12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267 |
- /* eccsi.c
- *
- * Copyright (C) 2006-2022 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- #ifdef WOLFCRYPT_HAVE_ECCSI
- #include <wolfssl/wolfcrypt/error-crypt.h>
- #include <wolfssl/wolfcrypt/eccsi.h>
- #include <wolfssl/wolfcrypt/asn_public.h>
- #ifdef WOLFSSL_HAVE_SP_ECC
- #include <wolfssl/wolfcrypt/sp.h>
- #endif
- /**
- * Initialize the components of the ECCSI key and use the specified curve.
- *
- * Must be called before performing any operations.
- * Free the ECCSI key with wc_FreeEccsiKey() when no longer needed.
- *
- * @param [in] key ECCSI key to initialize.
- * @param [in] heap Heap hint.
- * @param [in] devId Device identifier.
- * Use INVALID_DEVID when no device used.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key is NULL.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- int wc_InitEccsiKey_ex(EccsiKey* key, int keySz, int curveId, void* heap,
- int devId)
- {
- int err = 0;
- ecc_key* ecc = NULL;
- ecc_key* pubkey = NULL;
- EccsiKeyParams* params = NULL;
- if (key == NULL) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- XMEMSET(key, 0, sizeof(*key));
- key->heap = heap;
- params = &key->params;
- err = wc_ecc_init_ex(&key->ecc, heap, devId);
- }
- if (err == 0) {
- ecc = &key->ecc;
- err = wc_ecc_init_ex(&key->pubkey, heap, devId);
- }
- if (err == 0) {
- key->pvt = wc_ecc_new_point_h(heap);
- if (key->pvt == NULL) {
- err = MEMORY_E;
- }
- }
- if (err == 0) {
- pubkey = &key->pubkey;
- err = mp_init_multi(¶ms->order,
- #ifdef WOLFCRYPT_ECCSI_CLIENT
- ¶ms->a, ¶ms->b, ¶ms->prime, &key->tmp, &key->ssk
- #else
- NULL, NULL, NULL, NULL, NULL
- #endif
- );
- }
- if (err == 0) {
- err = wc_ecc_set_curve(&key->ecc, keySz, curveId);
- }
- if (err == 0) {
- err = wc_ecc_set_curve(&key->pubkey, keySz, curveId);
- }
- if (err != 0) {
- wc_ecc_free(pubkey);
- wc_ecc_free(ecc);
- }
- return err;
- }
- /**
- * Initialize the components of the ECCSI key.
- * Default curve used: NIST_P256 (ECC_SECP256R1)
- *
- * Must be called before performing any operations.
- * Free the ECCSI key with wc_FreeEccsiKey() when no longer needed.
- *
- * @param [in] key ECCSI key to initialize.
- * @param [in] heap Heap hint.
- * @param [in] devId Device identifier.
- * Use INVALID_DEVID when no device used.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key is NULL.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- int wc_InitEccsiKey(EccsiKey* key, void* heap, int devId)
- {
- return wc_InitEccsiKey_ex(key, 32, ECC_SECP256R1, heap, devId);
- }
- /**
- * Frees memory associated with components of the ECCIS key.
- *
- * Must be called when finished with the ECCIS key.
- *
- * @param [in] key ECCIS key.
- */
- void wc_FreeEccsiKey(EccsiKey* key)
- {
- if (key != NULL) {
- EccsiKeyParams* params = &key->params;
- wc_ecc_del_point_h(params->base, key->heap);
- #ifdef WOLFCRYPT_ECCSI_CLIENT
- mp_free(&key->ssk);
- mp_free(&key->tmp);
- mp_free(¶ms->prime);
- mp_free(¶ms->b);
- mp_free(¶ms->a);
- #endif
- mp_free(¶ms->order);
- wc_ecc_del_point_h(key->pvt, key->heap);
- wc_ecc_free(&key->pubkey);
- wc_ecc_free(&key->ecc);
- XMEMSET(key, 0, sizeof(*key));
- }
- }
- /*
- * Order, as a hex string in the ECC object, loaded into mp_int in key.
- * Flags that the order is available so it isn't loaded multiple times.
- *
- * @param [in] key ECCSI key.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int eccsi_load_order(EccsiKey* key)
- {
- int err = 0;
- if (!key->params.haveOrder) {
- err = mp_read_radix(&key->params.order, key->ecc.dp->order,
- MP_RADIX_HEX);
- if (err == 0) {
- key->params.haveOrder = 1;
- }
- }
- return err;
- }
- #ifdef WOLFCRYPT_ECCSI_CLIENT
- /*
- * Parameters, as a hex strings in the ECC object, loaded into mp_ints in key.
- *
- * Parameters loaded: order, A, B, prime.
- * Flags that each parameter is available so they aren't loaded multiple times.
- *
- * @param [in] key ECCSI key.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int eccsi_load_ecc_params(EccsiKey* key)
- {
- int err = 0;
- EccsiKeyParams* params = &key->params;
- err = eccsi_load_order(key);
- if ((err == 0) && (!params->haveA)) {
- err = mp_read_radix(¶ms->a, key->ecc.dp->Af, MP_RADIX_HEX);
- if (err == 0) {
- params->haveA = 1;
- }
- }
- if ((err == 0) && (!params->haveB)) {
- err = mp_read_radix(¶ms->b, key->ecc.dp->Bf, MP_RADIX_HEX);
- if (err == 0) {
- params->haveB = 1;
- }
- }
- if ((err == 0) && (!params->havePrime)) {
- err = mp_read_radix(¶ms->prime, key->ecc.dp->prime, MP_RADIX_HEX);
- if (err == 0) {
- params->havePrime = 1;
- }
- }
- return err;
- }
- #endif /* WOLFCRYPT_ECCSI_CLIENT */
- /*
- * Get the base point, hex encoded in the ECC object, as an ecc_point.
- *
- * Flags that base is available so it isn't loaded multiple times.
- * @param [in] key ECCSI key.
- * @param [out] base Base point of curve.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int eccsi_load_base(EccsiKey* key)
- {
- int err = 0;
- EccsiKeyParams* params = &key->params;
- if (!params->haveBase) {
- if (params->base == NULL) {
- params->base = wc_ecc_new_point_h(key->heap);
- if (params->base == NULL) {
- err = MEMORY_E;
- }
- }
- if (err == 0) {
- err = mp_read_radix(params->base->x, key->ecc.dp->Gx, MP_RADIX_HEX);
- }
- if (err == 0) {
- err = mp_read_radix(params->base->y, key->ecc.dp->Gy, MP_RADIX_HEX);
- }
- if (err == 0) {
- err = mp_set(params->base->z, 1);
- }
- if (err == 0) {
- params->haveBase = 1;
- }
- }
- return err;
- }
- /*
- * Encode the base point of the curve.
- *
- * Base point is hex encoded in the ECC object or cached as an ECC point from
- * previous load calls.
- *
- * @param [in] key ECCSI key.
- * @param [out] data Buffer to encode base point into.
- * @param [out] dataSz Length of base point in bytes.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_encode_base(EccsiKey* key, byte* data, word32* dataSz)
- {
- int err;
- int idx = wc_ecc_get_curve_idx(key->ecc.dp->id);
- err = eccsi_load_base(key);
- if (err == 0) {
- err = wc_ecc_export_point_der(idx, key->params.base, data, dataSz);
- }
- return err;
- }
- #ifndef WOLFSSL_HAVE_SP_ECC
- /*
- * Convert the KPAK to montgomery form.
- *
- * The KPAK is needed in Montgomery form for verification.
- *
- * @param [in] key ECCSI key.
- * @return 0 on success.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_kpak_to_mont(EccsiKey* key)
- {
- int err = 0;
- ecc_point* kpak = &key->ecc.pubkey;
- mp_int* mu = &key->tmp;
- mp_int* prime = &key->params.prime;
- if (!key->kpakMont) {
- err = mp_montgomery_calc_normalization(mu, prime);
- if (err == 0) {
- err = mp_mulmod(kpak->x, mu, prime, kpak->x);
- }
- if (err == 0) {
- err = mp_mulmod(kpak->y, mu, prime, kpak->y);
- }
- if (err == 0) {
- err = mp_mulmod(kpak->z, mu, prime, kpak->z);
- }
- if (err == 0) {
- key->kpakMont = 1;
- }
- }
- return err;
- }
- #endif
- /*
- * Convert the KPAK from montgomery form.
