deon/gnuk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

ecdsa implementation

Browse Source
This commit is contained in:
NIIBE Yutaka
2013-02-20 16:49:56 +09:00
parent 5f1088e4be
commit a368a45a0d
8 changed files with 2724 additions and 2527 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2494
ChangeLog
View File

File diff suppressed because it is too large Load Diff

2477
ChangeLog-1_0 Normal file
View File

File diff suppressed because it is too large Load Diff

2
src/Makefile.in
View File

@@ -84,7 +84,7 @@ CSRC = $(PORTSRC) \
main.c usb_stm32f103.c adc_stm32f103.c \ main.c usb_stm32f103.c adc_stm32f103.c \
usb_desc.c usb_ctrl.c \ usb_desc.c usb_ctrl.c \
usb-icc.c openpgp.c ac.c openpgp-do.c flash.c \ usb-icc.c openpgp.c ac.c openpgp-do.c flash.c \
bn.c modp256.c jpc.c mod.c ec_p256.c \ bn.c modp256.c jpc.c mod.c ec_p256.c call-ec_p256.c \
random.c neug.c sys.c random.c neug.c sys.c
ifneq ($(ENABLE_DEBUG),) ifneq ($(ENABLE_DEBUG),)

85
src/call-ec_p256.c Normal file
View File

@@ -0,0 +1,85 @@
/*
* call-ec_p256.c - interface between Gnuk and Elliptic curve over GF(p256)
*
* Copyright (C) 2013 Free Software Initiative of Japan
* Author: NIIBE Yutaka <gniibe@fsij.org>
*
* This file is a part of Gnuk, a GnuPG USB Token implementation.
*
* Gnuk is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Gnuk is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
* License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "bn.h"
#include "jpc-ac.h"
#include "ec_p256.h"
#include "ch.h"
#include "gnuk.h"
/* We are little endian. */
#define ECDSA_BYTE_SIZE 32
int
ecdsa_sign (const uint8_t *hash, uint8_t *output,
const struct key_data *kd)
{
int i;
bn256 r[1], s[1], z[1];
uint8_t *p;
p = (uint8_t *)z;
for (i = 0; i < ECDSA_BYTE_SIZE; i++)
p[ECDSA_BYTE_SIZE - i - 1] = hash[i];
ecdsa (r, s, z, (const bn256 *)kd);
p = (uint8_t *)r;
for (i = 0; i < ECDSA_BYTE_SIZE; i++)
*output++ = p[ECDSA_BYTE_SIZE - i - 1];
p = (uint8_t *)s;
for (i = 0; i < ECDSA_BYTE_SIZE; i++)
*output++ = p[ECDSA_BYTE_SIZE - i - 1];
return 0;
}
const uint8_t *
ecdsa_compute_public (const uint8_t *key_data)
{
uint8_t *p0, *p, *p1;
ac q[1];
bn256 k[1];
int i;
p0 = (uint8_t *)malloc (ECDSA_BYTE_SIZE * 2);
if (p0 == NULL)
return NULL;
p = (uint8_t *)k;
for (i = 0; i < ECDSA_BYTE_SIZE; i++)
p[ECDSA_BYTE_SIZE - i - 1] = key_data[i];
compute_kG (q, k);
p = p0;
p1 = (uint8_t *)q->x;
for (i = 0; i < ECDSA_BYTE_SIZE; i++)
*p++ = p1[ECDSA_BYTE_SIZE - i - 1];
p1 = (uint8_t *)q->y;
for (i = 0; i < ECDSA_BYTE_SIZE; i++)
*p++ = p1[ECDSA_BYTE_SIZE - i - 1];
return p0;
}

5
src/call-rsa.c
View File

@@ -107,11 +107,6 @@ modulus_calc (const uint8_t *p, int len)
return modulus; return modulus;
} }
void
modulus_free (const uint8_t *p)
{
free ((void *)p);
}
int int
rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len, rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,

5
src/gnuk.h
View File

@@ -237,12 +237,15 @@ extern struct key_data kd[3];
extern int rsa_sign (const uint8_t *, uint8_t *, int, struct key_data *); extern int rsa_sign (const uint8_t *, uint8_t *, int, struct key_data *);
extern const uint8_t *modulus_calc (const uint8_t *, int); extern const uint8_t *modulus_calc (const uint8_t *, int);
extern void modulus_free (const uint8_t *);
extern int rsa_decrypt (const uint8_t *, uint8_t *, int, struct key_data *); extern int rsa_decrypt (const uint8_t *, uint8_t *, int, struct key_data *);
extern int rsa_verify (const uint8_t *pubkey, const uint8_t *hash, extern int rsa_verify (const uint8_t *pubkey, const uint8_t *hash,
const uint8_t *signature); const uint8_t *signature);
extern const uint8_t *rsa_genkey (void); extern const uint8_t *rsa_genkey (void);
extern int ecdsa_sign (const uint8_t *hash, uint8_t *output,
const struct key_data *kd);
extern const uint8_t *ecdsa_compute_public (const uint8_t *key_data);
extern const uint8_t *gpg_do_read_simple (uint8_t); extern const uint8_t *gpg_do_read_simple (uint8_t);
extern void gpg_do_write_simple (uint8_t, const uint8_t *, int); extern void gpg_do_write_simple (uint8_t, const uint8_t *, int);
extern void gpg_increment_digital_signature_counter (void); extern void gpg_increment_digital_signature_counter (void);

