size_t bdConvFromOctets(T b, const unsigned char *c, size_t nbytes)
/* Load the nbytes octets at c into big digit b, resizing b first so that it
 * can hold them. Returns the digit count reported by mpConvFromOctets. */
{
	size_t digits_needed;
	size_t digits_set;

	assert(b);

	/* Round up so a partial trailing group of octets still gets a digit.
	 * NOTE(review): nbytes is not range-checked here; a value within
	 * OCTETS_PER_DIGIT - 1 of the size_t maximum would wrap this sum and
	 * under-size the buffer. Confirm that callers bound nbytes. */
	digits_needed = (nbytes + OCTETS_PER_DIGIT - 1) / OCTETS_PER_DIGIT;

	/* NOTE(review): whatever bd_resize reports is not inspected before
	 * b->digits is written below; confirm it cannot fail silently. */
	bd_resize(b, digits_needed);

	digits_set = mpConvFromOctets(b->digits, digits_needed, c, nbytes);

	/* Record the significant length separately from the converted count. */
	b->ndigits = mpSizeof(b->digits, digits_set);

	return digits_set;
}
示例#2
/* --------------------------------------------------------------------------
 * EcdsaSignerInit
 * -------------------------------------------------------------------------- */
/*
 * Validate the curve domain parameters and the key required by u8OpMode,
 * load them into the module's big-digit curve state and record in
 * signerState whether the signer is ready to sign or to verify.
 *
 * Only the key matching the mode is examined: pPrivateKey for
 * VLT_SIGN_MODE, pPublicKey for VLT_VERIFY_MODE.
 *
 * Returns VLT_OK on success, EECDSAINITNULLPARAM for a missing pointer,
 * EECDSAINVALIDPARAM for a zero or over-long length or an over-wide field,
 * and EECDSAOPMODENOTSUPP for any other mode.
 */
VLT_STS EcdsaSignerInit(
	const VLT_ECDSA_DOMAIN_PARAMS* pDomainParams,
	const VLT_ECDSA_PRIVATE_KEY* pPrivateKey,
	const VLT_ECDSA_PUBLIC_KEY* pPublicKey,
	VLT_U8 u8OpMode)
{
	UINT fieldBits;

	if (NULL == pDomainParams)
	{
		return EECDSAINITNULLPARAM;
	}

	/* The key that must be present depends on the requested mode */
	if (VLT_SIGN_MODE == u8OpMode)
	{
		/* SIGN needs a private key with a non-empty scalar d */
		if ((NULL == pPrivateKey) || (NULL == pPrivateKey->pu8D))
		{
			return EECDSAINITNULLPARAM;
		}

		if ((0 == pPrivateKey->u16DLen) ||
			(pPrivateKey->u16DLen > MAX_BYTES))
		{
			return EECDSAINVALIDPARAM;
		}
	}
	else if (VLT_VERIFY_MODE == u8OpMode)
	{
		/* VERIFY needs a public key with both co-ordinates present */
		if ((NULL == pPublicKey) ||
			(NULL == pPublicKey->pu8Qx) ||
			(NULL == pPublicKey->pu8Qy))
		{
			return EECDSAINITNULLPARAM;
		}

		if ((0 == pPublicKey->u16QLen) ||
			(pPublicKey->u16QLen > MAX_BYTES))
		{
			return EECDSAINVALIDPARAM;
		}
	}
	else
	{
		/* neither sign nor verify */
		return EECDSAOPMODENOTSUPP;
	}

	/* Every domain parameter pointer must be supplied. pu8Gz is required
	 * here although nothing below reads it. */
	if ((NULL == pDomainParams->pu8A) ||
		(NULL == pDomainParams->pu8B) ||
		(NULL == pDomainParams->pu8Gx) ||
		(NULL == pDomainParams->pu8Gy) ||
		(NULL == pDomainParams->pu8Gz) ||
		(NULL == pDomainParams->pu8N) ||
		(NULL == pDomainParams->pu8Q))
	{
		return EECDSAINITNULLPARAM;
	}

	/* Field and base point order lengths: non-zero and at most MAX_BYTES */
	if ((0 == pDomainParams->u16QLen) ||
		(pDomainParams->u16QLen > MAX_BYTES) ||
		(0 == pDomainParams->u16NLen) ||
		(pDomainParams->u16NLen > MAX_BYTES))
	{
		return EECDSAINVALIDPARAM;
	}

	/* Bytes and big digits needed for a field element.
	 * NOTE(review): the lengths are narrowed to VLT_U8; this is lossless
	 * only if MAX_BYTES fits in 8 bits - confirm. */
	sNumFieldBytes = (VLT_U8)pDomainParams->u16QLen;
	sNumFieldDigits = (VLT_U8)NUM_DIGITS(pDomainParams->u16QLen);

	/* The base point order may be significantly shorter than the field */
	sNumBpOrderBytes = (VLT_U8)pDomainParams->u16NLen;
	sNumBpOrderDigits = (VLT_U8)NUM_DIGITS(pDomainParams->u16NLen);

	/*
	 * Fill the EC library's domain parameter object. The VaultIC types
	 * carry byte arrays in MSB to LSB order; the big digit library works
	 * on arrays of 32-bit integers in LSB to MSB order, so each value is
	 * converted.
	 *
	 * NOTE(review): pu8N is read with the field byte count (u16QLen)
	 * although its validated length is u16NLen. When u16NLen is smaller
	 * this reads past the declared length of pu8N. Confirm whether callers
	 * pad pu8N to the field size or whether u16NLen should be used here.
	 */
	mpConvFromOctets(E_a, sNumFieldDigits, pDomainParams->pu8A, sNumFieldBytes);
	mpConvFromOctets(E_b, sNumFieldDigits, pDomainParams->pu8B, sNumFieldBytes);
	mpConvFromOctets(E_Gx, sNumFieldDigits, pDomainParams->pu8Gx, sNumFieldBytes);
	mpConvFromOctets(E_Gy, sNumFieldDigits, pDomainParams->pu8Gy, sNumFieldBytes);
	mpConvFromOctets(E_n, sNumFieldDigits, pDomainParams->pu8Q, sNumFieldBytes);
	mpConvFromOctets(E_r, sNumFieldDigits, pDomainParams->pu8N, sNumFieldBytes);

	/* Point the curve structure at the converted values */
	E.a = E_a;                  /* curve equation co-efficient a */
	E.b = E_b;                  /* curve equation co-efficient b */
	E.G.x = E_Gx;               /* base generator point X co-ordinate */
	E.G.y = E_Gy;               /* base generator point Y co-ordinate */
	E.n = E_n;                  /* reduction polynomial */
	E.r = E_r;                  /* base point order */
	E.h = pDomainParams->u32H;  /* co-factor */
	E.len = sNumFieldDigits;    /* size of field in big digits */
	E.rlen = sNumFieldDigits;   /* order length, held at field width */

	/* Reject a field wider than the library supports.
	 * NOTE(review): the curve globals above have already been overwritten
	 * at this point while signerState is left as it was, so a failed
	 * re-initialisation can leave an earlier "initialised" state paired
	 * with new parameters. Confirm callers treat any failure as fatal. */
	fieldBits = mpBitLength(E.n, E.len);
	if (fieldBits > (MAX_BITS + 1))
	{
		return EECDSAINVALIDPARAM;
	}

	/* Store the key for the selected mode and mark the signer ready */
	if (VLT_VERIFY_MODE == u8OpMode)
	{
		mpConvFromOctets(sPublicKeyQx, sNumFieldDigits,
			pPublicKey->pu8Qx, pPublicKey->u16QLen);
		mpConvFromOctets(sPublicKeyQy, sNumFieldDigits,
			pPublicKey->pu8Qy, pPublicKey->u16QLen);
		signerState = ST_INITIALISED_VERIFY;
	}

	if (VLT_SIGN_MODE == u8OpMode)
	{
		/* NOTE(review): only sNumBpOrderDigits digits of sPrivateKey are
		 * written here; confirm later arithmetic does not read beyond
		 * them into values left by an earlier initialisation. */
		mpConvFromOctets(sPrivateKey, sNumBpOrderDigits,
			pPrivateKey->pu8D, pPrivateKey->u16DLen);
		signerState = ST_INITIALISED_SIGN;
	}

	/*
	 * Seed the C library generator from the clock so that each run
	 * produces different numbers.
	 *
	 * NOTE(review): a time-seeded rand() stream is predictable. If the
	 * per-signature nonce is drawn from rand(), the private key can be
	 * recovered from signatures; confirm the nonce source is a
	 * cryptographically secure generator.
	 */
	srand((unsigned)time(NULL));

	return VLT_OK;
}
示例#3
/* --------------------------------------------------------------------------
 * EcdsaSignerDoFinal
 * -------------------------------------------------------------------------- */
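/*
 * Hash the message with SHA-256 and, depending on the state recorded in
 * signerState, either write the signature r || s to pu8Signature or check
 * the signature supplied there.
 *
 * Sign:   on success *pu32SignatureLen is set to the number of bytes
 *         written and VLT_OK is returned.
 * Verify: *pu32SignatureLen is read as the length of r || s; VLT_OK means
 *         the signature was accepted, VLT_FAIL that it was rejected.
 *
 * EECDSAEXECUTIONERROR is returned when the signer is not initialised,
 * when the signature length or buffer does not fit u32SignatureCapacity,
 * or when no usable nonce or signature could be produced.
 * EECDSAINUPNULLPARAM is returned for a NULL message, signature or length
 * pointer.
 *
 * NOTE(review): u32MessageCapacity is not used; confirm callers guarantee
 * u32MessageLen does not exceed the message buffer.
 */
VLT_STS EcdsaSignerDoFinal(
    VLT_PU8 pu8Message, 
    VLT_U32 u32MessageLen, 
    VLT_U32 u32MessageCapacity, 
    VLT_PU8 pu8Signature, 
    VLT_PU32 pu32SignatureLen, 
    VLT_U32 u32SignatureCapacity )
{
	E2n_Point P;
	E2n_Point R;
	E2n_Point Q;

	/* intermediate calculation storage */
	DIGIT_T k[MAX_DIGITS];
	DIGIT_T k1[MAX_DIGITS];
	DIGIT_T tmp[MAX_DIGITS];
	DIGIT_T r[MAX_DIGITS];
	DIGIT_T s[MAX_DIGITS];
	DIGIT_T u1[MAX_DIGITS];
	DIGIT_T u2[MAX_DIGITS];
	DIGIT_T v[MAX_DIGITS];
	DIGIT_T yy[MAX_DIGITS];

	DIGIT_T Px[MAX_DIGITS];
	DIGIT_T Py[MAX_DIGITS];

	DIGIT_T Rx[MAX_DIGITS];
	DIGIT_T Ry[MAX_DIGITS];

	DIGIT_T Qx[MAX_DIGITS];
	DIGIT_T Qy[MAX_DIGITS];

	/* SHA-256 storage */
	DIGIT_T bdHash[MAX_DIGITS];
	VLT_U8 bHash[HASH_BYTE_SIZE];

	UINT len;
	UINT hashLen;

	VLT_U32 sigLen;
	VLT_U32 halfLen;

	sha256_ctx ctx; /* hash context */

	VLT_STS status = VLT_FAIL;

	if ((ST_INITIALISED_SIGN != signerState) &&
		(ST_INITIALISED_VERIFY != signerState))
	{
		/* not initialised */
		return EECDSAEXECUTIONERROR;
	}

	/* Attach the local co-ordinate buffers to the point variables */
	P.x = Px;
	P.y = Py;
	R.x = Rx;
	R.y = Ry;
	Q.x = Qx;
	Q.y = Qy;

	if ((NULL == pu8Message) ||
		(NULL == pu8Signature) ||
		(NULL == pu32SignatureLen))
	{
		return EECDSAINUPNULLPARAM;
	}

	/* The message hash is used by both signing and verification:
	 * e or e1 = SHA-256(M) */
	sha256_begin(&ctx);
	sha256_hash(pu8Message, u32MessageLen, &ctx);
	sha256_end(bHash, &ctx);

	/* Convert the hash to big digits, widened to the base point order
	 * size when that is larger than the hash */
	if (sNumBpOrderDigits > HASH_DIGIT_SIZE)
		hashLen = sNumBpOrderDigits;
	else
		hashLen = HASH_DIGIT_SIZE;
	mpConvFromOctets(bdHash, hashLen, bHash, HASH_BYTE_SIZE);

	/* ANS X9.62-2005 7.3.e: if the hash has more bits than the base point
	 * order, drop least significant bits until the lengths match */
	len = mpBitLength(E.r, E.rlen);
	if (len < HASH_SIZE)
	{
		/* keep the leftmost bits of the hash by shifting right */
		mpShiftRight(tmp, bdHash, HASH_SIZE - len, hashLen);
		/* truncate to base point order size */
		mpSetEqual(bdHash, tmp, E.rlen);
	}

	if (ST_INITIALISED_SIGN == signerState)
	{
		/* signing process as per ANS X9.62 Section 7.3 */
		*pu32SignatureLen = 0;

		/* r || s is written below without any other bound, so refuse a
		 * buffer that cannot hold both halves */
		if (u32SignatureCapacity < ((VLT_U32)sNumBpOrderBytes * 2))
		{
			return EECDSAEXECUTIONERROR;
		}

		/* Generate ephemeral private key k such that 0 < k < n.
		 * NOTE(review): the signature is only as strong as
		 * GenerateRandomDigits, which is not visible here; confirm it
		 * draws from a cryptographically secure source. */
		if (VLT_OK != GenerateRandomDigits(tmp, E.rlen))
			return EECDSAEXECUTIONERROR;
		mpModulo(k, tmp, E.rlen, E.r, E.rlen);
		if (mpIsZero(k, E.rlen))
		{
			/* probability of a zero is 1/n; try once more */
			if (VLT_OK != GenerateRandomDigits(tmp, E.rlen))
				return EECDSAEXECUTIONERROR;
			mpModulo(k, tmp, E.rlen, E.r, E.rlen);
			if (mpIsZero(k, E.rlen))
			{
				return EECDSAEXECUTIONERROR;
			}
		}

		/* generate ephemeral public key: P = kG */
		e2n_point_mul(&E, &P, &E.G, k, E.rlen);

		/* convert P.x to integer j; the conversion is implicit for
		 * polynomial basis */

		/* r = j mod n, n = base point order (E.r) */
		mpModulo(r, P.x, E.rlen, E.r, E.rlen);

		/* r = 0 is not a valid signature component; the caller must
		 * sign again with a fresh nonce */
		if (mpIsZero(r, E.rlen))
		{
			return EECDSAEXECUTIONERROR;
		}

		/* calculate s = k^-1 (e + dr) mod n */

		/* k' = k^-1 mod n */
		mpModInv(k1, k, E.r, E.rlen);

		/* d * r */
		mpModMult(tmp, sPrivateKey, r, E.r, E.rlen);
		/* e + d * r */
		mpModAdd(yy, tmp, bdHash, E.r, E.rlen);
		/* s = (k^-1)(e + dr) */
		mpModMult(s, k1, yy, E.r, E.rlen);

		/* s = 0 is likewise not a valid signature component */
		if (mpIsZero(s, E.rlen))
		{
			return EECDSAEXECUTIONERROR;
		}

		/* convert back to byte format and construct r || s */
		mpConvToOctets(r, sNumBpOrderDigits, pu8Signature, sNumBpOrderBytes);
		mpConvToOctets(s, sNumBpOrderDigits, pu8Signature + sNumBpOrderBytes,
			sNumBpOrderBytes);

		/* set the byte length of the output signature */
		*pu32SignatureLen = sNumBpOrderBytes * 2;

		/* NOTE(review): k, k1 and the other intermediates remain on the
		 * stack after return; consider wiping them with a call the
		 * compiler cannot elide. */
		status = VLT_OK;
	}
	else
	{
		/* ANS X9.62-2005 Section 7.4.1: Verification with Public Key */

		/* The stated length drives the reads from pu8Signature below,
		 * so it must not exceed the buffer the caller declared */
		sigLen = *pu32SignatureLen;
		if (sigLen > u32SignatureCapacity)
		{
			return EECDSAEXECUTIONERROR;
		}
		halfLen = sigLen / 2;

		/* extract r & s and format as big digits.
		 * NOTE(review): the length is not required to equal twice the
		 * order size, so an odd trailing byte or high-order bytes beyond
		 * E.rlen digits are ignored; consider enforcing the exact length. */
		mpConvFromOctets(r, E.rlen, pu8Signature, halfLen);
		mpConvFromOctets(s, E.rlen, pu8Signature + halfLen, halfLen);

		/* r and s must both lie in [1, n-1]. Without this check a zero
		 * value flows into the inversion and point arithmetic below and
		 * the final comparison can no longer be trusted. */
		if (mpIsZero(r, E.rlen) || mpIsZero(s, E.rlen))
		{
			return VLT_FAIL;
		}
		mpModulo(tmp, r, E.rlen, E.r, E.rlen);
		if (!mpEqual(tmp, r, E.rlen))
		{
			/* r >= n */
			return VLT_FAIL;
		}
		mpModulo(tmp, s, E.rlen, E.r, E.rlen);
		if (!mpEqual(tmp, s, E.rlen))
		{
			/* s >= n */
			return VLT_FAIL;
		}

		/* Compute u1 = e1(s1^-1) mod n */
		mpModInv(tmp, s, E.r, E.rlen);
		mpModMult(u1, tmp, bdHash, E.r, E.rlen);

		/* Compute u2 = r1(s1^-1) mod n */
		mpModMult(u2, tmp, r, E.r, E.rlen);

		/* use supplied public key */
		mpSetEqual(Q.x, sPublicKeyQx, E.len);
		mpSetEqual(Q.y, sPublicKeyQy, E.len);

		/* compute R = u1G */
		e2n_point_mul(&E, &R, &E.G, u1, E.rlen);

		/* P = u2Q */
		e2n_point_mul(&E, &P, &Q, u2, E.rlen);

		/* R = R + P
		 * NOTE(review): the standard rejects the signature when this sum
		 * is the point at infinity; how the point library represents
		 * that case is not visible here - confirm it cannot match r. */
		e2n_point_add(&E, &R, &R, &P);

		/* compute v = j mod n */
		mpModulo(v, R.x, E.rlen, E.r, E.rlen);

		/* the signature is accepted only when v == r */
		status = mpEqual(v, r, E.rlen) ? VLT_OK : VLT_FAIL;
	}

	return status;
}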
示例#4
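/*
 * Self-test for the big digit routines using a published 508-bit RSA test
 * key: converts the octet strings to big digits, checks that m^d mod n
 * gives the expected signature and that s^e mod n gives back m, then
 * exercises the conversions back to octets and to decimal.
 *
 * The key material below is a public test vector and must never be used
 * to protect anything. The pass/fail checks rely on assert(), so they are
 * compiled out when NDEBUG is defined; only the printed messages remain.
 */
int main(void)
{
	DIGIT_T n[MOD_SIZE], e[MOD_SIZE], d[MOD_SIZE];
	DIGIT_T  s[MOD_SIZE], m[MOD_SIZE], m1[MOD_SIZE], s1[MOD_SIZE];
	size_t nbytes;
	char decimal[MOD_SIZE*4];

	/* Data in big-endian byte format:- */

	/* modulus */
	unsigned char nn[] = {
		0x0A, 0x66, 0x79, 0x1D, 0xC6, 0x98, 0x81, 0x68, 
		0xDE, 0x7A, 0xB7, 0x74, 0x19, 0xBB, 0x7F, 0xB0, 
		0xC0, 0x01, 0xC6, 0x27, 0x10, 0x27, 0x00, 0x75, 
		0x14, 0x29, 0x42, 0xE1, 0x9A, 0x8D, 0x8C, 0x51, 
		0xD0, 0x53, 0xB3, 0xE3, 0x78, 0x2A, 0x1D, 0xE5, 
		0xDC, 0x5A, 0xF4, 0xEB, 0xE9, 0x94, 0x68, 0x17, 
		0x01, 0x14, 0xA1, 0xDF, 0xE6, 0x7C, 0xDC, 0x9A, 
		0x9A, 0xF5, 0x5D, 0x65, 0x56, 0x20, 0xBB, 0xAB,
	};

	/* public exponent, 65537 */
	unsigned char ee[] = { 0x01, 0x00, 0x01 };

	/* private exponent */
	unsigned char dd[] = {
		0x01, 0x23, 0xC5, 0xB6, 0x1B, 0xA3, 0x6E, 0xDB, 
		0x1D, 0x36, 0x79, 0x90, 0x41, 0x99, 0xA8, 0x9E, 
		0xA8, 0x0C, 0x09, 0xB9, 0x12, 0x2E, 0x14, 0x00, 
		0xC0, 0x9A, 0xDC, 0xF7, 0x78, 0x46, 0x76, 0xD0, 
		0x1D, 0x23, 0x35, 0x6A, 0x7D, 0x44, 0xD6, 0xBD, 
		0x8B, 0xD5, 0x0E, 0x94, 0xBF, 0xC7, 0x23, 0xFA, 
		0x87, 0xD8, 0x86, 0x2B, 0x75, 0x17, 0x76, 0x91, 
		0xC1, 0x1D, 0x75, 0x76, 0x92, 0xDF, 0x88, 0x81,
	};

	/* message block to be signed, already padded to the modulus length */
	unsigned char mm[] = {
		0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x30, 0x20, 
		0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 
		0xF7, 0x0D, 0x02, 0x02, 0x05, 0x00, 0x04, 0x10, 
		0xDC, 0xA9, 0xEC, 0xF1, 0xC1, 0x5C, 0x1B, 0xD2, 
		0x66, 0xAF, 0xF9, 0xC8, 0x79, 0x93, 0x65, 0xCD,
	};

	/* expected signature */
	unsigned char ss[] = {
		0x06, 0xDB, 0x36, 0xCB, 0x18, 0xD3, 0x47, 0x5B, 
		0x9C, 0x01, 0xDB, 0x3C, 0x78, 0x95, 0x28, 0x08, 
		0x02, 0x79, 0xBB, 0xAE, 0xFF, 0x2B, 0x7D, 0x55, 
		0x8E, 0xD6, 0x61, 0x59, 0x87, 0xC8, 0x51, 0x86, 
		0x3F, 0x8A, 0x6C, 0x2C, 0xFF, 0xBC, 0x89, 0xC3, 
		0xF7, 0x5A, 0x18, 0xD9, 0x6B, 0x12, 0x7C, 0x71, 
		0x7D, 0x54, 0xD0, 0xD8, 0x04, 0x8D, 0xA8, 0xA0, 
		0x54, 0x46, 0x26, 0xD1, 0x7A, 0x2A, 0x8F, 0xBE,
	};

	printf("Test BIGDIGITS using 508-bit RSA key from 'Some Examples of the PKCS Standards'\n");

	/* Convert bytes to BIGDIGITS */
	mpConvFromOctets(n, MOD_SIZE, nn, sizeof(nn));
	mpConvFromOctets(e, MOD_SIZE, ee, sizeof(ee));
	mpConvFromOctets(d, MOD_SIZE, dd, sizeof(dd));
	mpConvFromOctets(m, MOD_SIZE, mm, sizeof(mm));
	mpConvFromOctets(s1, MOD_SIZE, ss, sizeof(ss));


	printf("n ="); mpPrintNL(n, MOD_SIZE);
	printf("e ="); mpPrintNL(e, MOD_SIZE);
	printf("d ="); mpPrintNL(d, MOD_SIZE);
	printf("m ="); mpPrintNL(m, MOD_SIZE);

	/* Sign, i.e. Encrypt with private key, s = m^d mod n */
	mpModExp(s, m, d, n, MOD_SIZE);

	printf("s ="); mpPrintNL(s, MOD_SIZE);

	/* Did we get the same answer as expected? */
	if (!mpEqual(s1, s, MOD_SIZE))
		printf("<= ERROR - no match\n");
	else
		printf("<= OK\n");
	assert(mpEqual(s1, s, MOD_SIZE));

	/* Verify, i.e. Decrypt with public key m' = s^e mod n */
	mpModExp(m1, s, e, n, MOD_SIZE);

	printf("m'="); mpPrintNL(m1, MOD_SIZE);

	/* Check that we got back where we started */
	if (!mpEqual(m1, m, MOD_SIZE)) 
		printf("<= ERROR - no match\n");
	else
		printf("<= OK\n");
	assert(mpEqual(m1, m, MOD_SIZE));

	/* Now convert back to octets (bytes). nbytes is a size_t, so it is
	 * cast to match the conversion specifier; passing it to %d is
	 * undefined where size_t and int differ in width. */
	memset(mm, 0, sizeof(mm)); 
	nbytes = mpConvToOctets(m, MOD_SIZE, mm, sizeof(mm));
	printf("%lu non-zero bytes converted from m:\n", (unsigned long)nbytes);
	pr_bytes(mm, sizeof(mm));

	memset(ee, 0, sizeof(ee)); 
	nbytes = mpConvToOctets(e, MOD_SIZE, ee, sizeof(ee));
	printf("%lu non-zero bytes converted from e:\n", (unsigned long)nbytes);
	pr_bytes(ee, sizeof(ee));

	/* Do a conversion to decimal */
	nbytes = mpConvToDecimal(e, MOD_SIZE, decimal, sizeof(decimal));
	printf("%lu non-zero decimal digits converted from e:\n", (unsigned long)nbytes);
	printf("%s\n", decimal);
	assert(strcmp(decimal, "65537") == 0);

	printf("OK, successfully completed tests.\n");

	return 0;
}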