- *
- * The KPAK is needed in Montgomery form for verification.
- *
- * @param [in] key ECCSI key.
- * @return 0 on success.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_kpak_from_mont(EccsiKey* key)
- {
- int err = 0;
- ecc_point* kpak = &key->ecc.pubkey;
- mp_digit mp;
- mp_int* prime = &key->params.prime;
- if (key->kpakMont) {
- err = mp_montgomery_setup(prime, &mp);
- if (err == 0) {
- err = mp_montgomery_reduce(kpak->x, prime, mp);
- }
- if (err == 0) {
- err = mp_montgomery_reduce(kpak->y, prime, mp);
- }
- if (err == 0) {
- err = mp_montgomery_reduce(kpak->z, prime, mp);
- }
- if (err == 0) {
- key->kpakMont = 0;
- }
- }
- return err;
- }
- /*
- * Compute HS = hash( G | KPAK | ID | PVT )
- *
- * Use when making a (SSK,PVT) pair, signing and verifying.
- *
- * @param [in] key ECCSI key.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] id Identity to create hash from.
- * @param [in] idSz Length of identity in bytes.
- * @param [in] pvt Public Validation Token (PVT) as an ECC point.
- * @param [out] hash Buffer to hold hash data.
- * @param [out] hashSz Length of hash data in bytes.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_compute_hs(EccsiKey* key, enum wc_HashType hashType,
- const byte* id, word32 idSz, ecc_point* pvt, byte* hash, byte* hashSz)
- {
- int err;
- word32 dataSz = 0;
- int idx = wc_ecc_get_curve_idx(key->ecc.dp->id);
- ecc_point* kpak = &key->ecc.pubkey;
- int hash_inited = 0;
- /* HS = hash( G | KPAK | ID | PVT ) */
- err = wc_HashInit_ex(&key->hash, hashType, key->heap, INVALID_DEVID);
- if (err == 0) {
- hash_inited = 1;
- /* Base Point - G */
- dataSz = sizeof(key->data);
- err = eccsi_encode_base(key, key->data, &dataSz);
- }
- if (err == 0) {
- err = wc_HashUpdate(&key->hash, hashType, key->data, dataSz);
- }
- if (err == 0) {
- err = eccsi_kpak_from_mont(key);
- }
- if (err == 0) {
- dataSz = sizeof(key->data);
- /* KPAK - public key */
- err = wc_ecc_export_point_der(idx, kpak, key->data, &dataSz);
- }
- if (err == 0) {
- err = wc_HashUpdate(&key->hash, hashType, key->data, dataSz);
- }
- if (err == 0) {
- /* Id - Signer's ID */
- err = wc_HashUpdate(&key->hash, hashType, id, idSz);
- }
- if (err == 0) {
- dataSz = sizeof(key->data);
- /* PVT - Public Validation Token */
- err = wc_ecc_export_point_der(idx, pvt, key->data, &dataSz);
- }
- if (err == 0) {
- /* PVT - Public Validation Token */
- err = wc_HashUpdate(&key->hash, hashType, key->data, dataSz);
- }
- if (err == 0) {
- err = wc_HashFinal(&key->hash, hashType, hash);
- }
- if (err == 0) {
- *hashSz = (byte)wc_HashGetDigestSize(hashType);
- }
- if (hash_inited) {
- (void)wc_HashFree(&key->hash, hashType);
- }
- return err;
- }
- #ifdef WOLFCRYPT_ECCSI_KMS
- /**
- * Generate KMS Secret Auth Key (KSAK) and KMS Public Auth Key (KPAK).
- *
- * RFC 6507, Section 4.2
- *
- * Called when establishing a new KMS.\n
- * KSAK must be kept secret while KPAK is required by clients for signing
- * and verifying.\n
- * Export key using wc_ExportEccsiKey(), once generated, to reuse the key.\n
- * Export KPAK using wc_ExportEccsiPublicKey(), once generate to send to
- * clients.
- *
- * Creates a random private key and multiplies it by the base point to calculate
- * the public key.
- *
- * @param [in] key ECCSI key.
- * @param [in] rng Random number generator.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or rng is NULL.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- int wc_MakeEccsiKey(EccsiKey* key, WC_RNG* rng)
- {
- int err = 0;
- if ((key == NULL) || (rng == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- err = wc_ecc_make_key_ex(rng, key->ecc.dp->size, &key->ecc,
- key->ecc.dp->id);
- }
- return err;
- }
- /*
- * Encode a point into a buffer.
- *
- * X and y ordinate of point concatenated. Each number is zero padded tosize.
- * Descriptor byte (0x04) is prepended when not raw.
- *
- * @param [in] point ECC point to encode.
- * @param [in] size Size of prime in bytes - maximum ordinate length.
- * @param [out] data Buffer to hold encoded data.
- * NULL when needing length of encoded data.
- * @param [in,out] sz In, the size of the buffer in bytes.
- * Out, the size of the encoded data in bytes.
- * @param [in] raw On 0, prepend descriptor byte.
- * On 1, only include ordinates.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or sz is NULL.
- * @return LENGTH_ONLY_E when data is NULL - sz will hold the size in bytes of
- * the encoded data.
- * @return BUFFER_E when size of buffer is too small.
- */
- static int eccsi_encode_point(ecc_point* point, word32 size, byte* data,
- word32* sz, int raw)
- {
- int err = 0;
- if (data == NULL) {
- *sz = size * 2 + !raw;
- err = LENGTH_ONLY_E;
- }
- if ((err == 0) && (*sz < size * 2 + !raw)) {
- err = BUFFER_E;
- }
- if (err == 0) {
- if (!raw) {
- data[0] = 0x04;
- data++;
- }
- /* Write out the point's x ordinate into key size bytes. */
- err = mp_to_unsigned_bin_len(point->x, data, size);
- }
- if (err == 0) {
- data += size;
- /* Write out the point's y ordinate into key size bytes. */
- err = mp_to_unsigned_bin_len(point->y, data, size);
- }
- if (err == 0) {
- *sz = size * 2 + !raw;
- }
- return err;
- }
- /*
- * Decode the data into an ECC point.
- *
- * X and y ordinate of point concatenated. Each number is zero padded to
- * key size. Supports prepended descriptor byte (0x04).
- *
- * @param [out] point ECC point to encode.
- * @param [in] size Size of prime in bytes - maximum ordinate length.
- * @param [in] data Encoded public key.
- * @param [in] sz Size of the encoded public key in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or z is NULL.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return ASN_PARSE_E when format byte is invalid.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- static int eccsi_decode_point(ecc_point* point, word32 size, const byte* data,
- word32 sz)
- {
- int err = 0;
- if ((sz != size * 2) && (sz != size * 2 + 1)) {
- err = BUFFER_E;
- }
- if ((err == 0) && (sz & 1)) {
- if (data[0] != 0x04) {
- err = ASN_PARSE_E;
- }
- data++;
- }
- if (err == 0) {
- /* Read the public key point's x value from key size bytes. */
- err = mp_read_unsigned_bin(point->x, data, size);
- }
- if (err == 0) {
- data += size;
- /* Read the public key point's y value from key size bytes. */
- err = mp_read_unsigned_bin(point->y, data, size);
- }
- if (err == 0) {
- err = mp_set(point->z, 1);
- }
- return err;
- }
- /*
- * Encode the ECCSI key.
- *
- * Encodes the private key as big-endian bytes of fixed length.
- * Encodes the public key x and y ordinates as big-endian bytes of fixed length.
- *
- * @param [in] key ECCSI key.
- * @param [out] data Buffer to hold encoded ECCSI key.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails (WOLFSSL_SMALL_STACK).
- */
- static int eccsi_encode_key(EccsiKey* key, byte* data)
- {
- int err;
- word32 sz = (word32)key->ecc.dp->size * 2;
- /* Write out the secret value into key size bytes. */
- err = mp_to_unsigned_bin_len(&key->ecc.k, data, key->ecc.dp->size);
- if (err == 0) {
- data += key->ecc.dp->size;
- /* Write the public key. */
- err = eccsi_encode_point(&key->ecc.pubkey, (word32)key->ecc.dp->size,
- data, &sz, 1);
- }
- return err;
- }
- /**
- * Export the ECCSI key as encoded public/private ECC key.
- *
- * Use when saving the KMS key pair.
