ecdsa implementation

2024-09-19 18:30:15 +00:00 · 2013-02-20 16:49:56 +09:00 · 2013-02-20 16:49:56 +09:00 · a368a45a0d
commit a368a45a0d
parent 5f1088e4be
8 changed files with 2724 additions and 2527 deletions
--- a/2494
+++ b/2494
--- a/2477
+++ b/2477
--- a/src/Makefile.in
+++ b/src/Makefile.in
@ -84,7 +84,7 @@ CSRC = $(PORTSRC) \
       main.c usb_stm32f103.c adc_stm32f103.c \
 	usb_desc.c usb_ctrl.c \
 	usb-icc.c openpgp.c ac.c openpgp-do.c flash.c \
-	bn.c modp256.c jpc.c mod.c ec_p256.c \
+	bn.c modp256.c jpc.c mod.c ec_p256.c call-ec_p256.c \
 	random.c neug.c sys.c

 ifneq ($(ENABLE_DEBUG),)
--- a/src/call-ec_p256.c
+++ b/src/call-ec_p256.c
@ -0,0 +1,85 @@
+/*
+ * call-ec_p256.c - interface between Gnuk and Elliptic curve over GF(p256)
+ *
+ * Copyright (C) 2013 Free Software Initiative of Japan
+ * Author: NIIBE Yutaka <gniibe@fsij.org>
+ *
+ * This file is a part of Gnuk, a GnuPG USB Token implementation.
+ *
+ * Gnuk is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Gnuk is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include "bn.h"
+#include "jpc-ac.h"
+#include "ec_p256.h"
+
+#include "ch.h"
+#include "gnuk.h"
+
+/* We are little endian.  */
+
+#define ECDSA_BYTE_SIZE 32
+
+int
+ecdsa_sign (const uint8_t *hash, uint8_t *output,
+	    const struct key_data *kd)
+{
+  int i;
+  bn256 r[1], s[1], z[1];
+  uint8_t *p;
+
+  p = (uint8_t *)z;
+  for (i = 0; i < ECDSA_BYTE_SIZE; i++)
+    p[ECDSA_BYTE_SIZE - i - 1] = hash[i];
+
+  ecdsa (r, s, z, (const bn256 *)kd);
+  p = (uint8_t *)r;
+  for (i = 0; i < ECDSA_BYTE_SIZE; i++)
+    *output++ = p[ECDSA_BYTE_SIZE - i - 1];
+  p = (uint8_t *)s;
+  for (i = 0; i < ECDSA_BYTE_SIZE; i++)
+    *output++ = p[ECDSA_BYTE_SIZE - i - 1];
+  return 0;
+}
+
+const uint8_t *
+ecdsa_compute_public (const uint8_t *key_data)
+{
+  uint8_t *p0, *p, *p1;
+  ac q[1];
+  bn256 k[1];
+  int i;
+
+  p0 = (uint8_t *)malloc (ECDSA_BYTE_SIZE * 2);
+  if (p0 == NULL)
+    return NULL;
+
+  p = (uint8_t *)k;
+  for (i = 0; i < ECDSA_BYTE_SIZE; i++)
+    p[ECDSA_BYTE_SIZE - i - 1] = key_data[i];
+  compute_kG (q, k);
+  p = p0;
+  p1 = (uint8_t *)q->x;
+  for (i = 0; i < ECDSA_BYTE_SIZE; i++)
+    *p++ = p1[ECDSA_BYTE_SIZE - i - 1];
+  p1 = (uint8_t *)q->y;
+  for (i = 0; i < ECDSA_BYTE_SIZE; i++)
+    *p++ = p1[ECDSA_BYTE_SIZE - i - 1];
+
+  return p0;
+}
--- a/src/call-rsa.c
+++ b/src/call-rsa.c
@ -107,11 +107,6 @@ modulus_calc (const uint8_t *p, int len)
  return modulus;
 }

-void
-modulus_free (const uint8_t *p)
-{
-  free ((void *)p);
-}

 int
 rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
--- a/src/gnuk.h
+++ b/src/gnuk.h
@ -237,12 +237,15 @@ extern struct key_data kd[3];

 extern int rsa_sign (const uint8_t *, uint8_t *, int, struct key_data *);
 extern const uint8_t *modulus_calc (const uint8_t *, int);
-extern void modulus_free (const uint8_t *);
 extern int rsa_decrypt (const uint8_t *, uint8_t *, int, struct key_data *);
 extern int rsa_verify (const uint8_t *pubkey, const uint8_t *hash,
 		       const uint8_t *signature);
 extern const uint8_t *rsa_genkey (void);

