verify with CA
This commit is contained in:
parent
499ba26d7b
commit
548ed322a4
@ -15,6 +15,8 @@
|
|||||||
#include <openssl/asn1t.h>
|
#include <openssl/asn1t.h>
|
||||||
#include <openssl/asn1.h>
|
#include <openssl/asn1.h>
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
|
#include <openssl/ecdsa.h>
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
|
||||||
#include "api.h"
|
#include "api.h"
|
||||||
#include "consts.h"
|
#include "consts.h"
|
||||||
@ -448,6 +450,25 @@ ASN1_SEQUENCE(EncapsulatedContent) = {
|
|||||||
} ASN1_SEQUENCE_END(EncapsulatedContent)
|
} ASN1_SEQUENCE_END(EncapsulatedContent)
|
||||||
IMPLEMENT_ASN1_FUNCTIONS(EncapsulatedContent)
|
IMPLEMENT_ASN1_FUNCTIONS(EncapsulatedContent)
|
||||||
|
|
||||||
|
#include <openssl/opensslv.h>
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||||
|
typedef struct ECDSA_SIG_st {
|
||||||
|
BIGNUM *r;
|
||||||
|
BIGNUM *s;
|
||||||
|
} ECDSA_SIG;
|
||||||
|
|
||||||
|
typedef struct bignum_st
|
||||||
|
{
|
||||||
|
BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */
|
||||||
|
int top; /* Index of last used d +1. */
|
||||||
|
/* The next are internal book keeping for bn_expand. */
|
||||||
|
int dmax; /* Size of the d array. */
|
||||||
|
int neg; /* one if the number is negative */
|
||||||
|
int flags;
|
||||||
|
};
|
||||||
|
#endif
|
||||||
|
|
||||||
void Connector::readEFSOD() {
|
void Connector::readEFSOD() {
|
||||||
auto content = readFileBySFI(EFSOD_SFI);
|
auto content = readFileBySFI(EFSOD_SFI);
|
||||||
bytes digest(256 / 8);
|
bytes digest(256 / 8);
|
||||||
@ -494,7 +515,7 @@ void Connector::readEFSOD() {
|
|||||||
|
|
||||||
bytes encapsulatedDigest(256 / 8);
|
bytes encapsulatedDigest(256 / 8);
|
||||||
SHA256(encapsulatedBytes.data(), encapsulatedBytes.size(), encapsulatedDigest.data());
|
SHA256(encapsulatedBytes.data(), encapsulatedBytes.size(), encapsulatedDigest.data());
|
||||||
logBytes("FILE SOD encapsulated digest %s", encapsulatedDigest);
|
logBytes("FILE SOD calculated encapsulated digest %s", encapsulatedDigest);
|
||||||
|
|
||||||
auto signer = (PKCS7_SIGNER_INFO*)sk_value((OPENSSL_STACK*)pkcs7->d.sign->signer_info, 0);
|
auto signer = (PKCS7_SIGNER_INFO*)sk_value((OPENSSL_STACK*)pkcs7->d.sign->signer_info, 0);
|
||||||
|
|
||||||
@ -507,7 +528,7 @@ void Connector::readEFSOD() {
|
|||||||
if (ASN1_TYPE_get(x) == 4) {
|
if (ASN1_TYPE_get(x) == 4) {
|
||||||
auto p = x->value.octet_string;
|
auto p = x->value.octet_string;
|
||||||
auto pp = bytes(p->data, p->data + p->length);
|
auto pp = bytes(p->data, p->data + p->length);
|
||||||
logBytes("%s", pp);
|
logBytes("sod stored message digest %s", pp);
|
||||||
|
|
||||||
if (pp != encapsulatedDigest) {
|
if (pp != encapsulatedDigest) {
|
||||||
throw "Encapsulated digest check with attribute data wrong";
|
throw "Encapsulated digest check with attribute data wrong";
|
||||||
@ -516,10 +537,62 @@ void Connector::readEFSOD() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
{ // now use openssl to verify with no CA
|
{ // now use openssl to verify with no CA
|
||||||
|
// If PKCS7_NOVERIFY is set the signer's certificates are not chain verified.
|
||||||
|
int simple_verify = PKCS7_verify(pkcs7, nullptr, nullptr, nullptr, nullptr, PKCS7_NOVERIFY);
|
||||||
|
LOGI("certificate basic check status %d", simple_verify);
|
||||||
}
|
}
|
||||||
|
|
||||||
{ // extract certificate and check with CA pubkey
|
{ // extract certificate's signature and check with CA pubkey
|
||||||
|
auto cert = (X509*)sk_value((OPENSSL_STACK*)pkcs7->d.sign->cert, 0);
|
||||||
|
const ASN1_BIT_STRING *psig;
|
||||||
|
const X509_ALGOR *palg;
|
||||||
|
X509_get0_signature(&psig, &palg, cert);
|
||||||
|
|
||||||
|
bytes signature(psig->data, psig->data + psig->length);
|
||||||
|
logBytes("signature raw %s", signature);
|
||||||
|
|
||||||
|
const unsigned char* sig = signature.data();
|
||||||
|
ECDSA_SIG* cert_sig;
|
||||||
|
d2i_ECDSA_SIG(&cert_sig, &sig, signature.size());
|
||||||
|
|
||||||
|
if (!cert_sig) {
|
||||||
|
throw "cannot get certificate signature";
|
||||||
|
}
|
||||||
|
|
||||||
|
LOGI("certificate get successfully");
|
||||||
|
|
||||||
|
LOGI("certificate signature: (%s,%s)\n",
|
||||||
|
BN_bn2hex(ECDSA_SIG_get0_r(cert_sig)),
|
||||||
|
BN_bn2hex(ECDSA_SIG_get0_s(cert_sig)));
|
||||||
|
|
||||||
|
bytes tbs(1000);
|
||||||
|
unsigned char* tbsPtr = tbs.data();
|
||||||
|
int tbsSize = i2d_re_X509_tbs(cert, &tbsPtr);
|
||||||
|
printf("%d\n", tbsSize);
|
||||||
|
logBytes("tbs %s", tbs);
|
||||||
|
|
||||||
|
bytes tbsDigest(384 / 8);
|
||||||
|
SHA384(tbs.data(), tbsSize, tbsDigest.data());
|
||||||
|
logBytes("digest %s", tbsDigest);
|
||||||
|
|
||||||
|
// ca params
|
||||||
|
BIGNUM* ca_x = nullptr;
|
||||||
|
BIGNUM* ca_y = nullptr;
|
||||||
|
BN_dec2bn(&ca_x, "5705586746797687392276527904990313555022905475611271258729414636068323857880334000957361424951661974682935706611888");
|
||||||
|
BN_dec2bn(&ca_y, "7821704373206592378644977211567592118672246135776362491204878202396889655625917188376232816427307041739256606332695");
|
||||||
|
|
||||||
|
// printf("ca pubkey: (%s,%s)\n",
|
||||||
|
// BN_bn2hex(ca_x),
|
||||||
|
// BN_bn2hex(ca_y));
|
||||||
|
|
||||||
|
EC_KEY* ca = EC_KEY_new_by_curve_name(NID_secp384r1);
|
||||||
|
EC_KEY_set_public_key_affine_coordinates(ca, ca_x, ca_y);
|
||||||
|
|
||||||
|
bool ca_verify = ECDSA_do_verify(tbsDigest.data(), tbsDigest.size(), cert_sig, ca);
|
||||||
|
LOGI("ca verified status %d\n", ca_verify);
|
||||||
|
|
||||||
|
if (ca_verify != 1) {
|
||||||
|
throw "verification with CA returns false";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
Loading…
Reference in New Issue
Block a user