- *
- * Private key, x ordinate of public key and y ordinate of public key
- * concatenated. Each number is zero padded to key size.
- *
- * @param [in] key ECCSI key.
- * @param [out] data Buffer to hold encoded ECCSI key.
- * NULL when requesting required length.
- * @param [in,out] sz On in, size of buffer in bytes.
- * On out, size of encoded ECCSI key in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or sz is NULL
- * @return BAD_STATE_E when no key to export.
- * @return LENGTH_ONLY_E when data is NULL - sz is set.
- * @return BUFFER_E when the buffer passed in is too small.
- * @return MEMORY_E when dynamic memory allocation fails (WOLFSSL_SMALL_STACK).
- */
- int wc_ExportEccsiKey(EccsiKey* key, byte* data, word32* sz)
- {
- int err = 0;
- if ((key == NULL) || (sz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY)) {
- err = BAD_STATE_E;
- }
- if (err == 0) {
- if (data == NULL) {
- *sz = key->ecc.dp->size * 3;
- err = LENGTH_ONLY_E;
- }
- else if (*sz < (word32)key->ecc.dp->size * 3) {
- err = BUFFER_E;
- }
- else {
- *sz = key->ecc.dp->size * 3;
- }
- }
- if (err == 0) {
- err = eccsi_kpak_from_mont(key);
- }
- if (err == 0) {
- /* Encode key */
- err = eccsi_encode_key(key, data);
- }
- return err;
- }
- /*
- * Import the ECCSI key as encoded public/private ECC key.
- *
- * Decodes the private key as big-endian bytes of fixed length.
- * Decodes the public key x and y ordinates as big-endian bytes of fixed length.
- *
- * @param [in] key ECCSI key.
- * @param [in] data Buffer holding encoded ECCSI key.
- * @return 0 on success.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- static int eccsi_decode_key(EccsiKey* key, const byte* data)
- {
- int err;
- /* Read the secret value from key size bytes. */
- err = mp_read_unsigned_bin(&key->ecc.k, data, key->ecc.dp->size);
- if (err == 0) {
- data += key->ecc.dp->size;
- /* Read public key. */
- err = eccsi_decode_point(&key->ecc.pubkey, (word32)key->ecc.dp->size,
- data, key->ecc.dp->size * 2);
- }
- return err;
- }
- /**
- * Import the ECCSI key as encoded public/private ECC key.
- *
- * Use when restoring the KMS key pair.
- *
- * Private key, x ordinate of public key and y ordinate of public key
- * concatenated. Each number is zero padded to key size.
- *
- * @param [in] key ECCSI key.
- * @param [in] data Buffer holding encoded ECCSI key.
- * @param [in] sz Size of encoded ECCSI key in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or data is NULL.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- int wc_ImportEccsiKey(EccsiKey* key, const byte* data, word32 sz)
- {
- int err = 0;
- if ((key == NULL) || (data == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (sz != (word32)key->ecc.dp->size * 3)) {
- err = BUFFER_E;
- }
- if (err == 0) {
- key->kpakMont = 0;
- /* Decode key */
- err = eccsi_decode_key(key, data);
- }
- if (err == 0) {
- key->ecc.type = ECC_PRIVATEKEY;
- }
- return err;
- }
- /**
- * Export the ECCSI private key.
- *
- * Use when saving the KMS key.
- *
- * Private key is zero padded to key size.
- *
- * @param [in] key ECCSI key.
- * @param [out] data Buffer to hold encoded ECCSI private key.
- * NULL when requesting required length.
- * @param [in,out] sz On in, size of buffer in bytes.
- * On out, size of encoded ECCSI private key in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or sz is NULL
- * @return BAD_STATE_E when no key to export.
- * @return LENGTH_ONLY_E when data is NULL - sz is set.
- * @return BUFFER_E when the buffer passed in is too small.
- * @return MEMORY_E when dynamic memory allocation fails (WOLFSSL_SMALL_STACK).
- */
- int wc_ExportEccsiPrivateKey(EccsiKey* key, byte* data, word32* sz)
- {
- int err = 0;
- if ((key == NULL) || (sz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY)) {
- err = BAD_STATE_E;
- }
- if (err == 0) {
- if (data == NULL) {
- *sz = key->ecc.dp->size;
- err = LENGTH_ONLY_E;
- }
- else if (*sz < (word32)key->ecc.dp->size) {
- err = BUFFER_E;
- }
- else {
- *sz = key->ecc.dp->size;
- }
- }
- if (err == 0) {
- err = mp_to_unsigned_bin_len(&key->ecc.k, data, key->ecc.dp->size);
- }
- return err;
- }
- /**
- * Import the ECCSI private key.
- *
- * Use when restoring the KMS key pair.
- *
- * Private key is zero padded to key size.
- *
- * @param [in] key ECCSI key.
- * @param [in] data Buffer holding encoded ECCSI private key.
- * @param [in] sz Size of encoded ECCSI private key in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or data is NULL.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- int wc_ImportEccsiPrivateKey(EccsiKey* key, const byte* data, word32 sz)
- {
- int err = 0;
- if ((key == NULL) || (data == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (sz != (word32)key->ecc.dp->size)) {
- err = BUFFER_E;
- }
- if (err == 0) {
- err = mp_read_unsigned_bin(&key->ecc.k, data, key->ecc.dp->size);
- }
- return err;
- }
- /**
- * Export the KMS Public Auth Key (KPAK) from the ECCSI object.
- *
- * KPAK is required by all clients in order to perform cryptographic operations.
- *
- * X and y ordinate of public key concatenated. Each number is zero padded to
- * key size.
- * Descriptor byte (0x04) is prepended when not raw.
- *
- * @param [in] key ECCSI key.
- * @param [out] data Buffer to hold the encoded public key.
- * @param [in,out] sz On in, size of buffer in bytes.
- * On out, length of encoded public key in bytes.
- * @param [in] raw On 0, prepend descriptor byte.
- * On 1, only include ordinates.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or sz is NULL.
- * @return LENGTH_ONLY_E when data is NULL - sz is set.
- * @return BUFFER_E when the buffer passed in is too small.
- */
- int wc_ExportEccsiPublicKey(EccsiKey* key, byte* data, word32* sz, int raw)
- {
- int err = 0;
- if ((key == NULL) || (sz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY) &&
- (key->ecc.type != ECC_PUBLICKEY)) {
- err = BAD_STATE_E;
- }
- if ((err == 0) && (data != NULL)) {
- err = eccsi_kpak_from_mont(key);
- }
- if (err == 0) {
- /* Write out public key. */
- err = eccsi_encode_point(&key->ecc.pubkey, (word32)key->ecc.dp->size,
- data, sz, raw);
- }
- return err;
- }
- /*
- * Generates an (SSK, PVT) Pair - signing key pair.
- *
- * RFC 6507, Section 5.1.1
- *
- * @param [in] key ECCSI key.
- * @param [in] rng Random number generator.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] id Identity to create hash from.
- * @param [in] idSz Length of identity in bytes.
- * @param [out] ssk Secret Signing Key as an MP integer.
- * @param [out] pvt Public Validation Token (PVT) as an ECC point.
- * @return 0 on success.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_make_pair(EccsiKey* key, WC_RNG* rng,
- enum wc_HashType hashType, const byte* id, word32 idSz, mp_int* ssk,
- ecc_point* pvt)
- {
- int err = 0;
- byte hashSz = 0;
- int genTryCnt = 0;
- do {
- /* Don't infinitely make pairs when random number generator fails. */
- if ((++genTryCnt) > ECCSI_MAX_GEN_COUNT) {
- err = RNG_FAILURE_E;
- }
- if (err == 0) {
- wc_ecc_free(&key->pubkey);
- /* Step 1 and 2: Generate ephemeral key - v, PVT = [v]G */
- err = wc_ecc_make_key_ex(rng, key->ecc.dp->size, &key->pubkey,
- key->ecc.dp->id);
- }
- if (err == 0) {
- err = wc_ecc_copy_point(&key->pubkey.pubkey, pvt);
- }
- /* Step 3: Compute HS */
- if (err == 0) {
- hashSz = (byte)sizeof(key->data);
- err = eccsi_compute_hs(key, hashType, id, idSz, pvt, key->data,
- &hashSz);
- }
- /* Step 4: Compute SSK = ( KSAK + HS * v ) modulo q */
- if (err == 0) {
- err = mp_read_unsigned_bin(ssk, key->data, hashSz);
- }
- if (err == 0) {
- err = mp_mulmod(ssk, &key->pubkey.k, &key->params.order, ssk);
- }
- if (err == 0) {
- err = mp_addmod(ssk, &key->ecc.k, &key->params.order, ssk);
- }
- }
- while ((err == 0) && (mp_iszero(ssk) ||
- (mp_cmp(ssk, &key->ecc.k) == MP_EQ)));
- /* Step 5: ensure SSK and HS are non-zero (code lines above) */
- /* Step 6: Copy out SSK (done during calc) and PVT. Erase v */
- mp_forcezero(&key->pubkey.k);
- return err;
- }
- /**
- * Generates an (SSK, PVT) Pair - signing key pair.
