crypto/signature_verifier_win.cc

   1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "crypto/signature_verifier.h"
   6
   7 #include "base/logging.h"
   8 #include "crypto/capi_util.h"
   9
  10 #pragma comment(lib, "crypt32.lib")
  11
  12 namespace crypto {
  13
  14 SignatureVerifier::SignatureVerifier() : hash_object_(0), public_key_(0) {
  15   if (!CryptAcquireContext(provider_.receive(), NULL, NULL,
  16                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
  17     provider_.reset();
  18 }
  19
  20 SignatureVerifier::~SignatureVerifier() {
  21 }
  22
  23 bool SignatureVerifier::VerifyInit(const uint8* signature_algorithm,
  24                                    int signature_algorithm_len,
  25                                    const uint8* signature,
  26                                    int signature_len,
  27                                    const uint8* public_key_info,
  28                                    int public_key_info_len) {
  29   signature_.reserve(signature_len);
  30   // CryptoAPI uses big integers in the little-endian byte order, so we need
  31   // to first swap the order of signature bytes.
  32   for (int i = signature_len - 1; i >= 0; --i)
  33     signature_.push_back(signature[i]);
  34
  35   CRYPT_DECODE_PARA decode_para;
  36   decode_para.cbSize = sizeof(decode_para);
  37   decode_para.pfnAlloc = crypto::CryptAlloc;
  38   decode_para.pfnFree = crypto::CryptFree;
  39   CERT_PUBLIC_KEY_INFO* cert_public_key_info = NULL;
  40   DWORD struct_len = 0;
  41   BOOL ok;
  42   ok = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  43                            X509_PUBLIC_KEY_INFO,
  44                            public_key_info,
  45                            public_key_info_len,
  46                            CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
  47                            &decode_para,
  48                            &cert_public_key_info,
  49                            &struct_len);
  50   if (!ok)
  51     return false;
  52
  53   ok = CryptImportPublicKeyInfo(provider_,
  54                                 X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  55                                 cert_public_key_info, public_key_.receive());
  56   crypto::CryptFree(cert_public_key_info);
  57   if (!ok)
  58     return false;
  59
  60   CRYPT_ALGORITHM_IDENTIFIER* signature_algorithm_id;
  61   struct_len = 0;
  62   ok = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  63                            X509_ALGORITHM_IDENTIFIER,
  64                            signature_algorithm,
  65                            signature_algorithm_len,
  66                            CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
  67                            &decode_para,
  68                            &signature_algorithm_id,
  69                            &struct_len);
  70   DCHECK(ok || GetLastError() == ERROR_FILE_NOT_FOUND);
  71   ALG_ID hash_alg_id;
  72   if (ok) {
  73     hash_alg_id = CALG_MD4;  // Initialize to a weak hash algorithm that we
  74                              // don't support.
  75     if (!strcmp(signature_algorithm_id->pszObjId, szOID_RSA_SHA1RSA))
  76       hash_alg_id = CALG_SHA1;
  77     else if (!strcmp(signature_algorithm_id->pszObjId, szOID_RSA_MD5RSA))
  78       hash_alg_id = CALG_MD5;
  79     crypto::CryptFree(signature_algorithm_id);
  80     DCHECK_NE(static_cast<ALG_ID>(CALG_MD4), hash_alg_id);
  81     if (hash_alg_id == CALG_MD4)
  82       return false;  // Unsupported hash algorithm.
  83   } else if (GetLastError() == ERROR_FILE_NOT_FOUND) {
  84     // TODO(wtc): X509_ALGORITHM_IDENTIFIER isn't supported on XP SP2.  We
  85     // may be able to encapsulate signature_algorithm in a dummy SignedContent
  86     // and decode it with X509_CERT into a CERT_SIGNED_CONTENT_INFO.  For now,
  87     // just hardcode the hash algorithm to be SHA-1.
  88     hash_alg_id = CALG_SHA1;
  89   } else {
  90     return false;
  91   }
  92
  93   ok = CryptCreateHash(provider_, hash_alg_id, 0, 0, hash_object_.receive());
  94   if (!ok)
  95     return false;
  96   return true;
  97 }
  98
  99 void SignatureVerifier::VerifyUpdate(const uint8* data_part,
 100                                      int data_part_len) {
 101   BOOL ok = CryptHashData(hash_object_, data_part, data_part_len, 0);
 102   DCHECK(ok) << "CryptHashData failed: " << GetLastError();
 103 }
 104
 105 bool SignatureVerifier::VerifyFinal() {
 106   BOOL ok = CryptVerifySignature(hash_object_, &signature_[0],
 107                                  signature_.size(), public_key_, NULL, 0);
 108   Reset();
 109   if (!ok)
 110     return false;
 111   return true;
 112 }
 113
 114 void SignatureVerifier::Reset() {
 115   hash_object_.reset();
 116   public_key_.reset();
 117   signature_.clear();
 118 }
 119
 120 }  // namespace crypto
 121