[WIP] lib/verifysig: start using bearssl.

It's currently very messy, because decoding the pubkey is erroring out with error 36 (BR_ERR_X509_INNER_TRUNC), but the OpenSSL part does work.
void-linux · Aug 25, 2020 · 80831ea · 80831ea
1 parent d050716
commit 80831ea
Showing 1 changed file with 94 additions and 19 deletions.
diff --git a/lib/verifysig.c b/lib/verifysig.c
@@ -33,42 +33,117 @@
 #include <sys/mman.h>
 
 #include <openssl/err.h>
-#include <openssl/sha.h>
 #include <openssl/rsa.h>
 #include <openssl/ssl.h>
 #include <openssl/pem.h>
+#include <openssl/bn.h>
+#include <bearssl.h>
 
 #include "xbps_api_impl.h"
 
+static void
+copy_to_cert(void *dest_ctx, const void *src, size_t len)
+{
+	puts("running callback");
+	br_x509_decoder_push(dest_ctx, src, len);
+}
+
 static bool
 rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey,
 		unsigned char *sig, unsigned int siglen,
 		unsigned char *sha256)
 {
+	int rv;
+	br_rsa_public_key pk;
+	br_rsa_pkcs1_vrfy vrfy;
+	br_pem_decoder_context pem;
+	br_x509_decoder_context dc;
+	unsigned char *pubkey_data;
+	size_t pubkey_size;
+	int extra_nl = 1;
+	// ssl
+	unsigned char e[3], n[512];
 	BIO *bio;
 	RSA *rsa;
-	int rv;
-
-	ERR_load_crypto_strings();
-	SSL_load_error_strings();
+	const BIGNUM *nrsa = NULL, *ersa = NULL, *drsa = NULL;
+
+	(void) repo;
+
+
+	pubkey_data = __UNCONST(xbps_data_data_nocopy(pubkey));
+	pubkey_size = xbps_data_size(pubkey);
+
+	br_pem_decoder_init(&pem);
+	while (pubkey_size > 0) {
+		size_t pushed;
+		const char *name;
+		printf("pushing: %lu left\n", pubkey_size);
+		pushed = br_pem_decoder_push(&pem, pubkey_data, pubkey_size);
+		printf("pushed: %lu\n", pushed);
+		pubkey_data += pushed;
+		pubkey_size -= pushed;
+
+		switch(br_pem_decoder_event(&pem)) {
+			case 0:
+				puts("got zero");
+				break;
+			case BR_PEM_BEGIN_OBJ:
+				name = br_pem_decoder_name(&pem);
+				br_pem_decoder_setdest(&pem, copy_to_cert, &dc);
+				puts(name);
+				if (strcmp(name, "PUBLIC KEY")) {
+					break;
+				}
+				puts("begin");
+				br_x509_decoder_init(&dc, 0, 0);
+				break;
+			case BR_PEM_END_OBJ:
+				puts("obj end");
+				if (pubkey_size != 0) {
+					return false;
+				}
+				break;
+			default:
+				puts("errors die");
+				break;
+		}
+
+		if (pubkey_size == 0 && extra_nl) {
+			extra_nl = 0;
+			pubkey_data = __UNCONST("\n");
+			pubkey_size = 1;
+		}
+	}
 
-	bio = BIO_new_mem_buf(__UNCONST(xbps_data_data_nocopy(pubkey)),
-			xbps_data_size(pubkey));
-	assert(bio);
+	printf("err code: %d\n", br_x509_decoder_last_error(&dc));
 
-	rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
-	if (rsa == NULL) {
-		xbps_dbg_printf(repo->xhp, "`%s' error reading public key: %s\n",
-		    repo->uri, ERR_error_string(ERR_get_error(), NULL));
-		return false;
+	if(br_x509_decoder_get_pkey(&dc) == NULL) {
+		puts("found me");
+	} else {
+		pk = br_x509_decoder_get_pkey(&dc)->key.rsa;
 	}
 
-	rv = RSA_verify(NID_sha1, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
-	RSA_free(rsa);
-	BIO_free(bio);
-	ERR_free_strings();
-
-	return rv ? true : false;
+	bio = BIO_new_mem_buf(__UNCONST(xbps_data_data_nocopy(pubkey)), xbps_data_size(pubkey));
+	rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
+	RSA_get0_key(rsa, &nrsa, &ersa, &drsa);
+	printf("- n (size %d): ", BN_num_bytes(nrsa));
+	BN_print_fp(stdout, nrsa);
+	printf("\n- e (size %d): ", BN_num_bytes(ersa));
+	BN_print_fp(stdout, ersa);
+	puts("");
+	assert(BN_num_bytes(nrsa) == 512);
+	BN_bn2bin(nrsa, n);
+	BN_bn2bin(ersa, e);
+
+	pk.n = n;
+	pk.nlen = 512;
+	pk.e = e;
+	pk.elen = 3;
+
+	vrfy = br_rsa_pkcs1_vrfy_get_default();
+	rv = vrfy(sig, siglen, BR_HASH_OID_SHA1, 32, &pk, sha256);
+
+	return rv;
 }
 
 bool