1 // Copyright 2021 The Pigweed Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14 #define PW_LOG_MODULE_NAME "ECDSA-BSSL"
15 #define PW_LOG_LEVEL PW_LOG_LEVEL_WARN
16
17 #include "openssl/bn.h"
18 #include "openssl/ec.h"
19 #include "openssl/ecdsa.h"
20 #include "openssl/nid.h"
21 #include "pw_crypto/ecdsa.h"
22 #include "pw_log/log.h"
23
24 namespace pw::crypto::ecdsa {
25
26 constexpr size_t kP256CurveOrderBytes = 32;
27
VerifyP256Signature(ConstByteSpan public_key,ConstByteSpan digest,ConstByteSpan signature)28 Status VerifyP256Signature(ConstByteSpan public_key,
29 ConstByteSpan digest,
30 ConstByteSpan signature) {
31 const uint8_t* public_key_bytes =
32 reinterpret_cast<const uint8_t*>(public_key.data());
33 const uint8_t* digest_bytes = reinterpret_cast<const uint8_t*>(digest.data());
34 const uint8_t* signature_bytes =
35 reinterpret_cast<const uint8_t*>(signature.data());
36
37 // Allocate objects needed for ECDSA verification. BoringSSL relies on
38 // dynamic allocation.
39 bssl::UniquePtr<EC_GROUP> group(
40 EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
41 if (!group) {
42 return Status::ResourceExhausted();
43 }
44
45 bssl::UniquePtr<EC_POINT> pub_key(EC_POINT_new(group.get()));
46 bssl::UniquePtr<EC_KEY> key(EC_KEY_new());
47 bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
48 if (!(pub_key && key && sig)) {
49 return Status::ResourceExhausted();
50 }
51
52 // Load the public key.
53 if (!EC_POINT_oct2point(group.get(),
54 pub_key.get(),
55 public_key_bytes,
56 public_key.size(),
57 nullptr)) {
58 PW_LOG_DEBUG("Bad public key format");
59 return Status::InvalidArgument();
60 }
61
62 if (!EC_KEY_set_group(key.get(), group.get())) {
63 return Status::InvalidArgument();
64 }
65
66 if (!EC_KEY_set_public_key(key.get(), pub_key.get())) {
67 return Status::InvalidArgument();
68 }
69
70 // Load the signature.
71 if (signature.size() != kP256CurveOrderBytes * 2) {
72 PW_LOG_DEBUG("Bad signature format");
73 return Status::InvalidArgument();
74 }
75
76 if (!(BN_bin2bn(signature_bytes, kP256CurveOrderBytes, sig->r) &&
77 BN_bin2bn(signature_bytes + kP256CurveOrderBytes,
78 kP256CurveOrderBytes,
79 sig->s))) {
80 return Status::Internal();
81 }
82
83 // Digest must be 32 bytes or longer (and will be truncated).
84 if (digest.size() < kP256CurveOrderBytes) {
85 PW_LOG_DEBUG("Digest is too short");
86 return Status::InvalidArgument();
87 }
88
89 // Verify the signature.
90 if (!ECDSA_do_verify(digest_bytes, digest.size(), sig.get(), key.get())) {
91 PW_LOG_DEBUG("Signature verification failed");
92 return Status::Unauthenticated();
93 }
94
95 return OkStatus();
96 }
97
98 } // namespace pw::crypto::ecdsa
99