/src/boringssl/pki/verify_signed_data.cc

Source (jump to first uncovered line)
// Copyright 2015 The Chromium Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "verify_signed_data.h"

#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pki/signature_verify_cache.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>

#include "cert_errors.h"
#include "input.h"
#include "parse_values.h"
#include "parser.h"
#include "signature_algorithm.h"

BSSL_NAMESPACE_BEGIN

namespace {

bool SHA256UpdateWithLengthPrefixedData(SHA256_CTX *s_ctx, const uint8_t *data,
                                        uint64_t length) {
  return (SHA256_Update(s_ctx, reinterpret_cast<uint8_t *>(&length),
                        sizeof(length)) &&
          SHA256_Update(s_ctx, data, length));
}

// Increase to make incompatible changes in the computation of the
// cache key.
constexpr uint32_t VerifyCacheKeyVersion = 1;

std::string SignatureVerifyCacheKey(std::string_view algorithm_name,
                                    der::Input signed_data,
                                    der::Input signature_value_bytes,
                                    EVP_PKEY *public_key) {
  SHA256_CTX s_ctx;
  bssl::ScopedCBB public_key_cbb;
  uint8_t digest[SHA256_DIGEST_LENGTH];
  uint32_t version = VerifyCacheKeyVersion;
  if (CBB_init(public_key_cbb.get(), 128) &&
      EVP_marshal_public_key(public_key_cbb.get(), public_key) &&
      SHA256_Init(&s_ctx) &&
      SHA256_Update(&s_ctx, reinterpret_cast<uint8_t *>(&version),
                    sizeof(version)) &&
      SHA256UpdateWithLengthPrefixedData(
          &s_ctx, reinterpret_cast<const uint8_t *>(algorithm_name.data()),
          algorithm_name.length()) &&
      SHA256UpdateWithLengthPrefixedData(&s_ctx, CBB_data(public_key_cbb.get()),
                                         CBB_len(public_key_cbb.get())) &&
      SHA256UpdateWithLengthPrefixedData(&s_ctx, signature_value_bytes.data(),
                                         signature_value_bytes.size()) &&
      SHA256UpdateWithLengthPrefixedData(&s_ctx, signed_data.data(),
                                         signed_data.size()) &&
      SHA256_Final(digest, &s_ctx)) {
    return std::string(reinterpret_cast<char *>(digest), sizeof(digest));
  }
  return std::string();
}

// Place an instance of this class on the call stack to automatically clear
// the OpenSSL error stack on function exit.
// TODO(crbug.com/boringssl/38): Remove this when the library is more robust to
// leaving things in the error queue.
class OpenSSLErrStackTracer {
 public:
  ~OpenSSLErrStackTracer() { ERR_clear_error(); }
};

