mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-07-31 19:24:42 +02:00
Merge pull request #1440 from dgarske/VerifyRsaSign_PKCallback
Added VerifyRsaSign PK callback
This commit is contained in:
toddouska
GitHub
@@ -3100,13 +3100,18 @@ int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, int sigAlgo,
|
||||
}
|
||||
|
||||
/* Verify RSA signature, 0 on success */
|
||||
/* This function is used to check the sign result */
|
||||
int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz,
|
||||
const byte* plain, word32 plainSz, int sigAlgo, int hashAlgo, RsaKey* key)
|
||||
const byte* plain, word32 plainSz, int sigAlgo, int hashAlgo, RsaKey* key,
|
||||
const byte* keyBuf, word32 keySz, void* ctx)
|
||||
{
|
||||
byte* out = NULL; /* inline result */
|
||||
int ret;
|
||||
|
||||
(void)ssl;
|
||||
(void)keyBuf;
|
||||
(void)keySz;
|
||||
(void)ctx;
|
||||
(void)sigAlgo;
|
||||
(void)hashAlgo;
|
||||
|
||||
@@ -3136,8 +3141,24 @@ int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz,
|
||||
ret = ConvertHashPss(hashAlgo, &hashType, &mgf);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
ret = wc_RsaPSS_VerifyInline(verifySig, sigSz, &out, hashType, mgf,
|
||||
key);
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
if (ssl->ctx->RsaPssSignCheckCb) {
|
||||
/* The key buffer includes private/public portion,
|
||||
but only public is used */
|
||||
/* If HSM hardware is checking the signature result you can
|
||||
optionally skip the sign check and return 0 */
|
||||
/* The ctx here is the RsaSignCtx set using wolfSSL_SetRsaSignCtx */
|
||||
ret = ssl->ctx->RsaPssSignCheckCb(ssl, verifySig, sigSz, &out,
|
||||
TypeHash(hashAlgo), mgf,
|
||||
keyBuf, keySz, ctx);
|
||||
}
|
||||
else
|
||||
#endif /* HAVE_PK_CALLBACKS */
|
||||
{
|
||||
ret = wc_RsaPSS_VerifyInline(verifySig, sigSz, &out, hashType, mgf,
|
||||
key);
|
||||
}
|
||||
|
||||
if (ret > 0) {
|
||||
ret = wc_RsaPSS_CheckPadding(plain, plainSz, out, ret, hashType);
|
||||
if (ret != 0)
|
||||
@@ -3145,9 +3166,24 @@ int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz,
|
||||
}
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#endif /* WC_RSA_PSS */
|
||||
{
|
||||
ret = wc_RsaSSL_VerifyInline(verifySig, sigSz, &out, key);
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
if (ssl->ctx->RsaSignCheckCb) {
|
||||
/* The key buffer includes private/public portion,
|
||||
but only public is used */
|
||||
/* If HSM hardware is checking the signature result you can
|
||||
optionally skip the sign check and return 0 */
|
||||
/* The ctx here is the RsaSignCtx set using wolfSSL_SetRsaSignCtx */
|
||||
ret = ssl->ctx->RsaSignCheckCb(ssl, verifySig, sigSz, &out,
|
||||
keyBuf, keySz, ctx);
|
||||
}
|
||||
else
|
||||
#endif /* HAVE_PK_CALLBACKS */
|
||||
{
|
||||
ret = wc_RsaSSL_VerifyInline(verifySig, sigSz, &out, key);
|
||||
}
|
||||
|
||||
if (ret > 0) {
|
||||
if (ret != (int)plainSz || !out ||
