add verify

Signed-off-by: He Jie Xu <[email protected]>

source/common/tls/cert_validator/default_validator.cc

@@ -317,6 +317,7 @@ ValidationResults DefaultCertValidator::doVerifyCertChain(
       return {ValidationResults::ValidationStatus::Failed,
               Envoy::Ssl::ClientValidationStatus::Failed, absl::nullopt, error};
     }
+    ENVOY_LOG_MISC(debug, "######### before the x509 verify");
     CryptoMBVerifier verifier;
     const bool verify_succeeded = (verifier.verify(ctx.get()) == ValidationResults::ValidationStatus::Successful);
     // const bool verify_succeeded = (X509_verify_cert(ctx.get()) == 1);

source/common/tls/cert_validator/ipp_crypto_impl.h

@@ -1,6 +1,6 @@
 #pragma once
 
-#include "contrib/cryptomb/private_key_providers/source/ipp_crypto.h"
+#include "source/common/tls/cert_validator/ipp_crypto.h"
 #include "crypto_mb/cpu_features.h"
 #include "crypto_mb/ec_nistp256.h"
 #include "crypto_mb/rsa.h"
@@ -22,8 +22,10 @@ class IppCryptoImpl : public virtual IppCrypto {
                                                  const uint64_t* const pa_puby[8],
                                                  const uint64_t* const pa_pubz[8],
                                                         uint8_t* pBuffer) override {
-    return ::mbx_nistp256_ecdsa_verify_mb8(pa_sign_r, pa_sign_s, pa_msg, pa_pubx,
-                                           pa_puby, pa_pubz, pBuffer);
+    return ::mbx_nistp256_ecdsa_verify_mb8(pa_sign_r, pa_sign_s, pa_msg,
+                                           reinterpret_cast<const unsigned long long *const *>(&pa_pubx[0]),
+                                           reinterpret_cast<const unsigned long long *const *>(&pa_puby[0]),
+                                           reinterpret_cast<const unsigned long long *const *>(&pa_pubz[0]), pBuffer);
   }
 };
 

source/common/tls/cert_validator/verifier.cc

@@ -1,18 +1,74 @@
 #include "verifier.h"
 
+#include "source/common/tls/cert_validator/ipp_crypto_impl.h"
+
 #include "openssl/ssl.h"
 
 namespace Envoy {
 namespace Extensions {
 namespace TransportSockets {
 namespace Tls {
 
+int custom_verify(EVP_PKEY_CTX *ctx, 
+                  const uint8_t *sig, size_t siglen,
+                  const uint8_t *, //tbs,
+                  size_t //tbslen
+                  ) {
+    ENVOY_LOG_MISC(debug, "custom verify!!!!!!!!!!!!!!!!!!\n");
+
+    uint8_t pa_sign_r[8][32];
+    uint8_t pa_sign_s[8][32];
+    EVP_PKEY_fetch_parameters(ctx, sig, siglen, &pa_sign_r[0][0], &pa_sign_s[0][0]);
+
+    uint8_t pa_pubx[8][32];
+    uint8_t pa_puby[8][32];
+    uint8_t pa_pubz[8][32];
+    EVP_PKEY_fetch_points(ctx, &pa_pubx[0][0], &pa_puby[0][0], &pa_pubz[0][0]);
+
+    uint8_t *sign_r[8];
+    for (int i = 0; i < 8; i++) {
+      sign_r[i] = &pa_sign_r[i][0];
+    }
+    uint8_t *sign_s[8];
+    for (int i = 0; i < 8; i++) {
+      sign_s[i] = &pa_sign_s[i][0];
+    }
+
+    const uint64_t* pubx[8];
+    for (int i = 0; i < 8; i++) {
+      pubx[i] = reinterpret_cast<uint64_t*>(&pa_pubx[i][0]);
+    }
+    const uint64_t* puby[8];
+    for (int i = 0; i < 8; i++) {
+      puby[i] = reinterpret_cast<uint64_t*>(&pa_puby[i][0]);
+    }
+    const uint64_t* pubz[8];
+    for (int i = 0; i < 8; i++) {
+      pubz[i] = reinterpret_cast<uint64_t*>(&pa_pubz[i][0]);
+    }
+    const uint8_t* msg[8];
+    for (int i = 0; i < 8; i++) {
+      msg[i] = sig;
+    }
+    IppCryptoImpl crypto;
+    return crypto.mbx_nistp256_ecdsa_verify_mb8(sign_r, sign_s, msg, pubx, puby, pubz, nullptr) == 0;
+    // mbx_status mbx_nistp256_ecdsa_verify_mb8(const int8u* const pa_sign_r[8],
+    //                                               const int8u* const pa_sign_s[8],
+    //                                               const int8u* const pa_msg[8],
+    //                                              const int64u* const pa_pubx[8],
+    //                                              const int64u* const pa_puby[8],
+    //                                              const int64u* const pa_pubz[8],
+    //                                                     int8u* pBuffer);
+    // return 0;
+}
+
 ValidationResults::ValidationStatus CryptoMBVerifier::verify(X509_STORE_CTX *ctx) {
+    ENVOY_LOG_MISC(debug, "####### CryptoMBVerifier::verify");
     // int n = (int)sk_X509_num(ctx->chain);
     // n--;
     // X509 *xi = sk_X509_value(ctx->chain, n);
     // EVP_PKEY *pkey = X509_get_pubkey(xi);
-
+    EVP_PKEY_set_ec_verify_method(custom_verify);
     if (X509_verify_cert(ctx) == 1) {
         return ValidationResults::ValidationStatus::Successful;
     }

source/common/tls/context_impl.cc

@@ -173,8 +173,10 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
   auto verify_mode = cert_validator_->initializeSslContexts(
       ssl_contexts, config.capabilities().provides_certificates);
   if (!capabilities_.verifies_peer_certificates) {
+    ENVOY_LOG_MISC(debug, "####### before set the custom verify callback");
     for (auto ctx : ssl_contexts) {
       if (verify_mode != SSL_VERIFY_NONE) {
+        ENVOY_LOG_MISC(debug, "####### set the custom verify callback");
         // TODO(danzh) Envoy's use of SSL_VERIFY_NONE does not quite match the actual semantics as
         // a client. As a client, SSL_VERIFY_NONE means to verify the certificate (which will fail
         // without trust anchors), save the result in the session ticket, but otherwise continue