hasher->allocate_hash(hasher, quote_info, "e_digest);
hasher->destroy(hasher);
- if (!chunk_equals(pcr_comp, chunk_empty)
- && strncmp(quote_info.ptr, pcr_comp.ptr,
+ if (pcr_comp.ptr && strncmp(quote_info.ptr, pcr_comp.ptr,
quote_info.len - ASSESSMENT_SECRET_LEN) != 0)
{
DBG1(DBG_IMV, "calculated TPM Quote Info differs from received");
}
DBG2(DBG_IMV, "received TPM Quote Info matches with calculated");
- if (!chunk_equals(tpm_quote_sign, chunk_empty) &&
+ if (tpm_quote_sign.ptr &&
!pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
{
free(quote_digest.ptr);
#include <sys/utsname.h>
#include <errno.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
#define PTS_BUF_SIZE 4096
typedef struct private_pts_t private_pts_t;
METHOD(pts_t, verify_quote_signature, bool,
private_pts_t *this, chunk_t data, chunk_t signature)
{
- /** Implementation using strongswan -> not working */
public_key_t *aik_pub_key;
+ chunk_t key_encoding;
+ EVP_PKEY *pkey = NULL;
+ RSA *rsa = NULL;
+ unsigned char *p;
aik_pub_key = this->aik->get_public_key(this->aik);
-
if (!aik_pub_key)
{
DBG1(DBG_PTS, "failed to get public key from AIK certificate");
return FALSE;
}
- if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
+ /** Implementation using strongswan -> not working */
+ /*if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
{
DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
- aik_pub_key->destroy(aik_pub_key);
- return FALSE;
+ goto cleanup;
}
+ */
- aik_pub_key->destroy(aik_pub_key);
+ if (!aik_pub_key->get_encoding(aik_pub_key, PUBKEY_SPKI_ASN1_DER, &key_encoding))
+ {
+ DBG1(DBG_PTS, "failed to get encoding of AIK public key");
+ goto cleanup;
+ }
+ p = key_encoding.ptr;
+ pkey = d2i_PUBKEY(NULL, (const unsigned char**)&p, key_encoding.len);
+ if (!pkey)
+ {
+ DBG1(DBG_PTS, "failed to get EVP_PKEY object from AIK public key encoding");
+ goto cleanup;
+ }
+
+ rsa = EVP_PKEY_get1_RSA(pkey);
+ if (!rsa)
+ {
+ DBG1(DBG_PTS, "failed to get RSA object from EVP_PKEY");
+ goto cleanup;
+ }
+
+ if (RSA_verify(NID_sha1, data.ptr, data.len, signature.ptr, signature.len, rsa) != 1)
+ {
+ DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
+ goto cleanup;
+ }
+
+ RSA_free(rsa);
+ EVP_PKEY_free(pkey);
+ if (key_encoding.ptr)
+ {
+ chunk_clear(&key_encoding);
+ }
+ aik_pub_key->destroy(aik_pub_key);
return TRUE;
+
+cleanup:
+ if (rsa)
+ {
+ RSA_free(rsa);
+ }
+ if (pkey)
+ {
+ EVP_PKEY_free(pkey);
+ }
+ if (key_encoding.ptr)
+ {
+ chunk_clear(&key_encoding);
+ }
+ DESTROY_IF(aik_pub_key);
+ return FALSE;
}
METHOD(pts_t, destroy, void,