Changeset 63982 in vbox for trunk/src/VBox/Runtime/common
- Timestamp:
- Sep 23, 2016 6:02:01 PM (8 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/VBox/Runtime/common/crypto/pkix-verify.cpp
r63853 r63982 118 118 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN, 119 119 "Unknown public key algorithm [OpenSSL]: %s", pAlgorithm->szObjId); 120 const char *pszAlogSn = OBJ_nid2sn(iAlgoNid); 121 const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlogSn); 120 const char *pszAlgoSn = OBJ_nid2sn(iAlgoNid); 121 122 # if OPENSSL_VERSION_NUMBER >= 0x10001000 && !defined(LIBRESSL_VERSION_NUMBER) 123 int idAlgoPkey = 0; 124 int idAlgoMd = 0; 125 if (!OBJ_find_sigid_algs(iAlgoNid, &idAlgoMd, &idAlgoPkey)) 126 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP, 127 "OBJ_find_sigid_algs failed on %u (%s, %s)", iAlgoNid, pszAlgoSn, pAlgorithm->szObjId); 128 const EVP_MD *pEvpMdType = EVP_get_digestbynid(idAlgoMd); 122 129 if (!pEvpMdType) 123 130 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP, 124 "EVP_get_digestbyname failed on %s (%s)", pszAlogSn, pAlgorithm->szObjId); 125 126 # if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) 131 "EVP_get_digestbynid failed on %d (%s, %s)", idAlgoMd, pszAlgoSn, pAlgorithm->szObjId); 132 # else 133 const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlgoSn); 134 if (!pEvpMdType) 135 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP, 136 "EVP_get_digestbyname failed on %s (%s)", pszAlgoSn, pAlgorithm->szObjId); 137 # endif 127 138 128 139 EVP_MD_CTX *pEvpMdCtx = EVP_MD_CTX_create(); 129 140 if (!pEvpMdCtx) 130 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALOG_INIT_FAILED, 131 "EVP_MD_CTX_create failed"); 132 if (!EVP_VerifyInit_ex(pEvpMdCtx, pEvpMdType, NULL /*engine*/)) 133 { 134 EVP_MD_CTX_destroy(pEvpMdCtx); 135 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALOG_INIT_FAILED, 136 "EVP_VerifyInit_ex failed (algorithm type is %s / %s)", pszAlogSn, pAlgorithm->szObjId); 137 } 138 139 /* Create an EVP public key. */ 141 return RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_MD_CTX_create failed"); 140 142 int rcOssl; 141 EVP_PKEY *pEvpPublicKey = EVP_PKEY_new(); 142 if (pEvpPublicKey) 143 { 144 EVP_PKEY_set_type(pEvpPublicKey, iAlgoNid); 145 int keyType = EVP_PKEY_base_id(pEvpPublicKey); 146 if (keyType != NID_undef) 143 if (EVP_VerifyInit_ex(pEvpMdCtx, pEvpMdType, NULL /*engine*/)) 144 { 145 /* Create an EVP public key. */ 146 EVP_PKEY *pEvpPublicKey = EVP_PKEY_new(); 147 if (pEvpPublicKey) 147 148 { 148 const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey); 149 if ( d2i_PublicKey(keyType, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey)))149 # if OPENSSL_VERSION_NUMBER >= 0x10001000 && !defined(LIBRESSL_VERSION_NUMBER) 150 if (EVP_PKEY_set_type(pEvpPublicKey, idAlgoPkey)) 150 151 { 151 /* Digest the data. */ 152 EVP_VerifyUpdate(pEvpMdCtx, pvData, cbData); 153 154 /* Verify the signature. */ 155 if (EVP_VerifyFinal(pEvpMdCtx, 156 RTASN1BITSTRING_GET_BIT0_PTR(pSignatureValue), 157 RTASN1BITSTRING_GET_BYTE_SIZE(pSignatureValue), 158 pEvpPublicKey) > 0) 159 rcOssl = VINF_SUCCESS; 152 int idKeyType = EVP_PKEY_base_id(pEvpPublicKey); 153 # else 154 int idKeyType = pEvpPublicKey->type = EVP_PKEY_type(pEvpMdType->required_pkey_type[0]); 155 # endif 156 if (idKeyType != NID_undef) 157 { 158 const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey); 159 if (d2i_PublicKey(idKeyType, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey))) 160 { 161 /* Digest the data. */ 162 EVP_VerifyUpdate(pEvpMdCtx, pvData, cbData); 163 164 /* Verify the signature. */ 