CR50: add a simple ASN.1 parser & certificate verifier

Add a certificate verifier, so that endorsement certificates may be verified upon installation. Doing so allows for catching certificate errors early. BRANCH=none BUG=chrome-os-partner:43025,chrome-os-partner:47524 TEST=all tests in test/tpm_test/tpmtest.py pass Change-Id: I9339a6bc36e4d82ae875ce774e31848ae983fa1f Signed-off-by: nagendra modadugu <ngm@google.com> Reviewed-on: https://chromium-review.googlesource.com/351031 Commit-Ready: Nagendra Modadugu <ngm@google.com> Tested-by: Nagendra Modadugu <ngm@google.com> Reviewed-by: Bill Richardson <wfrichar@chromium.org>
2025-12-29 18:11:05 +00:00 · 2016-06-08 17:38:24 -07:00
parent 2698aba559
commit a8473bf87d
6 changed files with 380 additions and 5 deletions
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -16,8 +16,6 @@ static void reverse_tpm2b(TPM2B *b)
 }
 TPM2B_BYTE_VALUE(4);

-#define RSA_F4 65537
-
 static int check_key(const RSA_KEY *key)
 {
 	if (key->publicKey->size & 0x3)
@@ -364,6 +362,7 @@ enum {
 	TEST_RSA_KEYGEN = 4,
 	TEST_RSA_KEYTEST = 5,
 	TEST_BN_PRIMEGEN = 6,
+	TEST_X509_VERIFY = 7,
 };

 static const TPM2B_PUBLIC_KEY_RSA RSA_768_N = {
@@ -536,6 +535,118 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_2048_N = {
 	}
 };

