Open-Transactions  0.93.0-ge03d287
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
opentxs::OTCrypto_OpenSSL::OTCrypto_OpenSSLdp Class Reference

Public Member Functions

bool SignContractDefaultHash (const OTString &strContractUnsigned, const EVP_PKEY *pkey, OTSignature &theSignature, const OTPasswordData *pPWData=nullptr) const
 
bool VerifyContractDefaultHash (const OTString &strContractToVerify, const EVP_PKEY *pkey, const OTSignature &theSignature, const OTPasswordData *pPWData=nullptr) const
 
bool SignContract (const OTString &strContractUnsigned, const EVP_PKEY *pkey, OTSignature &theSignature, const OTString &strHashType, const OTPasswordData *pPWData=nullptr) const
 
bool VerifySignature (const OTString &strContractToVerify, const EVP_PKEY *pkey, const OTSignature &theSignature, const OTString &strHashType, const OTPasswordData *pPWData=nullptr) const
 

Static Public Member Functions

static const EVP_MD * GetOpenSSLDigestByName (const OTString &theName)
 

Detailed Description

Definition at line 212 of file OTCrypto.cpp.

Member Function Documentation

const EVP_MD * opentxs::OTCrypto_OpenSSL::OTCrypto_OpenSSLdp::GetOpenSSLDigestByName ( const OTString theName)
static

Definition at line 1636 of file OTCrypto.cpp.

1638 {
1639  if (theName.Compare("SHA1"))
1640  return EVP_sha1();
1641  else if (theName.Compare("SHA224"))
1642  return EVP_sha224();
1643  else if (theName.Compare("SHA256"))
1644  return EVP_sha256();
1645  else if (theName.Compare("SHA384"))
1646  return EVP_sha384();
1647  else if (theName.Compare("SHA512"))
1648  return EVP_sha512();
1649  //#ifndef ANDROID
1650  else if (theName.Compare("WHIRLPOOL")) // Todo: follow up on any cleanup
1651  // issues related to this. (Are the
1652  // others dynamically allocated? This
1653  // one isn't.)
1654  return EVP_whirlpool();
1655  //#endif
1656  return nullptr;
1657 }
bool opentxs::OTCrypto_OpenSSL::OTCrypto_OpenSSLdp::SignContract ( const OTString strContractUnsigned,
const EVP_PKEY *  pkey,
OTSignature theSignature,
const OTString strHashType,
const OTPasswordData pPWData = nullptr 
) const

Definition at line 4640 of file OTCrypto.cpp.

4644 {
4645  OT_ASSERT_MSG(nullptr != pkey,
4646  "Null private key sent to OTCrypto_OpenSSL::SignContract.\n");
4647 
4648  const char* szFunc = "OTCrypto_OpenSSL::SignContract";
4649 
4650  class _OTCont_SignCont1
4651  {
4652  private:
4653  const char* m_szFunc;
4654  EVP_MD_CTX& m_ctx;
4655 
4656  public:
4657  _OTCont_SignCont1(const char* param_szFunc, EVP_MD_CTX& param_ctx)
4658  : m_szFunc(param_szFunc)
4659  , m_ctx(param_ctx)
4660  {
4661  OT_ASSERT(nullptr != m_szFunc);
4662 
4663  EVP_MD_CTX_init(&m_ctx);
4664  }
4665  ~_OTCont_SignCont1()
4666  {
4667  if (0 == EVP_MD_CTX_cleanup(&m_ctx))
4668  otErr << m_szFunc << ": Failure in cleanup. (It returned 0.)\n";
4669  }
4670  };
4671 
4672  // Moving this lower...
4673 
4674  // _OTCont_SignCont1 theInstance(szFunc, md_ctx);
4675 
4676  // OTString strDoubleHash;
4677 
4678  // Are we using the special SAMY hash? In which case, we have to actually
4679  // combine two signatures.
4680  const bool bUsesDefaultHashAlgorithm =
4681  strHashType.Compare(OTIdentifier::DefaultHashAlgorithm);
4682  EVP_MD* md = nullptr;
4683 
4684  // SAMY hash. (The "default" hash.)
4685  if (bUsesDefaultHashAlgorithm) {
4686  // OTIdentifier hash1, hash2;
4687  //
4688  // hash1.CalculateDigest(strContractUnsigned,
4689  // OTIdentifier::HashAlgorithm1);
4690  // hash2.CalculateDigest(strContractUnsigned,
4691  // OTIdentifier::HashAlgorithm2);
4692  //
4693  // hash1.XOR(hash2);
4694  // hash1.GetString(strDoubleHash);
4695  //
4696  // md = (EVP_MD
4697  // *)OTCrypto_OpenSSL::GetOpenSSLDigestByName(OTIdentifier::HashAlgorithm1);
4698 
4699  return SignContractDefaultHash(strContractUnsigned, pkey, theSignature,
4700  pPWData);
4701  }
4702 
4703  // else
4704  {
4705  md = (EVP_MD*)
4707  strHashType); // todo cast
4708  }
4709 
4710  // If it's not the default hash, then it's just a normal hash.
4711  // Either way then we process it, first by getting the message digest
4712  // pointer for signing.
4713 
4714  if (nullptr == md) {
4715  otErr << szFunc
4716  << ": Unable to decipher Hash algorithm: " << strHashType << "\n";
4717  return false;
4718  }
4719 
4720  // RE: EVP_SignInit() or EVP_MD_CTX_init()...
4721  //
4722  // Since only a copy of the digest context is ever finalized the
4723  // context MUST be cleaned up after use by calling EVP_MD_CTX_cleanup()
4724  // or a memory leak will occur.
4725  //
4726  EVP_MD_CTX md_ctx;
4727 
4728  _OTCont_SignCont1 theInstance(szFunc, md_ctx);
4729 
4730  // Do the signature
4731  // Note: I just changed this to the _ex version (in case I'm debugging later
4732  // and find a problem here.)
4733  //
4734  EVP_SignInit_ex(&md_ctx, md, nullptr);
4735 
4736  // if (bUsesDefaultHashAlgorithm)
4737  // {
4738  // EVP_SignUpdate (&md_ctx, strDoubleHash.Get(),
4739  // strDoubleHash.GetLength());
4740  // }
4741  // else
4742  {
4743  EVP_SignUpdate(&md_ctx, strContractUnsigned.Get(),
4744  strContractUnsigned.GetLength());
4745  }
4746 
4747  uint8_t sig_buf[4096]; // Safe since we pass the size when we use it.
4748 
4749  int32_t sig_len = sizeof(sig_buf);
4750  int32_t err = EVP_SignFinal(&md_ctx, sig_buf, (uint32_t*)&sig_len,
4751  (EVP_PKEY*)pkey); // todo cast
4752 
4753  if (err != 1) {
4754  otErr << szFunc << ": Error signing xml contents.\n";
4755  return false;
4756  }
4757  else {
4758  otLog3 << szFunc << ": Successfully signed xml contents.\n";
4759 
4760  // We put the signature data into the signature object that
4761  // was passed in for that purpose.
4762  OTData tempData;
4763  tempData.Assign(sig_buf, sig_len);
4764  theSignature.SetData(tempData);
4765 
4766  return true;
4767  }
4768 }
OTLOG_IMPORT OTLogStream otLog3
bool SignContractDefaultHash(const OTString &strContractUnsigned, const EVP_PKEY *pkey, OTSignature &theSignature, const OTPasswordData *pPWData=nullptr) const
Definition: OTCrypto.cpp:3738
#define OT_ASSERT(x)
Definition: Assert.hpp:150
static EXPORT const OTString DefaultHashAlgorithm
#define OT_ASSERT_MSG(x, s)
Definition: Assert.hpp:155
OTLOG_IMPORT OTLogStream otErr
static const EVP_MD * GetOpenSSLDigestByName(const OTString &theName)
Definition: OTCrypto.cpp:1636
bool opentxs::OTCrypto_OpenSSL::OTCrypto_OpenSSLdp::SignContractDefaultHash ( const OTString strContractUnsigned,
const EVP_PKEY *  pkey,
OTSignature theSignature,
const OTPasswordData pPWData = nullptr 
) const

