1 //! Message signatures.
2 //!
3 //! The `Signer` allows for the computation of cryptographic signatures of
4 //! data given a private key. The `Verifier` can then be used with the
5 //! corresponding public key to verify the integrity and authenticity of that
6 //! data given the signature.
7 //!
8 //! # Examples
9 //!
10 //! Sign and verify data given an RSA keypair:
11 //!
12 //! ```rust
13 //! use openssl::sign::{Signer, Verifier};
14 //! use openssl::rsa::Rsa;
15 //! use openssl::pkey::PKey;
16 //! use openssl::hash::MessageDigest;
17 //!
18 //! // Generate a keypair
19 //! let keypair = Rsa::generate(2048).unwrap();
20 //! let keypair = PKey::from_rsa(keypair).unwrap();
21 //!
22 //! let data = b"hello, world!";
23 //! let data2 = b"hola, mundo!";
24 //!
25 //! // Sign the data
26 //! let mut signer = Signer::new(MessageDigest::sha256(), &keypair).unwrap();
27 //! signer.update(data).unwrap();
28 //! signer.update(data2).unwrap();
29 //! let signature = signer.sign_to_vec().unwrap();
30 //!
31 //! // Verify the data
32 //! let mut verifier = Verifier::new(MessageDigest::sha256(), &keypair).unwrap();
33 //! verifier.update(data).unwrap();
34 //! verifier.update(data2).unwrap();
35 //! assert!(verifier.verify(&signature).unwrap());
36 //! ```
37 //!
38 //! Compute an HMAC:
39 //!
40 //! ```rust
41 //! use openssl::hash::MessageDigest;
42 //! use openssl::memcmp;
43 //! use openssl::pkey::PKey;
44 //! use openssl::sign::Signer;
45 //!
46 //! // Create a PKey
47 //! let key = PKey::hmac(b"my secret").unwrap();
48 //!
49 //! let data = b"hello, world!";
50 //! let data2 = b"hola, mundo!";
51 //!
52 //! // Compute the HMAC
53 //! let mut signer = Signer::new(MessageDigest::sha256(), &key).unwrap();
54 //! signer.update(data).unwrap();
55 //! signer.update(data2).unwrap();
56 //! let hmac = signer.sign_to_vec().unwrap();
57 //!
58 //! // `Verifier` cannot be used with HMACs; use the `memcmp::eq` function instead
59 //! //
60 //! // Do not simply check for equality with `==`!
61 //! # let target = hmac.clone();
62 //! assert!(memcmp::eq(&hmac, &target));
63 //! ```
64 use cfg_if::cfg_if;
65 use foreign_types::ForeignTypeRef;
66 use libc::c_int;
67 use std::io::{self, Write};
68 use std::marker::PhantomData;
69 use std::ptr;
70
71 use crate::error::ErrorStack;
72 use crate::hash::MessageDigest;
73 use crate::pkey::{HasPrivate, HasPublic, PKeyRef};
74 use crate::rsa::Padding;
75 use crate::{cvt, cvt_p};
76
77 cfg_if! {
78 if #[cfg(ossl110)] {
79 use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new};
80 } else {
81 use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free};
82 }
83 }
84
85 /// Salt lengths that must be used with `set_rsa_pss_saltlen`.
86 pub struct RsaPssSaltlen(c_int);
87
88 impl RsaPssSaltlen {
89 /// Returns the integer representation of `RsaPssSaltlen`.
as_raw(&self) -> c_int90 fn as_raw(&self) -> c_int {
91 self.0
92 }
93
94 /// Sets the salt length to the given value.
custom(val: c_int) -> RsaPssSaltlen95 pub fn custom(val: c_int) -> RsaPssSaltlen {
96 RsaPssSaltlen(val)
97 }
98
99 /// The salt length is set to the digest length.
100 /// Corresponds to the special value `-1`.
101 pub const DIGEST_LENGTH: RsaPssSaltlen = RsaPssSaltlen(-1);
102 /// The salt length is set to the maximum permissible value.
103 /// Corresponds to the special value `-2`.
104 pub const MAXIMUM_LENGTH: RsaPssSaltlen = RsaPssSaltlen(-2);
105 }
106
107 /// A type which computes cryptographic signatures of data.
108 pub struct Signer<'a> {
109 md_ctx: *mut ffi::EVP_MD_CTX,
110 pctx: *mut ffi::EVP_PKEY_CTX,
111 _p: PhantomData<&'a ()>,
112 }
113
114 unsafe impl<'a> Sync for Signer<'a> {}
115 unsafe impl<'a> Send for Signer<'a> {}
116
117 impl<'a> Drop for Signer<'a> {
drop(&mut self)118 fn drop(&mut self) {
119 // pkey_ctx is owned by the md_ctx, so no need to explicitly free it.
