On Fri, Aug 24, 2018 at 01:52:20AM +0200, Joe wrote:
> TL;DR: This is non-trivial. If you're doing this on a unix-like 
> platform you might have more luck using a library that wraps openssl or 
> similar.

Unless I can use ctypes to get openssl working on mirage, that won't
really help me unfortunately.
I tried playing a bit with ctypes / cstubs to get the official C library
for U2F on mirage, but it doesn't seem to compile anymore when I change
the target from unix to virtio, maybe trying to pack openssl is a bit much.

> 
> The portable mirage way (AFAIK):
> 
> - openssl_verify() seems to take a PEM certificate, data, and verify 
> that some signature was performed with the PEM cert.
> 
> - There are some examples here:
>    http://php.net/openssl_verify
> 
> I think you would need something along the lines of:
> 
> 1) install the x509 opam package
> 
> 2) use X509.Encoding.Pem.Certificate.of_pem_cstruct1 to extract an X509.t
> 

I was afraid of that, I did try it already but it won't parse. Seems
like the lib doesn't support some extensions I'm afraid the certificate
might have, or if that's not it I guess the pubkey isn't RSA.
I'll dig this way then, thanks

> 3) use X509.public_key (the function) to extract the X509.public_key 
> (the type), pray to god it's a `RSA key (if not, you're in for a lot of 
> fun writing a new Asn.codec) from which you can pattern-match the 
> Nocrypto.Rsa.pub key.
> 
> 4) Now you have to figure out the encoding of the signature. From the
>     comments section on php.net this sounds like it's a PKCS1 signature,
>     if not then you'll need to decode it, somehow.
> 
> 5) Unfortunately, while the ocaml-nocrypto library has rudimentary
>     support for PKCS1, it's not super easy to use in its current form,
>     but you can probably wiggle it if you hard-code some ASN.1
>     constants, if you search for "PKCS1" in the issues/pull requests
>     you'll likely come upon some relevant discussion.
> 
>    Alternatively you can wait for a new release, since the upstream
>    introduced a nicer API for PKCS1 stuff in 2017;
>    or you could use the upstream directly, if you can get it to build
>    (I didn't manage last I tried a few weeks ago).
> 
>    Some kind spirits have a collection of commits that works towards
>    making that easier at
>    'https://github.com/hannesm/ocaml-nocrypto.git#safely'; that branch
>    compiles for me if I turn off the ACCELERATE flag.
> 
> 6) I'm not sure how to make `opam` build `nocrypto` without the
>     ACCELERATE flag, but perhaps someone else on this list knows how to
>     do that.
> 
> Hope that makes sense.
> 

I think I mostly get it, but it seems like it won't be easy. I doubt I
have any chance of making that work, I'm not the one to implement any
kind of crypto. If ocaml-X509 can't parse the pem, I guess the auth
systems will be done by someone else in PHP.

Thanks !

-- 
PGP Fingerprint : 0x624E42C734DAC346

Attachment: signature.asc
Description: Digital signature

_______________________________________________
MirageOS-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/mirageos-devel
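
What steps 4 and 5 of the quoted procedure amount to for an RSA key, as an added example that is not part of the original messages or of ocaml-nocrypto: a strict PKCS#1 v1.5 check with the SHA-256 DigestInfo prefix hard-coded as the ASN.1 constant. It is written in Python only to show the byte layout; the choice of SHA-256, the function names and the toy key are assumptions made for the example.

```python
import hashlib
import hmac

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Build the k-byte block 00 01 FF..FF 00 || DigestInfo for message."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:  # the standard requires at least 8 bytes of FF padding
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Strict check: rebuild the expected block and compare all k bytes."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    try:
        expected = emsa_pkcs1_v15(message, k)
    except ValueError:
        return False
    return hmac.compare_digest(recovered, expected)

# Constructed demo key (NOT secure: 511-bit modulus from two well-known primes).
P, Q, E = 2**255 - 19, 2**256 - 189, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, Python 3.8+

def sign(message: bytes) -> bytes:
    """Signer side, present only so the example has something to verify."""
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(em, D, N).to_bytes(k, "big")

if __name__ == "__main__":
    sig = sign(b"constructed challenge")
    print(verify(N, E, b"constructed challenge", sig))  # genuine signature
    print(verify(N, E, b"another message", sig))        # wrong data
```

Comparing the whole re-encoded block, rather than parsing the recovered bytes and accepting whatever follows the digest, is what keeps trailing-garbage forgeries from passing.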
