[Skiboot] [PATCH 3/3] crypto: define RSA signature verification function

Stewart Smith stewart at linux.ibm.com
Fri Aug 2 09:55:33 AEST 2019


Eric Richter <erichte at linux.ibm.com> writes:
> From: Nayna Jain <nayna at linux.ibm.com>
>
> In order to verify the signature to authenticate the key update
> command submitted by the user, this patch defines the signature
> verification function using mbedtls as the underlying crypto API.
>
> Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
> Signed-off-by: Eric Richter <erichte at linux.ibm.com>
> ---
>  libstb/crypto/include/verify_sig.h | 34 ++++++++++++++++
>  libstb/crypto/pkcs7/Makefile.inc   |  2 +-
>  libstb/crypto/pkcs7/verify_sig.c   | 65 ++++++++++++++++++++++++++++++
>  3 files changed, 100 insertions(+), 1 deletion(-)
>  create mode 100644 libstb/crypto/include/verify_sig.h
>  create mode 100644 libstb/crypto/pkcs7/verify_sig.c
>
> diff --git a/libstb/crypto/include/verify_sig.h b/libstb/crypto/include/verify_sig.h
> new file mode 100644
> index 00000000..3f1dcc94
> --- /dev/null
> +++ b/libstb/crypto/include/verify_sig.h
> @@ -0,0 +1,34 @@
> +/* Copyright 2013-2016 IBM Corp.

Was this really written all in 2016?

> + */
> +
> +#ifndef VERIFY_SIG_H
> +#define VERIFY_SIG_H
> +
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <mbedtls/asn1.h>
> +#include <mbedtls/config.h>
> +#include <mbedtls/x509.h>
> +#include <mbedtls/x509_crt.h>
> +#include <mbedtls/rsa.h>
> +#include <mbedtls/pk.h>
> +#include <mbedtls/md.h>
> +
> +int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
> +	       int datalen, unsigned char *sig_buf, int siglen);
> +
> +#endif
> diff --git a/libstb/crypto/pkcs7/Makefile.inc b/libstb/crypto/pkcs7/Makefile.inc
> index 8f9bcd90..80ac08fb 100644
> --- a/libstb/crypto/pkcs7/Makefile.inc
> +++ b/libstb/crypto/pkcs7/Makefile.inc
> @@ -4,7 +4,7 @@ PKCS7_DIR = libstb/crypto/pkcs7
>  
>  SUBDIRS += $(PKCS7_DIR)
>  
> -PKCS7_SRCS = pkcs7.c
> +PKCS7_SRCS = pkcs7.c verify_sig.c
>  PKCS7_OBJS = $(PKCS7_SRCS:%.c=%.o)
>  PKCS7 = $(PKCS7_DIR)/built-in.a
>  
> diff --git a/libstb/crypto/pkcs7/verify_sig.c b/libstb/crypto/pkcs7/verify_sig.c
> new file mode 100644
> index 00000000..da5a0669
> --- /dev/null
> +++ b/libstb/crypto/pkcs7/verify_sig.c
> @@ -0,0 +1,65 @@
> +/* Copyright 2013-2016 IBM Corp.
> + *
> + * Licensed under the Apache License, Version 2.0 (the "License");
> + * you may not use this file except in compliance with the License.
> + * You may obtain a copy of the License at
> + *
> + *      http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> + * implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +#include<stdio.h>
> +#include<stdlib.h>
> +#include<string.h>
> +#include<mbedtls/asn1.h>
> +#include<mbedtls/config.h>
> +#include<mbedtls/x509.h>
> +#include<mbedtls/x509_crt.h>
> +#include<mbedtls/rsa.h>
> +#include<mbedtls/pk.h>
> +#include<mbedtls/md.h>
> +#include<verify_sig.h>
> +
> +static int verify(mbedtls_x509_crt *cert, const unsigned char *data,
> +		  int datalen, const unsigned char *sig, int siglen)
> +{
> +	int rc;
> +	unsigned char hash[32];
> +	mbedtls_pk_context pk_cxt = cert->pk;
> +	const mbedtls_md_info_t *md_info =
> +		mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
> +
> +	mbedtls_md(md_info, data, datalen, hash);
> +	rc = mbedtls_pk_verify(&pk_cxt, MBEDTLS_MD_SHA256,hash, 32, sig,
> +			       siglen);
> +	printf("rc is %02x\n", rc);
> +
> +	return rc;
> +}
> +
> +
> +int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
> +	       int datalen, unsigned char *sig_buf, int siglen)
> +{
> +	int rc;
> +	mbedtls_x509_crt cert;
> +
> +	printf("Load certificate file\n");
> +	mbedtls_x509_crt_init(&cert);
> +
> +	rc = mbedtls_x509_crt_parse(&cert, cert_buf, certlen);
> +	if (rc) {
> +		printf("rc is %04x\n", rc);
> +		return rc;
> +	}
> +
> +	rc = verify(&cert, data_buf, datalen, sig_buf, siglen);
> +
> +	return rc;
> +}

I think this code needs unit tests, and likely near 100% code coverage
at the least.

-- 
Stewart Smith
OPAL Architect, IBM.


More information about the Skiboot mailing list