pico-openpgp/tests/nistp384r1_keys.py

from time import time
from struct import pack
from hashlib import sha1, sha384
from pk_signed_mpi_with_libgcrypt import PK_libgcrypt
from card_const import KEY_ATTRIBUTES_ECDH_NISTP384R1, KEY_ATTRIBUTES_ECDSA_NISTP384R1

lg_nistp384 = PK_libgcrypt(48, "NIST P-384")

class PK_Crypto(object):
    @staticmethod
    def pk_from_pk_info(pk_info):
        return pk_info[5:]

    @staticmethod
    def compute_digestinfo(msg):
        return sha384(msg).digest()

    @staticmethod
    def enc_data(enc_info):
        return b'\xa6\x66\x7f\x49\x63\x86\x61' + enc_info[1]

    @staticmethod
    def enc_check(enc_info, s):
        point = enc_info[0]
        # It's 04 || X || Y, extract X
        return point[1:49] == s


    def __init__(self, keyno=None, pk_info=None, data=None):
        if keyno == None:
            # Just for name space
            return

        self.keyno = keyno
        self.for_encryption = (self.keyno == 1)
        self.timestamp = pack('>I', int(time()))
        if pk_info:
            # Public part only (no private data) from card
            self.q = pk_info[5:]
        else:
            # Private part (in big endian)
            self.d = data[0]
            self.q = data[1]
        self.fpr = self.calc_fpr()

    def calc_fpr(self):
        m_len = 6 + 2 + 97
        ver = b'\x04'
        algo = b'\x12' if self.for_encryption else b'\x16'
        m = b'\x99' + pack('>H', m_len) + ver + self.timestamp + algo \
            + pack('>H', 768+3) + self.q
        return sha1(m).digest()

    def build_privkey_template(self, is_yubikey):
        openpgp_keyno = self.keyno + 1
        if openpgp_keyno == 1:
            keyspec = b'\xb6'
        elif openpgp_keyno == 2:
            keyspec = b'\xb8'
        else:
            keyspec = b'\xa4'
        key_template = b'\x92\x30'
        exthdr = keyspec + b'\x00' + b'\x7f\x48' + b'\x02' + key_template
        suffix = b'\x5f\x48' + b'\x30'
        return b'\x4d' + b'\x3a' + exthdr + suffix + self.d

    def compute_signature(self, digestinfo):
        return lg_nistp384.call_pk_sign(self.d, digestinfo)

    def verify_signature(self, digestinfo, sig):
        return lg_nistp384.call_pk_verify(self.q, digestinfo, sig)

    def encrypt(self, plaintext):
        # Do ECDH
        return lg_nistp384.call_pk_encrypt(self.q, plaintext)

    def get_fpr(self):
        return self.fpr

    def get_timestamp(self):
        return self.timestamp

    def get_pk(self):
        return self.q

key = [ None, None, None ]

# https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/186-3ecdsasiggencomponenttestvectors.zip

nistp384_data0 = (
    b'\x20\x1b\x43\x2d\x8d\xf1\x43\x24\x18\x2d\x62\x61\xdb\x3e\x4b\x3f'
    b'\x46\xa8\x28\x44\x82\xd5\x2e\x37\x0d\xa4\x1e\x6c\xbd\xf4\x5e\xc2'
    b'\x95\x2f\x5d\xb7\xcc\xbc\xe3\xbc\x29\x44\x9f\x4f\xb0\x80\xac\x97',
    b'\x04'
    b'\xc2\xb4\x79\x44\xfb\x5d\xe3\x42\xd0\x32\x85\x88\x01\x77\xca\x5f'
    b'\x7d\x0f\x2f\xca\xd7\x67\x8c\xce\x42\x29\xd6\xe1\x93\x2f\xca\xc1'
    b'\x1b\xfc\x3c\x3e\x97\xd9\x42\xa3\xc5\x6b\xf3\x41\x23\x01\x3d\xbf'
    b'\x37\x25\x79\x06\xa8\x22\x38\x66\xed\xa0\x74\x3c\x51\x96\x16\xa7'
    b'\x6a\x75\x8a\xe5\x8a\xee\x81\xc5\xfd\x35\xfb\xf3\xa8\x55\xb7\x75'
    b'\x4a\x36\xd4\xa0\x67\x2d\xf9\x5d\x6c\x44\xa8\x1c\xf7\x62\x0c\x2d'
)

