[3/3] crypto: define RSA signature verification function
diff mbox series

Message ID 20190718212949.29121-4-erichte@linux.ibm.com
State New
Headers show
Series
  • Add crypto support via mbed TLS
Related show

Checks

Context Check Description
snowpatch_ozlabs/apply_patch fail Failed to apply to any branch

Commit Message

Eric Richter July 18, 2019, 9:29 p.m. UTC
From: Nayna Jain <nayna@linux.ibm.com>

In order to verify the signature to authenticate the key update
command submitted by the user, this patch defines the signature
verification function using mbedtls as the underlying crypto API.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
 libstb/crypto/include/verify_sig.h | 34 ++++++++++++++++
 libstb/crypto/pkcs7/Makefile.inc   |  2 +-
 libstb/crypto/pkcs7/verify_sig.c   | 65 ++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 libstb/crypto/include/verify_sig.h
 create mode 100644 libstb/crypto/pkcs7/verify_sig.c

Comments

Stewart Smith Aug. 1, 2019, 11:55 p.m. UTC | #1
Eric Richter <erichte@linux.ibm.com> writes:
> From: Nayna Jain <nayna@linux.ibm.com>
>
> In order to verify the signature to authenticate the key update
> command submitted by the user, this patch defines the signature
> verification function using mbedtls as the underlying crypto API.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> Signed-off-by: Eric Richter <erichte@linux.ibm.com>
> ---
>  libstb/crypto/include/verify_sig.h | 34 ++++++++++++++++
>  libstb/crypto/pkcs7/Makefile.inc   |  2 +-
>  libstb/crypto/pkcs7/verify_sig.c   | 65 ++++++++++++++++++++++++++++++
>  3 files changed, 100 insertions(+), 1 deletion(-)
>  create mode 100644 libstb/crypto/include/verify_sig.h
>  create mode 100644 libstb/crypto/pkcs7/verify_sig.c
>
> diff --git a/libstb/crypto/include/verify_sig.h b/libstb/crypto/include/verify_sig.h
> new file mode 100644
> index 00000000..3f1dcc94
> --- /dev/null
> +++ b/libstb/crypto/include/verify_sig.h
> @@ -0,0 +1,34 @@
> +/* Copyright 2013-2016 IBM Corp.

Was this really written all in 2016?

> + */
> +
> +#ifndef VERIFY_SIG_H
> +#define VERIFY_SIG_H
> +
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <mbedtls/asn1.h>
> +#include <mbedtls/config.h>
> +#include <mbedtls/x509.h>
> +#include <mbedtls/x509_crt.h>
> +#include <mbedtls/rsa.h>
> +#include <mbedtls/pk.h>
> +#include <mbedtls/md.h>
> +
> +int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
> +	       int datalen, unsigned char *sig_buf, int siglen);
> +
> +#endif
> diff --git a/libstb/crypto/pkcs7/Makefile.inc b/libstb/crypto/pkcs7/Makefile.inc
> index 8f9bcd90..80ac08fb 100644
> --- a/libstb/crypto/pkcs7/Makefile.inc
> +++ b/libstb/crypto/pkcs7/Makefile.inc
> @@ -4,7 +4,7 @@ PKCS7_DIR = libstb/crypto/pkcs7
>  
>  SUBDIRS += $(PKCS7_DIR)
>  
> -PKCS7_SRCS = pkcs7.c
> +PKCS7_SRCS = pkcs7.c verify_sig.c
>  PKCS7_OBJS = $(PKCS7_SRCS:%.c=%.o)
>  PKCS7 = $(PKCS7_DIR)/built-in.a
>  
> diff --git a/libstb/crypto/pkcs7/verify_sig.c b/libstb/crypto/pkcs7/verify_sig.c
> new file mode 100644
> index 00000000..da5a0669
> --- /dev/null
> +++ b/libstb/crypto/pkcs7/verify_sig.c
> @@ -0,0 +1,65 @@
> +/* Copyright 2013-2016 IBM Corp.
> + *
> + * Licensed under the Apache License, Version 2.0 (the "License");
> + * you may not use this file except in compliance with the License.
> + * You may obtain a copy of the License at
> + *
> + *      http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> + * implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +#include<stdio.h>
> +#include<stdlib.h>
> +#include<string.h>
> +#include<mbedtls/asn1.h>
> +#include<mbedtls/config.h>
> +#include<mbedtls/x509.h>
> +#include<mbedtls/x509_crt.h>
> +#include<mbedtls/rsa.h>
> +#include<mbedtls/pk.h>
> +#include<mbedtls/md.h>
> +#include<verify_sig.h>
> +
> +static int verify(mbedtls_x509_crt *cert, const unsigned char *data,
> +		  int datalen, const unsigned char *sig, int siglen)
> +{
> +	int rc;
> +	unsigned char hash[32];
> +	mbedtls_pk_context pk_cxt = cert->pk;
> +	const mbedtls_md_info_t *md_info =
> +		mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
> +
> +	mbedtls_md(md_info, data, datalen, hash);
> +	rc = mbedtls_pk_verify(&pk_cxt, MBEDTLS_MD_SHA256,hash, 32, sig,
> +			       siglen);
> +	printf("rc is %02x\n", rc);
> +
> +	return rc;
> +}
> +
> +
> +int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
> +	       int datalen, unsigned char *sig_buf, int siglen)
> +{
> +	int rc;
> +	mbedtls_x509_crt cert;
> +
> +	printf("Load certificate file\n");
> +	mbedtls_x509_crt_init(&cert);
> +
> +	rc = mbedtls_x509_crt_parse(&cert, cert_buf, certlen);
> +	if (rc) {
> +		printf("rc is %04x\n", rc);
> +		return rc;
> +	}
> +
> +	rc = verify(&cert, data_buf, datalen, sig_buf, siglen);
> +
> +	return rc;
> +}

