archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/win32/ntcrypto/mincrypt/verhash.cpp

538 lines
15 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. // Microsoft Windows
  3. //
  4. // Copyright (C) Microsoft Corporation, 2001 - 2001
  5. //
  6. // File: verhash.cpp
  7. //
  8. // Contents: Minimal Cryptographic functions to verify ASN.1 encoded
  9. // signed hashes. Signed hashes are used in X.509 certificates
  10. // and PKCS #7 signed data.
  11. //
  12. // Also contains md5 or sha1 memory hash function.
  13. //
  14. //
  15. // Functions: MinCryptDecodeHashAlgorithmIdentifier
  16. // MinCryptHashMemory
  17. // MinCryptVerifySignedHash
  18. //
  19. // History: 17-Jan-01 philh created
  20. //--------------------------------------------------------------------------
  22. #include "global.hxx"
  23. #include <md5.h>
  24. #include <sha.h>
  25. #include <rsa.h>
  27. #define MAX_RSA_PUB_KEY_BIT_LEN 4096
  28. #define MAX_RSA_PUB_KEY_BYTE_LEN (MAX_RSA_PUB_KEY_BIT_LEN / 8 )
  29. #define MAX_BSAFE_PUB_KEY_MODULUS_BYTE_LEN \
  30. (MAX_RSA_PUB_KEY_BYTE_LEN + sizeof(DWORD) * 4)
  32. typedef struct _BSAFE_PUB_KEY_CONTENT {
  33. BSAFE_PUB_KEY Header;
  34. BYTE rgbModulus[MAX_BSAFE_PUB_KEY_MODULUS_BYTE_LEN];
  35. } BSAFE_PUB_KEY_CONTENT, *PBSAFE_PUB_KEY_CONTENT;
  38. #ifndef RSA1
  39. #define RSA1 ((DWORD)'R'+((DWORD)'S'<<8)+((DWORD)'A'<<16)+((DWORD)'1'<<24))
  40. #endif
  42. // from \nt\ds\win32\ntcrypto\scp\nt_sign.c
  44. //
  45. // Reverse ASN.1 Encodings of possible hash identifiers. The leading byte is
  46. // the length of the remaining byte string.
  47. //
  49. static const BYTE
  50. *md5Encodings[]
  51. = { (CONST BYTE *)"\x12\x10\x04\x00\x05\x05\x02\x0d\xf7\x86\x48\x86\x2a\x08\x06\x0c\x30\x20\x30",
  52. (CONST BYTE *)"\x10\x10\x04\x05\x02\x0d\xf7\x86\x48\x86\x2a\x08\x06\x0a\x30\x1e\x30",
  53. (CONST BYTE *)"\x00" },
  55. *shaEncodings[]
  56. = { (CONST BYTE *)"\x0f\x14\x04\x00\x05\x1a\x02\x03\x0e\x2b\x05\x06\x09\x30\x21\x30",
  57. (CONST BYTE *)"\x0d\x14\x04\x1a\x02\x03\x0e\x2b\x05\x06\x07\x30\x1f\x30",
  58. (CONST BYTE *)"\x00"};
  62. typedef struct _ENCODED_OID_INFO {
  63. DWORD cbEncodedOID;
  64. const BYTE *pbEncodedOID;
  65. ALG_ID AlgId;
  66. } ENCODED_OID_INFO, *PENCODED_OID_INFO;
  68. //
  69. // SHA1/MD5 HASH OIDS
