[Assignment-7] prototype verify_firmware

Assignment 7 - SGX Hands-on/src/enclave/enclave.c

@@ -202,3 +202,65 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea
     sgx_ecc256_close_context(ecc_handle);
     return seal_status;
 }
+
+sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size) {
+    // invalid parameter handling
+    if((data == NULL) || (data_size == 0)) {
+        return SGX_ERROR_INVALID_PARAMETER;
+    } else if(((sealed == NULL) || (sealed_size == 0)) && ((public_key == NULL) || (public_key_size == 0))) {
+        return SGX_ERROR_INVALID_PARAMETER;
+    } else if((sealed != NULL) && (public_key != NULL)) {
+        return SGX_ERROR_INVALID_PARAMETER;
+    } else if((signature == NULL) || (signature_size == 0)) {
+        return SGX_ERROR_INVALID_PARAMETER;
+    }
+
+    // declare need structures
+    sgx_ec256_signature_t ecc_signature;
+    sgx_ecc_state_handle_t ecc_handle;
+    sgx_ec256_public_t public;
+
+    // invalid signature
+    if(signature_size > SI_SIZE) {
+        return SGX_ERROR_INVALID_PARAMETER;
+    }
+
+    // open ecc handle
+    sgx_status_t status;
+    if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) {
+        return status;
+    }
+
+    // copy signature into struct
+    memcpy(ecc_signature.x, signature, SI_SIZE);
+
+    // verify signature from staff or enclave
+    if(public_key != NULL) {
+        // invalid public key
+        if(public_key_size != PK_SIZE) {
+            return SGX_ERROR_INVALID_PARAMETER;
+        }
+
+        // copy public key into struct
+        memcpy(public.gx, public_key, PK_SIZE);
+    } else {
+        // unseal public key
+        if(unseal_key_pair(sealed, NULL, &public) != SGX_SUCCESS) {
+            sgx_ecc256_close_context(ecc_handle);
+            return SGX_ERROR_UNEXPECTED;
+        }
+    }
+
+    // verify signature
+    uint8_t result;
+    sgx_status_t verification_status = sgx_ecdsa_verify((const uint8_t *)data, data_size, (const sgx_ec256_public_t *)&public, (const sgx_ec256_signature_t *)&ecc_signature, &result, ecc_handle);
+
+    // handle failed verification process
+    if(verification_status != SGX_SUCCESS) {
+        result = verification_status;
+    }
+
+    // close handle and return result
+    sgx_ecc256_close_context(ecc_handle);
+    return result;
+}

Assignment 7 - SGX Hands-on/src/enclave/enclave.edl

@@ -46,6 +46,7 @@ enclave {
         public int get_private_key_size();
         public sgx_status_t get_public_key([in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [out, size=gx_size]uint8_t *gx, uint32_t gx_size, [out, size=gx_size]uint8_t *gy, uint32_t gy_size);
         public sgx_status_t sign_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, out, size=sealed_size]uint8_t *sealed, uint32_t sealed_size, [out, size=signature_size]uint8_t *signature, uint32_t signature_size);
+        public sgx_status_t verify_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, size=public_key_size]const uint8_t *public_key, uint32_t public_key_size, [in, size=signature_size]const uint8_t *signature, uint32_t signature_size);
     };
 
     /* 

Assignment 7 - SGX Hands-on/src/enclave/enclave.h

@@ -46,5 +46,6 @@ int get_private_key_size();
 
 sgx_status_t get_public_key(const uint8_t *sealed, const uint32_t sealed_size, uint8_t *gx, uint32_t gx_size, uint8_t *gy, uint32_t gy_size);
 sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *signature, uint32_t signature_size);
+sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size);
 
 #endif /* !_ENCLAVE_H_ */