1 /*
2  *  Copyright (c) 2018, The OpenThread Authors.
3  *  All rights reserved.
4  *
5  *  Redistribution and use in source and binary forms, with or without
6  *  modification, are permitted provided that the following conditions are met:
7  *  1. Redistributions of source code must retain the above copyright
8  *     notice, this list of conditions and the following disclaimer.
9  *  2. Redistributions in binary form must reproduce the above copyright
10  *     notice, this list of conditions and the following disclaimer in the
11  *     documentation and/or other materials provided with the distribution.
12  *  3. Neither the name of the copyright holder nor the
13  *     names of its contributors may be used to endorse or promote products
14  *     derived from this software without specific prior written permission.
15  *
16  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26  *  POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /**
30  * @file
31  *   This file implements P-256 ECDSA key generation, signing and verification on top of mbed TLS.
32  */
33 
34 #include "ecdsa.hpp"
35 
36 #if OPENTHREAD_CONFIG_ECDSA_ENABLE
37 
38 #ifndef MBEDTLS_USE_TINYCRYPT
39 
40 #include <string.h>
41 
42 #include <mbedtls/ctr_drbg.h>
43 #include <mbedtls/ecdsa.h>
44 #include <mbedtls/pk.h>
45 #include <mbedtls/version.h>
46 
47 #include "common/code_utils.hpp"
48 #include "common/debug.hpp"
49 #include "common/random.hpp"
50 #include "crypto/mbedtls.hpp"
51 
52 namespace ot {
53 namespace Crypto {
54 namespace Ecdsa {
55 
Error P256::KeyPair::Generate(void)
{
    // Generates a fresh secp256r1 key pair and stores it in `mDerBytes` as a
    // DER-encoded private key of `mDerLength` bytes. Once this succeeds the
    // whole object is private key material.
    //
    // Returns kErrorNone on success, otherwise the mbed TLS failure mapped
    // through MbedTls::MapError().
    mbedtls_pk_context context;
    int                status;

    mbedtls_pk_init(&context);

    status = mbedtls_pk_setup(&context, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
    VerifyOrExit(status == 0);

    // Key generation draws randomness through the MbedTls::CryptoSecurePrng callback.
    status = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(context), MbedTls::CryptoSecurePrng, nullptr);
    VerifyOrExit(status == 0);

    // mbedtls_pk_write_key_der() fills the buffer from its end and returns the
    // number of bytes written (negative on error), hence the > 0 test.
    status = mbedtls_pk_write_key_der(&context, mDerBytes, sizeof(mDerBytes));
    VerifyOrExit(status > 0);

    mDerLength = static_cast<uint8_t>(status);

    // Shift the encoding to the front of the buffer. Source and destination
    // overlap, so this must be memmove, not memcpy.
    memmove(mDerBytes, mDerBytes + sizeof(mDerBytes) - mDerLength, mDerLength);

exit:
    // Releases the key material held in the temporary context on every path.
    mbedtls_pk_free(&context);

    // `status` is the DER length on success (positive) or an mbed TLS error
    // code (negative); a zero return would fall through as kErrorNone.
    return (status >= 0) ? kErrorNone : MbedTls::MapError(status);
}
81 
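Error P256::KeyPair::Parse(void *aContext) const
{
    // Loads the DER-encoded private key held in `mDerBytes` into the caller's
    // `mbedtls_pk_context` (passed as `void *` so the header does not have to
    // expose mbed TLS types).
    //
    // The context is always left initialized, even on failure, so the caller
    // may unconditionally `mbedtls_pk_free()` it at its own exit label.
    //
    // Returns kErrorNone on success, kErrorFailed if the context could not be
    // set up, or kErrorParse if the bytes are not a valid EC private key on
    // secp256r1.
    Error               error = kErrorNone;
    mbedtls_pk_context *pk    = reinterpret_cast<mbedtls_pk_context *>(aContext);

    mbedtls_pk_init(pk);

    // NOTE(review): mbedtls_pk_parse_key() sets the context up itself; this
    // explicit setup looks redundant — confirm against the mbed TLS version in
    // use before removing it.
    VerifyOrExit(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0, error = kErrorFailed);
#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
    VerifyOrExit(mbedtls_pk_parse_key(pk, mDerBytes, mDerLength, nullptr, 0, MbedTls::CryptoSecurePrng, nullptr) == 0,
                 error = kErrorParse);
#else
    VerifyOrExit(mbedtls_pk_parse_key(pk, mDerBytes, mDerLength, nullptr, 0) == 0, error = kErrorParse);
#endif

    // mbedtls_pk_parse_key() accepts any key type the build supports, while
    // the callers (GetPublicKey(), Sign()) dereference the result as an EC key
    // pair and copy fixed kMpiSize coordinates / signature parts out of it.
    // Whether the bytes came from Generate() or were loaded from elsewhere,
    // reject anything that is not an EC key on secp256r1 here, mirroring the
    // type check the free Sign() in this file already performs.
    VerifyOrExit(mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY, error = kErrorParse);
    VerifyOrExit(mbedtls_pk_ec(*pk)->MBEDTLS_PRIVATE(grp).id == MBEDTLS_ECP_DP_SECP256R1, error = kErrorParse);

exit:
    return error;
}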
100 
Error P256::KeyPair::GetPublicKey(PublicKey &aPublicKey) const
{
    // Extracts the public point of the stored key pair into `aPublicKey.mData`
    // as raw affine coordinates X || Y, each `kMpiSize` bytes (big-endian,
    // zero-padded — mbedtls_mpi_write_binary() semantics).
    //
    // Returns kErrorNone on success, the Parse() error if the stored key is
    // unusable, or the mapped mbed TLS error if a coordinate does not fit.
    Error                error;
    mbedtls_pk_context   context;
    mbedtls_ecp_keypair *ecKey;
    int                  rc;

    // Parse() initializes `context` before anything can fail, so the free at
    // `exit` is valid on every path.
    SuccessOrExit(error = Parse(&context));
    ecKey = mbedtls_pk_ec(context);

    // X coordinate into the first half of the output.
    rc = mbedtls_mpi_write_binary(&ecKey->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), aPublicKey.mData, kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

    // Y coordinate into the second half. A value wider than kMpiSize bytes is
    // reported as an error by mbed TLS rather than truncated.
    rc = mbedtls_mpi_write_binary(&ecKey->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), aPublicKey.mData + kMpiSize,
                                  kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

exit:
    mbedtls_pk_free(&context);
    return error;
}
123 
Error P256::KeyPair::Sign(const Sha256::Hash &aHash, Signature &aSignature) const
{
    // Produces an ECDSA signature over the already-computed SHA-256 digest
    // `aHash` using the stored private key. The result is stored raw as
    // r || s in `aSignature.mShared.mMpis`, each part exactly `kMpiSize`
    // bytes (big-endian, zero-padded) — not DER.
    //
    // The `_det` mbed TLS entry points are the deterministic (RFC 6979, per
    // the mbed TLS API) variant with SHA-256, so nonce generation does not
    // depend on RNG quality; on mbed TLS >= 2.13 the RNG callback is still
    // passed because `_det_ext` uses it for blinding (per mbed TLS).
    //
    // Returns kErrorNone on success, otherwise the Parse() error or the
    // mapped mbed TLS error.
    Error                 error;
    mbedtls_pk_context    context;
    mbedtls_ecp_keypair  *ecKey;
    mbedtls_ecdsa_context signer;
    mbedtls_mpi           sigR;
    mbedtls_mpi           sigS;
    int                   rc;

    mbedtls_ecdsa_init(&signer);
    mbedtls_mpi_init(&sigR);
    mbedtls_mpi_init(&sigS);

    // Parse() leaves `context` initialized even when it fails, so the free at
    // `exit` is safe on every path.
    SuccessOrExit(error = Parse(&context));
    ecKey = mbedtls_pk_ec(context);

    // Copies group, private scalar and public point into the ECDSA context.
    rc = mbedtls_ecdsa_from_keypair(&signer, ecKey);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

#if (MBEDTLS_VERSION_NUMBER >= 0x02130000)
    rc = mbedtls_ecdsa_sign_det_ext(&signer.MBEDTLS_PRIVATE(grp), &sigR, &sigS, &signer.MBEDTLS_PRIVATE(d),
                                    aHash.GetBytes(), Sha256::Hash::kSize, MBEDTLS_MD_SHA256,
                                    MbedTls::CryptoSecurePrng, nullptr);
#else
    rc = mbedtls_ecdsa_sign_det(&signer.MBEDTLS_PRIVATE(grp), &sigR, &sigS, &signer.MBEDTLS_PRIVATE(d),
                                aHash.GetBytes(), Sha256::Hash::kSize, MBEDTLS_MD_SHA256);
#endif
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

    OT_ASSERT(mbedtls_mpi_size(&sigR) <= kMpiSize);

    // Fixed-width encodings of r and s; write_binary fails rather than
    // truncates if a value does not fit in kMpiSize bytes.
    rc = mbedtls_mpi_write_binary(&sigR, aSignature.mShared.mMpis.mR, kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

    rc = mbedtls_mpi_write_binary(&sigS, aSignature.mShared.mMpis.mS, kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

exit:
    // Both `context` and `signer` hold a copy of the private scalar; release both.
    mbedtls_ecdsa_free(&signer);
    mbedtls_mpi_free(&sigR);
    mbedtls_mpi_free(&sigS);
    mbedtls_pk_free(&context);

    return error;
}
170 
Error P256::PublicKey::Verify(const Sha256::Hash &aHash, const Signature &aSignature) const
{
    // Checks the raw r || s signature `aSignature` over the SHA-256 digest
    // `aHash` against this public key (raw X || Y, `kMpiSize` bytes each).
    //
    // Every verification failure — wrong signature, r or s out of range, or a
    // public point that is not on secp256r1 (mbedtls_ecdsa_verify() performs
    // these checks, per mbed TLS) — is reported uniformly as kErrorSecurity.
    // Only failures while loading the inputs are mapped from the mbed TLS code.
    Error                 error = kErrorNone;
    mbedtls_ecdsa_context verifier;
    mbedtls_mpi           sigR;
    mbedtls_mpi           sigS;
    int                   rc;

    mbedtls_ecdsa_init(&verifier);
    mbedtls_mpi_init(&sigR);
    mbedtls_mpi_init(&sigS);

    // The curve is fixed: a key on any other group cannot be represented here.
    rc = mbedtls_ecp_group_load(&verifier.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_SECP256R1);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

    // Public point in affine form: X and Y from the key bytes, Z = 1.
    rc = mbedtls_mpi_read_binary(&verifier.MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), GetBytes(), kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));
    rc = mbedtls_mpi_read_binary(&verifier.MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), GetBytes() + kMpiSize, kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));
    rc = mbedtls_mpi_lset(&verifier.MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 1);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

    // Signature halves, each a fixed kMpiSize big-endian integer.
    rc = mbedtls_mpi_read_binary(&sigR, aSignature.mShared.mMpis.mR, kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));
    rc = mbedtls_mpi_read_binary(&sigS, aSignature.mShared.mMpis.mS, kMpiSize);
    VerifyOrExit(rc == 0, error = MbedTls::MapError(rc));

    rc = mbedtls_ecdsa_verify(&verifier.MBEDTLS_PRIVATE(grp), aHash.GetBytes(), Sha256::Hash::kSize,
                              &verifier.MBEDTLS_PRIVATE(Q), &sigR, &sigS);
    VerifyOrExit(rc == 0, error = kErrorSecurity);

exit:
    mbedtls_ecdsa_free(&verifier);
    mbedtls_mpi_free(&sigS);
    mbedtls_mpi_free(&sigR);

    return error;
}
210 
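Error Sign(uint8_t       *aOutput,
           uint16_t      &aOutputLength,
           const uint8_t *aInputHash,
           uint16_t       aInputHashLength,
           const uint8_t *aPrivateKey,
           uint16_t       aPrivateKeyLength)
{
    // Signs a pre-computed digest with an EC private key supplied in encoded
    // form and writes the signature as the raw concatenation r || s.
    //
    // @param[out]    aOutput            Buffer receiving r || s.
    // @param[in,out] aOutputLength      On entry the capacity of `aOutput`; on success the bytes written.
    // @param[in]     aInputHash         The digest to sign.
    // @param[in]     aInputHashLength   Length of `aInputHash`.
    // @param[in]     aPrivateKey        The private key. mbedtls_pk_parse_key() accepts DER as well as PEM;
    //                                   for PEM the buffer must be NUL-terminated and `aPrivateKeyLength`
    //                                   must include that NUL (mbed TLS requirement).
    // @param[in]     aPrivateKeyLength  Length of `aPrivateKey`.
    //
    // @retval kErrorNone         Signature written.
    // @retval kErrorInvalidArgs  The key could not be parsed or is not an EC key.
    // @retval kErrorNoBufs       `aOutput` is too small for the fixed-width signature.
    // @retval kErrorFailed       An mbed TLS operation failed.
    //
    // Encoding: r and s are each written at the curve's fixed width
    // (ceil(nbits / 8) bytes — 32 for P-256), big-endian and zero-padded.
    // Previously each was written at its *minimal* length, so the output
    // length varied (63 instead of 64 bytes whenever r or s had a leading
    // zero byte) and a consumer could not locate the r/s boundary.
    // Fixed-width r || s is what this file's own P256::PublicKey::Verify()
    // reads and what IEEE P1363 / JWS ES256 specify.
    Error                 error = kErrorNone;
    mbedtls_ecdsa_context ctx;
    mbedtls_pk_context    pkCtx;
    mbedtls_ecp_keypair  *keypair;
    mbedtls_mpi           rMpi;
    mbedtls_mpi           sMpi;
    size_t                scalarLength;

    mbedtls_pk_init(&pkCtx);
    mbedtls_ecdsa_init(&ctx);
    mbedtls_mpi_init(&rMpi);
    mbedtls_mpi_init(&sMpi);

    // Parse the private key (DER or PEM, see above).
#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
    VerifyOrExit(mbedtls_pk_parse_key(&pkCtx, aPrivateKey, aPrivateKeyLength, nullptr, 0, MbedTls::CryptoSecurePrng,
                                      nullptr) == 0,
                 error = kErrorInvalidArgs);
#else
    VerifyOrExit(mbedtls_pk_parse_key(&pkCtx, aPrivateKey, aPrivateKeyLength, nullptr, 0) == 0,
                 error = kErrorInvalidArgs);
#endif
    // parse_key accepts any key type the build supports; only EC keys are usable here.
    VerifyOrExit(mbedtls_pk_get_type(&pkCtx) == MBEDTLS_PK_ECKEY, error = kErrorInvalidArgs);

    keypair = mbedtls_pk_ec(pkCtx);
    OT_ASSERT(keypair != nullptr);

    VerifyOrExit(mbedtls_ecdsa_from_keypair(&ctx, keypair) == 0, error = kErrorFailed);

    // Randomized ECDSA: the nonce comes from MbedTls::CryptoSecurePrng (unlike
    // P256::KeyPair::Sign() in this file, which uses the deterministic variant).
    VerifyOrExit(mbedtls_ecdsa_sign(&ctx.MBEDTLS_PRIVATE(grp), &rMpi, &sMpi, &ctx.MBEDTLS_PRIVATE(d), aInputHash,
                                    aInputHashLength, MbedTls::CryptoSecurePrng, nullptr) == 0,
                 error = kErrorFailed);

    // Width of one signature component: the byte length of the group order.
    scalarLength = (ctx.MBEDTLS_PRIVATE(grp).nbits + 7) / 8;
    VerifyOrExit(2 * scalarLength <= aOutputLength, error = kErrorNoBufs);

    // r then s, each left-padded to `scalarLength` by mbedtls_mpi_write_binary().
    VerifyOrExit(mbedtls_mpi_write_binary(&rMpi, aOutput, scalarLength) == 0, error = kErrorFailed);
    VerifyOrExit(mbedtls_mpi_write_binary(&sMpi, aOutput + scalarLength, scalarLength) == 0, error = kErrorFailed);
    aOutputLength = static_cast<uint16_t>(2 * scalarLength);

exit:
    mbedtls_mpi_free(&rMpi);
    mbedtls_mpi_free(&sMpi);
    mbedtls_ecdsa_free(&ctx);
    mbedtls_pk_free(&pkCtx);

    return error;
}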
268 
269 } // namespace Ecdsa
270 } // namespace Crypto
271 } // namespace ot
272 
273 #endif // MBEDTLS_USE_TINYCRYPT
274 #endif // OPENTHREAD_CONFIG_ECDSA_ENABLE
275