/*
* Obtain key size in bits.
* Currently only raw public keys are dealt with (they're the ones
* which come from certs, the only current use for this function).
* Note that if we need to handle ref keys, we'll need a session ref...
*/
void CryptKit::FEEKeyInfoProvider::QueryKeySizeInBits(
CSSM_KEY_SIZE &keySize)
{
feePubKey feeKey = NULL;
if(mKey.blobType() != CSSM_KEYBLOB_RAW) {
CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_FORMAT);
}
feeKey = rawCssmKeyToFee(mKey);
keySize.LogicalKeySizeInBits = feePubKeyBitsize(feeKey);
keySize.EffectiveKeySizeInBits = keySize.LogicalKeySizeInBits;
feePubKeyFree(feeKey);
}
/*
* Create new feeSig object, including a random large integer 'randGiant' for
* possible use in salting a feeHash object, and 'PmX', equal to
* randGiant 'o' P1. Note that this is not called when *verifying* a
* signature, only when signing.
*/
feeSig feeSigNewWithKey(
feePubKey pubKey,
feeRandFcn randFcn, /* optional */
void *randRef)
{
sigInst *sinst = sinstAlloc();
feeRand frand;
unsigned char *randBytes;
unsigned randBytesLen;
curveParams *cp;
if(pubKey == NULL) {
return NULL;
}
cp = feePubKeyCurveParams(pubKey);
if(cp == NULL) {
return NULL;
}
/*
* Generate random m, a little larger than key size, save as randGiant
*/
randBytesLen = (feePubKeyBitsize(pubKey) / 8) + 1;
randBytes = (unsigned char*) fmalloc(randBytesLen);
if(randFcn) {
randFcn(randRef, randBytes, randBytesLen);
}
else {
frand = feeRandAlloc();
feeRandBytes(frand, randBytes, randBytesLen);
feeRandFree(frand);
}
sinst->randGiant = giant_with_data(randBytes, randBytesLen);
memset(randBytes, 0, randBytesLen);
ffree(randBytes);
#if FEE_DEBUG
if(isZero(sinst->randGiant)) {
printf("feeSigNewWithKey: randGiant = 0!\n");
}
#endif // FEE_DEBUG
/*
* Justify randGiant to be in [2, x1OrderPlus]
*/
x1OrderPlusJustify(sinst->randGiant, cp);
/* PmX := randGiant 'o' P1 */
sinst->PmX = newGiant(cp->maxDigits);
#if CRYPTKIT_ELL_PROJ_ENABLE
if(cp->curveType == FCT_Weierstrass) {
pointProjStruct pt0;
sinst->PmY = newGiant(cp->maxDigits);
/* cook up pt0 as P1 */
pt0.x = sinst->PmX;
pt0.y = sinst->PmY;
pt0.z = borrowGiant(cp->maxDigits);
gtog(cp->x1Plus, pt0.x);
gtog(cp->y1Plus, pt0.y);
int_to_giant(1, pt0.z);
/* pt0 := P1 'o' randGiant */
ellMulProjSimple(&pt0, sinst->randGiant, cp);
returnGiant(pt0.z);
}
else {
if(SIG_CURVE == CURVE_PLUS) {
gtog(cp->x1Plus, sinst->PmX);
}
else {
gtog(cp->x1Minus, sinst->PmX);
}
elliptic_simple(sinst->PmX, sinst->randGiant, cp);
}
#else /* CRYPTKIT_ELL_PROJ_ENABLE */
if(SIG_CURVE == CURVE_PLUS) {
gtog(cp->x1Plus, sinst->PmX);
}
else {
gtog(cp->x1Minus, sinst->PmX);
}
elliptic_simple(sinst->PmX, sinst->randGiant, cp);
#endif /* CRYPTKIT_ELL_PROJ_ENABLE */
return sinst;
}
feeReturn feeECDSAVerify(const unsigned char *sigData,
size_t sigDataLen,
const unsigned char *data,
unsigned dataLen,
feePubKey pubKey,
feeSigFormat format)
{
/* giant integers per IEEE P1363 notation */
giant h; // s^(-1)
giant h1; // f h
giant h2; // c times h
giant littleC; // newGiant from ECDSA_decode
giant littleD; // ditto
giant c; // borrowed, full size
giant d; // ditto
giant cPrime = NULL; // i mod r
pointProj h1G = NULL; // h1 'o' G
pointProj h2W = NULL; // h2 'o' W
key W; // i.e., their public key
unsigned version;
feeReturn frtn;
curveParams *cp = feePubKeyCurveParams(pubKey);
unsigned groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8);
int result;
if(cp == NULL) {
return FR_BadPubKey;
}
/*
* First decode the byteRep string.
