RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm,
PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
PRTERRINFO pErrInfo)
{
/*
* Validate the input a little.
*/
AssertPtrReturn(pThis, VERR_INVALID_POINTER);
AssertReturn(RTCrX509Certificate_IsPresent(pThis), VERR_INVALID_PARAMETER);
AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
if (pParameters)
{
AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
if (pParameters->enmType == RTASN1TYPE_NULL)
pParameters = NULL;
}
AssertPtrReturn(pPublicKey, VERR_INVALID_POINTER);
AssertReturn(RTAsn1BitString_IsPresent(pPublicKey), VERR_INVALID_POINTER);
/*
* Check if the algorithm matches.
*/
const char *pszCipherOid = RTCrPkixGetCiperOidFromSignatureAlgorithm(&pThis->SignatureAlgorithm.Algorithm);
if (!pszCipherOid)
return RTErrInfoSetF(pErrInfo, VERR_CR_X509_UNKNOWN_CERT_SIGN_ALGO,
"Certificate signature algorithm not known: %s",
pThis->SignatureAlgorithm.Algorithm.szObjId);
if (RTAsn1ObjId_CompareWithString(pAlgorithm, pszCipherOid) != 0)
return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CERT_SIGN_ALGO_MISMATCH,
"Certificate signature cipher algorithm mismatch: cert uses %s (%s) while key uses %s",
pszCipherOid, pThis->SignatureAlgorithm.Algorithm.szObjId, pAlgorithm->szObjId);
/*
* Here we should recode the to-be-signed part as DER, but we'll ASSUME
* that it's already in DER encoding. This is safe.
*/
return RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, pParameters, pPublicKey, &pThis->SignatureValue,
RTASN1CORE_GET_RAW_ASN1_PTR(&pThis->TbsCertificate.SeqCore.Asn1Core),
RTASN1CORE_GET_RAW_ASN1_SIZE(&pThis->TbsCertificate.SeqCore.Asn1Core),
pErrInfo);
}
RTDECL(int) RTCrPkixPubKeyVerifySignature(PCRTASN1OBJID pAlgorithm, PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
PCRTASN1BITSTRING pSignatureValue, const void *pvData, size_t cbData,
PRTERRINFO pErrInfo)
{
/*
* Valid input.
*/
AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
if (pParameters)
{
AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
if (pParameters->enmType == RTASN1TYPE_NULL)
pParameters = NULL;
}
AssertPtrReturn(pPublicKey, VERR_INVALID_POINTER);
AssertReturn(RTAsn1BitString_IsPresent(pPublicKey), VERR_INVALID_POINTER);
AssertPtrReturn(pSignatureValue, VERR_INVALID_POINTER);
AssertReturn(RTAsn1BitString_IsPresent(pSignatureValue), VERR_INVALID_POINTER);
AssertPtrReturn(pvData, VERR_INVALID_POINTER);
AssertReturn(cbData > 0, VERR_INVALID_PARAMETER);
/*
* Parameters are not currently supported (openssl code path).
*/
if (pParameters)
return RTErrInfoSet(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_PARAMS_NOT_IMPL,
"Cipher algorithm parameters are not yet supported.");
/*
* Validate using IPRT.
*/
RTCRPKIXSIGNATURE hSignature;
int rcIprt = RTCrPkixSignatureCreateByObjId(&hSignature, pAlgorithm, false /*fSigning*/, pPublicKey, pParameters);
if (RT_FAILURE(rcIprt))
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_NOT_KNOWN,
"Unknown public key algorithm [IPRT]: %s", pAlgorithm->szObjId);
RTCRDIGEST hDigest;
rcIprt = RTCrDigestCreateByObjId(&hDigest, pAlgorithm);
if (RT_SUCCESS(rcIprt))
{
/* Calculate the digest. */
rcIprt = RTCrDigestUpdate(hDigest, pvData, cbData);
if (RT_SUCCESS(rcIprt))
{
rcIprt = RTCrPkixSignatureVerifyBitString(hSignature, hDigest, pSignatureValue);
if (RT_FAILURE(rcIprt))
RTErrInfoSet(pErrInfo, rcIprt, "RTCrPkixSignatureVerifyBitString failed");
}
else
RTErrInfoSet(pErrInfo, rcIprt, "RTCrDigestUpdate failed");
RTCrDigestRelease(hDigest);
}
else
RTErrInfoSetF(pErrInfo, rcIprt, "Unknown digest algorithm [IPRT]: %s", pAlgorithm->szObjId);
RTCrPkixSignatureRelease(hSignature);
#ifdef IPRT_WITH_OPENSSL
/*
* Validate using OpenSSL EVP.
