/**
Get the size of an ECC key
@param key The key to get the size of
@return The size (octets) of the key or INT_MAX on error
*/
int ecc_get_size(ecc_key *key)
{
LTC_ARGCHK(key != NULL);
if (ltc_ecc_is_valid_idx(key->idx))
return key->dp->size;
else
return INT_MAX; /* large value known to cause it to fail when passed to ecc_make_key() */
}
/**
Export an ECC key as a binary packet
@param out [out] Destination for the key
@param outlen [in/out] Max size and resulting size of the exported key
@param type The type of key you want to export (PK_PRIVATE or PK_PUBLIC)
@param key The key to export
@return CRYPT_OK if successful
*/
int ecc_export(unsigned char *out, unsigned long *outlen, int type, ecc_key *key)
{
int err;
unsigned char flags[1];
unsigned long key_size;
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
/* type valid? */
if (key->type != PK_PRIVATE && type == PK_PRIVATE) {
return CRYPT_PK_TYPE_MISMATCH;
}
if (ltc_ecc_is_valid_idx(key->idx) == 0) {
return CRYPT_INVALID_ARG;
}
/* we store the NIST byte size */
key_size = key->dp->size;
if (type == PK_PRIVATE) {
flags[0] = 1;
err = der_encode_sequence_multi(out, outlen,
LTC_ASN1_BIT_STRING, 1UL, flags,
LTC_ASN1_SHORT_INTEGER, 1UL, &key_size,
LTC_ASN1_INTEGER, 1UL, key->pubkey.x,
LTC_ASN1_INTEGER, 1UL, key->pubkey.y,
LTC_ASN1_INTEGER, 1UL, key->k,
LTC_ASN1_EOL, 0UL, NULL);
} else {
flags[0] = 0;
err = der_encode_sequence_multi(out, outlen,
LTC_ASN1_BIT_STRING, 1UL, flags,
LTC_ASN1_SHORT_INTEGER, 1UL, &key_size,
LTC_ASN1_INTEGER, 1UL, key->pubkey.x,
LTC_ASN1_INTEGER, 1UL, key->pubkey.y,
LTC_ASN1_EOL, 0UL, NULL);
}
return err;
}
/** ECC X9.63 (Sec. 4.3.6) uncompressed export
@param key Key to export
@param out [out] destination of export
@param outlen [in/out] Length of destination and final output size
Return CRYPT_OK on success
*/
int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen)
{
unsigned char buf[ECC_BUF_SIZE];
unsigned long numlen, xlen, ylen;
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(outlen != NULL);
if (ltc_ecc_is_valid_idx(key->idx) == 0) {
return CRYPT_INVALID_ARG;
}
numlen = key->dp->size;
xlen = mp_unsigned_bin_size(key->pubkey.x);
ylen = mp_unsigned_bin_size(key->pubkey.y);
if (xlen > numlen || ylen > numlen || sizeof(buf) < numlen) {
return CRYPT_BUFFER_OVERFLOW;
}
if (*outlen < (1 + 2*numlen)) {
*outlen = 1 + 2*numlen;
return CRYPT_BUFFER_OVERFLOW;
}
LTC_ARGCHK(out != NULL);
/* store byte 0x04 */
out[0] = 0x04;
/* pad and store x */
zeromem(buf, sizeof(buf));
mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - xlen));
XMEMCPY(out+1, buf, numlen);
/* pad and store y */
zeromem(buf, sizeof(buf));
mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - ylen));
XMEMCPY(out+1+numlen, buf, numlen);
*outlen = 1 + 2*numlen;
return CRYPT_OK;
}
/**
Verify an ECC signature
@param sig The signature to verify
@param siglen The length of the signature (octets)
@param hash The hash (message digest) that was signed
@param hashlen The length of the hash (octets)
@param stat Result of signature, 1==valid, 0==invalid
@param key The corresponding public ECC key
@return CRYPT_OK if successful (even if the signature is not valid)
*/
int ecc_verify_hash(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key)
{
ecc_point *mG, *mQ;
void *r, *s, *v, *w, *u1, *u2, *e, *p, *m;
void *mp;
int err;
LTC_ARGCHK(sig != NULL);
