1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "crypto/signature_verifier.h"
6 
7 #include <cryptohi.h>
8 #include <keyhi.h>
9 #include <pk11pub.h>
10 #include <secerr.h>
11 #include <sechash.h>
12 #include <stdint.h>
13 #include <stdlib.h>
14 
15 #include "base/logging.h"
16 #include "crypto/nss_util.h"
17 #include "crypto/third_party/nss/chromium-nss.h"
18 
19 namespace crypto {
20 
21 namespace {
22 
ToNSSHashType(SignatureVerifier::HashAlgorithm hash_alg)23 HASH_HashType ToNSSHashType(SignatureVerifier::HashAlgorithm hash_alg) {
24   switch (hash_alg) {
25     case SignatureVerifier::SHA1:
26       return HASH_AlgSHA1;
27     case SignatureVerifier::SHA256:
28       return HASH_AlgSHA256;
29   }
30   return HASH_AlgNULL;
31 }
32 
VerifyRSAPSS_End(SECKEYPublicKey * public_key,HASHContext * hash_context,HASH_HashType mask_hash_alg,unsigned int salt_len,const unsigned char * signature,unsigned int signature_len)33 SECStatus VerifyRSAPSS_End(SECKEYPublicKey* public_key,
34                            HASHContext* hash_context,
35                            HASH_HashType mask_hash_alg,
36                            unsigned int salt_len,
37                            const unsigned char* signature,
38                            unsigned int signature_len) {
39   unsigned int hash_len = HASH_ResultLenContext(hash_context);
40   std::vector<unsigned char> hash(hash_len);
41   HASH_End(hash_context, &hash[0], &hash_len, hash.size());
42 
43   unsigned int modulus_len = SECKEY_PublicKeyStrength(public_key);
44   if (signature_len != modulus_len) {
45     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
46     return SECFailure;
47   }
48   std::vector<unsigned char> enc(signature_len);
49   SECStatus rv = PK11_PubEncryptRaw(public_key, &enc[0],
50                                     const_cast<unsigned char*>(signature),
51                                     signature_len, NULL);
52   if (rv != SECSuccess) {
53     LOG(WARNING) << "PK11_PubEncryptRaw failed";
54     return rv;
55   }
56   return emsa_pss_verify(&hash[0], &enc[0], enc.size(),
57                          HASH_GetType(hash_context), mask_hash_alg,
58                          salt_len);
59 }
60 
61 }  // namespace
62 
SignatureVerifier()63 SignatureVerifier::SignatureVerifier()
64     : vfy_context_(NULL),
65       hash_alg_(SHA1),
66       mask_hash_alg_(SHA1),
67       salt_len_(0),
68       public_key_(NULL),
69       hash_context_(NULL) {
70   EnsureNSSInit();
71 }
72 
~SignatureVerifier()73 SignatureVerifier::~SignatureVerifier() {
74   Reset();
75 }
76 
VerifyInit(const uint8_t * signature_algorithm,int signature_algorithm_len,const uint8_t * signature,int signature_len,const uint8_t * public_key_info,int public_key_info_len)77 bool SignatureVerifier::VerifyInit(const uint8_t* signature_algorithm,
78                                    int signature_algorithm_len,
79                                    const uint8_t* signature,
80                                    int signature_len,
81                                    const uint8_t* public_key_info,
82                                    int public_key_info_len) {
83   if (vfy_context_ || hash_context_)
84     return false;
85 
86   signature_.assign(signature, signature + signature_len);
87 
88   SECKEYPublicKey* public_key = DecodePublicKeyInfo(public_key_info,
89                                                     public_key_info_len);
90   if (!public_key)
91     return false;
92 
93   PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
94   if (!arena) {
95     SECKEY_DestroyPublicKey(public_key);
96     return false;
97   }
98 
99   SECItem sig_alg_der;
100   sig_alg_der.type = siBuffer;
101   sig_alg_der.data = const_cast<uint8_t*>(signature_algorithm);
102   sig_alg_der.len = signature_algorithm_len;
103   SECAlgorithmID sig_alg_id;
104   SECStatus rv;
105   rv = SEC_QuickDERDecodeItem(arena, &sig_alg_id,
106                               SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
107                               &sig_alg_der);
108   if (rv != SECSuccess) {
109     SECKEY_DestroyPublicKey(public_key);
110     PORT_FreeArena(arena, PR_TRUE);
111     return false;
112   }
113 
114   SECItem sig;
115   sig.type = siBuffer;
116   sig.data = const_cast<uint8_t*>(signature);
117   sig.len = signature_len;
118   SECOidTag hash_alg_tag;
119   vfy_context_ = VFY_CreateContextWithAlgorithmID(public_key, &sig,
120                                                   &sig_alg_id, &hash_alg_tag,