+static const uint8_t RSA_2048_CERT[] = {
+	0x30, 0x82, 0x03, 0x5D, 0x30, 0x82, 0x02, 0x45,
+	0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
+	0xCB, 0x9D, 0x38, 0x47, 0x3F, 0x4F, 0x3B, 0xC6,
+	0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+	0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
+	0x45, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+	0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13,
+	0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
+	0x0A, 0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53, 0x74,
+	0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06,
+	0x03, 0x55, 0x04, 0x0A, 0x0C, 0x18, 0x49, 0x6E,
+	0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20, 0x57,
+	0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50,
+	0x74, 0x79, 0x20, 0x4C, 0x74, 0x64, 0x30, 0x1E,
+	0x17, 0x0D, 0x31, 0x36, 0x30, 0x36, 0x30, 0x38,
+	0x32, 0x33, 0x34, 0x35, 0x32, 0x33, 0x5A, 0x17,
+	0x0D, 0x31, 0x36, 0x30, 0x37, 0x30, 0x38, 0x32,
+	0x33, 0x34, 0x35, 0x32, 0x33, 0x5A, 0x30, 0x45,
+	0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+	0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30,
+	0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A,
+	0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53, 0x74, 0x61,
+	0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03,
+	0x55, 0x04, 0x0A, 0x0C, 0x18, 0x49, 0x6E, 0x74,
+	0x65, 0x72, 0x6E, 0x65, 0x74, 0x20, 0x57, 0x69,
+	0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74,
+	0x79, 0x20, 0x4C, 0x74, 0x64, 0x30, 0x82, 0x01,
+	0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+	0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00,
+	0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01,
+	0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0x9C, 0xD7,
+	0x61, 0x2E, 0x43, 0x8E, 0x15, 0xBE, 0xCD, 0x73,
+	0x9F, 0xB7, 0xF5, 0x86, 0x4B, 0xE3, 0x95, 0x90,
+	0x5C, 0x85, 0x19, 0x4C, 0x1D, 0x2E, 0x2C, 0xEF,
+	0x6E, 0x1F, 0xED, 0x75, 0x32, 0x0F, 0x0A, 0xC1,
+	0x72, 0x9F, 0x0C, 0x78, 0x50, 0xA2, 0x99, 0x82,
+	0x53, 0x90, 0xBE, 0x64, 0x23, 0x49, 0x75, 0x7B,
+	0x0C, 0xEB, 0x2D, 0x68, 0x97, 0xD6, 0xAF, 0xB1,
+	0xAA, 0x2A, 0xDE, 0x5E, 0x9B, 0xE3, 0x06, 0x0D,
+	0xF2, 0xAC, 0xD9, 0xD7, 0x1F, 0x50, 0x6E, 0xC9,
+	0x5D, 0xEB, 0xB4, 0xF0, 0xC0, 0x98, 0x23, 0x04,
+	0x30, 0x46, 0x10, 0xDC, 0xD4, 0x6B, 0x57, 0xC7,
+	0x30, 0xC3, 0x06, 0xDD, 0xAF, 0x51, 0x6E, 0x40,
+	0x41, 0xF8, 0x10, 0xDE, 0x49, 0x18, 0x52, 0xB3,
+	0x18, 0xCA, 0x49, 0x50, 0xA8, 0x3A, 0xCD, 0xB6,
+	0x94, 0x7B, 0xDB, 0xF1, 0x2D, 0x05, 0xCE, 0x57,
+	0x0B, 0xBE, 0x38, 0x48, 0xBB, 0xC9, 0xB1, 0x76,
+	0x36, 0xB8, 0xA8, 0xCC, 0xE2, 0x07, 0x5C, 0xC8,
+	0x7B, 0xCF, 0xCF, 0xF0, 0xFA, 0xA3, 0xC5, 0xD7,
+	0x3A, 0x5E, 0xB2, 0xF4, 0xBF, 0xEA, 0xC2, 0xED,
+	0x51, 0x16, 0xA2, 0x92, 0x9C, 0x36, 0xA6, 0x86,
+	0x0E, 0x24, 0xA5, 0x66, 0x15, 0xE7, 0x97, 0x22,
+	0x50, 0x04, 0xFF, 0xC9, 0x4D, 0xB0, 0xBC, 0x27,
+	0x05, 0x5E, 0x2C, 0xF7, 0xEF, 0xDC, 0x5D, 0x58,
+	0xA1, 0x3B, 0x60, 0x83, 0xB7, 0x8C, 0xB7, 0xD0,
+	0x36, 0x6D, 0x55, 0x2E, 0x05, 0x23, 0x63, 0x74,
+	0x4A, 0x97, 0x37, 0xA7, 0x78, 0x40, 0xEF, 0x3E,
+	0x66, 0xFD, 0xBA, 0x6E, 0xB3, 0x72, 0x4A, 0x21,
+	0x82, 0x1F, 0x33, 0xAD, 0x62, 0x0C, 0xF2, 0x1A,
+	0xD2, 0x6A, 0xB5, 0xA7, 0xF2, 0x51, 0x69, 0x1F,
