• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2013 The Android Open Source Project
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are met:
6  *     * Redistributions of source code must retain the above copyright
7  *       notice, this list of conditions and the following disclaimer.
8  *     * Redistributions in binary form must reproduce the above copyright
9  *       notice, this list of conditions and the following disclaimer in the
10  *       documentation and/or other materials provided with the distribution.
11  *     * Neither the name of Google Inc. nor the names of its contributors may
12  *       be used to endorse or promote products derived from this software
13  *       without specific prior written permission.
14  *
15  * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
17  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
18  * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
21  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
22  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
23  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
24  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include <ctype.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <sys/cdefs.h>
32 
33 #include "mincrypt/dsa_sig.h"
34 #include "mincrypt/p256.h"
35 #include "mincrypt/p256_ecdsa.h"
36 #include "mincrypt/sha256.h"
37 
38 #ifndef __unused
39 #define __unused __attribute__((__unused__))
40 #endif
41 
42 /**
43  * Messages signed using:
44  *
45 -----BEGIN EC PRIVATE KEY-----
46 MHcCAQEEIDw6UiziVMbjlfSpOAIpA2tcL+v1OlznZLnpadO8BGi1oAoGCCqGSM49
47 AwEHoUQDQgAEZw7VAOjAXYRFuhZWYBgjahdOvkwcAnjGkxQWytZW+iS1hI3ZGE24
48 6XmNka9IGxAgj2n/ip+MuZJMFoJ9DRea3g==
49 -----END EC PRIVATE KEY-----
50  */
51 
52 p256_int key_x = {
53     .a = {0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu,
54           0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u}
55 };
56 p256_int key_y = {
57     .a = {0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au,
58           0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u}
59 };
60 
61 char* message_1 =
62     "f4 5d 55 f3 55 51 e9 75 d6 a8 dc 7e a9 f4 88 59"
63     "39 40 cc 75 69 4a 27 8f 27 e5 78 a1 63 d8 39 b3"
64     "40 40 84 18 08 cf 9c 58 c9 b8 72 8b f5 f9 ce 8e"
65     "e8 11 ea 91 71 4f 47 ba b9 2d 0f 6d 5a 26 fc fe"
66     "ea 6c d9 3b 91 0c 0a 2c 96 3e 64 eb 18 23 f1 02"
67     "75 3d 41 f0 33 59 10 ad 3a 97 71 04 f1 aa f6 c3"
68     "74 27 16 a9 75 5d 11 b8 ee d6 90 47 7f 44 5c 5d"
69     "27 20 8b 2e 28 43 30 fa 3d 30 14 23 fa 7f 2d 08"
70     "6e 0a d0 b8 92 b9 db 54 4e 45 6d 3f 0d ab 85 d9"
71     "53 c1 2d 34 0a a8 73 ed a7 27 c8 a6 49 db 7f a6"
72     "37 40 e2 5e 9a f1 53 3b 30 7e 61 32 99 93 11 0e"
73     "95 19 4e 03 93 99 c3 82 4d 24 c5 1f 22 b2 6b de"
74     "10 24 cd 39 59 58 a2 df eb 48 16 a6 e8 ad ed b5"
75     "0b 1f 6b 56 d0 b3 06 0f f0 f1 c4 cb 0d 0e 00 1d"
76     "d5 9d 73 be 12";
77 
78 char* signature_1 =
79     "30 44 02 20 43 18 fc eb 3b a8 3a a8 a3 cf 41 b7"
80     "81 4a f9 01 e1 8b 6e 95 c1 3a 83 25 9e a5 2e 66"
81     "7c 98 25 d9 02 20 54 f3 7f 5a e9 36 9c a2 f0 51"
82     "e0 6e 78 48 60 a3 f9 8a d5 2c 37 5a 0a 29 c9 f7"
83     "ea 57 7e 88 46 12";
84 
85 // Same as signature 1, but with leading zeroes.