134
src/openpgp-do.c
View File

@@ -122,7 +122,7 @@ static const uint8_t extended_capabilities[] __attribute__ ((aligned (1))) = {
}; };
/* Algorithm Attributes */ /* Algorithm Attributes */
static const uint8_t algorithm_attr[] __attribute__ ((aligned (1))) = { static const uint8_t algorithm_attr_rsa[] __attribute__ ((aligned (1))) = {
6, 6,
0x01, /* RSA */ 0x01, /* RSA */
0x08, 0x00, /* Length modulus (in bit): 2048 */ 0x08, 0x00, /* Length modulus (in bit): 2048 */
@@ -130,6 +130,12 @@ static const uint8_t algorithm_attr[] __attribute__ ((aligned (1))) = {
0x00 /* 0: p&q , 3: CRT with N (not yet supported) */ 0x00 /* 0: p&q , 3: CRT with N (not yet supported) */
}; };
static const uint8_t algorithm_attr_ecdsa[] __attribute__ ((aligned (1))) = {
9,
0x13, /* ECDSA */
0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 /* OID of NIST curve P-256 */
};
#define PW_LEN_MAX 127 #define PW_LEN_MAX 127
/* /*
* Representation of PW1_LIFETIME: * Representation of PW1_LIFETIME:
@@ -722,7 +728,7 @@ static int8_t num_prv_keys;
static int static int
gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len, gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
const uint8_t *keystring_admin, const uint8_t *modulus) const uint8_t *keystring_admin, const uint8_t *pubkey)
{ {
uint8_t nr = get_do_ptr_nr_for_kk (kk); uint8_t nr = get_do_ptr_nr_for_kk (kk);
const uint8_t *p; const uint8_t *p;
@@ -734,7 +740,7 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
const uint8_t *ks_pw1; const uint8_t *ks_pw1;
const uint8_t *ks_rc; const uint8_t *ks_rc;
struct key_data_internal kdi; struct key_data_internal kdi;
int modulus_allocated_here = 0; int pubkey_allocated_here = 0;
uint8_t ks_pw1_len = 0; uint8_t ks_pw1_len = 0;
uint8_t ks_rc_len = 0; uint8_t ks_rc_len = 0;
@@ -745,23 +751,28 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
/* No replace support, you need to remove it first. */ /* No replace support, you need to remove it first. */
return -1; return -1;
if (key_len != KEY_CONTENT_LEN) if (kk != GPG_KEY_FOR_AUTHENTICATION && key_len != KEY_CONTENT_LEN)
return -1;
if (kk == GPG_KEY_FOR_AUTHENTICATION && key_len != 32)
return -1; return -1;
pd = (struct prvkey_data *)malloc (sizeof (struct prvkey_data)); pd = (struct prvkey_data *)malloc (sizeof (struct prvkey_data));
if (pd == NULL) if (pd == NULL)
return -1; return -1;
if (modulus == NULL) if (pubkey == NULL)
{ {
modulus = modulus_calc (key_data, key_len); if (kk == GPG_KEY_FOR_AUTHENTICATION)
if (modulus == NULL) pubkey = ecdsa_compute_public (key_data);
else
pubkey = modulus_calc (key_data, key_len);
if (pubkey == NULL)
{ {
free (pd); free (pd);
return -1; return -1;
} }
modulus_allocated_here = 1; pubkey_allocated_here = 1;
} }
DEBUG_INFO ("Getting keystore address...\r\n"); DEBUG_INFO ("Getting keystore address...\r\n");
@@ -769,15 +780,21 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
if (key_addr == NULL) if (key_addr == NULL)
{ {
free (pd); free (pd);
if (modulus_allocated_here) if (pubkey_allocated_here)
modulus_free (modulus); free ((void *)pubkey);
return -1; return -1;
} }
DEBUG_INFO ("key_addr: "); DEBUG_INFO ("key_addr: ");
DEBUG_WORD ((uint32_t)key_addr); DEBUG_WORD ((uint32_t)key_addr);
memcpy (kdi.data, key_data, KEY_CONTENT_LEN); if (kk == GPG_KEY_FOR_AUTHENTICATION)
{
memcpy (kdi.data, key_data, key_len);
memset (kdi.data + key_len, 0, KEY_CONTENT_LEN - key_len);
}
else
memcpy (kdi.data, key_data, KEY_CONTENT_LEN);
compute_key_data_checksum (&kdi, 0); compute_key_data_checksum (&kdi, 0);
dek = random_bytes_get (); /* 32-byte random bytes */ dek = random_bytes_get (); /* 32-byte random bytes */
@@ -790,9 +807,9 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
encrypt (dek, iv, (uint8_t *)&kdi, sizeof (struct key_data_internal)); encrypt (dek, iv, (uint8_t *)&kdi, sizeof (struct key_data_internal));
r = flash_key_write (key_addr, kdi.data, modulus); r = flash_key_write (key_addr, kdi.data, pubkey);
if (modulus_allocated_here) if (pubkey_allocated_here)
modulus_free (modulus); free ((void *)pubkey);
if (r < 0) if (r < 0)
{ {
@@ -895,13 +912,23 @@ gpg_do_chks_prvkey (enum kind_of_key kk,
} }
/* /*
* RSA:
* 4d, xx, xx, xx: Extended Header List * 4d, xx, xx, xx: Extended Header List
