quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.cc - quiche - Git at Google

 // Copyright 2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //    https://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 #include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.h"

 #include <stdint.h>

 #include <memory>
 #include <string>
 #include <utility>

 #include "absl/memory/memory.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 #include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/constants.h"
 #include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h"
 #include "quiche/blind_sign_auth/anonymous_tokens/cpp/shared/status_utils.h"
 #include "quiche/blind_sign_auth/anonymous_tokens/proto/anonymous_tokens.pb.h"
 #include "openssl/bn.h"
 #include "openssl/rsa.h"

 namespace private_membership {
 namespace anonymous_tokens {

 absl::StatusOr<std::unique_ptr<RsaSsaPssVerifier>> RsaSsaPssVerifier::New(
     const int salt_length, const EVP_MD* sig_hash, const EVP_MD* mgf1_hash,
     const RSAPublicKey& public_key, absl::string_view public_metadata) {
   // Convert to OpenSSL RSA which will be used in the code paths for the
   // standard RSA blind signature scheme.
   //
   // Moreover, it will also be passed as an argument to PSS related padding
   // verification methods irrespective of whether RsaBlinder is being used as a
   // part of the standard RSA blind signature scheme or the scheme with public
   // metadata support.
   ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<RSA> rsa_public_key,
                                AnonymousTokensRSAPublicKeyToRSA(public_key));
   ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> rsa_modulus,
                                StringToBignum(public_key.n()));
   ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> rsa_e,
                                StringToBignum(public_key.e()));

   bssl::UniquePtr<BIGNUM> augemented_rsa_e = nullptr;
   // Currently if public metadata is not empty, RsaBlinder will compute a
   // modified public exponent.
   if (!public_metadata.empty()) {
     ANON_TOKENS_ASSIGN_OR_RETURN(
         augemented_rsa_e,
         ComputeFinalExponentUnderPublicMetadata(*rsa_modulus.get(),
                                                 *rsa_e.get(), public_metadata));
   }
   return absl::WrapUnique(new RsaSsaPssVerifier(
       salt_length, sig_hash, mgf1_hash, std::move(rsa_public_key),
       std::move(rsa_modulus), std::move(augemented_rsa_e)));
 }

 RsaSsaPssVerifier::RsaSsaPssVerifier(int salt_length, const EVP_MD* sig_hash,
                                      const EVP_MD* mgf1_hash,
                                      bssl::UniquePtr<RSA> rsa_public_key,
                                      bssl::UniquePtr<BIGNUM> rsa_modulus,
                                      bssl::UniquePtr<BIGNUM> augmented_rsa_e)
     : salt_length_(salt_length),
       sig_hash_(sig_hash),
       mgf1_hash_(mgf1_hash),
       rsa_public_key_(std::move(rsa_public_key)),
       rsa_modulus_(std::move(rsa_modulus)),
       augmented_rsa_e_(std::move(augmented_rsa_e)) {}

 absl::Status RsaSsaPssVerifier::Verify(absl::string_view unblind_token,
                                        absl::string_view message) {
   if (message.empty()) {
     return absl::InvalidArgumentError("Input message string is empty.");
   }

   ANON_TOKENS_ASSIGN_OR_RETURN(std::string message_digest,
                                ComputeHash(message, *sig_hash_));
   const int hash_size = EVP_MD_size(sig_hash_);
   // Make sure the size of the digest is correct.
   if (message_digest.size() != hash_size) {
     return absl::InvalidArgumentError(
         absl::StrCat("Size of the digest doesn't match the one "
                      "of the hashing algorithm; expected ",
                      hash_size, " got ", message_digest.size()));
   }
   const int rsa_modulus_size = BN_num_bytes(rsa_modulus_.get());
   if (unblind_token.size() != rsa_modulus_size) {
     return absl::InternalError("Signature size not equal to modulus size.");
   }