Definition at line 3738 of file OTCrypto.cpp.

3741 {
3742  const char* szFunc = "OTCrypto_OpenSSL::SignContractDefaultHash";
3743 
3744  bool bReturnValue = false;
3745 
3746  // These two contain the output of the two message digest
3747  // functions that we're using (SHA-256 and WHIRLPOOL.)
3748  // the two output hashes are then merged together into this one.
3749  std::vector<uint8_t> vOutputHash1(OTCryptoConfig::SymmetricKeySizeMax());
3750  std::vector<uint8_t> vOutputHash2(OTCryptoConfig::SymmetricKeySizeMax());
3751  std::vector<uint8_t> vDigest(OTCryptoConfig::SymmetricKeySizeMax());
3752 
3753  // This stores the message digest, pre-encrypted, but with the padding
3754  // added.
3755  // This stores the final signature, when the EM value has been signed by RSA
3756  // private key.
3757  std::vector<uint8_t> vEM(OTCryptoConfig::PublicKeysizeMax());
3758  std::vector<uint8_t> vpSignature(OTCryptoConfig::PublicKeysizeMax());
3759 
3760  uint32_t uDigest1Len =
3761  OTCryptoConfig::Digest1Size(); // 32 bytes == 256 bits. (These are used
3762  // for function output below, not input.)
3763  uint32_t uDigest2Len =
3764  OTCryptoConfig::Digest2Size(); // 64 bytes == 512 bits. (These are used
3765  // for function output below, not input.)
3766 
3767  EVP_MD_CTX mdHash1_ctx, mdHash2_ctx;
3768 
3769  // OTPassword::zeroMemory(uint8_t* szMemory, uint32_t theSize);
3770  // OTPassword::zeroMemory(void* vMemory, uint32_t theSize);
3771  OTPassword::zeroMemory(&vOutputHash1.at(0),
3773  OTPassword::zeroMemory(&vOutputHash2.at(0),
3775  OTPassword::zeroMemory(&vDigest.at(0),
3778  OTPassword::zeroMemory(&vpSignature.at(0),
3780 
3781  // Here, we convert the EVP_PKEY that was passed in, to an RSA key for
3782  // signing.
3783  //
3784  RSA* pRsaKey = EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(pkey));
3785 
3786  if (!pRsaKey) {
3787  otErr << szFunc << ": EVP_PKEY_get1_RSA failed with error "
3788  << ERR_error_string(ERR_get_error(), nullptr) << "\n";
3789  return false;
3790  }
3791 
3792  // Since the idea of this special code is that we're using 2 hash
3793  // algorithms,
3794  // let's look them up and see what they are.
3795  // addendum: unless we're on Android... then there's only 1 hash algorithm.
3796  //
3797  const EVP_MD* digest1 =
3799  OTIdentifier::HashAlgorithm1); // SHA-256
3800 
3801  if (nullptr == digest1) {
3802  otErr << szFunc << ": Failure to load message digest algorithm.\n";
3803  RSA_free(pRsaKey);
3804  pRsaKey = nullptr;
3805  return false;
3806  }
3807 
3808  // hash the contents of the contract with HashAlgorithm1 (SHA-256)
3809  EVP_MD_CTX_init(&mdHash1_ctx);
3810  EVP_DigestInit(&mdHash1_ctx, digest1); // digest1 is the actual algorithm
3811  EVP_DigestUpdate(&mdHash1_ctx, strContractUnsigned.Get(),
3812  strContractUnsigned.GetLength()); // input
3813  EVP_DigestFinal(&mdHash1_ctx, &vOutputHash1.at(0),
3814  &uDigest1Len); // output and length
3815  EVP_MD_CTX_cleanup(&mdHash1_ctx); // cleanup
3816 
3817  /*
3818  TODO:
3819  The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are
3820  obsolete but are retained to maintain compatibility
3821  with existing code. New applications should use EVP_DigestInit_ex(),
3822  EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex() because they
3823  can efficiently reuse a digest context instead of initializing and cleaning
3824  it up on each call and allow non default implementations
3825  of digests to be specified.
3826  */
3827  //#ifndef ANDROID
3828  const EVP_MD* digest2 =
3830  OTIdentifier::HashAlgorithm2); // WHIRLPOOL (512)
3831 
3832  if (nullptr == digest2) {
3833  otErr << szFunc << ": Failure to load message digest algorithm.\n";
3834  RSA_free(pRsaKey);
3835  pRsaKey = nullptr;
3836  return false;
3837  }
3838 
3839  // hash the same contents with HashAlgorithm2 (WHIRLPOOL)
3840  EVP_MD_CTX_init(&mdHash2_ctx);
3841  EVP_DigestInit(&mdHash2_ctx, digest2); // digest2 is the algorithm
3842  EVP_DigestUpdate(&mdHash2_ctx, strContractUnsigned.Get(),
3843  strContractUnsigned.GetLength()); // Input
3844  EVP_DigestFinal(&mdHash2_ctx, &vOutputHash2.at(0),
3845  &uDigest2Len); // output and length
3846  EVP_MD_CTX_cleanup(&mdHash2_ctx); // cleanup
3847 
3848  // (Goes with the smaller size.)
3849  const uint32_t uDigestMergedLength =
3850  (uDigest1Len > uDigest2Len ? uDigest2Len : uDigest1Len);
3851 
3852  // XOR the two together
3853  //
3854  for (uint32_t i = 0; i < uDigestMergedLength; i++) {
3855  vDigest.at(i) = ((vOutputHash1.at(i)) ^ (vOutputHash2.at(i)));
3856  }
3857  //#else // ANDROID
3858  // const uint32_t uDigestMergedLength = uDigest1Len;
3859  //
3860  // for (int32_t i = 0; i < uDigestMergedLength; i++)
3861  // {
3862  // pDigest[i] = (vOutputHash1.at(i));
3863  // }
3864  //#endif // ANDROID
3865 
3866  // pDigest is now set up.
3867  // uDigestMergedLength contains its length in bytes.
3868 
3869  /*
3870  NOTE:
3871  RSA_sign only supports PKCS# 1 v1.5 padding which always gives the same
3872  output for the same input data.
3873  If you want to perfom a digital signature with PSS padding, you have to
3874  pad the data yourself by calling RSA_padding_add_PKCS1_PSS and then call
3875  RSA_private_encrypt on the padded output after setting its last
3876  parameter to RSA_NO_PADDING.
3877 
3878  I have written a small sample code that shows how to perform PSS
3879  signature and verification. You can get the code from the following link:
3880  http://www.idrix.fr/Root/Samples/openssl_pss_signature.c