165 if (EVP_VerifyFinal(pEvpMdCtx, 166 RTASN1BITSTRING_GET_BIT0_PTR(pSignatureValue), 167 RTASN1BITSTRING_GET_BYTE_SIZE(pSignatureValue), 168 pEvpPublicKey) > 0) 169 rcOssl = VINF_SUCCESS; 170 else 171 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_VERIFY_FINAL_FAILED, "EVP_VerifyFinal failed"); 172 } 173 else 174 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed"); 175 } 160 176 else 161 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_VERIFY_FINAL_FAILED, "EVP_VerifyFinal failed"); 177 # if OPENSSL_VERSION_NUMBER < 0x10001000 || defined(LIBRESSL_VERSION_NUMBER) 178 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_type() failed"); 179 # else 180 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_base_id() failed"); 162 181 } 163 182 else 164 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed"); 183 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, 184 "EVP_PKEY_set_type(%u) failed (sig algo %s)", idAlgoPkey, pszAlgoSn); 185 # endif 186 /* Cleanup and return.*/ 187 EVP_PKEY_free(pEvpPublicKey); 165 188 } 166 189 else 167 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, 168 "EVP_PKEY_type(%d) failed", iAlgoNid); 169 /* Cleanup and return.*/ 170 EVP_PKEY_free(pEvpPublicKey); 190 rcOssl = RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new(%d) failed", iAlgoNid); 171 191 } 172 192 else 173 rcOssl = RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new(%d) failed", iAlgoNid); 193 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALOG_INIT_FAILED, 194 "EVP_VerifyInit_ex failed (algorithm type is %s / %s)", pszAlgoSn, pAlgorithm->szObjId); 174 195 EVP_MD_CTX_destroy(pEvpMdCtx); 175 176 # else /* OPENSSL_VERSION_NUMBER < 0x1010000 || defined(LIBRESSL_VERSION_NUMBER) */177 178 /* Initialize the EVP message digest context. */179 EVP_MD_CTX EvpMdCtx;180 EVP_MD_CTX_init(&EvpMdCtx);181 if (!EVP_VerifyInit_ex(&EvpMdCtx, pEvpMdType, NULL /*engine*/))182 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALOG_INIT_FAILED,183 "EVP_VerifyInit_ex failed (algorithm type is %s / %s)", pszAlogSn, pAlgorithm->szObjId);184 185 /* Create an EVP public key. */186 int rcOssl;187 EVP_PKEY *pEvpPublicKey = EVP_PKEY_new();188 if (pEvpPublicKey)189 {190 pEvpPublicKey->type = EVP_PKEY_type(pEvpMdType->required_pkey_type[0]);191 if (pEvpPublicKey->type != NID_undef)192 {193 const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey);194 if (d2i_PublicKey(pEvpPublicKey->type, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey)))195 {196 /* Digest the data. */197 EVP_VerifyUpdate(&EvpMdCtx, pvData, cbData);198 199 /* Verify the signature. */200 if (EVP_VerifyFinal(&EvpMdCtx,201 RTASN1BITSTRING_GET_BIT0_PTR(pSignatureValue),202 RTASN1BITSTRING_GET_BYTE_SIZE(pSignatureValue),203 pEvpPublicKey) > 0)204 rcOssl = VINF_SUCCESS;205 else206 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_VERIFY_FINAL_FAILED, "EVP_VerifyFinal failed");207 }208 else209 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed");210 }211 else212 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,213 "EVP_PKEY_type(%d) failed", pEvpMdType->required_pkey_type[0]);214 /* Cleanup and return.