1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/signature_verifier.h"
6
7 #include <cryptohi.h>
8 #include <keyhi.h>
9 #include <pk11pub.h>
10 #include <secerr.h>
11 #include <sechash.h>
12 #include <stdlib.h>
13
14 #include "base/logging.h"
15 #include "crypto/nss_util.h"
16 #include "crypto/third_party/nss/chromium-nss.h"
17
18 namespace crypto {
19
20 namespace {
21
ToNSSHashType(SignatureVerifier::HashAlgorithm hash_alg)22 HASH_HashType ToNSSHashType(SignatureVerifier::HashAlgorithm hash_alg) {
23 switch (hash_alg) {
24 case SignatureVerifier::SHA1:
25 return HASH_AlgSHA1;
26 case SignatureVerifier::SHA256:
27 return HASH_AlgSHA256;
28 }
29 return HASH_AlgNULL;
30 }
31
VerifyRSAPSS_End(SECKEYPublicKey * public_key,HASHContext * hash_context,HASH_HashType mask_hash_alg,unsigned int salt_len,const unsigned char * signature,unsigned int signature_len)32 SECStatus VerifyRSAPSS_End(SECKEYPublicKey* public_key,
33 HASHContext* hash_context,
34 HASH_HashType mask_hash_alg,
35 unsigned int salt_len,
36 const unsigned char* signature,
37 unsigned int signature_len) {
38 unsigned int hash_len = HASH_ResultLenContext(hash_context);
39 std::vector<unsigned char> hash(hash_len);
40 HASH_End(hash_context, &hash[0], &hash_len, hash.size());
41
42 unsigned int modulus_len = SECKEY_PublicKeyStrength(public_key);
43 if (signature_len != modulus_len) {
44 PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
45 return SECFailure;
46 }
47 std::vector<unsigned char> enc(signature_len);
48 SECStatus rv = PK11_PubEncryptRaw(public_key, &enc[0],
49 const_cast<unsigned char*>(signature),
50 signature_len, NULL);
51 if (rv != SECSuccess) {
52 LOG(WARNING) << "PK11_PubEncryptRaw failed";
53 return rv;
54 }
55 return emsa_pss_verify(&hash[0], &enc[0], enc.size(),
56 HASH_GetType(hash_context), mask_hash_alg,
57 salt_len);
58 }
59
60 } // namespace
61
SignatureVerifier()62 SignatureVerifier::SignatureVerifier()
63 : vfy_context_(NULL),
64 hash_alg_(SHA1),
65 mask_hash_alg_(SHA1),
66 salt_len_(0),
67 public_key_(NULL),
68 hash_context_(NULL) {
69 EnsureNSSInit();
70 }
71
~SignatureVerifier()72 SignatureVerifier::~SignatureVerifier() {
73 Reset();
74 }
75
VerifyInit(const uint8 * signature_algorithm,int signature_algorithm_len,const uint8 * signature,int signature_len,const uint8 * public_key_info,int public_key_info_len)76 bool SignatureVerifier::VerifyInit(const uint8* signature_algorithm,
77 int signature_algorithm_len,
78 const uint8* signature,
79 int signature_len,
80 const uint8* public_key_info,
81 int public_key_info_len) {
82 if (vfy_context_ || hash_context_)
83 return false;
84
85 signature_.assign(signature, signature + signature_len);
86
87 SECKEYPublicKey* public_key = DecodePublicKeyInfo(public_key_info,
88 public_key_info_len);
89 if (!public_key)
90 return false;
91
92 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
93 if (!arena) {
94 SECKEY_DestroyPublicKey(public_key);
95 return false;
96 }
97
98 SECItem sig_alg_der;
99 sig_alg_der.type = siBuffer;
100 sig_alg_der.data = const_cast<uint8*>(signature_algorithm);
101 sig_alg_der.len = signature_algorithm_len;
102 SECAlgorithmID sig_alg_id;
103 SECStatus rv;
104 rv = SEC_QuickDERDecodeItem(arena, &sig_alg_id,
105 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
106 &sig_alg_der);
107 if (rv != SECSuccess) {
108 SECKEY_DestroyPublicKey(public_key);
109 PORT_FreeArena(arena, PR_TRUE);
110 return false;
111 }
112
113 SECItem sig;
114 sig.type = siBuffer;
115 sig.data = const_cast<uint8*>(signature);
116 sig.len = signature_len;
