From 27e4bc5eeb32b492f7212ba72a94f7098653fd2f Mon Sep 17 00:00:00 2001
From: Zale Young <zale@meta.com>
Date: Mon, 27 Jan 2025 17:45:34 -0800
Subject: [PATCH] move prepareSignData out of the openssl backend

Summary: this is a generic function that other backends will use. Moving it to protocol/Certificate.h

Reviewed By: mingtaoy

Differential Revision: D64883829

fbshipit-source-id: ef2f5a0df3ba6aaf755a1a1052c938c3eb325737
---
 .../openssl/certificate/CertUtils-inl.h       | 10 ++--
 .../backend/openssl/certificate/CertUtils.cpp | 50 -----------------
 fizz/backend/openssl/certificate/CertUtils.h  |  8 ---
 .../certificate/OpenSSLSelfCertImpl-inl.h     | 10 ++--
 .../javacrypto/JavaCryptoPeerCert.cpp         |  4 +-
 fizz/protocol/Certificate.cpp                 | 53 +++++++++++++++++++
 fizz/protocol/Certificate.h                   | 12 +++++
 fizz/protocol/test/CertTest.cpp               |  2 +-
 8 files changed, 78 insertions(+), 71 deletions(-)

diff --git a/fizz/backend/openssl/certificate/CertUtils-inl.h b/fizz/backend/openssl/certificate/CertUtils-inl.h
index 3ab50dce85c..67283f39598 100644
--- a/fizz/backend/openssl/certificate/CertUtils-inl.h
+++ b/fizz/backend/openssl/certificate/CertUtils-inl.h
@@ -46,7 +46,7 @@ inline void CertUtils::verify<KeyType::P256>(
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned,
     folly::ByteRange signature) {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ecdsa_secp256r1_sha256:
       return certSignature.verify<SignatureScheme::ecdsa_secp256r1_sha256>(
@@ -63,7 +63,7 @@ inline void CertUtils::verify<KeyType::P384>(
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned,
     folly::ByteRange signature) {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ecdsa_secp384r1_sha384:
       return certSignature.verify<SignatureScheme::ecdsa_secp384r1_sha384>(
@@ -80,7 +80,7 @@ inline void CertUtils::verify<KeyType::P521>(
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned,
     folly::ByteRange signature) {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ecdsa_secp521r1_sha512:
       return certSignature.verify<SignatureScheme::ecdsa_secp521r1_sha512>(
@@ -97,7 +97,7 @@ inline void CertUtils::verify<KeyType::ED25519>(
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned,
     folly::ByteRange signature) {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ed25519:
       return certSignature.verify<SignatureScheme::ed25519>(
@@ -114,7 +114,7 @@ inline void CertUtils::verify<KeyType::RSA>(
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned,
     folly::ByteRange signature) {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::rsa_pss_sha256:
       return certSignature.verify<SignatureScheme::rsa_pss_sha256>(
diff --git a/fizz/backend/openssl/certificate/CertUtils.cpp b/fizz/backend/openssl/certificate/CertUtils.cpp
index 25354d496a3..cc9b18457be 100644
--- a/fizz/backend/openssl/certificate/CertUtils.cpp
+++ b/fizz/backend/openssl/certificate/CertUtils.cpp
@@ -38,56 +38,6 @@ folly::Optional<std::string> getIdentityFromX509(X509* x) {
 }
 } // namespace detail
 