}  // namespace

// Parses an RSA public key or EC public key from SPKI to an EVP_PKEY. Returns
// true on success.
//
// This function only recognizes the "pk-rsa" (rsaEncryption) flavor of RSA
// public key from RFC 5912.
//
//     pk-rsa PUBLIC-KEY ::= {
//      IDENTIFIER rsaEncryption
//      KEY RSAPublicKey
//      PARAMS TYPE NULL ARE absent
//      -- Private key format not in this module --
//      CERT-KEY-USAGE {digitalSignature, nonRepudiation,
//      keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
//     }
//
// COMPATIBILITY NOTE: RFC 5912 and RFC 3279 are in disagreement on the value
// of parameters for rsaEncryption. Whereas RFC 5912 says they must be absent,
// RFC 3279 says they must be NULL:
//
//     The rsaEncryption OID is intended to be used in the algorithm field
//     of a value of type AlgorithmIdentifier.  The parameters field MUST
//     have ASN.1 type NULL for this algorithm identifier.
//
// Following RFC 3279 in this case.
//
// In the case of parsing EC keys, RFC 5912 describes all the ECDSA
// signature algorithms as requiring a public key of type "pk-ec":
//
//     pk-ec PUBLIC-KEY ::= {
//      IDENTIFIER id-ecPublicKey
//      KEY ECPoint
//      PARAMS TYPE ECParameters ARE required
//      -- Private key format not in this module --
//      CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
//                           keyCertSign, cRLSign }
//     }
//
// Moreover RFC 5912 stipulates what curves are allowed. The ECParameters
// MUST NOT use an implicitCurve or specificCurve for PKIX:
//
//     ECParameters ::= CHOICE {
//      namedCurve      CURVE.&id({NamedCurve})
//      -- implicitCurve   NULL
//        -- implicitCurve MUST NOT be used in PKIX
//      -- specifiedCurve  SpecifiedCurve
//        -- specifiedCurve MUST NOT be used in PKIX
//        -- Details for specifiedCurve can be found in [X9.62]
//        -- Any future additions to this CHOICE should be coordinated
//        -- with ANSI X.9.
//     }
//     -- If you need to be able to decode ANSI X.9 parameter structures,
//     -- uncomment the implicitCurve and specifiedCurve above, and also
//     -- uncomment the following:
//     --(WITH COMPONENTS {namedCurve PRESENT})
//
// The namedCurves are extensible. The ones described by RFC 5912 are:
//
//     NamedCurve CURVE ::= {
//     { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
//     { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
//     { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
//     { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
//     { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
//     ... -- Extensible
//     }
bool ParsePublicKey(der::Input public_key_spki,
                    bssl::UniquePtr<EVP_PKEY> *public_key) {
  // Parse the SPKI to an EVP_PKEY.
  OpenSSLErrStackTracer err_tracer;

  CBS cbs;
  CBS_init(&cbs, public_key_spki.data(), public_key_spki.size());
  public_key->reset(EVP_parse_public_key(&cbs));
  if (!*public_key || CBS_len(&cbs) != 0) {
    public_key->reset();
    return false;
  }
  return true;
}

bool VerifySignedData(SignatureAlgorithm algorithm, der::Input signed_data,
                      const der::BitString &signature_value,
                      EVP_PKEY *public_key, SignatureVerifyCache *cache) {
  int expected_pkey_id = 1;
  const EVP_MD *digest = nullptr;
  bool is_rsa_pss = false;
  std::string_view cache_algorithm_name;
  switch (algorithm) {
    case SignatureAlgorithm::kRsaPkcs1Sha1:
      expected_pkey_id = EVP_PKEY_RSA;
      digest = EVP_sha1();
      cache_algorithm_name = "RsaPkcs1Sha1";
      break;
    case SignatureAlgorithm::kRsaPkcs1Sha256:
      expected_pkey_id = EVP_PKEY_RSA;
      digest = EVP_sha256();
      cache_algorithm_name = "RsaPkcs1Sha256";
      break;
    case SignatureAlgorithm::kRsaPkcs1Sha384:
      expected_pkey_id = EVP_PKEY_RSA;
      digest = EVP_sha384();
      cache_algorithm_name = "RsaPkcs1Sha384";
      break;
    case SignatureAlgorithm::kRsaPkcs1Sha512:
      expected_pkey_id = EVP_PKEY_RSA;
      digest = EVP_sha512();
      cache_algorithm_name = "RsaPkcs1Sha512";
      break;

    case SignatureAlgorithm::kEcdsaSha1:
      expected_pkey_id = EVP_PKEY_EC;
      digest = EVP_sha1();
      cache_algorithm_name = "EcdsaSha1";
      break;
    case SignatureAlgorithm::kEcdsaSha256:
      expected_pkey_id = EVP_PKEY_EC;
      digest = EVP_sha256();
      cache_algorithm_name = "EcdsaSha256";
      break;
    case SignatureAlgorithm::kEcdsaSha384:
      expected_pkey_id = EVP_PKEY_EC;
      digest = EVP_sha384();
      cache_algorithm_name = "EcdsaSha384";
      break;
    case SignatureAlgorithm::kEcdsaSha512:
      expected_pkey_id = EVP_PKEY_EC;
      digest = EVP_sha512();
      cache_algorithm_name = "EcdsaSha512";
      break;