120 unsafe {
121 EVP_MD_CTX_free(self.md_ctx);
122 }
123 }
124 }
125
126 #[allow(clippy::len_without_is_empty)]
127 impl<'a> Signer<'a> {
128 /// Creates a new `Signer`.
129 ///
130 /// This cannot be used with Ed25519 or Ed448 keys. Please refer to
131 /// `new_without_digest`.
132 ///
133 /// OpenSSL documentation at [`EVP_DigestSignInit`].
134 ///
135 /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html
new<T>(type_: MessageDigest, pkey: &'a PKeyRef<T>) -> Result<Signer<'a>, ErrorStack> where T: HasPrivate,136 pub fn new<T>(type_: MessageDigest, pkey: &'a PKeyRef<T>) -> Result<Signer<'a>, ErrorStack>
137 where
138 T: HasPrivate,
139 {
140 Self::new_intern(Some(type_), pkey)
141 }
142
143 /// Creates a new `Signer` without a digest.
144 ///
145 /// This is the only way to create a `Verifier` for Ed25519 or Ed448 keys.
146 /// It can also be used to create a CMAC.
147 ///
148 /// OpenSSL documentation at [`EVP_DigestSignInit`].
149 ///
150 /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html
new_without_digest<T>(pkey: &'a PKeyRef<T>) -> Result<Signer<'a>, ErrorStack> where T: HasPrivate,151 pub fn new_without_digest<T>(pkey: &'a PKeyRef<T>) -> Result<Signer<'a>, ErrorStack>
152 where
153 T: HasPrivate,
154 {
155 Self::new_intern(None, pkey)
156 }
157
new_intern<T>( type_: Option<MessageDigest>, pkey: &'a PKeyRef<T>, ) -> Result<Signer<'a>, ErrorStack> where T: HasPrivate,158 fn new_intern<T>(
159 type_: Option<MessageDigest>,
160 pkey: &'a PKeyRef<T>,
161 ) -> Result<Signer<'a>, ErrorStack>
162 where
163 T: HasPrivate,
164 {
165 unsafe {
166 ffi::init();
167
168 let ctx = cvt_p(EVP_MD_CTX_new())?;
169 let mut pctx: *mut ffi::EVP_PKEY_CTX = ptr::null_mut();
170 let r = ffi::EVP_DigestSignInit(
171 ctx,
172 &mut pctx,
173 type_.map(|t| t.as_ptr()).unwrap_or(ptr::null()),
174 ptr::null_mut(),
175 pkey.as_ptr(),
176 );
177 if r != 1 {
178 EVP_MD_CTX_free(ctx);
179 return Err(ErrorStack::get());
180 }
181
182 assert!(!pctx.is_null());
183
184 Ok(Signer {
185 md_ctx: ctx,
186 pctx,
187 _p: PhantomData,
188 })
189 }
190 }
191
192 /// Returns the RSA padding mode in use.
193 ///
194 /// This is only useful for RSA keys.
195 ///
196 /// This corresponds to `EVP_PKEY_CTX_get_rsa_padding`.
rsa_padding(&self) -> Result<Padding, ErrorStack>197 pub fn rsa_padding(&self) -> Result<Padding, ErrorStack> {
198 unsafe {
199 let mut pad = 0;
200 cvt(ffi::EVP_PKEY_CTX_get_rsa_padding(self.pctx, &mut pad))
201 .map(|_| Padding::from_raw(pad))
202 }
203 }
204
205 /// Sets the RSA padding mode.
206 ///
207 /// This is only useful for RSA keys.
208 ///
209 /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`].
210 ///
211 /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html
set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack>212 pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> {
213 unsafe {
214 cvt(ffi::EVP_PKEY_CTX_set_rsa_padding(
215 self.pctx,
216 padding.as_raw(),
217 ))
218 .map(|_| ())
219 }
220 }
221
222 /// Sets the RSA PSS salt length.
223 ///
224 /// This is only useful for RSA keys.
225 ///
226 /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`].
227 ///
228 /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html
set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack>229 pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> {
230 unsafe {
231 cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen(
232 self.pctx,
233 len.as_raw(),
234 ))
235 .map(|_| ())
236 }
237 }
238
239 /// Sets the RSA MGF1 algorithm.
240 ///
241 /// This is only useful for RSA keys.
242 ///
243 /// This corresponds to [`EVP_PKEY_CTX_set_rsa_mgf1_md`].
244 ///
245 /// [`EVP_PKEY_CTX_set_rsa_mgf1_md`]: https://www.openssl.org/docs/manmaster/man7/RSA-PSS.html
set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack>246 pub fn set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> {
247 unsafe {
248 cvt(ffi::EVP_PKEY_CTX_set_rsa_mgf1_md(
249 self.pctx,
250 md.as_ptr() as *mut _,
251 ))
252 .map(|_| ())
253 }
254 }
255
256 /// Feeds more data into the `Signer`.
257 ///
258 /// Please note that PureEdDSA (Ed25519 and Ed448 keys) do not support streaming.
259 /// Use `sign_oneshot` instead.
260 ///
261 /// OpenSSL documentation at [`EVP_DigestUpdate`].
262 ///
263 /// [`EVP_DigestUpdate`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html
update(&mut self, buf: &[u8]) -> Result<(), ErrorStack>264 pub fn update(&mut self, buf: &[u8]) -> Result<(), ErrorStack> {
265 unsafe {
266 cvt(ffi::EVP_DigestUpdate(
267 self.md_ctx,
268 buf.as_ptr() as *const _,
269 buf.len(),
270 ))
271 .map(|_| ())
272 }
273 }
274
275 /// Computes an upper bound on the signature length.
276 ///
277 /// The actual signature may be shorter than this value. Check the return value of
278 /// `sign` to get the exact length.
279 ///
280 /// OpenSSL documentation at [`EVP_DigestSignFinal`].
281 ///
282 /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestSignFinal.html
len(&self) -> Result<usize, ErrorStack>283 pub fn len(&self) -> Result<usize, ErrorStack> {
284 self.len_intern()
285 }
286
287 #[cfg(not(ossl111))]
len_intern(&self) -> Result<usize, ErrorStack>288 fn len_intern(&self) -> Result<usize, ErrorStack> {
289 unsafe {
290 let mut len = 0;
291 cvt(ffi::EVP_DigestSignFinal(
292 self.md_ctx,
293 ptr::null_mut(),
294 &mut len,
295 ))?;
296 Ok(len)
297 }
298 }
299
300 #[cfg(ossl111)]
len_intern(&self) -> Result<usize, ErrorStack>301 fn len_intern(&self) -> Result<usize, ErrorStack> {
302 unsafe {
303 let mut len = 0;
304 cvt(ffi::EVP_DigestSign(
305 self.md_ctx,
306 ptr::null_mut(),
307 &mut len,
308 ptr::null(),
309 0,
310 ))?;
311 Ok(len)
312 }
313 }
314
315 /// Writes the signature into the provided buffer, returning the number of bytes written.
316 ///
317 /// This method will fail if the buffer is not large enough for the signature. Use the `len`
318 /// method to get an upper bound on the required size.
319 ///
320 /// OpenSSL documentation at [`EVP_DigestSignFinal`].
321 ///
322 /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestSignFinal.html
sign(&self, buf: &mut [u8]) -> Result<usize, ErrorStack>323 pub fn sign(&self, buf: &mut [u8]) -> Result<usize, ErrorStack> {
324 unsafe {
325 let mut len = buf.len();
326 cvt(ffi::EVP_DigestSignFinal(
327 self.md_ctx,
328 buf.as_mut_ptr() as *mut _,
329 &mut len,
330 ))?;
331 Ok(len)
332 }
333 }
334
335 /// Returns the signature.
336 ///
337 /// This is a simple convenience wrapper over `len` and `sign`.
sign_to_vec(&self) -> Result<Vec<u8>, ErrorStack>338 pub fn sign_to_vec(&self) -> Result<Vec<u8>, ErrorStack> {
339 let mut buf = vec![0; self.len()?];
340 let len = self.sign(&mut buf)?;
341 // The advertised length is not always equal to the real length for things like DSA
342 buf.truncate(len);
343 Ok(buf)
344 }
345
346 /// Signs the data in data_buf and writes the signature into the buffer sig_buf, returning the
347 /// number of bytes written.
348 ///
349 /// For PureEdDSA (Ed25519 and Ed448 keys) this is the only way to sign data.
350 ///
351 /// This method will fail if the buffer is not large enough for the signature. Use the `len`
352 /// method to get an upper bound on the required size.
353 ///
354 /// OpenSSL documentation at [`EVP_DigestSign`].
355 ///
356 /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html
357 #[cfg(ossl111)]
sign_oneshot( &mut self, sig_buf: &mut [u8], data_buf: &[u8], ) -> Result<usize, ErrorStack>358 pub fn sign_oneshot(
359 &mut self,
360 sig_buf: &mut [u8],
361 data_buf: &[u8],
362 ) -> Result<usize, ErrorStack> {
363 unsafe {
364 let mut sig_len = sig_buf.len();
365 cvt(ffi::EVP_DigestSign(
366 self.md_ctx,
367 sig_buf.as_mut_ptr() as *mut _,
368 &mut sig_len,
369 data_buf.as_ptr() as *const _,
370 data_buf.len(),
371 ))?;
372 Ok(sig_len)
373 }
374 }
375
376 /// Returns the signature.
377 ///
378 /// This is a simple convenience wrapper over `len` and `sign_oneshot`.
379 #[cfg(ossl111)]
sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result<Vec<u8>, ErrorStack>380 pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result<Vec<u8>, ErrorStack> {
381 let mut sig_buf = vec![0; self.len()?];
382 let len = self.sign_oneshot(&mut sig_buf, data_buf)?;
383 // The advertised length is not always equal to the real length for things like DSA
384 sig_buf.truncate(len);
385 Ok(sig_buf)
386 }
387 }
388
389 impl<'a> Write for Signer<'a> {
write(&mut self, buf: &[u8]) -> io::Result<usize>390 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
391 self.update(buf)?;
392 Ok(buf.len())
393 }
394
flush(&mut self) -> io::Result<()>395 fn flush(&mut self) -> io::Result<()> {
396 Ok(())
397 }
398 }
399
400 pub struct Verifier<'a> {
401 md_ctx: *mut ffi::EVP_MD_CTX,
402 pctx: *mut ffi::EVP_PKEY_CTX,
403 pkey_pd: PhantomData<&'a ()>,
404 }
405
406 unsafe impl<'a> Sync for Verifier<'a> {}
407 unsafe impl<'a> Send for Verifier<'a> {}
408
409 impl<'a> Drop for Verifier<'a> {
drop(&mut self)410 fn drop(&mut self) {
411 // pkey_ctx is owned by the md_ctx, so no need to explicitly free it.
412 unsafe {
413 EVP_MD_CTX_free(self.md_ctx);
414 }
415 }
416 }
417
418 /// A type which verifies cryptographic signatures of data.
419 impl<'a> Verifier<'a> {
420 /// Creates a new `Verifier`.
421 ///
422 /// This cannot be used with Ed25519 or Ed448 keys. Please refer to
423 /// `new_without_digest`.
424 ///
425 /// OpenSSL documentation at [`EVP_DigestVerifyInit`].
426 ///
427 /// [`EVP_DigestVerifyInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyInit.html
new<T>(type_: MessageDigest, pkey: &'a PKeyRef<T>) -> Result<Verifier<'a>, ErrorStack> where T: HasPublic,428 pub fn new<T>(type_: MessageDigest, pkey: &'a PKeyRef<T>) -> Result<Verifier<'a>, ErrorStack>
429 where
430 T: HasPublic,
431 {
432 Verifier::new_intern(Some(type_), pkey)
433 }
434
435 /// Creates a new `Verifier` without a digest.
436 ///
437 /// This is the only way to create a `Verifier` for Ed25519 or Ed448 keys.
438 ///
439 /// OpenSSL documentation at [`EVP_DigestVerifyInit`].
440 ///
441 /// [`EVP_DigestVerifyInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyInit.html
new_without_digest<T>(pkey: &'a PKeyRef<T>) -> Result<Verifier<'a>, ErrorStack> where T: HasPublic,442 pub fn new_without_digest<T>(pkey: &'a PKeyRef<T>) -> Result<Verifier<'a>, ErrorStack>
443 where
444 T: HasPublic,
445 {
446 Verifier::new_intern(None, pkey)
447 }
448
new_intern<T>( type_: Option<MessageDigest>, pkey: &'a PKeyRef<T>, ) -> Result<Verifier<'a>, ErrorStack> where T: HasPublic,449 fn new_intern<T>(
450 type_: Option<MessageDigest>,
451 pkey: &'a PKeyRef<T>,
452 ) -> Result<Verifier<'a>, ErrorStack>
453 where
454 T: HasPublic,
455 {
456 unsafe {
457 ffi::init();
458
459 let ctx = cvt_p(EVP_MD_CTX_new())?;
460 let mut pctx: *mut ffi::EVP_PKEY_CTX = ptr::null_mut();
461 let r = ffi::EVP_DigestVerifyInit(
462 ctx,
463 &mut pctx,
464 type_.map(|t| t.as_ptr()).unwrap_or(ptr::null()),
465 ptr::null_mut(),
466 pkey.as_ptr(),
467 );
468 if r != 1 {
469 EVP_MD_CTX_free(ctx);
470 return Err(ErrorStack::get());
471 }
472
473 assert!(!pctx.is_null());
474
475 Ok(Verifier {
476 md_ctx: ctx,
477 pctx,
478 pkey_pd: PhantomData,
479 })
480 }
481 }
482
483 /// Returns the RSA padding mode in use.
