VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/pkix-sign.cpp@ 73670

最後變更 在這個檔案從73670是 73670,由 vboxsync 提交於 7 年 前

IPRT,SUP,Main: Working on new crypto key handling and rsa signing. bugref:9152 [build fix]

  • 屬性 svn:eol-style 設為 native
  • 屬性 svn:keywords 設為 Author Date Id Revision
檔案大小: 10.8 KB
 
1/* $Id: pkix-sign.cpp 73670 2018-08-14 17:59:29Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - Public Key Infrastructure API, Verification.
4 */
5
6/*
7 * Copyright (C) 2006-2017 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.alldomusa.eu.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/pkix.h>
33
34#include <iprt/alloca.h>
35#include <iprt/err.h>
36#include <iprt/mem.h>
37#include <iprt/string.h>
38#include <iprt/crypto/digest.h>
39#include <iprt/crypto/key.h>
40
41#ifdef IPRT_WITH_OPENSSL
42# include "internal/iprt-openssl.h"
43# include "openssl/evp.h"
44# include "openssl/rsa.h"
45# ifndef OPENSSL_VERSION_NUMBER
46# error "Missing OPENSSL_VERSION_NUMBER!"
47# endif
48#endif
49
50
51#if 0
52RTDECL(int) RTCrPkixPubKeySignData(PCRTASN1OBJID pAlgorithm, PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPrivateKey,
53 PCRTASN1BITSTRING pSignatureValue, const void *pvData, size_t cbData, PRTERRINFO pErrInfo)
54{
55 /*
56 * Validate the digest related inputs.
57 */
58 AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
59 AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
60
61 AssertPtrReturn(pvData, VERR_INVALID_POINTER);
62 AssertReturn(cbData > 0, VERR_INVALID_PARAMETER);
63
64 /*
65 * Digest the data and call the other API.
66 */
67 RTCRDIGEST hDigest;
68 int rc = RTCrDigestCreateByObjId(&hDigest, pAlgorithm);
69 if (RT_SUCCESS(rcIprt))
70 {
71 rc = RTCrDigestUpdate(hDigest, pvData, cbData);
72 if (RT_SUCCESS(rcIprt))
73 rc = RTCrPkixPubKeySignDigest(pAlgorithm, pParameters, pPrivateKey, pvSignedDigest, cbSignedDigest, hDigest, pErrInfo);
74 else
75 RTErrInfoSet(pErrInfo, rcIprt, "RTCrDigestUpdate failed");
76 RTCrDigestRelease(hDigest);
77 }
78 else
79 RTErrInfoSetF(pErrInfo, rcIprt, "Unknown digest algorithm [IPRT]: %s", pAlgorithm->szObjId);
80 return rc;
81}
82#endif
83
84
85RTDECL(int) RTCrPkixPubKeySignDigest(PCRTASN1OBJID pAlgorithm, RTCRKEY hPrivateKey, PCRTASN1DYNTYPE pParameters,
86 RTCRDIGEST hDigest, uint32_t fFlags,
87 void *pvSignature, size_t *pcbSignature, PRTERRINFO pErrInfo)
88{
89 /*
90 * Valid input.
91 */
92 AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
93 AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
94
95 if (pParameters)
96 {
97 AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
98 if (pParameters->enmType == RTASN1TYPE_NULL)
99 pParameters = NULL;
100 }
101
102 AssertPtrReturn(hPrivateKey, VERR_INVALID_POINTER);
103 Assert(RTCrKeyHasPrivatePart(hPrivateKey));
104
105 AssertPtrReturn(pcbSignature, VERR_INVALID_PARAMETER);
106 size_t cbSignature = *pcbSignature;
107 if (cbSignature)
108 AssertPtrReturn(pvSignature, VERR_INVALID_POINTER);
109 else
110 pvSignature = NULL;
111
112 AssertPtrReturn(hDigest, VERR_INVALID_HANDLE);
113
114 AssertReturn(fFlags == 0, VERR_INVALID_FLAGS);
115
116 /*
117 * Parameters are not currently supported (openssl code path).
118 */
119 if (pParameters)
120 return RTErrInfoSet(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_PARAMS_NOT_IMPL,
121 "Cipher algorithm parameters are not yet supported.");
122
123 /*
124 * Sign using IPRT.
125 */
126 RTCRPKIXSIGNATURE hSignature;
127 int rcIprt = RTCrPkixSignatureCreateByObjId(&hSignature, pAlgorithm, hPrivateKey, pParameters, true /*fSigning*/);
128 if (RT_FAILURE(rcIprt))
129 return RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_CIPHER_ALGO_NOT_KNOWN,
130 "Unknown private key algorithm [IPRT]: %s", pAlgorithm->szObjId);
131
132 rcIprt = RTCrPkixSignatureSign(hSignature, hDigest, pvSignature, pcbSignature);
133 if (RT_FAILURE(rcIprt))
134 RTErrInfoSet(pErrInfo, rcIprt, "RTCrPkixSignatureSign failed");
135
136 RTCrPkixSignatureRelease(hSignature);
137
138 /*
139 * Sign using OpenSSL EVP if we can.
140 */
141#if defined(IPRT_WITH_OPENSSL) \