3881 
3882  I hope this answers your questions.
3883  Cheers,
3884  --
3885  Mounir IDRASSI
3886  */
3887  // compute the PSS padded data
3888  // the result goes into EM.
3889 
3890  /*
3891  int32_t RSA_padding_add_PKCS1_PSS(RSA* rsa, uint8_t* EM, const uint8_t*
3892  mHash, const EVP_MD* Hash, int32_t sLen);
3893  */
3894  // int32_t RSA_padding_add_xxx(uint8_t* to, int32_t tlen,
3895  // uint8_t *f, int32_t fl);
3896  // RSA_padding_add_xxx() encodes *fl* bytes from *f* so as to fit into
3897  // *tlen*
3898  // bytes and stores the result at *to*.
3899  // An error occurs if fl does not meet the size requirements of the encoding
3900  // method.
3901  // The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
3902  // The RSA_padding_check_xxx() functions return the length of the recovered
3903  // data, -1 on error.
3904 
3905  // rsa EM mHash Hash sLen
3906  // in OUT IN in in
3907  int32_t status =
3908  RSA_padding_add_PKCS1_PSS(pRsaKey, &vEM.at(0), &vDigest.at(0), digest1,
3909  -2); // maximum salt length
3910 
3911  // Above, pDigest is the input, but its length is not needed, since it is
3912  // determined
3913  // by the digest algorithm (digest1.) In this case, that size is 32 bytes ==
3914  // 256 bits.
3915 
3916  // Also notice that digest1 and digest2 are both processed, and then digest1
3917  // is used here
3918  // again, since RSA_padding_add_PKCS1_PSS requires a digest. Might be
3919  // optimization opportunities there.
3920  //
3921  // More clearly: pDigest is 256 bits int64_t, aka 32 bytes. The call to
3922  // RSA_padding_add_PKCS1_PSS above
3923  // is transforming its contents based on digest1, into EM. Once this is
3924  // done, the new digest stored in
3925  // EM will be RSA_size(pRsaKey)-11 bytes in size, with the rest padded.
3926  // Therefore if this is sucessful, then we can call RSA_private_encrypt
3927  // without any further padding,
3928  // since it's already accomplished here. EM itself will be RSA_size(pRsaKey)
3929  // in size total (exactly.)
3930 
3931  if (!status) // 1 or 0.
3932  {
3933  otErr << __FILE__ << ": RSA_padding_add_PKCS1_PSS failure: "
3934  << ERR_error_string(ERR_get_error(), nullptr) << "\n";
3935  RSA_free(pRsaKey);
3936  pRsaKey = nullptr;
3937  return false;
3938  }
3939 
3940  // EM is now set up.
3941  // But how big is it? Answer: RSA_size(pRsaKey)
3942  // No size is returned because the whole point of RSA_padding_add_PKCS1_PSS
3943  // is to safely pad
3944  // pDigest into EM within a specific size based on the keysize.
3945 
3946  // RSA_padding_check_xxx() verifies that the fl bytes at f contain a valid
3947  // encoding for a rsa_len byte RSA key in the respective
3948  // encoding method and stores the recovered data of at most tlen bytes (for
3949  // RSA_NO_PADDING: of size tlen) at to.
3950 
3951  // RSA_private_encrypt
3952  // int32_t RSA_private_encrypt(int32_t flen, uint8_t* from,
3953  // uint8_t *to, RSA* rsa, int32_t padding);
3954  // RSA_private_encrypt() signs the *flen* bytes at *from* (usually a message
3955  // digest with
3956  // an algorithm identifier) using the private key rsa and stores the
3957  // signature in *to*.
3958  // to must point to RSA_size(rsa) bytes of memory.
3959  // RSA_private_encrypt() returns the size of the signature (i.e.,
3960  // RSA_size(rsa)).
3961  //
3962  status = RSA_private_encrypt(
3963  RSA_size(pRsaKey), // input
3964  &vEM.at(0), // padded message digest (input)
3965  &vpSignature.at(0), // encrypted padded message digest (output)
3966  pRsaKey, // private key (input )
3967  RSA_NO_PADDING); // why not RSA_PKCS1_PADDING ? (Custom padding above in
3968  // PSS mode with two hashes.)
3969 
3970  if (status == -1) {
3971  otErr << szFunc << ": RSA_private_encrypt failure: "
3972  << ERR_error_string(ERR_get_error(), nullptr) << "\n";
3973  RSA_free(pRsaKey);
3974  pRsaKey = nullptr;
3975  return false;
3976  }
3977  // status contains size
3978 
3979  OTData binSignature(&vpSignature.at(0), status); // RSA_private_encrypt
3980  // actually returns the
3981  // right size.
3982  // OTData binSignature(pSignature, 128); // stop hardcoding this block
3983  // size.
3984 
3985  // theSignature that was passed in, now contains the final signature.
3986  // The contents were hashed twice, and the resulting hashes were
3987  // XOR'd together, and then padding was added, and then it was signed
3988  // with the private key.
3989  theSignature.SetData(binSignature, true); // true means, "yes, with newlines
3990  // in the b64-encoded output,
3991  // please."
3992  bReturnValue = true;
3993 
3994  if (pRsaKey) RSA_free(pRsaKey);
3995  pRsaKey = nullptr;
3996 
3997  return bReturnValue;
3998 }
static EXPORT const OTString HashAlgorithm2
EXPORT void zeroMemory()
Definition: OTPassword.cpp:281
static EXPORT uint32_t SymmetricKeySizeMax()
Definition: OTCrypto.cpp:387
static EXPORT uint32_t Digest1Size()
Definition: OTCrypto.cpp:407
static EXPORT uint32_t PublicKeysizeMax()
Definition: OTCrypto.cpp:403
OTLOG_IMPORT OTLogStream otErr
static EXPORT uint32_t Digest2Size()
Definition: OTCrypto.cpp:411
static const EVP_MD * GetOpenSSLDigestByName(const OTString &theName)
Definition: OTCrypto.cpp:1636
static EXPORT const OTString HashAlgorithm1
bool opentxs::OTCrypto_OpenSSL::OTCrypto_OpenSSLdp::VerifyContractDefaultHash ( const OTString strContractToVerify,
const EVP_PKEY *  pkey,
const OTSignature theSignature,
const OTPasswordData pPWData = nullptr 
) const