*/
frtn = ECDSA_decode(
format,
groupBytesLen,
sigData,
sigDataLen,
&littleC,
&littleD,
&version);
if(frtn) {
return frtn;
}
/*
* littleC and littleD have capacity = abs(sign), probably
* not big enough....
*/
c = borrowGiant(cp->maxDigits);
d = borrowGiant(cp->maxDigits);
gtog(littleC, c);
gtog(littleD, d);
freeGiant(littleC);
freeGiant(littleD);
sigDbg(("ECDSA verify:\n"));
/*
* Verify that c and d are within [1,group_order-1]
*/
if((gcompg(cp->cOrderPlus, c) != 1) || (gcompg(cp->cOrderPlus, d) != 1) ||
isZero(c) || isZero(d))
{
returnGiant(c);
returnGiant(d);
return FR_InvalidSignature;
}
/*
* W = signer's public key
*/
W = feePubKeyPlusCurve(pubKey);
/*
* 1) Compute h = d^(-1) (mod x1OrderPlus);
*/
SIGPROF_START;
h = borrowGiant(cp->maxDigits);
gtog(d, h);
binvg_x1OrderPlus(cp, h);
SIGPROF_END(vfyStep1);
/*
* 2) h1 = digest as giant (skips assigning to 'f' in P1363)
*/
if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) {
h1 = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen));
}
else {
h1 = borrowGiant(cp->maxDigits);
}
deserializeGiant(data, h1, dataLen);
/*
* Certicom SEC1 states that if the digest is larger than the modulus,
* use the left q bits of the digest.
*/
unsigned hashBits = dataLen * 8;
if(hashBits > cp->q) {
gshiftright(hashBits - cp->q, h1);
}
sigLogGiant(" Wx : ", W->x);
sigLogGiant(" f : ", h1);
sigLogGiant(" c : ", c);
sigLogGiant(" d : ", d);
sigLogGiant(" s^(-1) : ", h);
/*
* 3) Compute h1 = f * h mod x1OrderPlus;
*/
SIGPROF_START;
mulg(h, h1); // h1 := f * h
x1OrderPlusMod(h1, cp);
SIGPROF_END(vfyStep3);
/*
* 4) Compute h2 = c * h (mod x1OrderPlus);
*/
SIGPROF_START;
h2 = borrowGiant(cp->maxDigits);
gtog(c, h2);
mulg(h, h2); // h2 := c * h
x1OrderPlusMod(h2, cp);
SIGPROF_END(vfyStep4);
/*
* 5) Compute h2W = h2 'o' W (W = theirPub)
*/
CKASSERT((W->y != NULL) && !isZero(W->y));
h2W = newPointProj(cp->maxDigits);
gtog(W->x, h2W->x);
gtog(W->y, h2W->y);
int_to_giant(1, h2W->z);
ellMulProjSimple(h2W, h2, cp);
/*
* 6) Compute h1G = h1 'o' G (G = {x1Plus, y1Plus, 1} )
*/
CKASSERT((cp->y1Plus != NULL) && !isZero(cp->y1Plus));
h1G = newPointProj(cp->maxDigits);
gtog(cp->x1Plus, h1G->x);
gtog(cp->y1Plus, h1G->y);
int_to_giant(1, h1G->z);
ellMulProjSimple(h1G, h1, cp);
/*
* 7) h1G := (h1 'o' G) + (h2 'o' W)
*/
ellAddProj(h1G, h2W, cp);
/*
* 8) If elliptic sum is point at infinity, signature is bad; stop.
*/
if(isZero(h1G->z)) {
dbgLog(("feeECDSAVerify: h1 * G = point at infinity\n"));
result = 1;
goto vfyDone;
}
normalizeProj(h1G, cp);
/*
* 9) cPrime = x coordinate of elliptic sum, mod x1OrderPlus
*/
cPrime = borrowGiant(cp->maxDigits);
gtog(h1G->x, cPrime);
x1OrderPlusMod(cPrime, cp);
/*
* 10) Good sig iff cPrime == c
*/
result = gcompg(c, cPrime);
vfyDone:
if(result) {
frtn = FR_InvalidSignature;
#if LOG_BAD_SIG
printf("***yup, bad sig***\n");
#endif // LOG_BAD_SIG
}
else {
frtn = FR_Success;
}
returnGiant(c);
returnGiant(d);
returnGiant(h);
returnGiant(h1);
returnGiant(h2);
if(h1G != NULL) {
freePointProj(h1G);
}
if(h2W != NULL) {
freePointProj(h2W);
}
if(cPrime != NULL) {
returnGiant(cPrime);
}
return frtn;
}
/*
* Sign specified block of data (most likely a hash result) using
* specified feePubKey.
*/
feeReturn feeSigSign(feeSig sig,
const unsigned char *data, // data to be signed
unsigned dataLen, // in bytes
feePubKey pubKey)
{
sigInst *sinst = (sigInst*) sig;
giant messageGiant = NULL;
unsigned maxlen;
giant privGiant;
unsigned privGiantBytes;
feeReturn frtn = FR_Success;
unsigned randBytesLen;
unsigned uDigits; // alloc'd digits in sinst->u
curveParams *cp;
if(pubKey == NULL) {
return FR_BadPubKey;
}
cp = feePubKeyCurveParams(pubKey);
if(cp == NULL) {
return FR_BadPubKey;
}
privGiant = feePubKeyPrivData(pubKey);
if(privGiant == NULL) {
dbgLog(("Attempt to Sign without private data\n"));
frtn = FR_IllegalArg;
goto abort;
}
privGiantBytes = abs(privGiant->sign) * GIANT_BYTES_PER_DIGIT;
/*
* Note PmX = m 'o' P1.
* Get message/digest as giant. May be significantly different
* in size from pubKey's basePrime.
*/
messageGiant = giant_with_data(data, dataLen); // M(text)
randBytesLen = feePubKeyBitsize(pubKey) / 8;
maxlen = max(randBytesLen, dataLen);
/* leave plenty of room.... */
uDigits = (3 * (privGiantBytes + maxlen)) / GIANT_BYTES_PER_DIGIT;
sinst->u = newGiant(uDigits);
gtog(privGiant, sinst->u); // u := ourPri
mulg(messageGiant, sinst->u); // u *= M(text)
addg(sinst->randGiant, sinst->u); // u += m
/*
* Paranoia: we're using the curveParams from the caller's pubKey;
* this cp will have a valid x1OrderPlusRecip if pubKey is the same
* as the one passed to feeSigNewWithKey() (since feeSigNewWithKey
* called x1OrderPlusJustify()). But the caller could conceivably be
* using a different instance of their pubKey, in which case
* the key's cp->x1OrderPlusRecip may not be valid.
*/
calcX1OrderPlusRecip(cp);
/* u := u mod x1OrderPlus */
#if SIG_DEBUG
if(sigDebug) {
printf("sigSign:\n");
printf("u pre-modg : ");
printGiant(sinst->u);
}
#endif
modg_via_recip(cp->x1OrderPlus, cp->x1OrderPlusRecip, sinst->u);
#if SIG_DEBUG
if(sigDebug) {
printf("privGiant : ");
printGiant(privGiant);
printf("u : ");
printGiant(sinst->u);
printf("messageGiant: ");
printGiant(messageGiant);
printf("curveParams :\n");
printCurveParams(cp);
}
#endif // SIG_DEBUG
abort:
if(messageGiant) {
freeGiant(messageGiant);
}
return frtn;
}
feeReturn feeECDSASign(
feePubKey pubKey,
feeSigFormat format, // Signature format DER 9.62 / RAW
const unsigned char *data, // data to be signed
unsigned dataLen, // in bytes
feeRandFcn randFcn, // optional
void *randRef, // optional
unsigned char **sigData, // malloc'd and RETURNED
unsigned *sigDataLen) // RETURNED
{
curveParams *cp;
/* giant integers per IEEE P1363 notation */
giant c; // both 1363 'c' and 'i'
// i.e., x-coord of u's pub key
giant d;
giant u; // random private key
giant s; // private key as giant
giant f; // data (message) as giant
feeReturn frtn = FR_Success;
feeRand frand;
unsigned char *randBytes;
unsigned randBytesLen;
unsigned groupBytesLen;
giant privGiant;
#if ECDSA_SIGN_USE_PROJ
pointProjStruct pt; // pt->x = c
giant pty; // pt->y
giant ptz; // pt->z
#endif // ECDSA_SIGN_USE_PROJ
if(pubKey == NULL) {
return FR_BadPubKey;
}
cp = feePubKeyCurveParams(pubKey);
if(cp == NULL) {
return FR_BadPubKey;
}
if(cp->curveType != FCT_Weierstrass) {
return FR_IllegalCurve;
}
CKASSERT(!isZero(cp->x1OrderPlus));
/*
* Private key and message to be signed as giants
*/
privGiant = feePubKeyPrivData(pubKey);
if(privGiant == NULL) {
dbgLog(("Attempt to Sign without private data\n"));
return FR_IllegalArg;
}
s = borrowGiant(cp->maxDigits);
gtog(privGiant, s);
if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) {
f = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen));
}
else {
f = borrowGiant(cp->maxDigits);
}
deserializeGiant(data, f, dataLen);
/*
* Certicom SEC1 states that if the digest is larger than the modulus,
* use the left q bits of the digest.
*/
unsigned hashBits = dataLen * 8;
if(hashBits > cp->q) {
gshiftright(hashBits - cp->q, f);
}
sigDbg(("ECDSA sign:\n"));
sigLogGiant(" s : ", s);
sigLogGiant(" f : ", f);
c = borrowGiant(cp->maxDigits);
d = borrowGiant(cp->maxDigits);
u = borrowGiant(cp->maxDigits);
if(randFcn == NULL) {
frand = feeRandAlloc();
}
else {
frand = NULL;
}
/*
* Random size is just larger than base prime
*/
groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8);
randBytesLen = groupBytesLen+8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. Per FIPS186-4 - "Using Extra Random Bits"
randBytes = (unsigned char*) fmalloc(randBytesLen);
#if ECDSA_SIGN_USE_PROJ
/* quick temp pointProj */
pty = borrowGiant(cp->maxDigits);
ptz = borrowGiant(cp->maxDigits);
pt.x = c;
pt.y = pty;
pt.z = ptz;
#endif // ECDSA_SIGN_USE_PROJ
while(1) {
/* Repeat this loop until we have a non-zero c and d */
/*
* 1) Obtain random u in [2, x1OrderPlus-2]
*/
SIGPROF_START;
if(randFcn) {
randFcn(randRef, randBytes, randBytesLen);
}
else {
feeRandBytes(frand, randBytes, randBytesLen);
}
deserializeGiant(randBytes, u, randBytesLen);
sigLogGiant(" raw u : ", u);
sigLogGiant(" order : ", cp->x1OrderPlus);
x1OrderPlusJustify(u, cp);
SIGPROF_END(signStep1);
sigLogGiant(" in range u : ", u);
/*
* note 'o' indicates elliptic multiply, * is integer mult.
*
* 2) Compute x coordinate, call it c, of u 'o' G
* 3) Reduce: c := c mod x1OrderPlus;
* 4) If c == 0, goto (1);
*/
SIGPROF_START;
gtog(cp->x1Plus, c);
#if ECDSA_SIGN_USE_PROJ
/* projective coordinates */
gtog(cp->y1Plus, pty);
int_to_giant(1, ptz);
ellMulProjSimple(&pt, u, cp);
#else /* ECDSA_SIGN_USE_PROJ */
/* the FEE way */
elliptic_simple(c, u, cp);
#endif /* ECDSA_SIGN_USE_PROJ */
SIGPROF_END(signStep2);
SIGPROF_START;
x1OrderPlusMod(c, cp);
SIGPROF_END(signStep34);
if(isZero(c)) {
dbgLog(("feeECDSASign: zero modulo (1)\n"));
continue;
}
/*
* 5) Compute u^(-1) mod x1OrderPlus;
*/
SIGPROF_START;
gtog(u, d);
binvg_x1OrderPlus(cp, d);
SIGPROF_END(signStep5);
sigLogGiant(" u^(-1) : ", d);
/*
* 6) Compute signature d as:
* d = [u^(-1) (f + s*c)] (mod x1OrderPlus)
*/
SIGPROF_START;
mulg(c, s); // s *= c
x1OrderPlusMod(s, cp);
addg(f, s); // s := f + (s * c)
x1OrderPlusMod(s, cp);
mulg(s, d); // d := u^(-1) (f + (s * c))
x1OrderPlusMod(d, cp);
SIGPROF_END(signStep67);
/*
* 7) If d = 0, goto (1);
*/
if(isZero(d)) {
dbgLog(("feeECDSASign: zero modulo (2)\n"));
continue;
}
sigLogGiant(" c : ", c);
sigLogGiant(" d : ", d);
break; // normal successful exit
}
/*
* 8) signature is now the integer pair (c, d).
*/
/*
* Cook up raw data representing the signature.
*/
SIGPROF_START;
ECDSA_encode(format,groupBytesLen, c, d, sigData, sigDataLen);
SIGPROF_END(signStep8);
if(frand != NULL) {
feeRandFree(frand);
}
ffree(randBytes);
returnGiant(u);
returnGiant(d);
returnGiant(c);
returnGiant(f);
returnGiant(s);
#if ECDSA_SIGN_USE_PROJ
returnGiant(pty);
returnGiant(ptz);
#endif /* ECDSA_SIGN_USE_PROJ */
return frtn;
}