/* * Verification stuff. * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include #include "cryptohi.h" #include "sechash.h" #include "keyhi.h" #include "secasn1.h" #include "secoid.h" #include "pk11func.h" #include "pkcs1sig.h" #include "secdig.h" #include "secerr.h" #include "keyi.h" #include "nss.h" #include "prenv.h" /* ** Recover the DigestInfo from an RSA PKCS#1 signature. ** ** If givenDigestAlg != SEC_OID_UNKNOWN, copy givenDigestAlg to digestAlgOut. ** Otherwise, parse the DigestInfo structure and store the decoded digest ** algorithm into digestAlgOut. ** ** Store the encoded DigestInfo into digestInfo. ** Store the DigestInfo length into digestInfoLen. ** ** This function does *not* verify that the AlgorithmIdentifier in the ** DigestInfo identifies givenDigestAlg or that the DigestInfo is encoded ** correctly; verifyPKCS1DigestInfo does that. ** ** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION */ static SECStatus recoverPKCS1DigestInfo(SECOidTag givenDigestAlg, /*out*/ SECOidTag *digestAlgOut, /*out*/ unsigned char **digestInfo, /*out*/ unsigned int *digestInfoLen, SECKEYPublicKey *key, const SECItem *sig, void *wincx) { SGNDigestInfo *di = NULL; SECItem it; PRBool rv = SECSuccess; PORT_Assert(digestAlgOut); PORT_Assert(digestInfo); PORT_Assert(digestInfoLen); PORT_Assert(key); PORT_Assert(key->keyType == rsaKey); PORT_Assert(sig); it.data = NULL; it.len = SECKEY_PublicKeyStrength(key); if (it.len != 0) { it.data = (unsigned char *)PORT_Alloc(it.len); } if (it.len == 0 || it.data == NULL) { rv = SECFailure; } if (rv == SECSuccess) { /* decrypt the block */ rv = PK11_VerifyRecover(key, sig, &it, wincx); } if (rv == SECSuccess) { if (givenDigestAlg != SEC_OID_UNKNOWN) { /* We don't need to parse the DigestInfo if the caller gave us the * digest algorithm to use. Later verifyPKCS1DigestInfo will verify * that the DigestInfo identifies the given digest algorithm and * that the DigestInfo is encoded absolutely correctly. */ *digestInfoLen = it.len; *digestInfo = (unsigned char *)it.data; *digestAlgOut = givenDigestAlg; return SECSuccess; } } if (rv == SECSuccess) { /* The caller didn't specify a digest algorithm to use, so choose the * digest algorithm by parsing the AlgorithmIdentifier within the * DigestInfo. */ di = SGN_DecodeDigestInfo(&it); if (!di) { rv = SECFailure; } } if (rv == SECSuccess) { *digestAlgOut = SECOID_GetAlgorithmTag(&di->digestAlgorithm); if (*digestAlgOut == SEC_OID_UNKNOWN) { rv = SECFailure; } } if (di) { SGN_DestroyDigestInfo(di); } if (rv == SECSuccess) { *digestInfoLen = it.len; *digestInfo = (unsigned char *)it.data; } else { if (it.data) { PORT_Free(it.data); } *digestInfo = NULL; *digestInfoLen = 0; PORT_SetError(SEC_ERROR_BAD_SIGNATURE); } return rv; } struct VFYContextStr { SECOidTag hashAlg; /* the hash algorithm */ SECKEYPublicKey *key; /* * This buffer holds either the digest or the full signature * depending on the type of the signature (key->keyType). It is * defined as a union to make sure it always has enough space. * * Use the "buffer" union member to reference the buffer. * Note: do not take the size of the "buffer" union member. Take * the size of the union or some other union member instead. */ union { unsigned char buffer[1]; /* the full DSA signature... 40 bytes */ unsigned char dsasig[DSA_MAX_SIGNATURE_LEN]; /* the full ECDSA signature */ unsigned char ecdsasig[2 * MAX_ECKEY_LEN]; /* the full RSA signature, only used in RSA-PSS */ unsigned char rsasig[(RSA_MAX_MODULUS_BITS + 7) / 8]; unsigned char gensig[MAX_SIGNATURE_LEN]; } u; unsigned int signatureLen; unsigned int pkcs1RSADigestInfoLen; /* the encoded DigestInfo from a RSA PKCS#1 signature */ unsigned char *pkcs1RSADigestInfo; void *wincx; void *hashcx; const SECHashObject *hashobj; PK11Context *vfycx; SECOidTag encAlg; /* enc alg */ CK_MECHANISM_TYPE mech; PRBool hasSignature; /* true if the signature