Definition at line 4008 of file OTCrypto.cpp.

4011 {
4012  const char* szFunc = "OTCrypto_OpenSSL::VerifyContractDefaultHash";
4013 
4014  bool bReturnValue = false;
4015 
4016  std::vector<uint8_t> vOutputHash1(
4017  OTCryptoConfig::SymmetricKeySizeMax()); // These two contain the output
4018  // of the two message digest
4019  std::vector<uint8_t> vOutputHash2(
4020  OTCryptoConfig::SymmetricKeySizeMax()); // functions that we're using
4021  // (SHA-256 and WHIRLPOOL.)
4022  std::vector<uint8_t> vDigest(
4023  OTCryptoConfig::SymmetricKeySizeMax()); // the two output hashes are
4024  // then merged together into
4025  // this one.
4026 
4027  std::vector<uint8_t> vDecrypted(
4028  OTCryptoConfig::PublicKeysizeMax()); // Contains the decrypted
4029  // signature.
4030 
4031  uint32_t uDigest1Len =
4032  OTCryptoConfig::Digest1Size(); // 32 bytes == 256 bits. (These are used
4033  // for function output below, not input.)
4034  uint32_t uDigest2Len =
4035  OTCryptoConfig::Digest2Size(); // 64 bytes == 512 bits. (These are used
4036  // for function output below, not input.)
4037 
4038  EVP_MD_CTX mdHash1_ctx, mdHash2_ctx;
4039 
4040  OTPassword::zeroMemory(&vOutputHash1.at(0),
4042  OTPassword::zeroMemory(&vOutputHash2.at(0),
4044  OTPassword::zeroMemory(&vDigest.at(0),
4046  OTPassword::zeroMemory(&vDecrypted.at(0),
4048 
4049  // Here, we convert the EVP_PKEY that was passed in, to an RSA key for
4050  // signing.
4051  RSA* pRsaKey = EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(pkey));
4052 
4053  if (!pRsaKey) {
4054  otErr << szFunc << ": EVP_PKEY_get1_RSA failed with error "
4055  << ERR_error_string(ERR_get_error(), nullptr) << "\n";
4056  return false;
4057  }
4058 
4059  // Since the idea of this special code is that we're using 2 hash
4060  // algorithms,
4061  // let's look them up and see what they are.
4062  const EVP_MD* digest1 =
4064  OTIdentifier::HashAlgorithm1); // SHA-256
4065  if (nullptr == digest1) {
4066  otErr << szFunc << ": Failure to load message digest algorithm.\n";
4067  RSA_free(pRsaKey);
4068  pRsaKey = nullptr;
4069  return false;
4070  }
4071 
4072  // hash the contents of the contract with HashAlgorithm1 (SHA-256)
4073  EVP_MD_CTX_init(&mdHash1_ctx);
4074  EVP_DigestInit(&mdHash1_ctx, digest1); // digest1 is the algorithm itself
4075  EVP_DigestUpdate(&mdHash1_ctx, strContractToVerify.Get(),
4076  strContractToVerify.GetLength()); // input
4077  EVP_DigestFinal(&mdHash1_ctx, &vOutputHash1.at(0),
4078  &uDigest1Len); // output and size
4079  EVP_MD_CTX_cleanup(&mdHash1_ctx); // cleanup
4080 
4081  //#ifndef ANDROID // NOT Android.
4082  const EVP_MD* digest2 =
4084  OTIdentifier::HashAlgorithm2); // WHIRLPOOL
4085  if (nullptr == digest2) {
4086  otErr << szFunc << ": Failure to load message digest algorithm.\n";
4087  RSA_free(pRsaKey);
4088  pRsaKey = nullptr;
4089  return false;
4090  }
4091 
4092  // hash the same contents with HashAlgorithm2 (WHIRLPOOL)
4093  EVP_MD_CTX_init(&mdHash2_ctx);
4094  EVP_DigestInit(&mdHash2_ctx, digest2); // digest2 is the algorithm itself
4095  EVP_DigestUpdate(&mdHash2_ctx, strContractToVerify.Get(),
4096  strContractToVerify.GetLength()); // Input
4097  EVP_DigestFinal(&mdHash2_ctx, &vOutputHash2.at(0),
4098  &uDigest2Len); // output and size
4099  EVP_MD_CTX_cleanup(&mdHash2_ctx); // cleanup
4100 
4101  // (Goes with the smaller size.)
4102  const uint32_t uDigestMergedLength =
4103  (uDigest1Len > uDigest2Len ? uDigest2Len : uDigest1Len);
4104 
4105  // XOR the two together
4106  for (uint32_t i = 0; i < uDigestMergedLength; i++) {
4107  vDigest.at(i) = ((vOutputHash1.at(i)) ^ (vOutputHash2.at(i)));
4108  }
4109  //#else // ** is ** ANDROID
4110  //
4111  // // (Goes with the smaller size.)
4112  // const uint32_t uDigestMergedLength = uDigest1Len;
4113  //
4114  // for (int32_t i = 0; i < uDigest1Len; i++)
4115  // {
4116  // pDigest[i] = (pOutputHash1[i]);
4117  // }
4118  //#endif // ANDROID
4119 
4120  // Now we have the exact content in pDigest that we should also see if we
4121  // decrypt
4122  // the signature that was passed in.
4123  //
4124 
4125  OTPayload binSignature;
4126 
4127  // This will cause binSignature to contain the base64 decoded binary of the
4128  // signature that we're verifying. Unless the call fails of course...
4129  //
4130  if ((theSignature.GetLength() < 10) ||
4131  (false == theSignature.GetData(binSignature))) {
4132  otErr << szFunc << ": Error decoding base64 data for Signature.\n";
4133  RSA_free(pRsaKey);
4134  pRsaKey = nullptr;
4135  return false;
4136  }
4137 
4138  const int32_t nSignatureSize = static_cast<int32_t>(
4139  binSignature.GetSize()); // converting from unsigned to signed (since
4140  // openssl wants it that way.)
4141 
4142  if ((binSignature.GetSize() < static_cast<uint32_t>(RSA_size(pRsaKey))) ||
4143  (nSignatureSize < RSA_size(pRsaKey))) // this one probably unnecessary.
4144  {
4145  otErr << szFunc << ": Decoded base64-encoded data for signature, but "
4146  "resulting size was < RSA_size(pRsaKey): "
4147  "Signed: " << nSignatureSize
4148  << ". Unsigned: " << binSignature.GetSize() << ".\n";
4149  RSA_free(pRsaKey);
4150  pRsaKey = nullptr;
4151  return false;
4152  }
4153 
4154  // now we will verify the signature
4155  // Start by a RAW decrypt of the signature
4156  // output goes to pDecrypted
4157  // FYI: const void * binSignature.GetPointer()
4158 
4159  // RSA_PKCS1_OAEP_PADDING
4160  // RSA_PKCS1_PADDING
4161 
4162  // the 128 in the below call was a BUG. The SIZE of the ciphertext
4163  // (signature) being decrypted is NOT 128 (modulus / cleartext size).
4164  // Rather, the size of the signature is RSA_size(pRsaKey). Will have to
4165  // revisit this likely, elsewhere in the code.
4166  // status = RSA_public_decrypt(128, static_cast<const
4167  // uint8_t*>(binSignature.GetPointer()), pDecrypted, pRsaKey,
4168  // RSA_NO_PADDING);
4169  int32_t status = RSA_public_decrypt(
4170  nSignatureSize, // length of signature, aka RSA_size(rsa)
4171  static_cast<const uint8_t*>(
4172  binSignature.GetPayloadPointer()), // location of signature
4173  &vDecrypted.at(0), // Output--must be large enough to hold the md (which