    case SignatureAlgorithm::kRsaPssSha256:
      expected_pkey_id = EVP_PKEY_RSA;
      digest = EVP_sha256();
      cache_algorithm_name = "RsaPssSha256";
      is_rsa_pss = true;
      break;
    case SignatureAlgorithm::kRsaPssSha384:
      expected_pkey_id = EVP_PKEY_RSA;
      digest = EVP_sha384();
      cache_algorithm_name = "RsaPssSha384";
      is_rsa_pss = true;
      break;
    case SignatureAlgorithm::kRsaPssSha512:
      expected_pkey_id = EVP_PKEY_RSA;
      digest = EVP_sha512();
      cache_algorithm_name = "RsaPssSha512";
      is_rsa_pss = true;
      break;
  }

  if (expected_pkey_id != EVP_PKEY_id(public_key)) {
    return false;
  }

  // For the supported algorithms the signature value must be a whole
  // number of bytes.
  if (signature_value.unused_bits() != 0) {
    return false;
  }
  der::Input signature_value_bytes = signature_value.bytes();

  std::string cache_key;
  if (cache) {
    cache_key = SignatureVerifyCacheKey(cache_algorithm_name, signed_data,
                                        signature_value_bytes, public_key);
    if (!cache_key.empty()) {
      switch (cache->Check(cache_key)) {
        case SignatureVerifyCache::Value::kValid:
          return true;
        case SignatureVerifyCache::Value::kInvalid:
          return false;
        case SignatureVerifyCache::Value::kUnknown:
          break;
      }
    }
  }

  OpenSSLErrStackTracer err_tracer;

  bssl::ScopedEVP_MD_CTX ctx;
  EVP_PKEY_CTX *pctx = nullptr;  // Owned by |ctx|.

  if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key)) {
    return false;
  }

  if (is_rsa_pss) {
    // All supported RSASSA-PSS algorithms match signing and MGF-1 digest. They
    // also use the digest length as the salt length, which is specified with -1
    // in OpenSSL's API.
    if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
        !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) {
      return false;
    }
  }

  bool ret = 1 == EVP_DigestVerify(ctx.get(), signature_value_bytes.data(),
                                   signature_value_bytes.size(),
                                   signed_data.data(), signed_data.size());
  if (!cache_key.empty()) {
    cache->Store(cache_key, ret ? SignatureVerifyCache::Value::kValid
                                : SignatureVerifyCache::Value::kInvalid);
  }

  return ret;
}

bool VerifySignedData(SignatureAlgorithm algorithm, der::Input signed_data,
                      const der::BitString &signature_value,
                      der::Input public_key_spki, SignatureVerifyCache *cache) {
  bssl::UniquePtr<EVP_PKEY> public_key;
  if (!ParsePublicKey(public_key_spki, &public_key)) {
    return false;
  }
  return VerifySignedData(algorithm, signed_data, signature_value,
                          public_key.get(), cache);
}