was provided in the * VFY_CreateContext call. If false, the * signature must be provided with a * VFY_EndWithSignature call. */ SECItem mechparams; }; static SECStatus verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest) { SECItem pkcs1DigestInfo; pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo; pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen; return _SGN_VerifyPKCS1DigestInfo( cx->hashAlg, digest, &pkcs1DigestInfo, PR_FALSE /*XXX: unsafeAllowMissingParameters*/); } static unsigned int checkedSignatureLen(const SECKEYPublicKey *pubk) { unsigned int sigLen = SECKEY_SignatureLen(pubk); if (sigLen == 0) { /* Error set by SECKEY_SignatureLen */ return sigLen; } unsigned int maxSigLen; switch (pubk->keyType) { case rsaKey: case rsaPssKey: maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; break; case dsaKey: maxSigLen = DSA_MAX_SIGNATURE_LEN; break; case ecKey: maxSigLen = 2 * MAX_ECKEY_LEN; break; default: PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); return 0; } PORT_Assert(maxSigLen <= MAX_SIGNATURE_LEN); if (sigLen > maxSigLen) { PORT_SetError(SEC_ERROR_INVALID_KEY); return 0; } return sigLen; } /* * decode the ECDSA or DSA signature from it's DER wrapping. * The unwrapped/raw signature is placed in the buffer pointed * to by dsig and has enough room for len bytes. */ static SECStatus decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig, unsigned int len) { SECItem *dsasig = NULL; /* also used for ECDSA */ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { if (len > DSA_MAX_SIGNATURE_LEN) { goto loser; } } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { if (len > MAX_ECKEY_LEN * 2) { goto loser; } } else { goto loser; } /* Decode and pad to length */ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); if (dsasig == NULL) { goto loser; } if (dsasig->len != len) { SECITEM_FreeItem(dsasig, PR_TRUE); goto loser; } PORT_Memcpy(dsig, dsasig->data, len); SECITEM_FreeItem(dsasig, PR_TRUE); return SECSuccess; loser: PORT_SetError(SEC_ERROR_BAD_DER); return SECFailure; } const SEC_ASN1Template hashParameterTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, { SEC_ASN1_OBJECT_ID, 0 }, { SEC_ASN1_SKIP_REST }, { 0 } }; /* * Get just the encryption algorithm from the signature algorithm */ SECOidTag sec_GetEncAlgFromSigAlg(SECOidTag sigAlg) { /* get the "encryption" algorithm */ switch (sigAlg) { case SEC_OID_PKCS1_RSA_ENCRYPTION: case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: return SEC_OID_PKCS1_RSA_ENCRYPTION; case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: return SEC_OID_PKCS1_RSA_PSS_SIGNATURE; /* what about normal DSA? */ case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: return SEC_OID_ANSIX9_DSA_SIGNATURE; case SEC_OID_MISSI_DSS: case SEC_OID_MISSI_KEA_DSS: case SEC_OID_MISSI_KEA_DSS_OLD: case SEC_OID_MISSI_DSS_OLD: return SEC_OID_MISSI_DSS; case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: return SEC_OID_ANSIX962_EC_PUBLIC_KEY; /* we don't implement MD4 hashes */ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: default: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); break; } return SEC_OID_UNKNOWN; } static CK_MECHANISM_TYPE sec_RSAPKCS1GetCombinedMech(SECOidTag hashalg) { switch (hashalg) { case SEC_OID_MD5: return CKM_MD5_RSA_PKCS; case SEC_OID_MD2: return CKM_MD2_RSA_PKCS; case SEC_OID_SHA1: return CKM_SHA1_RSA_PKCS; case SEC_OID_SHA224: return CKM_SHA224_RSA_PKCS; case SEC_OID_SHA256: return CKM_SHA256_RSA_PKCS; case SEC_OID_SHA384: return CKM_SHA384_RSA_PKCS; case SEC_OID_SHA512: return CKM_SHA512_RSA_PKCS; default: break; } return CKM_INVALID_MECHANISM; } static CK_MECHANISM_TYPE sec_RSAPSSGetCombinedMech(SECOidTag hashalg) { switch (hashalg) { case SEC_OID_SHA1: return CKM_SHA1_RSA_PKCS_PSS; case SEC_OID_SHA224: return CKM_SHA224_RSA_PKCS_PSS; case SEC_OID_SHA256: return CKM_SHA256_RSA_PKCS_PSS; case SEC_OID_SHA384: return CKM_SHA384_RSA_PKCS_PSS; case SEC_OID_SHA512: return CKM_SHA512_RSA_PKCS_PSS; default: break; } return CKM_INVALID_MECHANISM; } static CK_MECHANISM_TYPE sec_DSAGetCombinedMech(SECOidTag hashalg) { switch (hashalg) { case SEC_OID_SHA1: return CKM_DSA_SHA1; case SEC_OID_SHA224: return CKM_DSA_SHA224; case SEC_OID_SHA256: return CKM_DSA_SHA256; case SEC_OID_SHA384: return CKM_DSA_SHA384; case SEC_OID_SHA512: return CKM_DSA_SHA512; default: break; } return CKM_INVALID_MECHANISM; } static CK_MECHANISM_TYPE sec_ECDSAGetCombinedMech(SECOidTag hashalg) { switch (hashalg) { case SEC_OID_SHA1: return CKM_ECDSA_SHA1; case SEC_OID_SHA224: return CKM_ECDSA_SHA224; case SEC_OID_SHA256: return CKM_ECDSA_SHA256; case SEC_OID_SHA384: return CKM_ECDSA_SHA384; case SEC_OID_SHA512: return CKM_ECDSA_SHA512; default: break; } return CKM_INVALID_MECHANISM; } static CK_MECHANISM_TYPE sec_GetCombinedMech(SECOidTag encalg, SECOidTag hashalg) { switch (encalg) { case SEC_OID_PKCS1_RSA_ENCRYPTION: return sec_RSAPKCS1GetCombinedMech(hashalg); case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: return sec_RSAPSSGetCombinedMech(hashalg); case SEC_OID_ANSIX962_EC_PUBLIC_KEY: return sec_ECDSAGetCombinedMech(hashalg); case SEC_OID_ANSIX9_DSA_SIGNATURE: return sec_DSAGetCombinedMech(hashalg); default: break; } return CKM_INVALID_MECHANISM; } /* * Pulls the hash algorithm, signing algorithm, and key type out of a * composite algorithm. * * key: pointer to the public key. Should be NULL if called for a sign operation. * sigAlg: the composite algorithm to dissect. * hashalg: address of a SECOidTag which will be set with the hash algorithm. * encalg: address of a SECOidTag which will be set with the signing alg. * mechp: address of a PCKS #11 Mechanism which will be set to the * combined hash/encrypt mechanism. If set to CKM_INVALID_MECHANISM, the code * will fall back to external hashing. * mechparams: address of a SECItem will set to the parameters for the combined * hash/encrypt mechanism. * * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the * algorithm was not found or was not a signing algorithm. */ SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg, CK_MECHANISM_TYPE *mechp, SECItem *mechparamsp) { unsigned int len; PLArenaPool *arena; SECStatus rv; SECItem oid; SECOidTag encalg; char *evp; PR_ASSERT(hashalg != NULL); PR_ASSERT(encalgp != NULL); PR_ASSERT(mechp != NULL); /* Get the expected combined mechanism from the signature OID * We'll override it in the table below if necessary */ *mechp = PK11_AlgtagToMechanism(sigAlg); if (mechparamsp) { mechparamsp->data = NULL; mechparamsp->len = 0; } switch (sigAlg) { /* We probably shouldn't be generating MD2 signatures either */ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: *hashalg = SEC_OID_MD2; break; case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: *hashalg = SEC_OID_MD5; break; case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: *hashalg = SEC_OID_SHA1; break; case SEC_OID_PKCS1_RSA_ENCRYPTION: /* SEC_OID_PKCS1_RSA_ENCRYPTION returns the generic * CKM_RSA_PKCS mechanism, which isn't a combined mechanism. * We don't have a hash, so we need to fall back to the old * code which gets the hashalg by decoding the signature */ *mechp = CKM_INVALID_MECHANISM; *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */ break; case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: /* SEC_OID_PKCS1_RSA_PSS_SIGNATURE returns the generic * CKM_RSA_PSS_PKCS mechanism, which isn't a combined mechanism. * If successful, we'll select the mechanism below, set it to * invalid here incase we aren't successful */ *mechp = CKM_INVALID_MECHANISM; CK_RSA_PKCS_PSS_PARAMS *rsapssmechparams = NULL; CK_RSA_PKCS_PSS_PARAMS space; /* if we don't have a mechanism parameter to put the data in * we don't need to return it, just use a stack buffer */ if (mechparamsp == NULL) { rsapssmechparams = &space; } else { rsapssmechparams = PORT_ZNew(CK_RSA_PKCS_PSS_PARAMS); } if (rsapssmechparams == NULL) { return SECFailure; } if (param && param->data) { PORTCheapArenaPool tmpArena; PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); rv = sec_DecodeRSAPSSParamsToMechanism(&tmpArena.arena, param, rsapssmechparams, hashalg); PORT_DestroyCheapArena(&tmpArena); /* only accept hash algorithms */ if (rv != SECSuccess || HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) { /* error set by sec_DecodeRSAPSSParams or HASH_GetHashTypeByOidTag */ if (mechparamsp) PORT_Free(rsapssmechparams); return SECFailure; } } else { *hashalg = SEC_OID_SHA1; /* default, SHA-1 */ rsapssmechparams->hashAlg = CKM_SHA_1; rsapssmechparams->mgf = CKG_MGF1_SHA1; rsapssmechparams->sLen = SHA1_LENGTH; } *mechp = sec_RSAPSSGetCombinedMech(*hashalg); if (mechparamsp) { mechparamsp->data = (unsigned char *)rsapssmechparams; mechparamsp->len = sizeof(*rsapssmechparams); } break; case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: *hashalg = SEC_OID_SHA224; break; case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: *hashalg = SEC_OID_SHA256; break; case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: *hashalg = SEC_OID_SHA384; break; case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: *hashalg = SEC_OID_SHA512; break; /* what about normal DSA? */ case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: *hashalg = SEC_OID_SHA1; break; case SEC_OID_MISSI_DSS: case SEC_OID_MISSI_KEA_DSS: case SEC_OID_MISSI_KEA_DSS_OLD: case SEC_OID_MISSI_DSS_OLD: *mechp = CKM_DSA_SHA1; *hashalg = SEC_OID_SHA1; break; case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: /* This is an EC algorithm. Recommended means the largest * hash algorithm that is not reduced by the keysize of * the EC algorithm. Note that key strength is in bytes and * algorithms are specified in bits. Never use an algorithm * weaker than sha1. */ len = SECKEY_PublicKeyStrength(key); if (len < 28) { /* 28 bytes == 224 bits */ *hashalg = SEC_OID_SHA1; } else if (len < 32) { /* 32 bytes == 256 bits */ *hashalg = SEC_OID_SHA224; } else if (len < 48) { /* 48 bytes == 384 bits */ *hashalg = SEC_OID_SHA256; } else if (len < 64) { /* 48 bytes == 512 bits */ *hashalg = SEC_OID_SHA384; } else { /* use the largest in this case */ *hashalg = SEC_OID_SHA512; } *mechp = sec_ECDSAGetCombinedMech(*hashalg); break; case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: if (param == NULL) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { return SECFailure; } rv = SEC_QuickDERDecodeItem(arena, &oid, hashParameterTemplate, param); if (rv == SECSuccess) { *hashalg = SECOID_FindOIDTag(&oid); } PORT_FreeArena(arena, PR_FALSE); if (rv != SECSuccess) { return rv; } /* only accept hash algorithms */ if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) { /* error set by HASH_GetHashTypeByOidTag */ return SECFailure; } *mechp = sec_ECDSAGetCombinedMech(*hashalg); break; /* we don't implement MD4 hashes */ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: default: *mechp = CKM_INVALID_MECHANISM; PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } encalg = sec_GetEncAlgFromSigAlg(sigAlg); if (encalg == SEC_OID_UNKNOWN) { *mechp = CKM_INVALID_MECHANISM; SECITEM_FreeItem(mechparamsp, PR_FALSE); return SECFailure; } *encalgp = encalg; /* for testing, we want to be able to turn off combo signatures to * 1) make sure the fallback code is working correctly so we know * we can handle cases where the fallback doesn't work. * 2) make sure that the combo code is compatible with the non-combo * versions. * We know if we are signing or verifying based on the value of 'key'. * Since key is a public key, then it's set to NULL for signing */ evp = PR_GetEnvSecure("NSS_COMBO_SIGNATURES"); if (evp) { if (PORT_Strcasecmp(evp, "none") == 0) { *mechp = CKM_INVALID_MECHANISM; } else if (key && (PORT_Strcasecmp(evp, "signonly") == 0)) { *mechp = CKM_INVALID_MECHANISM; } else if (!key && (PORT_Strcasecmp(evp, "vfyonly") == 0)) { *mechp = CKM_INVALID_MECHANISM; } /* anything else we take as use combo, which is the default */ } return SECSuccess; } SECStatus vfy_ImportPublicKey(VFYContext *cx) { PK11SlotInfo *slot; CK_OBJECT_HANDLE objID; if (cx->key->pkcs11Slot && PK11_DoesMechanismFlag(cx->key->pkcs11Slot, cx->mech, CKF_VERIFY)) { return SECSuccess; } slot = PK11_GetBestSlotWithAttributes(cx->mech, CKF_VERIFY, 0, cx->wincx); if (slot == NULL) { return SECFailure; /* can't find a slot, fall back to * normal processing */ } objID = PK11_ImportPublicKey(slot, cx->key, PR_FALSE); PK11_FreeSlot(slot); return objID == CK_INVALID_HANDLE ? SECFailure : SECSuccess; } /* Sometimes there are differences between how DER encodes a * signature and how it's encoded in PKCS #11. This function converts the * DER form to the PKCS #11 form. it also verify signature length based * on the key, and verifies that length will fit in our buffer. */ static SECStatus vfy_SetPKCS11SigFromX509Sig(VFYContext *cx, const SECItem *sig) { unsigned int sigLen; /* skip the legacy RSA PKCS #11 case, it's always handled separately */ if ((cx->key->keyType == rsaKey) && (cx->mech == CKM_INVALID_MECHANISM) && (cx->encAlg != SEC_OID_PKCS1_RSA_PSS_SIGNATURE)) { return SECSuccess; } sigLen = checkedSignatureLen(cx->key); /* Check signature length is within limits */ if (sigLen == 0) { /* error set by checkedSignatureLen */ return SECFailure; } if (sigLen > sizeof(cx->u)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } /* save the authenticated length */ cx->signatureLen = sigLen; switch (cx->encAlg) { case SEC_OID_ANSIX9_DSA_SIGNATURE: case SEC_OID_ANSIX962_EC_PUBLIC_KEY: /* decodeECorDSASignature will check sigLen == sig->len after padding */ return decodeECorDSASignature(cx->encAlg, sig, cx->u.buffer, sigLen); default: break; } /* all other cases, no transform needed, just copy the signature */ if (sig->len != sigLen) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } PORT_Memcpy(cx->u.buffer, sig->data, sigLen); return SECSuccess; } /* * we can verify signatures that come from 2 different sources: * one in with the signature contains a signature oid, and the other * in which the signature is managed by a Public key (encAlg) oid * and a hash oid. The latter is the more basic, so that's what * our base vfyCreate function takes. * * Modern signature algorithms builds the hashing into the algorithm, and * some tokens (like smart cards), purposefully only export hash & sign * combo mechanisms (which gives stronger guarrentees on key type usage * for RSA operations). If mech is set to a PKCS #11 mechanism, we assume * we can do the combined operations, otherwise we fall back to manually * hashing then signing. * * This function adopts the mechparamsp parameter, so if we fail before * setting up the context, we need to free any space associated with it * before we return. * * There is one noteworthy corner case, if we are using an RSA key, and the * signature block is provided, then the hashAlg can be specified as * SEC_OID_UNKNOWN. In this case, verify will use the hash oid supplied * in the RSA signature block. */ static VFYContext * vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, CK_MECHANISM_TYPE mech, SECItem *mechparamsp, SECOidTag *hash, PRBool prehash, void *wincx) { VFYContext *cx; SECStatus rv; KeyType type; PRUint32 policyFlags; PRInt32 optFlags; /* make sure the encryption algorithm matches the key type */ /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ type = seckey_GetKeyType(encAlg); if ((key->keyType != type) && ((key->keyType != rsaKey) || (type != rsaPssKey))) { SECITEM_FreeItem(mechparamsp, PR_FALSE); PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); return