4174  // is smaller than RSA_size(rsa) - 11)
4175  pRsaKey, // signer's public key
4176  RSA_NO_PADDING);
4177 
4178  // int32_t RSA_public_decrypt(int32_t flen, uint8_t* from,
4179  // uint8_t *to, RSA* rsa, int32_t padding);
4180 
4181  // RSA_public_decrypt() recovers the message digest from the *flen* bytes
4182  // int64_t signature at *from*,
4183  // using the signer's public key *rsa*.
4184  // padding is the padding mode that was used to sign the data.
4185  // *to* must point to a memory section large enough to hold the message
4186  // digest
4187  // (which is smaller than RSA_size(rsa) - 11).
4188  // RSA_public_decrypt() returns the size of the recovered message digest.
4189  /*
4190  message to be encrypted, an octet string of length at
4191  most k-2-2hLen, where k is the length in octets of the
4192  modulus n and hLen is the length in octets of the hash
4193  function output for EME-OAEP
4194  */
4195 
4196  if (status == -1) // Error
4197  {
4198  otErr << szFunc << ": RSA_public_decrypt failed with error "
4199  << ERR_error_string(ERR_get_error(), nullptr) << "\n";
4200  RSA_free(pRsaKey);
4201  pRsaKey = nullptr;
4202  return false;
4203  }
4204  // status contains size of recovered message digest after signature
4205  // decryption.
4206 
4207  // verify the data
4208  // Now it compares pDecrypted (the decrypted message digest from the
4209  // signature) with pDigest
4210  // (supposedly the same message digest, which we calculated above based on
4211  // the message itself.)
4212  // They SHOULD be the same.
4213  /*
4214  int32_t RSA_verify_PKCS1_PSS(RSA* rsa, const uint8_t* mHash, const EVP_MD* Hash, const uint8_t* EM, int32_t sLen)
4215  */ // rsa mHash Hash alg. EM sLen
4216  status = RSA_verify_PKCS1_PSS(pRsaKey, &vDigest.at(0), digest1,
4217  &vDecrypted.at(0),
4218  -2); // salt length recovered from signature
4219 
4220  if (status == 1) {
4221  otLog5 << " *Signature verified*\n";
4222  bReturnValue = true;
4223  }
4224  else {
4225  otLog5 << szFunc << ": RSA_verify_PKCS1_PSS failed with error: "
4226  << ERR_error_string(ERR_get_error(), nullptr) << "\n";
4227  RSA_free(pRsaKey);
4228  pRsaKey = nullptr;
4229  return false;
4230  }
4231 
4232  /*
4233 
4234  NOTE:
4235  RSA_private_encrypt() signs the flen bytes at from (usually a message
4236  digest with an algorithm identifier)
4237  using the private key rsa and stores the signature in to. to must point to
4238  RSA_size(rsa) bytes of memory.
4239 
4240  From: http://linux.die.net/man/3/rsa_public_decrypt
4241 
4242  RSA_NO_PADDING
4243  Raw RSA signature. This mode should only be used to implement
4244  cryptographically sound padding modes in the application code.
4245  Signing user data directly with RSA is insecure.
4246 
4247  RSA_PKCS1_PADDING
4248  PKCS #1 v1.5 padding. This function does not handle the algorithmIdentifier
4249  specified in PKCS #1. When generating or verifying
4250  PKCS #1 signatures, rsa_sign(3) and rsa_verify(3) should be used.
4251 
4252  Need to research this and make sure it's being done right.
4253 
4254  Perhaps my use of the lower-level call here is related to my use of two
4255  message-digest algorithms.
4256  -------------------------------
4257 
4258  On Sun, Feb 25, 2001 at 08:04:55PM -0500, Greg Stark wrote:
4259 
4260  > It is not a bug, it is a known fact. As Joseph Ashwood notes, you end up
4261  > trying to encrypt values that are larger than the modulus. The
4262  documentation
4263  > and most literature do tend to refer to moduli as having a certain
4264  "length"
4265  > in bits or bytes. This is fine for most discussions, but if you are
4266  planning
4267  > to use RSA to directly encrypt/decrypt AND you are not willing or able to
4268  > use one of the padding schemes, then you'll have to understand *all* the
4269  > details. One of these details is that it is possible to supply
4270  > RSA_public_encrypt() with plaintext values that are greater than the
4271  modulus
4272  > N. It returns values that are always between 0 and N-1, which is the only
4273  > reasonable behavior. Similarly, RSA_public_decrypt() returns values
4274  between
4275  > 0 and N-1.
4276 
4277  I have to confess I totally overlooked that and just assumed that if
4278  RSA_size(key) would be 1024, then I would be able to encrypt messages of
4279  1024
4280  bits.
4281 
4282  > There are multiple solutions to this problem. A generally useful one
4283  > is to use the RSA PKCS#1 ver 1.5 padding
4284  > (http://www.rsalabs.com/pkcs/pkcs-1/index.html). If you don't like that
4285  > padding scheme, then you might want to read the PKCS#1 document for the
4286  > reasons behind that padding scheme and decide for yourself where you can
4287  > modify it. It sounds like it be easiest if you just follow Mr. Ashwood's
4288  > advice. Is there some problem with that?
4289 
4290  Yes well, upon reading the PKCS#1 v1.5 document I noticed that Mr. Ashwood
4291  solves this problem by not only making the most significant bit zero, but
4292  in
4293  fact the 6 most significant bits.
4294 
4295  I don't want to use one of the padding schemes because I already know the
4296  message size in advance, and so does a possible attacker. Using a padding
4297  scheme would therefore add known plaintext, which does not improve
4298  security.
4299 
4300  But thank you for the link! I think this solves my problem now :).
4301  */
4302 
4303  /*
4304  #include <openssl/rsa.h>
4305 
4306  int32_t RSA_sign(int32_t type, const uint8_t* m, uint32_t m_len, uint8_t*
4307  sigret, uint32_t* siglen, RSA* rsa);
4308  int32_t RSA_verify(int32_t type, const uint8_t* m, uint32_t m_len, uint8_t*
4309  sigbuf, uint32_t siglen, RSA* rsa);
4310 
4311  DESCRIPTION
4312 
4313  RSA_sign() signs the message digest m of size m_len using the private key
4314  rsa as specified in PKCS #1 v2.0.
4315  It stores the signature in sigret and the signature size in siglen. sigret
4316  must point to RSA_size(rsa) bytes of memory.
4317 
4318  type denotes the message digest algorithm that was used to generate m. It
4319  usually is one of NID_sha1, NID_ripemd160
4320  and NID_md5; see objects(3) for details. If type is NID_md5_sha1, an SSL