* b6 00 (SIG) / b8 00 (DEC) / a4 00 (AUT) * b6 00 (SIG) / b8 00 (DEC) / a4 00 (AUT)
* 7f48, xx: cardholder private key template * 7f48, xx: cardholder private key template
* 91 xx * 91 xx: length of E
* 92 xx xx * 92 xx xx: length of P
* 93 xx xx * 93 xx xx: length of Q
* 5f48, xx xx xx: cardholder private key * 5f48, xx xx xx: cardholder private key
* <E: 4-byte>, <P: 128-byte>, <Q: 128-byte>
*
* ECDSA:
* 4d, xx: Extended Header List
* a4 00 (AUT)
* 7f48, xx: cardholder private key template
* 91 xx: length of d
* 5f48, xx : cardholder private key
* <d>
*/ */
static int static int
proc_key_import (const uint8_t *data, int len) proc_key_import (const uint8_t *data, int len)
@@ -944,7 +971,8 @@ proc_key_import (const uint8_t *data, int len)
ac_reset_other (); ac_reset_other ();
} }
if (len <= 22) if ((kk != GPG_KEY_FOR_AUTHENTICATION && len <= 22)
|| (kk == GPG_KEY_FOR_AUTHENTICATION && len <= 12))
{ /* Deletion of the key */ { /* Deletion of the key */
uint8_t nr = get_do_ptr_nr_for_kk (kk); uint8_t nr = get_do_ptr_nr_for_kk (kk);
const uint8_t *do_data = do_ptr[nr - NR_DO__FIRST__]; const uint8_t *do_data = do_ptr[nr - NR_DO__FIRST__];
@@ -972,9 +1000,15 @@ proc_key_import (const uint8_t *data, int len)
return 1; return 1;
} }
/* It should starts with 00 01 00 01 (E) */ if (kk != GPG_KEY_FOR_AUTHENTICATION)
/* Skip E, 4-byte */ { /* RSA */
r = gpg_do_write_prvkey (kk, &data[26], len - 26, keystring_admin, NULL); /* It should starts with 00 01 00 01 (E) */
/* Skip E, 4-byte */
r = gpg_do_write_prvkey (kk, &data[26], len - 26, keystring_admin, NULL);
}
else
r = gpg_do_write_prvkey (kk, &data[12], len - 12, keystring_admin, NULL);
if (r < 0) if (r < 0)
return 0; return 0;
else else
@@ -1032,9 +1066,9 @@ gpg_do_table[] = {
rw_pw_status }, rw_pw_status },
/* Fixed data */ /* Fixed data */
{ GPG_DO_EXTCAP, DO_FIXED, AC_ALWAYS, AC_NEVER, extended_capabilities }, { GPG_DO_EXTCAP, DO_FIXED, AC_ALWAYS, AC_NEVER, extended_capabilities },
{ GPG_DO_ALG_SIG, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr }, { GPG_DO_ALG_SIG, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr_rsa },
{ GPG_DO_ALG_DEC, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr }, { GPG_DO_ALG_DEC, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr_rsa },
{ GPG_DO_ALG_AUT, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr }, { GPG_DO_ALG_AUT, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr_ecdsa },
/* Compound data: Read access only */ /* Compound data: Read access only */
{ GPG_DO_CH_DATA, DO_CMP_READ, AC_ALWAYS, AC_NEVER, cmp_ch_data }, { GPG_DO_CH_DATA, DO_CMP_READ, AC_ALWAYS, AC_NEVER, cmp_ch_data },
{ GPG_DO_APP_DATA, DO_CMP_READ, AC_ALWAYS, AC_NEVER, cmp_app_data }, { GPG_DO_APP_DATA, DO_CMP_READ, AC_ALWAYS, AC_NEVER, cmp_app_data },
@@ -1475,26 +1509,42 @@ gpg_do_public_key (uint8_t kk_byte)
/* TAG */ /* TAG */
*res_p++ = 0x7f; *res_p++ = 0x49; *res_p++ = 0x7f; *res_p++ = 0x49;
/* LEN = 9+256 */
*res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x09;
{ if (kk_byte != 0xa4)
/*TAG*/ /*LEN = 256 */ { /* RSA */
*res_p++ = 0x81; *res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x00; /* LEN = 9+256 */
/* 256-byte binary (big endian) */ *res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x09;
memcpy (res_p, key_addr + KEY_CONTENT_LEN, KEY_CONTENT_LEN);
res_p += 256;
}
{
/*TAG*/ /*LEN= 3 */
*res_p++ = 0x82; *res_p++ = 3;
/* 3-byte E=0x10001 (big endian) */
*res_p++ = 0x01; *res_p++ = 0x00; *res_p++ = 0x01;
/* Success */ {
res_APDU_size = res_p - res_APDU; /*TAG*/ /* LEN = 256 */
GPG_SUCCESS (); *res_p++ = 0x81; *res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x00;
} /* 256-byte binary (big endian) */
memcpy (res_p, key_addr + KEY_CONTENT_LEN, KEY_CONTENT_LEN);
res_p += 256;
}
{
/*TAG*/ /* LEN= 3 */
*res_p++ = 0x82; *res_p++ = 3;
/* 3-byte E=0x10001 (big endian) */
*res_p++ = 0x01; *res_p++ = 0x00; *res_p++ = 0x01;
}
}
else
{ /* ECDSA */
/* LEN = 2+64 */
*res_p++ = 0x42;
{
/*TAG*/ /* LEN = 64 */
*res_p++ = 0x81; *res_p++ = 0x40;
/* 64-byte binary (big endian) */
memcpy (res_p, key_addr + KEY_CONTENT_LEN, 64);
res_p += 64;
}
}
/* Success */
res_APDU_size = res_p - res_APDU;
GPG_SUCCESS ();
DEBUG_INFO ("done.\r\n"); DEBUG_INFO ("done.\r\n");
return; return;