- *
- * RFC 6507, Section 5.1.1
- *
- * ID should include information to indicate a revocation date.\n
- * SSK must be zeroized after sending to client.\n
- * SSK is sent to signing client only.\n
- * PVT is sent to all client types.
- *
- * @param [in] key ECCSI key.
- * @param [in] rng Random number generator.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] id Identity to create hash from.
- * @param [in] idSz Length of identity in bytes.
- * @param [out] ssk Secret Signing Key as an MP integer.
- * @param [out] pvt Public Validation Token (PVT) as an ECC point.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, rng, id, ssk or pvt is NULL.
- * @return BAD_STATE_E when curve not set (key not set).
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- int wc_MakeEccsiPair(EccsiKey* key, WC_RNG* rng, enum wc_HashType hashType,
- const byte* id, word32 idSz, mp_int* ssk, ecc_point* pvt)
- {
- int err = 0;
- if ((key == NULL) || (rng == NULL) || (id == NULL) || (ssk == NULL) ||
- (pvt == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY)) {
- err = BAD_STATE_E;
- }
- if (err == 0) {
- err = eccsi_load_order(key);
- }
- if (err == 0) {
- err = eccsi_make_pair(key, rng, hashType, id, idSz, ssk, pvt);
- }
- return err;
- }
- /**
- * Encode the SSK and PVT into a buffer.
- *
- * SSK and PVT required by client signing messages.
- *
- * @param [in] key ECCSI key.
- * @param [in] ssk Secret Signing Key as an MP integer.
- * @param [in] pvt Public Validation Token (PVT) as an ECC point.
- * @param [out] data Buffer to encode key pair into.
- * @param [in,out] sz In, size of buffer in bytes.
- * Out, size of encoded pair data in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, ssk, pvt or sz is NULL.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return LENGTH_ONLY_E when data is NULL - sz is set.
- */
- int wc_EncodeEccsiPair(const EccsiKey* key, mp_int* ssk, ecc_point* pvt,
- byte* data, word32* sz)
- {
- int err = 0;
- if ((key == NULL) || (ssk == NULL) || (pvt == NULL) || (sz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (data == NULL)) {
- *sz = key->ecc.dp->size * 3;
- err = LENGTH_ONLY_E;
- }
- if ((err == 0) && (*sz < (word32)(key->ecc.dp->size * 3))) {
- err = BUFFER_E;
- }
- if (err == 0) {
- err = mp_to_unsigned_bin_len(ssk, data, key->ecc.dp->size);
- }
- if (err == 0) {
- data += key->ecc.dp->size;
- /* Write out the PVT's x ordinate into key size bytes. */
- err = mp_to_unsigned_bin_len(pvt->x, data, key->ecc.dp->size);
- }
- if (err == 0) {
- data += key->ecc.dp->size;
- /* Write out the PVT's y ordinate into key size bytes. */
- err = mp_to_unsigned_bin_len(pvt->y, data, key->ecc.dp->size);
- }
- if (err == 0) {
- *sz = key->ecc.dp->size * 3;
- }
- return err;
- }
- /**
- * Encode the Secret Signing Key (SSK).
- *
- * Use when saving the key pair.
- *
- * SSK is zero padded to key size.
- *
- * @param [in] key ECCSI key.
- * @param [in] ssk Secret Signing Key as an MP integer.
- * @param [out] data Buffer to hold encoded SSK.
- * NULL when requesting required length.
- * @param [in,out] sz On in, size of buffer in bytes.
- * On out, size of encoded ECCSI key in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, ssk or sz is NULL
- * @return BAD_STATE_E when no key to export.
- * @return LENGTH_ONLY_E when data is NULL - sz is set.
- * @return BUFFER_E when the buffer passed in is too small.
- * @return MEMORY_E when dynamic memory allocation fails (WOLFSSL_SMALL_STACK).
- */
- int wc_EncodeEccsiSsk(const EccsiKey* key, mp_int* ssk, byte* data, word32* sz)
- {
- int err = 0;
- if ((key == NULL) || (ssk == NULL) || (sz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY)) {
- err = BAD_STATE_E;
- }
- if (err == 0) {
- if (data == NULL) {
- *sz = key->ecc.dp->size;
- err = LENGTH_ONLY_E;
- }
- else if (*sz < (word32)key->ecc.dp->size) {
- err = BUFFER_E;
- }
- else {
- *sz = key->ecc.dp->size;
- }
- }
- if (err == 0) {
- err = mp_to_unsigned_bin_len(ssk, data, key->ecc.dp->size);
- }
- return err;
- }
- /**
- * Decode the Secret Signing Key (SSK).
- *
- * Use when restoring the key pair.
- *
- * SSK is zero padded to key size.
- *
- * @param [in] key ECCSI key.
- * @param [in] data Buffer holding encoded ECCSI key.
- * @param [in] sz Size of encoded ECCSI key in bytes.
- * @param [out] ssk Secret Signing Key as an MP integer.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, data or ssk is NULL.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- int wc_DecodeEccsiSsk(const EccsiKey* key, const byte* data, word32 sz,
- mp_int* ssk)
- {
- int err = 0;
- if ((key == NULL) || (data == NULL) || (ssk == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (sz != (word32)key->ecc.dp->size)) {
- err = BUFFER_E;
- }
- if (err == 0) {
- err = mp_read_unsigned_bin(ssk, data, key->ecc.dp->size);
- }
- return err;
- }
- /**
- * Encode the PVT into a buffer.
- *
- * PVT required by client verifying messages.
- *
- * X and y ordinate of public key concatenated. Each number is zero padded to
- * key size.
- * Descriptor byte (0x04) is prepended when not raw.
- *
- * @param [in] key ECCSI key.
- * @param [in] pvt Public Validation Token (PVT) as an ECC point.
- * @param [out] data Buffer to encode key pair into.
- * @param [in,out] sz In, size of buffer in bytes.
- * Out, size of encoded pair data in bytes.
- * @param [in] raw On 0, prepend descriptor byte.
- * On 1, only include ordinates.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, pvt or sz is NULL.
- * @return BAD_STATE_E when PVT has not been set.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return LENGTH_ONLY_E when data is NULL - sz is set.
- */
- int wc_EncodeEccsiPvt(const EccsiKey* key, ecc_point* pvt, byte* data,
- word32* sz, int raw)
- {
- int err = 0;
- if ((key == NULL) || (pvt == NULL) || (sz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- err = eccsi_encode_point(pvt, (word32)key->ecc.dp->size, data, sz, raw);
- }
- return err;
- }
- #endif /* WOLFCRYPT_ECCSI_KMS */
- #ifdef WOLFCRYPT_ECCSI_CLIENT
- /**
- * Decode the SSK and PVT data into separate variables.
- *
- * A signing client decodes the data so that it can validate the pair and sign.
- *
- * @param [in] key ECCSI key.
- * @param [in] data Buffer holding key pair data.
- * @param [in] sz Size of data in bytes.
- * @param [out] ssk Secret Signing Key as an MP integer.
- * @param [out] pvt Public Validation Token (PVT) as an ECC point.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, data, ssk or pvt is NULL.