BSSL_NAMESPACE_END

Coverage Report

Created: 2025-06-11 06:41

Line	Count	Source (jump to first uncovered line)
1		// Copyright 2015 The Chromium Authors
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include "verify_signed_data.h"
16
17		#include <openssl/bytestring.h>
18		#include <openssl/digest.h>
19		#include <openssl/err.h>
20		#include <openssl/evp.h>
21		#include <openssl/pki/signature_verify_cache.h>
22		#include <openssl/rsa.h>
23		#include <openssl/sha.h>
24
25		#include "cert_errors.h"
26		#include "input.h"
27		#include "parse_values.h"
28		#include "parser.h"
29		#include "signature_algorithm.h"
30
31		BSSL_NAMESPACE_BEGIN
32
33		namespace {
34
35		bool SHA256UpdateWithLengthPrefixedData(SHA256_CTX s_ctx, const uint8_t data,
36	0	uint64_t length) {
37	0	return (SHA256_Update(s_ctx, reinterpret_cast<uint8_t *>(&length),
38	0	sizeof(length)) &&
39	0	SHA256_Update(s_ctx, data, length));
40	0	}
41
42		// Increase to make incompatible changes in the computation of the
43		// cache key.
44		constexpr uint32_t VerifyCacheKeyVersion = 1;
45
46		std::string SignatureVerifyCacheKey(std::string_view algorithm_name,
47		der::Input signed_data,
48		der::Input signature_value_bytes,
49	0	EVP_PKEY *public_key) {
50	0	SHA256_CTX s_ctx;
51	0	bssl::ScopedCBB public_key_cbb;
52	0	uint8_t digest[SHA256_DIGEST_LENGTH];
53	0	uint32_t version = VerifyCacheKeyVersion;
54	0	if (CBB_init(public_key_cbb.get(), 128) &&
55	0	EVP_marshal_public_key(public_key_cbb.get(), public_key) &&
56	0	SHA256_Init(&s_ctx) &&
57	0	SHA256_Update(&s_ctx, reinterpret_cast<uint8_t *>(&version),
58	0	sizeof(version)) &&
59	0	SHA256UpdateWithLengthPrefixedData(
60	0	&s_ctx, reinterpret_cast<const uint8_t *>(algorithm_name.data()),
61	0	algorithm_name.length()) &&
62	0	SHA256UpdateWithLengthPrefixedData(&s_ctx, CBB_data(public_key_cbb.get()),
63	0	CBB_len(public_key_cbb.get())) &&
64	0	SHA256UpdateWithLengthPrefixedData(&s_ctx, signature_value_bytes.data(),
65	0	signature_value_bytes.size()) &&
66	0	SHA256UpdateWithLengthPrefixedData(&s_ctx, signed_data.data(),
67	0	signed_data.size()) &&
68	0	SHA256_Final(digest, &s_ctx)) {
69	0	return std::string(reinterpret_cast<char *>(digest), sizeof(digest));
70	0	}
71	0	return std::string();
72	0	}
73
74		// Place an instance of this class on the call stack to automatically clear
75		// the OpenSSL error stack on function exit.
76		// TODO(crbug.com/boringssl/38): Remove this when the library is more robust to
77		// leaving things in the error queue.
78		class OpenSSLErrStackTracer {
79		public:
80	0	~OpenSSLErrStackTracer() { ERR_clear_error(); }
81		};
82
83		} // namespace
84
85		// Parses an RSA public key or EC public key from SPKI to an EVP_PKEY. Returns
86		// true on success.
87		//
88		// This function only recognizes the "pk-rsa" (rsaEncryption) flavor of RSA
89		// public key from RFC 5912.
90		//
91		// pk-rsa PUBLIC-KEY ::= {
92		// IDENTIFIER rsaEncryption
93		// KEY RSAPublicKey
94		// PARAMS TYPE NULL ARE absent
95		// -- Private key format not in this module --
96		// CERT-KEY-USAGE {digitalSignature, nonRepudiation,
97		// keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
98		// }
99		//
100		// COMPATIBILITY NOTE: RFC 5912 and RFC 3279 are in disagreement on the value
101		// of parameters for rsaEncryption. Whereas RFC 5912 says they must be absent,
102		// RFC 3279 says they must be NULL:
103		//
104		// The rsaEncryption OID is intended to be used in the algorithm field