+	0x38, 0xA5, 0x57, 0x9A, 0xC5, 0x88, 0x67, 0xE3,
+	0x11, 0xA6, 0x53, 0x4F, 0xB1, 0xE9, 0x07, 0x41,
+	0xDE, 0xE8, 0xDF, 0x93, 0xA9, 0x99, 0x02, 0x03,
+	0x01, 0x00, 0x01, 0xA3, 0x50, 0x30, 0x4E, 0x30,
+	0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
+	0x04, 0x14, 0xDF, 0xA0, 0x28, 0xD1, 0xAF, 0xB0,
+	0x55, 0xE3, 0xC1, 0xF1, 0x33, 0x28, 0xED, 0x5C,
+	0xDD, 0xC2, 0xBB, 0xBF, 0x22, 0x6E, 0x30, 0x1F,
+	0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30,
+	0x16, 0x80, 0x14, 0xDF, 0xA0, 0x28, 0xD1, 0xAF,
+	0xB0, 0x55, 0xE3, 0xC1, 0xF1, 0x33, 0x28, 0xED,
+	0x5C, 0xDD, 0xC2, 0xBB, 0xBF, 0x22, 0x6E, 0x30,
+	0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05,
+	0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D, 0x06,
+	0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+	0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01,
+	0x00, 0x42, 0x3D, 0x98, 0x0C, 0x98, 0x54, 0xD0,
+	0xD7, 0x7B, 0x04, 0x18, 0x5C, 0x8F, 0xD2, 0xC1,
+	0xE9, 0xB4, 0xDA, 0x13, 0x76, 0x25, 0xD8, 0x9E,
+	0x8D, 0x00, 0x4A, 0x03, 0x89, 0xF3, 0x15, 0xB0,
+	0x0A, 0x80, 0x78, 0x5A, 0xB2, 0xAA, 0xBC, 0xE5,
+	0x37, 0xF1, 0x4C, 0xAE, 0x34, 0x3B, 0xB1, 0x6B,
+	0xD9, 0xF5, 0x8E, 0xA1, 0xFE, 0xC5, 0xED, 0x2E,
+	0xA5, 0xD6, 0xA1, 0xDC, 0x13, 0xB7, 0x36, 0xEC,
+	0xC5, 0x98, 0x9F, 0xE8, 0xA3, 0x22, 0x66, 0x88,
+	0xF2, 0x94, 0x5D, 0x9C, 0x8C, 0x6F, 0xAB, 0x81,
+	0x05, 0x3D, 0xE0, 0x9E, 0x5B, 0x03, 0xA9, 0xCA,
+	0x54, 0x8F, 0xDC, 0xE2, 0xD6, 0x0E, 0xDA, 0x15,
+	0x96, 0xAF, 0x47, 0xA1, 0x99, 0xA8, 0x37, 0xD6,
+	0xED, 0xBE, 0x3F, 0x4A, 0x4A, 0x9A, 0xC0, 0x05,
+	0x77, 0x6F, 0x1E, 0x62, 0xCB, 0x11, 0x74, 0xDF,
+	0x6D, 0xB7, 0xFF, 0x42, 0x77, 0xB3, 0x29, 0x6C,
+	0x38, 0x6F, 0xBA, 0xE5, 0x5F, 0xB7, 0x23, 0x2F,
+	0x53, 0x19, 0xC0, 0x49, 0x09, 0x18, 0x50, 0x9D,
+	0x0F, 0xFE, 0x6C, 0xA4, 0xBD, 0x35, 0x2A, 0xDD,
+	0xCF, 0xF8, 0xB6, 0x42, 0x06, 0xE1, 0x53, 0xCA,
+	0xC3, 0xF6, 0xA6, 0x70, 0x82, 0x3C, 0x3B, 0x1F,
+	0x19, 0x93, 0xBE, 0xC5, 0xB8, 0x11, 0x28, 0xEC,
+	0x66, 0xB6, 0xA5, 0x3A, 0x35, 0x82, 0x17, 0x1A,
+	0x3C, 0x4E, 0x3E, 0x25, 0xFE, 0x4C, 0xA3, 0x1F,
+	0xCA, 0xFB, 0xE6, 0xF8, 0x3B, 0x61, 0xE2, 0x33,
+	0x5C, 0x89, 0x66, 0x0F, 0xFB, 0x99, 0xFE, 0xFD,
+	0xDB, 0xC2, 0xB7, 0xA8, 0xCF, 0x45, 0xC9, 0xF1,
+	0x67, 0xB8, 0xA8, 0x97, 0xF4, 0xA5, 0x90, 0xA1,
+	0x99, 0xAA, 0xA6, 0xFF, 0x47, 0x38, 0x13, 0x82,
+	0xE4, 0x81, 0x84, 0x36, 0xC3, 0x8C, 0xE5, 0xDD,
+	0x7A, 0x70, 0xF8, 0x70, 0x27, 0xFB, 0xCD, 0xC2,
+	0xA0, 0xA9, 0xC5, 0x61, 0xA4, 0x3C, 0x9D, 0x1B,
+	0x57
+};
+
 static const TPM2B_PUBLIC_KEY_RSA RSA_2048_D = {
 	.t  = {256, {
 			0x4e, 0x9d, 0x02, 0x1f, 0xdf, 0x4a, 0x8b, 0x89,
@@ -827,6 +938,35 @@ static void rsa_command_handler(void *cmd_body,
 		} else {
 			*response_size = 0;
 		}
+		return;
+	case TEST_X509_VERIFY:
+	{
+		int result;
+		struct RSA rsa;
+
+		if (key.publicKey != &N.b) {
+			*response_size = 0;
+			return;
+		}
+
+		reverse_tpm2b(key.publicKey);
+		rsa.e = key.exponent;
+		rsa.N.dmax = key.publicKey->size / sizeof(uint32_t);
+		rsa.N.d = (struct access_helper *) &key.publicKey->buffer;
+		rsa.d.dmax = 0;
+		rsa.d.d = NULL;
+
+		result = DCRYPTO_x509_verify(RSA_2048_CERT,
+					sizeof(RSA_2048_CERT), &rsa);
+		reverse_tpm2b(key.publicKey);
+
+		if (!result) {
+			*response_size = 0;
+			return;
+		}
+		*out = 0x01;
+		*response_size = 1;
+	}
 	}
 }

