authorSansar Choinyambuu <schoinya@hsr.ch>2011-10-21 13:50:28 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2011-11-28 14:39:51 +0100
commit52ae3f27f86b28c6dfee0d138a765a9101ad0d91 (patch)
treee98eeea4409f105b1816ba930e5543a84cc6b57b /src
parent72684a710bf1ee14db8f261e7425284a490f758b (diff)
Used Openssl RSA_verify function
Diffstat (limited to 'src')
-rw-r--r--src/libimcv/plugins/imv_attestation/imv_attestation_process.c5
-rw-r--r--src/libpts/pts/pts.c67
2 files changed, 63 insertions, 9 deletions
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
index 5e3e70643..f0970431c 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
@@ -312,8 +312,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
hasher->allocate_hash(hasher, quote_info, &quote_digest);
hasher->destroy(hasher);
- if (!chunk_equals(pcr_comp, chunk_empty)
- && strncmp(quote_info.ptr, pcr_comp.ptr,
+ if (pcr_comp.ptr && strncmp(quote_info.ptr, pcr_comp.ptr,
quote_info.len - ASSESSMENT_SECRET_LEN) != 0)
{
DBG1(DBG_IMV, "calculated TPM Quote Info differs from received");
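Review bot: The rewritten condition still compares the two buffers with `strncmp`, which stops at the first NUL byte in either buffer, so if the Quote Info is binary (as the name suggests) it can report a match while later bytes differ. The length `quote_info.len - ASSESSMENT_SECRET_LEN` is also taken from `quote_info` alone: nothing in the hunk bounds it by `pcr_comp.len`, and it wraps if `quote_info.len` is smaller than `ASSESSMENT_SECRET_LEN`. I would check both lengths first and then compare with `memcmp(quote_info.ptr, pcr_comp.ptr, cmp_len) != 0`. The enclosing function starts and ends outside the hunk.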
@@ -325,7 +324,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
}
DBG2(DBG_IMV, "received TPM Quote Info matches with calculated");
- if (!chunk_equals(tpm_quote_sign, chunk_empty) &&
+ if (tpm_quote_sign.ptr &&
!pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
{
free(quote_digest.ptr);
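Review bot: With `if (tpm_quote_sign.ptr && !pts->verify_quote_signature(...))`, a message that carries no signature skips verification and continues on the same path as a verified quote. The `pcr_comp.ptr` guard in the previous hunk has the same shape. If an absent signature is legitimate for some request flags, that should be checked explicitly against what was requested and documented with a comment such as `/* signature is optional only when not requested */`; otherwise a missing signature should be treated as a failure. The surrounding code that decides what was requested is outside the hunk, so this needs confirming against the caller.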
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index da1c30c3d..05e4b7dac 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -29,6 +29,10 @@
#include <sys/utsname.h>
#include <errno.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
#define PTS_BUF_SIZE 4096
typedef struct private_pts_t private_pts_t;
@@ -1211,27 +1215,78 @@ METHOD(pts_t, get_quote_info, bool,
METHOD(pts_t, verify_quote_signature, bool,
private_pts_t *this, chunk_t data, chunk_t signature)
{
- /** Implementation using strongswan -> not working */
public_key_t *aik_pub_key;
+ chunk_t key_encoding;
+ EVP_PKEY *pkey = NULL;
+ RSA *rsa = NULL;
+ unsigned char *p;
aik_pub_key = this->aik->get_public_key(this->aik);
-
if (!aik_pub_key)
{
DBG1(DBG_PTS, "failed to get public key from AIK certificate");
return FALSE;
}
- if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
+ /** Implementation using strongswan -> not working */
+ /*if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, data, signature))
{
DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
- aik_pub_key->destroy(aik_pub_key);
- return FALSE;
+ goto cleanup;
}
+ */
- aik_pub_key->destroy(aik_pub_key);
+ if (!aik_pub_key->get_encoding(aik_pub_key, PUBKEY_SPKI_ASN1_DER, &key_encoding))
+ {
+ DBG1(DBG_PTS, "failed to get encoding of AIK public key");
+ goto cleanup;
+ }
+ p = key_encoding.ptr;
+ pkey = d2i_PUBKEY(NULL, (const unsigned char**)&p, key_encoding.len);
+ if (!pkey)
+ {
+ DBG1(DBG_PTS, "failed to get EVP_PKEY object from AIK public key encoding");
+ goto cleanup;
+ }
+
+ rsa = EVP_PKEY_get1_RSA(pkey);
+ if (!rsa)
+ {
+ DBG1(DBG_PTS, "failed to get RSA object from EVP_PKEY");
+ goto cleanup;
+ }
+
+ if (RSA_verify(NID_sha1, data.ptr, data.len, signature.ptr, signature.len, rsa) != 1)
+ {
+ DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
+ goto cleanup;
+ }
+
+ RSA_free(rsa);
+ EVP_PKEY_free(pkey);
+ if (key_encoding.ptr)
+ {
+ chunk_clear(&key_encoding);
+ }
+ aik_pub_key->destroy(aik_pub_key);
return TRUE;
+
+cleanup:
+ if (rsa)
+ {
+ RSA_free(rsa);
+ }
+ if (pkey)
+ {
+ EVP_PKEY_free(pkey);
+ }
+ if (key_encoding.ptr)
+ {
+ chunk_clear(&key_encoding);
+ }
+ DESTROY_IF(aik_pub_key);
+ return FALSE;
}
METHOD(pts_t, destroy, void,
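Review bot: `key_encoding` is declared without an initializer, yet the `cleanup:` label tests `key_encoding.ptr` and calls `chunk_clear(&key_encoding)`. When `get_encoding()` fails and jumps there, the code may read and free an indeterminate pointer unless `get_encoding()` is guaranteed to zero the chunk on failure, which is not visible here. Declaring it as `chunk_t key_encoding = chunk_empty;` makes the cleanup path safe. The release sequence is also written twice, once before `return TRUE;` and once under `cleanup:`; a single exit path with a `bool` result would keep the two from drifting apart. The commented-out `verify()` call is best removed or replaced by a short note on why the native verification was rejected.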