1 // Copyright 2011 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifdef UNSAFE_BUFFERS_BUILD
6 // TODO(crbug.com/351564777): Remove this and convert code to safer constructs.
7 #pragma allow_unsafe_buffers
8 #endif
9
10 #include "crypto/signature_verifier.h"
11
12 #include <memory>
13
14 #include "base/check_op.h"
15 #include "crypto/openssl_util.h"
16 #include "third_party/boringssl/src/include/openssl/bytestring.h"
17 #include "third_party/boringssl/src/include/openssl/digest.h"
18 #include "third_party/boringssl/src/include/openssl/evp.h"
19 #include "third_party/boringssl/src/include/openssl/rsa.h"
20
21 namespace crypto {
22
23 struct SignatureVerifier::VerifyContext {
24 bssl::ScopedEVP_MD_CTX ctx;
25 };
26
27 SignatureVerifier::SignatureVerifier() = default;
28
29 SignatureVerifier::~SignatureVerifier() = default;
30
VerifyInit(SignatureAlgorithm signature_algorithm,base::span<const uint8_t> signature,base::span<const uint8_t> public_key_info)31 bool SignatureVerifier::VerifyInit(SignatureAlgorithm signature_algorithm,
32 base::span<const uint8_t> signature,
33 base::span<const uint8_t> public_key_info) {
34 OpenSSLErrStackTracer err_tracer(FROM_HERE);
35
36 int pkey_type = EVP_PKEY_NONE;
37 const EVP_MD* digest = nullptr;
38 switch (signature_algorithm) {
39 case RSA_PKCS1_SHA1:
40 pkey_type = EVP_PKEY_RSA;
41 digest = EVP_sha1();
42 break;
43 case RSA_PKCS1_SHA256:
44 case RSA_PSS_SHA256:
45 pkey_type = EVP_PKEY_RSA;
46 digest = EVP_sha256();
47 break;
48 case ECDSA_SHA256:
49 pkey_type = EVP_PKEY_EC;
50 digest = EVP_sha256();
51 break;
52 }
53 DCHECK_NE(EVP_PKEY_NONE, pkey_type);
54 DCHECK(digest);
55
56 if (verify_context_)
57 return false;
58
59 verify_context_ = std::make_unique<VerifyContext>();
60 signature_.assign(signature.data(), signature.data() + signature.size());
61
62 CBS cbs;
63 CBS_init(&cbs, public_key_info.data(), public_key_info.size());
64 bssl::UniquePtr<EVP_PKEY> public_key(EVP_parse_public_key(&cbs));
65 if (!public_key || CBS_len(&cbs) != 0 ||
66 EVP_PKEY_id(public_key.get()) != pkey_type) {
67 return false;
68 }
69
70 EVP_PKEY_CTX* pkey_ctx;
71 if (!EVP_DigestVerifyInit(verify_context_->ctx.get(), &pkey_ctx, digest,
72 nullptr, public_key.get())) {
73 return false;
74 }
75
76 if (signature_algorithm == RSA_PSS_SHA256) {
77 if (!EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) ||
78 !EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, digest) ||
79 !EVP_PKEY_CTX_set_rsa_pss_saltlen(
80 pkey_ctx, -1 /* match digest and salt length */)) {
81 return false;
82 }
83 }
84
85 return true;
86 }
87
VerifyUpdate(base::span<const uint8_t> data_part)88 void SignatureVerifier::VerifyUpdate(base::span<const uint8_t> data_part) {
89 DCHECK(verify_context_);
90 OpenSSLErrStackTracer err_tracer(FROM_HERE);
91 int rv = EVP_DigestVerifyUpdate(verify_context_->ctx.get(), data_part.data(),
92 data_part.size());
93 DCHECK_EQ(rv, 1);
94 }
95
VerifyFinal()96 bool SignatureVerifier::VerifyFinal() {
97 DCHECK(verify_context_);
98 OpenSSLErrStackTracer err_tracer(FROM_HERE);
99 int rv = EVP_DigestVerifyFinal(verify_context_->ctx.get(), signature_.data(),
100 signature_.size());
101 DCHECK_EQ(static_cast<int>(!!rv), rv);
102 Reset();
103 return rv == 1;
104 }
105
Reset()106 void SignatureVerifier::Reset() {
107 verify_context_.reset();
108 signature_.clear();
109 }
110
111 } // namespace crypto
112