Verifies a signature on single-part data.
/*
 * Signature verification over a single buffer of data. The error strings below
 * refer to this routine as C_Verify; its name and the start of its parameter
 * list are not part of this listing.
 *
 * NOTE(review): this listing is incomplete. Several braces below open without
 * the condition that selects them, some LogError calls are cut short, and
 * pxSessionObj / pxHMACBuffer are used without a visible declaration. The
 * comments describe only what the visible lines do.
 *
 * @param[in] pData           Input to verify; must not be NULL. On the
 *                            mbedtls_pk_verify and mbedtls_ecdsa_verify paths
 *                            it is passed in the hash argument position.
 * @param[in] ulDataLen       Length of pData in bytes.
 * @param[in] pSignature      Signature or MAC tag to check; must not be NULL.
 * @param[in] ulSignatureLen  Length of pSignature in bytes.
 *
 * @return CKR_OK if no check failed; otherwise one of the values assigned
 * below: CKR_ARGUMENTS_BAD, CKR_DATA_LEN_RANGE, CKR_SIGNATURE_LEN_RANGE,
 * CKR_OPERATION_NOT_INITIALIZED, CKR_SIGNATURE_INVALID or CKR_CANT_LOCK.
 */
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pSignature,
CK_ULONG ulSignatureLen )
{
int32_t lMbedTLSResult;
CK_RV xResult = CKR_OK;
/* Receives the locally computed CMAC tag: one AES block, zero-initialised. */
CK_BYTE pxCMACBuffer[ MBEDTLS_AES_BLOCK_SIZE ] = { 0 };
/* Reject NULL buffers before anything dereferences them. */
if( ( NULL == pData ) ||
( NULL == pSignature ) )
{
LogError( (
"Failed verify operation. Received a NULL pointer." ) );
xResult = CKR_ARGUMENTS_BAD;
}
/*
 * Length validation. The mechanism tests and length comparisons that guard the
 * blocks below are missing from this listing, so which constant each branch
 * compares against can only be read from its error string.
 * NOTE(review): the later code reads pSignature at fixed sizes (32 + 32 bytes
 * for the EC path, MBEDTLS_AES_BLOCK_SIZE for CMAC); confirm that the checks
 * here reject any ulSignatureLen shorter than those reads.
 */
if( xResult == CKR_OK )
{
{
{
LogError( (
"Failed verify operation. Data Length was too "
"short for pkcs11RSA_2048_SIGNATURE_LENGTH." ) );
xResult = CKR_DATA_LEN_RANGE;
}
{
LogError( (
"Failed verify operation. Signature Length was too "
"short for pkcs11RSA_2048_SIGNATURE_LENGTH." ) );
xResult = CKR_SIGNATURE_LEN_RANGE;
}
}
{
{
LogError( (
"Failed verify operation. Data Length was too "
"short for pkcs11SHA256_DIGEST_LENGTH." ) );
xResult = CKR_DATA_LEN_RANGE;
}
{
/* NOTE(review): the message says "Data Length" but the code returned is
 * CKR_SIGNATURE_LEN_RANGE; the log text looks mislabelled here and in the
 * two branches that follow. */
LogError( (
"Failed verify operation. Data Length was too "
"short for pkcs11ECDSA_P256_SIGNATURE_LENGTH." ) );
xResult = CKR_SIGNATURE_LEN_RANGE;
}
}
{
{
LogError( (
"Failed verify operation. Data Length was too "
"short for pkcs11SHA256_DIGEST_LENGTH." ) );
xResult = CKR_SIGNATURE_LEN_RANGE;
}
}
{
{
LogError( (
"Failed verify operation. Data Length was too "
"short for PKCS11_AES_CMAC_MIN_SIZE." ) );
xResult = CKR_SIGNATURE_LEN_RANGE;
}
}
else
{
/* No verify operation is active on the session. */
LogError( (
"Failed verify operation. A C_Verify operation must be "
"initialized by a preceding call to C_VerifyInit. "
"This must happen before every call to C_Verify." ) );
xResult = CKR_OPERATION_NOT_INITIALIZED;
}
}
/* Cryptographic check, performed while holding the session's verify mutex. */
if( xResult == CKR_OK )
{
if( 0 == mbedtls_mutex_lock( &pxSessionObj->
xVerifyMutex ) )
{
{
{
/* Public-key verification through the generic pk layer; pData is passed
 * as the hash argument with MBEDTLS_MD_SHA256 as the digest type. */
lMbedTLSResult = mbedtls_pk_verify( &pxSessionObj->
xVerifyKey,
MBEDTLS_MD_SHA256,
pData,
ulDataLen,
pSignature,
ulSignatureLen );
/* Every mbed TLS failure is reported as CKR_SIGNATURE_INVALID; the
 * specific cause goes to the log only. */
if( 0 != lMbedTLSResult )
{
LogError( (
"Failed verify operation. mbedtls_pk_verify "
"failed: mbed TLS error = %s : %s.",
xResult = CKR_SIGNATURE_INVALID;
}
}
else
{
LogError( (
"Failed verify operation. Verify Key was not "
"present in session context." ) );
xResult = CKR_SIGNATURE_INVALID;
}
}
{
/* EC path: the signature is read as two raw 32-byte integers, R at
 * offset 0 and S at offset 32, and passed to mbedtls_ecdsa_verify. */