4321  signature (MD5 and SHA1 message digests with
4322  PKCS #1 padding and no algorithm identifier) is created.
4323 
4324  RSA_verify() verifies that the signature sigbuf of size siglen matches a
4325  given message digest m of size m_len. type
4326  denotes the message digest algorithm that was used to generate the
4327  signature. rsa is the signer's public key.
4328 
4329  RETURN VALUES
4330 
4331  RSA_sign() returns 1 on success, 0 otherwise. RSA_verify() returns 1 on
4332  successful verification, 0 otherwise.
4333 
4334  The error codes can be obtained by ERR_get_error(3).
4335  */
4336 
4337  /*
4338  Hello,
4339  > I am getting the following error in calling OCSP_basic_verify():
4340  >
4341  > error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for
4342  modulus
4343  >
4344  > Could somebody advice what is going wrong?
4345 
4346  In RSA you can encrypt/decrypt only as much data as RSA key size
4347  (size of RSA key is the size of modulus n = p*q).
4348  In this situation, RSA routine checks size of data to decrypt
4349  (probably signature) and this size of bigger than RSA key size,
4350  this if of course error.
4351  I think that in this situation this is possible when OCSP was signed
4352  with (for example) 2048 bit key (private key) and you have some
4353  certificate with (maybe old) 1024 bit public key.
4354  In this case this error may happen.
4355  My suggestion is to check signer certificate.
4356 
4357  Best regards,
4358  --
4359  Marek Marcola <[EMAIL PROTECTED]>
4360 
4361 
4362 
4363  Daniel Stenberg | 16 Jul 19:57
4364 
4365  Re: SSL cert error with CURLOPT_SSL_VERIFYPEER
4366 
4367  On Thu, 16 Jul 2009, Stephen Collyer wrote:
4368 
4369  > error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for
4370  > modulus
4371 
4372  This sounds like an OpenSSL problem to me.
4373 
4374 
4375 
4376  http://www.mail-archive.com/[email protected]/msg38183.html
4377  On Tue, Dec 07, 2004, Jesse Hammons wrote:
4378 
4379  >
4380  > > Jesse Hammons wrote:
4381  > >
4382  > >> So to clarify: If I generate a 65-bit key, will I be able to use that
4383  > >> 65-bit key to sign any 64-bit value?
4384  > >
4385  > > Yes, but
4386  >
4387  > Actually, I have found the answer to be "no" :-)
4388  >
4389  > > a 65 bit key won't be very secure AT ALL, it will be
4390  > > very easy to factor a modulus that small.
4391  >
4392  > Security is not my goal. This is more of a theoretical exercise that
4393  > happens to have a practical application for me.
4394  >
4395  > > Bottom line: asymmetrical
4396  > > (public-key) encryption has a fairly large "minimum block size" that
4397  > > actually increases as key size increases.
4398  >
4399  > Indeed. I have found experimentally that:
4400  > * The minimum signable data quantity in OpenSSL is 1 byte
4401  > * The minimum size RSA key that can be used to sign 1 byte is 89 bits
4402  > * A signature created using a 64-bit RSA key would create a number 64
4403  > bits int64_t, BUT:
4404  > - This is not possible to do in OpenSSL because the maximum signable
4405  > quantity for a 64
4406  > bit RSA key is only a few bits, and OpenSSL input/output is done on
4407  > byte boundaries
4408  >
4409  > Do those number sound right?
4410 
4411  It depends on the padding mode. These insert/delete padding bytes depending
4412  on
4413  the mode used. If you use the no padding mode you can "sign" data equal to
4414  the
4415  modulus length but less than its magnitude.
4416 
4417  Check the manual pages (e.g. RSA_private_encrypt()) for more info.
4418 
4419 
4420 
4421 
4422 
4423  http://www.mail-archive.com/[email protected]/msg29731.html
4424  Hmm, the error message "RSA_R_DATA_TOO_LARGE_FOR_MODULUS"
4425  is triggered by:
4426 
4427  ... (from RSA_eay_private_encrypt() in rsa_eay.c)
4428  if (BN_ucmp(&f, rsa->n) >= 0)
4429  {
4430  // usually the padding functions would catch this
4431  RSAerr(...,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
4432  goto err;
4433  }
4434  ...
4435  => the error message has nothing to do with PKCS#1. It should tell you
4436  that your plaintext (as a BIGNUM) is greater (or equal) than the modulus.
4437  The typical error message in case of PKCS#1 error (in your case) would
4438  be "RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE".
4439 
4440  > I can arrange for the plaintext to be a little smaller: 14 octets is
4441  > definitely doable. (The 15 octet length for the ciphertext I can't
4442  exceed.)
4443  > If I arrange for the plaintext to be a zero followed by 14 octets of
4444  data,
4445  > can I make this work?
4446 
4447  it should work (, but what about a longer (== more secure) key ?)
4448 
4449  Regards,
4450  Nils
4451 
4452 
4453 
4454 
4455  For reasons that would be tedious to rehearse, the size of the encrypted
4456  block has to be not more than 15 octets.
4457  I was hoping for something a little more definitive than "should work."
4458 
4459 
4460  >
4461  > Would a good approach be perhaps to generate keys until I found one for
4462  > which n is greater than the bignum representation of the largest
4463  plaintext?
4464  > (Yeah, I know, this would restrict the key space, which might be a
4465  security
4466  > concern.)
4467 
4468  It would be sufficient is the highest bit of the plaintext is zero
4469  , because the highest bit of the modulus is certainly set
4470  (at least if the key is generated with OpenSSL).
4471 
4472  ...
4473  > > it should work (, but what about a longer (== more secure) key ?)
4474  >
4475  > For reasons that would be tedious to rehearse, the size of the encrypted
4476  > block has to be not more than 15 octets.
4477  >
4478  > I was hoping for something a little more definitive than "should work."
4479 
4480  Ok , unless something really strange happens: it will work :-)
4481 
4482  Regards,
4483  Nils
4484 
4485 
4486  Re: RSA_private_encrypt does not work with RSA_NO_PADDING option
4487  by Dr. Stephen Henson Jul 19, 2010; 10:31am :: Rate this Message: - Use
4488  ratings to moderate (?)
4489  Reply | Print | View Threaded | Show Only this Message
4490  On Mon, Jul 19, 2010, anhpham wrote:
4491 
4492  >
4493  > Hi all :x