LTC_ARGCHK(hash != NULL);
LTC_ARGCHK(stat != NULL);
LTC_ARGCHK(key != NULL);
/* default to invalid signature */
*stat = 0;
mp = NULL;
/* is the IDX valid ? */
if (ltc_ecc_is_valid_idx(key->idx) != 1) {
return CRYPT_PK_INVALID_TYPE;
}
/* allocate ints */
if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) {
return CRYPT_MEM;
}
/* allocate points */
mG = ltc_ecc_new_point();
mQ = ltc_ecc_new_point();
if (mQ == NULL || mG == NULL) {
err = CRYPT_MEM;
goto error;
}
/* parse header */
if ((err = der_decode_sequence_multi(sig, siglen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) {
goto error;
}
/* get the order */
if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto error; }
/* get the modulus */
if ((err = mp_read_radix(m, (char *)key->dp->prime, 16)) != CRYPT_OK) { goto error; }
/* check for zero */
if (mp_iszero(r) || mp_iszero(s) || mp_cmp(r, p) != LTC_MP_LT || mp_cmp(s, p) != LTC_MP_LT) {
err = CRYPT_INVALID_PACKET;
goto error;
}
/* read hash */
if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, (int)hashlen)) != CRYPT_OK) { goto error; }
/* w = s^-1 mod n */
if ((err = mp_invmod(s, p, w)) != CRYPT_OK) { goto error; }
/* u1 = ew */
if ((err = mp_mulmod(e, w, p, u1)) != CRYPT_OK) { goto error; }
/* u2 = rw */
if ((err = mp_mulmod(r, w, p, u2)) != CRYPT_OK) { goto error; }
/* find mG and mQ */
if ((err = mp_read_radix(mG->x, (char *)key->dp->Gx, 16)) != CRYPT_OK) { goto error; }
if ((err = mp_read_radix(mG->y, (char *)key->dp->Gy, 16)) != CRYPT_OK) { goto error; }
if ((err = mp_set(mG->z, 1)) != CRYPT_OK) { goto error; }
if ((err = mp_copy(key->pubkey.x, mQ->x)) != CRYPT_OK) { goto error; }
if ((err = mp_copy(key->pubkey.y, mQ->y)) != CRYPT_OK) { goto error; }
if ((err = mp_copy(key->pubkey.z, mQ->z)) != CRYPT_OK) { goto error; }
/* compute u1*mG + u2*mQ = mG */
if (ltc_mp.ecc_mul2add == NULL) {
if ((err = ltc_mp.ecc_ptmul(u1, mG, mG, m, 0)) != CRYPT_OK) { goto error; }
if ((err = ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0)) != CRYPT_OK) { goto error; }
/* find the montgomery mp */
if ((err = mp_montgomery_setup(m, &mp)) != CRYPT_OK) { goto error; }
/* add them */
if ((err = ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp)) != CRYPT_OK) { goto error; }
/* reduce */
if ((err = ltc_mp.ecc_map(mG, m, mp)) != CRYPT_OK) { goto error; }
} else {
/* use Shamir's trick to compute u1*mG + u2*mQ using half of the doubles */
if ((err = ltc_mp.ecc_mul2add(mG, u1, mQ, u2, mG, m)) != CRYPT_OK) { goto error; }
}
/* v = X_x1 mod n */
if ((err = mp_mod(mG->x, p, v)) != CRYPT_OK) { goto error; }
/* does v == r */
if (mp_cmp(v, r) == LTC_MP_EQ) {
*stat = 1;
}
/* clear up and return */
err = CRYPT_OK;
error:
ltc_ecc_del_point(mG);
ltc_ecc_del_point(mQ);
mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL);
if (mp != NULL) {
mp_montgomery_free(mp);
}
return err;
}
int ecc_export_full(unsigned char *out, unsigned long *outlen, int type, ecc_key *key)
{
int err;
void *prime, *order, *a, *b, *gx, *gy;
unsigned char bin_a[256], bin_b[256], bin_k[256], bin_g[512], bin_xy[512];
unsigned long len_a, len_b, len_k, len_g, len_xy;
unsigned long cofactor, one = 1;
oid_st oid;
ltc_asn1_list seq_fieldid[2], seq_curve[2], seq_ecparams[6], seq_priv[4];
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
if (key->type != PK_PRIVATE && type == PK_PRIVATE) return CRYPT_PK_TYPE_MISMATCH;