nistp384_data2 = (
    b'\x23\xd9\xf4\xea\x6d\x87\xb7\xd6\x16\x3d\x64\x25\x6e\x34\x49\x25'
    b'\x5d\xb1\x47\x86\x40\x1a\x51\xda\xa7\x84\x71\x61\xbf\x56\xd4\x94'
    b'\x32\x5a\xd2\xac\x8b\xa9\x28\x39\x4e\x01\x06\x1d\x88\x2c\x35\x28',
    b'\x04'
    b'\x5d\x42\xd6\x30\x1c\x54\xa4\x38\xf6\x59\x70\xba\xe2\xa0\x98\xcb'
    b'\xc5\x67\xe9\x88\x40\x00\x6e\x35\x62\x21\x96\x6c\x86\xd8\x2e\x8e'
    b'\xca\x51\x5b\xca\x85\x0e\xaa\x3c\xd4\x1f\x17\x5f\x03\xa0\xcb\xfd'
    b'\x4a\xef\x5a\x0c\xee\xce\x95\xd3\x82\xbd\x70\xab\x5c\xe1\xcb\x77'
    b'\x40\x8b\xae\x42\xb5\x1a\x08\x81\x6d\x5e\x5e\x1d\x3d\xa8\xc1\x8f'
    b'\xcc\x95\x56\x4a\x75\x27\x30\xb0\xaa\xbe\xa9\x83\xcc\xea\x4e\x2e'
)

# https://tools.ietf.org/html/rfc5903#section-8.1
nistp384_data1 = (
    b'\x09\x9f\x3c\x70\x34\xd4\xa2\xc6\x99\x88\x4d\x73\xa3\x75\xa6\x7f'
    b'\x76\x24\xef\x7c\x6b\x3c\x0f\x16\x06\x47\xb6\x74\x14\xdc\xe6\x55'
    b'\xe3\x5b\x53\x80\x41\xe6\x49\xee\x3f\xae\xf8\x96\x78\x3a\xb1\x94',
    b'\x04'
    b'\x66\x78\x42\xd7\xd1\x80\xac\x2c\xde\x6f\x74\xf3\x75\x51\xf5\x57'
    b'\x55\xc7\x64\x5c\x20\xef\x73\xe3\x16\x34\xfe\x72\xb4\xc5\x5e\xe6'
    b'\xde\x3a\xc8\x08\xac\xb4\xbd\xb4\xc8\x87\x32\xae\xe9\x5f\x41\xaa'
    b'\x94\x82\xed\x1f\xc0\xee\xb9\xca\xfc\x49\x84\x62\x5c\xcf\xc2\x3f'
    b'\x65\x03\x21\x49\xe0\xe1\x44\xad\xa0\x24\x18\x15\x35\xa0\xf3\x8e'
    b'\xeb\x9f\xcf\xf3\xc2\xc9\x47\xda\xe6\x9b\x4c\x63\x45\x73\xa8\x1c'
)

key[0] = PK_Crypto(0, data=nistp384_data0)
key[1] = PK_Crypto(1, data=nistp384_data1)
key[2] = PK_Crypto(2, data=nistp384_data2)

PLAIN_TEXT0=b"In this test, we verify card generated result by libgcrypt."
PLAIN_TEXT1=b"Signature is non-deterministic (it uses nonce K internally)."
PLAIN_TEXT2=b"We don't use NIST P-384 test vectors (it specifies K of ECDSA)."
PLAIN_TEXT3=b"NOTE: Our test is not for ECDSA implementation itself."

ENCRYPT_TEXT0 = sha384(b"!encrypt me please").digest()
ENCRYPT_TEXT1 = sha384(b"!!!encrypt me please, another").digest()
ENCRYPT_TEXT2 = sha384(b"!encrypt me please, the other").digest()

test_vector = {
    'sign_0' : PLAIN_TEXT0,
    'sign_1' : PLAIN_TEXT1,
    'auth_0' : PLAIN_TEXT2,
    'auth_1' : PLAIN_TEXT3,
    'decrypt_0' : ENCRYPT_TEXT0,
    'decrypt_1' : ENCRYPT_TEXT1,
    'encrypt_0' : ENCRYPT_TEXT2,
}


nistp384r1_pk = PK_Crypto()
nistp384r1_pk.test_vector = test_vector
nistp384r1_pk.key_list = key
nistp384r1_pk.key_attr_list = [KEY_ATTRIBUTES_ECDSA_NISTP384R1, KEY_ATTRIBUTES_ECDH_NISTP384R1, KEY_ATTRIBUTES_ECDSA_NISTP384R1]
nistp384r1_pk.PK_Crypto = PK_Crypto