|
||||
XMEMCMP(plain, out, plainSz) != 0) {
|
||||
@@ -20568,7 +20604,13 @@ int SendCertificateVerify(WOLFSSL* ssl)
|
||||
ret = VerifyRsaSign(ssl,
|
||||
args->verifySig, args->sigSz,
|
||||
ssl->buffers.sig.buffer, ssl->buffers.sig.length,
|
||||
args->sigAlgo, ssl->suites->hashAlgo, key
|
||||
args->sigAlgo, ssl->suites->hashAlgo, key,
|
||||
ssl->buffers.key->buffer, ssl->buffers.key->length,
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
ssl->RsaSignCtx
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
}
|
||||
#endif /* !NO_RSA */
|
||||
@@ -22323,7 +22365,13 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ssl->buffers.sig.buffer,
|
||||
ssl->buffers.sig.length,
|
||||
ssl->suites->sigAlgo, ssl->suites->hashAlgo,
|
||||
key
|
||||
key, ssl->buffers.key->buffer,
|
||||
ssl->buffers.key->length,
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
ssl->RsaSignCtx
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
break;
|
||||
}
|
||||
@@ -22395,7 +22443,13 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ssl->buffers.sig.buffer,
|
||||
ssl->buffers.sig.length,
|
||||
ssl->suites->sigAlgo, ssl->suites->hashAlgo,
|
||||
key
|
||||
key, ssl->buffers.key->buffer,
|
||||
ssl->buffers.key->length,
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
ssl->RsaSignCtx
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
break;
|
||||
}
|
||||
|
||||
12
src/ssl.c
12
src/ssl.c
@@ -28731,6 +28731,12 @@ void wolfSSL_CTX_SetRsaVerifyCb(WOLFSSL_CTX* ctx, CallbackRsaVerify cb)
|
||||
ctx->RsaVerifyCb = cb;
|
||||
}
|
||||
|
||||
void wolfSSL_CTX_SetRsaSignCheckCb(WOLFSSL_CTX* ctx, CallbackRsaVerify cb)
|
||||
{
|
||||
if (ctx)
|
||||
ctx->RsaSignCheckCb = cb;
|
||||
}
|
||||
|
||||
|
||||
void wolfSSL_SetRsaVerifyCtx(WOLFSSL* ssl, void *ctx)
|
||||
{
|
||||
@@ -28777,6 +28783,12 @@ void wolfSSL_CTX_SetRsaPssVerifyCb(WOLFSSL_CTX* ctx, CallbackRsaPssVerify cb)
|
||||
ctx->RsaPssVerifyCb = cb;
|
||||
}
|
||||
|
||||
void wolfSSL_CTX_SetRsaPssSignCheckCb(WOLFSSL_CTX* ctx, CallbackRsaPssVerify cb)
|
||||
{
|
||||
if (ctx)
|
||||
ctx->RsaPssSignCheckCb = cb;
|
||||
}
|
||||
|
||||
|
||||
void wolfSSL_SetRsaPssVerifyCtx(WOLFSSL* ssl, void *ctx)
|
||||
{
|
||||
|
||||
@@ -4997,7 +4997,14 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
|
||||
/* check for signature faults */
|
||||
ret = VerifyRsaSign(ssl, args->verifySig, args->sigLen,
|
||||
sig->buffer, sig->length, args->sigAlgo,
|
||||
ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey);
|
||||
ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey,
|
||||
ssl->buffers.key->buffer, ssl->buffers.key->length,
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
ssl->RsaSignCtx
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
}
|
||||
#endif /* !NO_RSA */
|
||||
|
||||
|
||||
@@ -2507,11 +2507,13 @@ struct WOLFSSL_CTX {
|
||||
CallbackDhAgree DhAgreeCb; /* User DH Agree Callback handler */
