Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(558)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: base/crypto/signature_verifier_win.cc

Issue 63089: Implement the signature verification API. (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/
Patch Set: Upload before checkin Created 11 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « base/crypto/signature_verifier_unittest.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/crypto/signature_verifier.h"
6
7 #include "base/logging.h"
8
9 #pragma comment(lib, "crypt32.lib")
10
11 namespace {
12
13 // Wrappers of malloc and free for CRYPT_DECODE_PARA, which requires the
14 // WINAPI calling convention.
15 void* WINAPI MyCryptAlloc(size_t size) {
16 return malloc(size);
17 }
18
19 void WINAPI MyCryptFree(void* p) {
20 free(p);
21 }
22
23 } // namespace
24
25 namespace base {
26
27 SignatureVerifier::SignatureVerifier() : hash_object_(0), public_key_(0) {
28 if (!CryptAcquireContext(&provider_, NULL, NULL,
29 PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
30 provider_ = 0;
31 }
32
33 SignatureVerifier::~SignatureVerifier() {
34 Reset();
35 if (provider_) {
36 BOOL ok = CryptReleaseContext(provider_, 0);
37 DCHECK(ok);
38 }
39 }
40
41 bool SignatureVerifier::VerifyInit(const uint8* signature_algorithm,
42 int signature_algorithm_len,
43 const uint8* signature,
44 int signature_len,
45 const uint8* public_key_info,
46 int public_key_info_len) {
47 signature_.reserve(signature_len);
48 // CryptoAPI uses big integers in the little-endian byte order, so we need
49 // to first swap the order of signature bytes.
50 for (int i = signature_len - 1; i >= 0; --i)
51 signature_.push_back(signature[i]);
52
53 CRYPT_DECODE_PARA decode_para;
54 decode_para.cbSize = sizeof(decode_para);
55 decode_para.pfnAlloc = MyCryptAlloc;
56 decode_para.pfnFree = MyCryptFree;
57 CERT_PUBLIC_KEY_INFO* cert_public_key_info = NULL;
58 DWORD struct_len = 0;
59 BOOL ok;
60 ok = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
61 X509_PUBLIC_KEY_INFO,
62 public_key_info,
63 public_key_info_len,
64 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
65 &decode_para,
66 &cert_public_key_info,
67 &struct_len);
68 if (!ok)
69 return false;
70
71 ok = CryptImportPublicKeyInfo(provider_,
72 X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
73 cert_public_key_info, &public_key_);
74 free(cert_public_key_info);
75 if (!ok)
76 return false;
77
78 CRYPT_ALGORITHM_IDENTIFIER* signature_algorithm_id;
79 struct_len = 0;
80 ok = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
81 X509_ALGORITHM_IDENTIFIER,
82 signature_algorithm,
83 signature_algorithm_len,
84 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
85 &decode_para,
86 &signature_algorithm_id,
87 &struct_len);
88 DCHECK(ok || GetLastError() == ERROR_FILE_NOT_FOUND);
89 ALG_ID hash_alg_id;
90 if (ok) {
91 hash_alg_id = CALG_MD4; // Initialize to a weak hash algorithm that we
92 // don't support.
93 if (!strcmp(signature_algorithm_id->pszObjId, szOID_RSA_SHA1RSA))
94 hash_alg_id = CALG_SHA1;
95 else if (!strcmp(signature_algorithm_id->pszObjId, szOID_RSA_MD5RSA))
96 hash_alg_id = CALG_MD5;
97 free(signature_algorithm_id);
98 DCHECK(hash_alg_id != CALG_MD4);
99 if (hash_alg_id == CALG_MD4)
100 return false; // Unsupported hash algorithm.
101 } else if (GetLastError() == ERROR_FILE_NOT_FOUND) {
102 // TODO(wtc): X509_ALGORITHM_IDENTIFIER isn't supported on XP SP2. We
103 // may be able to encapsulate signature_algorithm in a dummy SignedContent
104 // and decode it with X509_CERT into a CERT_SIGNED_CONTENT_INFO. For now,
105 // just hardcode the hash algorithm to be SHA-1.
106 hash_alg_id = CALG_SHA1;
107 } else {
108 return false;
109 }
110
111 ok = CryptCreateHash(provider_, hash_alg_id, 0, 0, &hash_object_);
112 if (!ok)
113 return false;
114 return true;
115 }
116
117 void SignatureVerifier::VerifyUpdate(const uint8* data_part,
118 int data_part_len) {
119 BOOL ok = CryptHashData(hash_object_, data_part, data_part_len, 0);
120 DCHECK(ok) << "CryptHashData failed: " << GetLastError();
121 }
122
123 bool SignatureVerifier::VerifyFinal() {
124 BOOL ok = CryptVerifySignature(hash_object_, &signature_[0],
125 signature_.size(), public_key_, NULL, 0);
126 Reset();
127 if (!ok)
128 return false;
129 return true;
130 }
131
132 void SignatureVerifier::Reset() {
133 BOOL ok;
134 if (hash_object_) {
135 ok = CryptDestroyHash(hash_object_);
136 DCHECK(ok);
137 hash_object_ = 0;
138 }
139 if (public_key_) {
140 ok = CryptDestroyKey(public_key_);
141 DCHECK(ok);
142 public_key_ = 0;
143 }
144 signature_.clear();
145 }
146
147 } // namespace base
148
OLDNEW
« no previous file with comments | « base/crypto/signature_verifier_unittest.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698