- * @return LENGTH_ONLY_E when data is NULL - sz is set.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- int wc_DecodeEccsiPair(const EccsiKey* key, const byte* data, word32 sz,
- mp_int* ssk, ecc_point* pvt)
- {
- int err = 0;
- if ((key == NULL) || (data == NULL) || (ssk == NULL) || (pvt == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (sz != (word32)(key->ecc.dp->size * 3))) {
- err = BUFFER_E;
- }
- if (err == 0) {
- /* Read the SSK value from key size bytes. */
- err = mp_read_unsigned_bin(ssk, data, key->ecc.dp->size);
- }
- if (err == 0) {
- data += key->ecc.dp->size;
- /* Read the PVT's x value from key size bytes. */
- err = mp_read_unsigned_bin(pvt->x, data, key->ecc.dp->size);
- }
- if (err == 0) {
- data += key->ecc.dp->size;
- /* Read the PVT's y value from key size bytes. */
- err = mp_read_unsigned_bin(pvt->y, data, key->ecc.dp->size);
- }
- if (err == 0) {
- err = mp_set(pvt->z, 1);
- }
- return err;
- }
- /**
- * Decode the PVT data into an ECC point.
- *
- * A verifying client decodes the data so that it can verify a message.
- *
- * X and y ordinate of public key concatenated. Each number is zero padded to
- * key size.
- * Descriptor byte (0x04) is prepended when not raw.
- *
- * @param [in] key ECCSI key.
- * @param [in] data Buffer holding PVT data.
- * @param [in] sz Size of data in bytes.
- * @param [out] pvt Public Validation Token (PVT) as an ECC point.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, data, ssk or pvt is NULL.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return ASN_PARSE_E when format byte is invalid.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- int wc_DecodeEccsiPvt(const EccsiKey* key, const byte* data, word32 sz,
- ecc_point* pvt)
- {
- int err = 0;
- if ((key == NULL) || (data == NULL) || (pvt == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- err = eccsi_decode_point(pvt, (word32)key->ecc.dp->size, data, sz);
- }
- return err;
- }
- /**
- * Decode the PVT data, from a signature, into an ECC point.
- *
- * A verifying client decodes the data so that it can calculate the identity
- * hash.
- *
- * X and y ordinate of public key concatenated. Each number is zero padded to
- * key size.
- * Descriptor byte (0x04) is prepended when not raw.
- *
- * @param [in] key ECCSI key.
- * @param [in] sig Buffer holding signature data.
- * @param [in] sz Size of data in bytes.
- * @param [out] pvt Public Validation Token (PVT) as an ECC point.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, data, ssk or pvt is NULL.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return ASN_PARSE_E when format byte is invalid.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- int wc_DecodeEccsiPvtFromSig(const EccsiKey* key, const byte* sig, word32 sz,
- ecc_point* pvt)
- {
- int err = 0;
- if ((key == NULL) || (sig == NULL) || (pvt == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- word32 rSz = key->ecc.dp->size * 2;
- err = eccsi_decode_point(pvt, (word32)key->ecc.dp->size, sig + rSz,
- sz - rSz);
- }
- return err;
- }
- /**
- * Import the KMS Public Auth Key (KPAK) into the ECCSI object.
- *
- * Clients import the KPAK to perform cryptographic operations.
- *
- * X and y ordinate of public key concatenated. Each number is zero padded to
- * key size.
- * Descriptor byte (0x04) is prepended when not raw.
- *
- * @param [in] key ECCSI key.
- * @param [in] data Encoded public key as an array of bytes.
- * @param [in] sz Length of encoded KPAK in bytes.
- * @param [in] trusted 1 when public key is trusted.
- * 0 when validation is required to be performed.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or data is NULL.
- * @return BUFFER_E when size of data is not equal to the expected size.
- * @return ASN_PARSE_E when format byte is invalid.
- * @return ECC_OUT_OF_RANGE_E when point is invalid.
- * @return ECC_INF_E when point is at infinity and invalid.
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- */
- int wc_ImportEccsiPublicKey(EccsiKey* key, const byte* data, word32 sz,
- int trusted)
- {
- int err = 0;
- if ((key == NULL) || (data == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- key->kpakMont = 0;
- /* Read the public key. */
- err = eccsi_decode_point(&key->ecc.pubkey, (word32)key->ecc.dp->size,
- data, sz);
- }
- if (err == 0) {
- key->ecc.type = ECC_PUBLICKEY;
- }
- if ((err == 0) && (!trusted)) {
- err = wc_ecc_check_key(&key->ecc);
- }
- return err;
- }
- /*
- * Scalar multiply the base point of the curve and add a point.
- *
- * @param [in] key ECCSI key.
- * @param [in] n MP integer representing scalar to multiply by.
- * @param [in] a ECC point to add.
- * @param [out] res ECC point representation of the resulting point.
- * @param [in] mp Montgomery reduction multiplier.
- * @param [in] map 0 indicates to leave in projective representation.
- * 1 indicates map projective point to affine.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_mulmod_base_add(EccsiKey* key, const mp_int* n,
- ecc_point* a, ecc_point* res, mp_digit mp, int map)
- {
- int err = 0;
- #ifdef WOLFSSL_HAVE_SP_ECC
- #ifndef WOLFSSL_SP_NO_256
- if ((key->ecc.idx != ECC_CUSTOM_IDX) &&
- (ecc_sets[key->ecc.idx].id == ECC_SECP256R1)) {
- err = sp_ecc_mulmod_base_add_256(n, a, 1, res, map, key->heap);
- }
- else
- #endif
- #endif
- #ifndef WOLFSSL_SP_MATH
- {
- EccsiKeyParams* params = &key->params;
- err = wc_ecc_mulmod(n, params->base, params->base, ¶ms->a,
- ¶ms->prime, 0);
- key->params.haveBase = 0;
- if (err == 0) {
- err = ecc_projective_add_point(params->base, a, res, ¶ms->a,
- ¶ms->prime, mp);
- }
- if ((err == 0) && map) {
- err = ecc_map(res, ¶ms->prime, mp);
- }
- }
- #else
- {
- err = NOT_COMPILED_IN;
- }
- (void)mp;
- #endif
- return err;
- }
- /*
- * Scalar multiply a point on the curve.
- *
- * @param [in] key ECCSI key.
- * @param [in] n MP integer representing scalar to multiply by.
- * @param [in] point ECC point representation of a point on the curve.
- * @param [out] res ECC point representation of the resulting point.
- * @param [in] map 0 indicates to leave in projective representation.
- * 1 indicates map projective point to affine.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_mulmod_point(EccsiKey* key, const mp_int* n, ecc_point* point,
- ecc_point* res, int map)
- {
- int err;
- #ifdef WOLFSSL_HAVE_SP_ECC
- #ifndef WOLFSSL_SP_NO_256
- if ((key->ecc.idx != ECC_CUSTOM_IDX) &&
- (ecc_sets[key->ecc.idx].id == ECC_SECP256R1)) {
- err = sp_ecc_mulmod_256(n, point, res, map, key->heap);
- }
- else
- #endif
- #endif
- {
- EccsiKeyParams* params = &key->params;
- err = wc_ecc_mulmod(n, point, res, ¶ms->a, ¶ms->prime, map);
- }
- return err;
- }
- /*
- * Scalar multiply a point on the curve and add a.
- *
- * @param [in] key ECCSI key.
- * @param [in] n MP integer representing scalar to multiply by.
- * @param [in] point ECC point representation of a point on the curve.
- * @param [in] a ECC point to add.
- * @param [out] res ECC point representation of the resulting point.
- * @param [in] mp Montgomery reduction multiplier.
- * @param [in] map 0 indicates to leave in projective representation.
- * 1 indicates map projective point to affine.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_mulmod_point_add(EccsiKey* key, const mp_int* n,
- ecc_point* point, ecc_point* a, ecc_point* res, mp_digit mp, int map)
- {
- #ifdef WOLFSSL_HAVE_SP_ECC
- #ifndef WOLFSSL_SP_NO_256
- int err = NOT_COMPILED_IN;
- if ((key->ecc.idx != ECC_CUSTOM_IDX) &&
- (ecc_sets[key->ecc.idx].id == ECC_SECP256R1)) {
- err = sp_ecc_mulmod_add_256(n, point, a, 0, res, map, key->heap);
- }
- (void)mp;
- return err;
- #endif
- #else
- int err;
- EccsiKeyParams* params = &key->params;
- err = wc_ecc_mulmod(n, point, res, ¶ms->a, ¶ms->prime, 0);
- if (err == 0) {
- err = ecc_projective_add_point(res, a, res, &key->params.a,
- ¶ms->prime, mp);
- }
- if ((err == 0) && map) {
- err = ecc_map(res, ¶ms->prime, mp);
- }
- return err;
- #endif
- }
- /**
- * Validate an (SSV, PVT) Pair.
