
}
#endif
return NULL;
}
RTDECL(int) RTCrPkixPubKeyVerifySignature(PCRTASN1OBJID pAlgorithm, PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
PCRTASN1BITSTRING pSignatureValue, const void *pvData, size_t cbData,
PRTERRINFO pErrInfo)
{
/*
* Valid input.
*/
AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
if (pParameters)
{
AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
if (pParameters->enmType == RTASN1TYPE_NULL)
pParameters = NULL;
}
AssertPtrReturn(pPublicKey, VERR_INVALID_POINTER);
AssertReturn(RTAsn1BitString_IsPresent(pPublicKey), VERR_INVALID_POINTER);
AssertPtrReturn(pSignatureValue, VERR_INVALID_POINTER);
AssertReturn(RTAsn1BitString_IsPresent(pSignatureValue), VERR_INVALID_POINTER);
AssertPtrReturn(pvData, VERR_INVALID_POINTER);
AssertReturn(cbData > 0, VERR_INVALID_PARAMETER);
/*
* Parameters are not currently supported (openssl code path).
*/
if (pParameters)
return RTErrInfoSet(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_PARAMS_NOT_IMPL,
"Cipher algorithm parameters are not yet supported.");
/*
* Validate using IPRT.
*/
RTCRPKIXSIGNATURE hSignature;
int rcIprt = RTCrPkixSignatureCreateByObjId(&hSignature, pAlgorithm, false /*fSigning*/, pPublicKey, pParameters);
if (RT_FAILURE(rcIprt))
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_NOT_KNOWN,
"Unknown public key algorithm [IPRT]: %s", pAlgorithm->szObjId);
RTCRDIGEST hDigest;
rcIprt = RTCrDigestCreateByObjId(&hDigest, pAlgorithm);
if (RT_SUCCESS(rcIprt))
{
/* Calculate the digest. */
rcIprt = RTCrDigestUpdate(hDigest, pvData, cbData);
if (RT_SUCCESS(rcIprt))
{
rcIprt = RTCrPkixSignatureVerifyBitString(hSignature, hDigest, pSignatureValue);
if (RT_FAILURE(rcIprt))
RTErrInfoSet(pErrInfo, rcIprt, "RTCrPkixSignatureVerifyBitString failed");
}
else
RTErrInfoSet(pErrInfo, rcIprt, "RTCrDigestUpdate failed");
RTCrDigestRelease(hDigest);
}
else
RTErrInfoSetF(pErrInfo, rcIprt, "Unknown digest algorithm [IPRT]: %s", pAlgorithm->szObjId);
RTCrPkixSignatureRelease(hSignature);
#ifdef IPRT_WITH_OPENSSL
/*
* Validate using OpenSSL EVP.
*/
rtCrOpenSslInit();
/* Translate the algorithm ID into a EVP message digest type pointer. */
int iAlgoNid = OBJ_txt2nid(pAlgorithm->szObjId);
if (iAlgoNid == NID_undef)
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN,
"Unknown public key algorithm [OpenSSL]: %s", pAlgorithm->szObjId);
const char *pszAlogSn = OBJ_nid2sn(iAlgoNid);
const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlogSn);
if (!pEvpMdType)
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP,
"EVP_get_digestbyname failed on %s (%s)", pszAlogSn, pAlgorithm->szObjId);
/* Initialize the EVP message digest context. */
EVP_MD_CTX EvpMdCtx;
EVP_MD_CTX_init(&EvpMdCtx);
if (!EVP_VerifyInit_ex(&EvpMdCtx, pEvpMdType, NULL /*engine*/))
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALOG_INIT_FAILED,
"EVP_VerifyInit_ex failed (algorithm type is %s / %s)", pszAlogSn, pAlgorithm->szObjId);
/* Create an EVP public key. */
int rcOssl;
EVP_PKEY *pEvpPublicKey = EVP_PKEY_new();
if (pEvpPublicKey)
{
pEvpPublicKey->type = EVP_PKEY_type(pEvpMdType->required_pkey_type[0]);
if (pEvpPublicKey->type != NID_undef)
{
const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey);
if (d2i_PublicKey(pEvpPublicKey->type, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey)))
{
/* Digest the data. */
EVP_VerifyUpdate(&EvpMdCtx, pvData, cbData);
/* Verify the signature. */
if (EVP_VerifyFinal(&EvpMdCtx,
RTASN1BITSTRING_GET_BIT0_PTR(pSignatureValue),
RTASN1BITSTRING_GET_BYTE_SIZE(pSignatureValue),
pEvpPublicKey) > 0)
rcOssl = VINF_SUCCESS;
else
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_VERIFY_FINAL_FAILED, "EVP_VerifyFinal failed");
}
else
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed");
}
else
rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,
"EVP_PKEY_type(%d) failed", pEvpMdType->required_pkey_type[0]);
/* Cleanup and return.*/
EVP_PKEY_free(pEvpPublicKey);
}
else
rcOssl = RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new(%d) failed", pEvpMdType->required_pkey_type[0]);
EVP_MD_CTX_cleanup(&EvpMdCtx);
/*
* Check the result.
