Skip to content

Commit

Permalink
[WIP] lib/verifysig: start using bearssl.
Browse files Browse the repository at this point in the history
It's currently very messy, because decoding the pubkey is erroring out
with error 36 (BR_ERR_X509_INNER_TRUNC), but the OpenSSL part does work.
  • Loading branch information
ericonr committed Aug 25, 2020
1 parent d050716 commit 8bd9b6c
Showing 1 changed file with 94 additions and 21 deletions.
115 changes: 94 additions & 21 deletions lib/verifysig.c
Original file line number Diff line number Diff line change
Expand Up @@ -32,43 +32,116 @@
#include <sys/stat.h>
#include <sys/mman.h>

#include <openssl/err.h>
#include <openssl/sha.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
#include <bearssl.h>

#include "xbps_api_impl.h"

static void
copy_to_cert(void *dest_ctx, const void *src, size_t len)
{
puts("running callback");
br_x509_decoder_push(dest_ctx, src, len);
}

static bool
rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey,
unsigned char *sig, unsigned int siglen,
unsigned char *sha256)
{
int rv;
br_rsa_public_key pk;
br_rsa_pkcs1_vrfy vrfy;
br_pem_decoder_context pem;
br_x509_decoder_context dc;
unsigned char *pubkey_data;
size_t pubkey_size;
int extra_nl = 1;
// ssl
unsigned char e[3], n[512];
BIO *bio;
RSA *rsa;
int rv;

ERR_load_crypto_strings();
SSL_load_error_strings();
const BIGNUM *nrsa = NULL, *ersa = NULL, *drsa = NULL;

(void) repo;


pubkey_data = __UNCONST(xbps_data_data_nocopy(pubkey));
pubkey_size = xbps_data_size(pubkey);

br_pem_decoder_init(&pem);
while (pubkey_size > 0) {
size_t pushed;
const char *name;
printf("pushing: %lu left\n", pubkey_size);
pushed = br_pem_decoder_push(&pem, pubkey_data, pubkey_size);
printf("pushed: %lu\n", pushed);
pubkey_data += pushed;
pubkey_size -= pushed;

switch(br_pem_decoder_event(&pem)) {
case 0:
puts("got zero");
break;
case BR_PEM_BEGIN_OBJ:
name = br_pem_decoder_name(&pem);
br_pem_decoder_setdest(&pem, copy_to_cert, &dc);
puts(name);
if (strcmp(name, "PUBLIC KEY")) {
break;
}
puts("begin");
br_x509_decoder_init(&dc, 0, 0);
break;
case BR_PEM_END_OBJ:
puts("obj end");
if (pubkey_size != 0) {
return false;
}
break;
default:
puts("errors die");
break;
}

if (pubkey_size == 0 && extra_nl) {
extra_nl = 0;
pubkey_data = __UNCONST("\n");
pubkey_size = 1;
}
}

bio = BIO_new_mem_buf(__UNCONST(xbps_data_data_nocopy(pubkey)),
xbps_data_size(pubkey));
assert(bio);
printf("err code: %d\n", br_x509_decoder_last_error(&dc));

rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
if (rsa == NULL) {
xbps_dbg_printf(repo->xhp, "`%s' error reading public key: %s\n",
repo->uri, ERR_error_string(ERR_get_error(), NULL));
return false;
if(br_x509_decoder_get_pkey(&dc) == NULL) {
puts("found me");
} else {
pk = br_x509_decoder_get_pkey(&dc)->key.rsa;
}

rv = RSA_verify(NID_sha1, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
RSA_free(rsa);
BIO_free(bio);
ERR_free_strings();

return rv ? true : false;
bio = BIO_new_mem_buf(__UNCONST(xbps_data_data_nocopy(pubkey)), xbps_data_size(pubkey));
rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
RSA_get0_key(rsa, &nrsa, &ersa, &drsa);
printf("- n (size %d): ", BN_num_bytes(nrsa));
BN_print_fp(stdout, nrsa);
printf("\n- e (size %d): ", BN_num_bytes(ersa));
BN_print_fp(stdout, ersa);
puts("");
assert(BN_num_bytes(nrsa) == 512);
BN_bn2bin(nrsa, n);
BN_bn2bin(ersa, e);

pk.n = n;
pk.nlen = 512;
pk.e = e;
pk.elen = 3;

vrfy = br_rsa_pkcs1_vrfy_get_default();
rv = vrfy(sig, siglen, BR_HASH_OID_SHA1, 32, &pk, sha256);

return rv;
}

bool
Expand Down

0 comments on commit 8bd9b6c

Please sign in to comment.