4494  > I encountered an error when using function RSA_private_encrypt with
4495  > RSA_NO_PADDING option.
4496  > I had an uint8_t array a with length = 20, RSA* r,
4497  > uint8_t* sig = (uint8_t*) malloc(RSA_size(r)) and then I invoked
4498  > function int32_t i = RSA_private_encrypt(20,a ,sign,r,RSA_NO_PADDING );
4499  The
4500  > returned value i = -1 means that this function failed. However, when I
4501  > invoked int32_t i = RSA_private_encrypt(20,a,sig,r,RSA_PKCS1_PADDING ),
4502  it did
4503  > run smoothly. I'm confused whether it is an error of the library or not
4504  but
4505  > I don't know how to solve this problem.
4506  > Please help me :-<
4507  ... [show rest of quote]
4508 
4509  If you use RSA_NO_PADDING you have to supply a buffer of RSA_size(r) bytes
4510  and
4511  whose value is less than the modulus.
4512 
4513  With RSA_PKCS1_PADDING you can pass up to RSA_size(r) - 11.
4514 
4515  Steve.
4516  --
4517  Dr Stephen N. Henson. OpenSSL project core developer.
4518  Commercial tech support now available see: http://www.openssl.org
4519 
4520 
4521 
4522  Hello,
4523 
4524  I have a problem, I cannot really cover.
4525 
4526  I'm using public key encryption together with RSA_NO_PADDING. The
4527  Key-/Modulus-Size is 128Byte and the message to be encrypted are also
4528  128Byte sized.
4529 
4530  Now my problem:
4531  Using the same (!) binary code (running in a debugging environment or not)
4532  it sometimes work properly, sometimes it failes with the following
4533  message:
4534 
4535  "error:04068084:rsa routines:RSA_EAY_PUBLIC_ENCRYPT:data too large for
4536  modulus"
4537 
4538  Reply:
4539  It is *not* enough that the modulus and message are both 128 bytes. You
4540  need
4541  a stronger condition.
4542 
4543  Suppose your RSA modulus, as a BigNum, is n. Suppose the data you are
4544  trying
4545  to encrypt, as a BigNum, is x. You must ensure that x < n, or you get that
4546  error message. That is one of the reasons to use a padding scheme such as
4547  RSA_PKCS1 padding.
4548 
4549 
4550  knotwork
4551  is this a reason to use larger keys or something? 4096 instead of2048 or
4552  1024?
4553 
4554  4:41
4555  FellowTraveler
4556  larger keys is one solution, and that is why I've been looking at mkcert.c
4557  which, BTW *you* need to look at mkcert.c since there are default values
4558  hardcoded, and I need you to give me a better idea of what you would want
4559  in those places, as a server operator.
4560  First argument of encrypt should have been key.size() and first argument of
4561  decrypt should have been RSA_size(myKey).
4562  Padding scheme should have been used
4563  furthermore, RSA_Sign and RSA_Verify should have been used instead of
4564  RSA_Public_Decrypt and RSA_Private_Encrypt
4565  What you are seeing, your error, is a perfectly normal result of the fact
4566  that the message data being passed in is too large for the modulus of your
4567  key.
4568  .
4569  All of the above fixes need to be investigated and implemented at some
4570  point, and that will almost certainly change the data format inside the key
4571  enough to invalidate all existing signatures
4572  This is a real bug you found, in the crypto.
4573 
4574  4:43
4575  knotwork
4576  zmq got you thinking you could have large messages so you forgot the crypto
4577  had its own limits on message size?
4578 
4579  4:43
4580  FellowTraveler
4581  it's not message size per se
4582  it's message DIGEST size in relation to key modulus
4583  which must be smaller based on a bignum comparison of the two
4584  RSA_Size is supposed to be used in decrypt
4585 
4586  4:44
4587  knotwork
4588  a form of the resync should fix everything, it just needs to run throguh
4589  everything resigning it with new type of signature?
4590 
4591  4:44
4592  FellowTraveler
4593  not that simple
4594  I would have to code some kind of special "convert legacy data" thing into
4595  OT itself
4596  though there might be a stopgap measure now, good enough to keep data until
4597  all the above fixes are made
4598  ok see if this fixes it for you......
4599  knotwork, go into OTLib/OTContract.cpp
4600  Find the first line that begins with status = RSA_public_decrypt
4601 
4602  4:46
4603  knotwork
4604  vanalces would be enough maybe. jsut a way to set balances of all accoutns
4605  to whatever they actually are at the time
4606 
4607  4:46
4608  FellowTraveler
4609  the only other one is commented out, so it's not hard
4610  you will see a hardcoded size: status = RSA_public_decrypt(128,
4611  CHANGE the 128 to this value:
4612  RSA_size(pRsaKey)
4613  for now you can change the entire line to this:
4614  status = RSA_public_decrypt(RSA_size(pRsaKey), static_cast<const
4615  uint8_t*>(binSignature.GetPointer()), pDecrypted, pRsaKey, RSA_NO_PADDING);
4616  Then see if your bug goes away
4617  I will still need to make fixes someday though, even if this works, and
4618  will have to lose or convert data.
4619  4:48
4620  otherwise there could be security issues down the road.
4621 
4622 
4623  TODO SECURITY ^ sign/verify needs revamping!
4624 
4625  UPDATE: Okay I may have it fixed now, though need to test still.
4626 
4627  http://www.bmt-online.org/geekisms/RSA_verify
4628 
4629  Also see: ~/Projects/openssl/demos/sign
4630  */
4631 
4632  if (pRsaKey) RSA_free(pRsaKey);
4633  pRsaKey = nullptr;
4634 
4635  return bReturnValue;
4636 }
static EXPORT const OTString HashAlgorithm2
EXPORT void zeroMemory()
Definition: OTPassword.cpp:281
static EXPORT uint32_t SymmetricKeySizeMax()
Definition: OTCrypto.cpp:387
static EXPORT uint32_t Digest1Size()
Definition: OTCrypto.cpp:407
static EXPORT uint32_t PublicKeysizeMax()
Definition: OTCrypto.cpp:403
OTLOG_IMPORT OTLogStream otErr
static EXPORT uint32_t Digest2Size()
Definition: OTCrypto.cpp:411
static const EVP_MD * GetOpenSSLDigestByName(const OTString &theName)
Definition: OTCrypto.cpp:1636
static EXPORT const OTString HashAlgorithm1
OTLOG_IMPORT OTLogStream otLog5
bool opentxs::OTCrypto_OpenSSL::OTCrypto_OpenSSLdp::VerifySignature ( const OTString strContractToVerify,
const EVP_PKEY *  pkey,
const OTSignature theSignature,
const OTString strHashType,
const OTPasswordData pPWData = nullptr 
) const