-Buf CertUtils::prepareSignData(
-    CertificateVerifyContext context,
-    folly::ByteRange toBeSigned) {
-  static constexpr folly::StringPiece kServerLabel =
-      "TLS 1.3, server CertificateVerify";
-  static constexpr folly::StringPiece kClientLabel =
-      "TLS 1.3, client CertificateVerify";
-  static constexpr folly::StringPiece kAuthLabel = "Exported Authenticator";
-  static constexpr folly::StringPiece kServerDelegatedCredLabel =
-      "TLS, server delegated credentials";
-  static constexpr folly::StringPiece kClientDelegatedCredLabel =
-      "TLS, client delegated credentials";
-  static constexpr size_t kSigPrefixLen = 64;
-  static constexpr uint8_t kSigPrefix = 32;
-
-  folly::StringPiece label;
-  switch (context) {
-    case CertificateVerifyContext::Server:
-      label = kServerLabel;
-      break;
-    case CertificateVerifyContext::Client:
-      label = kClientLabel;
-      break;
-    case CertificateVerifyContext::Authenticator:
-      label = kAuthLabel;
-      break;
-    case CertificateVerifyContext::ClientDelegatedCredential:
-      label = kClientDelegatedCredLabel;
-      break;
-    case CertificateVerifyContext::ServerDelegatedCredential:
-      label = kServerDelegatedCredLabel;
-      break;
-  }
-
-  size_t sigDataLen = kSigPrefixLen + label.size() + 1 + toBeSigned.size();
-  auto buf = folly::IOBuf::create(sigDataLen);
-  buf->append(sigDataLen);
-
-  // Place bytes in the right order.
-  size_t offset = 0;
-  memset(buf->writableData(), kSigPrefix, kSigPrefixLen);
-  offset += kSigPrefixLen;
-  memcpy(buf->writableData() + offset, label.data(), label.size());
-  offset += label.size();
-  memset(buf->writableData() + offset, 0, 1);
-  offset += 1;
-  memcpy(buf->writableData() + offset, toBeSigned.data(), toBeSigned.size());
-  return buf;
-}
-
 CertificateMsg CertUtils::getCertMessage(
     const std::vector<folly::ssl::X509UniquePtr>& certs,
     Buf certificateRequestContext) {
diff --git a/fizz/backend/openssl/certificate/CertUtils.h b/fizz/backend/openssl/certificate/CertUtils.h
index 2f5f6225ec2..9458636aba7 100644
--- a/fizz/backend/openssl/certificate/CertUtils.h
+++ b/fizz/backend/openssl/certificate/CertUtils.h
@@ -24,14 +24,6 @@ namespace openssl {
 
 class CertUtils {
  public:
-  /**
-   * Adds the appropriate context data to prepare toBeSigned for a signature
-   * scheme's signing function.
-   */
-  static Buf prepareSignData(
-      CertificateVerifyContext context,
-      folly::ByteRange toBeSigned);
-
   static CertificateMsg getCertMessage(
       const std::vector<folly::ssl::X509UniquePtr>& certs,
       Buf certificateRequestContext);
diff --git a/fizz/backend/openssl/certificate/OpenSSLSelfCertImpl-inl.h b/fizz/backend/openssl/certificate/OpenSSLSelfCertImpl-inl.h
index fb61214e46f..521257eb054 100644
--- a/fizz/backend/openssl/certificate/OpenSSLSelfCertImpl-inl.h
+++ b/fizz/backend/openssl/certificate/OpenSSLSelfCertImpl-inl.h
@@ -79,7 +79,7 @@ inline Buf OpenSSLSelfCertImpl<KeyType::P256>::sign(
     SignatureScheme scheme,
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned) const {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ecdsa_secp256r1_sha256:
       return signature_.sign<SignatureScheme::ecdsa_secp256r1_sha256>(
@@ -94,7 +94,7 @@ inline Buf OpenSSLSelfCertImpl<KeyType::P384>::sign(
     SignatureScheme scheme,
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned) const {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ecdsa_secp384r1_sha384:
       return signature_.sign<SignatureScheme::ecdsa_secp384r1_sha384>(
@@ -109,7 +109,7 @@ inline Buf OpenSSLSelfCertImpl<KeyType::P521>::sign(
     SignatureScheme scheme,
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned) const {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ecdsa_secp521r1_sha512:
       return signature_.sign<SignatureScheme::ecdsa_secp521r1_sha512>(
@@ -124,7 +124,7 @@ inline Buf OpenSSLSelfCertImpl<KeyType::ED25519>::sign(
     SignatureScheme scheme,
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned) const {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::ed25519:
       return signature_.sign<SignatureScheme::ed25519>(signData->coalesce());
@@ -138,7 +138,7 @@ inline Buf OpenSSLSelfCertImpl<KeyType::RSA>::sign(
     SignatureScheme scheme,
     CertificateVerifyContext context,
     folly::ByteRange toBeSigned) const {
-  auto signData = CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   switch (scheme) {
     case SignatureScheme::rsa_pss_sha256:
       return signature_.sign<SignatureScheme::rsa_pss_sha256>(
diff --git a/fizz/extensions/javacrypto/JavaCryptoPeerCert.cpp b/fizz/extensions/javacrypto/JavaCryptoPeerCert.cpp
index 734e91bd8bb..ed0e0d327f6 100644
--- a/fizz/extensions/javacrypto/JavaCryptoPeerCert.cpp
+++ b/fizz/extensions/javacrypto/JavaCryptoPeerCert.cpp
@@ -6,9 +6,9 @@
  *  LICENSE file in the root directory of this source tree.
  */
 