  70. //
  72. // #define szOID_OIWSEC_sha1 "1.3.14.3.2.26"
  73. const BYTE rgbOIWSEC_sha1[] =
  74. {0x2B, 0x0E, 0x03, 0x02, 0x1A};
  76. // #define szOID_OIWSEC_sha "1.3.14.3.2.18"
  77. const BYTE rgbOID_OIWSEC_sha[] =
  78. {0x2B, 0x0E, 0x03, 0x02, 0x12};
  80. // #define szOID_RSA_MD5 "1.2.840.113549.2.5"
  81. const BYTE rgbOID_RSA_MD5[] =
  82. {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05};
  84. //
  85. // RSA SHA1/MD5 SIGNATURE OIDS
  86. //
  88. // #define szOID_RSA_SHA1RSA "1.2.840.113549.1.1.5"
  89. const BYTE rgbOID_RSA_SHA1RSA[] =
  90. {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05};
  92. // #define szOID_RSA_MD5RSA "1.2.840.113549.1.1.4"
  93. const BYTE rgbOID_RSA_MD5RSA[] =
  94. {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04};
  96. // #define szOID_OIWSEC_sha1RSASign "1.3.14.3.2.29"
  97. const BYTE rgbOID_OIWSEC_sha1RSASign[] =
  98. {0x2B, 0x0E, 0x03, 0x02, 0x1D};
  100. // #define szOID_OIWSEC_shaRSA "1.3.14.3.2.15"
  101. const BYTE rgbOID_OIWSEC_shaRSA[] =
  102. {0x2B, 0x0E, 0x03, 0x02, 0x0F};
  104. // #define szOID_OIWSEC_md5RSA "1.3.14.3.2.3"
  105. const BYTE rgbOID_OIWSEC_md5RSA[] =
  106. {0x2B, 0x0E, 0x03, 0x02, 0x03};
  108. const ENCODED_OID_INFO HashAlgTable[] = {
  109. // Hash OIDs
  110. sizeof(rgbOIWSEC_sha1), rgbOIWSEC_sha1, CALG_SHA1,
  111. sizeof(rgbOID_OIWSEC_sha), rgbOID_OIWSEC_sha, CALG_SHA1,
  112. sizeof(rgbOID_RSA_MD5), rgbOID_RSA_MD5, CALG_MD5,
  114. // Signature OIDs
  115. sizeof(rgbOID_RSA_SHA1RSA), rgbOID_RSA_SHA1RSA, CALG_SHA1,
  116. sizeof(rgbOID_RSA_MD5RSA), rgbOID_RSA_MD5RSA, CALG_MD5,
  117. sizeof(rgbOID_OIWSEC_sha1RSASign), rgbOID_OIWSEC_sha1RSASign, CALG_SHA1,
  118. sizeof(rgbOID_OIWSEC_shaRSA), rgbOID_OIWSEC_shaRSA, CALG_SHA1,
  119. sizeof(rgbOID_OIWSEC_md5RSA), rgbOID_OIWSEC_md5RSA, CALG_MD5,
  120. };
  121. #define HASH_ALG_CNT (sizeof(HashAlgTable) / sizeof(HashAlgTable[0]))
  125. //+-------------------------------------------------------------------------
  126. // Decodes an ASN.1 encoded Algorithm Identifier and converts to
  127. // a CAPI Hash AlgID, such as, CALG_SHA1 or CALG_MD5.
  128. //
  129. // Returns 0 if there isn't a CAPI AlgId corresponding to the Algorithm
  130. // Identifier.
  131. //
  132. // Only CALG_SHA1, CALG_MD5 are supported.