--- a/chip/g/build.mk
+++ b/chip/g/build.mk
@@ -46,6 +46,7 @@ chip-$(CONFIG_DCRYPTO)+= dcrypto/p256_ecies.o
 chip-$(CONFIG_DCRYPTO)+= dcrypto/rsa.o
 chip-$(CONFIG_DCRYPTO)+= dcrypto/sha1.o
 chip-$(CONFIG_DCRYPTO)+= dcrypto/sha256.o
+chip-$(CONFIG_DCRYPTO)+= dcrypto/x509.o

 chip-$(CONFIG_SPI_MASTER)+=spi_master.o

--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -82,6 +82,7 @@ void DCRYPTO_bn_wrap(struct BIGNUM *b, void *buf, size_t len);
 /* Largest supported key size, 2048-bits. */
 #define RSA_MAX_BYTES   256
 #define RSA_MAX_WORDS   (RSA_MAX_BYTES / sizeof(uint32_t))
+#define RSA_F4          65537

 struct RSA {
 	uint32_t e;
@@ -116,7 +117,7 @@ int DCRYPTO_rsa_sign(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 		enum padding_mode padding, enum hashing_mode hashing);

 /* Calculate r = m ^ e mod N */
-int DCRYPTO_rsa_verify(struct RSA *rsa, const uint8_t *digest,
+int DCRYPTO_rsa_verify(const struct RSA *rsa, const uint8_t *digest,
 		uint32_t digest_len, const uint8_t *sig,
 		const uint32_t sig_len,	enum padding_mode padding,
 		enum hashing_mode hashing);
@@ -168,4 +169,10 @@ void DCRYPTO_bn_wrap(struct BIGNUM *b, void *buf, size_t len);
 void DCRYPTO_bn_mul(struct BIGNUM *c, const struct BIGNUM *a,
 		const struct BIGNUM *b);

+/*
+ *  X509.
+ */
+int DCRYPTO_x509_verify(const uint8_t *cert, size_t len,
+			const struct RSA *ca_pub_key);
+
 #endif  /* ! __EC_CHIP_G_DCRYPTO_DCRYPTO_H */
--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
@@ -574,7 +574,7 @@ int DCRYPTO_rsa_sign(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 	return 1;
 }