+extern int ecdsa_sign  (const uint8_t *hash, uint8_t *output,
+			const struct key_data *kd);
+extern const uint8_t *ecdsa_compute_public (const uint8_t *key_data);
+
 extern const uint8_t *gpg_do_read_simple (uint8_t);
 extern void gpg_do_write_simple (uint8_t, const uint8_t *, int);
 extern void gpg_increment_digital_signature_counter (void);
--- a/src/openpgp-do.c
+++ b/src/openpgp-do.c
@ -122,7 +122,7 @@ static const uint8_t extended_capabilities[] __attribute__ ((aligned (1))) = {
 };

 /* Algorithm Attributes */
-static const uint8_t algorithm_attr[] __attribute__ ((aligned (1))) = {
+static const uint8_t algorithm_attr_rsa[] __attribute__ ((aligned (1))) = {
  6,
  0x01, /* RSA */
  0x08, 0x00,	      /* Length modulus (in bit): 2048 */
@ -130,6 +130,12 @@ static const uint8_t algorithm_attr[] __attribute__ ((aligned (1))) = {
  0x00		      /* 0: p&q , 3: CRT with N (not yet supported) */
 };

+static const uint8_t algorithm_attr_ecdsa[] __attribute__ ((aligned (1))) = {
+  9,
+  0x13, /* ECDSA */
+  0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 /* OID of NIST curve P-256 */
+};
+
 #define PW_LEN_MAX 127
 /*
 * Representation of PW1_LIFETIME:
@ -722,7 +728,7 @@ static int8_t num_prv_keys;

 static int
 gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
-		     const uint8_t *keystring_admin, const uint8_t *modulus)
+		     const uint8_t *keystring_admin, const uint8_t *pubkey)
 {
  uint8_t nr = get_do_ptr_nr_for_kk (kk);
  const uint8_t *p;
@ -734,7 +740,7 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
  const uint8_t *ks_pw1;
  const uint8_t *ks_rc;
  struct key_data_internal kdi;
-  int modulus_allocated_here = 0;
+  int pubkey_allocated_here = 0;
  uint8_t ks_pw1_len = 0;
  uint8_t ks_rc_len = 0;

@ -745,23 +751,28 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
    /* No replace support, you need to remove it first.  */
    return -1;

-  if (key_len != KEY_CONTENT_LEN)
+  if (kk != GPG_KEY_FOR_AUTHENTICATION && key_len != KEY_CONTENT_LEN)
+    return -1;
+  if (kk == GPG_KEY_FOR_AUTHENTICATION && key_len != 32)
    return -1;

  pd = (struct prvkey_data *)malloc (sizeof (struct prvkey_data));
  if (pd == NULL)
    return -1;

-  if (modulus == NULL)
+  if (pubkey == NULL)
    {
-      modulus = modulus_calc (key_data, key_len);
-      if (modulus == NULL)
+      if (kk == GPG_KEY_FOR_AUTHENTICATION)
+	pubkey = ecdsa_compute_public (key_data);
+      else
+	pubkey = modulus_calc (key_data, key_len);
+      if (pubkey == NULL)
 	{
 	  free (pd);
 	  return -1;
 	}

-      modulus_allocated_here = 1;
+      pubkey_allocated_here = 1;
    }

  DEBUG_INFO ("Getting keystore address...\r\n");
@ -769,15 +780,21 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
  if (key_addr == NULL)
    {
      free (pd);
-      if (modulus_allocated_here)
-	modulus_free (modulus);
+      if (pubkey_allocated_here)
+	free ((void *)pubkey);
      return -1;
    }

  DEBUG_INFO ("key_addr: ");
  DEBUG_WORD ((uint32_t)key_addr);