|
||||
#endif
|
||||
#ifndef NO_RSA
|
||||
CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */
|
||||
CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */
|
||||
CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler (priv key) */
|
||||
CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler (pub key) */
|
||||
CallbackRsaVerify RsaSignCheckCb; /* User VerifyRsaSign Callback handler (priv key) */
|
||||
#ifdef WC_RSA_PSS
|
||||
CallbackRsaPssSign RsaPssSignCb; /* User RsaPssSign */
|
||||
CallbackRsaPssVerify RsaPssVerifyCb; /* User RsaPssVerify */
|
||||
CallbackRsaPssSign RsaPssSignCb; /* User RsaSign (priv key) */
|
||||
CallbackRsaPssVerify RsaPssVerifyCb; /* User RsaVerify (pub key) */
|
||||
CallbackRsaPssVerify RsaPssSignCheckCb; /* User VerifyRsaSign (priv key) */
|
||||
#endif
|
||||
CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */
|
||||
CallbackRsaDec RsaDecCb; /* User Rsa Private Decrypt handler */
|
||||
@@ -3831,11 +3833,9 @@ WOLFSSL_LOCAL int SetTicket(WOLFSSL*, const byte*, word32);
|
||||
enum wc_HashType hashType);
|
||||
WOLFSSL_LOCAL int ConvertHashPss(int hashAlgo, enum wc_HashType* hashType, int* mgf);
|
||||
#endif
|
||||
WOLFSSL_LOCAL int VerifyRsaSign(WOLFSSL* ssl,
|
||||
byte* verifySig, word32 sigSz,
|
||||
const byte* plain, word32 plainSz,
|
||||
int sigAlgo, int hashAlgo,
|
||||
RsaKey* key);
|
||||
WOLFSSL_LOCAL int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig,
|
||||
word32 sigSz, const byte* plain, word32 plainSz, int sigAlgo,
|
||||
int hashAlgo, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx);
|
||||
WOLFSSL_LOCAL int RsaSign(WOLFSSL* ssl, const byte* in, word32 inSz,
|
||||
byte* out, word32* outSz, int sigAlgo, int hashAlgo, RsaKey* key,
|
||||
const byte* keyBuf, word32 keySz, void* ctx);
|
||||
|
||||
@@ -1893,6 +1893,7 @@ typedef int (*CallbackRsaVerify)(WOLFSSL* ssl,
|
||||
const unsigned char* keyDer, unsigned int keySz,
|
||||
void* ctx);
|
||||
WOLFSSL_API void wolfSSL_CTX_SetRsaVerifyCb(WOLFSSL_CTX*, CallbackRsaVerify);
|
||||
WOLFSSL_API void wolfSSL_CTX_SetRsaSignCheckCb(WOLFSSL_CTX*, CallbackRsaVerify);
|
||||
WOLFSSL_API void wolfSSL_SetRsaVerifyCtx(WOLFSSL* ssl, void *ctx);
|
||||
WOLFSSL_API void* wolfSSL_GetRsaVerifyCtx(WOLFSSL* ssl);
|
||||
|
||||
@@ -1915,6 +1916,8 @@ typedef int (*CallbackRsaPssVerify)(WOLFSSL* ssl,
|
||||
void* ctx);
|
||||
WOLFSSL_API void wolfSSL_CTX_SetRsaPssVerifyCb(WOLFSSL_CTX*,
|
||||
CallbackRsaPssVerify);
|
||||
WOLFSSL_API void wolfSSL_CTX_SetRsaPssSignCheckCb(WOLFSSL_CTX*,
|
||||
CallbackRsaPssVerify);
|
||||
WOLFSSL_API void wolfSSL_SetRsaPssVerifyCtx(WOLFSSL* ssl, void *ctx);
|
||||
WOLFSSL_API void* wolfSSL_GetRsaPssVerifyCtx(WOLFSSL* ssl);
|
||||
#endif
|
||||
|
||||
@@ -2101,9 +2101,7 @@ static INLINE int myRsaSign(WOLFSSL* ssl, const byte* in, word32 inSz,
|
||||
|
||||
|
||||
static INLINE int myRsaVerify(WOLFSSL* ssl, byte* sig, word32 sigSz,