  133. //--------------------------------------------------------------------------
  134. ALG_ID
  135. WINAPI
  136. MinCryptDecodeHashAlgorithmIdentifier(
  137. IN PCRYPT_DER_BLOB pAlgIdValueBlob
  138. )
  139. {
  140. ALG_ID HashAlgId = 0;
  141. LONG lSkipped;
  142. CRYPT_DER_BLOB rgAlgIdBlob[MINASN1_ALGID_BLOB_CNT];
  143. DWORD cbEncodedOID;
  144. const BYTE *pbEncodedOID;
  145. DWORD i;
  147. lSkipped = MinAsn1ParseAlgorithmIdentifier(
  148. pAlgIdValueBlob,
  149. rgAlgIdBlob
  150. );
  151. if (0 >= lSkipped)
  152. goto CommonReturn;
  154. cbEncodedOID = rgAlgIdBlob[MINASN1_ALGID_OID_IDX].cbData;
  155. pbEncodedOID = rgAlgIdBlob[MINASN1_ALGID_OID_IDX].pbData;
  157. for (i = 0; i < HASH_ALG_CNT; i++) {
  158. if (cbEncodedOID == HashAlgTable[i].cbEncodedOID &&
  159. 0 == memcmp(pbEncodedOID, HashAlgTable[i].pbEncodedOID,
  160. cbEncodedOID)) {
  161. HashAlgId = HashAlgTable[i].AlgId;
  162. break;
  163. }
  164. }
  166. CommonReturn:
  167. return HashAlgId;
  168. }
  171. #pragma warning (push)
  172. // local variable 'Md5Ctx' may be used without having been initialized
  173. #pragma warning (disable: 4701)
  175. //+-------------------------------------------------------------------------
  176. // Hashes one or more memory blobs according to the Hash ALG_ID.
  177. //
  178. // rgbHash is updated with the resultant hash. *pcbHash is updated with
  179. // the length associated with the hash algorithm.
  180. //
  181. // If the function succeeds, the return value is ERROR_SUCCESS. Otherwise,
  182. // a nonzero error code is returned.
  183. //
  184. // Only CALG_SHA1, CALG_MD5 are supported.
  185. //--------------------------------------------------------------------------
  186. LONG
  187. WINAPI
  188. MinCryptHashMemory(
  189. IN ALG_ID HashAlgId,
  190. IN DWORD cBlob,
  191. IN PCRYPT_DER_BLOB rgBlob,
  192. OUT BYTE rgbHash[MINCRYPT_MAX_HASH_LEN],
  193. OUT DWORD *pcbHash
  194. )
  195. {
  196. A_SHA_CTX ShaCtx;
  197. MD5_CTX Md5Ctx;
  198. DWORD iBlob;
  200. switch (HashAlgId) {
  201. case CALG_MD5:
  202. MD5Init(&Md5Ctx);
  203. *pcbHash = MINCRYPT_MD5_HASH_LEN;
  204. break;
  206. case CALG_SHA1:
  207. A_SHAInit(&ShaCtx);
  208. *pcbHash = MINCRYPT_SHA1_HASH_LEN;
  209. break;
  211. default:
  212. *pcbHash = 0;
  213. return NTE_BAD_ALGID;
  214. }
  216. for (iBlob = 0; iBlob < cBlob; iBlob++) {
  217. BYTE *pb = rgBlob[iBlob].pbData;
  218. DWORD cb = rgBlob[iBlob].cbData;
  220. if (0 == cb)
  221. continue;
  223. switch (HashAlgId) {
  224. case CALG_MD5:
  225. MD5Update(&Md5Ctx, pb, cb);
  226. break;
  228. case CALG_SHA1:
  229. A_SHAUpdate(&ShaCtx, pb, cb);
