/* Convert big digit b into a string of octets in big-endian order,
   padding to nbytes or truncating if necessary.

   b      - number to convert; must be non-NULL (checked by assert only,
            so the check disappears in NDEBUG builds).
   c      - output buffer, or NULL to query the required size.
   nbytes - size of c in octets, or 0 to query the required size.

   Returns the number of significant octets in b (never less than 1).
   The return value is NOT clamped to nbytes: a result greater than nbytes
   means the value did not fit and the output was truncated, so callers
   that cannot tolerate truncation must compare the two.
*/
size_t bdConvToOctets(T b, unsigned char *c, size_t nbytes)
{
	size_t required;

	assert(b);

	/* Octets needed to hold the significant bits of b. */
	required = (mpBitLength(b->digits, b->ndigits) + 7) / 8;

	/* [2008-05-23] a zero value still reports one octet */
	if (required == 0)
		required = 1;

	/* Size-query mode (no buffer or zero length) writes nothing. */
	if (c && nbytes != 0)
	{
		/* The count returned by the low-level conversion is not used here. */
		(void)mpConvToOctets(b->digits, b->ndigits, c, nbytes);
	}

	return required;
}
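/* --------------------------------------------------------------------------
 * EcdsaSignerWipe (private helper)
 *
 * Zero a buffer through a volatile pointer so the stores are not discarded
 * as dead writes to locals that are about to go out of scope.
 * -------------------------------------------------------------------------- */
static void EcdsaSignerWipe(void *pBuffer, VLT_U32 u32Len)
{
	volatile VLT_U8 *pu8 = (volatile VLT_U8 *)pBuffer;

	while (u32Len > 0)
	{
		*pu8++ = 0;
		u32Len--;
	}
}

/* --------------------------------------------------------------------------
 * EcdsaSignerDoFinal
 *
 * Hashes the message with SHA-256 and then, depending on signerState,
 * either produces an ECDSA signature (ANS X9.62 Section 7.3) or verifies
 * one (ANS X9.62-2005 Section 7.4.1). The signature format is r || s.
 *
 * pu8Message           - message bytes (must not be NULL)
 * u32MessageLen        - number of message bytes to hash
 * u32MessageCapacity   - not used by this function
 * pu8Signature         - sign: output buffer; verify: signature to check
 * pu32SignatureLen     - sign: receives the signature length (0 on failure);
 *                        verify: length of the signature in pu8Signature
 * u32SignatureCapacity - size of the pu8Signature buffer in bytes
 *
 * Returns VLT_OK on a successful signing or a valid signature, VLT_FAIL on
 * an invalid or malformed signature, EECDSAINUPNULLPARAM for a NULL
 * argument and EECDSAEXECUTIONERROR for any other failure.
 *
 * Curve parameters (E), key material and signerState are file-scope state;
 * presumably they are set by an initialisation routine - confirm there that
 * the public key is validated before it is used here.
 * -------------------------------------------------------------------------- */
VLT_STS EcdsaSignerDoFinal(
    VLT_PU8 pu8Message, 
    VLT_U32 u32MessageLen, 
    VLT_U32 u32MessageCapacity, 
    VLT_PU8 pu8Signature, 
    VLT_PU32 pu32SignatureLen, 
    VLT_U32 u32SignatureCapacity )
{
	E2n_Point P;
	E2n_Point R;
	E2n_Point Q;

	/* intermediate calculation storage */
	DIGIT_T k[MAX_DIGITS];
	DIGIT_T k1[MAX_DIGITS]; 
	DIGIT_T	tmp[MAX_DIGITS];
	DIGIT_T r[MAX_DIGITS]; 
	DIGIT_T s[MAX_DIGITS]; 
	DIGIT_T u1[MAX_DIGITS];
	DIGIT_T u2[MAX_DIGITS]; 
	DIGIT_T v[MAX_DIGITS]; 
	DIGIT_T yy[MAX_DIGITS];

	DIGIT_T Px[MAX_DIGITS];
	DIGIT_T Py[MAX_DIGITS];

	DIGIT_T Rx[MAX_DIGITS];
	DIGIT_T Ry[MAX_DIGITS];

	DIGIT_T Qx[MAX_DIGITS];
	DIGIT_T Qy[MAX_DIGITS];

	/* SHA-256 storage */
	DIGIT_T	bdHash[MAX_DIGITS];
	VLT_U8 bHash[HASH_BYTE_SIZE];

	UINT len;
	UINT hashLen;
	VLT_U32 u32SigLen;

	sha256_ctx ctx; /* context holder */

	VLT_STS status = VLT_FAIL;

	if((ST_INITIALISED_SIGN != signerState) &&
	   (ST_INITIALISED_VERIFY != signerState))
	{
		/* not initialised */
		return EECDSAEXECUTIONERROR;
	}

	/* Initialise Point variables */
	P.x = Px;
	P.y = Py;
	R.x = Rx;
	R.y = Ry;
	Q.x = Qx;
	Q.y = Qy;

	if ( ( NULL == pu8Message ) ||
	     ( NULL == pu8Signature ) ||
	     ( NULL == pu32SignatureLen ) )
	{
		return ( EECDSAINUPNULLPARAM );
	}

	/* NOTE(review): u32MessageCapacity is never compared with
	// u32MessageLen; if it is the size of the message buffer, a length
	// larger than it makes the hash read past the buffer - confirm the
	// callers' contract before enforcing it here.
	*/

	/* hash of message used by both signing and verify */

	/* e or e1 = SHA-256(M) */
	sha256_begin(&ctx);
	sha256_hash(pu8Message, u32MessageLen, &ctx);
	sha256_end(bHash, &ctx);

	/* convert hash to big digits, 
	same size as base point order if > hash size */
	if (sNumBpOrderDigits > HASH_DIGIT_SIZE)
		hashLen = sNumBpOrderDigits;
	else
		hashLen = HASH_DIGIT_SIZE;
	mpConvFromOctets(bdHash, hashLen, bHash, HASH_BYTE_SIZE);

	/* ANS X9.62-2005 7.3.e
	// if bit length of hash is > bit length of base point order
	// then truncate hash by removing LSBs until bit length
	// equals the length of the base point order
	*/
	len = mpBitLength(E.r, E.rlen);
	if (len < HASH_SIZE)
	{	
		/* take leftmost bits of message by shifting right */
		mpShiftRight(tmp, bdHash, HASH_SIZE - len, hashLen);
		/* truncate to base point order size */
		mpSetEqual(bdHash, tmp, E.rlen);
	}

	if (ST_INITIALISED_SIGN == signerState)
	{
		/* signing process as per ANS X9.62 Section 7.3 */
		*pu32SignatureLen = 0;

		/* every failure below is an execution error, not VLT_FAIL */
		status = EECDSAEXECUTIONERROR;

		/* r || s is written unconditionally further down, so refuse an
		// output buffer that cannot hold both halves
		*/
		if (u32SignatureCapacity < (VLT_U32)(sNumBpOrderBytes * 2))
			goto cleanup;

		/* generate ephemeral private key k such that 0 < k < n */
		/* NOTE(review): reducing a random value of the same digit length
		// as n modulo n is not uniform unless n fills that length almost
		// completely, and biased ECDSA nonces weaken the private key.
		// Consider rejection sampling or extra random bits
		// (FIPS 186-4 B.5.1) - needs a check of GenerateRandomDigits
		// and of MAX_DIGITS headroom.
		*/
		if (VLT_OK != GenerateRandomDigits(tmp, E.rlen))
			goto cleanup;
		mpModulo(k, tmp, E.rlen, E.r, E.rlen);
		if (mpIsZero(k, E.rlen))
		{
			/* probability of a zero is 1/n */
			if (VLT_OK != GenerateRandomDigits(tmp, E.rlen))
				goto cleanup;
			mpModulo(k, tmp, E.rlen, E.r, E.rlen);
			if (mpIsZero(k, E.rlen))
				goto cleanup;
		}

		/* generate ephemeral public key: P = kG */
		e2n_point_mul(&E, &P, &E.G, k, E.rlen);

		/* convert P.x to integer j	*/
		/* conversion is implicit for polynomial basis */

		/*
		// r = j mod n, n = base point order (E.r)
		*/
		mpModulo(r, P.x, E.rlen, E.r, E.rlen);

		/* r = 0 is not a valid signature component; fail rather than emit it */
		if (mpIsZero(r, E.rlen))
			goto cleanup;

		/*
		// calculate s = k^-1 (e + dr) mod n
		*/

		/* Compute k' = k^-1 mod n */
		mpModInv(k1, k, E.r, E.rlen);

		/* Compute s = (k^-1(SHA-xxx(M) + dr)) mod n */

		/* d * r */
		mpModMult(tmp, sPrivateKey, r, E.r, E.rlen);
		/* M + d * r */
		mpModAdd(yy, tmp, bdHash, E.r, E.rlen);
		/* s = (k^-1)(M + dr) */
		mpModMult(s, k1, yy, E.r, E.rlen);

		/* s = 0 is not a valid signature component either */
		if (mpIsZero(s, E.rlen))
			goto cleanup;
	
		/* signing: convert back to byte format and construct r || s */
		mpConvToOctets(r, sNumBpOrderDigits, pu8Signature, sNumBpOrderBytes);
		mpConvToOctets(s, sNumBpOrderDigits, pu8Signature + sNumBpOrderBytes, 
			sNumBpOrderBytes);

		/* set the byte length of the output signature */
		*pu32SignatureLen = sNumBpOrderBytes * 2;

		status = VLT_OK;
	}
	else
	{
		/* ANS X9.62-2005 Section 7.4.1: Verification with Public Key */

		/* The length comes with the signature, so treat it as untrusted:
		// it must be non-zero, split evenly into r and s, and stay inside
		// the buffer the caller described.
		// NOTE(review): the signer always emits sNumBpOrderBytes * 2;
		// requiring exactly that length would be stricter - confirm no
		// other producer uses a different encoding first.
		*/
		u32SigLen = *pu32SignatureLen;
		if ((0 == u32SigLen) ||
		    (0 != (u32SigLen & 1)) ||
		    (u32SigLen > u32SignatureCapacity))
		{
			goto cleanup;
		}

		/* extract r & s and format as big digits */
		mpConvFromOctets(r, E.rlen, pu8Signature, u32SigLen / 2);
		mpConvFromOctets(s, E.rlen, pu8Signature + (u32SigLen / 2), 
			u32SigLen / 2);

		/* r and s must both lie in [1, n-1]. Without this check a
		// signature with zero components reaches the inversion and the
		// final comparison below. x mod n == x holds exactly when x < n.
		*/
		if (mpIsZero(r, E.rlen) || mpIsZero(s, E.rlen))
			goto cleanup;
		mpModulo(tmp, r, E.rlen, E.r, E.rlen);
		if (!mpEqual(tmp, r, E.rlen))
			goto cleanup;
		mpModulo(tmp, s, E.rlen, E.r, E.rlen);
		if (!mpEqual(tmp, s, E.rlen))
			goto cleanup;

		/* Compute u1 = e1(s1^-1) mod n */
		mpModInv(tmp, s, E.r, E.rlen);
		mpModMult(u1, tmp, bdHash, E.r, E.rlen);

		/* Compute u2 = r1(s1^-1) mod n */
		mpModMult(u2, tmp, r, E.r, E.rlen);

		/* use supplied public key */
		mpSetEqual(Q.x, sPublicKeyQx, E.len);
		mpSetEqual(Q.y, sPublicKeyQy, E.len);

		/* compute R = u1G */
		e2n_point_mul(&E, &R, &E.G, u1, E.rlen);

		/* P = u2Q */
		e2n_point_mul(&E, &P, &Q, u2, E.rlen);

		/* R = R + P */
		e2n_point_add(&E, &R, &R, &P);

		/* compute v = j mod n */
		mpModulo(v, R.x, E.rlen, E.r, E.rlen);

		/* verify v == r */
		if (mpEqual(v, r, E.rlen))
		{	
			status = VLT_OK;
		}
		else
		{
			status = VLT_FAIL;
		}
	}

cleanup:
	/* k, k^-1, d*r and e + d*r each reveal the private key when combined
	// with the public signature, so none of them may stay on the stack
	*/
	EcdsaSignerWipe(k, sizeof(k));
	EcdsaSignerWipe(k1, sizeof(k1));
	EcdsaSignerWipe(tmp, sizeof(tmp));
	EcdsaSignerWipe(yy, sizeof(yy));

	return ( status );
}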
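/* Known-answer test for the BIGDIGITS mp* routines: sign and verify with raw
   RSA (s = m^d mod n, m' = s^e mod n), then convert back to octets and to
   decimal. Checks are made with assert(), so building with NDEBUG turns the
   run into a print-only demonstration that cannot fail.

   The key below, private exponent included, is a published test vector
   (see the banner printed at start-up). The modulus is 508 bits and the
   padded block carries a DigestInfo with the MD2 object identifier, so both
   are usable only as test data, never as real key material or as a model
   for a signature scheme.
*/
int main(void)
{
	DIGIT_T n[MOD_SIZE], e[MOD_SIZE], d[MOD_SIZE];
	DIGIT_T  s[MOD_SIZE], m[MOD_SIZE], m1[MOD_SIZE], s1[MOD_SIZE];
	size_t nbytes;
	char decimal[MOD_SIZE*4];

	/* Data in big-endian byte format:- 
	*/
	/* modulus n */
	unsigned char nn[] = {
		0x0A, 0x66, 0x79, 0x1D, 0xC6, 0x98, 0x81, 0x68, 
		0xDE, 0x7A, 0xB7, 0x74, 0x19, 0xBB, 0x7F, 0xB0, 
		0xC0, 0x01, 0xC6, 0x27, 0x10, 0x27, 0x00, 0x75, 
		0x14, 0x29, 0x42, 0xE1, 0x9A, 0x8D, 0x8C, 0x51, 
		0xD0, 0x53, 0xB3, 0xE3, 0x78, 0x2A, 0x1D, 0xE5, 
		0xDC, 0x5A, 0xF4, 0xEB, 0xE9, 0x94, 0x68, 0x17, 
		0x01, 0x14, 0xA1, 0xDF, 0xE6, 0x7C, 0xDC, 0x9A, 
		0x9A, 0xF5, 0x5D, 0x65, 0x56, 0x20, 0xBB, 0xAB,
	};

	/* public exponent e = 65537 */
	unsigned char ee[] = { 0x01, 0x00, 0x01 };

	/* private exponent d (public test vector only) */
	unsigned char dd[] = {
		0x01, 0x23, 0xC5, 0xB6, 0x1B, 0xA3, 0x6E, 0xDB, 
		0x1D, 0x36, 0x79, 0x90, 0x41, 0x99, 0xA8, 0x9E, 
		0xA8, 0x0C, 0x09, 0xB9, 0x12, 0x2E, 0x14, 0x00, 
		0xC0, 0x9A, 0xDC, 0xF7, 0x78, 0x46, 0x76, 0xD0, 
		0x1D, 0x23, 0x35, 0x6A, 0x7D, 0x44, 0xD6, 0xBD, 
		0x8B, 0xD5, 0x0E, 0x94, 0xBF, 0xC7, 0x23, 0xFA, 
		0x87, 0xD8, 0x86, 0x2B, 0x75, 0x17, 0x76, 0x91, 
		0xC1, 0x1D, 0x75, 0x76, 0x92, 0xDF, 0x88, 0x81,
	};

	/* padded message block m: 00 01 FF..FF 00 || DigestInfo */
	unsigned char mm[] = {
		0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x30, 0x20, 
		0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 
		0xF7, 0x0D, 0x02, 0x02, 0x05, 0x00, 0x04, 0x10, 
		0xDC, 0xA9, 0xEC, 0xF1, 0xC1, 0x5C, 0x1B, 0xD2, 
		0x66, 0xAF, 0xF9, 0xC8, 0x79, 0x93, 0x65, 0xCD,
	};

	/* expected signature s */
	unsigned char ss[] = {
		0x06, 0xDB, 0x36, 0xCB, 0x18, 0xD3, 0x47, 0x5B, 
		0x9C, 0x01, 0xDB, 0x3C, 0x78, 0x95, 0x28, 0x08, 
		0x02, 0x79, 0xBB, 0xAE, 0xFF, 0x2B, 0x7D, 0x55, 
		0x8E, 0xD6, 0x61, 0x59, 0x87, 0xC8, 0x51, 0x86, 
		0x3F, 0x8A, 0x6C, 0x2C, 0xFF, 0xBC, 0x89, 0xC3, 
		0xF7, 0x5A, 0x18, 0xD9, 0x6B, 0x12, 0x7C, 0x71, 
		0x7D, 0x54, 0xD0, 0xD8, 0x04, 0x8D, 0xA8, 0xA0, 
		0x54, 0x46, 0x26, 0xD1, 0x7A, 0x2A, 0x8F, 0xBE,
	};

	printf("Test BIGDIGITS using 508-bit RSA key from 'Some Examples of the PKCS Standards'\n");

	/* Convert bytes to BIGDIGITS */
	mpConvFromOctets(n, MOD_SIZE, nn, sizeof(nn));
	mpConvFromOctets(e, MOD_SIZE, ee, sizeof(ee));
	mpConvFromOctets(d, MOD_SIZE, dd, sizeof(dd));
	mpConvFromOctets(m, MOD_SIZE, mm, sizeof(mm));
	mpConvFromOctets(s1, MOD_SIZE, ss, sizeof(ss));


	printf("n ="); mpPrintNL(n, MOD_SIZE);
	printf("e ="); mpPrintNL(e, MOD_SIZE);
	printf("d ="); mpPrintNL(d, MOD_SIZE);
	printf("m ="); mpPrintNL(m, MOD_SIZE);

	/* Sign, i.e. Encrypt with private key, s = m^d mod n */
	mpModExp(s, m, d, n, MOD_SIZE);

	printf("s ="); mpPrintNL(s, MOD_SIZE);

	/* Did we get the same answer as expected? */
	if (!mpEqual(s1, s, MOD_SIZE))
		printf("<= ERROR - no match\n");
	else
		printf("<= OK\n");
	assert(mpEqual(s1, s, MOD_SIZE));

	/* Verify, i.e. Decrypt with public key m' = s^e mod n */
	mpModExp(m1, s, e, n, MOD_SIZE);

	printf("m'="); mpPrintNL(m1, MOD_SIZE);

	/* Check that we got back where we started */
	if (!mpEqual(m1, m, MOD_SIZE)) 
		printf("<= ERROR - no match\n");
	else
		printf("<= OK\n");
	assert(mpEqual(m1, m, MOD_SIZE));

	/* Now convert back to octets (bytes) */
	/* nbytes is a size_t: passing it to %d is a format/argument mismatch,
	   so it is printed as unsigned long with an explicit cast. */
	memset(mm, 0, sizeof(mm)); 
	nbytes = mpConvToOctets(m, MOD_SIZE, mm, sizeof(mm));
	printf("%lu non-zero bytes converted from m:\n", (unsigned long)nbytes);
	pr_bytes(mm, sizeof(mm));

	memset(ee, 0, sizeof(ee)); 
	nbytes = mpConvToOctets(e, MOD_SIZE, ee, sizeof(ee));
	printf("%lu non-zero bytes converted from e:\n", (unsigned long)nbytes);
	pr_bytes(ee, sizeof(ee));

	/* Do a conversion to decimal */
	nbytes = mpConvToDecimal(e, MOD_SIZE, decimal, sizeof(decimal));
	printf("%lu non-zero decimal digits converted from e:\n", (unsigned long)nbytes);
	printf("%s\n", decimal);
	assert(strcmp(decimal, "65537") == 0);

	printf("OK, successfully completed tests.\n");

	return 0;
}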