484 ///
485 /// This is only useful for RSA keys.
486 ///
487 /// This corresponds to `EVP_PKEY_CTX_get_rsa_padding`.
rsa_padding(&self) -> Result<Padding, ErrorStack>488 pub fn rsa_padding(&self) -> Result<Padding, ErrorStack> {
489 unsafe {
490 let mut pad = 0;
491 cvt(ffi::EVP_PKEY_CTX_get_rsa_padding(self.pctx, &mut pad))
492 .map(|_| Padding::from_raw(pad))
493 }
494 }
495
496 /// Sets the RSA padding mode.
497 ///
498 /// This is only useful for RSA keys.
499 ///
500 /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`].
501 ///
502 /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html
set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack>503 pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> {
504 unsafe {
505 cvt(ffi::EVP_PKEY_CTX_set_rsa_padding(
506 self.pctx,
507 padding.as_raw(),
508 ))
509 .map(|_| ())
510 }
511 }
512
513 /// Sets the RSA PSS salt length.
514 ///
515 /// This is only useful for RSA keys.
516 ///
517 /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`].
518 ///
519 /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html
set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack>520 pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> {
521 unsafe {
522 cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen(
523 self.pctx,
524 len.as_raw(),
525 ))
526 .map(|_| ())
527 }
528 }
529
530 /// Sets the RSA MGF1 algorithm.
531 ///
532 /// This is only useful for RSA keys.
533 ///
534 /// This corresponds to [`EVP_PKEY_CTX_set_rsa_mgf1_md`].
535 ///
536 /// [`EVP_PKEY_CTX_set_rsa_mgf1_md`]: https://www.openssl.org/docs/manmaster/man7/RSA-PSS.html
set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack>537 pub fn set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> {
538 unsafe {
539 cvt(ffi::EVP_PKEY_CTX_set_rsa_mgf1_md(
540 self.pctx,
541 md.as_ptr() as *mut _,
542 ))
543 .map(|_| ())
544 }
545 }
546
547 /// Feeds more data into the `Verifier`.
548 ///
549 /// Please note that PureEdDSA (Ed25519 and Ed448 keys) do not support streaming.
550 /// Use `verify_oneshot` instead.
551 ///
552 /// OpenSSL documentation at [`EVP_DigestUpdate`].
553 ///
554 /// [`EVP_DigestUpdate`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html
update(&mut self, buf: &[u8]) -> Result<(), ErrorStack>555 pub fn update(&mut self, buf: &[u8]) -> Result<(), ErrorStack> {
556 unsafe {
557 cvt(ffi::EVP_DigestUpdate(
558 self.md_ctx,
559 buf.as_ptr() as *const _,
560 buf.len(),
561 ))
562 .map(|_| ())
563 }
564 }
565
566 /// Determines if the data fed into the `Verifier` matches the provided signature.
567 ///
568 /// OpenSSL documentation at [`EVP_DigestVerifyFinal`].
569 ///
570 /// [`EVP_DigestVerifyFinal`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyFinal.html
verify(&self, signature: &[u8]) -> Result<bool, ErrorStack>571 pub fn verify(&self, signature: &[u8]) -> Result<bool, ErrorStack> {
572 unsafe {
573 let r =
574 EVP_DigestVerifyFinal(self.md_ctx, signature.as_ptr() as *mut _, signature.len());
575 match r {
576 1 => Ok(true),
577 0 => {
578 ErrorStack::get(); // discard error stack
579 Ok(false)
580 }
581 _ => Err(ErrorStack::get()),
582 }
583 }
584 }
585
586 /// Determines if the data given in buf matches the provided signature.
587 ///
588 /// OpenSSL documentation at [`EVP_DigestVerify`].