-  memcpy (kdi.data, key_data, KEY_CONTENT_LEN);
+  if (kk == GPG_KEY_FOR_AUTHENTICATION)
+    {
+      memcpy (kdi.data, key_data, key_len);
+      memset (kdi.data + key_len, 0, KEY_CONTENT_LEN - key_len);
+    }
+  else
+    memcpy (kdi.data, key_data, KEY_CONTENT_LEN);
  compute_key_data_checksum (&kdi, 0);

  dek = random_bytes_get (); /* 32-byte random bytes */
@ -790,9 +807,9 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,

  encrypt (dek, iv, (uint8_t *)&kdi, sizeof (struct key_data_internal));

-  r = flash_key_write (key_addr, kdi.data, modulus);
-  if (modulus_allocated_here)
-    modulus_free (modulus);
+  r = flash_key_write (key_addr, kdi.data, pubkey);
+  if (pubkey_allocated_here)
+    free ((void *)pubkey);

  if (r < 0)
    {
@ -895,13 +912,23 @@ gpg_do_chks_prvkey (enum kind_of_key kk,
 }

 /*
+ * RSA:
 * 4d, xx, xx, xx:    Extended Header List
 *   b6 00 (SIG) / b8 00 (DEC) / a4 00 (AUT)
 *   7f48, xx: cardholder private key template
- *       91 xx
- *       92 xx xx
- *       93 xx xx
+ *       91 xx: length of E
+ *       92 xx xx: length of P
+ *       93 xx xx: length of Q
 *   5f48, xx xx xx: cardholder private key
+ * <E: 4-byte>, <P: 128-byte>, <Q: 128-byte>
+ *
+ * ECDSA:
+ * 4d, xx:    Extended Header List
+ *   a4 00 (AUT)
+ *   7f48, xx: cardholder private key template
+ *       91 xx: length of d
+ *   5f48, xx : cardholder private key
+ * <d>
 */
 static int
 proc_key_import (const uint8_t *data, int len)
@ -944,7 +971,8 @@ proc_key_import (const uint8_t *data, int len)
      ac_reset_other ();
    }

-  if (len <= 22)
+  if ((kk != GPG_KEY_FOR_AUTHENTICATION && len <= 22)
+      || (kk == GPG_KEY_FOR_AUTHENTICATION && len <= 12))
    {					    /* Deletion of the key */
      uint8_t nr = get_do_ptr_nr_for_kk (kk);
      const uint8_t *do_data = do_ptr[nr - NR_DO__FIRST__];
@ -972,9 +1000,15 @@ proc_key_import (const uint8_t *data, int len)
      return 1;
    }

-  /* It should starts with 00 01 00 01 (E) */
-  /* Skip E, 4-byte */
-  r = gpg_do_write_prvkey (kk, &data[26], len - 26, keystring_admin, NULL);
+  if (kk != GPG_KEY_FOR_AUTHENTICATION)
+    {			   /* RSA */
+      /* It should starts with 00 01 00 01 (E) */
+      /* Skip E, 4-byte */
+      r = gpg_do_write_prvkey (kk, &data[26], len - 26, keystring_admin, NULL);
+    }
+  else
+    r = gpg_do_write_prvkey (kk, &data[12], len - 12, keystring_admin, NULL);
+
  if (r < 0)
    return 0;
  else
@ -1032,9 +1066,9 @@ gpg_do_table[] = {
    rw_pw_status },
  /* Fixed data */
  { GPG_DO_EXTCAP, DO_FIXED, AC_ALWAYS, AC_NEVER, extended_capabilities },
-  { GPG_DO_ALG_SIG, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr },
-  { GPG_DO_ALG_DEC, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr },
-  { GPG_DO_ALG_AUT, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr },
+  { GPG_DO_ALG_SIG, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr_rsa },
+  { GPG_DO_ALG_DEC, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr_rsa },
+  { GPG_DO_ALG_AUT, DO_FIXED, AC_ALWAYS, AC_NEVER, algorithm_attr_ecdsa },
  /* Compound data: Read access only */
  { GPG_DO_CH_DATA, DO_CMP_READ, AC_ALWAYS, AC_NEVER, cmp_ch_data },
  { GPG_DO_APP_DATA, DO_CMP_READ, AC_ALWAYS, AC_NEVER, cmp_app_data },
@ -1475,26 +1509,42 @@ gpg_do_public_key (uint8_t kk_byte)

  /* TAG */
  *res_p++ = 0x7f; *res_p++ = 0x49;
-  /* LEN = 9+256 */
-  *res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x09;

