1 /* Copyright (c) 2019, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #ifndef OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H 16 #define OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H 17 18 #include <openssl/base.h> 19 #include <openssl/ec.h> 20 #include <openssl/ec_key.h> 21 #include <openssl/nid.h> 22 23 #include "../fipsmodule/ec/internal.h" 24 25 #include <openssl/trust_token.h> 26 27 28 #if defined(__cplusplus) 29 extern "C" { 30 #endif 31 32 33 // For the following cryptographic schemes, we use P-384 instead of our usual 34 // choice of P-256. See Appendix I of 35 // https://eprint.iacr.org/2020/072/20200324:214215 which describes two attacks 36 // which may affect smaller curves. In particular, p-1 for P-256 is smooth, 37 // giving a low complexity for the p-1 attack. P-384's p-1 has a 281-bit prime 38 // factor, 39 // 3055465788140352002733946906144561090641249606160407884365391979704929268480326390471. 40 // This lower-bounds the p-1 attack at O(2^140). The p+1 attack is lower-bounded 41 // by O(p^(1/3)) or O(2^128), so we do not need to check the smoothness of p+1. 42 43 44 // TRUST_TOKEN_NONCE_SIZE is the size of nonces used as part of the Trust_Token 45 // protocol. 46 #define TRUST_TOKEN_NONCE_SIZE 64 47 48 typedef struct { 49 // TODO(https://crbug.com/boringssl/334): These should store |EC_PRECOMP| so 50 // that |TRUST_TOKEN_finish_issuance| can use |ec_point_mul_scalar_precomp|. 51 EC_AFFINE pub0; 52 EC_AFFINE pub1; 53 EC_AFFINE pubs; 54 } TRUST_TOKEN_CLIENT_KEY; 55 56 typedef struct { 57 EC_SCALAR x0; 58 EC_SCALAR y0; 59 EC_SCALAR x1; 60 EC_SCALAR y1; 61 EC_SCALAR xs; 62 EC_SCALAR ys; 63 EC_AFFINE pub0; 64 EC_PRECOMP pub0_precomp; 65 EC_AFFINE pub1; 66 EC_PRECOMP pub1_precomp; 67 EC_AFFINE pubs; 68 EC_PRECOMP pubs_precomp; 69 } TRUST_TOKEN_ISSUER_KEY; 70 71 // TRUST_TOKEN_PRETOKEN represents the intermediate state a client keeps during 72 // a Trust_Token issuance operation. 73 typedef struct pmb_pretoken_st { 74 uint8_t t[TRUST_TOKEN_NONCE_SIZE]; 75 EC_SCALAR r; 76 EC_AFFINE Tp; 77 } TRUST_TOKEN_PRETOKEN; 78 79 // TRUST_TOKEN_PRETOKEN_free releases the memory associated with |token|. 80 OPENSSL_EXPORT void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *token); 81 82 DEFINE_STACK_OF(TRUST_TOKEN_PRETOKEN) 83 84 85 // PMBTokens. 86 // 87 // PMBTokens is described in https://eprint.iacr.org/2020/072/20200324:214215 88 // and provides anonymous tokens with private metadata. We implement the 89 // construction with validity verification, described in appendix H, 90 // construction 6. 91 92 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 93 // functions for |TRUST_TOKENS_experiment_v1|'s PMBTokens construction which 94 // uses P-384. 95 int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public); 96 int pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 97 const uint8_t *in, size_t len); 98 int pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 99 const uint8_t *in, size_t len); 100 STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count); 101 int pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 102 size_t num_requested, size_t num_to_issue, 103 uint8_t private_metadata); 104 STACK_OF(TRUST_TOKEN) * 105 pmbtoken_exp1_unblind(const TRUST_TOKEN_CLIENT_KEY *key, 106 const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, 107 CBS *cbs, size_t count, uint32_t key_id); 108 int pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key, 109 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 110 uint8_t *out_private_metadata, const uint8_t *token, 111 size_t token_len); 112 113 // pmbtoken_exp1_get_h_for_testing returns H in uncompressed coordinates. This 114 // function is used to confirm H was computed as expected. 115 OPENSSL_EXPORT int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]); 116 117 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 118 // functions for |TRUST_TOKENS_experiment_v2|'s PMBTokens construction which 119 // uses P-384. 