142 && (OPENSSL_VERSION_NUMBER > 0x10000000L) /* 0.9.8 doesn't seem to have EVP_PKEY_CTX_set_signature_md. */
143
144 /* Make sure the algorithm includes the digest and isn't just RSA. */
145 const char *pszAlgObjId = pAlgorithm->szObjId;
146 if (!strcmp(pszAlgObjId, RTCRX509ALGORITHMIDENTIFIERID_RSA))
147 {
148 pszAlgObjId = RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pszAlgObjId,
149 RTCrDigestGetAlgorithmOid(hDigest));
150 AssertMsgStmt(pszAlgObjId, ("enc=%s hash=%s\n", pAlgorithm->szObjId, RTCrDigestGetAlgorithmOid(hDigest)),
151 pszAlgObjId = RTCrDigestGetAlgorithmOid(hDigest));
152 }
153
154 /* Create an EVP private key. */
155 EVP_PKEY *pEvpPrivateKey = NULL;
156 const EVP_MD *pEvpMdType = NULL;
157 int rcOssl = rtCrKeyToOpenSslKey(hPrivateKey, false /*fNeedPublic*/, pszAlgObjId, &pEvpPrivateKey, &pEvpMdType, pErrInfo);
158 if (RT_SUCCESS(rcOssl))
159 {
160 /* Create an EVP Private key context we can use to validate the digest. */
161 EVP_PKEY_CTX *pEvpPKeyCtx = EVP_PKEY_CTX_new(pEvpPrivateKey, NULL);
162 if (pEvpPKeyCtx)
163 {
164 rcOssl = EVP_PKEY_sign_init(pEvpPKeyCtx);
165 if (rcOssl > 0)
166 {
167 rcOssl = EVP_PKEY_CTX_set_rsa_padding(pEvpPKeyCtx, RSA_PKCS1_PADDING);
168 if (rcOssl > 0)
169 {
170 rcOssl = EVP_PKEY_CTX_set_signature_md(pEvpPKeyCtx, pEvpMdType);
171 if (rcOssl > 0)
172 {
173 /* Allocate a signature buffer. */
174 unsigned char *pbOsslSignature = NULL;
175 void *pvOsslSignatureFree = NULL;
176 size_t cbOsslSignature = cbSignature;
177 if (cbOsslSignature > 0)
178 {
179 if (cbOsslSignature < _1K)
180 pbOsslSignature = (unsigned char *)alloca(cbOsslSignature);
181 else
182 {
183 pbOsslSignature = (unsigned char *)RTMemTmpAlloc(cbOsslSignature);
184 pvOsslSignatureFree = pbOsslSignature;
185 }
186 }
187 if (cbOsslSignature == 0 || pbOsslSignature != NULL)
188 {
189 /* Get the digest from hDigest and sign it. */
190 rcOssl = EVP_PKEY_sign(pEvpPKeyCtx,
191 pbOsslSignature,
192 &cbOsslSignature,
193 (const unsigned char *)RTCrDigestGetHash(hDigest),
194 RTCrDigestGetHashSize(hDigest));
195 if (rcOssl > 0)
196 {
197 /* Compare the result. The memcmp assums no random padding bits. */
198 rcOssl = VINF_SUCCESS;
199 AssertMsgStmt(cbOsslSignature == *pcbSignature,
200 ("cbOsslSignature=%#x, iprt %#x\n", cbOsslSignature, *pcbSignature),
201 rcOssl = VERR_CR_PKIX_OSSL_VS_IPRT_SIGNATURE_SIZE);
202 AssertMsgStmt( pbOsslSignature == NULL
203 || rcOssl != VINF_SUCCESS
204 || memcmp(pbOsslSignature, pvSignature, cbOsslSignature) == 0,
205 ("OpenSSL: %.*Rhxs\n"
206 "IPRT: %.*Rhxs\n",
207 cbOsslSignature, pbOsslSignature, *pcbSignature, pvSignature),
208 rcOssl = VERR_CR_PKIX_OSSL_VS_IPRT_SIGNATURE);
209 if (!pbOsslSignature && rcOssl == VINF_SUCCESS)
210 rcOssl = VERR_BUFFER_OVERFLOW;
211 }
212 else
213 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_SIGN_FINAL_FAILED,
214 "EVP_PKEY_sign failed (%d)", rcOssl);
215 if (pvOsslSignatureFree)
216 RTMemTmpFree(pvOsslSignatureFree);
217 }
218 else
219 rcOssl = VERR_NO_TMP_MEMORY;
220 }
221 else
222 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,
223 "EVP_PKEY_CTX_set_signature_md failed (%d)", rcOssl);
224 }
225 else
226 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_RSA_PAD_ERROR,
227 "EVP_PKEY_CTX_set_rsa_padding failed (%d)", rcOssl);
228 }
229 else
230 rcOssl = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR,
231 "EVP_PKEY_verify_init failed (%d)", rcOssl);
232 EVP_PKEY_CTX_free(pEvpPKeyCtx);
233 }
234 else
235 rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_EVP_PKEY_TYPE_ERROR, "EVP_PKEY_CTX_new failed");
236 EVP_PKEY_free(pEvpPrivateKey);
237 }
238
239 /*
240 * Check the result.
241 */
242 if (RT_SUCCESS(rcIprt) && RT_SUCCESS(rcOssl))
243 return VINF_SUCCESS;
244 if (RT_FAILURE_NP(rcIprt) && RT_FAILURE_NP(rcOssl))
245 return rcIprt;
246 AssertMsgFailed(("rcIprt=%Rrc rcOssl=%Rrc\n", rcIprt, rcOssl));
247 if (RT_FAILURE_NP(rcOssl))
248 return rcOssl;
249#endif /* IPRT_WITH_OPENSSL */
250
251 return rcIprt;
252}
253
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette