Arm Mbed OS support forum

authenticating a public signature using mbedtls using esp32

New to embedded programming.
I am trying to replicate this authentication function using mbedtls which is called npnt_check_authenticity where authentication of an artifact takes place using a signature value. Using esp32 to perform this operation.

The function has been written in mind using two libraries

  1. wolfssl
  2. openssl

But both make use of openssl as can be seen here

#include <wolfssl/openssl/bio.h>
#include <wolfssl/openssl/err.h>
#include <wolfssl/openssl/ec.h>
#include <wolfssl/openssl/pem.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ec.h>
#include <openssl/pem.h>

according to Mbed Tls

Mbed TLS is a direct replacement for OpenSSL when you look at the
standards. If you look at our Features you will see similar items as
on the OpenSSL feature list. The major difference is the way we make
the code

My understanding of both wolfssl & openssl, they performing same operation

wolfssl code

wc_PemToDer - Convert PemToDer
wc_InitRsaKey - Initialize RSA key
wc_RsaPublicKeyDecode - Rsa PublicKey Decode
wc_RsaSSL_VerifyInline - Verify the signature by decrypting the value
Check the decrypted result matches the encoded digest

openssl code

PEM_read_PUBKEY - Read public key
EVP_PKEY_CTX_new - Pointer to public key
EVP_PKEY_verify_init - Initialize public key verify
EVP_PKEY_CTX_set_rsa_padding - set rsa padding
EVP_PKEY_CTX_set_signature_md - set signature_md
EVP_PKEY_verify - Verify signature,signature length with public key, raw data and raw data length

I found a mbedtls/programs/pkey/rsa_verify.c code,I don’t exactly know how to used these parameters npnt_s *handle, uint8_t* raw_data, uint16_t raw_data_len, uint8_t* signature, uint16_t signature_len

I have altered the example of rsa_verfiy.c, please check and guide for proper implementation

   #include "mbedtls/build_info.h"

#include "mbedtls/platform.h"
#include <stdio.h>
#include <stdlib.h>
#define mbedtls_printf          printf
#define mbedtls_snprintf        snprintf
#define mbedtls_exit            exit

#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) ||  \
    !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
int main( void )
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
            "MBEDTLS_MD_C and/or "
            "MBEDTLS_SHA256_C and/or MBEDTLS_FS_IO not defined.\n");
    mbedtls_exit( 0 );

#include "mbedtls/rsa.h"
#include "mbedtls/md.h"

#include <stdio.h>
#include <string.h>

mbedtls_rsa_context rsa;
mbedtls_rsa_init( &rsa );
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

// variables: uint8_t* raw_data, uint16_t raw_data_len,
// uint8_t* signature, uint16_t signature_len

 * Compute the SHA-256 hash of the input and
 * verify the signature

////[int mbedtls_md](
//This function calculates the message-digest of a buffer, with respect 
//to a configurable message-digest algorithm in a single call
//(     const mbedtls_md_info_t *   md_info,
//        const unsigned char *   input,
//        size_t      ilen,
//        unsigned char *     output 
//    )
//md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 )
//input = raw_data
//ilen = raw_data_len
//output = hash

if( ( ret = mbedtls_md(
                mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ),
                raw_data,raw_data_len, hash ) ) != 0 )
    mbedtls_printf( " failed\n  ! Could not read Signature\n\n",);
    goto exit;
//[int mbedtls_rsa_pkcs1_verify](
//int mbedtls_rsa_pkcs1_verify  (   mbedtls_rsa_context *   ctx,
        int     mode,
        mbedtls_md_type_t   md_alg,
        unsigned int    hashlen,
        const unsigned char *   hash,
        const unsigned char *   sig 
//mbedtls_md_type_t = MBEDTLS_MD_SHA256
//hashlen = 32
//hash = hash
//sig = buf
//Generic wrapper to perform a PKCS#1 verification using the mode from the context. 

if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256,
                                      (int) sizeof( hash ), hash, 256 ) ) != 0 )
    mbedtls_printf( " failed\n  ! mbedtls_rsa_pkcs1_verify returned -0x%0x\n\n", (unsigned int) -ret );
    goto exit;

mbedtls_printf( "\n  . OK (the signature is valid)\n\n" );