-#include <fizz/backend/openssl/certificate/CertUtils.h>
 #include <fizz/extensions/javacrypto/JavaCryptoPeerCert.h>
 #include <fizz/extensions/javacrypto/JniUtils.h>
+#include <fizz/protocol/Certificate.h>
 
 namespace fizz {
 
@@ -71,7 +71,7 @@ void JavaCryptoPeerCert::verify(
       throw std::runtime_error("Unsupported signature scheme");
   }
   auto jAlgorithm = env->NewStringUTF(algorithm.c_str());
-  auto signData = openssl::CertUtils::prepareSignData(context, toBeSigned);
+  auto signData = fizz::certverify::prepareSignData(context, toBeSigned);
   auto jSignData = jni::createByteArray(env, std::move(signData));
   auto jSignature = jni::createByteArray(env, signature);
 
diff --git a/fizz/protocol/Certificate.cpp b/fizz/protocol/Certificate.cpp
index 04db56fe258..0728378474b 100644
--- a/fizz/protocol/Certificate.cpp
+++ b/fizz/protocol/Certificate.cpp
@@ -19,4 +19,57 @@ std::string IdentityCert::getIdentity() const {
 std::optional<std::string> IdentityCert::getDER() const {
   return std::nullopt;
 }
+
+namespace certverify {
+
+Buf prepareSignData(
+    CertificateVerifyContext context,
+    folly::ByteRange toBeSigned) {
+  static constexpr folly::StringPiece kServerLabel =
+      "TLS 1.3, server CertificateVerify";
+  static constexpr folly::StringPiece kClientLabel =
+      "TLS 1.3, client CertificateVerify";
+  static constexpr folly::StringPiece kAuthLabel = "Exported Authenticator";
+  static constexpr folly::StringPiece kServerDelegatedCredLabel =
+      "TLS, server delegated credentials";
+  static constexpr folly::StringPiece kClientDelegatedCredLabel =
+      "TLS, client delegated credentials";
+  static constexpr size_t kSigPrefixLen = 64;
+  static constexpr uint8_t kSigPrefix = 32;
+
+  folly::StringPiece label;
+  switch (context) {
+    case CertificateVerifyContext::Server:
+      label = kServerLabel;
+      break;
+    case CertificateVerifyContext::Client:
+      label = kClientLabel;
+      break;
+    case CertificateVerifyContext::Authenticator:
+      label = kAuthLabel;
+      break;
+    case CertificateVerifyContext::ClientDelegatedCredential:
+      label = kClientDelegatedCredLabel;
+      break;
+    case CertificateVerifyContext::ServerDelegatedCredential:
+      label = kServerDelegatedCredLabel;
+      break;
+  }
+
+  size_t sigDataLen = kSigPrefixLen + label.size() + 1 + toBeSigned.size();
+  auto buf = folly::IOBuf::create(sigDataLen);
+  buf->append(sigDataLen);
+
+  // Place bytes in the right order.
+  size_t offset = 0;
+  memset(buf->writableData(), kSigPrefix, kSigPrefixLen);
+  offset += kSigPrefixLen;
+  memcpy(buf->writableData() + offset, label.data(), label.size());
+  offset += label.size();
+  memset(buf->writableData() + offset, 0, 1);
+  offset += 1;
+  memcpy(buf->writableData() + offset, toBeSigned.data(), toBeSigned.size());
+  return buf;
+}
+} // namespace certverify
 } // namespace fizz
diff --git a/fizz/protocol/Certificate.h b/fizz/protocol/Certificate.h
index 0d663b5b1e2..f0b3085564d 100644
--- a/fizz/protocol/Certificate.h
+++ b/fizz/protocol/Certificate.h
@@ -49,6 +49,18 @@ enum class CertificateVerifyContext {
   ServerDelegatedCredential
 };
 
+namespace certverify {
+
+/**
+ * Adds the appropriate context data to prepare toBeSigned for a signature
+ * scheme's signing function.
+ */
+Buf prepareSignData(
+    CertificateVerifyContext context,
+    folly::ByteRange toBeSigned);
+
+} // namespace certverify
+
 class IdentityCert : public IdentityCertBase {
  public:
   explicit IdentityCert(std::string identity);
diff --git a/fizz/protocol/test/CertTest.cpp b/fizz/protocol/test/CertTest.cpp
index e587e6c8e29..bc8054d4ec8 100644
--- a/fizz/protocol/test/CertTest.cpp
+++ b/fizz/protocol/test/CertTest.cpp
@@ -87,7 +87,7 @@ TEST(CertTest, GetCertMessage) {
 TEST(CertTest, PrepareSignData) {
   std::array<uint8_t, 32> toBeSigned;
   memset(toBeSigned.data(), 1, toBeSigned.size());
-  auto out = openssl::CertUtils::prepareSignData(
+  auto out = fizz::certverify::prepareSignData(
       CertificateVerifyContext::Server, folly::range(toBeSigned));
   auto hex = hexlify(out->moveToFbString());
   std::string expected =