49
src/openpgp.c
View File

@@ -833,6 +833,7 @@ cmd_pso (void)
} }
#if RSA_AUTH
#define MAX_DIGEST_INFO_LEN 102 /* 40% */ #define MAX_DIGEST_INFO_LEN 102 /* 40% */
static void static void
cmd_internal_authenticate (void) cmd_internal_authenticate (void)
@@ -876,6 +877,54 @@ cmd_internal_authenticate (void)
DEBUG_INFO ("INTERNAL AUTHENTICATE done.\r\n"); DEBUG_INFO ("INTERNAL AUTHENTICATE done.\r\n");
} }
#else
#define ECDSA_P256_HASH_LEN 32
#define ECDSA_SIGNATURE_LENGTH 64
static void
cmd_internal_authenticate (void)
{
int len = apdu.cmd_apdu_data_len;
int r;
DEBUG_INFO (" - INTERNAL AUTHENTICATE\r\n");
if (P1 (apdu) == 0x00 && P2 (apdu) == 0x00)
{
DEBUG_SHORT (len);
if (!ac_check_status (AC_OTHER_AUTHORIZED))
{
DEBUG_INFO ("security error.");
GPG_SECURITY_FAILURE ();
return;
}
if (len != ECDSA_P256_HASH_LEN)
{
DEBUG_INFO ("wrong hash length.");
GPG_CONDITION_NOT_SATISFIED ();
return;
}
res_APDU_size = ECDSA_SIGNATURE_LENGTH;
r = ecdsa_sign (apdu.cmd_apdu_data, res_APDU,
&kd[GPG_KEY_FOR_AUTHENTICATION]);
if (r < 0)
GPG_ERROR ();
}
else
{
DEBUG_INFO (" - ??");
DEBUG_BYTE (P1 (apdu));
DEBUG_INFO (" - ??");
DEBUG_BYTE (P2 (apdu));
GPG_ERROR ();
}
DEBUG_INFO ("INTERNAL AUTHENTICATE done.\r\n");
}
#endif
#define MBD_OPRATION_WRITE 0 #define MBD_OPRATION_WRITE 0
#define MBD_OPRATION_UPDATE 1 #define MBD_OPRATION_UPDATE 1