|
||||
byte** out,
|
||||
const byte* key, word32 keySz,
|
||||
void* ctx)
|
||||
byte** out, const byte* key, word32 keySz, void* ctx)
|
||||
{
|
||||
int ret;
|
||||
word32 idx = 0;
|
||||
@@ -2123,6 +2121,27 @@ static INLINE int myRsaVerify(WOLFSSL* ssl, byte* sig, word32 sigSz,
|
||||
return ret;
|
||||
}
|
||||
|
||||
static INLINE int myRsaSignCheck(WOLFSSL* ssl, byte* sig, word32 sigSz,
|
||||
byte** out, const byte* key, word32 keySz, void* ctx)
|
||||
{
|
||||
int ret;
|
||||
word32 idx = 0;
|
||||
RsaKey myKey;
|
||||
|
||||
(void)ssl;
|
||||
(void)ctx;
|
||||
|
||||
ret = wc_InitRsaKey(&myKey, NULL);
|
||||
if (ret == 0) {
|
||||
ret = wc_RsaPrivateKeyDecode(key, &idx, &myKey, keySz);
|
||||
if (ret == 0)
|
||||
ret = wc_RsaSSL_VerifyInline(sig, sigSz, out, &myKey);
|
||||
wc_FreeRsaKey(&myKey);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifdef WC_RSA_PSS
|
||||
static INLINE int myRsaPssSign(WOLFSSL* ssl, const byte* in, word32 inSz,
|
||||
byte* out, word32* outSz, int hash, int mgf, const byte* key,
|
||||
@@ -2219,6 +2238,48 @@ static INLINE int myRsaPssVerify(WOLFSSL* ssl, byte* sig, word32 sigSz,
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static INLINE int myRsaPssSignCheck(WOLFSSL* ssl, byte* sig, word32 sigSz,
|
||||
byte** out, int hash, int mgf, const byte* key, word32 keySz, void* ctx)
|
||||
{
|
||||
enum wc_HashType hashType = WC_HASH_TYPE_NONE;
|
||||
int ret;
|
||||
word32 idx = 0;
|
||||
RsaKey myKey;
|
||||
|
||||
(void)ssl;
|
||||
(void)ctx;
|
||||
|
||||
switch (hash) {
|
||||
#ifndef NO_SHA256
|
||||
case SHA256h:
|
||||
hashType = WC_HASH_TYPE_SHA256;
|
||||
break;
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHA384
|
||||
case SHA384h:
|
||||
hashType = WC_HASH_TYPE_SHA384;
|
||||
break;
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHA512
|
||||
case SHA512h:
|
||||
hashType = WC_HASH_TYPE_SHA512;
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
|
||||
ret = wc_InitRsaKey(&myKey, NULL);
|
||||
if (ret == 0) {
|
||||
ret = wc_RsaPrivateKeyDecode(key, &idx, &myKey, keySz);
|
||||
if (ret == 0) {
|
||||
ret = wc_RsaPSS_VerifyInline(sig, sigSz, out, hashType, mgf,
|
||||
&myKey);
|
||||
}
|
||||
wc_FreeRsaKey(&myKey);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
@@ -2310,9 +2371,11 @@ static INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx, WOLFSSL* ssl)
|
||||
#ifndef NO_RSA
|
||||
wolfSSL_CTX_SetRsaSignCb(ctx, myRsaSign);
|
||||
wolfSSL_CTX_SetRsaVerifyCb(ctx, myRsaVerify);
|
||||
wolfSSL_CTX_SetRsaSignCheckCb(ctx, myRsaSignCheck);
|
||||
#ifdef WC_RSA_PSS
|
||||
wolfSSL_CTX_SetRsaPssSignCb(ctx, myRsaPssSign);
|
||||
wolfSSL_CTX_SetRsaPssVerifyCb(ctx, myRsaPssVerify);
|
||||
wolfSSL_CTX_SetRsaPssSignCheckCb(ctx, myRsaPssSignCheck);
|
||||
#endif
|
||||
wolfSSL_CTX_SetRsaEncCb(ctx, myRsaEnc);
|
||||
wolfSSL_CTX_SetRsaDecCb(ctx, myRsaDec);
|
||||
|
||||
Reference in New Issue
Block a user