Implement VerifySignedData() for ECDSA, RSA PKCS#1 and RSA PSS.

net/cert/internal/verify_signed_data.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/verify_signed_data.h"
+
+#include "net/cert/internal/signature_algorithm.h"
+
+// TODO(eroman): There is no intention to implement this for non-OpenSSL. Remove
+// this branch once the migration is complete. This could have been done as a
+// conditional file (_openssl.cc) in the build file instead, but that is likely
+// not worth the effort at this point.

[Ryan Sleevi, 2015/07/16 04:05:23]

iOS is still affected by this at present.

[eroman, 2015/07/16 17:34:07]

Would you prefer I designate this file _openssl and add the necessary build
rules?

+
+#if !defined(USE_OPENSSL)
+
+namespace net {
+
+bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
+                      const der::Input& signed_data,
+                      const der::Input& signature_value,
+                      const der::Input& public_key) {
+  // Not implemented
+  return false;
+}
+
+}  // namespace net
+
+#else
+
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#include "crypto/openssl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "net/der/input.h"
+#include "net/der/parser.h"
+
+namespace net {
+
+namespace {
+
+// Converts a DigestAlgorithm to an equivalent EVP_MD*.
+WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest, const EVP_MD** out) {
+  switch (digest) {
+    case DigestAlgorithm::Sha1:
+      *out = EVP_sha1();
+      break;
+    case DigestAlgorithm::Sha256:
+      *out = EVP_sha256();
+      break;
+    case DigestAlgorithm::Sha384:
+      *out = EVP_sha384();
+      break;
+    case DigestAlgorithm::Sha512:
+      *out = EVP_sha512();
+      break;
+  }
+
+  return *out != nullptr;
+}
+
+// Sets the RSASSA-PSS parameters on |pctx|. Returns true on success.
+WARN_UNUSED_RESULT bool ApplyRsaPssOptions(const RsaPssParameters* params,
+                                           EVP_PKEY_CTX* pctx) {
+  // BoringSSL takes a signed int for the salt length, and interprets
+  // negative values in a special manner. Make sure not to silently underflow.
+  base::CheckedNumeric<int> salt_length_bytes_int(params->salt_length());
+  if (!salt_length_bytes_int.IsValid())
+    return false;
+
+  const EVP_MD* mgf1_hash;
+  if (!GetDigest(params->mgf1_hash(), &mgf1_hash))
+    return false;
+
+  return (1 == EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
+          1 == EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1_hash) &&
+          1 == EVP_PKEY_CTX_set_rsa_pss_saltlen(
+                   pctx, salt_length_bytes_int.ValueOrDie()));
+}
+
+// Parses an RSA public key from SPKI to an EVP_PKEY.
+//
+// Returns true on success.
+//
+// There are two flavors of RSA public key that this function recognizes from
+// RFC 5912:
+//
+//     pk-rsa PUBLIC-KEY ::= {
+//      IDENTIFIER rsaEncryption
+//      KEY RSAPublicKey
+//      PARAMS TYPE NULL ARE absent
+//      -- Private key format not in this module --
+//      CERT-KEY-USAGE {digitalSignature, nonRepudiation,
+//      keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
+//     }
+//
+//  ...
+//
+//     pk-rsaSSA-PSS PUBLIC-KEY ::= {
+//         IDENTIFIER id-RSASSA-PSS
+//         KEY RSAPublicKey
+//         PARAMS TYPE RSASSA-PSS-params ARE optional
+//          -- Private key format not in this module --
+//         CERT-KEY-USAGE { nonRepudiation, digitalSignature,
+//                              keyCertSign, cRLSign }
+//     }
+//
+// Any RSA signature algorithm can accept a "pk-rsa" (rsaEncryption). However a
+// "pk-rsaSSA-PSS" key is only accepted if the signature algorithm was for PSS
+// mode:
+//
+//     sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= {
+//         IDENTIFIER id-RSASSA-PSS
+//         PARAMS TYPE RSASSA-PSS-params ARE required
+//         HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384
+//                      | mda-sha512 }
+//         PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS }
+//         SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS }
+//     }
+//
+// Moreover, if a "pk-rsaSSA-PSS" key was used and it optionally provided
+// parameters for the algorithm, they must match those of the signature
+// algorithm.
+//
+// COMPATIBILITY NOTE: RFC 5912 specifies that the algorithm parameters for
+// pk-rsa (rsaEncryption) are absent. However in practice though it is common
+// for these to be present and NULL.
+WARN_UNUSED_RESULT bool ParseRsaKeyFromSpki(const der::Input& public_key_spki,
+                                            crypto::ScopedEVP_PKEY* pkey) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  const uint8_t* ptr = public_key_spki.UnsafeData();
+  crypto::ScopedRSA rsa(
+      d2i_RSA_PUBKEY(nullptr, &ptr, public_key_spki.Length()));
+
+  if (!rsa || ptr != public_key_spki.UnsafeData() + public_key_spki.Length())
+    return false;
+
+  // Create a corresponding EVP_PKEY.
+  pkey->reset(EVP_PKEY_new());
+  if (!pkey || !EVP_PKEY_set1_RSA(pkey->get(), rsa.get()))
+    return false;
+
+  return true;
+}
+
+WARN_UNUSED_RESULT bool RsaVerify(const SignatureAlgorithm& algorithm,
+                                  const der::Input& signed_data,
+                                  const der::Input& signature_value,
+                                  const der::Input& public_key_spki) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  // TODO(eroman): This does not enforce that the SPKI's algorithm matches the
+  // signature algorithm. For instance it would not
+  // forbid a key with PSS parameters being used
+  // with PKCS1 padding.
+  crypto::ScopedEVP_PKEY public_key;
+  if (!ParseRsaKeyFromSpki(public_key_spki, &public_key))
+    return false;
+
+  crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+  EVP_PKEY_CTX* pctx = NULL;  // Owned by |ctx|.

