andre@0: /* andre@0: * Verification stuff. andre@0: * andre@0: * This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: andre@0: #include andre@0: #include "cryptohi.h" andre@0: #include "sechash.h" andre@0: #include "keyhi.h" andre@0: #include "secasn1.h" andre@0: #include "secoid.h" andre@0: #include "pk11func.h" andre@0: #include "secdig.h" andre@0: #include "secerr.h" andre@0: #include "keyi.h" andre@0: andre@0: /* andre@0: ** Decrypt signature block using public key andre@0: ** Store the hash algorithm oid tag in *tagp andre@0: ** Store the digest in the digest buffer andre@0: ** Store the digest length in *digestlen andre@0: ** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION andre@0: */ andre@0: static SECStatus andre@0: DecryptSigBlock(SECOidTag *tagp, unsigned char *digest, andre@0: unsigned int *digestlen, unsigned int maxdigestlen, andre@0: SECKEYPublicKey *key, const SECItem *sig, char *wincx) andre@0: { andre@0: SGNDigestInfo *di = NULL; andre@0: unsigned char *buf = NULL; andre@0: SECStatus rv; andre@0: SECOidTag tag; andre@0: SECItem it; andre@0: andre@0: if (key == NULL) goto loser; andre@0: andre@0: it.len = SECKEY_PublicKeyStrength(key); andre@0: if (!it.len) goto loser; andre@0: it.data = buf = (unsigned char *)PORT_Alloc(it.len); andre@0: if (!buf) goto loser; andre@0: andre@0: /* decrypt the block */ andre@0: rv = PK11_VerifyRecover(key, (SECItem *)sig, &it, wincx); andre@0: if (rv != SECSuccess) goto loser; andre@0: andre@0: di = SGN_DecodeDigestInfo(&it); andre@0: if (di == NULL) goto sigloser; andre@0: andre@0: /* andre@0: ** Finally we have the digest info; now we can extract the algorithm andre@0: ** ID and the signature block andre@0: */ andre@0: tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm); andre@0: /* Check that tag is an appropriate algorithm */ andre@0: if (tag == SEC_OID_UNKNOWN) { andre@0: goto sigloser; andre@0: } andre@0: /* make sure the "parameters" are not too bogus. */ andre@0: if (di->digestAlgorithm.parameters.len > 2) { andre@0: goto sigloser; andre@0: } andre@0: if (di->digest.len > maxdigestlen) { andre@0: PORT_SetError(SEC_ERROR_OUTPUT_LEN); andre@0: goto loser; andre@0: } andre@0: PORT_Memcpy(digest, di->digest.data, di->digest.len); andre@0: *tagp = tag; andre@0: *digestlen = di->digest.len; andre@0: goto done; andre@0: andre@0: sigloser: andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: andre@0: loser: andre@0: rv = SECFailure; andre@0: andre@0: done: andre@0: if (di != NULL) SGN_DestroyDigestInfo(di); andre@0: if (buf != NULL) PORT_Free(buf); andre@0: andre@0: return rv; andre@0: } andre@0: andre@0: andre@0: struct VFYContextStr { andre@0: SECOidTag hashAlg; /* the hash algorithm */ andre@0: SECKEYPublicKey *key; andre@0: /* andre@0: * This buffer holds either the digest or the full signature andre@0: * depending on the type of the signature (key->keyType). It is andre@0: * defined as a union to make sure it always has enough space. andre@0: * andre@0: * Use the "buffer" union member to reference the buffer. andre@0: * Note: do not take the size of the "buffer" union member. Take andre@0: * the size of the union or some other union member instead. andre@0: */ andre@0: union { andre@0: unsigned char buffer[1]; andre@0: andre@0: /* the digest in the decrypted RSA signature */ andre@0: unsigned char rsadigest[HASH_LENGTH_MAX]; andre@0: /* the full DSA signature... 40 bytes */ andre@0: unsigned char dsasig[DSA_MAX_SIGNATURE_LEN]; andre@0: /* the full ECDSA signature */ andre@0: unsigned char ecdsasig[2 * MAX_ECKEY_LEN]; andre@0: } u; andre@0: unsigned int rsadigestlen; andre@0: void * wincx; andre@0: void *hashcx; andre@0: const SECHashObject *hashobj; andre@0: SECOidTag encAlg; /* enc alg */ andre@0: PRBool hasSignature; /* true if the signature was provided in the andre@0: * VFY_CreateContext call. If false, the andre@0: * signature must be provided with a andre@0: * VFY_EndWithSignature call. */ andre@0: }; andre@0: andre@0: /* andre@0: * decode the ECDSA or DSA signature from it's DER wrapping. andre@0: * The unwrapped/raw signature is placed in the buffer pointed andre@0: * to by dsig and has enough room for len bytes. andre@0: */ andre@0: static SECStatus andre@0: decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig, andre@0: unsigned int len) { andre@0: SECItem *dsasig = NULL; /* also used for ECDSA */ andre@0: SECStatus rv=SECSuccess; andre@0: andre@0: if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && andre@0: (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) { andre@0: if (sig->len != len) { andre@0: PORT_SetError(SEC_ERROR_BAD_DER); andre@0: return SECFailure; andre@0: } andre@0: andre@0: PORT_Memcpy(dsig, sig->data, sig->len); andre@0: return SECSuccess; andre@0: } andre@0: andre@0: if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { andre@0: if (len > MAX_ECKEY_LEN * 2) { andre@0: PORT_SetError(SEC_ERROR_BAD_DER); andre@0: return SECFailure; andre@0: } andre@0: } andre@0: dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); andre@0: andre@0: if ((dsasig == NULL) || (dsasig->len != len)) { andre@0: rv = SECFailure; andre@0: } else { andre@0: PORT_Memcpy(dsig, dsasig->data, dsasig->len); andre@0: } andre@0: andre@0: if (dsasig != NULL) SECITEM_FreeItem(dsasig, PR_TRUE); andre@0: if (rv == SECFailure) PORT_SetError(SEC_ERROR_BAD_DER); andre@0: return rv; andre@0: } andre@0: andre@0: const SEC_ASN1Template hashParameterTemplate[] = andre@0: { andre@0: { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, andre@0: { SEC_ASN1_OBJECT_ID, 0 }, andre@0: { SEC_ASN1_SKIP_REST }, andre@0: { 0, } andre@0: }; andre@0: andre@0: /* andre@0: * Pulls the hash algorithm, signing algorithm, and key type out of a andre@0: * composite algorithm. andre@0: * andre@0: * sigAlg: the composite algorithm to dissect. andre@0: * hashalg: address of a SECOidTag which will be set with the hash algorithm. andre@0: * encalg: address of a SECOidTag which will be set with the signing alg. andre@0: * andre@0: * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the andre@0: * algorithm was not found or was not a signing algorithm. andre@0: */ andre@0: SECStatus andre@0: sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, andre@0: const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg) andre@0: { andre@0: int len; andre@0: PLArenaPool *arena; andre@0: SECStatus rv; andre@0: SECItem oid; andre@0: andre@0: PR_ASSERT(hashalg!=NULL); andre@0: PR_ASSERT(encalg!=NULL); andre@0: andre@0: switch (sigAlg) { andre@0: /* We probably shouldn't be generating MD2 signatures either */ andre@0: case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: andre@0: *hashalg = SEC_OID_MD2; andre@0: break; andre@0: case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: andre@0: *hashalg = SEC_OID_MD5; andre@0: break; andre@0: case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: andre@0: case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: andre@0: *hashalg = SEC_OID_SHA1; andre@0: break; andre@0: case SEC_OID_PKCS1_RSA_ENCRYPTION: andre@0: case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: andre@0: *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */ andre@0: break; andre@0: andre@0: case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: andre@0: case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: andre@0: *hashalg = SEC_OID_SHA224; andre@0: break; andre@0: case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: andre@0: case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: andre@0: *hashalg = SEC_OID_SHA256; andre@0: break; andre@0: case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: andre@0: case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: andre@0: *hashalg = SEC_OID_SHA384; andre@0: break; andre@0: case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: andre@0: case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: andre@0: *hashalg = SEC_OID_SHA512; andre@0: break; andre@0: andre@0: /* what about normal DSA? */ andre@0: case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: andre@0: case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: andre@0: case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: andre@0: *hashalg = SEC_OID_SHA1; andre@0: break; andre@0: case SEC_OID_MISSI_DSS: andre@0: case SEC_OID_MISSI_KEA_DSS: andre@0: case SEC_OID_MISSI_KEA_DSS_OLD: andre@0: case SEC_OID_MISSI_DSS_OLD: andre@0: *hashalg = SEC_OID_SHA1; andre@0: break; andre@0: case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: andre@0: /* This is an EC algorithm. Recommended means the largest andre@0: * hash algorithm that is not reduced by the keysize of andre@0: * the EC algorithm. Note that key strength is in bytes and andre@0: * algorithms are specified in bits. Never use an algorithm andre@0: * weaker than sha1. */ andre@0: len = SECKEY_PublicKeyStrength(key); andre@0: if (len < 28) { /* 28 bytes == 224 bits */ andre@0: *hashalg = SEC_OID_SHA1; andre@0: } else if (len < 32) { /* 32 bytes == 256 bits */ andre@0: *hashalg = SEC_OID_SHA224; andre@0: } else if (len < 48) { /* 48 bytes == 384 bits */ andre@0: *hashalg = SEC_OID_SHA256; andre@0: } else if (len < 64) { /* 48 bytes == 512 bits */ andre@0: *hashalg = SEC_OID_SHA384; andre@0: } else { andre@0: /* use the largest in this case */ andre@0: *hashalg = SEC_OID_SHA512; andre@0: } andre@0: break; andre@0: case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: andre@0: if (param == NULL) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); andre@0: return SECFailure; andre@0: } andre@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); andre@0: if (arena == NULL) { andre@0: return SECFailure; andre@0: } andre@0: rv = SEC_QuickDERDecodeItem(arena, &oid, hashParameterTemplate, param); andre@0: if (rv == SECSuccess) { andre@0: *hashalg = SECOID_FindOIDTag(&oid); andre@0: } andre@0: PORT_FreeArena(arena, PR_FALSE); andre@0: if (rv != SECSuccess) { andre@0: return rv; andre@0: } andre@0: /* only accept hash algorithms */ andre@0: if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) { andre@0: /* error set by HASH_GetHashTypeByOidTag */ andre@0: return SECFailure; andre@0: } andre@0: break; andre@0: /* we don't implement MD4 hashes */ andre@0: case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: andre@0: default: andre@0: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); andre@0: return SECFailure; andre@0: } andre@0: /* get the "encryption" algorithm */ andre@0: switch (sigAlg) { andre@0: case SEC_OID_PKCS1_RSA_ENCRYPTION: andre@0: case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: andre@0: case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: andre@0: case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: andre@0: case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: andre@0: *encalg = SEC_OID_PKCS1_RSA_ENCRYPTION; andre@0: break; andre@0: case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: andre@0: *encalg = SEC_OID_PKCS1_RSA_PSS_SIGNATURE; andre@0: break; andre@0: andre@0: /* what about normal DSA? */ andre@0: case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: andre@0: case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: andre@0: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: andre@0: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: andre@0: *encalg = SEC_OID_ANSIX9_DSA_SIGNATURE; andre@0: break; andre@0: case SEC_OID_MISSI_DSS: andre@0: case SEC_OID_MISSI_KEA_DSS: andre@0: case SEC_OID_MISSI_KEA_DSS_OLD: andre@0: case SEC_OID_MISSI_DSS_OLD: andre@0: *encalg = SEC_OID_MISSI_DSS; andre@0: break; andre@0: case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: andre@0: case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: andre@0: case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: andre@0: case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: andre@0: case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: andre@0: case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: andre@0: case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: andre@0: *encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; andre@0: break; andre@0: /* we don't implement MD4 hashes */ andre@0: case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: andre@0: default: andre@0: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * we can verify signatures that come from 2 different sources: andre@0: * one in with the signature contains a signature oid, and the other andre@0: * in which the signature is managed by a Public key (encAlg) oid andre@0: * and a hash oid. The latter is the more basic, so that's what andre@0: * our base vfyCreate function takes. andre@0: * andre@0: * There is one noteworthy corner case, if we are using an RSA key, and the andre@0: * signature block is provided, then the hashAlg can be specified as andre@0: * SEC_OID_UNKNOWN. In this case, verify will use the hash oid supplied andre@0: * in the RSA signature block. andre@0: */ andre@0: static VFYContext * andre@0: vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, andre@0: SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) andre@0: { andre@0: VFYContext *cx; andre@0: SECStatus rv; andre@0: unsigned int sigLen; andre@0: KeyType type; andre@0: andre@0: /* make sure the encryption algorithm matches the key type */ andre@0: /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ andre@0: type = seckey_GetKeyType(encAlg); andre@0: if ((key->keyType != type) && andre@0: ((key->keyType != rsaKey) || (type != rsaPssKey))) { andre@0: PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); andre@0: return NULL; andre@0: } andre@0: andre@0: cx = (VFYContext*) PORT_ZAlloc(sizeof(VFYContext)); andre@0: if (cx == NULL) { andre@0: goto loser; andre@0: } andre@0: andre@0: cx->wincx = wincx; andre@0: cx->hasSignature = (sig != NULL); andre@0: cx->encAlg = encAlg; andre@0: cx->hashAlg = hashAlg; andre@0: cx->key = SECKEY_CopyPublicKey(key); andre@0: rv = SECSuccess; andre@0: if (sig) { andre@0: switch (type) { andre@0: case rsaKey: andre@0: rv = DecryptSigBlock(&cx->hashAlg, cx->u.buffer, &cx->rsadigestlen, andre@0: HASH_LENGTH_MAX, cx->key, sig, (char*)wincx); andre@0: if (cx->hashAlg != hashAlg && hashAlg != SEC_OID_UNKNOWN) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: rv = SECFailure; andre@0: } andre@0: break; andre@0: case dsaKey: andre@0: case ecKey: andre@0: sigLen = SECKEY_SignatureLen(key); andre@0: if (sigLen == 0) { andre@0: /* error set by SECKEY_SignatureLen */ andre@0: rv = SECFailure; andre@0: break; andre@0: } andre@0: rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); andre@0: break; andre@0: default: andre@0: rv = SECFailure; andre@0: PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); andre@0: break; andre@0: } andre@0: } andre@0: andre@0: if (rv) goto loser; andre@0: andre@0: /* check hash alg again, RSA may have changed it.*/ andre@0: if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { andre@0: /* error set by HASH_GetHashTypeByOidTag */ andre@0: goto loser; andre@0: } andre@0: andre@0: if (hash) { andre@0: *hash = cx->hashAlg; andre@0: } andre@0: return cx; andre@0: andre@0: loser: andre@0: if (cx) { andre@0: VFY_DestroyContext(cx, PR_TRUE); andre@0: } andre@0: return 0; andre@0: } andre@0: andre@0: VFYContext * andre@0: VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag sigAlg, andre@0: void *wincx) andre@0: { andre@0: SECOidTag encAlg, hashAlg; andre@0: SECStatus rv = sec_DecodeSigAlg(key, sigAlg, NULL, &encAlg, &hashAlg); andre@0: if (rv != SECSuccess) { andre@0: return NULL; andre@0: } andre@0: return vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); andre@0: } andre@0: andre@0: VFYContext * andre@0: VFY_CreateContextDirect(const SECKEYPublicKey *key, const SECItem *sig, andre@0: SECOidTag encAlg, SECOidTag hashAlg, andre@0: SECOidTag *hash, void *wincx) andre@0: { andre@0: return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); andre@0: } andre@0: andre@0: VFYContext * andre@0: VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, const SECItem *sig, andre@0: const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx) andre@0: { andre@0: SECOidTag encAlg, hashAlg; andre@0: SECStatus rv = sec_DecodeSigAlg(key, andre@0: SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), andre@0: &sigAlgorithm->parameters, &encAlg, &hashAlg); andre@0: if (rv != SECSuccess) { andre@0: return NULL; andre@0: } andre@0: return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); andre@0: } andre@0: andre@0: void andre@0: VFY_DestroyContext(VFYContext *cx, PRBool freeit) andre@0: { andre@0: if (cx) { andre@0: if (cx->hashcx != NULL) { andre@0: (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); andre@0: cx->hashcx = NULL; andre@0: } andre@0: if (cx->key) { andre@0: SECKEY_DestroyPublicKey(cx->key); andre@0: } andre@0: if (freeit) { andre@0: PORT_ZFree(cx, sizeof(VFYContext)); andre@0: } andre@0: } andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_Begin(VFYContext *cx) andre@0: { andre@0: if (cx->hashcx != NULL) { andre@0: (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); andre@0: cx->hashcx = NULL; andre@0: } andre@0: andre@0: cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashAlg); andre@0: if (!cx->hashobj) andre@0: return SECFailure; /* error code is set */ andre@0: andre@0: cx->hashcx = (*cx->hashobj->create)(); andre@0: if (cx->hashcx == NULL) andre@0: return SECFailure; andre@0: andre@0: (*cx->hashobj->begin)(cx->hashcx); andre@0: return SECSuccess; andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_Update(VFYContext *cx, const unsigned char *input, unsigned inputLen) andre@0: { andre@0: if (cx->hashcx == NULL) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return SECFailure; andre@0: } andre@0: (*cx->hashobj->update)(cx->hashcx, input, inputLen); andre@0: return SECSuccess; andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_EndWithSignature(VFYContext *cx, SECItem *sig) andre@0: { andre@0: unsigned char final[HASH_LENGTH_MAX]; andre@0: unsigned part; andre@0: SECItem hash,dsasig; /* dsasig is also used for ECDSA */ andre@0: SECStatus rv; andre@0: andre@0: if ((cx->hasSignature == PR_FALSE) && (sig == NULL)) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return SECFailure; andre@0: } andre@0: andre@0: if (cx->hashcx == NULL) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return SECFailure; andre@0: } andre@0: (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final)); andre@0: switch (cx->key->keyType) { andre@0: case ecKey: andre@0: case dsaKey: andre@0: dsasig.data = cx->u.buffer; andre@0: dsasig.len = SECKEY_SignatureLen(cx->key); andre@0: if (dsasig.len == 0) { andre@0: return SECFailure; andre@0: } andre@0: if (sig) { andre@0: rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, andre@0: dsasig.len); andre@0: if (rv != SECSuccess) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: return SECFailure; andre@0: } andre@0: } andre@0: hash.data = final; andre@0: hash.len = part; andre@0: if (PK11_Verify(cx->key,&dsasig,&hash,cx->wincx) != SECSuccess) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: return SECFailure; andre@0: } andre@0: break; andre@0: case rsaKey: andre@0: if (sig) { andre@0: SECOidTag hashid = SEC_OID_UNKNOWN; andre@0: rv = DecryptSigBlock(&hashid, cx->u.buffer, &cx->rsadigestlen, andre@0: HASH_LENGTH_MAX, cx->key, sig, (char*)cx->wincx); andre@0: if ((rv != SECSuccess) || (hashid != cx->hashAlg)) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: return SECFailure; andre@0: } andre@0: } andre@0: if ((part != cx->rsadigestlen) || andre@0: PORT_Memcmp(final, cx->u.buffer, part)) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: return SECFailure; andre@0: } andre@0: break; andre@0: default: andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: return SECFailure; /* shouldn't happen */ andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_End(VFYContext *cx) andre@0: { andre@0: return VFY_EndWithSignature(cx,NULL); andre@0: } andre@0: andre@0: /************************************************************************/ andre@0: /* andre@0: * Verify that a previously-computed digest matches a signature. andre@0: */ andre@0: static SECStatus andre@0: vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, andre@0: const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, andre@0: void *wincx) andre@0: { andre@0: SECStatus rv; andre@0: VFYContext *cx; andre@0: SECItem dsasig; /* also used for ECDSA */ andre@0: andre@0: rv = SECFailure; andre@0: andre@0: cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); andre@0: if (cx != NULL) { andre@0: switch (key->keyType) { andre@0: case rsaKey: andre@0: if ((digest->len != cx->rsadigestlen) || andre@0: PORT_Memcmp(digest->data, cx->u.buffer, digest->len)) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: } else { andre@0: rv = SECSuccess; andre@0: } andre@0: break; andre@0: case dsaKey: andre@0: case ecKey: andre@0: dsasig.data = cx->u.buffer; andre@0: dsasig.len = SECKEY_SignatureLen(cx->key); andre@0: if (dsasig.len == 0) { andre@0: break; andre@0: } andre@0: if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) andre@0: != SECSuccess) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: } else { andre@0: rv = SECSuccess; andre@0: } andre@0: break; andre@0: default: andre@0: break; andre@0: } andre@0: VFY_DestroyContext(cx, PR_TRUE); andre@0: } andre@0: return rv; andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_VerifyDigestDirect(const SECItem *digest, const SECKEYPublicKey *key, andre@0: const SECItem *sig, SECOidTag encAlg, andre@0: SECOidTag hashAlg, void *wincx) andre@0: { andre@0: return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig, andre@0: SECOidTag algid, void *wincx) andre@0: { andre@0: SECOidTag encAlg, hashAlg; andre@0: SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg); andre@0: if (rv != SECSuccess) { andre@0: return SECFailure; andre@0: } andre@0: return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); andre@0: } andre@0: andre@0: /* andre@0: * this function takes an optional hash oid, which the digest function andre@0: * will be compared with our target hash value. andre@0: */ andre@0: SECStatus andre@0: VFY_VerifyDigestWithAlgorithmID(const SECItem *digest, andre@0: const SECKEYPublicKey *key, const SECItem *sig, andre@0: const SECAlgorithmID *sigAlgorithm, andre@0: SECOidTag hashCmp, void *wincx) andre@0: { andre@0: SECOidTag encAlg, hashAlg; andre@0: SECStatus rv = sec_DecodeSigAlg(key, andre@0: SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), andre@0: &sigAlgorithm->parameters, &encAlg, &hashAlg); andre@0: if (rv != SECSuccess) { andre@0: return rv; andre@0: } andre@0: if ( hashCmp != SEC_OID_UNKNOWN && andre@0: hashAlg != SEC_OID_UNKNOWN && andre@0: hashCmp != hashAlg) { andre@0: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: return SECFailure; andre@0: } andre@0: return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); andre@0: } andre@0: andre@0: static SECStatus andre@0: vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, andre@0: const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, andre@0: SECOidTag *hash, void *wincx) andre@0: { andre@0: SECStatus rv; andre@0: VFYContext *cx; andre@0: andre@0: cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); andre@0: if (cx == NULL) andre@0: return SECFailure; andre@0: andre@0: rv = VFY_Begin(cx); andre@0: if (rv == SECSuccess) { andre@0: rv = VFY_Update(cx, (unsigned char *)buf, len); andre@0: if (rv == SECSuccess) andre@0: rv = VFY_End(cx); andre@0: } andre@0: andre@0: VFY_DestroyContext(cx, PR_TRUE); andre@0: return rv; andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_VerifyDataDirect(const unsigned char *buf, int len, andre@0: const SECKEYPublicKey *key, const SECItem *sig, andre@0: SECOidTag encAlg, SECOidTag hashAlg, andre@0: SECOidTag *hash, void *wincx) andre@0: { andre@0: return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx); andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, andre@0: const SECItem *sig, SECOidTag algid, void *wincx) andre@0: { andre@0: SECOidTag encAlg, hashAlg; andre@0: SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg); andre@0: if (rv != SECSuccess) { andre@0: return rv; andre@0: } andre@0: return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, wincx); andre@0: } andre@0: andre@0: SECStatus andre@0: VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, int len, andre@0: const SECKEYPublicKey *key, andre@0: const SECItem *sig, andre@0: const SECAlgorithmID *sigAlgorithm, andre@0: SECOidTag *hash, void *wincx) andre@0: { andre@0: SECOidTag encAlg, hashAlg; andre@0: SECOidTag sigAlg = SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm); andre@0: SECStatus rv = sec_DecodeSigAlg(key, sigAlg, andre@0: &sigAlgorithm->parameters, &encAlg, &hashAlg); andre@0: if (rv != SECSuccess) { andre@0: return rv; andre@0: } andre@0: return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx); andre@0: }