  230. break;
  231. }
  233. }
  235. switch (HashAlgId) {
  236. case CALG_MD5:
  237. MD5Final(&Md5Ctx);
  238. assert(MD5DIGESTLEN == MINCRYPT_MD5_HASH_LEN);
  239. memcpy(rgbHash, Md5Ctx.digest, MD5DIGESTLEN);
  240. break;
  242. case CALG_SHA1:
  243. A_SHAFinal(&ShaCtx, rgbHash);
  244. break;
  245. }
  247. return ERROR_SUCCESS;
  249. }
  251. #pragma warning (pop)
  253. //+=========================================================================
  254. // MinCryptVerifySignedHash Support Functions
  255. //-=========================================================================
  257. VOID
  258. WINAPI
  259. I_ReverseAndCopyBytes(
  260. OUT BYTE *pbDst,
  261. IN const BYTE *pbSrc,
  262. IN DWORD cb
  263. )
  264. {
  265. if (0 == cb)
  266. return;
  267. for (pbDst += cb - 1; cb > 0; cb--)
  268. *pbDst-- = *pbSrc++;
  269. }
  273. // The basis for much of the code in this function can be found in
  274. // \nt\ds\win32\ntcrypto\scp\nt_key.c
  275. LONG
  276. WINAPI
  277. I_ConvertParsedRSAPubKeyToBSafePubKey(
  278. IN CRYPT_DER_BLOB rgRSAPubKeyBlob[MINASN1_RSA_PUBKEY_BLOB_CNT],
  279. OUT PBSAFE_PUB_KEY_CONTENT pBSafePubKeyContent
  280. )
  281. {
  282. LONG lErr;
  283. DWORD cbModulus;
  284. const BYTE *pbAsn1Modulus;
  285. DWORD cbExp;
  286. const BYTE *pbAsn1Exp;
  287. DWORD cbTmpLen;
  288. LPBSAFE_PUB_KEY pBSafePubKey;
  290. // Get the ASN.1 public key modulus (BIG ENDIAN). The modulus length
  291. // is the public key byte length.
  292. cbModulus = rgRSAPubKeyBlob[MINASN1_RSA_PUBKEY_MODULUS_IDX].cbData;
  293. pbAsn1Modulus = rgRSAPubKeyBlob[MINASN1_RSA_PUBKEY_MODULUS_IDX].pbData;
  294. // Strip off a leading 0 byte. Its there in the decoded ASN
  295. // integer for an unsigned integer with the leading bit set.
  296. if (cbModulus > 1 && *pbAsn1Modulus == 0) {
  297. pbAsn1Modulus++;
  298. cbModulus--;
  299. }
  300. if (MAX_RSA_PUB_KEY_BYTE_LEN < cbModulus)
  301. goto ExceededMaxPubKeyModulusLen;
  303. // Get the ASN.1 public exponent (BIG ENDIAN).
  304. cbExp = rgRSAPubKeyBlob[MINASN1_RSA_PUBKEY_EXPONENT_IDX].cbData;
  305. pbAsn1Exp = rgRSAPubKeyBlob[MINASN1_RSA_PUBKEY_EXPONENT_IDX].pbData;
  306. // Strip off a leading 0 byte. Its there in the decoded ASN
  307. // integer for an unsigned integer with the leading bit set.
  308. if (cbExp > 1 && *pbAsn1Exp == 0) {
  309. pbAsn1Exp++;
  310. cbExp--;
  311. }
  312. if (sizeof(DWORD) < cbExp)
  313. goto ExceededMaxPubKeyExpLen;
  315. if (0 == cbModulus || 0 == cbExp)
  316. goto InvalidPubKey;
  318. // Update the BSAFE data structure from the parsed and length validated
  319. // ASN.1 public key modulus and exponent components.
