1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
// Copyright 2021 The Pigweed Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
#define PW_LOG_MODULE_NAME "ECDSA-BSSL"
#define PW_LOG_LEVEL PW_LOG_LEVEL_WARN
#include "pw_preprocessor/compiler.h"
PW_MODIFY_DIAGNOSTICS_PUSH();
PW_MODIFY_DIAGNOSTIC(ignored, "-Wcast-qual");
PW_MODIFY_DIAGNOSTIC(ignored, "-Wgnu-anonymous-struct");
PW_MODIFY_DIAGNOSTIC(ignored, "-Wnested-anon-types");
#include "openssl/bn.h"
#include "openssl/ec.h"
#include "openssl/ecdsa.h"
#include "openssl/nid.h"
PW_MODIFY_DIAGNOSTICS_POP();
#include "pw_crypto/ecdsa.h"
#include "pw_log/log.h"
namespace pw::crypto::ecdsa {
constexpr size_t kP256CurveOrderBytes = 32;
Status VerifyP256Signature(ConstByteSpan public_key,
ConstByteSpan digest,
ConstByteSpan signature) {
const uint8_t* public_key_bytes =
reinterpret_cast<const uint8_t*>(public_key.data());
const uint8_t* digest_bytes = reinterpret_cast<const uint8_t*>(digest.data());
const uint8_t* signature_bytes =
reinterpret_cast<const uint8_t*>(signature.data());
// Allocate objects needed for ECDSA verification. BoringSSL relies on
// dynamic allocation.
bssl::UniquePtr<EC_GROUP> group(
EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
if (!group) {
return Status::ResourceExhausted();
}
bssl::UniquePtr<EC_POINT> pub_key(EC_POINT_new(group.get()));
bssl::UniquePtr<EC_KEY> key(EC_KEY_new());
bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
if (!(pub_key && key && sig)) {
return Status::ResourceExhausted();
}
// Load the public key.
if (!EC_POINT_oct2point(group.get(),
pub_key.get(),
public_key_bytes,
public_key.size(),
nullptr)) {
PW_LOG_DEBUG("Bad public key format");
return Status::InvalidArgument();
}
if (!EC_KEY_set_group(key.get(), group.get())) {
return Status::InvalidArgument();
}
if (!EC_KEY_set_public_key(key.get(), pub_key.get())) {
return Status::InvalidArgument();
}
// Load the signature.
if (signature.size() != kP256CurveOrderBytes * 2) {
PW_LOG_DEBUG("Bad signature format");
return Status::InvalidArgument();
}
if (!(BN_bin2bn(signature_bytes, kP256CurveOrderBytes, sig->r) &&
BN_bin2bn(signature_bytes + kP256CurveOrderBytes,
kP256CurveOrderBytes,
sig->s))) {
return Status::Internal();
}
// Digest must be 32 bytes or longer (and will be truncated).
if (digest.size() < kP256CurveOrderBytes) {
PW_LOG_DEBUG("Digest is too short");
return Status::InvalidArgument();
}
// Verify the signature.
if (!ECDSA_do_verify(digest_bytes, digest.size(), sig.get(), key.get())) {
PW_LOG_DEBUG("Signature verification failed");
return Status::Unauthenticated();
}
return OkStatus();
}
} // namespace pw::crypto::ecdsa
|