120 int pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public); 121 int pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 122 const uint8_t *in, size_t len); 123 int pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 124 const uint8_t *in, size_t len); 125 STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp2_blind(CBB *cbb, size_t count); 126 int pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 127 size_t num_requested, size_t num_to_issue, 128 uint8_t private_metadata); 129 STACK_OF(TRUST_TOKEN) * 130 pmbtoken_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key, 131 const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, 132 CBS *cbs, size_t count, uint32_t key_id); 133 int pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, 134 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 135 uint8_t *out_private_metadata, const uint8_t *token, 136 size_t token_len); 137 138 // pmbtoken_exp2_get_h_for_testing returns H in uncompressed coordinates. This 139 // function is used to confirm H was computed as expected. 140 OPENSSL_EXPORT int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]); 141 142 143 // VOPRF. 144 // 145 // VOPRFs are described in https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04 146 // and provide anonymous tokens. This implementation uses TrustToken DSTs and 147 // the DLEQ batching primitive from 148 // https://eprint.iacr.org/2020/072/20200324:214215. 149 // VOPRF only uses the |pub|' field of the TRUST_TOKEN_CLIENT_KEY and 150 // |xs|/|pubs| fields of the TRUST_TOKEN_ISSUER_KEY. 151 152 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 153 // functions for |TRUST_TOKENS_experiment_v2|'s VOPRF construction which uses 154 // P-384. 155 int voprf_exp2_generate_key(CBB *out_private, CBB *out_public); 156 int voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 157 const uint8_t *in, size_t len); 158 int voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 159 const uint8_t *in, size_t len); 160 STACK_OF(TRUST_TOKEN_PRETOKEN) * voprf_exp2_blind(CBB *cbb, size_t count); 161 int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 162 size_t num_requested, size_t num_to_issue, 163 uint8_t private_metadata); 164 STACK_OF(TRUST_TOKEN) * 165 voprf_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key, 166 const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, 167 CBS *cbs, size_t count, uint32_t key_id); 168 int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, 169 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 170 uint8_t *out_private_metadata, const uint8_t *token, 171 size_t token_len); 172 173 174 // Trust Tokens internals. 175 176 struct trust_token_method_st { 177 // generate_key generates a fresh keypair and writes their serialized 178 // forms into |out_private| and |out_public|. It returns one on success and 179 // zero on failure. 180 int (*generate_key)(CBB *out_private, CBB *out_public); 181 182 // client_key_from_bytes decodes a client key from |in| and sets |key| 183 // to the resulting key. It returns one on success and zero 184 // on failure. 185 int (*client_key_from_bytes)(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, 186 size_t len); 187 188 // issuer_key_from_bytes decodes a issuer key from |in| and sets |key| 189 // to the resulting key. It returns one on success and zero 190 // on failure. 191 int (*issuer_key_from_bytes)(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, 192 size_t len); 193 194 // blind generates a new issuance request for |count| tokens. On 195 // success, it returns a newly-allocated |STACK_OF(TRUST_TOKEN_PRETOKEN)| and 196 // writes a request to the issuer to |cbb|. On failure, it returns NULL. The 197 // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind| when 198 // the server responds. 199 // 200 // This function implements the AT.Usr0 operation. 