From patchwork Thu Jul 18 21:29:49 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Richter <erichte@linux.ibm.com>
X-Patchwork-Id: 1133856
Return-Path: <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 45qS5x6ykQz9s3l
	for <incoming@patchwork.ozlabs.org>;
	Fri, 19 Jul 2019 07:32:37 +1000 (AEST)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=linux.ibm.com
Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])
	by lists.ozlabs.org (Postfix) with ESMTP id 45qS5x63mQzDqhR
	for <incoming@patchwork.ozlabs.org>;
	Fri, 19 Jul 2019 07:32:37 +1000 (AEST)
X-Original-To: skiboot@lists.ozlabs.org
Delivered-To: skiboot@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=linux.ibm.com
	(client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com;
	envelope-from=erichte@linux.ibm.com; receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org;
	dmarc=none (p=none dis=none) header.from=linux.ibm.com
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
	[148.163.156.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by lists.ozlabs.org (Postfix) with ESMTPS id 45qS324G6FzDqDy
	for <skiboot@lists.ozlabs.org>; Fri, 19 Jul 2019 07:30:06 +1000 (AEST)
Received: from pps.filterd (m0098394.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id
	x6ILN3cf064458
	for <skiboot@lists.ozlabs.org>; Thu, 18 Jul 2019 17:30:04 -0400
Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103])
	by mx0a-001b2d01.pphosted.com with ESMTP id 2tu0c7gqrf-1
	(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
	for <skiboot@lists.ozlabs.org>; Thu, 18 Jul 2019 17:30:04 -0400
Received: from localhost
	by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <skiboot@lists.ozlabs.org> from <erichte@linux.ibm.com>;
	Thu, 18 Jul 2019 22:30:02 +0100
Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194)
	by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP
	Gateway: Authorized Use Only! Violators will be prosecuted;
	(version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
	Thu, 18 Jul 2019 22:30:00 +0100
Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com
	[9.149.105.59])
	by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with
	ESMTP id x6ILTwGm51380422
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK); Thu, 18 Jul 2019 21:29:58 GMT
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 93DF4A4055;
	Thu, 18 Jul 2019 21:29:58 +0000 (GMT)
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id CA3A3A4051;
	Thu, 18 Jul 2019 21:29:57 +0000 (GMT)
Received: from yorha.ibmuc.com (unknown [9.80.231.223])
	by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP;
	Thu, 18 Jul 2019 21:29:57 +0000 (GMT)
From: Eric Richter <erichte@linux.ibm.com>
To: skiboot@lists.ozlabs.org
Date: Thu, 18 Jul 2019 16:29:49 -0500
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190718212949.29121-1-erichte@linux.ibm.com>
References: <20190718212949.29121-1-erichte@linux.ibm.com>
MIME-Version: 1.0
X-TM-AS-GCONF: 00
x-cbid: 19071821-0028-0000-0000-00000385CDB7
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 19071821-0029-0000-0000-00002445F8F0
Message-Id: <20190718212949.29121-4-erichte@linux.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
	definitions=2019-07-18_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
	priorityscore=1501
	malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0
	clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0
	mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
	scancount=1 engine=8.0.1-1810050000 definitions=main-1907180218
Subject: [Skiboot] [PATCH 3/3] crypto: define RSA signature verification
	function
X-BeenThere: skiboot@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mailing list for skiboot development <skiboot.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/skiboot>,
	<mailto:skiboot-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/skiboot/>
List-Post: <mailto:skiboot@lists.ozlabs.org>
List-Help: <mailto:skiboot-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/skiboot>,
	<mailto:skiboot-request@lists.ozlabs.org?subject=subscribe>
Cc: Nayna Jain <nayna@linux.ibm.com>
Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot"
	<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

From: Nayna Jain <nayna@linux.ibm.com>

In order to verify the signature to authenticate the key update
command submitted by the user, this patch defines the signature
verification function using mbedtls as the underlying crypto API.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
 libstb/crypto/include/verify_sig.h | 34 ++++++++++++++++
 libstb/crypto/pkcs7/Makefile.inc   |  2 +-
 libstb/crypto/pkcs7/verify_sig.c   | 65 ++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 libstb/crypto/include/verify_sig.h
 create mode 100644 libstb/crypto/pkcs7/verify_sig.c

diff --git a/libstb/crypto/include/verify_sig.h b/libstb/crypto/include/verify_sig.h
new file mode 100644
index 00000000..3f1dcc94
--- /dev/null
+++ b/libstb/crypto/include/verify_sig.h
@@ -0,0 +1,34 @@
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef VERIFY_SIG_H
+#define VERIFY_SIG_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <mbedtls/asn1.h>
+#include <mbedtls/config.h>
+#include <mbedtls/x509.h>
+#include <mbedtls/x509_crt.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/md.h>
+
+int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
+	       int datalen, unsigned char *sig_buf, int siglen);
+
+#endif
diff --git a/libstb/crypto/pkcs7/Makefile.inc b/libstb/crypto/pkcs7/Makefile.inc
index 8f9bcd90..80ac08fb 100644
--- a/libstb/crypto/pkcs7/Makefile.inc
+++ b/libstb/crypto/pkcs7/Makefile.inc
@@ -4,7 +4,7 @@ PKCS7_DIR = libstb/crypto/pkcs7
 
 SUBDIRS += $(PKCS7_DIR)
 
-PKCS7_SRCS = pkcs7.c
+PKCS7_SRCS = pkcs7.c verify_sig.c
 PKCS7_OBJS = $(PKCS7_SRCS:%.c=%.o)
 PKCS7 = $(PKCS7_DIR)/built-in.a
 
diff --git a/libstb/crypto/pkcs7/verify_sig.c b/libstb/crypto/pkcs7/verify_sig.c
new file mode 100644
index 00000000..da5a0669
--- /dev/null
+++ b/libstb/crypto/pkcs7/verify_sig.c
@@ -0,0 +1,65 @@
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include<stdio.h>
+#include<stdlib.h>
+#include<string.h>
+#include<mbedtls/asn1.h>
+#include<mbedtls/config.h>
+#include<mbedtls/x509.h>
+#include<mbedtls/x509_crt.h>
+#include<mbedtls/rsa.h>
+#include<mbedtls/pk.h>
+#include<mbedtls/md.h>
+#include<verify_sig.h>
+
+static int verify(mbedtls_x509_crt *cert, const unsigned char *data,
+		  int datalen, const unsigned char *sig, int siglen)
+{
+	int rc;
+	unsigned char hash[32];
+	mbedtls_pk_context pk_cxt = cert->pk;
+	const mbedtls_md_info_t *md_info =
+		mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
+
+	mbedtls_md(md_info, data, datalen, hash);
+	rc = mbedtls_pk_verify(&pk_cxt, MBEDTLS_MD_SHA256,hash, 32, sig,
+			       siglen);
+	printf("rc is %02x\n", rc);
+
+	return rc;
+}
+
+
+int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
+	       int datalen, unsigned char *sig_buf, int siglen)
+{
+	int rc;
+	mbedtls_x509_crt cert;
+
+	printf("Load certificate file\n");
+	mbedtls_x509_crt_init(&cert);
+
+	rc = mbedtls_x509_crt_parse(&cert, cert_buf, certlen);
+	if (rc) {
+		printf("rc is %04x\n", rc);
+		return rc;
+	}
+
+	rc = verify(&cert, data_buf, datalen, sig_buf, siglen);
+
+	return rc;
+}