- *
- * RFC 6507, Section 5.1.2
- *
- * A signing client should validate the key pair before first use.
- *
- * @param [in] key ECCSI key.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] id Identity to create hash from.
- * @param [in] idSz Length of identity in bytes.
- * @param [in] ssk Secret Signing Key as an MP integer.
- * @param [in] pvt Public Validation Token (PVT) as an ECC point.
- * @param [out] valid 1 when pair is valid and 0 otherwise.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, id, ssk, pvt or valid is NULL.
- * @return BAD_STATE_E when curve not set (key not set).
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return IS_POINT_E when point is not on the curve.
- * @return Other -ve value when an internal operation fails.
- */
- int wc_ValidateEccsiPair(EccsiKey* key, enum wc_HashType hashType,
- const byte* id, word32 idSz, const mp_int* ssk, ecc_point* pvt,
- int* valid)
- {
- int err = 0;
- ecc_point* res = NULL;
- mp_int* hs = NULL;
- mp_digit mp = 0;
- byte hashSz = 0;
- EccsiKeyParams* params = NULL;
- if ((key == NULL) || (id == NULL) || (ssk == NULL) || (pvt == NULL) ||
- (valid == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY) &&
- (key->ecc.type != ECC_PUBLICKEY)) {
- err = BAD_STATE_E;
- }
- if (err != 0)
- return err;
- SAVE_VECTOR_REGISTERS(return _svr_ret;);
- params = &key->params;
- hs = &key->tmp;
- res = &key->pubkey.pubkey;
- err = eccsi_load_base(key);
- if (err == 0) {
- err = eccsi_load_ecc_params(key);
- }
- if (err == 0) {
- err = mp_montgomery_setup(¶ms->prime, &mp);
- }
- /* Step 1: Validate PVT is on curve */
- if (err == 0) {
- err = wc_ecc_is_point(pvt, ¶ms->a, ¶ms->b, ¶ms->prime);
- if (err == -1) {
- err = IS_POINT_E;
- }
- }
- /* Step 2: Compute HS = hash( G | KPAK | ID | PVT ) */
- if (err == 0) {
- hashSz = (byte)sizeof(key->data);
- /* Converts KPAK from mont. */
- err = eccsi_compute_hs(key, hashType, id, idSz, pvt, key->data,
- &hashSz);
- }
- /* Step 3: Validate that KPAK = [SSK]G - [HS]PVT */
- if (err == 0) {
- err = mp_read_unsigned_bin(hs, key->data, hashSz);
- }
- /* [HS]PVT */
- if (err == 0) {
- err = eccsi_mulmod_point(key, hs, pvt, res, 0);
- }
- /* -[HS]PVT */
- if (err == 0) {
- err = mp_sub(¶ms->prime, res->y, res->y);
- }
- /* [SSK]G + -[HS]PVT */
- if (err == 0) {
- err = eccsi_mulmod_base_add(key, ssk, res, res, mp, 1);
- }
- if (valid != NULL) {
- *valid = (err == 0);
- if (err == 0) {
- ecc_point* kpak = &key->ecc.pubkey;
- /* Compare KPAK and [SSK]G + -[HS]PVT */
- *valid = (wc_ecc_cmp_point(res, kpak) == MP_EQ);
- }
- }
- RESTORE_VECTOR_REGISTERS();
- return err;
- }
- /**
- * Validate Public Validation Token (PVT) is on the curve.
- *
- * RFC 6507, Section 5.1.2, Step 1
- *
- * A verifying client should validate the PVT before first use.
- *
- * @param [in] key ECCSI key.
- * @param [in] pvt Public Validation Token (PVT) as an ECC point.
- * @param [out] valid 1 when PVT is valid and 0 otherwise.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, pvt or valid is NULL.
- * @return BAD_STATE_E when curve not set (key not set).
- * @return MP_MEM or MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- int wc_ValidateEccsiPvt(EccsiKey* key, const ecc_point* pvt, int* valid)
- {
- int err = 0;
- if ((key == NULL)| (pvt == NULL) || (valid == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- err = wc_ecc_set_curve(&key->pubkey, key->ecc.dp->size,
- key->ecc.dp->id);
- }
- if (err == 0) {
- err = wc_ecc_copy_point(pvt, &key->pubkey.pubkey);
- }
- if (err == 0) {
- *valid = (wc_ecc_check_key(&key->pubkey) == 0);
- }
- return err;
- }
- /**
- * Creates the Hash of the ID and PVT with the ECCSI key.
- *
- * The hash ID is required as input to the sign and verify operations.\n
- * Signing clients may cache this value.
- *
- * RFC 6507, Section 5.2.1, Step 3
- *
- * Set the calculated hash internally for use.
- *
- * @param [in] key ECCSI key.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] id Identity to create hash from.
- * @param [in] idSz Length of identity in bytes.
- * @param [in] pvt Public Validation Token (PVT) as an ECC point.
- * @param [out] hash Buffer to hold hash result.
- * @param [out] hashSz Length of hash data in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, id, pvt, hash or hashSz is NULL.
- * @return BAD_STATE_E when public key not set.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- int wc_HashEccsiId(EccsiKey* key, enum wc_HashType hashType, const byte* id,
- word32 idSz, ecc_point* pvt, byte* hash, byte* hashSz)
- {
- int err = 0;
- if ((key == NULL) || (id == NULL) || (pvt == NULL) || (hash == NULL) ||
- (hashSz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY) &&
- (key->ecc.type != ECC_PUBLICKEY)) {
- err = BAD_STATE_E;
- }
- /* Load the curve parameters for operations */
- if (err == 0) {
- err = eccsi_load_ecc_params(key);
- }
- if (err == 0) {
- err = eccsi_compute_hs(key, hashType, id, idSz, pvt, hash, hashSz);
- }
- if (err == 0) {
- XMEMCPY(key->idHash, hash, *hashSz);
- key->idHashSz = *hashSz;
- }
- return err;
- }
- /**
- * Set the identity hash for use with signing/verification.
- *
- * @param [in] key ECCSI key.
- * @param [in] hash Buffer with hash of identity.
- * @param [in] hashSz Length of hash data in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key or hash is NULL, or hashSz is greater than
- * WC_MAX_DIGEST_SIZE.
- */
- int wc_SetEccsiHash(EccsiKey* key, const byte* hash, byte hashSz)
- {
- int err = 0;
- if ((key == NULL) || (hash == NULL) || (hashSz > WC_MAX_DIGEST_SIZE)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- XMEMCPY(key->idHash, hash, hashSz);
- key->idHashSz = hashSz;
- }
- return err;
- }
- /**
- * Set an (SSV, PVT) Pair for signing.
- *
- * @param [in] key ECCSI key.
- * @param [in] ssk Secret Signing Key as an MP integer.
- * @param [in] pvt Public Validation Token (PVT) as an ECC point.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, ssk or pvt is NULL.
- * @return MP math errors when copy fails
- */
- int wc_SetEccsiPair(EccsiKey* key, const mp_int* ssk, const ecc_point* pvt)
- {
- int err = 0;
- if ((key == NULL) || (ssk == NULL) || (pvt == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- err = mp_copy(ssk, &key->ssk);
- }
- if (err == 0) {
- err = wc_ecc_copy_point(pvt, key->pvt);
- }
- return err;
- }
- #ifdef ECCSI_ORDER_MORE_BITS_THAN_PRIME
- /*
- * Fit the number to the maximum number of bytes.
- *
- * If the number is too big then subtract from order.
- * RFC 6507, Section 5.2.1, Note at end.
- * This should only happen when order is larger than prime in bits.
- *
- * @param [in] a MP integer to fix.
- * @param [in] order MP integer representing order of curve.
- * @param [in] m Maximum number of bytes to encode into.
- * @param [out] r MP integer that is the result after fixing.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int eccsi_fit_to_octets(const mp_int* a, mp_int* order, int m,
- mp_int* r)
- {
- int err;
- if (mp_count_bits(a) > m * 8) {
- err = mp_sub(order, (mp_int*)a, r);
- }
- else
- {
- err = mp_copy(a, r);
- }
- return err;
- }
- #else
- /*
- * Fit the number to the maximum number of bytes.
- *
- * If the number is too big then subtract from order.
