1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
6 * The library is free for all purposes without any express
12 @file rsa_verify_hash.c
13 RSA PKCS #1 v1.5 or v2 PSS signature verification, Tom St Denis and Andreas Lange
19 PKCS #1 de-sign then v1.5 or PSS depad
20 @param sig The signature data
21 @param siglen The length of the signature data (octets)
22 @param hash The hash of the message that was signed
23 @param hashlen The length of the hash of the message that was signed (octets)
24 @param padding Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1)
25 @param hash_idx The index of the desired hash
26 @param saltlen The length of the salt used during signature
27 @param stat [out] The result of the signature comparison, 1==valid, 0==invalid
28 @param key The public RSA key corresponding to the key that performed the signature
29 @return CRYPT_OK on success (even if the signature is invalid)
31 int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
32 const unsigned char *hash, unsigned long hashlen,
34 int hash_idx, unsigned long saltlen,
35 int *stat, rsa_key *key)
37 unsigned long modulus_bitlen, modulus_bytelen, x;
39 unsigned char *tmpbuf;
41 LTC_ARGCHK(hash != NULL);
42 LTC_ARGCHK(sig != NULL);
43 LTC_ARGCHK(stat != NULL);
44 LTC_ARGCHK(key != NULL);
46 /* default to invalid */
51 if ((padding != LTC_PKCS_1_V1_5) &&
52 (padding != LTC_PKCS_1_PSS) &&
53 (padding != LTC_PKCS_1_V1_5_NA1)) {
54 return CRYPT_PK_INVALID_PADDING;
57 if (padding != LTC_PKCS_1_V1_5_NA1) {
59 if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
64 /* get modulus len in bits */
65 modulus_bitlen = mp_count_bits( (key->N));
67 /* outlen must be at least the size of the modulus */
68 modulus_bytelen = mp_unsigned_bin_size( (key->N));
69 if (modulus_bytelen != siglen) {
70 return CRYPT_INVALID_PACKET;
73 /* allocate temp buffer for decoded sig */
74 tmpbuf = XMALLOC(siglen);
81 if ((err = ltc_mp.rsa_me(sig, siglen, tmpbuf, &x, PK_PUBLIC, key)) != CRYPT_OK) {
86 /* make sure the output is the right size */
89 return CRYPT_INVALID_PACKET;
92 if (padding == LTC_PKCS_1_PSS) {
93 /* PSS decode and verify it */
95 if(modulus_bitlen%8 == 1){
96 err = pkcs_1_pss_decode(hash, hashlen, tmpbuf+1, x-1, saltlen, hash_idx, modulus_bitlen, stat);
99 err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat);
103 /* PKCS #1 v1.5 decode it */
105 unsigned long outlen;
108 /* allocate temp buffer for decoded hash */
109 outlen = ((modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0)) - 3;
110 out = XMALLOC(outlen);
116 if ((err = pkcs_1_v1_5_decode(tmpbuf, x, LTC_PKCS_1_EMSA, modulus_bitlen, out, &outlen, &decoded)) != CRYPT_OK) {
121 if (padding == LTC_PKCS_1_V1_5) {
122 unsigned long loid[16], reallen;
123 ltc_asn1_list digestinfo[2], siginfo[2];
125 /* not all hashes have OIDs... so sad */
126 if (hash_descriptor[hash_idx].OIDlen == 0) {
127 err = CRYPT_INVALID_ARG;
131 /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */
132 /* construct the SEQUENCE
134 SEQUENCE {hashoid OID
140 LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0]));
141 LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0);
142 LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2);
143 LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen);
145 if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) {
146 /* fallback to Legacy:missing NULL */
147 LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 1);
148 if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) {
154 if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
160 if ((reallen == outlen) &&
161 (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
162 (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
163 (siginfo[1].size == hashlen) &&
164 (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {
168 /* only check if the hash is equal */
169 if ((hashlen == outlen) &&
170 (XMEMCMP(out, hash, hashlen) == 0)) {
175 #ifdef LTC_CLEAN_STACK
176 zeromem(out, outlen);
182 #ifdef LTC_CLEAN_STACK
183 zeromem(tmpbuf, siglen);
189 #endif /* LTC_MRSA */
191 /* ref: $Format:%D$ */
192 /* git commit: $Format:%H$ */
193 /* commit time: $Format:%ai$ */