[Ryan Sleevi, 2015/07/16 04:05:23]

nullptr?

+
+  const EVP_MD* digest;
+  if (!GetDigest(algorithm.digest(), &digest))
+    return false;
+
+  if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, NULL, public_key.get()))

[Ryan Sleevi, 2015/07/16 04:05:24]

nullptr

+    return false;
+
+  // Set the RSASSA-PSS specific options.
+  if (algorithm.algorithm() == SignatureAlgorithmId::RsaPss &&
+      !ApplyRsaPssOptions(algorithm.ParamsForRsaPss(), pctx)) {
+    return false;
+  }
+
+  if (!EVP_DigestVerifyUpdate(ctx.get(), signed_data.UnsafeData(),
+                              signed_data.Length())) {
+    return false;
+  }
+
+  return 1 == EVP_DigestVerifyFinal(ctx.get(), signature_value.UnsafeData(),
+                                    signature_value.Length());
+}
+
+// Returns true if the given curve is allowed for ECDSA. The input is a
+// BoringSSL NID.
+//
+// TODO(eroman): Extract policy decisions such as allowed curves, hashes, RSA
+// modulus size, to somewhere more central.
+WARN_UNUSED_RESULT bool IsAllowedCurveName(int curve_nid) {
+  switch (curve_nid) {
+    case NID_X9_62_prime256v1:
+    case NID_secp384r1:
+    case NID_secp521r1:
+      return true;
+  }
+  return false;
+}
+
+// Parses an EC public key from SPKI to an EVP_PKEY.
+//
+// Returns true on success.
+//
+// RFC 5912 describes all the ECDSA signature algorithms as requiring a public
+// key of type "pk-ec":
+//
+//     pk-ec PUBLIC-KEY ::= {
+//      IDENTIFIER id-ecPublicKey
+//      KEY ECPoint
+//      PARAMS TYPE ECParameters ARE required
+//      -- Private key format not in this module --
+//      CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
+//                           keyCertSign, cRLSign }
+//     }
+//
+// Moreover RFC 5912 stipulates what curves are allowed. The ECParameters
+// MUST NOT use an implicitCurve or specificCurve for PKIX:
+//
+//     ECParameters ::= CHOICE {
+//      namedCurve      CURVE.&id({NamedCurve})
+//      -- implicitCurve   NULL
+//        -- implicitCurve MUST NOT be used in PKIX
+//      -- specifiedCurve  SpecifiedCurve
+//        -- specifiedCurve MUST NOT be used in PKIX
+//        -- Details for specifiedCurve can be found in [X9.62]
+//        -- Any future additions to this CHOICE should be coordinated
+//        -- with ANSI X.9.
+//     }
+//     -- If you need to be able to decode ANSI X.9 parameter structures,
+//     -- uncomment the implicitCurve and specifiedCurve above, and also
+//     -- uncomment the following:
+//     --(WITH COMPONENTS {namedCurve PRESENT})
+//
+// The namedCurves are extensible. The ones described by RFC 5912 are:
+//
+//     NamedCurve CURVE ::= {
+//     { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
+//     { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
+//     { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
+//     { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
+//     { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
+//     ... -- Extensible
+//     }
+WARN_UNUSED_RESULT bool ParseEcKeyFromSpki(const der::Input& public_key_spki,