121                                                   NULL);
122   SECKEY_DestroyPublicKey(public_key);  // Done with public_key.
123   PORT_FreeArena(arena, PR_TRUE);  // Done with sig_alg_id.
124   if (!vfy_context_) {
125     // A corrupted RSA signature could be detected without the data, so
126     // VFY_CreateContextWithAlgorithmID may fail with SEC_ERROR_BAD_SIGNATURE
127     // (-8182).
128     return false;
129   }
130 
131   rv = VFY_Begin(vfy_context_);
132   if (rv != SECSuccess) {
133     NOTREACHED();
134     return false;
135   }
136   return true;
137 }
138 
VerifyInitRSAPSS(HashAlgorithm hash_alg,HashAlgorithm mask_hash_alg,int salt_len,const uint8_t * signature,int signature_len,const uint8_t * public_key_info,int public_key_info_len)139 bool SignatureVerifier::VerifyInitRSAPSS(HashAlgorithm hash_alg,
140                                          HashAlgorithm mask_hash_alg,
141                                          int salt_len,
142                                          const uint8_t* signature,
143                                          int signature_len,
144                                          const uint8_t* public_key_info,
145                                          int public_key_info_len) {
146   if (vfy_context_ || hash_context_)
147     return false;
148 
149   signature_.assign(signature, signature + signature_len);
150 
151   SECKEYPublicKey* public_key = DecodePublicKeyInfo(public_key_info,
152                                                     public_key_info_len);
153   if (!public_key)
154     return false;
155 
156   public_key_ = public_key;
157   hash_alg_ = hash_alg;
158   mask_hash_alg_ = mask_hash_alg;
159   salt_len_ = salt_len;
160   hash_context_ = HASH_Create(ToNSSHashType(hash_alg_));
161   if (!hash_context_)
162     return false;
163   HASH_Begin(hash_context_);
164   return true;
165 }
166 
VerifyUpdate(const uint8_t * data_part,int data_part_len)167 void SignatureVerifier::VerifyUpdate(const uint8_t* data_part,
168                                      int data_part_len) {
169   if (vfy_context_) {
170     SECStatus rv = VFY_Update(vfy_context_, data_part, data_part_len);
171     DCHECK_EQ(SECSuccess, rv);
172   } else {
173     HASH_Update(hash_context_, data_part, data_part_len);
174   }
175 }
176 
VerifyFinal()177 bool SignatureVerifier::VerifyFinal() {
178   SECStatus rv;
179   if (vfy_context_) {
180     rv = VFY_End(vfy_context_);
181   } else {
182     rv = VerifyRSAPSS_End(public_key_, hash_context_,
183                           ToNSSHashType(mask_hash_alg_), salt_len_,
184                           signature_.data(),
185                           signature_.size());
186   }
187   Reset();
188 
189   // If signature verification fails, the error code is
190   // SEC_ERROR_BAD_SIGNATURE (-8182).
191   return (rv == SECSuccess);
192 }
193 
194 // static
DecodePublicKeyInfo(const uint8_t * public_key_info,int public_key_info_len)195 SECKEYPublicKey* SignatureVerifier::DecodePublicKeyInfo(
196     const uint8_t* public_key_info,
197     int public_key_info_len) {
198   CERTSubjectPublicKeyInfo* spki = NULL;
199   SECItem spki_der;
200   spki_der.type = siBuffer;
201   spki_der.data = const_cast<uint8_t*>(public_key_info);
202   spki_der.len = public_key_info_len;
203   spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_der);
204   if (!spki)
205     return NULL;
206   SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki);
207   SECKEY_DestroySubjectPublicKeyInfo(spki);  // Done with spki.
208   return public_key;
209 }
210 
Reset()211 void SignatureVerifier::Reset() {
212   if (vfy_context_) {
213     VFY_DestroyContext(vfy_context_, PR_TRUE);
214     vfy_context_ = NULL;
215   }
216   if (hash_context_) {
217     HASH_Destroy(hash_context_);
218     hash_context_ = NULL;
219   }
220   if (public_key_) {
221     SECKEY_DestroyPublicKey(public_key_);
222     public_key_ = NULL;
223   }
224   signature_.clear();
225 }
226 
227 }  // namespace crypto
228