Verify Safe DDS signature

This is an squashed commit of a privately reviewed branch.

Signed-off-by: Miguel Company <miguelcompany@eprosima.com>
Reviewed-by: danipiza <dpizarrogallego@gmail.com>

Author: MiguelCompany

include/fastdds/dds/core/policy/ParameterTypes.hpp

@@ -187,7 +187,10 @@ enum ParameterId_t : uint16_t
     /* Participant specific */
     PID_WIREPROTOCOL_CONFIG                 = 0x8300,
     /* RPC specific */
-    PID_RPC_MORE_REPLIES                    = 0x8400
+    PID_RPC_MORE_REPLIES                    = 0x8400,
+
+    /* eProsima Safe DDS extensions */
+    PID_SAFE_DDS_SIGNATURE                  = 0x9000,
 };
 
 /*!

include/fastdds/rtps/common/VendorId_t.hpp

@@ -33,6 +33,7 @@ using VendorId_t = std::array<uint8_t, 2>;
 
 const VendorId_t c_VendorId_Unknown = {0x00, 0x00};
 const VendorId_t c_VendorId_eProsima = {0x01, 0x0F};
+const VendorId_t c_VendorId_SafeDDS = {0x01, 0x15};
 const VendorId_t c_VendorId_rti_connext = {0x01, 0x01};
 const VendorId_t c_VendorId_opendds = {0x01, 0x03};
 

src/cpp/rtps/builtin/data/ParticipantProxyData.cpp

@@ -39,6 +39,8 @@
 #include <utils/SystemInfo.hpp>
 #include <utils/TimeConversion.hpp>
 
+#include <utils/license/LicenseTools.hpp>
+
 #include "ProxyDataFilters.hpp"
 #include "ProxyHashTables.hpp"
 
@@ -50,6 +52,20 @@ namespace rtps {
 
 using ::operator <<;
 
+static bool validate_safedds_signature(
+        const octet* const buffer,
+        uint16_t length)
+{
+    if (length != 0x50)
+    {
+        return false;
+    }
+
+    const octet* const data = buffer;
+    const octet* const signature = buffer + 0x10;
+    return verify_safedds_signature(data, 0x10, signature, 0x40);
+}
+
 ParticipantProxyData::ParticipantProxyData(
         const RTPSParticipantAllocationAttributes& allocation)
     : ParticipantBuiltinTopicData(
@@ -482,8 +498,11 @@ bool ParticipantProxyData::read_from_cdr_message(
         bool should_filter_locators,
         fastdds::rtps::VendorId_t source_vendor_id)
 {
+    bool shall_validate_safedds_signature = source_vendor_id == c_VendorId_SafeDDS;
+    bool safedds_signature_valid = false;
+
     auto param_process =
-            [this, &network, &should_filter_locators, source_vendor_id](
+            [this, &network, &should_filter_locators, source_vendor_id, &safedds_signature_valid](
         CDRMessage_t* msg, const ParameterId_t& pid, uint16_t plength)
             {
                 vendor_id = source_vendor_id;
@@ -897,6 +916,21 @@ bool ParticipantProxyData::read_from_cdr_message(
                         }
                         break;
                     }
+                    case fastdds::dds::PID_SAFE_DDS_SIGNATURE:
+                    {
+                        if (source_vendor_id == c_VendorId_SafeDDS)
+                        {
+                            // Validate length
+                            if (msg->length - msg->pos < plength)
+                            {
+                                return false;
+                            }
+
+                            safedds_signature_valid = validate_safedds_signature(&msg->buffer[msg->pos], plength);
+                            msg->pos += plength;
+                        }
+                        break;
+                    }
                     default:
                     {
                         break;
@@ -910,15 +944,17 @@ bool ParticipantProxyData::read_from_cdr_message(
     clear();
     try
     {
-        return ParameterList::readParameterListfromCDRMsg(
-            *msg, param_process, use_encapsulation,
-            qos_size);
+        if (ParameterList::readParameterListfromCDRMsg(*msg, param_process, use_encapsulation, qos_size))
+        {
+            return !shall_validate_safedds_signature || safedds_signature_valid;
+        }
     }
     catch (std::bad_alloc& ba)
     {
         std::cerr << "bad_alloc caught: " << ba.what() << '\n';
-        return false;
     }
+
+    return false;
 }
 
 bool ParticipantProxyData::is_from_this_host() const

src/cpp/utils/license/LicenseTools.hpp

@@ -0,0 +1,113 @@
+// Copyright 2025 Proyectos y Sistemas de Mantenimiento SL (eProsima).
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * @file LicenseTools.hpp
+ */
+
+#ifndef UTILS_LICENSE__LICENSETOOLS_HPP_
+#define UTILS_LICENSE__LICENSETOOLS_HPP_
+
+#if HAVE_SECURITY
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+#endif  // HAVE_SECURITY
+
+#include <fastdds/rtps/common/Types.hpp>
+
+namespace eprosima {
+
+using fastdds::rtps::octet;
+
+/**
+ * @brief Verify signature of data using eProsima's licensing public key.
+ *
+ * @param data Pointer to the data to verify.
+ * @param data_length Length of the data to verify.
+ * @param signature Pointer to the signature.
+ * @param signature_length Length of the signature.
+ *
+ * @return true if the signature is valid, false otherwise.
+ */
+bool verify_safedds_signature(
+        const octet* data,
+        size_t data_length,
+        const octet* signature,
+        size_t signature_length)
+{
+#if HAVE_SECURITY
+    static const unsigned char pubkey_der[] =
+    {
+        0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00, 0x4a, 0x01, 0xe9, 0xd4,
+        0x16, 0x79, 0xbd, 0x2e, 0x17, 0xeb, 0xc9, 0x68, 0x07, 0xd7, 0x65, 0x82, 0x0d, 0x56, 0x5d, 0x61,
+        0x8c, 0xab, 0x77, 0xdb, 0x55, 0xd2, 0xa1, 0x2e, 0x31, 0xaa, 0xdb, 0xaa
+    };
+
+    struct OperationCTX
+    {
+        EVP_PKEY* pkey = nullptr;
+        EVP_MD_CTX* md_ctx = nullptr;
+
+        ~OperationCTX()
+        {
+            if (md_ctx != nullptr)
+            {
+                EVP_MD_CTX_free(md_ctx);
+            }
+            if (pkey != nullptr)
+            {
+                EVP_PKEY_free(pkey);
+            }
+        }
+
+    };
+
+    OperationCTX ctx;
+
+    const unsigned char* p = pubkey_der;
+    ctx.pkey = d2i_PUBKEY(nullptr, &p, sizeof(pubkey_der));
+    if (ctx.pkey == nullptr)
+    {
+        return false;
+    }
+
+    ctx.md_ctx = EVP_MD_CTX_new();
+    if (ctx.md_ctx == nullptr)
+    {
+        return false;
+    }
+
+    if (EVP_DigestVerifyInit(ctx.md_ctx, nullptr, nullptr, nullptr, ctx.pkey) != 1)
+    {
+        return false;
+    }
+
+    int verify_result = EVP_DigestVerify(ctx.md_ctx, signature, signature_length, data, data_length);
+    return verify_result == 1;
+#else
+    static_cast<void>(data);
+    static_cast<void>(data_length);
+    static_cast<void>(signature);
+    static_cast<void>(signature_length);
+
+    return true;
+#endif  // HAVE_SECURITY
+}
+
+}  // namespace eprosima
+
+#endif  // UTILS_LICENSE__LICENSETOOLS_HPP_