Ported to OpenSSL

Author: dmitri-d

BUILD

@@ -44,6 +44,15 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "openssl-crypto",
+    srcs = [
+        "libcrypto.so.1.1",
+    ],
+    visibility = ["//visibility:public"],
+    linkstatic=False,
+)
+
 cc_library(
     name = "base_lib",
     srcs = [
@@ -70,7 +79,7 @@ cc_library(
         ":headers",
     ] + select({
         "//bazel:crypto_system": [],
-        "//conditions:default": ["@boringssl//:crypto"],
+        "//conditions:default": ["@openssl//:openssl-crypto"],
     }),
     alwayslink = 1,
 )

WORKSPACE

@@ -7,3 +7,13 @@ proxy_wasm_cpp_host_repositories()
 load("@proxy_wasm_cpp_host//bazel:dependencies.bzl", "proxy_wasm_cpp_host_dependencies")
 
 proxy_wasm_cpp_host_dependencies()
+
+load("@rules_foreign_cc//foreign_cc:repositories.bzl", "rules_foreign_cc_dependencies")
+
+rules_foreign_cc_dependencies()
+
+new_local_repository(
+    name = "openssl",
+    path = "/usr/lib64/",
+    build_file = "openssl.BUILD"
+)

bazel/repositories.bzl

@@ -76,15 +76,6 @@ def proxy_wasm_cpp_host_repositories():
 
     # Core.
 
-    maybe(
-        http_archive,
-        name = "boringssl",
-        # 2022-02-07 (master-with-bazel)
-        sha256 = "7dec97795a7ac7e3832228e4440ee06cceb18d3663f4580b0840e685281e28a0",
-        strip_prefix = "boringssl-eaa29f431f71b8121e1da76bcd3ddc2248238ade",
-        urls = ["https://github.com/google/boringssl/archive/eaa29f431f71b8121e1da76bcd3ddc2248238ade.tar.gz"],
-    )
-
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_sdk",

openssl.BUILD

@@ -0,0 +1,10 @@
+licenses(["notice"])  # Apache 2
+
+cc_library(
+    name = "openssl-crypto",
+    srcs = [
+        "libcrypto.so.1.1",
+    ],
+    visibility = ["//visibility:public"],
+    linkstatic=False,
+)

src/signature_util.cc

@@ -17,7 +17,6 @@
 #include <array>
 #include <cstring>
 
-#ifdef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY
 #include <openssl/evp.h>
 #include <openssl/sha.h>
 #endif
@@ -94,6 +93,7 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
   }
 
   const auto *signature = reinterpret_cast<const uint8_t *>(payload.data()) + sizeof(uint32_t);
+  const auto sig_len = payload.size() - sizeof(uint32_t); 
 
   SHA512_CTX ctx;
   SHA512_Init(&ctx);
@@ -107,34 +107,28 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
 
   static const auto ed25519_pubkey = hex2pubkey<32>(PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY);
 
-  EVP_PKEY *pubkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, ed25519_pubkey.data(),
-                                                 32 /* ED25519_PUBLIC_KEY_LEN */);
-  if (pubkey == nullptr) {
-    message = "Failed to load the public key";
-    return false;
-  }
+  bool retval = true;
+  EVP_MD_CTX* mctx(EVP_MD_CTX_new());
+  EVP_PKEY* key(EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL, static_cast<const unsigned char*>(ed25519_pubkey.data()), ed25519_pubkey.size()));
 
-  EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-  if (mdctx == nullptr) {
-    message = "Failed to allocate memory for EVP_MD_CTX";
-    EVP_PKEY_free(pubkey);
-    return false;
+  if (key == nullptr) {
+    message = "Failed to load ed25519 public key";
+    retval = false;
   }
-
-  bool ok =
-      (EVP_DigestVerifyInit(mdctx, nullptr, nullptr, nullptr, pubkey) != 0) &&
-      (EVP_DigestVerify(mdctx, signature, 64 /* ED25519_SIGNATURE_LEN */, hash, sizeof(hash)) != 0);
-
-  EVP_MD_CTX_free(mdctx);
-  EVP_PKEY_free(pubkey);
-
-  if (!ok) {
+  if (retval && (1 != EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, key))) {
+    message = "Failed to initialize ed25519 digest verify";
+    retval = false;
+  }
+  if (retval && !EVP_DigestVerify(mctx, signature, sig_len, hash, sizeof(hash))) { 
     message = "Signature mismatch";
-    return false;
+    retval = false;
   }
 
-  message = "Wasm signature OK (Ed25519)";
-  return true;
+  EVP_PKEY_free(key);
+  EVP_MD_CTX_free(mctx);
+
+  if (retval) message = "Wasm signature OK (Ed25519)";
+  return retval;
 
 #endif