  321. cbTmpLen = (sizeof(DWORD) * 2) - (cbModulus % (sizeof(DWORD) * 2));
  322. if ((sizeof(DWORD) * 2) != cbTmpLen)
  323. cbTmpLen += sizeof(DWORD) * 2;
  325. memset(pBSafePubKeyContent, 0, sizeof(*pBSafePubKeyContent));
  326. pBSafePubKey = &pBSafePubKeyContent->Header;
  327. pBSafePubKey->magic = RSA1;
  328. pBSafePubKey->keylen = cbModulus + cbTmpLen;
  329. pBSafePubKey->bitlen = cbModulus * 8;
  330. pBSafePubKey->datalen = cbModulus - 1;
  332. I_ReverseAndCopyBytes((BYTE *) &pBSafePubKey->pubexp, pbAsn1Exp, cbExp);
  333. I_ReverseAndCopyBytes(pBSafePubKeyContent->rgbModulus, pbAsn1Modulus,
  334. cbModulus);
  336. lErr = ERROR_SUCCESS;
  337. CommonReturn:
  338. return lErr;
  340. ExceededMaxPubKeyModulusLen:
  341. ExceededMaxPubKeyExpLen:
  342. InvalidPubKey:
  343. lErr = NTE_BAD_PUBLIC_KEY;
  344. goto CommonReturn;
  345. }
  348. // The basis for much of the code in this function can be found in
  349. // \nt\ds\win32\ntcrypto\scp\nt_sign.c
  350. LONG
  351. WINAPI
  352. I_VerifyPKCS1SigningFormat(
  353. IN BSAFE_PUB_KEY *pKey,
  354. IN ALG_ID HashAlgId,
  355. IN BYTE *pbHash,
  356. IN DWORD cbHash,
  357. IN BYTE *pbPKCS1Format
  358. )
  359. {
  360. LONG lErr = ERROR_INTERNAL_ERROR;
  361. const BYTE **rgEncOptions;
  362. BYTE rgbTmpHash[MINCRYPT_MAX_HASH_LEN];
  363. DWORD i;
  364. DWORD cb;
  365. BYTE *pbStart;
  366. DWORD cbTmp;
  368. switch (HashAlgId)
  369. {
  370. case CALG_MD5:
  371. rgEncOptions = md5Encodings;
  372. break;
  374. case CALG_SHA:
  375. rgEncOptions = shaEncodings;
  376. break;
  378. default:
  379. goto UnsupportedHash;
  380. }
  382. // Reverse the hash to match the signature.
  383. for (i = 0; i < cbHash; i++)
  384. rgbTmpHash[i] = pbHash[cbHash - (i + 1)];
  386. // See if it matches.
  387. if (0 != memcmp(rgbTmpHash, pbPKCS1Format, cbHash))
  388. {
  389. goto BadSignature;
  390. }
  392. cb = cbHash;
  393. for (i = 0; 0 != *rgEncOptions[i]; i += 1)
  394. {
  395. pbStart = (LPBYTE)rgEncOptions[i];
  396. cbTmp = *pbStart++;
  397. if (0 == memcmp(&pbPKCS1Format[cb], pbStart, cbTmp))
  398. {
  399. cb += cbTmp; // Adjust the end of the hash data.
  400. break;
  401. }
  402. }
  404. // check to make sure the rest of the PKCS #1 padding is correct
  405. if ((0x00 != pbPKCS1Format[cb])
  406. || (0x00 != pbPKCS1Format[pKey->datalen])
  407. || (0x1 != pbPKCS1Format[pKey->datalen - 1]))
  408. {
  409. goto BadSignature;
  410. }
  412. for (i = cb + 1; i < pKey->datalen - 1; i++)
  413. {
  414. if (0xff != pbPKCS1Format[i])
  415. {
  416. goto BadSignature;
  417. }
  418. }
  420. lErr = ERROR_SUCCESS;
  422. CommonReturn:
  423. return lErr;
  425. UnsupportedHash:
  426. lErr = NTE_BAD_ALGID;
  427. goto CommonReturn;
  429. BadSignature:
  430. lErr = NTE_BAD_SIGNATURE;
  431. goto CommonReturn;
  432. }
  435. //+-------------------------------------------------------------------------
  436. // Verifies a signed hash.
  437. //
  438. // The ASN.1 encoded Public Key Info is parsed and used to decrypt the
  439. // signed hash. The decrypted signed hash is compared with the input
  440. // hash.
  441. //
  442. // If the signed hash was successfully verified, ERROR_SUCCESS is returned.
  443. // Otherwise, a nonzero error code is returned.
  444. //
  445. // Only RSA signed hashes are supported.
  446. //
  447. // Only MD5 and SHA1 hashes are supported.