- * RFC 6507, Section 5.2.1, Note at end.
- * This should only happen when order is larger than prime in bits.
- *
- * @param [in] a MP integer to fix.
- * @param [in] order MP integer representing order of curve.
- * @param [in] m Maximum number of bytes to encode into.
- * @param [out] r MP integer that is the result after fixing.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int eccsi_fit_to_octets(const mp_int* a, const mp_int* order, int m,
- mp_int* r)
- {
- (void)order;
- (void)m;
- /* Duplicate line to stop static analyzer complaining. */
- return mp_copy(a, r);
- }
- #endif
- /*
- * Compute the HE = hash( HS | r | M ), hash value of signature.
- *
- * Partial result required for signing and verification.
- *
- * @param [in] key ECCSI key.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] r MP integer that is the first signature element.
- * @param [in] msg Message of signature.
- * @param [in] msgSz Length of message in bytes.
- * @param [out] he Signature hash.
- * @param [out] heSz Length of signature hash in bytes
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_compute_he(EccsiKey* key, enum wc_HashType hashType,
- mp_int* r, const byte* msg, word32 msgSz, byte* he, word32* heSz)
- {
- int err = 0;
- word32 dataSz = key->ecc.dp->size;
- int hash_inited = 0;
- /* HE = hash( HS | r | M ) */
- err = wc_HashInit_ex(&key->hash, hashType, key->heap, INVALID_DEVID);
- if (err == 0) {
- hash_inited = 1;
- /* HS */
- err = wc_HashUpdate(&key->hash, hashType, key->idHash, key->idHashSz);
- }
- if (err == 0) {
- err = mp_to_unsigned_bin_len(r, key->data, dataSz);
- }
- if (err == 0) {
- /* r */
- err = wc_HashUpdate(&key->hash, hashType, key->data, dataSz);
- }
- if (err == 0) {
- /* M */
- err = wc_HashUpdate(&key->hash, hashType, msg, msgSz);
- }
- if (err == 0) {
- err = wc_HashFinal(&key->hash, hashType, he);
- }
- if (err == 0) {
- *heSz = wc_HashGetDigestSize(hashType);
- }
- if (hash_inited) {
- (void)wc_HashFree(&key->hash, hashType);
- }
- return err;
- }
- /*
- * Encode the signature = ( r | s | PVT )
- *
- * @param [in] key ECCSI key.
- * @param [in] r MP integer that is the first signature element.
- * @param [in] s MP integer that is the second signature element.
- * @param [in] pvt ECC point representing Public Validation Token.
- * @param [out] sig Signature of message.
- * @param [out] sigSz Length of signature in bytes.
- */
- static int eccsi_encode_sig(const EccsiKey* key, mp_int* r, mp_int* s,
- byte* sig, word32* sigSz)
- {
- int err;
- word32 sz = key->ecc.dp->size;
- err = mp_to_unsigned_bin_len(r, sig, sz);
- if (err == 0) {
- err = mp_to_unsigned_bin_len(s, sig + sz, sz);
- }
- if (err == 0) {
- *sigSz = key->ecc.dp->size * 2 + 1;
- err = wc_ecc_export_point_der(wc_ecc_get_curve_idx(key->ecc.dp->id),
- key->pvt, sig + sz * 2, sigSz);
- }
- if (err == 0) {
- *sigSz = sz * 4 + 1;
- }
- return err;
- }
- /*
- * Sign the ECCSI hash (of ID with the key) to two mp_int objects: r and s.
- *
- * RFC 6507, Section 5.2.1, Steps 1 to 4
- *
- * @param [in] key ECCSI key.
- * @param [in] rng Random number generator.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] msg Message to sign.
- * @param [in] msgSz Length of message in bytes.
- * @param [out] r First big number integer part of signature.
- * @param [out] s Second big number integer part of signature.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_gen_sig(EccsiKey* key, WC_RNG* rng, enum wc_HashType hashType,
- const byte* msg, word32 msgSz, mp_int* r, mp_int* s)
- {
- int err = 0;
- word32 sz = key->ecc.dp->size;
- word32 heSz = 0;
- const mp_int* jx = NULL;
- mp_int* he = &key->tmp;
- int genTryCnt = 0;
- do {
- /* Don't infinitely gen sigs when random number generator fails. */
- if ((++genTryCnt) > ECCSI_MAX_GEN_COUNT) {
- err = RNG_FAILURE_E;
- }
- if (err == 0) {
- wc_ecc_free(&key->pubkey);
- /* Step 1 and 2: Generate ephemeral key - j, J = [j]G, r = Jx */
- err = wc_ecc_make_key_ex(rng, sz, &key->pubkey, key->ecc.dp->id);
- }
- if (err == 0) {
- jx = key->pubkey.pubkey.x;
- err = eccsi_fit_to_octets(jx, &key->params.order, sz, r);
- }
- /* Step 3: Compute HE = hash( HS | r | M ) */
- if (err == 0) {
- err = eccsi_compute_he(key, hashType, r, msg, msgSz, key->data,
- &heSz);
- }
- /* Step 4: Verify that HE + r * SSK is non-zero modulo q */
- if (err == 0) {
- err = mp_read_unsigned_bin(he, key->data, heSz);
- }
- /* s' = r * SSK */
- if (err == 0) {
- err = mp_mulmod(r, &key->ssk, &key->params.order, s);
- }
- /* s' = HE + r * SSK */
- if (err == 0) {
- err = mp_addmod(he, s, &key->params.order, s);
- }
- }
- while ((err == 0) && (mp_iszero(s) || (mp_cmp(s, he) == MP_EQ)));
- return err;
- }
- /**
- * Sign the ECCSI hash (of ID with the key).
- *
- * RFC 6507, Section 5.2.1
- *
- * Must have imported KPAK using wc_ImportEccsiPublicKey() before calling.\n
- * Use wc_HashEccsiId() to calculate the hash and wc_SetEccsiHash() to set
- * the identity hash to use.
- *
- * @param [in] key ECCSI key.
- * @param [in] rng Random number generator.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] msg Message to sign.
- * @param [in] msgSz Length of message in bytes.
- * @param [out] sig Signature of message.
- * @param [out] sigSz Length of signature in bytes.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, rng, msg or sigSz is NULL.
- * @return BAD_STATE_E when the curve or id hash has not been set (no key set).
- * @return LENGTH_ONLY_E when sig is NULL - sigSz is set.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- int wc_SignEccsiHash(EccsiKey* key, WC_RNG* rng, enum wc_HashType hashType,
- const byte* msg, word32 msgSz, byte* sig, word32* sigSz)
- {
- int err = 0;
- mp_int* r = NULL;
- mp_int* s = NULL;
- mp_int* j = NULL;
- word32 sz = 0;
- if ((key == NULL) || (rng == NULL) || (msg == NULL) || (sigSz == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PUBLICKEY) &&
- (key->ecc.type != ECC_PRIVATEKEY)) {
- err = BAD_STATE_E;
- }
- if ((err == 0) && (sig != NULL) && (key->idHashSz == 0)) {
- err = BAD_STATE_E;
- }
- if (err == 0) {
- sz = key->ecc.dp->size;
- if (sig == NULL) {
- *sigSz = sz * 4 + 1;
- err = LENGTH_ONLY_E;
- }
- }
- if ((err == 0) && (*sigSz < sz * 4 + 1)) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- r = key->pubkey.pubkey.y;
- s = key->pubkey.pubkey.z;
- err = eccsi_load_order(key);
- }
- if (err == 0) {
- /* Steps 1 to 4. */
- err = eccsi_gen_sig(key, rng, hashType, msg, msgSz, r, s);
- }
- /* Step 5: s' = ( (( HE + r * SSK )^-1) * j ) modulo q, erase j */
- if (err == 0) {
- err = mp_invmod(s, &key->params.order, s);
- }
- if (err == 0) {
- j = &key->pubkey.k;
- err = mp_mulmod(s, j, &key->params.order, s);
- }
- if (err == 0) {
- mp_forcezero(j);
- /* Step 6: s = s' fitted */
- err = eccsi_fit_to_octets(s, &key->params.order, sz, s);
- }
- /* Step 7: Output Signature = ( r | s | PVT ) */
- if (err == 0) {
- err = eccsi_encode_sig(key, r, s, sig, sigSz);
- }
- return err;
- }
- /*
- * Decode the s part of the signature = ( r | s | PVT )
- *
- * @param [in] key ECCSI key.
