1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis 2 * 3 * LibTomCrypt is a library that provides various cryptographic 4 * algorithms in a highly modular and flexible manner. 5 * 6 * The library is free for all purposes without any express 7 * guarantee it works. 8 * 9 * Tom St Denis, tomstdenis (at) gmail.com, http://libtomcrypt.com 10 */ 11 #include "tomcrypt.h" 12 13 /** 14 @file rsa_verify_hash.c 15 RSA PKCS #1 v1.5 or v2 PSS signature verification, Tom St Denis and Andreas Lange 16 */ 17 18 #ifdef MRSA 19 20 /** 21 PKCS #1 de-sign then v1.5 or PSS depad 22 @param sig The signature data 23 @param siglen The length of the signature data (octets) 24 @param hash The hash of the message that was signed 25 @param hashlen The length of the hash of the message that was signed (octets) 26 @param padding Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5) 27 @param hash_idx The index of the desired hash 28 @param saltlen The length of the salt used during signature 29 @param stat [out] The result of the signature comparison, 1==valid, 0==invalid 30 @param key The public RSA key corresponding to the key that performed the signature 31 @return CRYPT_OK on success (even if the signature is invalid) 32 */ 33 int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen, 34 const unsigned char *hash, unsigned long hashlen, 35 int padding, 36 int hash_idx, unsigned long saltlen, 37 int *stat, rsa_key *key) 38 { 39 unsigned long modulus_bitlen, modulus_bytelen, x; 40 int err; 41 unsigned char *tmpbuf; 42 43 LTC_ARGCHK(hash != NULL); 44 LTC_ARGCHK(sig != NULL); 45 LTC_ARGCHK(stat != NULL); 46 LTC_ARGCHK(key != NULL); 47 48 /* default to invalid */ 49 *stat = 0; 50 51 /* valid padding? */ 52 53 if ((padding != LTC_PKCS_1_V1_5) && 54 (padding != LTC_PKCS_1_PSS)) { 55 return CRYPT_PK_INVALID_PADDING; 56 } 57 58 if (padding == LTC_PKCS_1_PSS) { 59 /* valid hash ? */ 60 if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { 61 return err; 62 } 63 } 64 65 /* get modulus len in bits */ 66 modulus_bitlen = mp_count_bits( (key->N)); 67 68 /* outlen must be at least the size of the modulus */ 69 modulus_bytelen = mp_unsigned_bin_size( (key->N)); 70 if (modulus_bytelen != siglen) { 71 return CRYPT_INVALID_PACKET; 72 } 73 74 /* allocate temp buffer for decoded sig */ 75 tmpbuf = XMALLOC(siglen); 76 if (tmpbuf == NULL) { 77 return CRYPT_MEM; 78 } 79 80 /* RSA decode it */ 81 x = siglen; 82 if ((err = ltc_mp.rsa_me(sig, siglen, tmpbuf, &x, PK_PUBLIC, key)) != CRYPT_OK) { 83 XFREE(tmpbuf); 84 return err; 85 } 86 87 /* make sure the output is the right size */ 88 if (x != siglen) { 89 XFREE(tmpbuf); 90 return CRYPT_INVALID_PACKET; 91 } 92 93 if (padding == LTC_PKCS_1_PSS) { 94 /* PSS decode and verify it */ 95 err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat); 96 } else { 97 /* PKCS #1 v1.5 decode it */ 98 unsigned char *out; 99 unsigned long outlen, loid[16]; 100 int decoded; 101 ltc_asn1_list digestinfo[2], siginfo[2]; 102 103 /* not all hashes have OIDs... so sad */ 104 if (hash_descriptor[hash_idx].OIDlen == 0) { 105 err = CRYPT_INVALID_ARG; 106 goto bail_2; 107 } 108 109 /* allocate temp buffer for decoded hash */ 110 outlen = ((modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0)) - 3; 111 out = XMALLOC(outlen); 112 if (out == NULL) { 113 err = CRYPT_MEM; 114 goto bail_2; 115 } 116 117 if ((err = pkcs_1_v1_5_decode(tmpbuf, x, LTC_PKCS_1_EMSA, modulus_bitlen, out, &outlen, &decoded)) != CRYPT_OK) { 118 XFREE(out); 119 goto bail_2; 120 } 121 122 /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */ 123 /* construct the SEQUENCE 124 SEQUENCE { 125 SEQUENCE {hashoid OID 126 blah NULL 127 } 128 hash OCTET STRING 129 } 130 */ 131 LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0])); 132 LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0); 133 LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2); 134 LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen); 135 136 if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) { 137 XFREE(out); 138 goto bail_2; 139 } 140 141 /* test OID */ 142 if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) && 143 (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) && 144 (siginfo[1].size == hashlen) && 145 (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) { 146 *stat = 1; 147 } 148 149 #ifdef LTC_CLEAN_STACK 150 zeromem(out, outlen); 151 #endif 152 XFREE(out); 153 } 154 155 bail_2: 156 #ifdef LTC_CLEAN_STACK 157 zeromem(tmpbuf, siglen); 158 #endif 159 XFREE(tmpbuf); 160 return err; 161 } 162 163 #endif /* MRSA */ 164 165 /* $Source: /cvs/libtom/libtomcrypt/src/pk/rsa/rsa_verify_hash.c,v $ */ 166 /* $Revision: 1.11 $ */ 167 /* $Date: 2006/12/04 03:09:28 $ */ 168
