1 // Copyright 2021 The Pigweed Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14 #define PW_LOG_MODULE_NAME "ECDSA-BSSL"
15 #define PW_LOG_LEVEL PW_LOG_LEVEL_WARN
16
17 #include "pw_preprocessor/compiler.h"
18
19 PW_MODIFY_DIAGNOSTICS_PUSH();
20 PW_MODIFY_DIAGNOSTIC(ignored, "-Wcast-qual");
21 PW_MODIFY_DIAGNOSTIC(ignored, "-Wgnu-anonymous-struct");
22 PW_MODIFY_DIAGNOSTIC(ignored, "-Wnested-anon-types");
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/nid.h"
27 PW_MODIFY_DIAGNOSTICS_POP();
28
29 #include "pw_crypto/ecdsa.h"
30 #include "pw_log/log.h"
31
32 namespace pw::crypto::ecdsa {
33
34 constexpr size_t kP256CurveOrderBytes = 32;
35
VerifyP256Signature(ConstByteSpan public_key,ConstByteSpan digest,ConstByteSpan signature)36 Status VerifyP256Signature(ConstByteSpan public_key,
37 ConstByteSpan digest,
38 ConstByteSpan signature) {
39 const uint8_t* public_key_bytes =
40 reinterpret_cast<const uint8_t*>(public_key.data());
41 const uint8_t* digest_bytes = reinterpret_cast<const uint8_t*>(digest.data());
42 const uint8_t* signature_bytes =
43 reinterpret_cast<const uint8_t*>(signature.data());
44
45 // Allocate objects needed for ECDSA verification. BoringSSL relies on
46 // dynamic allocation.
47 bssl::UniquePtr<EC_GROUP> group(
48 EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
49 if (!group) {
50 return Status::ResourceExhausted();
51 }
52
53 bssl::UniquePtr<EC_POINT> pub_key(EC_POINT_new(group.get()));
54 bssl::UniquePtr<EC_KEY> key(EC_KEY_new());
55 bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
56 if (!(pub_key && key && sig)) {
57 return Status::ResourceExhausted();
58 }
59
60 // Load the public key.
61 if (!EC_POINT_oct2point(group.get(),
62 pub_key.get(),
63 public_key_bytes,
64 public_key.size(),
65 nullptr)) {
66 PW_LOG_DEBUG("Bad public key format");
67 return Status::InvalidArgument();
68 }
69
70 if (!EC_KEY_set_group(key.get(), group.get())) {
71 return Status::InvalidArgument();
72 }
73
74 if (!EC_KEY_set_public_key(key.get(), pub_key.get())) {
75 return Status::InvalidArgument();
76 }
77
78 // Load the signature.
79 if (signature.size() != kP256CurveOrderBytes * 2) {
80 PW_LOG_DEBUG("Bad signature format");
81 return Status::InvalidArgument();
82 }
83
84 if (!(BN_bin2bn(signature_bytes, kP256CurveOrderBytes, sig->r) &&
85 BN_bin2bn(signature_bytes + kP256CurveOrderBytes,
86 kP256CurveOrderBytes,
87 sig->s))) {
88 return Status::Internal();
89 }
90
91 // Digest must be 32 bytes or longer (and will be truncated).
92 if (digest.size() < kP256CurveOrderBytes) {
93 PW_LOG_DEBUG("Digest is too short");
94 return Status::InvalidArgument();
95 }
96
97 // Verify the signature.
98 if (!ECDSA_do_verify(digest_bytes, digest.size(), sig.get(), key.get())) {
99 PW_LOG_DEBUG("Signature verification failed");
100 return Status::Unauthenticated();
101 }
102
103 return OkStatus();
104 }
105
106 } // namespace pw::crypto::ecdsa
107