
Re: [MirageOS-devel] ocaml equivalent of php's openssl_verify function

  • To: mirageos-devel@xxxxxxxxxxxxxxxxxxxx
  • From: lemonnierk@xxxxxxxxx
  • Date: Fri, 24 Aug 2018 09:04:33 +0100
  • Delivery-date: Fri, 24 Aug 2018 08:04:57 +0000
  • List-id: Developer list for MirageOS <mirageos-devel.lists.xenproject.org>

On Fri, Aug 24, 2018 at 01:52:20AM +0200, Joe wrote:
> TL;DR: This is non-trivial. If you're doing this on a unix-like 
> platform you might have more luck using a library that wraps openssl or 
> similar.

Unless I can use ctypes to get openssl working on mirage, that won't
really help me unfortunately.
I tried playing a bit with ctypes / cstubs to get the official C library
for U2F on mirage, but it doesn't seem to compile anymore when I change
the target from unix to virtio, maybe trying to pack openssl is a bit much.

> The portable mirage way (AFAIK):
> - openssl_verify() seems to take a PEM certificate, data, and verify 
> that some signature was performed with the PEM cert.
> - There are some examples here:
>    http://php.net/openssl_verify
> I think you would need something along the lines of:
> 1) install the x509 opam package
> 2) use X509.Encoding.Pem.Certificate.of_pem_cstruct1 to extract a X509.t

I was afraid of that, I did try it already but it won't parse. Seems
like the lib doesn't support some extensions I'm afraid the certificate
might have, or if that's not it I guess the pubkey isn't RSA.
I'll dig this way then, thanks.

> 3) use X509.public_key (the function) to extract the X509.public_key 
> (the type), pray to god it's a `RSA key (if not, you're in for a lot of 
> fun writing a new Asn.codec) from which you can pattern-match the 
> Nocrypto.Rsa.pub key.
> 4) Now you have to figure out the encoding of the signature. From the
>     comments section on php.net this sounds like it's a PKCS1 signature,
>     if not then you'll need to decode it, somehow.
> 5) Unfortunately, while the ocaml-nocrypto library has rudimentary
>     support for PKCS1, it's not super easy to use in its current form,
>     but you can probably wiggle it if you hard-code some ASN.1
>     constants, if you search for "PKCS1" in the issues/pull requests
>     you'll likely come upon some relevant discussion.
>    Alternatively you can wait for a new release, since the upstream
>    introduced a nicer API for PKCS1 stuff in 2017;
>    or you could use the upstream directly, if you can get it to build
>    (I didn't manage last I tried a few weeks ago).
>    Some kind spirits have a collection of commits that works towards
>    making that easier at 'https://github.com/hannesm/ocaml-nocrypto.git#safely';
>    that branch compiles for me if I turn off the ACCELERATE flag.
> 6) I'm not sure how to make `opam` build `nocrypto` without the
>     ACCELERATE flag, but perhaps someone else on this list knows how to
>     do that.
> Hope that makes sense.

I think I mostly get it, but it seems like it won't be easy. I doubt I
have any chance of making that work, I'm not the one to implement any
kind of crypto. If ocaml-X509 can't parse the pem, I guess the auth
systems will be done by someone else in PHP.

Thanks!

PGP Fingerprint : 0x624E42C734DAC346
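Steps 4 and 5 of Joe's quoted reply describe what openssl_verify actually checks: an RSA PKCS#1 v1.5 signature, whose decrypted block is fixed padding followed by a DER DigestInfo built from hard-coded ASN.1 constants and the message hash. The following is an added example, not code from the thread, from ocaml-x509 or from ocaml-nocrypto; it is written in pure Python rather than OCaml so it runs without either library, and the x509 half of the procedure (extracting the RSA modulus and exponent from the PEM certificate) is assumed to have already happened, so the public key is passed in as a plain `(n, e)` pair. `generate_keypair`, `sign`, `verify` and `demo` are constructed helpers named here for illustration; the `DIGEST_INFO_PREFIX` bytes are the RFC 8017 section 9.2 constants. It goes slightly beyond the thread in one respect: `verify` takes an allowlist of hash algorithms, because PHP's openssl_verify defaults to SHA-1 when no algorithm is given, and a verifier should decide explicitly which digests it will accept.

```python
import hashlib
import hmac
import secrets

# DER encoding of DigestInfo { AlgorithmIdentifier, OCTET STRING } minus the
# hash bytes themselves (RFC 8017, section 9.2, note 1).  These are the ASN.1
# constants one ends up hard-coding when a library has no PKCS#1 helper.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def _emsa_pkcs1_v15_encode(message: bytes, hash_name: str, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 || PS (0xFF...) || 0x00 || DigestInfo."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify(pub, message: bytes, signature: bytes, allowed_hashes=("sha256",)) -> bool:
    """The openssl_verify equivalent: True iff `signature` is a valid PKCS#1
    v1.5 signature over `message` under RSA public key `pub = (n, e)` with one
    of the permitted digests."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Re-encode the expected block and compare the whole thing in constant
    # time instead of parsing the padding: this is the RFC 8017 verification
    # procedure and sidesteps the lenient-parser forgeries of the past.
    return any(
        hmac.compare_digest(em, _emsa_pkcs1_v15_encode(message, h, k))
        for h in allowed_hashes
    )


# --- constructed test fixtures: a toy key generator and signer, only here so
# --- the example can produce its own input offline -------------------------

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with a trial-division prefilter (constructed helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Returns ((n, e), (n, d)).  1024 bits keeps the example fast; real
    deployments use 2048 bits or more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return (n, e), (n, pow(e, -1, phi))


def sign(priv, message: bytes, hash_name: str = "sha256") -> bytes:
    """RSASSA-PKCS1-v1_5 signing, the counterpart the PHP side would run."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = _emsa_pkcs1_v15_encode(message, hash_name, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def demo():
    """Returns (valid, tampered_ok, sha1_accepted_by_default) for a fresh key."""
    pub, priv = generate_keypair()
    msg = b"constructed U2F-style challenge"
    sig = sign(priv, msg)
    return (
        verify(pub, msg, sig),
        verify(pub, msg + b"x", sig),
        verify(pub, msg, sign(priv, msg, "sha1")),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

`verify` deliberately does not reject on a byte-by-byte padding walk; it rebuilds the full expected block for each allowed digest and compares with `hmac.compare_digest`, which is also how a nocrypto-style `hashp` predicate would be applied. Accepting SHA-1 is an explicit opt-in via `allowed_hashes`, never the default.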