86 char* message_2 =
87     "f4 5d 55 f3 55 51 e9 75 d6 a8 dc 7e a9 f4 88 59"
88     "39 40 cc 75 69 4a 27 8f 27 e5 78 a1 63 d8 39 b3"
89     "40 40 84 18 08 cf 9c 58 c9 b8 72 8b f5 f9 ce 8e"
90     "e8 11 ea 91 71 4f 47 ba b9 2d 0f 6d 5a 26 fc fe"
91     "ea 6c d9 3b 91 0c 0a 2c 96 3e 64 eb 18 23 f1 02"
92     "75 3d 41 f0 33 59 10 ad 3a 97 71 04 f1 aa f6 c3"
93     "74 27 16 a9 75 5d 11 b8 ee d6 90 47 7f 44 5c 5d"
94     "27 20 8b 2e 28 43 30 fa 3d 30 14 23 fa 7f 2d 08"
95     "6e 0a d0 b8 92 b9 db 54 4e 45 6d 3f 0d ab 85 d9"
96     "53 c1 2d 34 0a a8 73 ed a7 27 c8 a6 49 db 7f a6"
97     "37 40 e2 5e 9a f1 53 3b 30 7e 61 32 99 93 11 0e"
98     "95 19 4e 03 93 99 c3 82 4d 24 c5 1f 22 b2 6b de"
99     "10 24 cd 39 59 58 a2 df eb 48 16 a6 e8 ad ed b5"
100     "0b 1f 6b 56 d0 b3 06 0f f0 f1 c4 cb 0d 0e 00 1d"
101     "d5 9d 73 be 12";
102 
103 char* signature_2 =
104     "30 46 02 21 00 43 18 fc eb 3b a8 3a a8 a3 cf 41 b7"
105     "81 4a f9 01 e1 8b 6e 95 c1 3a 83 25 9e a5 2e 66"
106     "7c 98 25 d9 02 21 00 54 f3 7f 5a e9 36 9c a2 f0 51"
107     "e0 6e 78 48 60 a3 f9 8a d5 2c 37 5a 0a 29 c9 f7"
108     "ea 57 7e 88 46 12";
109 
110 // Excessive zeroes on the signature
111 char* message_3 =
112     "f4 5d 55 f3 55 51 e9 75 d6 a8 dc 7e a9 f4 88 59"
113     "39 40 cc 75 69 4a 27 8f 27 e5 78 a1 63 d8 39 b3"
114     "40 40 84 18 08 cf 9c 58 c9 b8 72 8b f5 f9 ce 8e"
115     "e8 11 ea 91 71 4f 47 ba b9 2d 0f 6d 5a 26 fc fe"
116     "ea 6c d9 3b 91 0c 0a 2c 96 3e 64 eb 18 23 f1 02"
117     "75 3d 41 f0 33 59 10 ad 3a 97 71 04 f1 aa f6 c3"
118     "74 27 16 a9 75 5d 11 b8 ee d6 90 47 7f 44 5c 5d"
119     "27 20 8b 2e 28 43 30 fa 3d 30 14 23 fa 7f 2d 08"
120     "6e 0a d0 b8 92 b9 db 54 4e 45 6d 3f 0d ab 85 d9"
121     "53 c1 2d 34 0a a8 73 ed a7 27 c8 a6 49 db 7f a6"
122     "37 40 e2 5e 9a f1 53 3b 30 7e 61 32 99 93 11 0e"
123     "95 19 4e 03 93 99 c3 82 4d 24 c5 1f 22 b2 6b de"
124     "10 24 cd 39 59 58 a2 df eb 48 16 a6 e8 ad ed b5"
125     "0b 1f 6b 56 d0 b3 06 0f f0 f1 c4 cb 0d 0e 00 1d"
126     "d5 9d 73 be 12";
127 
128 char* signature_3 =
129     "30 4c 02 24 00 00 00 00 43 18 fc eb 3b a8 3a a8 a3 cf 41 b7"
130     "81 4a f9 01 e1 8b 6e 95 c1 3a 83 25 9e a5 2e 66"
131     "7c 98 25 d9 02 24 00 00 00 00 54 f3 7f 5a e9 36 9c a2 f0 51"
132     "e0 6e 78 48 60 a3 f9 8a d5 2c 37 5a 0a 29 c9 f7"
133     "ea 57 7e 88 46 12";
134 
135 
136 char* good_dsa_signature_1 =
137     "30 0D 02 01 01 02 08 00 A5 55 5A 01 FF A5 01";
138 p256_int good_dsa_signature_1_r = {
139     .a = {0x00000001U, 0x00000000U, 0x00000000U, 0x00000000U,
140           0x00000000U, 0x00000000U, 0x00000000U, 0x00000000U}
141 };
142 p256_int good_dsa_signature_1_s = {
143     .a = {0x01FFA501U, 0x00A5555AU, 0x00000000U, 0x00000000U,
144           0x00000000U, 0x00000000U, 0x00000000U, 0x00000000U}
145 };
146 
147 
148 char* bad_dsa_signature_1 =
149      "a0 06 02 01 01 02 01 01";
150 
151 char* bad_dsa_signature_2 =
152      "30 07 02 01 01 02 01 01";
153 
154 char* bad_dsa_signature_3 =
155      "30 06 82 01 01 02 01 01";
156 
157 char* bad_dsa_signature_4 =
158      "30 06 02 00 01 02 01 01";
159 
160 char* bad_dsa_signature_5 =
161      "30 06 02 01 01 82 01 01";
162 
163 char* bad_dsa_signature_6 =
164      "30 05 02 01 01 02 00";
165 
166 char* bad_dsa_signature_7 =
167      "30 06 02 01 01 02 00 01";
168 
parsehex(char * str,int * len)169 unsigned char* parsehex(char* str, int* len) {
170     // result can't be longer than input
171     unsigned char* result = malloc(strlen(str));
172 
173     unsigned char* p = result;
174     *len = 0;
175 
176     while (*str) {
177         int b;
178 
179         while (isspace(*str)) str++;
180 
181         switch (*str) {
182             case '0': case '1': case '2': case '3': case '4':
183             case '5': case '6': case '7': case '8': case '9':
184                 b = (*str - '0') << 4; break;
185             case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
186                 b = (*str - 'a' + 10) << 4; break;
187             case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
188                 b = (*str - 'A' + 10) << 4; break;
189             case '\0':
190                 return result;
191             default:
192                 return NULL;
193         }
194         str++;
195 
196         while (isspace(*str)) str++;
197 
198         switch (*str) {
199             case '0': case '1': case '2': case '3': case '4':
200             case '5': case '6': case '7': case '8': case '9':
201                 b |= *str - '0'; break;
202             case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
203                 b |= *str - 'a' + 10; break;
204             case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
205                 b |= *str - 'A' + 10; break;
206             default:
207                 return NULL;
208         }
209         str++;
210 
211         *p++ = b;
212         ++*len;
213     }
214 
215     return result;
216 }
217 
main(int arg __unused,char ** argv __unused)218 int main(int arg __unused, char** argv __unused) {
219 
220     unsigned char hash_buf[SHA256_DIGEST_SIZE];
221 
222     unsigned char* message;
223     int mlen;
224     unsigned char* signature;
225     int slen;
226 
227     p256_int hash;
228     p256_int r;
229     p256_int s;
230 
231     int success = 1;
232 
233 #define CHECK_DSA_SIG(sig, good) do {\
234     message = parsehex(sig, &mlen); \
235     int result = dsa_sig_unpack(message, mlen, &r, &s); \
236     printf(#sig ": %s\n", result ? "good" : "bad"); \
237     success = success && !(good ^ result); \
238     free(message); \
239     } while(0)
240 #define CHECK_GOOD_DSA_SIG(n) do {\
241     CHECK_DSA_SIG(good_dsa_signature_##n, 1); \
242     int result = !memcmp(P256_DIGITS(&good_dsa_signature_##n##_r), P256_DIGITS(&r), \
243                          P256_NBYTES); \
244     success = success && result; \
245     printf("    R value %s\n", result ? "good" : "bad"); \
246     result = !memcmp(P256_DIGITS(&good_dsa_signature_##n##_s), P256_DIGITS(&s), \
247                     P256_NBYTES); \
248     success = success && result; \
249     printf("    S value %s\n", result ? "good" : "bad"); \
250     } while (0)
251 #define CHECK_BAD_DSA_SIG(n) \
252     CHECK_DSA_SIG(bad_dsa_signature_##n, 0)
253 
254     CHECK_GOOD_DSA_SIG(1);
255 
256     CHECK_BAD_DSA_SIG(1);
257     CHECK_BAD_DSA_SIG(2);
258     CHECK_BAD_DSA_SIG(3);
259     CHECK_BAD_DSA_SIG(4);
260     CHECK_BAD_DSA_SIG(5);
261     CHECK_BAD_DSA_SIG(6);
262     CHECK_BAD_DSA_SIG(7);
263 
264 
265 #define TEST_MESSAGE(n) do {\
266     message = parsehex(message_##n, &mlen); \
267     SHA256_hash(message, mlen, hash_buf); \
268     p256_from_bin(hash_buf, &hash); \
269     signature = parsehex(signature_##n, &slen); \
270     int result = dsa_sig_unpack(signature, slen, &r, &s); \
271     if (result) { result = p256_ecdsa_verify(&key_x, &key_y, &hash, &r, &s); } \
272     printf("message %d: %s\n", n, result ? "verified" : "not verified"); \
273     success = success && result; \
274     free(signature); \
275     } while(0)
276 
277     TEST_MESSAGE(1);
278     TEST_MESSAGE(2);
279     TEST_MESSAGE(3);
280 
281     printf("\n%s\n\n", success ? "PASS" : "FAIL");
282 
283     return !success;
284 }
285