size_t bdConvToOctets(T b, unsigned char *c, size_t nbytes)
/* Convert big digit b into string of octets, in big-endian order,
padding to nbytes or truncating if necessary.
Returns # significant bytes.
If c is NULL or nbytes == 0 then just return required size.
*/
{
size_t noctets, nbits, n;
assert(b);
nbits = mpBitLength(b->digits, b->ndigits);
noctets = (nbits + 7) / 8;
/* [2008-05-23] always return at least 1 */
if (0 == noctets) noctets = 1;
if (!c || 0 == nbytes)
{
return noctets;
}
n = mpConvToOctets(b->digits, b->ndigits, c, nbytes);
return noctets;
}
/* --------------------------------------------------------------------------
* EcdsaSignerInit
* -------------------------------------------------------------------------- */
VLT_STS EcdsaSignerInit(
const VLT_ECDSA_DOMAIN_PARAMS* pDomainParams,
const VLT_ECDSA_PRIVATE_KEY* pPrivateKey,
const VLT_ECDSA_PUBLIC_KEY* pPublicKey,
VLT_U8 u8OpMode)
{
UINT len;
if ((NULL == pDomainParams ))
{
return (EECDSAINITNULLPARAM);
}
/* Check the operation mode is supported */
if (VLT_SIGN_MODE == u8OpMode)
{
/* SIGN needs a valid private key */
if (NULL == pPrivateKey)
return (EECDSAINITNULLPARAM);
if (NULL == pPrivateKey->pu8D)
{
return EECDSAINITNULLPARAM;
}
if ((pPrivateKey->u16DLen == 0) ||
(pPrivateKey->u16DLen > MAX_BYTES))
return EECDSAINVALIDPARAM;
}
else if (VLT_VERIFY_MODE == u8OpMode)
{
/* VERIFY needs a public private key */
if (NULL == pPublicKey )
return (EECDSAINITNULLPARAM);
if ((NULL == pPublicKey->pu8Qx) ||
(NULL == pPublicKey->pu8Qy))
{
return EECDSAINITNULLPARAM;
}
if ((pPublicKey->u16QLen == 0) ||
(pPublicKey->u16QLen > MAX_BYTES))
return EECDSAINVALIDPARAM;
}
else
{
/* invalid mode */
return (EECDSAOPMODENOTSUPP);
}
/* validate domain params */
if ((NULL == pDomainParams->pu8A) ||
(NULL == pDomainParams->pu8B) ||
(NULL == pDomainParams->pu8Gx) ||
(NULL == pDomainParams->pu8Gy) ||
(NULL == pDomainParams->pu8Gz) ||
(NULL == pDomainParams->pu8N) ||
(NULL == pDomainParams->pu8Q))
return (EECDSAINITNULLPARAM);
if ( (pDomainParams->u16QLen == 0) ||
(pDomainParams->u16QLen > MAX_BYTES))
return EECDSAINVALIDPARAM;
if ((pDomainParams->u16NLen == 0) ||
(pDomainParams->u16NLen > MAX_BYTES))
return EECDSAINVALIDPARAM;
/* set-up number of big digits and bytes required to represent field elements */
sNumFieldBytes = (VLT_U8)pDomainParams->u16QLen;
sNumFieldDigits = (VLT_U8)NUM_DIGITS(pDomainParams->u16QLen);
/* base point order length may be significantly smaller than field size */
sNumBpOrderBytes = (VLT_U8)pDomainParams->u16NLen;
sNumBpOrderDigits = (VLT_U8)NUM_DIGITS(pDomainParams->u16NLen);
/*
* set-up EC library domain parameter object. This requires
* type conversions and coercions from the VaultIC domain
* type defintions. In general we need to convert from
* BYTE arrays in MSB to LSB order to big digit library arrays,
* which are 32-bit integer arrays in LSB to MSB order.
*/
mpConvFromOctets(E_a, sNumFieldDigits, pDomainParams->pu8A, sNumFieldBytes);
mpConvFromOctets(E_b, sNumFieldDigits, pDomainParams->pu8B, sNumFieldBytes);
mpConvFromOctets(E_Gx, sNumFieldDigits, pDomainParams->pu8Gx, sNumFieldBytes);
mpConvFromOctets(E_Gy, sNumFieldDigits, pDomainParams->pu8Gy, sNumFieldBytes);
mpConvFromOctets(E_n, sNumFieldDigits, pDomainParams->pu8Q, sNumFieldBytes);
mpConvFromOctets(E_r, sNumFieldDigits, pDomainParams->pu8N, sNumFieldBytes);
/* set-up curve data structure */
E.G.x = E_Gx; /* base generator point X co-ordinate */
E.G.y = E_Gy; /* base generator point Y co-ordinate */
E.a = E_a; /* curve equation co-efficient a */
E.b = E_b; /* curve equation co-efficient b */
E.h = pDomainParams->u32H; /* co-factor */
E.len = sNumFieldDigits; /* size of field in big digits */
E.n = E_n; /* reduction polynomial */
E.r = E_r; /* base point order */
E.rlen = sNumFieldDigits; /* base point order length in big digits */
/* check field size is within bounds */
len = mpBitLength(E.n, E.len);
if (len > (MAX_BITS + 1))
{
return EECDSAINVALIDPARAM;
}
/* set-up key storage */
if (VLT_VERIFY_MODE == u8OpMode)
{
mpConvFromOctets(sPublicKeyQx, sNumFieldDigits,
pPublicKey->pu8Qx, pPublicKey->u16QLen);
mpConvFromOctets(sPublicKeyQy, sNumFieldDigits,
pPublicKey->pu8Qy, pPublicKey->u16QLen);
signerState = ST_INITIALISED_VERIFY;
}
if (VLT_SIGN_MODE == u8OpMode)
{
mpConvFromOctets(sPrivateKey, sNumBpOrderDigits,
pPrivateKey->pu8D, pPrivateKey->u16DLen);
signerState = ST_INITIALISED_SIGN;
}
/* Seed the random-number generator with current time so that
* the numbers will be different every time we run.
*/
srand( (unsigned)time( NULL ) );
return VLT_OK;
}
/* --------------------------------------------------------------------------
* EcdsaSignerDoFinal
* -------------------------------------------------------------------------- */
VLT_STS EcdsaSignerDoFinal(
VLT_PU8 pu8Message,
VLT_U32 u32MessageLen,
VLT_U32 u32MessageCapacity,
VLT_PU8 pu8Signature,
VLT_PU32 pu32SignatureLen,
VLT_U32 u32SignatureCapacity )
{
E2n_Point P;
E2n_Point R;
E2n_Point Q;
/* intermediate calculation storage */
DIGIT_T k[MAX_DIGITS];
DIGIT_T k1[MAX_DIGITS];
DIGIT_T tmp[MAX_DIGITS];
DIGIT_T r[MAX_DIGITS];
DIGIT_T s[MAX_DIGITS];
DIGIT_T u1[MAX_DIGITS];
DIGIT_T u2[MAX_DIGITS];
DIGIT_T v[MAX_DIGITS];
DIGIT_T yy[MAX_DIGITS];
DIGIT_T Px[MAX_DIGITS];
DIGIT_T Py[MAX_DIGITS];
DIGIT_T Rx[MAX_DIGITS];
DIGIT_T Ry[MAX_DIGITS];
DIGIT_T Qx[MAX_DIGITS];
DIGIT_T Qy[MAX_DIGITS];
/* SHA-256 storage */
DIGIT_T bdHash[MAX_DIGITS];
VLT_U8 bHash[HASH_BYTE_SIZE];
UINT len;
UINT hashLen;
sha256_ctx ctx; // context holder
VLT_STS status = VLT_FAIL;
if((ST_INITIALISED_SIGN != signerState) &&
(ST_INITIALISED_VERIFY != signerState))
{
/* not initialised */
return EECDSAEXECUTIONERROR;
}
/* Initialise Point variables */
P.x = Px;
P.y = Py;
R.x = Rx;
R.y = Ry;
Q.x = Qx;
Q.y = Qy;
if ( ( NULL == pu8Message ) ||
( NULL == pu8Signature ) ||
( NULL == pu32SignatureLen ) )
{
return ( EECDSAINUPNULLPARAM );
}
/* hash of message used by both signing and verify */
/* e or e1 = SHA-256(M) */
sha256_begin(&ctx);
sha256_hash(pu8Message, u32MessageLen, &ctx);
sha256_end(bHash, &ctx);
/* convert hash to big digits,
same size as base point order if > hash size */
if (sNumBpOrderDigits > HASH_DIGIT_SIZE)
hashLen = sNumBpOrderDigits;
else
hashLen = HASH_DIGIT_SIZE;
mpConvFromOctets(bdHash, hashLen, bHash, HASH_BYTE_SIZE);
/* ANS X9.62-2005 7.3.e
// if bit length of hash is > bit length of base point order
// then truncate hash by removing LSBs until bit length
// equals the length of the base point order
*/
len = mpBitLength(E.r, E.rlen);
if (len < HASH_SIZE)
{
/* take leftmost bits of message by shifting right */
mpShiftRight(tmp, bdHash, HASH_SIZE - len, hashLen);
/* truncate to base point order size */
mpSetEqual(bdHash, tmp, E.rlen);
}
if (ST_INITIALISED_SIGN == signerState)
{
/* signing process as per ANS X9.62 Section 7.3 */
*pu32SignatureLen = 0;
/* generate ephemeral private key k such that 0 < k < n */
if (VLT_OK != GenerateRandomDigits(tmp, E.rlen))
return EECDSAEXECUTIONERROR;
mpModulo(k, tmp, E.rlen, E.r, E.rlen);
if (mpIsZero(k, E.rlen))
{
/* probability of a zero is 1/n */
if (VLT_OK != GenerateRandomDigits(tmp, E.rlen))
return EECDSAEXECUTIONERROR;
mpModulo(k, tmp, E.rlen, E.r, E.rlen);
if (mpIsZero(k, E.rlen))
{
return EECDSAEXECUTIONERROR;
}
}
/* generate ephemeral public key: P = kG */
e2n_point_mul(&E, &P, &E.G, k, E.rlen);
/* convert P.x to integer j */
/* conversion is implicit for polynomial basis */
/*
// r = j mod n, n = base point oder (E.r)
*/
mpModulo(r, P.x, E.rlen, E.r, E.rlen);
/*
// calculate s = k^-1 (e + dr) mod n
*/
/* Compute k' = k^-1 mod n */
mpModInv(k1, k, E.r, E.rlen);
/* Compute s = (k^-1(SHA-xxx(M) + dr)) mod n */
/* d * r */
mpModMult(tmp, sPrivateKey, r, E.r, E.rlen);
/* M + d * r */
mpModAdd(yy, tmp, bdHash, E.r, E.rlen);
/* s = (k^-1)(M + dr) */
mpModMult(s, k1, yy, E.r, E.rlen);
/* signing: convert back to byte format and construct r || s */
mpConvToOctets(r, sNumBpOrderDigits, pu8Signature, sNumBpOrderBytes);
mpConvToOctets(s, sNumBpOrderDigits, pu8Signature + sNumBpOrderBytes,
sNumBpOrderBytes);
/* set the byte length of the output signature */
*pu32SignatureLen = sNumBpOrderBytes * 2;
status = VLT_OK;
}
else
{
/* ANS X9.62-2005 Section 7.4.1: Verification with Public Key */;
/* extract r & s and format as big digits */
mpConvFromOctets(r, E.rlen, pu8Signature, (*pu32SignatureLen) / 2);
mpConvFromOctets(s, E.rlen, pu8Signature + (*pu32SignatureLen / 2),
(*pu32SignatureLen) / 2);
/* Compute u1 = e1(s1^-1) mod n */
mpModInv(tmp, s, E.r, E.rlen);
mpModMult(u1, tmp, bdHash, E.r, E.rlen);
/* Compute u2 = r1(s1^-1) mod n */
mpModMult(u2, tmp, r, E.r, E.rlen);
/* use supplied public key */
mpSetEqual(Q.x, sPublicKeyQx, E.len);
mpSetEqual(Q.y, sPublicKeyQy, E.len);
/* compute R = u1G */
e2n_point_mul(&E, &R, &E.G, u1, E.rlen);
/* P = u2Q */
e2n_point_mul(&E, &P, &Q, u2, E.rlen);
/* R = R + P */
e2n_point_add(&E, &R, &R, &P);
/* compute v = j mod n */
mpModulo(v, R.x, E.rlen, E.r, E.rlen);
/* verify v == r */
if (mpEqual(v, r, E.rlen))
{
status = VLT_OK;
}
else
{
status = VLT_FAIL;
}
}
return ( status );
}
size_t bdBitLength(T b)
/* Returns base-1 index to most significant bit in b */
{
assert(b);
return mpBitLength(b->digits, b->ndigits);
}