105		// of a value of type AlgorithmIdentifier. The parameters field MUST
106		// have ASN.1 type NULL for this algorithm identifier.
107		//
108		// Following RFC 3279 in this case.
109		//
110		// In the case of parsing EC keys, RFC 5912 describes all the ECDSA
111		// signature algorithms as requiring a public key of type "pk-ec":
112		//
113		// pk-ec PUBLIC-KEY ::= {
114		// IDENTIFIER id-ecPublicKey
115		// KEY ECPoint
116		// PARAMS TYPE ECParameters ARE required
117		// -- Private key format not in this module --
118		// CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
119		// keyCertSign, cRLSign }
120		// }
121		//
122		// Moreover RFC 5912 stipulates what curves are allowed. The ECParameters
123		// MUST NOT use an implicitCurve or specificCurve for PKIX:
124		//
125		// ECParameters ::= CHOICE {
126		// namedCurve CURVE.&id({NamedCurve})
127		// -- implicitCurve NULL
128		// -- implicitCurve MUST NOT be used in PKIX
129		// -- specifiedCurve SpecifiedCurve
130		// -- specifiedCurve MUST NOT be used in PKIX
131		// -- Details for specifiedCurve can be found in [X9.62]
132		// -- Any future additions to this CHOICE should be coordinated
133		// -- with ANSI X.9.
134		// }
135		// -- If you need to be able to decode ANSI X.9 parameter structures,
136		// -- uncomment the implicitCurve and specifiedCurve above, and also
137		// -- uncomment the following:
138		// --(WITH COMPONENTS {namedCurve PRESENT})
139		//
140		// The namedCurves are extensible. The ones described by RFC 5912 are:
141		//
142		// NamedCurve CURVE ::= {
143		// { ID secp192r1 } \| { ID sect163k1 } \| { ID sect163r2 } \|
144		// { ID secp224r1 } \| { ID sect233k1 } \| { ID sect233r1 } \|
145		// { ID secp256r1 } \| { ID sect283k1 } \| { ID sect283r1 } \|
146		// { ID secp384r1 } \| { ID sect409k1 } \| { ID sect409r1 } \|
147		// { ID secp521r1 } \| { ID sect571k1 } \| { ID sect571r1 },
148		// ... -- Extensible
149		// }
150		bool ParsePublicKey(der::Input public_key_spki,
151	0	bssl::UniquePtr<EVP_PKEY> *public_key) {
152		// Parse the SPKI to an EVP_PKEY.
153	0	OpenSSLErrStackTracer err_tracer;
154
155	0	CBS cbs;
156	0	CBS_init(&cbs, public_key_spki.data(), public_key_spki.size());
157	0	public_key->reset(EVP_parse_public_key(&cbs));
158	0	if (!*public_key \|\| CBS_len(&cbs) != 0) {
159	0	public_key->reset();
160	0	return false;
161	0	}
162	0	return true;
163	0	}
164
165		bool VerifySignedData(SignatureAlgorithm algorithm, der::Input signed_data,
166		const der::BitString &signature_value,
167	0	EVP_PKEY public_key, SignatureVerifyCache cache) {
168	0	int expected_pkey_id = 1;
169	0	const EVP_MD *digest = nullptr;
170	0	bool is_rsa_pss = false;
171	0	std::string_view cache_algorithm_name;
172	0	switch (algorithm) {
173	0	case SignatureAlgorithm::kRsaPkcs1Sha1:
174	0	expected_pkey_id = EVP_PKEY_RSA;
175	0	digest = EVP_sha1();
176	0	cache_algorithm_name = "RsaPkcs1Sha1";
177	0	break;
178	0	case SignatureAlgorithm::kRsaPkcs1Sha256:
179	0	expected_pkey_id = EVP_PKEY_RSA;
180	0	digest = EVP_sha256();
181	0	cache_algorithm_name = "RsaPkcs1Sha256";
182	0	break;
183	0	case SignatureAlgorithm::kRsaPkcs1Sha384:
184	0	expected_pkey_id = EVP_PKEY_RSA;
185	0	digest = EVP_sha384();
186	0	cache_algorithm_name = "RsaPkcs1Sha384";
187	0	break;
188	0	case SignatureAlgorithm::kRsaPkcs1Sha512:
189	0	expected_pkey_id = EVP_PKEY_RSA;
190	0	digest = EVP_sha512();
191	0	cache_algorithm_name = "RsaPkcs1Sha512";
192	0	break;
193
194	0	case SignatureAlgorithm::kEcdsaSha1:
195	0	expected_pkey_id = EVP_PKEY_EC;
196	0	digest = EVP_sha1();
197	0	cache_algorithm_name = "EcdsaSha1";
198	0	break;
199	0	case SignatureAlgorithm::kEcdsaSha256:
200	0	expected_pkey_id = EVP_PKEY_EC;
201	0	digest = EVP_sha256();
202	0	cache_algorithm_name = "EcdsaSha256";
203	0	break;
204	0	case SignatureAlgorithm::kEcdsaSha384:
205	0	expected_pkey_id = EVP_PKEY_EC;
206	0	digest = EVP_sha384();
207	0	cache_algorithm_name = "EcdsaSha384";
208	0	break;
209	0	case SignatureAlgorithm::kEcdsaSha512:
210	0	expected_pkey_id = EVP_PKEY_EC;
211	0	digest = EVP_sha512();
212	0	cache_algorithm_name = "EcdsaSha512";
213	0	break;
214
215	0	case SignatureAlgorithm::kRsaPssSha256:
216	0	expected_pkey_id = EVP_PKEY_RSA;
217	0	digest = EVP_sha256();
218	0	cache_algorithm_name = "RsaPssSha256";
219	0	is_rsa_pss = true;
220	0	break;
221	0	case SignatureAlgorithm::kRsaPssSha384:
222	0	expected_pkey_id = EVP_PKEY_RSA;
223	0	digest = EVP_sha384();
224	0	cache_algorithm_name = "RsaPssSha384";
225	0	is_rsa_pss = true;
226	0	break;
227	0	case SignatureAlgorithm::kRsaPssSha512:
228	0	expected_pkey_id = EVP_PKEY_RSA;
229	0	digest = EVP_sha512();
230	0	cache_algorithm_name = "RsaPssSha512";
231	0	is_rsa_pss = true;
232	0	break;
233	0	}
234
235	0	if (expected_pkey_id != EVP_PKEY_id(public_key)) {
236	0	return false;
237	0	}
238
239		// For the supported algorithms the signature value must be a whole
240		// number of bytes.
241	0	if (signature_value.unused_bits() != 0) {
242	0	return false;
243	0	}
244	0	der::Input signature_value_bytes = signature_value.bytes();
245
246	0	std::string cache_key;
247	0	if (cache) {
248	0	cache_key = SignatureVerifyCacheKey(cache_algorithm_name, signed_data,
249	0	signature_value_bytes, public_key);
250	0	if (!cache_key.empty()) {
251	0	switch (cache->Check(cache_key)) {
252	0	case SignatureVerifyCache::Value::kValid:
253	0	return true;
254	0	case SignatureVerifyCache::Value::kInvalid:
255	0	return false;
256	0	case SignatureVerifyCache::Value::kUnknown:
257	0	break;
258	0	}
259	0	}
260	0	}
261
262	0	OpenSSLErrStackTracer err_tracer;
263
264	0	bssl::ScopedEVP_MD_CTX ctx;
265	0	EVP_PKEY_CTX *pctx = nullptr; // Owned by \|ctx\|.
266
267	0	if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key)) {
268	0	return false;
269	0	}
270
271	0	if (is_rsa_pss) {
272		// All supported RSASSA-PSS algorithms match signing and MGF-1 digest. They
273		// also use the digest length as the salt length, which is specified with -1
274		// in OpenSSL's API.
275	0	if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) \|\|
276	0	!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) {
277	0	return false;
278	0	}
279	0	}
280
281	0	bool ret = 1 == EVP_DigestVerify(ctx.get(), signature_value_bytes.data(),
282	0	signature_value_bytes.size(),
283	0	signed_data.data(), signed_data.size());
284	0	if (!cache_key.empty()) {
285	0	cache->Store(cache_key, ret ? SignatureVerifyCache::Value::kValid
286	0	: SignatureVerifyCache::Value::kInvalid);
287	0	}
288
289	0	return ret;
290	0	}
291
292		bool VerifySignedData(SignatureAlgorithm algorithm, der::Input signed_data,
293		const der::BitString &signature_value,
294	0	der::Input public_key_spki, SignatureVerifyCache *cache) {
295	0	bssl::UniquePtr<EVP_PKEY> public_key;
296	0	if (!ParsePublicKey(public_key_spki, &public_key)) {
297	0	return false;
298	0	}
299	0	return VerifySignedData(algorithm, signed_data, signature_value,
300	0	public_key.get(), cache);
301	0	}
302
303		BSSL_NAMESPACE_END