*/
rtCrOpenSslInit();
/* Translate the algorithm ID into a EVP message digest type pointer. */
int iAlgoNid = OBJ_txt2nid(pAlgorithm->szObjId);
if (iAlgoNid == NID_undef)
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN,
"Unknown public key algorithm [OpenSSL]: %s", pAlgorithm->szObjId);
const char *pszAlogSn = OBJ_nid2sn(iAlgoNid);
const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlogSn);
if (!pEvpMdType)
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP,
"EVP_get_digestbyname failed on %s (%s)", pszAlogSn, pAlgorithm->szObjId);
/* Initialize the EVP message digest context. */
EVP_MD_CTX EvpMdCtx;
EVP_MD_CTX_init(&EvpMdCtx);
if (!EVP_VerifyInit_ex(&EvpMdCtx, pEvpMdType, NULL /*engine*/))
return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALOG_INIT_FAILED,
"EVP_VerifyInit_ex failed (algorithm type is %s / %s)", pszAlogSn, pAlgorithm->szObjId);
/* Create an EVP public key. */
int rcOssl;
EVP_PKEY *pEvpPublicKey = EVP_PKEY_new();
if (pEvpPublicKey)
{
pEvpPublicKey->type = EVP_PKEY_type(pEvpMdType->required_pkey_type[0]);
if (pEvpPublicKey->type != NID_undef)
{
const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey);
if (d2i_PublicKey(pEvpPublicKey->type, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey)))
{
/* Digest the data. */
EVP_VerifyUpdate(&EvpMdCtx, pvData, cbData);
/* Verify the signature. */
if (EVP_VerifyFinal(&EvpMdCtx,
RTASN1BITSTRING_GET_BIT0_PTR(pSignatureValue),
RTASN1BITSTRING_GET_BYTE_SIZE(pSignatureValue),
pEvpPublicKey) > 0)
rcOssl = VINF_SUCCESS;
else
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_VERIFY_FINAL_FAILED, "EVP_VerifyFinal failed");
}
else
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed");
}
else
rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,
"EVP_PKEY_type(%d) failed", pEvpMdType->required_pkey_type[0]);
/* Cleanup and return.*/
EVP_PKEY_free(pEvpPublicKey);
}
else
rcOssl = RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new(%d) failed", pEvpMdType->required_pkey_type[0]);
EVP_MD_CTX_cleanup(&EvpMdCtx);
/*
* Check the result.
*/
if (RT_SUCCESS(rcIprt) && RT_SUCCESS(rcOssl))
return VINF_SUCCESS;
if (RT_FAILURE_NP(rcIprt) && RT_FAILURE_NP(rcOssl))
return rcIprt;
AssertMsgFailed(("rcIprt=%Rrc rcOssl=%Rrc\n", rcIprt, rcOssl));
if (RT_FAILURE_NP(rcOssl))
return rcOssl;
#endif /* IPRT_WITH_OPENSSL */
return rcIprt;
}
RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm,
PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
PRTERRINFO pErrInfo)
{
/*
* Validate the input a little.
*/
AssertPtrReturn(pThis, VERR_INVALID_POINTER);
AssertReturn(RTCrX509Certificate_IsPresent(pThis), VERR_INVALID_PARAMETER);
AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
if (pParameters)
{
AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
if (pParameters->enmType == RTASN1TYPE_NULL)
pParameters = NULL;
}
AssertPtrReturn(pPublicKey, VERR_INVALID_POINTER);
AssertReturn(RTAsn1BitString_IsPresent(pPublicKey), VERR_INVALID_POINTER);
/*
* Check if the algorithm matches.
*/
const char *pszCipherOid = RTCrPkixGetCiperOidFromSignatureAlgorithm(&pThis->SignatureAlgorithm.Algorithm);
if (!pszCipherOid)
return RTErrInfoSetF(pErrInfo, VERR_CR_X509_UNKNOWN_CERT_SIGN_ALGO,
"Certificate signature algorithm not known: %s",
pThis->SignatureAlgorithm.Algorithm.szObjId);
if (RTAsn1ObjId_CompareWithString(pAlgorithm, pszCipherOid) != 0)
return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CERT_SIGN_ALGO_MISMATCH,
"Certificate signature cipher algorithm mismatch: cert uses %s (%s) while key uses %s",
pszCipherOid, pThis->SignatureAlgorithm.Algorithm.szObjId, pAlgorithm->szObjId);
/*
* Here we should recode the to-be-signed part as DER, but we'll ASSUME
* that it's already in DER encoding and only does this if there the
* encoded bits are missing.
*/
if ( pThis->TbsCertificate.SeqCore.Asn1Core.uData.pu8
&& pThis->TbsCertificate.SeqCore.Asn1Core.cb > 0)
return RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, pParameters, pPublicKey, &pThis->SignatureValue,
RTASN1CORE_GET_RAW_ASN1_PTR(&pThis->TbsCertificate.SeqCore.Asn1Core),
RTASN1CORE_GET_RAW_ASN1_SIZE(&pThis->TbsCertificate.SeqCore.Asn1Core),
pErrInfo);
uint32_t cbEncoded;
int rc = RTAsn1EncodePrepare((PRTASN1CORE)&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
if (RT_SUCCESS(rc))
{
void *pvTbsBits = RTMemTmpAlloc(cbEncoded);
if (pvTbsBits)
{
rc = RTAsn1EncodeToBuffer(&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER,
pvTbsBits, cbEncoded, pErrInfo);
if (RT_SUCCESS(rc))
rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, pParameters, pPublicKey,
&pThis->SignatureValue, pvTbsBits, cbEncoded, pErrInfo);
else
AssertRC(rc);
RTMemTmpFree(pvTbsBits);
}
else
rc = VERR_NO_TMP_MEMORY;
}
return rc;
}
