__attribute__((visibility("default"))) int openssl_verify_data( const keymaster0_device_t*, const void* params, const uint8_t* keyBlob, const size_t keyBlobLength, const uint8_t* signedData, const size_t signedDataLength, const uint8_t* signature, const size_t signatureLength) { if (signedData == NULL || signature == NULL) { ALOGW("data or signature buffers == NULL"); return -1; } Unique_EVP_PKEY pkey(unwrap_key(keyBlob, keyBlobLength)); if (pkey.get() == NULL) { return -1; } int type = EVP_PKEY_type(pkey->type); if (type == EVP_PKEY_DSA) { const keymaster_dsa_sign_params_t* sign_params = reinterpret_cast<const keymaster_dsa_sign_params_t*>(params); return verify_dsa(pkey.get(), const_cast<keymaster_dsa_sign_params_t*>(sign_params), signedData, signedDataLength, signature, signatureLength); } else if (type == EVP_PKEY_RSA) { const keymaster_rsa_sign_params_t* sign_params = reinterpret_cast<const keymaster_rsa_sign_params_t*>(params); return verify_rsa(pkey.get(), const_cast<keymaster_rsa_sign_params_t*>(sign_params), signedData, signedDataLength, signature, signatureLength); } else if (type == EVP_PKEY_EC) { const keymaster_ec_sign_params_t* sign_params = reinterpret_cast<const keymaster_ec_sign_params_t*>(params); return verify_ec(pkey.get(), const_cast<keymaster_ec_sign_params_t*>(sign_params), signedData, signedDataLength, signature, signatureLength); } else { ALOGW("Unsupported key type %d", type); return -1; } }
int main(int argc, char **argv) { set_parameters(argc, argv); char *b64; key_metainfo_t *info; key_share_t **shares = tc_generate_keys(&info, key_size, k, l, NULL); bytes_t *doc = tc_init_bytes(message, strlen(message)); b64 = tc_bytes_b64(doc); printf("Document: %s\n", b64); free(b64); bytes_t *doc_pkcs1 = prepare_doc(doc, info); b64 = tc_bytes_b64(doc_pkcs1); printf("Prepared Document: %s\n", b64); free(b64); signature_share_t *signatures[l]; for (int i = 0; i < l; i++) { signatures[i] = tc_node_sign(shares[i], doc_pkcs1, info); int verify = tc_verify_signature(signatures[i], doc_pkcs1, info); assert(verify); } bytes_t *signature = tc_join_signatures((const signature_share_t **) signatures, doc_pkcs1, info); bool verify = verify_rsa(doc, signature, info); printf("Verify RSA: %d\n", verify); b64 = tc_bytes_b64(signature); printf("Signature: %s\n", b64); free(b64); tc_clear_bytes_n(doc, doc_pkcs1, signature, NULL); for (int i = 0; i < l; i++) { tc_clear_signature_share(signatures[i]); } tc_clear_key_shares(shares, info); tc_clear_key_metainfo(info); }
/** * @brief * verify a signature and return content of signed file * * @param[in] sigfile * file containing signature * we derrive path of signed file and certificate change from * this. * * @param[in] flags * only bit 1 significant so far * * @return NULL on error otherwise content of signed file */ unsigned char * verify_sig(const char *sigfile, int flags) { br_x509_pkey *pk; br_name_element cn; char cn_buf[80]; unsigned char cn_oid[4]; char pbuf[MAXPATHLEN]; char *cp; unsigned char *ucp; size_t n; DEBUG_PRINTF(5, ("verify_sig: %s\n", sigfile)); n = strlcpy(pbuf, sigfile, sizeof(pbuf)); if (n > (sizeof(pbuf) - 5) || strcmp(&sigfile[n - 3], "sig") != 0) return (NULL); cp = strcpy(&pbuf[n - 3], "certs"); /* * We want the commonName field * the OID we want is 2,5,4,3 - but DER encoded */ cn_oid[0] = 3; cn_oid[1] = 0x55; cn_oid[2] = 4; cn_oid[3] = 3; cn.oid = cn_oid; cn.buf = cn_buf; cn.len = sizeof(cn_buf); pk = verify_signer(pbuf, &cn, 1); if (!pk) { printf("cannot verify: %s: %s\n", pbuf, ve_error_get()); return (NULL); } for (; cp > pbuf; cp--) { if (*cp == '.') { *cp = '\0'; break; } } switch (pk->key_type) { #ifdef VE_ECDSA_SUPPORT case BR_KEYTYPE_EC: ucp = verify_ec(pk, pbuf, sigfile); break; #endif #ifdef VE_RSA_SUPPORT case BR_KEYTYPE_RSA: ucp = verify_rsa(pk, pbuf, sigfile); break; #endif default: ucp = NULL; /* not supported */ } xfreepkey(pk); if (!ucp) { printf("Unverified %s (%s)\n", pbuf, cn.status ? cn_buf : "unknown"); } else if ((flags & 1) != 0) { printf("Verified %s signed by %s\n", pbuf, cn.status ? cn_buf : "someone we trust"); } return (ucp); }