Re: [MirageOS-devel] ocaml equivalent of php's openssl_verify function
On Fri, Aug 24, 2018 at 01:52:20AM +0200, Joe wrote:
> TL;DR: This is non-trivial. If you're doing this on a unix-like
> platform you might have more luck using a library that wraps openssl or
> similar.

Unless I can use ctypes to get openssl working on mirage, that won't really help me unfortunately. I tried playing a bit with ctypes / cstubs to get the official C library for U2F on mirage, but it doesn't seem to compile anymore when I change the target from unix to virtio, maybe trying to pack openssl is a bit much.

>
> The portable mirage way (AFAIK):
>
> - openssl_verify() seems to take a PEM certificate, data, and verify
>   that some signature was performed with the PEM cert.
>
> - There are some examples here:
>   http://php.net/openssl_verify
>
> I think you would need something along the lines of:
>
> 1) install the x509 opam package
>
> 2) use X509.Encoding.Pem.Certificate.of_pem_cstruct1 to extract a X509.t
>

I was afraid of that, I did try it already but it won't parse. Seems like the lib doesn't support some extensions I'm afraid the certificate might have, or if that's not it I guess the pubkey isn't RSA. I'll dig this way then, thanks

> 3) use X509.public_key (the function) to extract the X509.public_key
>    (the type), pray to god it's a `RSA key (if not, you're in for a lot of
>    fun writing a new Asn.codec) from which you can pattern-match the
>    Nocrypto.Rsa.pub key.
>
> 4) Now you have to figure out the encoding of the signature. From the
>    comments section on php.net this sounds like it's a PKCS1 signature,
>    if not then you'll need to decode it, somehow.
>
> 5) Unfortunately, while the ocaml-nocrypto library has rudimentary
>    support for PKCS1, it's not super easy to use in its current form,
>    but you can probably wiggle it if you hard-code some ASN.1
>    constants, if you search for "PKCS1" in the issues/pull requests
>    you'll likely come upon some relevant discussion.
>
>    Alternatively you can wait for a new release, since the upstream
>    introduced a nicer API for PKCS1 stuff in 2017;
>    or you could use the upstream directly, if you can get it to build
>    (I didn't manage last I tried a few weeks ago).
>
>    Some kind spirits have a collection of commits that works towards
>    making that easier at
>    'https://github.com/hannesm/ocaml-nocrypto.git#safely';
>    that branch compiles for me if I turn off the ACCELERATE flag.
>
> 6) I'm not sure how to make `opam` build `nocrypto` without the
>    ACCELERATE flag, but perhaps someone else on this list knows how to
>    do that.
>
> Hope that makes sense.
>

I think I mostly get it, but it seems like it won't be easy. I doubt I have any chance of making that work, I'm not the one to implement any kind of crypto. If ocaml-X509 can't parse the pem, I guess the auth systems will be done by someone else in PHP.

Thanks!

--
PGP Fingerprint : 0x624E42C734DAC346

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/mirageos-devel
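Added example, not part of the thread and not code from x509 or nocrypto: steps 4 and 5 of the quoted procedure in Python, showing what a PKCS#1 v1.5 verification does once the RSA public key (n, e) has been extracted, and which ASN.1 constants end up hard-coded. The key is a constructed toy key, the function names are hypothetical, and SHA-1 is assumed as the default digest because that is openssl_verify's default.

```python
import hashlib
import hmac

# DigestInfo DER prefixes from RFC 8017 section 9.2: the hard-coded ASN.1 constants.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15(data: bytes, algo: str, k: int) -> bytes:
    """Build the k-byte block 00 01 FF..FF 00 || DigestInfo prefix || hash."""
    t = DIGEST_INFO_PREFIX[algo] + hashlib.new(algo, data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(n: int, e: int, data: bytes, sig: bytes, algo: str = "sha1") -> bool:
    """RSASSA-PKCS1-v1_5 verification with an already extracted public key."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Re-encode and compare the whole block instead of parsing the padding:
    # lenient padding parsers have led to signature-forgery bugs.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(data, algo, k))

# Constructed toy key for the demo only (two Mersenne primes), never a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign(data: bytes, algo: str = "sha1") -> bytes:
    """Signer side, present only so the demo has a signature to check."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(data, algo, k), "big")
    return pow(m, D, N).to_bytes(k, "big")

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print(verify(N, E, msg, sig), verify(N, E, msg + b"!", sig))
```
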