*/215 EVP_PKEY_free(pEvpPublicKey);216 }217 else218 rcOssl = RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new(%d) failed", pEvpMdType->required_pkey_type[0]);219 EVP_MD_CTX_cleanup(&EvpMdCtx);220 221 # endif /* OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) */222 196 223 197 /* … … 305 279 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN, 306 280 "Unknown public key algorithm [OpenSSL]: %s", pszAlgObjId); 307 const char *pszAlogSn = OBJ_nid2sn(iAlgoNid); 308 const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlogSn); 281 const char *pszAlgoSn = OBJ_nid2sn(iAlgoNid); 282 283 # if OPENSSL_VERSION_NUMBER >= 0x10001000 && !defined(LIBRESSL_VERSION_NUMBER) 284 int idAlgoPkey = 0; 285 int idAlgoMd = 0; 286 if (!OBJ_find_sigid_algs(iAlgoNid, &idAlgoMd, &idAlgoPkey)) 287 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP, 288 "OBJ_find_sigid_algs failed on %u (%s, %s)", iAlgoNid, pszAlgoSn, pAlgorithm->szObjId); 289 const EVP_MD *pEvpMdType = EVP_get_digestbynid(idAlgoMd); 309 290 if (!pEvpMdType) 310 291 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP, 311 "EVP_get_digestbyname failed on %s (%s)", pszAlogSn, pszAlgObjId); 312 313 # if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) 292 "EVP_get_digestbynid failed on %d (%s, %s)", idAlgoMd, pszAlgoSn, pAlgorithm->szObjId); 293 # else 294 const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlgoSn); 295 if (!pEvpMdType) 296 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_CIPHER_ALGO_NOT_KNOWN_EVP, 297 "EVP_get_digestbyname failed on %s (%s)", pszAlgoSn, pszAlgObjId); 298 # endif 314 299 315 300 /* Create an EVP public key. */ … … 318 303 if (pEvpPublicKey) 319 304 { 320 EVP_PKEY_set_type(pEvpPublicKey, iAlgoNid); 321 int keyType = EVP_PKEY_base_id(pEvpPublicKey); 322 if (keyType != NID_undef) 305 # if OPENSSL_VERSION_NUMBER >= 0x10001000 && !defined(LIBRESSL_VERSION_NUMBER) 306 if (EVP_PKEY_set_type(pEvpPublicKey, idAlgoPkey)) 323 307 { 324 const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey); 325 if (d2i_PublicKey(keyType, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey))) 308 int idKeyType = EVP_PKEY_base_id(pEvpPublicKey); 309 # else 310 int idKeyType = pEvpPublicKey->type = EVP_PKEY_type(pEvpMdType->required_pkey_type[0]); 311 # endif 312 if (idKeyType != NID_undef) 313 326 314 { 327 /* Create an EVP public key context we can use to validate the digest. */ 328 EVP_PKEY_CTX *pEvpPKeyCtx = EVP_PKEY_CTX_new(pEvpPublicKey, NULL); 329 if (pEvpPKeyCtx) 315 const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey); 316 if (d2i_PublicKey(idKeyType, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey))) 330 317 { 331 rcOssl = EVP_PKEY_verify_init(pEvpPKeyCtx); 332 if (rcOssl > 0) 318 /* Create an EVP public key context we can use to validate the digest. */ 319 EVP_PKEY_CTX *pEvpPKeyCtx = EVP_PKEY_CTX_new(pEvpPublicKey, NULL); 320 if (pEvpPKeyCtx) 333 321 { 334 rcOssl = EVP_PKEY_ CTX_set_signature_md(pEvpPKeyCtx, pEvpMdType);322 rcOssl = EVP_PKEY_verify_init(pEvpPKeyCtx); 335 323 if (rcOssl > 0) 336 324 { 337 /* Get the digest from hDigest and verify it. */ 338 rcOssl = EVP_PKEY_verify(pEvpPKeyCtx, 339 (uint8_t const *)pvSignedDigest, 340 cbSignedDigest, 341 RTCrDigestGetHash(hDigest), 342 RTCrDigestGetHashSize(hDigest)); 325 rcOssl = EVP_PKEY_CTX_set_signature_md(pEvpPKeyCtx, pEvpMdType); 343 326 if (rcOssl > 0) 344 rcOssl = VINF_SUCCESS; 327 { 328 /* Get the digest from hDigest and verify it. */ 329 rcOssl = EVP_PKEY_verify(pEvpPKeyCtx, 330 (uint8_t const *)pvSignedDigest, 331 cbSignedDigest, 332 RTCrDigestGetHash(hDigest), 333 RTCrDigestGetHashSize(hDigest)); 334 if (rcOssl > 0) 335 rcOssl = VINF_SUCCESS; 336 else 337 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_VERIFY_FINAL_FAILED, 338 "EVP_PKEY_verify failed (%d)", rcOssl); 339 } 345 340 else 346 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_ VERIFY_FINAL_FAILED,347 "EVP_PKEY_ verifyfailed (%d)", rcOssl);341 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, 342 "EVP_PKEY_CTX_set_signature_md failed (%d)", rcOssl); 348 