-int DCRYPTO_rsa_verify(struct RSA *rsa, const uint8_t *digest,
+int DCRYPTO_rsa_verify(const struct RSA *rsa, const uint8_t *digest,
 		uint32_t digest_len, const uint8_t *sig,
 		const uint32_t sig_len,	enum padding_mode padding,
 		enum hashing_mode hashing)
--- a/chip/g/dcrypto/x509.c
+++ b/chip/g/dcrypto/x509.c
@@ -0,0 +1,203 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "dcrypto.h"
+
+#include <stdint.h>
+
+/* Limit the size of long form encoded objects to < 64 kB. */
+#define MAX_ASN1_OBJ_LEN_BYTES 3
+
+/* Tag related constants. */
+#define V_ASN1_CONSTRUCTED 0x20
+#define V_ASN1_SEQUENCE    0x10
+#define V_ASN1_BIT_STRING  0x03
+
+/* The SHA256 OID, from https://tools.ietf.org/html/rfc5754#section-3.2
+ * Only the object bytes below, the DER encoding header ([0x30 0x0d])
+ * is verified by the parser. */
+static const uint8_t OID_SHA256_WITH_RSA_ENCRYPTION[13] = {
+	0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+	0x01, 0x01, 0x0b, 0x05, 0x00
+};
+
+
+/*
+ * An ASN.1 DER (Definite Encoding Rules) parser.
+ * Details about the format are available here:
+ *     https://en.wikipedia.org/wiki/X.690#Definite_form
+ */
+static size_t asn1_parse(const uint8_t **p, size_t available,
+			uint8_t expected_type, const uint8_t **out,
+			size_t *out_len, size_t *remaining)
+{
+	const size_t tag_len = 1;
+	const uint8_t *in = *p;
+	size_t obj_len = 0;
+	size_t obj_len_bytes;
+	size_t consumed;
+
+	if (available < 2)
+		return 0;
+	if (in[0] != expected_type)  /* in[0] specifies the tag. */
+		return 0;
+
+	if ((in[1] & 128) == 0) {
+		/* Short-length encoding (i.e. obj_len <= 127). */
+		obj_len = in[1];
+		obj_len_bytes = 1;
+	} else {
+		int i;
+
+		obj_len_bytes = 1 + (in[1] & 127);
+		if (obj_len_bytes > MAX_ASN1_OBJ_LEN_BYTES ||
+			tag_len + obj_len_bytes > available)
+			return 0;
+
+		if (in[2] == 0)
+			/* Definite form encoding requires minimal
+			 * length encoding. */
+			return 0;
+		for (i = 0; i < obj_len_bytes - 1; i++) {
+			obj_len <<= 8;
+			obj_len |= in[tag_len + 1 + i];
+		}
+	}
+
+	consumed = tag_len + obj_len_bytes + obj_len;
+	if (consumed > available)
+		return 0;    /* Invalid object length.*/
+	if (out)
+		*out = &in[tag_len + obj_len_bytes];
+	if (out_len)
+		*out_len = obj_len;
+
+	*p = in + consumed;
+	if (remaining)
+		*remaining = available - consumed;
+	return consumed;
+}
+
+static size_t asn1_parse_certificate(const uint8_t **p, size_t *available)
+{
+	size_t consumed;
+	size_t obj_len;
+	const uint8_t *in = *p;
+
+	consumed = asn1_parse(&in, *available,
+			V_ASN1_CONSTRUCTED | V_ASN1_SEQUENCE,
+			NULL, &obj_len, NULL);
+	if (consumed == 0 || consumed != *available)  /* Invalid SEQUENCE. */
+		return 0;
+	*p += consumed - obj_len;
+	*available -= consumed - obj_len;
+	return 1;
+}
+
+static size_t asn1_parse_tbs(const uint8_t **p, size_t *available,
+			size_t *tbs_len)
+{
+	size_t consumed;
+
+	consumed = asn1_parse(p, *available,
+			V_ASN1_CONSTRUCTED | V_ASN1_SEQUENCE,
+			NULL, NULL, available);
+	if (consumed == 0)
+		return 0;
+	*tbs_len = consumed;
+	return 1;
+}
+
+static size_t asn1_parse_signature_algorithm(const uint8_t **p,
+					size_t *available)
+{
+	const uint8_t *alg_oid;
+	size_t alg_oid_len;
+
+	if (!asn1_parse(p, *available, V_ASN1_CONSTRUCTED | V_ASN1_SEQUENCE,
+				&alg_oid, &alg_oid_len, available))
+		return 0;
+	if (alg_oid_len != sizeof(OID_SHA256_WITH_RSA_ENCRYPTION))
+		return 0;
+	if (memcmp(alg_oid, OID_SHA256_WITH_RSA_ENCRYPTION,
+			sizeof(OID_SHA256_WITH_RSA_ENCRYPTION)) != 0)
+		return 0;
+	return 1;
+}
+
+static size_t asn1_parse_signature_value(const uint8_t **p, size_t *available,
+					const uint8_t **sig, size_t *sig_len)
+{
+	if (!asn1_parse(p, *available, V_ASN1_BIT_STRING,
+				sig, sig_len, available))
+		return 0;
+	if (*available != 0)
+		return 0;     /* Not all input bytes consumed. */
+	return 1;
+}
+
+/* This method verifies that the provided X509 certificate was issued
+ * by the specified certifcate authority.
+ *
+ * cert is a pointer to a DER encoded X509 certificate, as specified
+ * in https://tools.ietf.org/html/rfc5280#section-4.1.  In ASN.1
+ * notation, the certificate has the following structure:
+ *
+ *   Certificate  ::=  SEQUENCE  {
+ *        tbsCertificate       TBSCertificate,
+ *        signatureAlgorithm   AlgorithmIdentifier,
+ *        signatureValue       BIT STRING  }
+ *
+ *   TBSCertificate  ::=  SEQUENCE  { }
+ *   AlgorithmIdentifier  ::=  SEQUENCE  { }
+ *
+ * where signatureValue = SIGN(HASH(tbsCertificate)), with SIGN and
+ * HASH specified by signatureAlgorithm.
+ */
+int DCRYPTO_x509_verify(const uint8_t *cert, size_t len,
+			const struct RSA *ca_pub_key)
+{
+	const uint8_t *p = cert;
+	const uint8_t *tbs;
+	size_t tbs_len;
+	const uint8_t *sig;
+	size_t sig_len;
+
+	uint8_t digest[SHA256_DIGEST_SIZE];
+
+	/* Read Certificate SEQUENCE. */
+	if (!asn1_parse_certificate(&p, &len))
+		return 0;
+
+	/* Read tbsCertificate SEQUENCE. */
+	tbs = p;
+	if (!asn1_parse_tbs(&p, &len, &tbs_len))
+		return 0;
+
+	/* Read signatureAlgorithm SEQUENCE. */
+	if (!asn1_parse_signature_algorithm(&p, &len))
+		return 0;
+
+	/* Read signatureValue BIT STRING. */
+	if (!asn1_parse_signature_value(&p, &len, &sig, &sig_len))
+		return 0;
+
+	/* Check that the signature length corresponds to the issuer's
+	 * public key size. */
+	if (sig_len != bn_size(&ca_pub_key->N) &&
+		sig_len != bn_size(&ca_pub_key->N) + 1)
+		return 0;
+	/* Check that leading signature bytes (if any) are zero. */
+	if (sig_len == bn_size(&ca_pub_key->N) + 1) {
+		if (sig[0] != 0)
+			return 0;
+		sig++;
+		sig_len--;
+	}
+
+	DCRYPTO_SHA256_hash(tbs, tbs_len, digest);
+	return DCRYPTO_rsa_verify(ca_pub_key, digest, sizeof(digest),
+				sig, sig_len, PADDING_MODE_PKCS1, HASH_SHA256);
+}
--- a/test/tpm_test/rsa_test.py
+++ b/test/tpm_test/rsa_test.py
@@ -21,7 +21,8 @@ _RSA_OPCODES = {
  'VERIFY': 0x03,
  'KEYGEN': 0x04,
  'KEYTEST': 0x05,
-  'PRIMEGEN': 0x06
+  'PRIMEGEN': 0x06,
+  'X509_VERIFY': 0x07
 }