589 ///
590 /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html
591 #[cfg(ossl111)]
verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result<bool, ErrorStack>592 pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result<bool, ErrorStack> {
593 unsafe {
594 let r = ffi::EVP_DigestVerify(
595 self.md_ctx,
596 signature.as_ptr() as *const _,
597 signature.len(),
598 buf.as_ptr() as *const _,
599 buf.len(),
600 );
601 match r {
602 1 => Ok(true),
603 0 => {
604 ErrorStack::get();
605 Ok(false)
606 }
607 _ => Err(ErrorStack::get()),
608 }
609 }
610 }
611 }
612
613 impl<'a> Write for Verifier<'a> {
write(&mut self, buf: &[u8]) -> io::Result<usize>614 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
615 self.update(buf)?;
616 Ok(buf.len())
617 }
618
flush(&mut self) -> io::Result<()>619 fn flush(&mut self) -> io::Result<()> {
620 Ok(())
621 }
622 }
623
624 #[cfg(not(ossl101))]
625 use ffi::EVP_DigestVerifyFinal;
626
627 #[cfg(ossl101)]
628 #[allow(bad_style)]
EVP_DigestVerifyFinal( ctx: *mut ffi::EVP_MD_CTX, sigret: *const ::libc::c_uchar, siglen: ::libc::size_t, ) -> ::libc::c_int629 unsafe fn EVP_DigestVerifyFinal(
630 ctx: *mut ffi::EVP_MD_CTX,
631 sigret: *const ::libc::c_uchar,
632 siglen: ::libc::size_t,
633 ) -> ::libc::c_int {
634 ffi::EVP_DigestVerifyFinal(ctx, sigret as *mut _, siglen)
635 }
636
637 #[cfg(test)]
638 mod test {
639 use hex::{self, FromHex};
640 use std::iter;
641
642 use crate::ec::{EcGroup, EcKey};
643 use crate::hash::MessageDigest;
644 use crate::nid::Nid;
645 use crate::pkey::PKey;
646 use crate::rsa::{Padding, Rsa};
647 #[cfg(ossl111)]
648 use crate::sign::RsaPssSaltlen;
649 use crate::sign::{Signer, Verifier};
650
651 const INPUT: &str =
652 "65794a68624763694f694a53557a49314e694a392e65794a7063334d694f694a71623255694c41304b49434a6c\
653 654841694f6a457a4d4441344d546b7a4f44417344516f67496d6830644841364c79396c654746746347786c4c\
654 6d4e76625339706331397962323930496a7030636e566c6651";
655
656 const SIGNATURE: &str =
657 "702e218943e88fd11eb5d82dbf7845f34106ae1b81fff7731116add1717d83656d420afd3c96eedd73a2663e51\
658 66687b000b87226e0187ed1073f945e582adfcef16d85a798ee8c66ddb3db8975b17d09402beedd5d9d9700710\
659 8db28160d5f8040ca7445762b81fbe7ff9d92e0ae76f24f25b33bbe6f44ae61eb1040acb20044d3ef9128ed401\
660 30795bd4bd3b41eecad066ab651981fde48df77f372dc38b9fafdd3befb18b5da3cc3c2eb02f9e3a41d612caad\
661 15911273a05f23b9e838faaf849d698429ef5a1e88798236c3d40e604522a544c8f27a7a2db80663d16cf7caea\
662 56de405cb2215a45b2c25566b55ac1a748a070dfc8a32a469543d019eefb47";
663
664 #[test]
rsa_sign()665 fn rsa_sign() {
666 let key = include_bytes!("../test/rsa.pem");
667 let private_key = Rsa::private_key_from_pem(key).unwrap();
668 let pkey = PKey::from_rsa(private_key).unwrap();
669
670 let mut signer = Signer::new(MessageDigest::sha256(), &pkey).unwrap();
671 assert_eq!(signer.rsa_padding().unwrap(), Padding::PKCS1);
672 signer.set_rsa_padding(Padding::PKCS1).unwrap();
673 signer.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
674 let result = signer.sign_to_vec().unwrap();
675
676 assert_eq!(hex::encode(result), SIGNATURE);
677 }
678
679 #[test]
rsa_verify_ok()680 fn rsa_verify_ok() {
681 let key = include_bytes!("../test/rsa.pem");
682 let private_key = Rsa::private_key_from_pem(key).unwrap();
683 let pkey = PKey::from_rsa(private_key).unwrap();
684
685 let mut verifier = Verifier::new(MessageDigest::sha256(), &pkey).unwrap();