/* NOTE(review): no assignment to pxEcdsaContext appears in this listing,
 * yet it is dereferenced further down; confirm it is set from the session's
 * verify key before use. */
mbedtls_ecdsa_context * pxEcdsaContext;
mbedtls_mpi xR;
mbedtls_mpi xS;
mbedtls_mpi_init( &xR );
mbedtls_mpi_init( &xS );
/* Reads pSignature[0..31] without consulting ulSignatureLen here. */
lMbedTLSResult = mbedtls_mpi_read_binary( &xR, &pSignature[ 0 ], 32 );
if( lMbedTLSResult != 0 )
{
xResult = CKR_SIGNATURE_INVALID;
LogError( (
"Failed verify operation. Failed to parse R in EC "
"signature: mbed TLS error = %s : %s.",
}
else
{
/* Reads pSignature[32..63], again at a fixed size. */
lMbedTLSResult = mbedtls_mpi_read_binary( &xS, &pSignature[ 32 ], 32 );
if( lMbedTLSResult != 0 )
{
xResult = CKR_SIGNATURE_INVALID;
LogError( (
"Failed verify operation. Failed to parse S in "
"EC signature: mbed TLS error = %s : %s.",
}
}
if( xResult == CKR_OK )
{
{
lMbedTLSResult = mbedtls_ecdsa_verify( &pxEcdsaContext->grp, pData, ulDataLen, &pxEcdsaContext->Q, &xR, &xS );
}
if( lMbedTLSResult != 0 )
{
xResult = CKR_SIGNATURE_INVALID;
"mbedtls_ecdsa_verify failed: mbed TLS error = %s : %s.",
}
}
/* Both MPIs are released on the success and failure paths alike. */
mbedtls_mpi_free( &xR );
mbedtls_mpi_free( &xS );
}
{
/* HMAC path: feed pData into the session's HMAC context, then write the
 * resulting tag to pxHMACBuffer. */
lMbedTLSResult = mbedtls_md_hmac_update( &pxSessionObj->
xHMACSecretContext, pData, ulDataLen );
if( lMbedTLSResult != 0 )
{
xResult = CKR_SIGNATURE_INVALID;
"mbedtls_md_hmac_update failed: mbed TLS error = %s : %s.",
}
else
{
lMbedTLSResult = mbedtls_md_hmac_finish( &pxSessionObj->
xHMACSecretContext, pxHMACBuffer );
if( lMbedTLSResult != 0 )
{
xResult = CKR_SIGNATURE_INVALID;
"mbedtls_md_hmac_finish failed: mbed TLS error = %s : %s.",
}
else
{
/* NOTE(review): the comparison of pxHMACBuffer against pSignature that
 * guards this block is missing from the listing. If it is a plain
 * memcmp, the timing concern noted on the CMAC comparison below applies
 * here as well. */
{
xResult = CKR_SIGNATURE_INVALID;
LogError( (
"Failed verify operation. Signature was invalid." ) );
}
}
}
}
{
/* CMAC path: same update/finish shape as HMAC, using the session's CMAC
 * context and writing the tag to pxCMACBuffer. */
lMbedTLSResult = mbedtls_cipher_cmac_update( &pxSessionObj->
xCMACSecretContext, pData, ulDataLen );
if( lMbedTLSResult != 0 )
{
xResult = CKR_SIGNATURE_INVALID;
/* NOTE(review): this log text names mbedtls_md_hmac_update although the
 * failing call is mbedtls_cipher_cmac_update, which will mislead anyone
 * triaging from logs. */
"mbedtls_md_hmac_update failed: mbed TLS error = %s : %s.",
}
else
{
lMbedTLSResult = mbedtls_cipher_cmac_finish( &pxSessionObj->
xCMACSecretContext, pxCMACBuffer );
if( lMbedTLSResult != 0 )
{
xResult = CKR_SIGNATURE_INVALID;
/* NOTE(review): same mismatch; the failing call is
 * mbedtls_cipher_cmac_finish. */
"mbedtls_md_hmac_finish failed: mbed TLS error = %s : %s.",
}
else
{
/* NOTE(review): memcmp may return at the first differing byte, so the
 * time taken can reveal how much of a caller-supplied tag was correct.
 * MAC tags are normally compared in constant time, for example with
 * mbedtls_ct_memcmp if the linked Mbed TLS version provides it. */
/* Always compares a full AES block of pSignature; ulSignatureLen is not
 * consulted at this point. */
if( 0 != memcmp( pxCMACBuffer, pSignature, MBEDTLS_AES_BLOCK_SIZE ) )
{
xResult = CKR_SIGNATURE_INVALID;
LogError( (
"Failed verify operation. Signature was invalid." ) );
}
}
}
}
else
{
/* NOTE(review): in the lines shown this branch only logs and leaves xResult
 * unchanged. Confirm that an unsupported mechanism cannot arrive here with
 * CKR_OK, since the caller would then see a successful verification. */
LogError( (
"Failed verify operation. Received an unexpected mechanism." ) );
}
/* The unlock result is deliberately discarded. */
( void ) mbedtls_mutex_unlock( &pxSessionObj->
xVerifyMutex );
}
else
{
LogError( (
"Failed to initialize verify operation. Could not "
"take xVerifyMutex." ) );
xResult = CKR_CANT_LOCK;
}
}
/* Only the debug message is visible in this branch; the statement that resets
 * the verify mechanism is not part of this listing. */
if( xResult != CKR_SESSION_HANDLE_INVALID )
{
LogDebug( (
"Reset Verify mechanism to pkcs11NO_OPERATION." ) );
}
return xResult;
}