__attribute__((visibility("default"))) int openssl_verify_data(
const keymaster0_device_t*, const void* params, const uint8_t* keyBlob,
const size_t keyBlobLength, const uint8_t* signedData, const size_t signedDataLength,
const uint8_t* signature, const size_t signatureLength) {
if (signedData == NULL || signature == NULL) {
ALOGW("data or signature buffers == NULL");
return -1;
}
Unique_EVP_PKEY pkey(unwrap_key(keyBlob, keyBlobLength));
if (pkey.get() == NULL) {
return -1;
}
int type = EVP_PKEY_type(pkey->type);
if (type == EVP_PKEY_DSA) {
const keymaster_dsa_sign_params_t* sign_params =
reinterpret_cast<const keymaster_dsa_sign_params_t*>(params);
return verify_dsa(pkey.get(), const_cast<keymaster_dsa_sign_params_t*>(sign_params),
signedData, signedDataLength, signature, signatureLength);
} else if (type == EVP_PKEY_RSA) {
const keymaster_rsa_sign_params_t* sign_params =
reinterpret_cast<const keymaster_rsa_sign_params_t*>(params);
return verify_rsa(pkey.get(), const_cast<keymaster_rsa_sign_params_t*>(sign_params),
signedData, signedDataLength, signature, signatureLength);
} else if (type == EVP_PKEY_EC) {
const keymaster_ec_sign_params_t* sign_params =
reinterpret_cast<const keymaster_ec_sign_params_t*>(params);
return verify_ec(pkey.get(), const_cast<keymaster_ec_sign_params_t*>(sign_params),
signedData, signedDataLength, signature, signatureLength);
} else {
ALOGW("Unsupported key type %d", type);
return -1;
}
}
int main(int argc, char **argv) {
set_parameters(argc, argv);
char *b64;
key_metainfo_t *info;
key_share_t **shares = tc_generate_keys(&info, key_size, k, l, NULL);
bytes_t *doc = tc_init_bytes(message, strlen(message));
b64 = tc_bytes_b64(doc);
printf("Document: %s\n", b64);
free(b64);
bytes_t *doc_pkcs1 = prepare_doc(doc, info);
b64 = tc_bytes_b64(doc_pkcs1);
printf("Prepared Document: %s\n", b64);
free(b64);
signature_share_t *signatures[l];
for (int i = 0; i < l; i++) {
signatures[i] = tc_node_sign(shares[i], doc_pkcs1, info);
int verify = tc_verify_signature(signatures[i], doc_pkcs1, info);
assert(verify);
}
bytes_t *signature = tc_join_signatures((const signature_share_t **) signatures, doc_pkcs1, info);
bool verify = verify_rsa(doc, signature, info);
printf("Verify RSA: %d\n", verify);
b64 = tc_bytes_b64(signature);
printf("Signature: %s\n", b64);
free(b64);
tc_clear_bytes_n(doc, doc_pkcs1, signature, NULL);
for (int i = 0; i < l; i++) {
tc_clear_signature_share(signatures[i]);
}
tc_clear_key_shares(shares, info);
tc_clear_key_metainfo(info);
}
/**
* @brief
* verify a signature and return content of signed file
*
* @param[in] sigfile
* file containing signature
* we derrive path of signed file and certificate change from
* this.
*
* @param[in] flags
* only bit 1 significant so far
*
* @return NULL on error otherwise content of signed file
*/
unsigned char *
verify_sig(const char *sigfile, int flags)
{
br_x509_pkey *pk;
br_name_element cn;
char cn_buf[80];
unsigned char cn_oid[4];
char pbuf[MAXPATHLEN];
char *cp;
unsigned char *ucp;
size_t n;
DEBUG_PRINTF(5, ("verify_sig: %s\n", sigfile));
n = strlcpy(pbuf, sigfile, sizeof(pbuf));
if (n > (sizeof(pbuf) - 5) || strcmp(&sigfile[n - 3], "sig") != 0)
return (NULL);
cp = strcpy(&pbuf[n - 3], "certs");
/*
* We want the commonName field
* the OID we want is 2,5,4,3 - but DER encoded
*/
cn_oid[0] = 3;
cn_oid[1] = 0x55;
cn_oid[2] = 4;
cn_oid[3] = 3;
cn.oid = cn_oid;
cn.buf = cn_buf;
cn.len = sizeof(cn_buf);
pk = verify_signer(pbuf, &cn, 1);
if (!pk) {
printf("cannot verify: %s: %s\n", pbuf, ve_error_get());
return (NULL);
}
for (; cp > pbuf; cp--) {
if (*cp == '.') {
*cp = '\0';
break;
}
}
switch (pk->key_type) {
#ifdef VE_ECDSA_SUPPORT
case BR_KEYTYPE_EC:
ucp = verify_ec(pk, pbuf, sigfile);
break;
#endif
#ifdef VE_RSA_SUPPORT
case BR_KEYTYPE_RSA:
ucp = verify_rsa(pk, pbuf, sigfile);
break;
#endif
default:
ucp = NULL; /* not supported */
}
xfreepkey(pk);
if (!ucp) {
printf("Unverified %s (%s)\n", pbuf,
cn.status ? cn_buf : "unknown");
} else if ((flags & 1) != 0) {
printf("Verified %s signed by %s\n", pbuf,
cn.status ? cn_buf : "someone we trust");
}
return (ucp);
}