Definition at line 4823 of file OTCrypto.cpp.

4827 {
4828  OT_ASSERT_MSG(strContractToVerify.Exists(),
4829  "OTCrypto_OpenSSL::VerifySignature: ASSERT FAILURE: "
4830  "strContractToVerify.Exists()");
4831  OT_ASSERT_MSG(nullptr != pkey,
4832  "Null pkey in OTCrypto_OpenSSL::VerifySignature.\n");
4833 
4834  const char* szFunc = "OTCrypto_OpenSSL::VerifySignature";
4835 
4836  // Are we using the special SAMY hash? In which case, we have to actually
4837  // combine two hashes.
4838  const bool bUsesDefaultHashAlgorithm =
4839  strHashType.Compare(OTIdentifier::DefaultHashAlgorithm);
4840  EVP_MD* md = nullptr;
4841 
4842  if (bUsesDefaultHashAlgorithm) {
4843  // OTIdentifier hash1, hash2;
4844  //
4845  // hash1.CalculateDigest(strContractToVerify,
4846  // OTIdentifier::HashAlgorithm1);
4847  // hash2.CalculateDigest(strContractToVerify,
4848  // OTIdentifier::HashAlgorithm2);
4849  //
4850  // hash1.XOR(hash2);
4851  // hash1.GetString(strDoubleHash);
4852  //
4853  // md = (EVP_MD
4854  // *)OTCrypto_OpenSSL::GetOpenSSLDigestByName(OTIdentifier::HashAlgorithm1);
4855 
4856  return VerifyContractDefaultHash(strContractToVerify, pkey,
4857  theSignature, pPWData);
4858  }
4859 
4860  // else
4861  {
4862  md = (EVP_MD*)
4864  strHashType); // todo cast
4865  }
4866 
4867  if (!md) {
4868  otWarn << szFunc
4869  << ": Unknown message digest algorithm: " << strHashType << "\n";
4870  return false;
4871  }
4872 
4873  OTPayload binSignature;
4874 
4875  // now binSignature contains the base64 decoded binary of the signature.
4876  // Unless the call failed of course...
4877  if (!theSignature.GetData(binSignature)) {
4878  otErr << szFunc << ": Error decoding base64 data for Signature.\n";
4879  return false;
4880  }
4881 
4882  EVP_MD_CTX ctx;
4883  EVP_MD_CTX_init(&ctx);
4884 
4885  EVP_VerifyInit(&ctx, md);
4886 
4887  // Here I'm adding the actual XML portion of the contract (the portion that
4888  // gets signed.)
4889  // Basically we are repeating similarly to the signing process in order to
4890  // verify.
4891 
4892  // if (bUsesDefaultHashAlgorithm)
4893  // {
4894  // EVP_VerifyUpdate(&ctx, strDoubleHash.Get(),
4895  // strDoubleHash.GetLength());
4896  // }
4897  // else
4898  {
4899  EVP_VerifyUpdate(&ctx, strContractToVerify.Get(),
4900  strContractToVerify.GetLength());
4901  }
4902 
4903  // Now we pass in the Signature
4904  // EVP_VerifyFinal() returns 1 for a correct signature,
4905  // 0 for failure and -1 if some other error occurred.
4906  //
4907  int32_t nErr = EVP_VerifyFinal(
4908  &ctx, (const uint8_t*)binSignature.GetPayloadPointer(), // todo cast
4909  (uint32_t)binSignature.GetSize(), (EVP_PKEY*)pkey); // todo cast
4910 
4911  EVP_MD_CTX_cleanup(&ctx);
4912 
4913  // the moment of true. 1 means the signature verified.
4914  if (1 == nErr)
4915  return true;
4916  else
4917  return false;
4918 }
static EXPORT const OTString DefaultHashAlgorithm
#define OT_ASSERT_MSG(x, s)
Definition: Assert.hpp:155
OTLOG_IMPORT OTLogStream otWarn
OTLOG_IMPORT OTLogStream otErr
bool VerifyContractDefaultHash(const OTString &strContractToVerify, const EVP_PKEY *pkey, const OTSignature &theSignature, const OTPasswordData *pPWData=nullptr) const
Definition: OTCrypto.cpp:4008
static const EVP_MD * GetOpenSSLDigestByName(const OTString &theName)
Definition: OTCrypto.cpp:1636

The documentation for this class was generated from the following file: