VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/pkix-sign.cpp@ 78183

Last change on this file since 78183 was 76553, checked in by vboxsync, 6 years ago

scm --update-copyright-year
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 10.9 KB
Line 
1/* $Id: pkix-sign.cpp 76553 2019-01-01 01:45:53Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - Public Key Infrastructure API, Verification.
4 */
5
6/*
7 * Copyright (C) 2006-2019 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/pkix.h>
33
34#include <iprt/alloca.h>
35#include <iprt/err.h>
36#include <iprt/mem.h>
37#include <iprt/string.h>
38#include <iprt/crypto/digest.h>
39#include <iprt/crypto/key.h>
40
41#ifdef IPRT_WITH_OPENSSL
42# include "internal/iprt-openssl.h"
43# include "openssl/evp.h"
44# include "openssl/rsa.h"
45# ifndef OPENSSL_VERSION_NUMBER
46# error "Missing OPENSSL_VERSION_NUMBER!"
47# endif
48#endif
49
50
51#if 0
52RTDECL(int) RTCrPkixPubKeySignData(PCRTASN1OBJID pAlgorithm, PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPrivateKey,
53 PCRTASN1BITSTRING pSignatureValue, const void *pvData, size_t cbData, PRTERRINFO pErrInfo)
54{
55 /*
56 * Validate the digest related inputs.
57 */
58 AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
59 AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
60
61 AssertPtrReturn(pvData, VERR_INVALID_POINTER);
62 AssertReturn(cbData > 0, VERR_INVALID_PARAMETER);
63
64 /*
65 * Digest the data and call the other API.
66 */
67 RTCRDIGEST hDigest;
68 int rc = RTCrDigestCreateByObjId(&hDigest, pAlgorithm);
69 if (RT_SUCCESS(rcIprt))
70 {
71 rc = RTCrDigestUpdate(hDigest, pvData, cbData);
72 if (RT_SUCCESS(rcIprt))
73 rc = RTCrPkixPubKeySignDigest(pAlgorithm, pParameters, pPrivateKey, pvSignedDigest, cbSignedDigest, hDigest, pErrInfo);
74 else
75 RTErrInfoSet(pErrInfo, rcIprt, "RTCrDigestUpdate failed");
76 RTCrDigestRelease(hDigest);
77 }
78 else
79 RTErrInfoSetF(pErrInfo, rcIprt, "Unknown digest algorithm [IPRT]: %s", pAlgorithm->szObjId);
80 return rc;
81}
82#endif
83
84
85RTDECL(int) RTCrPkixPubKeySignDigest(PCRTASN1OBJID pAlgorithm, RTCRKEY hPrivateKey, PCRTASN1DYNTYPE pParameters,
86 RTCRDIGEST hDigest, uint32_t fFlags,
87 void *pvSignature, size_t *pcbSignature, PRTERRINFO pErrInfo)
88{
89 /*
90 * Valid input.
91 */
92 AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
93 AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
94
95 if (pParameters)
96 {
97 AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
98 if (pParameters->enmType == RTASN1TYPE_NULL)
99 pParameters = NULL;
100 }
101
102 AssertPtrReturn(hPrivateKey, VERR_INVALID_POINTER);
103 Assert(RTCrKeyHasPrivatePart(hPrivateKey));
104
105 AssertPtrReturn(pcbSignature, VERR_INVALID_PARAMETER);
106 size_t cbSignature = *pcbSignature;
107 if (cbSignature)
108 AssertPtrReturn(pvSignature, VERR_INVALID_POINTER);
109 else
110 pvSignature = NULL;
111
112 AssertPtrReturn(hDigest, VERR_INVALID_HANDLE);
113
114 AssertReturn(fFlags == 0, VERR_INVALID_FLAGS);
115
116 /*
117 * Parameters are not currently supported (openssl code path).
118 */
119 if (pParameters)
120 return RTErrInfoSet(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_PARAMS_NOT_IMPL,
121 "Cipher algorithm parameters are not yet supported.");
122
123 /*
124 * Sign using IPRT.
125 */
126 RTCRPKIXSIGNATURE hSignature;
127 int rcIprt = RTCrPkixSignatureCreateByObjId(&hSignature, pAlgorithm, hPrivateKey, pParameters, true /*fSigning*/);
128 if (RT_FAILURE(rcIprt))
129 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_NOT_KNOWN,
130 "Unknown private key algorithm [IPRT]: %s", pAlgorithm->szObjId);
131
132 rcIprt = RTCrPkixSignatureSign(hSignature, hDigest, pvSignature, pcbSignature);
133 if (RT_FAILURE(rcIprt))
134 RTErrInfoSet(pErrInfo, rcIprt, "RTCrPkixSignatureSign failed");
135
136 RTCrPkixSignatureRelease(hSignature);
137
138 /*
139 * Sign using OpenSSL EVP if we can.
140 */
141#if defined(IPRT_WITH_OPENSSL) \
142 && (OPENSSL_VERSION_NUMBER > 0x10000000L) /* 0.9.8 doesn't seem to have EVP_PKEY_CTX_set_signature_md. */
143
144 /* Make sure the algorithm includes the digest and isn't just RSA. */
145 const char *pszAlgObjId = pAlgorithm->szObjId;
146 if (!strcmp(pszAlgObjId, RTCRX509ALGORITHMIDENTIFIERID_RSA))
147 {
148 pszAlgObjId = RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pszAlgObjId,
149 RTCrDigestGetAlgorithmOid(hDigest));
150 AssertMsgStmt(pszAlgObjId, ("enc=%s hash=%s\n", pAlgorithm->szObjId, RTCrDigestGetAlgorithmOid(hDigest)),
151 pszAlgObjId = RTCrDigestGetAlgorithmOid(hDigest));
152 }
153
154 /* Create an EVP private key. */
155 EVP_PKEY *pEvpPrivateKey = NULL;
156 const EVP_MD *pEvpMdType = NULL;
157 int rcOssl = rtCrKeyToOpenSslKey(hPrivateKey, false /*fNeedPublic*/, pszAlgObjId,
158 (void **)&pEvpPrivateKey, (const void **)&pEvpMdType, pErrInfo);
159 if (RT_SUCCESS(rcOssl))
160 {
161 /* Create an EVP Private key context we can use to validate the digest. */
162 EVP_PKEY_CTX *pEvpPKeyCtx = EVP_PKEY_CTX_new(pEvpPrivateKey, NULL);
163 if (pEvpPKeyCtx)
164 {
165 rcOssl = EVP_PKEY_sign_init(pEvpPKeyCtx);
166 if (rcOssl > 0)
167 {
168 rcOssl = EVP_PKEY_CTX_set_rsa_padding(pEvpPKeyCtx, RSA_PKCS1_PADDING);
169 if (rcOssl > 0)
170 {
171 rcOssl = EVP_PKEY_CTX_set_signature_md(pEvpPKeyCtx, pEvpMdType);
172 if (rcOssl > 0)
173 {
174 /* Allocate a signature buffer. */
175 unsigned char *pbOsslSignature = NULL;
176 void *pvOsslSignatureFree = NULL;
177 size_t cbOsslSignature = cbSignature;
178 if (cbOsslSignature > 0)
179 {
180 if (cbOsslSignature < _1K)
181 pbOsslSignature = (unsigned char *)alloca(cbOsslSignature);
182 else
183 {
184 pbOsslSignature = (unsigned char *)RTMemTmpAlloc(cbOsslSignature);
185 pvOsslSignatureFree = pbOsslSignature;
186 }
187 }
188 if (cbOsslSignature == 0 || pbOsslSignature != NULL)
189 {
190 /* Get the digest from hDigest and sign it. */
191 rcOssl = EVP_PKEY_sign(pEvpPKeyCtx,
192 pbOsslSignature,
193 &cbOsslSignature,
194 (const unsigned char *)RTCrDigestGetHash(hDigest),
195 RTCrDigestGetHashSize(hDigest));
196 if (rcOssl > 0)
197 {
198 /* Compare the result. The memcmp assums no random padding bits. */
199 rcOssl = VINF_SUCCESS;
200 AssertMsgStmt(cbOsslSignature == *pcbSignature,
201 ("cbOsslSignature=%#x, iprt %#x\n", cbOsslSignature, *pcbSignature),
202 rcOssl = VERR_CR_PKIX_OSSL_VS_IPRT_SIGNATURE_SIZE);
203 AssertMsgStmt( pbOsslSignature == NULL
204 || rcOssl != VINF_SUCCESS
205 || memcmp(pbOsslSignature, pvSignature, cbOsslSignature) == 0,
206 ("OpenSSL: %.*Rhxs\n"
207 "IPRT: %.*Rhxs\n",
208 cbOsslSignature, pbOsslSignature, *pcbSignature, pvSignature),
209 rcOssl = VERR_CR_PKIX_OSSL_VS_IPRT_SIGNATURE);
210 if (!pbOsslSignature && rcOssl == VINF_SUCCESS)
211 rcOssl = VERR_BUFFER_OVERFLOW;
212 }
213 else
214 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_SIGN_FINAL_FAILED,
215 "EVP_PKEY_sign failed (%d)", rcOssl);
216 if (pvOsslSignatureFree)
217 RTMemTmpFree(pvOsslSignatureFree);
218 }
219 else
220 rcOssl = VERR_NO_TMP_MEMORY;
221 }
222 else
223 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,
224 "EVP_PKEY_CTX_set_signature_md failed (%d)", rcOssl);
225 }
226 else
227 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_RSA_PAD_ERROR,
228 "EVP_PKEY_CTX_set_rsa_padding failed (%d)", rcOssl);
229 }
230 else
231 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,
232 "EVP_PKEY_verify_init failed (%d)", rcOssl);
233 EVP_PKEY_CTX_free(pEvpPKeyCtx);
234 }
235 else
236 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_CTX_new failed");
237 EVP_PKEY_free(pEvpPrivateKey);
238 }
239
240 /*
241 * Check the result.
242 */
243 if ( (RT_SUCCESS(rcIprt) && RT_SUCCESS(rcOssl))
244 || (RT_FAILURE_NP(rcIprt) && RT_FAILURE_NP(rcOssl))
245 || (RT_SUCCESS(rcIprt) && rcOssl == VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP) )
246 return rcIprt;
247 AssertMsgFailed(("rcIprt=%Rrc rcOssl=%Rrc\n", rcIprt, rcOssl));
248 if (RT_FAILURE_NP(rcOssl))
249 return rcOssl;
250#endif /* IPRT_WITH_OPENSSL */
251
252 return rcIprt;
253}
254
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette