On 08/23/2018 03:48 PM, [email protected] wrote:
> I can successfully decode all the infos, and I end up with a valid pem
> certificate, what looks like a proper signature and the data to check.
>
> I'm looking for the ocaml equivalent of php's openssl_verify (line 231
> of the php file), but looking at the doc I'm not sure of what it does
> exactly.
>
> As specified on SO, I am using MirageOS, so if something like this
> exists already in one of mirage's library, it'd be great.

TL;DR: This is non-trivial. If you're doing this on a unix-like
platform you might have more luck using a library that wraps openssl or
similar.
The portable mirage way (AFAIK):
- openssl_verify() seems to take a PEM certificate, data, and verify
that some signature was performed with the PEM cert.
- There are some examples here:
http://php.net/openssl_verify
I think you would need something along the lines of:
1) install the x509 opam package
2) use X509.Encoding.Pem.Certificate.of_pem_cstruct1 to extract a X509.t
3) use X509.public_key (the function) to extract the X509.public_key
(the type), pray to god it's a `RSA key (if not, you're in for a lot of
fun writing a new Asn.codec) from which you can pattern-match the
Nocrypto.Rsa.pub key.
4) Now you have to figure out the encoding of the signature. From the
comments section on php.net this sounds like it's a PKCS1 signature,
if not then you'll need to decode it, somehow.
5) Unfortunately, while the ocaml-nocrypto library has rudimentary
support for PKCS1, it's not super easy to use in its current form,
but you can probably wiggle it if you hard-code some ASN.1
constants, if you search for "PKCS1" in the issues/pull requests
you'll likely come upon some relevant discussion.
Alternatively you can wait for a new release, since the upstream
introduced a nicer API for PKCS1 stuff in 2017;
or you could use the upstream directly, if you can get it to build
(I didn't manage last I tried a few weeks ago).
Some kind spirits have a collection of commits that works towards
making that easier at
'https://github.com/hannesm/ocaml-nocrypto.git#safely'; that branch
compiles for me if I turn off the
ACCELERATE flag.
6) I'm not sure how to make `opam` build `nocrypto` without the
ACCELERATE flag, but perhaps someone else on this list knows how to
do that.
Hope that makes sense.
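
Steps 2 to 5 above, sketched as an added example that is not part of the original message or of either library's own code. It assumes the x509 0.6.x and nocrypto 0.5.x APIs of the time, an RSA certificate, and SHA-1 as the digest (the default of PHP's openssl_verify); `verify_sha1_rsa` and `sha1_digest_info_prefix` are hypothetical names.

```ocaml
(* Added example, not from the original thread. Assumes x509 0.6.x and
   nocrypto 0.5.x, and an RSA PKCS#1 v1.5 signature over SHA-1. *)

(* Hard-coded DER prefix of the DigestInfo structure for SHA-1
   (RFC 8017, section 9.2); the 20-byte digest follows it directly. *)
let sha1_digest_info_prefix =
  Cstruct.of_hex "3021300906052b0e03021a05000414"

(* [verify_sha1_rsa ~cert_pem ~data ~signature] is [true] iff [signature]
   is a valid signature over [data] under the RSA key in [cert_pem].
   It checks the signature only, not the certificate chain or validity. *)
let verify_sha1_rsa ~cert_pem ~data ~signature =
  (* Assumption: the PEM decoder raises Invalid_argument on bad input. *)
  match X509.Encoding.Pem.Certificate.of_pem_cstruct1 cert_pem with
  | exception Invalid_argument _ -> false
  | cert ->
    match X509.public_key cert with
    | `RSA key ->
      (* sig_decode applies the public key and strips the PKCS#1 type 1
         padding; it returns None if the padding is malformed. *)
      (match Nocrypto.Rsa.PKCS1.sig_decode ~key signature with
       | None -> false
       | Some digest_info ->
         (* Build the DigestInfo we expect and compare whole buffers. *)
         let expected =
           Cstruct.append sha1_digest_info_prefix
             (Nocrypto.Hash.SHA1.digest data)
         in
         Cstruct.equal expected digest_info)
    | _ -> false (* non-RSA key: not handled here *)
```

Comparing the decoded block against a freshly built DigestInfo, instead of parsing it, rejects signatures that carry extra or malformed bytes after the padding. For a different digest, swap both the prefix constant and the hash module.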