Google Git
Sign in
fuchsia / third_party / tink / c45eb7a5ba5a806fc1488d5ab39294dca89b9932 / . / cc / subtle / ecdsa_verify_boringssl.cc
blob: e78203b1903b3cfbab4109ccda77eb943a699087 [file] [log] [blame]
// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////////
#include "tink/subtle/ecdsa_verify_boringssl.h"
#include "absl/strings/str_cat.h"
#include "openssl/bn.h"
#include "openssl/ec.h"
#include "openssl/ecdsa.h"
#include "openssl/evp.h"
#include "openssl/mem.h"
#include "tink/subtle/common_enums.h"
#include "tink/subtle/subtle_util_boringssl.h"
#include "tink/util/errors.h"
namespace crypto {
namespace tink {
namespace subtle {
namespace {
// Transforms ECDSA IEEE_P1363 signature encoding to DER encoding.
//
// The IEEE_P1363 signature's format is r || s, where r and s are zero-padded
// and have the same size in bytes as the order of the curve. For example, for
// NIST P-256 curve, r and s are zero-padded to 32 bytes.
//
// The DER signature is encoded using ASN.1
// (https://tools.ietf.org/html/rfc5480#appendix-A): ECDSA-Sig-Value :: =
// SEQUENCE { r INTEGER, s INTEGER }. In particular, the encoding is: 0x30 ||
// totalLength || 0x02 || r's length || r || 0x02 || s's length || s.
crypto::tink::util::StatusOr<std::string> IeeeToDer(absl::string_view ieee,
const EC_KEY* key) {
size_t field_size_in_bytes =
(EC_GROUP_get_degree(EC_KEY_get0_group(key)) + 7) / 8;
if (ieee.size() != field_size_in_bytes * 2) {
return util::Status(util::error::INVALID_ARGUMENT,
"Signature is not valid.");
}
bssl::UniquePtr<ECDSA_SIG> ecdsa(ECDSA_SIG_new());
auto status_or_r =
SubtleUtilBoringSSL::str2bn(ieee.substr(0, ieee.size() / 2));
if (!status_or_r.ok()) {
return status_or_r.status();
}
auto status_or_s = SubtleUtilBoringSSL::str2bn(
ieee.substr(ieee.size() / 2, ieee.size() / 2));
if (!status_or_s.ok()) {
return status_or_s.status();
}
if (1 != ECDSA_SIG_set0(ecdsa.get(), status_or_r.ValueOrDie().get(),
status_or_s.ValueOrDie().get())) {
return util::Status(util::error::INTERNAL, "ECDSA_SIG_set0 error.");
}
// ECDSA_SIG_set0 takes ownership of s and r's pointers.
status_or_r.ValueOrDie().release();
status_or_s.ValueOrDie().release();
uint8_t* der = nullptr;
size_t der_len;
if (!ECDSA_SIG_to_bytes(&der, &der_len, ecdsa.get())) {
return util::Status(util::error::INVALID_ARGUMENT,
"ECDSA_SIG_to_bytes error");
}
std::string result = std::string(reinterpret_cast<char*>(der), der_len);
OPENSSL_free(der);
return result;
}
} // namespace
// static
util::StatusOr<std::unique_ptr<EcdsaVerifyBoringSsl>> EcdsaVerifyBoringSsl::New(
const SubtleUtilBoringSSL::EcKey& ec_key, HashType hash_type,
EcdsaSignatureEncoding encoding) {
// Check curve.
auto group_result(SubtleUtilBoringSSL::GetEcGroup(ec_key.curve));
if (!group_result.ok()) return group_result.status();
bssl::UniquePtr<EC_GROUP> group(group_result.ValueOrDie());
bssl::UniquePtr<EC_KEY> key(EC_KEY_new());
EC_KEY_set_group(key.get(), group.get());
// Check key.
auto ec_point_result =
SubtleUtilBoringSSL::GetEcPoint(ec_key.curve, ec_key.pub_x, ec_key.pub_y);
if (!ec_point_result.ok()) return ec_point_result.status();
bssl::UniquePtr<EC_POINT> pub_key(ec_point_result.ValueOrDie());
if (!EC_KEY_set_public_key(key.get(), pub_key.get())) {
return util::Status(util::error::INVALID_ARGUMENT,
absl::StrCat("Invalid public key: ",
SubtleUtilBoringSSL::GetErrors()));
}
return New(std::move(key), hash_type, encoding);
}
// static
util::StatusOr<std::unique_ptr<EcdsaVerifyBoringSsl>> EcdsaVerifyBoringSsl::New(
bssl::UniquePtr<EC_KEY> ec_key, HashType hash_type,
EcdsaSignatureEncoding encoding) {
// Check hash.
auto hash_status = SubtleUtilBoringSSL::ValidateSignatureHash(hash_type);
if (!hash_status.ok()) {
return hash_status;
}
auto hash_result = SubtleUtilBoringSSL::EvpHash(hash_type);
if (!hash_result.ok()) return hash_result.status();
const EVP_MD* hash = hash_result.ValueOrDie();
std::unique_ptr<EcdsaVerifyBoringSsl> verify(
new EcdsaVerifyBoringSsl(ec_key.release(), hash, encoding));
return std::move(verify);
}
EcdsaVerifyBoringSsl::EcdsaVerifyBoringSsl(EC_KEY* key, const EVP_MD* hash,
EcdsaSignatureEncoding encoding)
: key_(key), hash_(hash), encoding_(encoding) {}
util::Status EcdsaVerifyBoringSsl::Verify(
absl::string_view signature,
absl::string_view data) const {
// BoringSSL expects a non-null pointer for data,
// regardless of whether the size is 0.
data = SubtleUtilBoringSSL::EnsureNonNull(data);
// Compute the digest.
unsigned int digest_size;
uint8_t digest[EVP_MAX_MD_SIZE];
if (1 != EVP_Digest(data.data(), data.size(), digest, &digest_size, hash_,
nullptr)) {
return util::Status(util::error::INTERNAL, "Could not compute digest.");
}
std::string derSig(signature);
if (encoding_ == subtle::EcdsaSignatureEncoding::IEEE_P1363) {
auto status_or_der = IeeeToDer(signature, key_.get());
if (!status_or_der.ok()) {
return status_or_der.status();
}
derSig = status_or_der.ValueOrDie();
}
// Verify the signature.
if (1 != ECDSA_verify(0 /* unused */, digest, digest_size,
reinterpret_cast<const uint8_t*>(derSig.data()),
derSig.size(), key_.get())) {
// signature is invalid
return util::Status(util::error::INVALID_ARGUMENT,
"Signature is not valid.");
}
// signature is valid
return util::Status::OK;
}
} // namespace subtle
} // namespace tink
} // namespace crypto