
Re: [MirageOS-devel] ocaml equivalent of php's openssl_verify function

  • To: mirageos-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Joe <joe@xxxxxxx>
  • Date: Fri, 24 Aug 2018 01:52:20 +0200
  • Delivery-date: Thu, 23 Aug 2018 23:52:40 +0000
  • List-id: Developer list for MirageOS <mirageos-devel.lists.xenproject.org>

On 08/23/2018 03:48 PM, lemonnierk@xxxxxxxxx wrote:
> I can successfully decode all the infos, and I end up with a valid pem
> certificate, what looks like a proper signature and the data to check.
> I'm looking for the ocaml equivalent of php's openssl_verify (line 231
> of the php file), but looking at the doc I'm not sure of what it does.
> As specified on SO, I am using MirageOS, so if something like this
> exists already in one of mirage's library, it'd be great.

TL;DR: This is non-trivial. If you're doing this on a unix-like platform you might have more luck using a library that wraps openssl or similar.

The portable mirage way (AFAIK):

- openssl_verify() seems to take a PEM certificate, data, and verify that some signature was performed with the PEM cert.

- There are some examples here:

I think you would need something along the lines of:

1) install the x509 opam package

2) use X509.Encoding.Pem.Certificate.of_pem_cstruct1 to extract an X509.t

3) use X509.public_key (the function) to extract the X509.public_key (the type), pray to god it's a `RSA key (if not, you're in for a lot of fun writing a new Asn.codec) from which you can pattern-match the Nocrypto.Rsa.pub key.

4) Now you have to figure out the encoding of the signature. From the
   comments section on php.net this sounds like it's a PKCS1 signature,
   if not then you'll need to decode it, somehow.

5) Unfortunately, while the ocaml-nocrypto library has rudimentary
   support for PKCS1, it's not super easy to use in its current form,
   but you can probably wiggle it if you hard-code some ASN.1
   constants, if you search for "PKCS1" in the issues/pull requests
   you'll likely come upon some relevant discussion.

  Alternatively you can wait for a new release, since the upstream
  introduced a nicer API for PKCS1 stuff in 2017;
  or you could use the upstream directly, if you can get it to build
  (I didn't manage last I tried a few weeks ago).

  Some kind spirits have a collection of commits that works towards
  making that easier at
  'https://github.com/hannesm/ocaml-nocrypto.git#safely'; that branch
  compiles for me if I turn off the

6) I'm not sure how to make `opam` build `nocrypto` without the
   ACCELERATE flag, but perhaps someone else on this list knows how to
   do that.

Hope that makes sense.
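
What steps 4 and 5 above amount to once the RSA public key is in hand, as an added illustration that is not part of the original message and is not nocrypto or x509 code: a PKCS#1 v1.5 signature check with the hard-coded ASN.1 DigestInfo constants. It is written in Python so it runs with the standard library alone; the function names, the SHA-256 default and the toy key (built from two Mersenne primes, not secure) are assumptions made for the example.

```python
import hashlib
import hmac

# DER DigestInfo prefixes from RFC 8017 section 9.2: the "ASN.1 constants"
# that get hard-coded when the library has no PKCS1 signature API.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v15(message, hash_name, k):
    """Build the k-byte block 00 01 FF..FF 00 || DigestInfo || H(message)."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify(n, e, message, signature, hash_name="sha256"):
    """Return True if signature is a PKCS#1 v1.5 signature of message."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Rebuild the expected block and compare it whole; parsing the padding
    # out of `recovered` leniently is how signature forgeries slip through.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message, hash_name, k))


# Constructed toy key for the demonstration only (Mersenne primes).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def sign(message, hash_name="sha256"):
    """Sign with the toy private key so verify() has something to check."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(message, hash_name, k), "big")
    return pow(m, D, N).to_bytes(k, "big")
```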
