--- /dev/null
+/*
+ * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ * RSA_DSA_signature.cpp - openssl-based signature classes.
+ */
+
+#include "RSA_DSA_signature.h"
+#include "RSA_DSA_utils.h"
+#include <stdexcept>
+#include <assert.h>
+#include <security_utilities/debugging.h>
+#include <security_cdsa_utilities/cssmdata.h>
+#include <opensslUtils/opensslUtils.h>
+#include <opensslUtils/opensslAsn1.h>
+
+#define rsaSigDebug(args...) secdebug("rsaSig", ## args)
+
+static ModuleNexus<Mutex> gMutex;
+
+RSASigner::~RSASigner()
+{
+ StLock<Mutex> _(gMutex());
+ if(mWeMallocdRsaKey) {
+ assert(mRsaKey != NULL);
+ RSA_free(mRsaKey);
+ mRsaKey = NULL;
+ mWeMallocdRsaKey = false;
+ }
+}
+
+/* reusable init */
+void RSASigner::signerInit(
+ const Context &context,
+ bool isSigning)
+{
+ StLock<Mutex> _(gMutex());
+
+ setIsSigning(isSigning);
+ keyFromContext(context);
+
+ /* optional padding attribute */
+ uint32 padding;
+ bool padPresent = context.getInt(CSSM_ATTRIBUTE_PADDING, padding);
+ if(padPresent) {
+ /* padding specified in context, convert to openssl style */
+ switch(padding) {
+ case CSSM_PADDING_NONE:
+ mPadding = RSA_NO_PADDING;
+ break;
+ case CSSM_PADDING_PKCS1:
+ mPadding = RSA_PKCS1_PADDING;
+ break;
+ default:
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_PADDING);
+ }
+ }
+
+ /* optional blinding attribute */
+ uint32 blinding = context.getInt(CSSM_ATTRIBUTE_RSA_BLINDING);
+ if(blinding) {
+ if(RSA_blinding_on(mRsaKey, NULL) <= 0) {
+ /* actually no legit failures */
+ CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
+ }
+ }
+ else {
+ RSA_blinding_off(mRsaKey);
+ }
+
+ setInitFlag(true);
+}
+
+/* sign */
+void RSASigner::sign(
+ const void *data,
+ size_t dataLen,
+ void *sig,
+ size_t *sigLen) /* IN/OUT */
+{
+ StLock<Mutex> _(gMutex());
+
+ if(mRsaKey == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
+ }
+
+ /* get encoded digest info */
+ CssmAutoData encodedInfo(alloc());
+ int irtn = generateDigestInfo(data,
+ dataLen,
+ digestAlg(),
+ encodedInfo,
+ RSA_size(mRsaKey));
+ if(irtn) {
+ rsaSigDebug("***digestInfo error\n");
+ throwOpensslErr(irtn);
+ }
+
+ /* signature := encrypted digest info */
+ irtn = RSA_private_encrypt(encodedInfo.length(),
+ (unsigned char *)encodedInfo.data(),
+ (unsigned char *)sig,
+ mRsaKey,
+ mPadding);
+ if(irtn < 0) {
+ throwRsaDsa("RSA_private_encrypt");
+ }
+ if((unsigned)irtn > *sigLen) {
+ rsaSigDebug("RSA_private_encrypt: sig overflow");
+ CssmError::throwMe(CSSMERR_CSP_OUTPUT_LENGTH_ERROR);
+ }
+ *sigLen = (unsigned)irtn;
+}
+
+/* verify */
+void RSASigner::verify(
+ const void *data,
+ size_t dataLen,
+ const void *sig,
+ size_t sigLen)
+{
+ StLock<Mutex> _(gMutex());
+
+ const char *op = NULL;
+ bool throwSigVerify = false;
+
+ if(mRsaKey == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
+ }
+
+ /* get encoded digest info */
+ CssmAutoData encodedInfo(alloc());
+ int irtn = generateDigestInfo(data,
+ dataLen,
+ digestAlg(),
+ encodedInfo,
+ RSA_size(mRsaKey));
+ if(irtn) {
+ rsaSigDebug("***digestInfo error\n");
+ CssmError::throwMe(/* FIXME */CSSMERR_CSP_INTERNAL_ERROR);
+ }
+
+ /* malloc decrypted signature */
+ unsigned char *decryptSig =
+ (unsigned char *)alloc().malloc(RSA_size(mRsaKey));
+ unsigned decryptSigLen;
+
+ /* signature should be encrypted digest info; decrypt the signature */
+ irtn = RSA_public_decrypt(sigLen,
+ (unsigned char *)sig,
+ decryptSig,
+ mRsaKey,
+ mPadding);
+ if(irtn < 0) {
+ op = "RSA_public_decrypt";
+ throwSigVerify = true;
+ goto abort;
+ }
+ decryptSigLen = (unsigned)irtn;
+ if(decryptSigLen != encodedInfo.length()) {
+ rsaSigDebug("***Decrypted signature length error (exp %ld, got %d)\n",
+ encodedInfo.length(), decryptSigLen);
+ throwSigVerify = true;
+ op = "RSA Sig length check";
+ goto abort;
+ }
+ if(memcmp(decryptSig, encodedInfo.data(), decryptSigLen)) {
+ rsaSigDebug("***Signature miscompare\n");
+ throwSigVerify = true;
+ op = "RSA Sig miscompare";
+ goto abort;
+ }
+ else {
+ irtn = 0;
+ }
+abort:
+ if(decryptSig != NULL) {
+ alloc().free(decryptSig);
+ }
+ if(throwSigVerify) {
+ clearOpensslErrors();
+ CssmError::throwMe(CSSMERR_CSP_VERIFY_FAILED);
+ }
+}
+
+/* works for both, but only used for signing */
+size_t RSASigner::maxSigSize()
+{
+ StLock<Mutex> _(gMutex());
+ if(mRsaKey == NULL) {
+ return 0;
+ }
+ return RSA_size(mRsaKey);
+}
+
+/*
+ * obtain key from context, validate, convert to native RSA key
+ */
+void RSASigner::keyFromContext(
+ const Context &context)
+{
+ if(initFlag() && (mRsaKey != NULL)) {
+ /* reusing context, OK */
+ return;
+ }
+
+ CSSM_KEYCLASS keyClass;
+ CSSM_KEYUSE keyUse;
+ if(isSigning()) {
+ /* signing with private key */
+ keyClass = CSSM_KEYCLASS_PRIVATE_KEY;
+ keyUse = CSSM_KEYUSE_SIGN;
+ }
+ else {
+ /* verifying with public key */
+ keyClass = CSSM_KEYCLASS_PUBLIC_KEY;
+ keyUse = CSSM_KEYUSE_VERIFY;
+ }
+ if(mRsaKey == NULL) {
+ CSSM_DATA label = {0, NULL};
+ mRsaKey = contextToRsaKey(context,
+ mSession,
+ keyClass,
+ keyUse,
+ mWeMallocdRsaKey,
+ label);
+ /* cannot have label param for signing */
+ assert(label.Data == NULL);
+ }
+}
+
+DSASigner::~DSASigner()
+{
+ if(mWeMallocdDsaKey) {
+ assert(mDsaKey != NULL);
+ DSA_free(mDsaKey);
+ mDsaKey = NULL;
+ mWeMallocdDsaKey = false;
+ }
+}
+
+/* reusable init */
+void DSASigner::signerInit(
+ const Context &context,
+ bool isSigning)
+{
+ setIsSigning(isSigning);
+ keyFromContext(context);
+ setInitFlag(true);
+}
+
+/* sign */
+void DSASigner::sign(
+ const void *data,
+ size_t dataLen,
+ void *sig,
+ size_t *sigLen) /* IN/OUT */
+{
+ if(mDsaKey == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
+ }
+ if(mDsaKey->priv_key == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_CLASS);
+ }
+
+ /* get signature in internal format */
+ DSA_SIG *dsaSig = DSA_do_sign((unsigned char *)data, dataLen, mDsaKey);
+ if(dsaSig == NULL) {
+ throwRsaDsa("DSA_do_sign");
+ }
+
+ /* DER encode the signature */
+ CssmAutoData encodedSig(alloc());
+ int irtn = DSASigEncode(dsaSig, encodedSig);
+ if(irtn) {
+ throwRsaDsa("DSASigEncode");
+ }
+ if(encodedSig.length() > *sigLen) {
+ throwRsaDsa("DSA sign overflow");
+ }
+ memmove(sig, encodedSig.data(), encodedSig.length());
+ *sigLen = encodedSig.length();
+ DSA_SIG_free(dsaSig);
+}
+
+/* verify */
+void DSASigner::verify(
+ const void *data,
+ size_t dataLen,
+ const void *sig,
+ size_t sigLen)
+{
+ bool throwSigVerify = false;
+ DSA_SIG *dsaSig = NULL;
+ CSSM_RETURN crtn = CSSM_OK;
+ int irtn;
+
+ if(mDsaKey == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
+ }
+ if(mDsaKey->pub_key == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_CLASS);
+ }
+
+ /* incoming sig is DER encoded....decode into internal format */
+ dsaSig = DSA_SIG_new();
+ crtn = DSASigDecode(dsaSig, sig, sigLen);
+ if(crtn) {
+ goto abort;
+ }
+
+ irtn = DSA_do_verify((unsigned char *)data, dataLen, dsaSig, mDsaKey);
+ if(irtn != 1) {
+ throwSigVerify = true;
+ }
+
+abort:
+ if(dsaSig != NULL) {
+ DSA_SIG_free(dsaSig);
+ }
+ if(throwSigVerify) {
+ clearOpensslErrors();
+ CssmError::throwMe(CSSMERR_CSP_VERIFY_FAILED);
+ }
+ else if(crtn) {
+ CssmError::throwMe(crtn);
+ }
+}
+
+/*
+ * Works for both, but only used for signing.
+ * DSA sig is a sequence of two 160-bit integers.
+ */
+size_t DSASigner::maxSigSize()
+{
+ if(mDsaKey == NULL) {
+ return 0;
+ }
+ size_t outSize;
+ size_t sizeOfOneInt;
+
+ sizeOfOneInt = (160 / 8) + // the raw contents
+ 1 + // possible leading zero
+ 2; // tag + length (assume DER, not BER)
+ outSize = (2 * sizeOfOneInt) + 5;
+ return outSize;
+}
+
+/*
+ * obtain key from context, validate, convert to native DSA key
+ */
+void DSASigner::keyFromContext(
+ const Context &context)
+{
+ if(initFlag() && (mDsaKey != NULL)) {
+ /* reusing context, OK */
+ return;
+ }
+
+ CSSM_KEYCLASS keyClass;
+ CSSM_KEYUSE keyUse;
+ if(isSigning()) {
+ /* signing with private key */
+ keyClass = CSSM_KEYCLASS_PRIVATE_KEY;
+ keyUse = CSSM_KEYUSE_SIGN;
+ }
+ else {
+ /* verifying with public key */
+ keyClass = CSSM_KEYCLASS_PUBLIC_KEY;
+ keyUse = CSSM_KEYUSE_VERIFY;
+ }
+ if(mDsaKey == NULL) {
+ mDsaKey = contextToDsaKey(context,
+ mSession,
+ keyClass,
+ keyUse,
+ mWeMallocdDsaKey);
+ }
+}
projects / apple / security.git / blobdiff