I think this code needs unit tests, and likely near 100% code coverage
at the least.

Patch
diff mbox series

diff --git a/libstb/crypto/include/verify_sig.h b/libstb/crypto/include/verify_sig.h
new file mode 100644
index 00000000..3f1dcc94
--- /dev/null
+++ b/libstb/crypto/include/verify_sig.h
@@ -0,0 +1,34 @@ 
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef VERIFY_SIG_H
+#define VERIFY_SIG_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <mbedtls/asn1.h>
+#include <mbedtls/config.h>
+#include <mbedtls/x509.h>
+#include <mbedtls/x509_crt.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/md.h>
+
+int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
+	       int datalen, unsigned char *sig_buf, int siglen);
+
+#endif
diff --git a/libstb/crypto/pkcs7/Makefile.inc b/libstb/crypto/pkcs7/Makefile.inc
index 8f9bcd90..80ac08fb 100644
--- a/libstb/crypto/pkcs7/Makefile.inc
+++ b/libstb/crypto/pkcs7/Makefile.inc
@@ -4,7 +4,7 @@  PKCS7_DIR = libstb/crypto/pkcs7
 
 SUBDIRS += $(PKCS7_DIR)
 
-PKCS7_SRCS = pkcs7.c
+PKCS7_SRCS = pkcs7.c verify_sig.c
 PKCS7_OBJS = $(PKCS7_SRCS:%.c=%.o)
 PKCS7 = $(PKCS7_DIR)/built-in.a
 
diff --git a/libstb/crypto/pkcs7/verify_sig.c b/libstb/crypto/pkcs7/verify_sig.c
new file mode 100644
index 00000000..da5a0669
--- /dev/null
+++ b/libstb/crypto/pkcs7/verify_sig.c
@@ -0,0 +1,65 @@ 
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include<stdio.h>
+#include<stdlib.h>
+#include<string.h>
+#include<mbedtls/asn1.h>
+#include<mbedtls/config.h>
+#include<mbedtls/x509.h>
+#include<mbedtls/x509_crt.h>
+#include<mbedtls/rsa.h>
+#include<mbedtls/pk.h>
+#include<mbedtls/md.h>
+#include<verify_sig.h>
+
+static int verify(mbedtls_x509_crt *cert, const unsigned char *data,
+		  int datalen, const unsigned char *sig, int siglen)
+{
+	int rc;
+	unsigned char hash[32];
+	mbedtls_pk_context pk_cxt = cert->pk;
+	const mbedtls_md_info_t *md_info =
+		mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
+
+	mbedtls_md(md_info, data, datalen, hash);
+	rc = mbedtls_pk_verify(&pk_cxt, MBEDTLS_MD_SHA256,hash, 32, sig,
+			       siglen);
+	printf("rc is %02x\n", rc);
+
+	return rc;
+}
+
+
+int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
+	       int datalen, unsigned char *sig_buf, int siglen)
+{
+	int rc;
+	mbedtls_x509_crt cert;
+
+	printf("Load certificate file\n");
+	mbedtls_x509_crt_init(&cert);
+
+	rc = mbedtls_x509_crt_parse(&cert, cert_buf, certlen);
+	if (rc) {
+		printf("rc is %04x\n", rc);
+		return rc;
+	}
+
+	rc = verify(&cert, data_buf, datalen, sig_buf, siglen);
+
+	return rc;
+}