686 assert_eq!(verifier.rsa_padding().unwrap(), Padding::PKCS1);
687 verifier.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
688 assert!(verifier.verify(&Vec::from_hex(SIGNATURE).unwrap()).unwrap());
689 }
690
691 #[test]
rsa_verify_invalid()692 fn rsa_verify_invalid() {
693 let key = include_bytes!("../test/rsa.pem");
694 let private_key = Rsa::private_key_from_pem(key).unwrap();
695 let pkey = PKey::from_rsa(private_key).unwrap();
696
697 let mut verifier = Verifier::new(MessageDigest::sha256(), &pkey).unwrap();
698 verifier.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
699 verifier.update(b"foobar").unwrap();
700 assert!(!verifier.verify(&Vec::from_hex(SIGNATURE).unwrap()).unwrap());
701 }
702
test_hmac(ty: MessageDigest, tests: &[(Vec<u8>, Vec<u8>, Vec<u8>)])703 fn test_hmac(ty: MessageDigest, tests: &[(Vec<u8>, Vec<u8>, Vec<u8>)]) {
704 for &(ref key, ref data, ref res) in tests.iter() {
705 let pkey = PKey::hmac(key).unwrap();
706 let mut signer = Signer::new(ty, &pkey).unwrap();
707 signer.update(data).unwrap();
708 assert_eq!(signer.sign_to_vec().unwrap(), *res);
709 }
710 }
711
712 #[test]
hmac_md5()713 fn hmac_md5() {
714 // test vectors from RFC 2202
715 let tests: [(Vec<u8>, Vec<u8>, Vec<u8>); 7] = [
716 (
717 iter::repeat(0x0b_u8).take(16).collect(),
718 b"Hi There".to_vec(),
719 Vec::from_hex("9294727a3638bb1c13f48ef8158bfc9d").unwrap(),
720 ),
721 (
722 b"Jefe".to_vec(),
723 b"what do ya want for nothing?".to_vec(),
724 Vec::from_hex("750c783e6ab0b503eaa86e310a5db738").unwrap(),
725 ),
726 (
727 iter::repeat(0xaa_u8).take(16).collect(),
728 iter::repeat(0xdd_u8).take(50).collect(),
729 Vec::from_hex("56be34521d144c88dbb8c733f0e8b3f6").unwrap(),
730 ),
731 (
732 Vec::from_hex("0102030405060708090a0b0c0d0e0f10111213141516171819").unwrap(),
733 iter::repeat(0xcd_u8).take(50).collect(),
734 Vec::from_hex("697eaf0aca3a3aea3a75164746ffaa79").unwrap(),
735 ),
736 (
737 iter::repeat(0x0c_u8).take(16).collect(),
738 b"Test With Truncation".to_vec(),
739 Vec::from_hex("56461ef2342edc00f9bab995690efd4c").unwrap(),
740 ),
741 (
742 iter::repeat(0xaa_u8).take(80).collect(),
743 b"Test Using Larger Than Block-Size Key - Hash Key First".to_vec(),
744 Vec::from_hex("6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd").unwrap(),
745 ),
746 (
747 iter::repeat(0xaa_u8).take(80).collect(),
748 b"Test Using Larger Than Block-Size Key \
749 and Larger Than One Block-Size Data"
750 .to_vec(),
751 Vec::from_hex("6f630fad67cda0ee1fb1f562db3aa53e").unwrap(),
752 ),
753 ];
754
755 test_hmac(MessageDigest::md5(), &tests);
756 }
757
758 #[test]
hmac_sha1()759 fn hmac_sha1() {
760 // test vectors from RFC 2202
761 let tests: [(Vec<u8>, Vec<u8>, Vec<u8>); 7] = [
762 (
763 iter::repeat(0x0b_u8).take(20).collect(),
764 b"Hi There".to_vec(),
765 Vec::from_hex("b617318655057264e28bc0b6fb378c8ef146be00").unwrap(),
766 ),
767 (
768 b"Jefe".to_vec(),
769 b"what do ya want for nothing?".to_vec(),
770 Vec::from_hex("effcdf6ae5eb2fa2d27416d5f184df9c259a7c79").unwrap(),
771 ),
772 (
773 iter::repeat(0xaa_u8).take(20).collect(),
774 iter::repeat(0xdd_u8).take(50).collect(),
775 Vec::from_hex("125d7342b9ac11cd91a39af48aa17b4f63f175d3").unwrap(),
776 ),
777 (
778 Vec::from_hex("0102030405060708090a0b0c0d0e0f10111213141516171819").unwrap(),
779 iter::repeat(0xcd_u8).take(50).collect(),
780 Vec::from_hex("4c9007f4026250c6bc8414f9bf50c86c2d7235da").unwrap(),
