Used Openssl RSA_verify function
authorSansar Choinyambuu <schoinya@hsr.ch>
Fri, 21 Oct 2011 11:50:28 +0000 (13:50 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 13:39:51 +0000 (14:39 +0100)
src/libimcv/plugins/imv_attestation/imv_attestation_process.c
src/libpts/pts/pts.c

index 5e3e706..f097043 100644 (file)
@@ -312,8 +312,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                hasher->allocate_hash(hasher, quote_info, &quote_digest);
                                hasher->destroy(hasher);
                                
-                               if (!chunk_equals(pcr_comp, chunk_empty)
-                                       && strncmp(quote_info.ptr, pcr_comp.ptr,
+                               if (pcr_comp.ptr && strncmp(quote_info.ptr, pcr_comp.ptr,
                                                                quote_info.len - ASSESSMENT_SECRET_LEN) != 0)
                                {
                                        DBG1(DBG_IMV, "calculated TPM Quote Info differs from received");
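Review bot: `strncmp` in the rewritten condition stops at the first NUL byte in either buffer, so if these chunks hold binary TPM structures (as the names suggest) the comparison may cover only a short prefix and accept differing content. The length `quote_info.len - ASSESSMENT_SECRET_LEN` is also never checked against `pcr_comp.len` or against underflow, so the compare can run past the end of `pcr_comp`. Compare with `memcmp(quote_info.ptr, pcr_comp.ptr, quote_info.len - ASSESSMENT_SECRET_LEN) != 0`, and first treat `quote_info.len < ASSESSMENT_SECRET_LEN` or `pcr_comp.len < quote_info.len - ASSESSMENT_SECRET_LEN` as a mismatch. The enclosing block of imv_attestation_process starts and ends outside the hunk.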
@@ -325,7 +324,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                }
                                DBG2(DBG_IMV, "received TPM Quote Info matches with calculated");
                                
-                               if (!chunk_equals(tpm_quote_sign, chunk_empty) &&
+                               if (tpm_quote_sign.ptr &&
                                        !pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
                                {
                                        free(quote_digest.ptr);
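Review bot: The `tpm_quote_sign.ptr &&` guard makes signature verification optional: when the signature chunk is absent, `verify_quote_signature` is never called and control continues as if the quote had been validated. The `pcr_comp.ptr &&` guard in the previous hunk has the same fail-open shape, and the DBG2 "matches with calculated" message is logged even when that comparison was skipped. Unless code outside these hunks already rejects a missing signature, treat an empty chunk as a failure, e.g. `if (!tpm_quote_sign.ptr || !pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))`. The surrounding block continues past the end of the hunk.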
index da1c30c..05e4b7d 100644 (file)
 #include <sys/utsname.h>
 #include <errno.h>
 
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
 #define PTS_BUF_SIZE   4096
 
 typedef struct private_pts_t private_pts_t;
@@ -1211,27 +1215,78 @@ METHOD(pts_t, get_quote_info, bool,
 METHOD(pts_t, verify_quote_signature, bool,
                                private_pts_t *this, chunk_t data, chunk_t signature)
 {
-       /** Implementation using strongswan -> not working */
        public_key_t *aik_pub_key;
+       chunk_t key_encoding;
+       EVP_PKEY *pkey = NULL;
+       RSA *rsa = NULL;
+       unsigned char *p;
 
        aik_pub_key = this->aik->get_public_key(this->aik);
-
        if (!aik_pub_key)
        {
                DBG1(DBG_PTS, "failed to get public key from AIK certificate");
                return FALSE;
        }
 
-       if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
+       /** Implementation using strongswan -> not working */
+       /*if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
        {
                DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
-               aik_pub_key->destroy(aik_pub_key);
-               return FALSE;
+               goto cleanup;
        }
+       */
 
-       aik_pub_key->destroy(aik_pub_key);
+       if (!aik_pub_key->get_encoding(aik_pub_key, PUBKEY_SPKI_ASN1_DER, &key_encoding))
+       {
+               DBG1(DBG_PTS, "failed to get encoding of AIK public key");
+               goto cleanup;
+       }
        
+       p = key_encoding.ptr;
+       pkey = d2i_PUBKEY(NULL, (const unsigned char**)&p, key_encoding.len);
+       if (!pkey)
+       {
+               DBG1(DBG_PTS, "failed to get EVP_PKEY object from AIK public key encoding");
+               goto cleanup;
+       }
+
+       rsa = EVP_PKEY_get1_RSA(pkey);
+       if (!rsa)
+       {
+               DBG1(DBG_PTS, "failed to get RSA object from EVP_PKEY");
+               goto cleanup;
+       }
+
+       if (RSA_verify(NID_sha1, data.ptr, data.len, signature.ptr, signature.len, rsa) != 1)
+       {
+               DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
+               goto cleanup;
+       }
+
+       RSA_free(rsa);
+       EVP_PKEY_free(pkey);
+       if (key_encoding.ptr)
+       {
+               chunk_clear(&key_encoding);
+       }
+       aik_pub_key->destroy(aik_pub_key);
        return TRUE;
+
+cleanup:
+       if (rsa)
+       {
+               RSA_free(rsa);
+       }
+       if (pkey)
+       {
+               EVP_PKEY_free(pkey);
+       }
+       if (key_encoding.ptr)
+       {
+               chunk_clear(&key_encoding);
+       }
+       DESTROY_IF(aik_pub_key);
+       return FALSE;
 }
 
 METHOD(pts_t, destroy, void,
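Review bot: `key_encoding` is declared without an initializer, yet the `cleanup:` path tests `key_encoding.ptr` and calls `chunk_clear(&key_encoding)`. When `get_encoding` fails and jumps there, that reads an indeterminate pointer, unless `get_encoding` is guaranteed to zero its output on failure, which is not visible here. Declare it as `chunk_t key_encoding = chunk_empty;`. The success path also repeats the whole cleanup sequence; a single exit through `cleanup:` with a `bool success = FALSE;` result flag would keep the two copies from drifting apart. The commented-out `aik_pub_key->verify` block would be better replaced by a one-line comment saying why it failed, possibly because the caller passes an already-hashed digest, which is the input `RSA_verify` expects.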