Used Openssl RSA_verify function
This commit is contained in:
parent
72684a710b
commit
52ae3f27f8
|
@ -312,8 +312,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
|
|||
hasher->allocate_hash(hasher, quote_info, "e_digest);
|
||||
hasher->destroy(hasher);
|
||||
|
||||
if (!chunk_equals(pcr_comp, chunk_empty)
|
||||
&& strncmp(quote_info.ptr, pcr_comp.ptr,
|
||||
if (pcr_comp.ptr && strncmp(quote_info.ptr, pcr_comp.ptr,
|
||||
quote_info.len - ASSESSMENT_SECRET_LEN) != 0)
|
||||
{
|
||||
DBG1(DBG_IMV, "calculated TPM Quote Info differs from received");
|
||||
|
@ -325,7 +324,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
|
|||
}
|
||||
DBG2(DBG_IMV, "received TPM Quote Info matches with calculated");
|
||||
|
||||
if (!chunk_equals(tpm_quote_sign, chunk_empty) &&
|
||||
if (tpm_quote_sign.ptr &&
|
||||
!pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
|
||||
{
|
||||
free(quote_digest.ptr);
|
||||
|
|
|
@ -29,6 +29,10 @@
|
|||
#include <sys/utsname.h>
|
||||
#include <errno.h>
|
||||
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/x509.h>
|
||||
|
||||
#define PTS_BUF_SIZE 4096
|
||||
|
||||
typedef struct private_pts_t private_pts_t;
|
||||
|
@ -1211,27 +1215,78 @@ METHOD(pts_t, get_quote_info, bool,
|
|||
METHOD(pts_t, verify_quote_signature, bool,
|
||||
private_pts_t *this, chunk_t data, chunk_t signature)
|
||||
{
|
||||
/** Implementation using strongswan -> not working */
|
||||
public_key_t *aik_pub_key;
|
||||
chunk_t key_encoding;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
RSA *rsa = NULL;
|
||||
unsigned char *p;
|
||||
|
||||
aik_pub_key = this->aik->get_public_key(this->aik);
|
||||
|
||||
if (!aik_pub_key)
|
||||
{
|
||||
DBG1(DBG_PTS, "failed to get public key from AIK certificate");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
|
||||
/** Implementation using strongswan -> not working */
|
||||
/*if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
|
||||
{
|
||||
DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
|
||||
aik_pub_key->destroy(aik_pub_key);
|
||||
return FALSE;
|
||||
goto cleanup;
|
||||
}
|
||||
*/
|
||||
|
||||
if (!aik_pub_key->get_encoding(aik_pub_key, PUBKEY_SPKI_ASN1_DER, &key_encoding))
|
||||
{
|
||||
DBG1(DBG_PTS, "failed to get encoding of AIK public key");
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
p = key_encoding.ptr;
|
||||
pkey = d2i_PUBKEY(NULL, (const unsigned char**)&p, key_encoding.len);
|
||||
if (!pkey)
|
||||
{
|
||||
DBG1(DBG_PTS, "failed to get EVP_PKEY object from AIK public key encoding");
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (!rsa)
|
||||
{
|
||||
DBG1(DBG_PTS, "failed to get RSA object from EVP_PKEY");
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (RSA_verify(NID_sha1, data.ptr, data.len, signature.ptr, signature.len, rsa) != 1)
|
||||
{
|
||||
DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
RSA_free(rsa);
|
||||
EVP_PKEY_free(pkey);
|
||||
if (key_encoding.ptr)
|
||||
{
|
||||
chunk_clear(&key_encoding);
|
||||
}
|
||||
aik_pub_key->destroy(aik_pub_key);
|
||||
|
||||
return TRUE;
|
||||
|
||||
cleanup:
|
||||
if (rsa)
|
||||
{
|
||||
RSA_free(rsa);
|
||||
}
|
||||
if (pkey)
|
||||
{
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
if (key_encoding.ptr)
|
||||
{
|
||||
chunk_clear(&key_encoding);
|
||||
}
|
||||
DESTROY_IF(aik_pub_key);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
METHOD(pts_t, destroy, void,
|
||||
|
|
Loading…
Reference in New Issue