343 } 349 344 else 350 345 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, 351 "EVP_PKEY_CTX_set_signature_md failed (%d)", rcOssl); 346 "EVP_PKEY_verify_init failed (%d)", rcOssl); 347 EVP_PKEY_CTX_free(pEvpPKeyCtx); 352 348 } 353 349 else 354 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, 355 "EVP_PKEY_verify_init failed (%d)", rcOssl); 356 EVP_PKEY_CTX_free(pEvpPKeyCtx); 350 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_CTX_new failed"); 357 351 } 358 352 else 359 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_ EVP_PKEY_TYPE_ERROR, "EVP_PKEY_CTX_newfailed");353 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed"); 360 354 } 361 355 else 362 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed"); 356 # if OPENSSL_VERSION_NUMBER < 0x10001000 || defined(LIBRESSL_VERSION_NUMBER) 357 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_type() failed"); 358 # else 359 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_base_id() failed"); 363 360 } 364 361 else 365 362 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, 366 "EVP_PKEY_type(%d) failed", iAlgoNid); 363 "EVP_PKEY_set_type(%u) failed (sig algo %s)", idAlgoPkey, pszAlgoSn); 364 # endif 365 367 366 /* Cleanup and return.*/ 368 367 EVP_PKEY_free(pEvpPublicKey); … … 370 369 else 371 370 rcOssl = RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new(%d) failed", iAlgoNid); 372 373 # else /* OPENSSL_VERSION_NUMBER < 0x1010000 || defined(LIBRESSL_VERSION_NUMBER) */374 375 /* Create an EVP public key. */376 int rcOssl;377 EVP_PKEY *pEvpPublicKey = EVP_PKEY_new();378 if (pEvpPublicKey)379 {380 pEvpPublicKey->type = EVP_PKEY_type(pEvpMdType->required_pkey_type[0]);381 if (pEvpPublicKey->type != NID_undef)382 {383 const unsigned char *puchPublicKey = RTASN1BITSTRING_GET_BIT0_PTR(pPublicKey);384 if (d2i_PublicKey(pEvpPublicKey->type, &pEvpPublicKey, &puchPublicKey, RTASN1BITSTRING_GET_BYTE_SIZE(pPublicKey)))385 {386 /* Create an EVP public key context we can use to validate the digest. */387 EVP_PKEY_CTX *pEvpPKeyCtx = EVP_PKEY_CTX_new(pEvpPublicKey, NULL);388 if (pEvpPKeyCtx)389 {390 rcOssl = EVP_PKEY_verify_init(pEvpPKeyCtx);391 if (rcOssl > 0)392 {393 rcOssl = EVP_PKEY_CTX_set_signature_md(pEvpPKeyCtx, pEvpMdType);394 if (rcOssl > 0)395 {396 /* Get the digest from hDigest and verify it. */397 rcOssl = EVP_PKEY_verify(pEvpPKeyCtx,398 (uint8_t const *)pvSignedDigest,399 cbSignedDigest,400 RTCrDigestGetHash(hDigest),401 RTCrDigestGetHashSize(hDigest));402 if (rcOssl > 0)403 rcOssl = VINF_SUCCESS;404 else405 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_VERIFY_FINAL_FAILED,406 "EVP_PKEY_verify failed (%d)", rcOssl);407 }408 else409 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,410 "EVP_PKEY_CTX_set_signature_md failed (%d)", rcOssl);411 }412 else413 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,414 "EVP_PKEY_verify_init failed (%d)", rcOssl);415 EVP_PKEY_CTX_free(pEvpPKeyCtx);416 }417 else418 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_CTX_new failed");419 }420 else421 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed");422 }423 else424 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,425 "EVP_PKEY_type(%d) failed", pEvpMdType->required_pkey_type[0]);426 /* Cleanup and return.*/427 EVP_PKEY_free(pEvpPublicKey);428 }429 else430 rcOssl = RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new(%d) failed", pEvpMdType->required_pkey_type[0]);431 432 # endif /* OPENSSL_VERSION_NUMBER < 0x1010000 || defined(LIBRESSL_VERSION_NUMBER) */433 371 434 372 /*
Note:
See TracChangeset
for help on using the changeset viewer.
