Ported to OpenSSL

dmitri-d · dmitri-d · commit 9b122e75d40b · 2021-08-26T09:54:32.000-07:00
diff --git a/BUILD b/BUILD
@@ -38,6 +38,15 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "openssl-crypto",
+    srcs = [
+        "libcrypto.so.1.1",
+    ],
+    visibility = ["//visibility:public"],
+    linkstatic=False,
+)
+
 cc_library(
     name = "base_lib",
     srcs = [
@@ -58,7 +67,7 @@ cc_library(
     ],
     deps = [
         ":headers",
-        "@boringssl//:crypto",
+        "@openssl//:openssl-crypto",
     ],
 )
 
diff --git a/WORKSPACE b/WORKSPACE
@@ -11,3 +11,9 @@ proxy_wasm_cpp_host_dependencies()
 load("@rules_foreign_cc//foreign_cc:repositories.bzl", "rules_foreign_cc_dependencies")
 
 rules_foreign_cc_dependencies()
+
+new_local_repository(
+    name = "openssl",
+    path = "/usr/lib64/",
+    build_file = "openssl.BUILD"
+)
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -22,13 +22,6 @@ def proxy_wasm_cpp_host_repositories():
         urls = ["https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/archive/fd0be8405db25de0264bdb78fae3a82668c03782.tar.gz"],
     )
 
-    http_archive(
-        name = "boringssl",
-        sha256 = "bb55b0ed2f0cb548b5dce6a6b8307ce37f7f748eb9f1be6bfe2d266ff2b4d52b",
-        strip_prefix = "boringssl-2192bbc878822cf6ab5977d4257a1339453d9d39",
-        urls = ["https://github.com/google/boringssl/archive/2192bbc878822cf6ab5977d4257a1339453d9d39.tar.gz"],
-    )
-
     http_archive(
         name = "com_google_googletest",
         sha256 = "9dc9157a9a1551ec7a7e43daea9a694a0bb5fb8bec81235d8a1e6ef64c716dcb",
diff --git a/openssl.BUILD b/openssl.BUILD
@@ -0,0 +1,10 @@
+licenses(["notice"])  # Apache 2
+
+cc_library(
+    name = "openssl-crypto",
+    srcs = [
+        "libcrypto.so.1.1",
+    ],
+    visibility = ["//visibility:public"],
+    linkstatic=False,
+)
diff --git a/src/signature_util.cc b/src/signature_util.cc
@@ -17,7 +17,7 @@
 #include <array>
 #include <cstring>
 
-#include <openssl/curve25519.h>
+#include <openssl/evp.h>
 #include <openssl/sha.h>
 
 #include "include/proxy-wasm/bytecode_util.h"
@@ -90,6 +90,7 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
   }
 
   const auto *signature = reinterpret_cast<const uint8_t *>(payload.data()) + sizeof(uint32_t);
+  const auto sig_len = payload.size() - sizeof(uint32_t); 
 
   SHA512_CTX ctx;
   SHA512_Init(&ctx);
@@ -103,13 +104,28 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
 
   static const auto ed25519_pubkey = hex2pubkey<32>(PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY);
 
-  if (!ED25519_verify(hash, sizeof(hash), signature, ed25519_pubkey.data())) {
+  bool retval = true;
+  EVP_MD_CTX* mctx(EVP_MD_CTX_new());
+  EVP_PKEY* key(EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL, static_cast<const unsigned char*>(ed25519_pubkey.data()), ed25519_pubkey.size()));
+
+  if (key == nullptr) {
+    message = "Failed to load ed25519 public key";
+    retval = false;
+  }
+  if (retval && (1 != EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, key))) {
+    message = "Failed to initialize ed25519 digest verify";
+    retval = false;
+  }
+  if (retval && !EVP_DigestVerify(mctx, signature, sig_len, hash, sizeof(hash))) { 
     message = "Signature mismatch";
-    return false;
+    retval = false;
   }
 
-  message = "Wasm signature OK (Ed25519)";
-  return true;
+  EVP_PKEY_free(key);
+  EVP_MD_CTX_free(mctx);
+
+  if (retval) message = "Wasm signature OK (Ed25519)";
+  return retval;
 
 #endif
 