*/
if (RT_SUCCESS(rcIprt) && RT_SUCCESS(rcOssl))
return VINF_SUCCESS;
if (RT_FAILURE_NP(rcIprt) && RT_FAILURE_NP(rcOssl))
return rcIprt;
AssertMsgFailed(("rcIprt=%Rrc rcOssl=%Rrc\n", rcIprt, rcOssl));
if (RT_FAILURE_NP(rcOssl))
return rcOssl;
#endif /* IPRT_WITH_OPENSSL */
return rcIprt;
}
static int rtCrPkcs7VerifySignedDataUsingOpenSsl(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
void const *pvContent, uint32_t cbContent, PRTERRINFO pErrInfo)
{
/*
* Verify using OpenSSL.
*/
int rcOssl;
unsigned char const *pbRawContent = RTASN1CORE_GET_RAW_ASN1_PTR(&pContentInfo->SeqCore.Asn1Core);
PKCS7 *pOsslPkcs7 = NULL;
if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)) == pOsslPkcs7)
{
STACK_OF(X509) *pAddCerts = NULL;
if (hAdditionalCerts != NIL_RTCRSTORE)
rcOssl = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0, (void **)&pAddCerts);
else
{
pAddCerts = sk_X509_new_null();
rcOssl = RT_LIKELY(pAddCerts != NULL) ? VINF_SUCCESS : VERR_NO_MEMORY;
}
if (RT_SUCCESS(rcOssl))
{
PCRTCRPKCS7SETOFCERTS pCerts = &pContentInfo->u.pSignedData->Certificates;
for (uint32_t i = 0; i < pCerts->cItems; i++)
if (pCerts->paItems[i].enmChoice == RTCRPKCS7CERTCHOICE_X509)
rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->paItems[i].u.pX509Cert);
X509_STORE *pTrustedCerts = NULL;
if (hTrustedCerts != NIL_RTCRSTORE)
rcOssl = RTCrStoreConvertToOpenSslCertStore(hTrustedCerts, 0, (void **)&pTrustedCerts);
if (RT_SUCCESS(rcOssl))
{
rtCrOpenSslInit();
BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, cbContent);
if (pBioContent)
{
uint32_t fOsslFlags = PKCS7_NOCHAIN;
fOsslFlags |= PKCS7_NOVERIFY; // temporary hack.
if (PKCS7_verify(pOsslPkcs7, pAddCerts, pTrustedCerts, pBioContent, NULL /*out*/, fOsslFlags))
rcOssl = VINF_SUCCESS;
else
{
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_OSSL_VERIFY_FAILED, "PKCS7_verify failed: ");
if (pErrInfo)
ERR_print_errors_cb(rtCrOpenSslErrInfoCallback, pErrInfo);
}
BIO_free(pBioContent);
}
if (pTrustedCerts)
X509_STORE_free(pTrustedCerts);
}
else
rcOssl = RTErrInfoSet(pErrInfo, rcOssl, "RTCrStoreConvertToOpenSslCertStack failed");
if (pAddCerts)
sk_X509_pop_free(pAddCerts, X509_free);
}
else
rcOssl = RTErrInfoSet(pErrInfo, rcOssl, "RTCrStoreConvertToOpenSslCertStack failed");
PKCS7_free(pOsslPkcs7);
}
else
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_OSSL_D2I_FAILED, "d2i_PKCS7 failed");
return rcOssl;
}
