1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
/** @file
RSA Asymmetric Cipher Wrapper Implementation over MbedTLS.
This file implements following APIs which provide basic capabilities for RSA:
1) RsaPssVerify
Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalCryptLib.h"
#include <mbedtls/rsa.h>
/**
Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
Implementation determines salt length automatically from the signature encoding.
Mask generation function is the same as the message digest algorithm.
Salt length should be equal to digest length.
@param[in] RsaContext Pointer to RSA context for signature verification.
@param[in] Message Pointer to octet message to be verified.
@param[in] MsgSize Size of the message in bytes.
@param[in] Signature Pointer to RSASSA-PSS signature to be verified.
@param[in] SigSize Size of signature in bytes.
@param[in] DigestLen Length of digest for RSA operation.
@param[in] SaltLen Salt length for PSS encoding.
@retval TRUE Valid signature encoded in RSASSA-PSS.
@retval FALSE Invalid signature or invalid RSA context.
**/
BOOLEAN
EFIAPI
RsaPssVerify (
IN VOID *RsaContext,
IN CONST UINT8 *Message,
IN UINTN MsgSize,
IN CONST UINT8 *Signature,
IN UINTN SigSize,
IN UINT16 DigestLen,
IN UINT16 SaltLen
)
{
INT32 Ret;
mbedtls_md_type_t md_alg;
UINT8 HashValue[SHA512_DIGEST_SIZE];
BOOLEAN Status;
UINTN ShaCtxSize;
VOID *ShaCtx;
mbedtls_rsa_context *RsaKey;
if (RsaContext == NULL) {
return FALSE;
}
if ((Message == NULL) || (MsgSize == 0) || (MsgSize > INT_MAX)) {
return FALSE;
}
if (SaltLen != DigestLen) {
return FALSE;
}
if ((Signature == NULL) || (SigSize == 0) || (SigSize > INT_MAX)) {
return FALSE;
}
RsaKey = (mbedtls_rsa_context *)RsaContext;
if (mbedtls_rsa_complete (RsaKey) != 0) {
return FALSE;
}
ZeroMem (HashValue, DigestLen);
switch (DigestLen) {
case SHA256_DIGEST_SIZE:
md_alg = MBEDTLS_MD_SHA256;
ShaCtxSize = Sha256GetContextSize ();
ShaCtx = AllocateZeroPool (ShaCtxSize);
Status = Sha256Init (ShaCtx);
if (!Status) {
return FALSE;
}
Status = Sha256Update (ShaCtx, Message, MsgSize);
if (!Status) {
FreePool (ShaCtx);
return FALSE;
}
Status = Sha256Final (ShaCtx, HashValue);
if (!Status) {
FreePool (ShaCtx);
return FALSE;
}
FreePool (ShaCtx);
break;
case SHA384_DIGEST_SIZE:
md_alg = MBEDTLS_MD_SHA384;
ShaCtxSize = Sha384GetContextSize ();
ShaCtx = AllocateZeroPool (ShaCtxSize);
Status = Sha384Init (ShaCtx);
if (!Status) {
return FALSE;
}
Status = Sha384Update (ShaCtx, Message, MsgSize);
if (!Status) {
FreePool (ShaCtx);
return FALSE;
}
Status = Sha384Final (ShaCtx, HashValue);
if (!Status) {
FreePool (ShaCtx);
return FALSE;
}
FreePool (ShaCtx);
break;
case SHA512_DIGEST_SIZE:
md_alg = MBEDTLS_MD_SHA512;
ShaCtxSize = Sha512GetContextSize ();
ShaCtx = AllocateZeroPool (ShaCtxSize);
Status = Sha512Init (ShaCtx);
if (!Status) {
return FALSE;
}
Status = Sha512Update (ShaCtx, Message, MsgSize);
if (!Status) {
FreePool (ShaCtx);
return FALSE;
}
Status = Sha512Final (ShaCtx, HashValue);
if (!Status) {
FreePool (ShaCtx);
return FALSE;
}
FreePool (ShaCtx);
break;
default:
return FALSE;
}
if (mbedtls_rsa_get_len (RsaContext) != SigSize) {
return FALSE;
}
mbedtls_rsa_set_padding (RsaContext, MBEDTLS_RSA_PKCS_V21, md_alg);
Ret = mbedtls_rsa_rsassa_pss_verify (
RsaContext,
md_alg,
(UINT32)DigestLen,
HashValue,
Signature
);
if (Ret != 0) {
return FALSE;
}
return TRUE;
}
|