201 STACK_OF(TRUST_TOKEN_PRETOKEN) * (*blind)(CBB *cbb, size_t count); 202 203 // sign parses a request for |num_requested| tokens from |cbs| and 204 // issues |num_to_issue| tokens with |key| and a private metadata value of 205 // |private_metadata|. It then writes the response to |cbb|. It returns one on 206 // success and zero on failure. 207 // 208 // This function implements the AT.Sig operation. 209 int (*sign)(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 210 size_t num_requested, size_t num_to_issue, 211 uint8_t private_metadata); 212 213 // unblind processes an issuance response for |count| tokens from |cbs| 214 // and unblinds the signed tokens. |pretokens| are the pre-tokens returned 215 // from the corresponding |blind| call. On success, the function returns a 216 // newly-allocated |STACK_OF(TRUST_TOKEN)| containing the resulting tokens. 217 // Each token's serialization will have |key_id| prepended. Otherwise, it 218 // returns NULL. 219 // 220 // This function implements the AT.Usr1 operation. 221 STACK_OF(TRUST_TOKEN) * 222 (*unblind)(const TRUST_TOKEN_CLIENT_KEY *key, 223 const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, 224 size_t count, uint32_t key_id); 225 226 // read parses a PMBToken from |token| and verifies it using |key|. On 227 // success, it returns one and stores the nonce and private metadata bit in 228 // |out_nonce| and |*out_private_metadata|. Otherwise, it returns zero. Note 229 // that, unlike the output of |unblind|, |token| does not have a 230 // four-byte key ID prepended. 231 int (*read)(const TRUST_TOKEN_ISSUER_KEY *key, 232 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 233 uint8_t *out_private_metadata, const uint8_t *token, 234 size_t token_len); 235 236 // whether the construction supports private metadata. 237 int has_private_metadata; 238 239 // max keys that can be configured. 240 size_t max_keys; 241 242 // whether the SRR is part of the protocol. 243 int has_srr; 244 }; 245 246 // Structure representing a single Trust Token public key with the specified ID. 247 struct trust_token_client_key_st { 248 uint32_t id; 249 TRUST_TOKEN_CLIENT_KEY key; 250 }; 251 252 // Structure representing a single Trust Token private key with the specified 253 // ID. 254 struct trust_token_issuer_key_st { 255 uint32_t id; 256 TRUST_TOKEN_ISSUER_KEY key; 257 }; 258 259 struct trust_token_client_st { 260 const TRUST_TOKEN_METHOD *method; 261 262 // max_batchsize is the maximum supported batchsize. 263 uint16_t max_batchsize; 264 265 // keys is the set of public keys that are supported by the client for 266 // issuance/redemptions. 267 struct trust_token_client_key_st keys[6]; 268 269 // num_keys is the number of keys currently configured. 270 size_t num_keys; 271 272 // pretokens is the intermediate state during an active issuance. 273 STACK_OF(TRUST_TOKEN_PRETOKEN)* pretokens; 274 275 // srr_key is the public key used to verify the signature of the SRR. 276 EVP_PKEY *srr_key; 277 }; 278 279 280 struct trust_token_issuer_st { 281 const TRUST_TOKEN_METHOD *method; 282 283 // max_batchsize is the maximum supported batchsize. 284 uint16_t max_batchsize; 285 286 // keys is the set of private keys that are supported by the issuer for 287 // issuance/redemptions. The public metadata is an index into this list of 288 // keys. 289 struct trust_token_issuer_key_st keys[6]; 290 291 // num_keys is the number of keys currently configured. 292 size_t num_keys; 293 294 // srr_key is the private key used to sign the SRR. 295 EVP_PKEY *srr_key; 296 297 // metadata_key is the secret material used to encode the private metadata bit 298 // in the SRR. 299 uint8_t *metadata_key; 300 size_t metadata_key_len; 301 }; 302 303 304 #if defined(__cplusplus) 305 } // extern C 306 307 extern "C++" { 308 309 BSSL_NAMESPACE_BEGIN 310 311 BORINGSSL_MAKE_DELETER(TRUST_TOKEN_PRETOKEN, TRUST_TOKEN_PRETOKEN_free) 312 313 BSSL_NAMESPACE_END 314 315 } // extern C++ 316 #endif 317 318 #endif // OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H 319