- * @param [in] sig Signature of message.
- * @param [in] sigSz Length of signature in bytes.
- * @param [out] s MP integer that is the second signature element.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_decode_sig_s(const EccsiKey* key, const byte* sig,
- word32 sigSz, mp_int* s)
- {
- int err = 0;
- word32 sz = key->ecc.dp->size;
- if (sigSz != sz * 4 + 1) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- err = mp_read_unsigned_bin(s, sig + sz, sz);
- }
- return err;
- }
- /*
- * Decode the r and pvt part of the signature = ( r | s | PVT )
- *
- * @param [in] key ECCSI key.
- * @param [in] sig Signature of message.
- * @param [in] sigSz Length of signature in bytes.
- * @param [out] r MP integer that is the first signature element.
- * @param [out] pvt ECC point representing Public Validation Token.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other -ve value when an internal operation fails.
- */
- static int eccsi_decode_sig_r_pvt(const EccsiKey* key, const byte* sig,
- word32 sigSz, mp_int* r, ecc_point* pvt)
- {
- int err = 0;
- word32 sz = key->ecc.dp->size;
- if (sigSz != sz * 4 + 1) {
- err = BAD_FUNC_ARG;
- }
- if (err == 0) {
- err = mp_read_unsigned_bin(r, sig, sz);
- }
- if (err == 0) {
- /* must free previous public point otherwise wc_ecc_import_point_der
- * could leak memory */
- mp_clear(pvt->x);
- mp_clear(pvt->y);
- mp_clear(pvt->z);
- err = wc_ecc_import_point_der(sig + sz * 2, sz * 2 + 1,
- wc_ecc_get_curve_idx(key->ecc.dp->id), pvt);
- }
- return err;
- }
- /*
- * Calculate Y point as part of verification process.
- *
- * Y = [HS]PVT + KPAK
- *
- * @param [in] key ECCSI key.
- * @param [in] pvt ECC point representing Public Validation Token.
- * @param [in] mp Montgomery reduction multiplier.
- * @param [out] y ECC point representing calculated value Y.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other value when an an internal operation fails.
- */
- static int eccsi_calc_y(EccsiKey* key, ecc_point* pvt, mp_digit mp,
- ecc_point* y)
- {
- int err;
- mp_int* hs = &key->ssk;
- err = mp_read_unsigned_bin(hs, key->idHash, key->idHashSz);
- #ifndef WOLFSSL_HAVE_SP_ECC
- /* Need KPAK in montgomery form. */
- if (err == 0) {
- err = eccsi_kpak_to_mont(key);
- }
- #endif
- /* [HS]PVT + KPAK */
- if (err == 0) {
- ecc_point* kpak = &key->ecc.pubkey;
- err = eccsi_mulmod_point_add(key, hs, pvt, kpak, y, mp, 1);
- }
- return err;
- }
- /*
- * Calculate J point as part of verification process.
- *
- * J = [s]( [HE]G + [r]Y )
- *
- * @param [in] key ECCSI key.
- * @param [in] hem MP int representation of HE = Hash (hs, r and message).
- * @param [in] sig Signature of message.
- * @param [in] sigSz Length of signature in bytes.
- * @param [in] y ECC point representing [r]Y.
- * @param [in] mp Montgomery reduction multiplier.
- * @param [out] j ECC point representing calculated value J.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other value when an an internal operation fails.
- */
- static int eccsi_calc_j(EccsiKey* key, const mp_int* hem, const byte* sig,
- word32 sigSz, ecc_point* y, mp_digit mp, ecc_point* j)
- {
- int err;
- mp_int* s = &key->tmp;
- /* [HE]G + [r]Y */
- err = eccsi_mulmod_base_add(key, hem, y, j, mp, 1);
- if (err == 0) {
- err = eccsi_decode_sig_s(key, sig, sigSz, s);
- }
- /* [s]( [HE]G + [r]Y ) */
- if (err == 0) {
- err = eccsi_mulmod_point(key, s, j, j, 1);
- }
- return err;
- }
- /**
- * Verify the ECCSI hash (of ID with the key).
- *
- * RFC 6507, Section 5.2.2
- *
- * Must have imported KPAK using wc_ImportEccsiPublicKey() before calling.\n
- * Use wc_HashEccsiId() to calculate the hash and wc_SetEccsiHash() to set
- * the identity hash to use.
- *
- * @param [in] key ECCSI key.
- * @param [in] hashType Type of hash algorithm. e.g. WC_SHA256
- * @param [in] msg Message to verify.
- * @param [in] msgSz Length of message in bytes.
- * @param [in] sig Signature of message.
- * @param [in] sigSz Length of signature in bytes.
- * @param [out] verified 1 when the signature was verified and 0 otherwise.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when key, hash, msg, sig or ret is NULL.
- * @return BAD_STATE_E when the curve or id hash has not been set (no key set).
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other value when an an internal operation fails.
- */
- int wc_VerifyEccsiHash(EccsiKey* key, enum wc_HashType hashType,
- const byte* msg, word32 msgSz, const byte* sig, word32 sigSz,
- int* verified)
- {
- int err = 0;
- byte* he = NULL;
- word32 heSz = 0;
- mp_int* r = NULL;
- mp_int* jx = NULL;
- mp_int* hem = NULL;
- ecc_point* pvt = NULL;
- ecc_point* y = NULL;
- ecc_point* j = NULL;
- mp_digit mp = 0;
- EccsiKeyParams* params = NULL;
- if ((key == NULL) || (msg == NULL) || (sig == NULL) || (verified == NULL)) {
- err = BAD_FUNC_ARG;
- }
- if ((err == 0) && (key->ecc.type != ECC_PRIVATEKEY) &&
- (key->ecc.type != ECC_PUBLICKEY)) {
- err = BAD_STATE_E;
- }
- if ((err == 0) && (key->idHashSz == 0)) {
- err = BAD_STATE_E;
- }
- if (err != 0)
- return err;
- SAVE_VECTOR_REGISTERS(return _svr_ret;);
- /* Decode the signature into components. */
- r = &key->pubkey.k;
- pvt = &key->pubkey.pubkey;
- err = eccsi_decode_sig_r_pvt(key, sig, sigSz, r, pvt);
- /* Load the curve parameters for operations */
- if (err == 0) {
- err = eccsi_load_base(key);
- }
- if (err == 0) {
- err = eccsi_load_ecc_params(key);
- }
- if (err == 0) {
- params = &key->params;
- err = mp_montgomery_setup(¶ms->prime, &mp);
- }
- /* Step 1: Validate PVT is on curve */
- if (err == 0) {
- err = wc_ecc_is_point(pvt, ¶ms->a, ¶ms->b, ¶ms->prime);
- }
- /* Step 2: Compute HS = hash( G | KPAK | ID | PVT )
- * HS is key->idHash, key->idHashSz */
- /* Step 3: Compute HE = hash( HS | r | M ) */
- if (err == 0) {
- he = key->data;
- err = eccsi_compute_he(key, hashType, r, msg, msgSz, he, &heSz);
- }
- /* Step 4: Y = [HS]PVT + KPAK */
- if (err == 0) {
- y = pvt;
- err = eccsi_calc_y(key, pvt, mp, y);
- }
- /* Step 5: Compute J = [s]( [HE]G + [r]Y ) */
- /* [r]Y */
- if (err == 0) {
- hem = &key->tmp;
- err = mp_read_unsigned_bin(hem, he, heSz);
- }
- if (err == 0) {
- err = eccsi_mulmod_point(key, r, y, y, 0);
- }
- if (err == 0) {
- j = params->base;
- err = eccsi_calc_j(key, hem, sig, sigSz, y, mp, j);
- key->params.haveBase = 0;
- }
- /* Step 6: Jx fitting, compare with r */
- if (err == 0) {
- jx = &key->tmp;
- err = eccsi_fit_to_octets(j->x, ¶ms->order, key->ecc.dp->size, jx);
- }
- if (verified != NULL) {
- *verified = ((err == 0) && (mp_cmp(jx, r) == MP_EQ));
- }
- RESTORE_VECTOR_REGISTERS();
- return err;
- }
- #endif /* WOLFCRYPT_ECCSI_CLIENT */
- #endif /* WOLFCRYPT_HAVE_ECCSI */
|