if (ltc_ecc_is_valid_idx(key->idx) == 0) return CRYPT_INVALID_ARG;
if ((err = mp_init_multi(&prime, &order, &a, &b, &gx, &gy, NULL)) != CRYPT_OK) return err;
if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(order, key->dp->order, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(a, key->dp->A, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(gx, key->dp->Gx, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(gy, key->dp->Gy, 16)) != CRYPT_OK) goto error;
/* curve param a */
len_a = mp_unsigned_bin_size(a);
if (len_a > sizeof(bin_a)) { err = CRYPT_BUFFER_OVERFLOW; goto error; }
if ((err = mp_to_unsigned_bin(a, bin_a)) != CRYPT_OK) goto error;
if (len_a == 0) { len_a = 1; bin_a[0] = 0; } /* XXX-TODO hack to handle case a == 0 */
/* curve param b */
len_b = mp_unsigned_bin_size(b);
if (len_b > sizeof(bin_b)) { err = CRYPT_BUFFER_OVERFLOW; goto error; }
if ((err = mp_to_unsigned_bin(b, bin_b)) != CRYPT_OK) goto error;
if (len_b == 0) { len_b = 1; bin_b[0] = 0; } /* XXX-TODO hack to handle case b == 0 */
/* base point - we export uncompressed form */
len_g = sizeof(bin_g);
if ((err = ecc_export_point(bin_g, &len_g, gx, gy, key->dp->size, 0)) != CRYPT_OK) goto error;
/* public key */
len_xy = sizeof(bin_xy);
if ((err = ecc_export_point(bin_xy, &len_xy, key->pubkey.x, key->pubkey.y, key->dp->size, 0)) != CRYPT_OK) goto error;
/* co-factor */
cofactor = key->dp->cofactor;
/* we support only prime-field EC */
if ((err = pk_get_oid(EC_PRIME_FIELD, &oid)) != CRYPT_OK) goto error;
/* FieldID SEQUENCE */
LTC_SET_ASN1(seq_fieldid, 0, LTC_ASN1_OBJECT_IDENTIFIER, oid.OID, oid.OIDlen);
LTC_SET_ASN1(seq_fieldid, 1, LTC_ASN1_INTEGER, prime, 1UL);
/* Curve SEQUENCE */
LTC_SET_ASN1(seq_curve, 0, LTC_ASN1_OCTET_STRING, bin_a, len_a);
LTC_SET_ASN1(seq_curve, 1, LTC_ASN1_OCTET_STRING, bin_b, len_b);
/* ECParameters SEQUENCE */
LTC_SET_ASN1(seq_ecparams, 0, LTC_ASN1_SHORT_INTEGER, &one, 1UL);
LTC_SET_ASN1(seq_ecparams, 1, LTC_ASN1_SEQUENCE, seq_fieldid, 2UL);
LTC_SET_ASN1(seq_ecparams, 2, LTC_ASN1_SEQUENCE, seq_curve, 2UL);
LTC_SET_ASN1(seq_ecparams, 3, LTC_ASN1_OCTET_STRING, bin_g, len_g);
LTC_SET_ASN1(seq_ecparams, 4, LTC_ASN1_INTEGER, order, 1UL);
LTC_SET_ASN1(seq_ecparams, 5, LTC_ASN1_SHORT_INTEGER, &cofactor, 1UL);
if (type == PK_PRIVATE) {
/* private key format: http://tools.ietf.org/html/rfc5915
ECPrivateKey ::= SEQUENCE { # SEQUENCE
version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), # INTEGER :01
privateKey OCTET STRING, # OCTET STRING
[0] ECParameters ::= SEQUENCE { # SEQUENCE
version INTEGER { ecpVer1(1) } (ecpVer1), # INTEGER :01
FieldID ::= SEQUENCE { # SEQUENCE
fieldType FIELD-ID.&id({IOSet}), # OBJECT :prime-field
parameters FIELD-ID.&Type({IOSet}{@fieldType}) # INTEGER
}
Curve ::= SEQUENCE { # SEQUENCE
a FieldElement ::= OCTET STRING # OCTET STRING
b FieldElement ::= OCTET STRING # OCTET STRING
seed BIT STRING OPTIONAL
}
base ECPoint ::= OCTET STRING # OCTET STRING
order INTEGER, # INTEGER
cofactor INTEGER OPTIONAL # INTEGER
}
[1] publicKey # BIT STRING
}
*/
/* private key */
len_k = mp_unsigned_bin_size(key->k);
if (len_k > sizeof(bin_k)) { err = CRYPT_BUFFER_OVERFLOW; goto error; }
if ((err = mp_to_unsigned_bin(key->k, bin_k)) != CRYPT_OK) goto error;
LTC_SET_ASN1(seq_priv, 0, LTC_ASN1_SHORT_INTEGER, &one, 1UL);