  448. //--------------------------------------------------------------------------
  449. LONG
  450. WINAPI
  451. MinCryptVerifySignedHash(
  452. IN ALG_ID HashAlgId,
  453. IN BYTE *pbHash,
  454. IN DWORD cbHash,
  455. IN PCRYPT_DER_BLOB pSignedHashContentBlob,
  456. IN PCRYPT_DER_BLOB pPubKeyInfoValueBlob
  457. )
  458. {
  459. LONG lErr;
  460. LONG lSkipped;
  462. CRYPT_DER_BLOB rgPubKeyInfoBlob[MINASN1_PUBKEY_INFO_BLOB_CNT];
  463. CRYPT_DER_BLOB rgRSAPubKeyBlob[MINASN1_RSA_PUBKEY_BLOB_CNT];
  464. BSAFE_PUB_KEY_CONTENT BSafePubKeyContent;
  465. LPBSAFE_PUB_KEY pBSafePubKey;
  467. DWORD cbSignature;
  468. const BYTE *pbAsn1Signature;
  470. BYTE rgbBSafeIn[MAX_BSAFE_PUB_KEY_MODULUS_BYTE_LEN];
  471. BYTE rgbBSafeOut[MAX_BSAFE_PUB_KEY_MODULUS_BYTE_LEN];
  474. // Attempt to parse and convert the ASN.1 encoded public key into
  475. // an RSA BSAFE formatted key.
  476. lSkipped = MinAsn1ParsePublicKeyInfo(
  477. pPubKeyInfoValueBlob,
  478. rgPubKeyInfoBlob
  479. );
  480. if (0 >= lSkipped)
  481. goto ParsePubKeyInfoError;
  483. lSkipped = MinAsn1ParseRSAPublicKey(
  484. &rgPubKeyInfoBlob[MINASN1_PUBKEY_INFO_PUBKEY_IDX],
  485. rgRSAPubKeyBlob
  486. );
  487. if (0 >= lSkipped)
  488. goto ParseRSAPubKeyError;
  490. lErr = I_ConvertParsedRSAPubKeyToBSafePubKey(
  491. rgRSAPubKeyBlob,
  492. &BSafePubKeyContent
  493. );
  494. if (ERROR_SUCCESS != lErr)
  495. goto CommonReturn;
  497. pBSafePubKey = &BSafePubKeyContent.Header;
  499. // Get the ASN.1 signature (BIG ENDIAN).
  500. //
  501. // It must be the same length as the public key
  502. cbSignature = pSignedHashContentBlob->cbData;
  503. pbAsn1Signature = pSignedHashContentBlob->pbData;
  504. if (cbSignature != pBSafePubKey->bitlen / 8)
  505. goto InvalidSignatureLen;
  507. // Decrypt the signature (LITTLE ENDIAN)
  508. assert(sizeof(rgbBSafeIn) >= cbSignature);
  509. I_ReverseAndCopyBytes(rgbBSafeIn, pbAsn1Signature, cbSignature);
  510. memset(&rgbBSafeIn[cbSignature], 0, sizeof(rgbBSafeIn) - cbSignature);
  511. memset(rgbBSafeOut, 0, sizeof(rgbBSafeOut));
  513. if (!BSafeEncPublic(pBSafePubKey, rgbBSafeIn, rgbBSafeOut))
  514. goto BSafeEncPublicError;
  517. lErr = I_VerifyPKCS1SigningFormat(
  518. pBSafePubKey,
  519. HashAlgId,
  520. pbHash,
  521. cbHash,
  522. rgbBSafeOut
  523. );
  525. CommonReturn:
  526. return lErr;
  528. ParsePubKeyInfoError:
  529. ParseRSAPubKeyError:
  530. lErr = NTE_BAD_PUBLIC_KEY;
  531. goto CommonReturn;
  533. InvalidSignatureLen:
  534. BSafeEncPublicError:
  535. lErr = NTE_BAD_SIGNATURE;
  536. goto CommonReturn;
  537. }