[Skiboot] [PATCH 3/3] crypto: define RSA signature verification function

Fri Jul 19 07:29:49 AEST 2019

From: Nayna Jain <nayna at linux.ibm.com>

In order to verify the signature to authenticate the key update
command submitted by the user, this patch defines the signature
verification function using mbedtls as the underlying crypto API.

Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
 libstb/crypto/include/verify_sig.h | 34 ++++++++++++++++
 libstb/crypto/pkcs7/Makefile.inc   |  2 +-
 libstb/crypto/pkcs7/verify_sig.c   | 65 ++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 libstb/crypto/include/verify_sig.h
 create mode 100644 libstb/crypto/pkcs7/verify_sig.c

diff --git a/libstb/crypto/include/verify_sig.h b/libstb/crypto/include/verify_sig.h
new file mode 100644
index 00000000..3f1dcc94
--- /dev/null
+++ b/libstb/crypto/include/verify_sig.h
@@ -0,0 +1,34 @@
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef VERIFY_SIG_H
+#define VERIFY_SIG_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <mbedtls/asn1.h>
+#include <mbedtls/config.h>
+#include <mbedtls/x509.h>
+#include <mbedtls/x509_crt.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/md.h>
+
+int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
+	       int datalen, unsigned char *sig_buf, int siglen);
+
+#endif
diff --git a/libstb/crypto/pkcs7/Makefile.inc b/libstb/crypto/pkcs7/Makefile.inc
index 8f9bcd90..80ac08fb 100644
--- a/libstb/crypto/pkcs7/Makefile.inc
+++ b/libstb/crypto/pkcs7/Makefile.inc
@@ -4,7 +4,7 @@ PKCS7_DIR = libstb/crypto/pkcs7
 
 SUBDIRS += $(PKCS7_DIR)
 
-PKCS7_SRCS = pkcs7.c
+PKCS7_SRCS = pkcs7.c verify_sig.c
 PKCS7_OBJS = $(PKCS7_SRCS:%.c=%.o)
 PKCS7 = $(PKCS7_DIR)/built-in.a
 
diff --git a/libstb/crypto/pkcs7/verify_sig.c b/libstb/crypto/pkcs7/verify_sig.c
new file mode 100644
index 00000000..da5a0669
--- /dev/null
+++ b/libstb/crypto/pkcs7/verify_sig.c
@@ -0,0 +1,65 @@
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include<stdio.h>
+#include<stdlib.h>
+#include<string.h>
+#include<mbedtls/asn1.h>
+#include<mbedtls/config.h>
+#include<mbedtls/x509.h>
+#include<mbedtls/x509_crt.h>
+#include<mbedtls/rsa.h>
+#include<mbedtls/pk.h>
+#include<mbedtls/md.h>
+#include<verify_sig.h>
+
+static int verify(mbedtls_x509_crt *cert, const unsigned char *data,
+		  int datalen, const unsigned char *sig, int siglen)
+{
+	int rc;
+	unsigned char hash[32];
+	mbedtls_pk_context pk_cxt = cert->pk;
+	const mbedtls_md_info_t *md_info =
+		mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
+
+	mbedtls_md(md_info, data, datalen, hash);
+	rc = mbedtls_pk_verify(&pk_cxt, MBEDTLS_MD_SHA256,hash, 32, sig,
+			       siglen);
+	printf("rc is %02x\n", rc);
+
+	return rc;
+}
+
+
+int verify_buf(unsigned char *cert_buf, int certlen, unsigned char *data_buf,
+	       int datalen, unsigned char *sig_buf, int siglen)
+{
+	int rc;
+	mbedtls_x509_crt cert;
+
+	printf("Load certificate file\n");
+	mbedtls_x509_crt_init(&cert);
+
+	rc = mbedtls_x509_crt_parse(&cert, cert_buf, certlen);
+	if (rc) {
+		printf("rc is %04x\n", rc);
+		return rc;
+	}
+
+	rc = verify(&cert, data_buf, datalen, sig_buf, siglen);
+
+	return rc;
+}
-- 
2.20.1