@@ -135,6 +136,16 @@ def _primegen_cmd(seed):
                                ml=struct.pack('>H', len(seed)), msg=seed,
                                dl=struct.pack('>H', 0), dig='')

+def _x509_verify_cmd(key_len):
+  op = _RSA_OPCODES['X509_VERIFY']
+  padding = _RSA_PADDING['NONE']
+  hashing = _HASH['NONE']
+  return _RSA_CMD_FORMAT.format(o=op, p=padding, h=hashing,
+                                kl=struct.pack('>H', key_len),
+                                ml=struct.pack('>H', 0), msg='',
+                                dl=struct.pack('>H', 0), dig='')
+
+
 _PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
           59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
           137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
@@ -723,9 +734,22 @@ def _primegen_tests(tpm):
    print('%sSUCCESS: %s' % (utils.cursor_back(), test_name))


+def _x509_verify_tests(tpm):
+  test_name = 'RSA-X509-2048-VERIFY'
+  cmd = _x509_verify_cmd(2048)
+  wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
+  valid = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response)
+  expected = '\x01'
+  if valid != expected:
+    raise subcmd.TpmTestError('%s error:%s%s' % (
+      test_name, utils.hex_dump(valid), utils.hex_dump(expected)))
+  print('%sSUCCESS: %s' % (utils.cursor_back(), test_name))
+
+
 def rsa_test(tpm):
  _encrypt_tests(tpm)
  _sign_tests(tpm)
  _keytest_tests(tpm)
  _keygen_tests(tpm)
  _primegen_tests(tpm)
+  _x509_verify_tests(tpm)