+                                           crypto::ScopedEVP_PKEY* pkey) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  const uint8_t* ptr = public_key_spki.UnsafeData();
+  crypto::ScopedEC_KEY ec(
+      d2i_EC_PUBKEY(nullptr, &ptr, public_key_spki.Length()));
+
+  if (!ec || ptr != public_key_spki.UnsafeData() + public_key_spki.Length())
+    return false;
+
+  // Enforce policy on allowed curves in case d2i_EC_PUBKEY() were to recognize
+  // and allow use of a weak curve.
+  if (!IsAllowedCurveName(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get()))))
+    return false;
+
+  // Create a corresponding EVP_PKEY.
+  pkey->reset(EVP_PKEY_new());
+  if (!pkey || !EVP_PKEY_set1_EC_KEY(pkey->get(), ec.get()))
+    return false;
+
+  return true;
+}
+
+WARN_UNUSED_RESULT bool EcdsaVerify(const SignatureAlgorithm& algorithm,
+                                    const der::Input& signed_data,
+                                    const der::Input& signature_value,
+                                    const der::Input& public_key_spki) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  crypto::ScopedEVP_PKEY public_key;
+  if (!ParseEcKeyFromSpki(public_key_spki, &public_key))
+    return false;
+
+  crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());

[Ryan Sleevi, 2015/07/16 04:05:24]

From here through 292, it seems the same as RsaVerify. Should we align those two
more into a single helper function? Why split - it seems the only split needed
is for key parsing?

[eroman, 2015/07/16 17:34:07]

The RSA version is somewhat different, in that it associates a EVP_PKEY_CTX, and
then sets some parameters on it in the PSS case.

I can merge them if I do a if/else for the key import, and then test for PSS.
I will try it out see how I like the result.

[eroman, 2015/07/18 22:44:23]

Done.

+
+  const EVP_MD* digest;
+  if (!GetDigest(algorithm.digest(), &digest))
+    return false;
+
+  if (!EVP_DigestVerifyInit(ctx.get(), NULL, digest, NULL, public_key.get()) ||

[Ryan Sleevi, 2015/07/16 04:05:24]

nullptr

[eroman, 2015/07/18 22:44:23]

Done (throughout)

+      !EVP_DigestVerifyUpdate(ctx.get(), signed_data.UnsafeData(),
+                              signed_data.Length())) {
+    return false;
+  }
+
+  return 1 == EVP_DigestVerifyFinal(ctx.get(), signature_value.UnsafeData(),
+                                    signature_value.Length());
+}
+
+}  // namespace
+
+bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
+                      const der::Input& signed_data,
+                      const der::Input& signature_value,
+                      const der::Input& public_key_spki) {
+  switch (signature_algorithm.algorithm()) {
+    case SignatureAlgorithmId::RsaPkcs1:
+    case SignatureAlgorithmId::RsaPss:
+      return RsaVerify(signature_algorithm, signed_data, signature_value,
+                       public_key_spki);
+    case SignatureAlgorithmId::Ecdsa:
+      return EcdsaVerify(signature_algorithm, signed_data, signature_value,
+                         public_key_spki);
+  }
+
+  return false;  // Unsupported algorithm.
+}
+
+}  // namespace net
+
+#endif