diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index becfdae0a..7692ba2b3 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c @@ -27,6 +27,10 @@ #include #include +#include +#include +#include + #define PTS_BUF_SIZE 4096 typedef struct private_pts_t private_pts_t; @@ -1170,8 +1174,11 @@ METHOD(pts_t, get_quote_info, bool, METHOD(pts_t, verify_quote_signature, bool, private_pts_t *this, chunk_t data, chunk_t signature) { - /** Implementation using strongswan -> not working */ public_key_t *aik_pub_key; + chunk_t key_encoding; + EVP_PKEY *pkey = NULL; + RSA *rsa = NULL; + unsigned char *p; aik_pub_key = this->aik->get_public_key(this->aik); if (!aik_pub_key) @@ -1187,10 +1194,59 @@ METHOD(pts_t, verify_quote_signature, bool, DESTROY_IF(aik_pub_key); return FALSE; } + */ - aik_pub_key->destroy(aik_pub_key); + if (!aik_pub_key->get_encoding(aik_pub_key, PUBKEY_SPKI_ASN1_DER, &key_encoding)) + { + DBG1(DBG_PTS, "failed to get encoding of AIK public key"); + goto cleanup; + } + p = key_encoding.ptr; + pkey = d2i_PUBKEY(NULL, (const unsigned char**)&p, key_encoding.len); + if (!pkey) + { + DBG1(DBG_PTS, "failed to get EVP_PKEY object from AIK public key encoding"); + goto cleanup; + } + + rsa = EVP_PKEY_get1_RSA(pkey); + if (!rsa) + { + DBG1(DBG_PTS, "failed to get RSA object from EVP_PKEY"); + goto cleanup; + } + + if (RSA_verify(NID_sha1, data.ptr, data.len, signature.ptr, signature.len, rsa) != 1) + { + DBG1(DBG_PTS, "signature verification failed for TPM Quote Info"); + goto cleanup; + } + + RSA_free(rsa); + EVP_PKEY_free(pkey); + if (key_encoding.ptr) + { + chunk_clear(&key_encoding); + } + aik_pub_key->destroy(aik_pub_key); return TRUE; + +cleanup: + if (rsa) + { + RSA_free(rsa); + } + if (pkey) + { + EVP_PKEY_free(pkey); + } + if (key_encoding.ptr) + { + chunk_clear(&key_encoding); + } + DESTROY_IF(aik_pub_key); + return FALSE; } METHOD(pts_t, destroy, void,