117 SECOidTag hash_alg_tag;
118 vfy_context_ = VFY_CreateContextWithAlgorithmID(public_key, &sig,
119 &sig_alg_id, &hash_alg_tag,
120 NULL);
121 SECKEY_DestroyPublicKey(public_key); // Done with public_key.
122 PORT_FreeArena(arena, PR_TRUE); // Done with sig_alg_id.
123 if (!vfy_context_) {
124 // A corrupted RSA signature could be detected without the data, so
125 // VFY_CreateContextWithAlgorithmID may fail with SEC_ERROR_BAD_SIGNATURE
126 // (-8182).
127 return false;
128 }
129
130 rv = VFY_Begin(vfy_context_);
131 if (rv != SECSuccess) {
132 NOTREACHED();
133 return false;
134 }
135 return true;
136 }
137
VerifyInitRSAPSS(HashAlgorithm hash_alg,HashAlgorithm mask_hash_alg,int salt_len,const uint8 * signature,int signature_len,const uint8 * public_key_info,int public_key_info_len)138 bool SignatureVerifier::VerifyInitRSAPSS(HashAlgorithm hash_alg,
139 HashAlgorithm mask_hash_alg,
140 int salt_len,
141 const uint8* signature,
142 int signature_len,
143 const uint8* public_key_info,
144 int public_key_info_len) {
145 if (vfy_context_ || hash_context_)
146 return false;
147
148 signature_.assign(signature, signature + signature_len);
149
150 SECKEYPublicKey* public_key = DecodePublicKeyInfo(public_key_info,
151 public_key_info_len);
152 if (!public_key)
153 return false;
154
155 public_key_ = public_key;
156 hash_alg_ = hash_alg;
157 mask_hash_alg_ = mask_hash_alg;
158 salt_len_ = salt_len;
159 hash_context_ = HASH_Create(ToNSSHashType(hash_alg_));
160 if (!hash_context_)
161 return false;
162 HASH_Begin(hash_context_);
163 return true;
164 }
165
VerifyUpdate(const uint8 * data_part,int data_part_len)166 void SignatureVerifier::VerifyUpdate(const uint8* data_part,
167 int data_part_len) {
168 if (vfy_context_) {
169 SECStatus rv = VFY_Update(vfy_context_, data_part, data_part_len);
170 DCHECK_EQ(SECSuccess, rv);
171 } else {
172 HASH_Update(hash_context_, data_part, data_part_len);
173 }
174 }
175
VerifyFinal()176 bool SignatureVerifier::VerifyFinal() {
177 SECStatus rv;
178 if (vfy_context_) {
179 rv = VFY_End(vfy_context_);
180 } else {
181 rv = VerifyRSAPSS_End(public_key_, hash_context_,
182 ToNSSHashType(mask_hash_alg_), salt_len_,
183 signature_.data(),
184 signature_.size());
185 }
186 Reset();
187
188 // If signature verification fails, the error code is
189 // SEC_ERROR_BAD_SIGNATURE (-8182).
190 return (rv == SECSuccess);
191 }
192
193 // static
DecodePublicKeyInfo(const uint8 * public_key_info,int public_key_info_len)194 SECKEYPublicKey* SignatureVerifier::DecodePublicKeyInfo(
195 const uint8* public_key_info,
196 int public_key_info_len) {
197 CERTSubjectPublicKeyInfo* spki = NULL;
198 SECItem spki_der;
199 spki_der.type = siBuffer;
200 spki_der.data = const_cast<uint8*>(public_key_info);
201 spki_der.len = public_key_info_len;
202 spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_der);
203 if (!spki)
204 return NULL;
205 SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki);
206 SECKEY_DestroySubjectPublicKeyInfo(spki); // Done with spki.
207 return public_key;
208 }
209
Reset()210 void SignatureVerifier::Reset() {
211 if (vfy_context_) {
212 VFY_DestroyContext(vfy_context_, PR_TRUE);
213 vfy_context_ = NULL;
214 }
215 if (hash_context_) {
216 HASH_Destroy(hash_context_);
217 hash_context_ = NULL;
218 }
219 if (public_key_) {
220 SECKEY_DestroyPublicKey(public_key_);
221 public_key_ = NULL;
222 }
223 signature_.clear();
224 }
225
226 } // namespace crypto
227