LTC_SET_ASN1(seq_priv, 1, LTC_ASN1_OCTET_STRING, bin_k, len_k);
LTC_SET_ASN1(seq_priv, 2, LTC_ASN1_SEQUENCE, seq_ecparams, 6UL);
LTC_SET_ASN1(seq_priv, 3, LTC_ASN1_RAW_BIT_STRING, bin_xy, 8*len_xy);
seq_priv[2].tag = 0xA0;
seq_priv[3].tag = 0xA1;
err = der_encode_sequence(seq_priv, 4, out, outlen);
}
else {
/* public key format: http://tools.ietf.org/html/rfc5480
SubjectPublicKeyInfo ::= SEQUENCE { # SEQUENCE
AlgorithmIdentifier ::= SEQUENCE { # SEQUENCE
algorithm OBJECT IDENTIFIER # OBJECT :id-ecPublicKey
ECParameters ::= SEQUENCE { # SEQUENCE
version INTEGER { ecpVer1(1) } (ecpVer1), # INTEGER :01
FieldID ::= SEQUENCE { # SEQUENCE
fieldType FIELD-ID.&id({IOSet}), # OBJECT :prime-field
parameters FIELD-ID.&Type({IOSet}{@fieldType}) # INTEGER
}
Curve ::= SEQUENCE { # SEQUENCE
a FieldElement ::= OCTET STRING # OCTET STRING
b FieldElement ::= OCTET STRING # OCTET STRING
seed BIT STRING OPTIONAL
}
base ECPoint ::= OCTET STRING # OCTET STRING
order INTEGER, # INTEGER
cofactor INTEGER OPTIONAL # INTEGER
}
}
subjectPublicKey BIT STRING # BIT STRING
}
*/
err = der_encode_subject_public_key_info( out, outlen,
PKA_EC, bin_xy, len_xy,
LTC_ASN1_SEQUENCE, seq_ecparams, 6 );
}
error:
mp_clear_multi(prime, order, a, b, gx, gy, NULL);
return err;
}
/**
Sign a message digest
@param in The message digest to sign
@param inlen The length of the digest
@param out [out] The destination for the signature
@param outlen [in/out] The max size and resulting size of the signature
@param prng An active PRNG state
@param wprng The index of the PRNG you wish to use
@param key A private ECC key
@return CRYPT_OK if successful
*/
int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key)
{
ecc_key pubkey;
void *r, *s, *e, *p;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
/* is this a private key? */
if (key->type != PK_PRIVATE) {
return CRYPT_PK_NOT_PRIVATE;
}
/* is the IDX valid ? */
if (ltc_ecc_is_valid_idx(key->idx) != 1) {
return CRYPT_PK_INVALID_TYPE;
}
if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
return err;
}
/* get the hash and load it as a bignum into 'e' */
/* init the bignums */
if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != CRYPT_OK) {
ecc_free(&pubkey);
goto LBL_ERR;
}
if ((err = mp_read_radix(p, (char *)ltc_ecc_sets[key->idx].order, 16)) != CRYPT_OK) { goto error; }
if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto error; }
/* make up a key and export the public copy */
for (;;) {
if ((err = ecc_make_key(prng, wprng, ecc_get_size(key), &pubkey)) != CRYPT_OK) {
return err;
}
/* find r = x1 mod n */
if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK) { goto error; }
if (mp_iszero(r)) {
ecc_free(&pubkey);
} else {
/* find s = (e + xr)/k */
if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/k */
if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */
if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e + xr */
if ((err = mp_mod(s, p, s)) != CRYPT_OK) { goto error; } /* s = e + xr */
if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK) { goto error; } /* s = (e + xr)/k */
if (mp_iszero(s)) {
ecc_free(&pubkey);
} else {
break;
}
}
}
/* store as SEQUENCE { r, s -- integer } */
err = der_encode_sequence_multi(out, outlen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL);
goto LBL_ERR;
error:
LBL_ERR:
mp_clear_multi(r, s, p, e, NULL);
ecc_free(&pubkey);
return err;
}