-  {
-    /*TAG*/          /*LEN = 256 */
-    *res_p++ = 0x81; *res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x00;
-    /* 256-byte binary (big endian) */
-    memcpy (res_p, key_addr + KEY_CONTENT_LEN, KEY_CONTENT_LEN);
-    res_p += 256;
-  }
-  {
-    /*TAG*/          /*LEN= 3 */
-    *res_p++ = 0x82; *res_p++ = 3;
-    /* 3-byte E=0x10001 (big endian) */
-    *res_p++ = 0x01; *res_p++ = 0x00; *res_p++ = 0x01;
+  if (kk_byte != 0xa4)
+    {				/* RSA */
+      /* LEN = 9+256 */
+      *res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x09;

-    /* Success */
-    res_APDU_size = res_p - res_APDU;
-    GPG_SUCCESS ();
-  }
+      {
+	/*TAG*/          /* LEN = 256 */
+	*res_p++ = 0x81; *res_p++ = 0x82; *res_p++ = 0x01; *res_p++ = 0x00;
+	/* 256-byte binary (big endian) */
+	memcpy (res_p, key_addr + KEY_CONTENT_LEN, KEY_CONTENT_LEN);
+	res_p += 256;
+      }
+      {
+	/*TAG*/          /* LEN= 3 */
+	*res_p++ = 0x82; *res_p++ = 3;
+	/* 3-byte E=0x10001 (big endian) */
+	*res_p++ = 0x01; *res_p++ = 0x00; *res_p++ = 0x01;
+      }
+    }
+  else
+    {				/* ECDSA */
+      /* LEN = 2+64 */
+      *res_p++ = 0x42;
+      {
+	/*TAG*/          /* LEN = 64 */
+	*res_p++ = 0x81; *res_p++ = 0x40;
+	/* 64-byte binary (big endian) */
+	memcpy (res_p, key_addr + KEY_CONTENT_LEN, 64);
+	res_p += 64;
+      }
+    }
+
+  /* Success */
+  res_APDU_size = res_p - res_APDU;
+  GPG_SUCCESS ();

  DEBUG_INFO ("done.\r\n");
  return;
--- a/src/openpgp.c
+++ b/src/openpgp.c
@ -833,6 +833,7 @@ cmd_pso (void)
 }


+#if RSA_AUTH
 #define MAX_DIGEST_INFO_LEN 102 /* 40% */
 static void
 cmd_internal_authenticate (void)
@ -876,6 +877,54 @@ cmd_internal_authenticate (void)

  DEBUG_INFO ("INTERNAL AUTHENTICATE done.\r\n");
 }
+#else
+#define ECDSA_P256_HASH_LEN 32
+#define ECDSA_SIGNATURE_LENGTH 64
+
+static void
+cmd_internal_authenticate (void)
+{
+  int len = apdu.cmd_apdu_data_len;
+  int r;
+
+  DEBUG_INFO (" - INTERNAL AUTHENTICATE\r\n");
+
+  if (P1 (apdu) == 0x00 && P2 (apdu) == 0x00)
+    {
+      DEBUG_SHORT (len);
+
+      if (!ac_check_status (AC_OTHER_AUTHORIZED))
+	{
+	  DEBUG_INFO ("security error.");
+	  GPG_SECURITY_FAILURE ();
+	  return;
+	}
+
+      if (len != ECDSA_P256_HASH_LEN)
+	{
+	  DEBUG_INFO ("wrong hash length.");
+	  GPG_CONDITION_NOT_SATISFIED ();
+	  return;
+	}
+
+      res_APDU_size = ECDSA_SIGNATURE_LENGTH;
+      r = ecdsa_sign (apdu.cmd_apdu_data, res_APDU,
+		      &kd[GPG_KEY_FOR_AUTHENTICATION]);
+      if (r < 0)
+	GPG_ERROR ();
+    }
+  else
+    {
+      DEBUG_INFO (" - ??");
+      DEBUG_BYTE (P1 (apdu));
+      DEBUG_INFO (" - ??");
+      DEBUG_BYTE (P2 (apdu));
+      GPG_ERROR ();
+    }
+
+  DEBUG_INFO ("INTERNAL AUTHENTICATE done.\r\n");
+}
+#endif

 #define MBD_OPRATION_WRITE  0
 #define MBD_OPRATION_UPDATE 1