NULL; } if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) { rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PublicKeyStrengthInBits(key), SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); if (rv != SECSuccess) { SECITEM_FreeItem(mechparamsp, PR_FALSE); return NULL; } } } /* check the policy on the encryption algorithm */ if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { SECITEM_FreeItem(mechparamsp, PR_FALSE); PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); return NULL; } cx = (VFYContext *)PORT_ZAlloc(sizeof(VFYContext)); if (cx == NULL) { /* after this point mechparamsp is 'owned' by the context and will be * freed by Destroy context for any other failures here */ SECITEM_FreeItem(mechparamsp, PR_FALSE); goto loser; } cx->wincx = wincx; cx->hasSignature = (sig != NULL); cx->encAlg = encAlg; cx->hashAlg = hashAlg; cx->mech = mech; if (mechparamsp) { cx->mechparams = *mechparamsp; } else { /* probably needs to have a call to set the default * paramseters based on hashAlg and encAlg */ cx->mechparams.data = NULL; cx->mechparams.len = 0; } cx->key = SECKEY_CopyPublicKey(key); cx->pkcs1RSADigestInfo = NULL; if (mech != CKM_INVALID_MECHANISM) { rv = vfy_ImportPublicKey(cx); /* if we can't import the key, then we probably can't * support the requested combined mechanism, fallback * to the non-combined method */ if (rv != SECSuccess) { cx->mech = mech = CKM_INVALID_MECHANISM; } } if (sig) { /* sigh, if we are prehashing, we still need to do verifyRecover * recover for RSA PKCS #1 */ if ((mech == CKM_INVALID_MECHANISM || prehash) && (type == rsaKey)) { /* in traditional rsa PKCS #1, we use verify recover to get * the encoded RSADigestInfo. In all other cases we just * stash the signature encoded in PKCS#11 in our context */ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, &cx->pkcs1RSADigestInfo, &cx->pkcs1RSADigestInfoLen, cx->key, sig, wincx); } else { /* at this point hashAlg should be known. Only the RSA case * enters here with hashAlg unknown, and it's found out * above */ PORT_Assert(hashAlg != SEC_OID_UNKNOWN); rv = vfy_SetPKCS11SigFromX509Sig(cx, sig); } if (rv != SECSuccess) { goto loser; } } /* check hash alg again, RSA may have changed it.*/ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { /* error set by HASH_GetHashTypeByOidTag */ goto loser; } /* check the policy on the hash algorithm. Do this after * the rsa decode because some uses of this function get hash implicitly * from the RSA signature itself. */ if ((NSS_GetAlgorithmPolicy(cx->hashAlg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); goto loser; } if (hash) { *hash = cx->hashAlg; } return cx; loser: if (cx) { VFY_DestroyContext(cx, PR_TRUE); } return 0; } VFYContext * VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag sigAlg, void *wincx) { SECOidTag encAlg, hashAlg; CK_MECHANISM_TYPE mech; SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, sigAlg, NULL, &encAlg, &hashAlg, &mech, &mechparams); if (rv != SECSuccess) { return NULL; } return vfy_CreateContext(key, sig, encAlg, hashAlg, mech, &mechparams, NULL, PR_FALSE, wincx); } VFYContext * VFY_CreateContextDirect(const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) { CK_MECHANISM_TYPE mech = sec_GetCombinedMech(encAlg, hashAlg); return vfy_CreateContext(key, sig, encAlg, hashAlg, mech, NULL, hash, PR_FALSE, wincx); } VFYContext * VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, const SECItem *sig, const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx) { SECOidTag encAlg, hashAlg; CK_MECHANISM_TYPE mech; SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), &sigAlgorithm->parameters, &encAlg, &hashAlg, &mech, &mechparams); if (rv != SECSuccess) { return NULL; } return vfy_CreateContext(key, sig, encAlg, hashAlg, mech, &mechparams, hash, PR_FALSE, wincx); } void VFY_DestroyContext(VFYContext *cx, PRBool freeit) { if (cx) { if (cx->hashcx != NULL) { (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); cx->hashcx = NULL; } if (cx->vfycx != NULL) { (void)PK11_DestroyContext(cx->vfycx, PR_TRUE); cx->vfycx = NULL; } if (cx->key) { SECKEY_DestroyPublicKey(cx->key); } if (cx->pkcs1RSADigestInfo) { PORT_Free(cx->pkcs1RSADigestInfo); } SECITEM_FreeItem(&cx->mechparams, PR_FALSE); if (freeit) { PORT_ZFree(cx, sizeof(VFYContext)); } } } SECStatus VFY_Begin(VFYContext *cx) { if (cx->hashcx != NULL) { (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); cx->hashcx = NULL; } if (cx->vfycx != NULL) { (void)PK11_DestroyContext(cx->vfycx, PR_TRUE); cx->vfycx = NULL; } if (cx->mech != CKM_INVALID_MECHANISM) { cx->vfycx = PK11_CreateContextByPubKey(cx->mech, CKA_VERIFY, cx->key, &cx->mechparams, cx->wincx); if (!cx->vfycx) return SECFailure; return SECSuccess; } cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashAlg); if (!cx->hashobj) return SECFailure; /* error code is set */ cx->hashcx = (*cx->hashobj->create)(); if (cx->hashcx == NULL) return SECFailure; (*cx->hashobj->begin)(cx->hashcx); return SECSuccess; } SECStatus VFY_Update(VFYContext *cx, const unsigned char *input, unsigned inputLen) { if (cx->hashcx == NULL) { if (cx->vfycx == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } return PK11_DigestOp(cx->vfycx, input, inputLen); } (*cx->hashobj->update)(cx->hashcx, input, inputLen); return SECSuccess; } static SECStatus vfy_SingleShot(VFYContext *cx, const unsigned char *buf, int len) { SECStatus rv; /* if we have the combo mechanism, do a direct verify */ if (cx->mech != CKM_INVALID_MECHANISM) { SECItem sig = { siBuffer, cx->u.gensig, cx->signatureLen }; SECItem data = { siBuffer, (unsigned char *)buf, len }; return PK11_VerifyWithMechanism(cx->key, cx->mech, &cx->mechparams, &sig, &data, cx->wincx); } rv = VFY_Begin(cx); if (rv != SECSuccess) { return rv; } rv = VFY_Update(cx, (unsigned char *)buf, len); if (rv != SECSuccess) { return rv; } return VFY_End(cx); } SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig) { unsigned char final[HASH_LENGTH_MAX]; unsigned part; SECStatus rv; /* make sure our signature is set (either previously nor now) */ if (sig) { rv = vfy_SetPKCS11SigFromX509Sig(cx, sig); if (rv != SECSuccess) { return SECFailure; } } else if (cx->hasSignature == PR_FALSE) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (cx->hashcx == NULL) { unsigned int dummy; if (cx->vfycx == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } return PK11_DigestFinal(cx->vfycx, cx->u.gensig, &dummy, cx->signatureLen); } (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final)); SECItem gensig = { siBuffer, cx->u.gensig, cx->signatureLen }; SECItem hash = { siBuffer, final, part }; PORT_Assert(part <= sizeof(final)); /* handle the algorithm specific final call */ switch (cx->key->keyType) { case ecKey: case dsaKey: if (PK11_Verify(cx->key, &gensig, &hash, cx->wincx) != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } break; case rsaKey: if (cx->encAlg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { if (PK11_VerifyWithMechanism(cx->key, CKM_RSA_PKCS_PSS, &cx->mechparams, &gensig, &hash, cx->wincx) != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } } else { if (sig) { SECOidTag hashid; PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN); rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid, &cx->pkcs1RSADigestInfo, &cx->pkcs1RSADigestInfoLen, cx->key, sig, cx->wincx); if (rv != SECSuccess) { return SECFailure; } PORT_Assert(cx->hashAlg == hashid); } return verifyPKCS1DigestInfo(cx, &hash); } break; default: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; /* shouldn't happen */ } return SECSuccess; } SECStatus VFY_End(VFYContext *cx) { return VFY_EndWithSignature(cx, NULL); } /************************************************************************/ /* * Verify that a previously-computed digest matches a signature. */ static SECStatus vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, CK_MECHANISM_TYPE mech, SECItem *mechparamsp, void *wincx) { SECStatus rv; VFYContext *cx; SECItem dsasig; /* also used for ECDSA */ rv = SECFailure; cx = vfy_CreateContext(key, sig, encAlg, hashAlg, mech, mechparamsp, NULL, PR_TRUE, wincx); if (cx != NULL) { switch (key->keyType) { case rsaKey: /* PSS isn't handled here for VerifyDigest. SSL * calls PK11_Verify directly */ rv = verifyPKCS1DigestInfo(cx, digest); /* Error (if any) set by verifyPKCS1DigestInfo */ break; case ecKey: case dsaKey: dsasig.data = cx->u.buffer; dsasig.len = checkedSignatureLen(cx->key); if (dsasig.len == 0) { /* Error set by checkedSignatureLen */ rv = SECFailure; break; } if (dsasig.len > sizeof(cx->u)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); rv = SECFailure; break; } rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx); if (rv != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); } break; default: break; } VFY_DestroyContext(cx, PR_TRUE); } return rv; } SECStatus VFY_VerifyDigestDirect(const SECItem *digest, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, void *wincx) { CK_MECHANISM_TYPE mech = sec_GetCombinedMech(encAlg, hashAlg); return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, mech, NULL, wincx); } SECStatus VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig, SECOidTag algid, void *wincx) { SECOidTag encAlg, hashAlg; CK_MECHANISM_TYPE mech; SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg, &mech, &mechparams); if (rv != SECSuccess) { return SECFailure; } return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, mech, &mechparams, wincx); } /* * this function takes an optional hash oid, which the digest function * will be compared with our target hash value. */ SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *digest, const SECKEYPublicKey *key, const SECItem *sig, const SECAlgorithmID *sigAlgorithm, SECOidTag hashCmp, void *wincx) { SECOidTag encAlg, hashAlg; CK_MECHANISM_TYPE mech; SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), &sigAlgorithm->parameters, &encAlg, &hashAlg, &mech, &mechparams); if (rv != SECSuccess) { return rv; } if (hashCmp != SEC_OID_UNKNOWN && hashAlg != SEC_OID_UNKNOWN && hashCmp != hashAlg) { if (mechparams.data != NULL) { PORT_Free(mechparams.data); } PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, mech, &mechparams, wincx); } static SECStatus vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, CK_MECHANISM_TYPE mech, SECItem *mechparamsp, SECOidTag *hash, void *wincx) { SECStatus rv; VFYContext *cx; cx = vfy_CreateContext(key, sig, encAlg, hashAlg, mech, mechparamsp, hash, PR_FALSE, wincx); if (cx == NULL) return SECFailure; rv = vfy_SingleShot(cx, buf, len); VFY_DestroyContext(cx, PR_TRUE); return rv; } SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) { CK_MECHANISM_TYPE mech = sec_GetCombinedMech(encAlg, hashAlg); return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, mech, NULL, hash, wincx); } SECStatus VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag algid, void *wincx) { SECOidTag encAlg, hashAlg; CK_MECHANISM_TYPE mech; SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg, &mech, &mechparams); if (rv != SECSuccess) { return rv; } return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, mech, &mechparams, NULL, wincx); } SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, int len, const SECKEYPublicKey *key, const SECItem *sig, const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx) { SECOidTag encAlg, hashAlg; SECOidTag sigAlg = SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm); CK_MECHANISM_TYPE mech; SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, sigAlg, &sigAlgorithm->parameters, &encAlg, &hashAlg, &mech, &mechparams); if (rv != SECSuccess) { return rv; } return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, mech, &mechparams, hash, wincx); }