781 ),
782 (
783 iter::repeat(0x0c_u8).take(20).collect(),
784 b"Test With Truncation".to_vec(),
785 Vec::from_hex("4c1a03424b55e07fe7f27be1d58bb9324a9a5a04").unwrap(),
786 ),
787 (
788 iter::repeat(0xaa_u8).take(80).collect(),
789 b"Test Using Larger Than Block-Size Key - Hash Key First".to_vec(),
790 Vec::from_hex("aa4ae5e15272d00e95705637ce8a3b55ed402112").unwrap(),
791 ),
792 (
793 iter::repeat(0xaa_u8).take(80).collect(),
794 b"Test Using Larger Than Block-Size Key \
795 and Larger Than One Block-Size Data"
796 .to_vec(),
797 Vec::from_hex("e8e99d0f45237d786d6bbaa7965c7808bbff1a91").unwrap(),
798 ),
799 ];
800
801 test_hmac(MessageDigest::sha1(), &tests);
802 }
803
804 #[test]
805 #[cfg(ossl110)]
806 #[cfg_attr(ossl300, ignore)] // https://github.com/openssl/openssl/issues/11671
test_cmac()807 fn test_cmac() {
808 let cipher = crate::symm::Cipher::aes_128_cbc();
809 let key = Vec::from_hex("9294727a3638bb1c13f48ef8158bfc9d").unwrap();
810 let pkey = PKey::cmac(&cipher, &key).unwrap();
811 let mut signer = Signer::new_without_digest(&pkey).unwrap();
812
813 let data = b"Hi There";
814 signer.update(data as &[u8]).unwrap();
815
816 let expected = vec![
817 136, 101, 61, 167, 61, 30, 248, 234, 124, 166, 196, 157, 203, 52, 171, 19,
818 ];
819 assert_eq!(signer.sign_to_vec().unwrap(), expected);
820 }
821
822 #[test]
ec()823 fn ec() {
824 let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
825 let key = EcKey::generate(&group).unwrap();
826 let key = PKey::from_ec_key(key).unwrap();
827
828 let mut signer = Signer::new(MessageDigest::sha256(), &key).unwrap();
829 signer.update(b"hello world").unwrap();
830 let signature = signer.sign_to_vec().unwrap();
831
832 let mut verifier = Verifier::new(MessageDigest::sha256(), &key).unwrap();
833 verifier.update(b"hello world").unwrap();
834 assert!(verifier.verify(&signature).unwrap());
835 }
836
837 #[test]
838 #[cfg(ossl111)]
eddsa()839 fn eddsa() {
840 let key = PKey::generate_ed25519().unwrap();
841
842 let mut signer = Signer::new_without_digest(&key).unwrap();
843 let signature = signer.sign_oneshot_to_vec(b"hello world").unwrap();
844
845 let mut verifier = Verifier::new_without_digest(&key).unwrap();
846 assert!(verifier.verify_oneshot(&signature, b"hello world").unwrap());
847 }
848
849 #[test]
850 #[cfg(ossl111)]
rsa_sign_verify()851 fn rsa_sign_verify() {
852 let key = include_bytes!("../test/rsa.pem");
853 let private_key = Rsa::private_key_from_pem(key).unwrap();
854 let pkey = PKey::from_rsa(private_key).unwrap();
855
856 let mut signer = Signer::new(MessageDigest::sha256(), &pkey).unwrap();
857 signer.set_rsa_padding(Padding::PKCS1_PSS).unwrap();
858 assert_eq!(signer.rsa_padding().unwrap(), Padding::PKCS1_PSS);
859 signer
860 .set_rsa_pss_saltlen(RsaPssSaltlen::DIGEST_LENGTH)
861 .unwrap();
862 signer.set_rsa_mgf1_md(MessageDigest::sha256()).unwrap();
863 signer.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
864 let signature = signer.sign_to_vec().unwrap();
865
866 let mut verifier = Verifier::new(MessageDigest::sha256(), &pkey).unwrap();
867 verifier.set_rsa_padding(Padding::PKCS1_PSS).unwrap();
868 verifier
869 .set_rsa_pss_saltlen(RsaPssSaltlen::DIGEST_LENGTH)
870 .unwrap();
871 verifier.set_rsa_mgf1_md(MessageDigest::sha256()).unwrap();
872 verifier.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
873 assert!(verifier.verify(&signature).unwrap());
874 }
875 }
876