   std::string recovered_message_digest(rsa_modulus_size, 0);
   if (augmented_rsa_e_ == nullptr) {
     int recovered_message_digest_size = RSA_public_decrypt(
         /*flen=*/unblind_token.size(),
         /*from=*/reinterpret_cast<const uint8_t*>(unblind_token.data()),
         /*to=*/
         reinterpret_cast<uint8_t*>(recovered_message_digest.data()),
         /*rsa=*/rsa_public_key_.get(),
         /*padding=*/RSA_NO_PADDING);
     if (recovered_message_digest_size != rsa_modulus_size) {
       return absl::InvalidArgumentError(
           absl::StrCat("Invalid signature size (likely an incorrect key is "
                        "used); expected ",
                        rsa_modulus_size, " got ", recovered_message_digest_size,
                        ": ", GetSslErrors()));
     }
   } else {
     ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> unblind_token_bn,
                                  StringToBignum(unblind_token));
     if (BN_ucmp(unblind_token_bn.get(), rsa_modulus_.get()) >= 0) {
       return absl::InternalError("Data too large for modulus.");
     }
     ANON_TOKENS_ASSIGN_OR_RETURN(BnCtxPtr bn_ctx, GetAndStartBigNumCtx());
     bssl::UniquePtr<BN_MONT_CTX> bn_mont_ctx(
         BN_MONT_CTX_new_for_modulus(rsa_modulus_.get(), bn_ctx.get()));
     if (!bn_mont_ctx) {
       return absl::InternalError("BN_MONT_CTX_new_for_modulus failed.");
     }
     ANON_TOKENS_ASSIGN_OR_RETURN(
         bssl::UniquePtr<BIGNUM> recovered_message_digest_bn, NewBigNum());
     if (BN_mod_exp_mont(recovered_message_digest_bn.get(),
                         unblind_token_bn.get(), augmented_rsa_e_.get(),
                         rsa_modulus_.get(), bn_ctx.get(),
                         bn_mont_ctx.get()) != kBsslSuccess) {
       return absl::InternalError("Exponentiation failed.");
     }
     ANON_TOKENS_ASSIGN_OR_RETURN(
         recovered_message_digest,
         BignumToString(*recovered_message_digest_bn, rsa_modulus_size));
   }
   if (RSA_verify_PKCS1_PSS_mgf1(
           rsa_public_key_.get(),
           reinterpret_cast<const uint8_t*>(&message_digest[0]), sig_hash_,
           mgf1_hash_,
           reinterpret_cast<const uint8_t*>(recovered_message_digest.data()),
           salt_length_) != kBsslSuccess) {
     return absl::InvalidArgumentError(
         absl::StrCat("PSS padding verification failed: ", GetSslErrors()));
   }
   return absl::OkStatus();
 }

 }  // namespace anonymous_tokens
 }  // namespace private_membership
	// Copyright 2023 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// https://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.h"

	#include <stdint.h>

	#include <memory>
	#include <string>
	#include <utility>

	#include "absl/memory/memory.h"
	#include "absl/status/status.h"
	#include "absl/status/statusor.h"
	#include "absl/strings/str_cat.h"
	#include "absl/strings/string_view.h"
	#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/constants.h"
	#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h"
	#include "quiche/blind_sign_auth/anonymous_tokens/cpp/shared/status_utils.h"
	#include "quiche/blind_sign_auth/anonymous_tokens/proto/anonymous_tokens.pb.h"
	#include "openssl/bn.h"
	#include "openssl/rsa.h"

	namespace private_membership {
	namespace anonymous_tokens {

	absl::StatusOr<std::unique_ptr<RsaSsaPssVerifier>> RsaSsaPssVerifier::New(
	const int salt_length, const EVP_MD* sig_hash, const EVP_MD* mgf1_hash,
	const RSAPublicKey& public_key, absl::string_view public_metadata) {
	// Convert to OpenSSL RSA which will be used in the code paths for the
	// standard RSA blind signature scheme.
	//
	// Moreover, it will also be passed as an argument to PSS related padding
	// verification methods irrespective of whether RsaBlinder is being used as a
	// part of the standard RSA blind signature scheme or the scheme with public
	// metadata support.
	ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<RSA> rsa_public_key,
	AnonymousTokensRSAPublicKeyToRSA(public_key));
	ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> rsa_modulus,
	StringToBignum(public_key.n()));
	ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> rsa_e,
	StringToBignum(public_key.e()));

	bssl::UniquePtr<BIGNUM> augemented_rsa_e = nullptr;
	// Currently if public metadata is not empty, RsaBlinder will compute a
	// modified public exponent.
	if (!public_metadata.empty()) {
	ANON_TOKENS_ASSIGN_OR_RETURN(
	augemented_rsa_e,
	ComputeFinalExponentUnderPublicMetadata(*rsa_modulus.get(),
	*rsa_e.get(), public_metadata));
	}
	return absl::WrapUnique(new RsaSsaPssVerifier(
	salt_length, sig_hash, mgf1_hash, std::move(rsa_public_key),
	std::move(rsa_modulus), std::move(augemented_rsa_e)));
	}

	RsaSsaPssVerifier::RsaSsaPssVerifier(int salt_length, const EVP_MD* sig_hash,
	const EVP_MD* mgf1_hash,
	bssl::UniquePtr<RSA> rsa_public_key,
	bssl::UniquePtr<BIGNUM> rsa_modulus,
	bssl::UniquePtr<BIGNUM> augmented_rsa_e)
	: salt_length_(salt_length),
	sig_hash_(sig_hash),
	mgf1_hash_(mgf1_hash),
	rsa_public_key_(std::move(rsa_public_key)),
	rsa_modulus_(std::move(rsa_modulus)),
	augmented_rsa_e_(std::move(augmented_rsa_e)) {}

	absl::Status RsaSsaPssVerifier::Verify(absl::string_view unblind_token,
	absl::string_view message) {
	if (message.empty()) {
	return absl::InvalidArgumentError("Input message string is empty.");
	}

	ANON_TOKENS_ASSIGN_OR_RETURN(std::string message_digest,
	ComputeHash(message, *sig_hash_));
	const int hash_size = EVP_MD_size(sig_hash_);
	// Make sure the size of the digest is correct.
	if (message_digest.size() != hash_size) {
	return absl::InvalidArgumentError(
	absl::StrCat("Size of the digest doesn't match the one "
	"of the hashing algorithm; expected ",
	hash_size, " got ", message_digest.size()));
	}
	const int rsa_modulus_size = BN_num_bytes(rsa_modulus_.get());
	if (unblind_token.size() != rsa_modulus_size) {
	return absl::InternalError("Signature size not equal to modulus size.");
	}

	std::string recovered_message_digest(rsa_modulus_size, 0);
	if (augmented_rsa_e_ == nullptr) {
	int recovered_message_digest_size = RSA_public_decrypt(
	/flen=/unblind_token.size(),
	/from=/reinterpret_cast<const uint8_t*>(unblind_token.data()),
	/to=/
	reinterpret_cast<uint8_t*>(recovered_message_digest.data()),
	/rsa=/rsa_public_key_.get(),
	/padding=/RSA_NO_PADDING);
	if (recovered_message_digest_size != rsa_modulus_size) {
	return absl::InvalidArgumentError(
	absl::StrCat("Invalid signature size (likely an incorrect key is "
	"used); expected ",
	rsa_modulus_size, " got ", recovered_message_digest_size,
	": ", GetSslErrors()));
	}
	} else {
	ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> unblind_token_bn,
	StringToBignum(unblind_token));
	if (BN_ucmp(unblind_token_bn.get(), rsa_modulus_.get()) >= 0) {
	return absl::InternalError("Data too large for modulus.");
	}
	ANON_TOKENS_ASSIGN_OR_RETURN(BnCtxPtr bn_ctx, GetAndStartBigNumCtx());
	bssl::UniquePtr<BN_MONT_CTX> bn_mont_ctx(
	BN_MONT_CTX_new_for_modulus(rsa_modulus_.get(), bn_ctx.get()));
	if (!bn_mont_ctx) {
	return absl::InternalError("BN_MONT_CTX_new_for_modulus failed.");
	}
	ANON_TOKENS_ASSIGN_OR_RETURN(
	bssl::UniquePtr<BIGNUM> recovered_message_digest_bn, NewBigNum());
	if (BN_mod_exp_mont(recovered_message_digest_bn.get(),
	unblind_token_bn.get(), augmented_rsa_e_.get(),
	rsa_modulus_.get(), bn_ctx.get(),
	bn_mont_ctx.get()) != kBsslSuccess) {
	return absl::InternalError("Exponentiation failed.");
	}
	ANON_TOKENS_ASSIGN_OR_RETURN(
	recovered_message_digest,
	BignumToString(*recovered_message_digest_bn, rsa_modulus_size));
	}
	if (RSA_verify_PKCS1_PSS_mgf1(
	rsa_public_key_.get(),
	reinterpret_cast<const uint8_t*>(&message_digest[0]), sig_hash_,
	mgf1_hash_,
	reinterpret_cast<const uint8_t*>(recovered_message_digest.data()),
	salt_length_) != kBsslSuccess) {
	return absl::InvalidArgumentError(
	absl::StrCat("PSS padding verification failed: ", GetSslErrors()));
	}
	return absl::OkStatus();
	}

	} // namespace anonymous_tokens
	} // namespace private_membership