Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / d69d94e7e3fc1caaf9b785ca8a62494c3ea23164^! / . / crypto / x509 / algorithm.c
commitd69d94e7e3fc1caaf9b785ca8a62494c3ea23164[log] [tgz]
authorDavid Benjamin <davidben@google.com>Wed Mar 29 16:08:50 2017 -0500
committerAdam Langley <agl@google.com>Wed Apr 05 23:35:30 2017 +0000
tree7c17523b73065e48cff841ddd8eb0aba7f5f7071
parent4e78e30933dcad235020116f1461e846e9f3a599 [diff] [blame]
Teach crypto/x509 how to verify an Ed25519 signature.

BUG=187

Change-Id: I5775ce0886041b0c12174a7d665f3af1e8bce511
Reviewed-on: https://boringssl-review.googlesource.com/14505
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/crypto/x509/algorithm.c b/crypto/x509/algorithm.c
index 78ae882..6e0f3f2 100644
--- a/crypto/x509/algorithm.c
+++ b/crypto/x509/algorithm.c

@@ -101,8 +101,11 @@
   return 1;
 }
 
-int x509_digest_verify_init(EVP_MD_CTX *ctx, X509_ALGOR *sigalg,
-                            EVP_PKEY *pkey) {
+int x509_digest_verify_init(EVP_PKEY_CTX *ctx, X509_ALGOR *sigalg) {
+  if (!EVP_PKEY_verify_init(ctx)) {
+    return 0;
+  }
+
   /* Convert the signature OID into digest and public key OIDs. */
   int sigalg_nid = OBJ_obj2nid(sigalg->algorithm);
   int digest_nid, pkey_nid;
@@ -112,6 +115,7 @@
   }
 
   /* Check the public key OID matches the public key type. */
+  EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx);
   if (pkey_nid != EVP_PKEY_id(pkey)) {
     OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_PUBLIC_KEY_TYPE);
     return 0;
@@ -119,11 +123,18 @@
 
   /* NID_undef signals that there are custom parameters to set. */
   if (digest_nid == NID_undef) {
-    if (sigalg_nid != NID_rsassaPss) {
-      OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
-      return 0;
+    if (sigalg_nid == NID_rsassaPss) {
+      return x509_rsa_pss_to_ctx(ctx, sigalg);
     }
-    return x509_rsa_pss_to_ctx(ctx, sigalg, pkey);
+    if (sigalg_nid == NID_Ed25519) {
+      if (sigalg->parameter != NULL) {
+        OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PARAMETER);
+        return 0;
+      }
+      return 1; /* Nothing to configure. */
+    }
+    OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
+    return 0;
   }
 
   /* Otherwise, initialize with the digest from the OID. */
@@ -133,5 +144,5 @@
     return 0;
   }
 
-  return EVP_DigestVerifyInit(ctx, NULL, digest, NULL, pkey);
+  return EVP_PKEY_CTX_set_signature_md(ctx, digest);
 }