1 /* Copyright (c) 2019, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #ifndef OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H 16 #define OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H 17 18 #include <openssl/base.h> 19 #include <openssl/ec.h> 20 #include <openssl/ec_key.h> 21 #include <openssl/nid.h> 22 23 #include "../fipsmodule/ec/internal.h" 24 25 #include <openssl/trust_token.h> 26 27 28 #if defined(__cplusplus) 29 extern "C" { 30 #endif 31 32 33 // For the following cryptographic schemes, we use P-384 instead of our usual 34 // choice of P-256. See Appendix I of 35 // https://eprint.iacr.org/2020/072/20200324:214215 which describes two attacks 36 // which may affect smaller curves. In particular, p-1 for P-256 is smooth, 37 // giving a low complexity for the p-1 attack. P-384's p-1 has a 281-bit prime 38 // factor, 39 // 3055465788140352002733946906144561090641249606160407884365391979704929268480326390471. 40 // This lower-bounds the p-1 attack at O(2^140). The p+1 attack is lower-bounded 41 // by O(p^(1/3)) or O(2^128), so we do not need to check the smoothness of p+1. 42 43 44 // TRUST_TOKEN_NONCE_SIZE is the size of nonces used as part of the Trust_Token 45 // protocol. 46 #define TRUST_TOKEN_NONCE_SIZE 64 47 48 typedef struct { 49 // TODO(https://crbug.com/boringssl/334): These should store |EC_PRECOMP| so 50 // that |TRUST_TOKEN_finish_issuance| can use |ec_point_mul_scalar_precomp|. 51 EC_AFFINE pub0; 52 EC_AFFINE pub1; 53 EC_AFFINE pubs; 54 } TRUST_TOKEN_CLIENT_KEY; 55 56 typedef struct { 57 EC_SCALAR x0; 58 EC_SCALAR y0; 59 EC_SCALAR x1; 60 EC_SCALAR y1; 61 EC_SCALAR xs; 62 EC_SCALAR ys; 63 EC_AFFINE pub0; 64 EC_PRECOMP pub0_precomp; 65 EC_AFFINE pub1; 66 EC_PRECOMP pub1_precomp; 67 EC_AFFINE pubs; 68 EC_PRECOMP pubs_precomp; 69 } TRUST_TOKEN_ISSUER_KEY; 70 71 // TRUST_TOKEN_PRETOKEN represents the intermediate state a client keeps during 72 // a Trust_Token issuance operation. 73 typedef struct pmb_pretoken_st { 74 uint8_t salt[TRUST_TOKEN_NONCE_SIZE]; 75 uint8_t t[TRUST_TOKEN_NONCE_SIZE]; 76 EC_SCALAR r; 77 EC_AFFINE Tp; 78 } TRUST_TOKEN_PRETOKEN; 79 80 // TRUST_TOKEN_PRETOKEN_free releases the memory associated with |token|. 81 OPENSSL_EXPORT void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *token); 82 83 DEFINE_STACK_OF(TRUST_TOKEN_PRETOKEN) 84 85 86 // PMBTokens. 87 // 88 // PMBTokens is described in https://eprint.iacr.org/2020/072/20200324:214215 89 // and provides anonymous tokens with private metadata. We implement the 90 // construction with validity verification, described in appendix H, 91 // construction 6. 92 93 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 94 // functions for |TRUST_TOKENS_experiment_v1|'s PMBTokens construction which 95 // uses P-384. 96 int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public); 97 int pmbtoken_exp1_derive_key_from_secret(CBB *out_private, CBB *out_public, 98 const uint8_t *secret, 99 size_t secret_len); 100 int pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 101 const uint8_t *in, size_t len); 102 int pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 103 const uint8_t *in, size_t len); 104 STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp1_blind(CBB *cbb, size_t count, 105 int include_message, 106 const uint8_t *msg, 107 size_t msg_len); 108 int pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 109 size_t num_requested, size_t num_to_issue, 110 uint8_t private_metadata); 111 STACK_OF(TRUST_TOKEN) *pmbtoken_exp1_unblind( 112 const TRUST_TOKEN_CLIENT_KEY *key, 113 const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, 114 uint32_t key_id); 115 int pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key, 116 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 117 uint8_t *out_private_metadata, const uint8_t *token, 118 size_t token_len, int include_message, 119 const uint8_t *msg, size_t msg_len); 120 121 // pmbtoken_exp1_get_h_for_testing returns H in uncompressed coordinates. This 122 // function is used to confirm H was computed as expected. 123 OPENSSL_EXPORT int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]); 124 125 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 126 // functions for |TRUST_TOKENS_experiment_v2|'s PMBTokens construction which 127 // uses P-384. 128 int pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public); 129 int pmbtoken_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public, 130 const uint8_t *secret, 131 size_t secret_len); 132 int pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 133 const uint8_t *in, size_t len); 134 int pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 135 const uint8_t *in, size_t len); 136 STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp2_blind(CBB *cbb, size_t count, 137 int include_message, 138 const uint8_t *msg, 139 size_t msg_len); 140 int pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 141 size_t num_requested, size_t num_to_issue, 142 uint8_t private_metadata); 143 STACK_OF(TRUST_TOKEN) *pmbtoken_exp2_unblind( 144 const TRUST_TOKEN_CLIENT_KEY *key, 145 const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, 146 uint32_t key_id); 147 int pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, 148 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 149 uint8_t *out_private_metadata, const uint8_t *token, 150 size_t token_len, int include_message, 151 const uint8_t *msg, size_t msg_len); 152 153 // pmbtoken_exp2_get_h_for_testing returns H in uncompressed coordinates. This 154 // function is used to confirm H was computed as expected. 155 OPENSSL_EXPORT int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]); 156 157 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 158 // functions for |TRUST_TOKENS_pst_v1|'s PMBTokens construction which uses 159 // P-384. 160 int pmbtoken_pst1_generate_key(CBB *out_private, CBB *out_public); 161 int pmbtoken_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public, 162 const uint8_t *secret, 163 size_t secret_len); 164 int pmbtoken_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 165 const uint8_t *in, size_t len); 166 int pmbtoken_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 167 const uint8_t *in, size_t len); 168 STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_pst1_blind(CBB *cbb, size_t count, 169 int include_message, 170 const uint8_t *msg, 171 size_t msg_len); 172 int pmbtoken_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 173 size_t num_requested, size_t num_to_issue, 174 uint8_t private_metadata); 175 STACK_OF(TRUST_TOKEN) *pmbtoken_pst1_unblind( 176 const TRUST_TOKEN_CLIENT_KEY *key, 177 const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, 178 uint32_t key_id); 179 int pmbtoken_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key, 180 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 181 uint8_t *out_private_metadata, const uint8_t *token, 182 size_t token_len, int include_message, 183 const uint8_t *msg, size_t msg_len); 184 185 // pmbtoken_pst1_get_h_for_testing returns H in uncompressed coordinates. This 186 // function is used to confirm H was computed as expected. 187 OPENSSL_EXPORT int pmbtoken_pst1_get_h_for_testing(uint8_t out[97]); 188 189 190 // VOPRF. 191 // 192 // VOPRFs are described in https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04 193 // and provide anonymous tokens. This implementation uses TrustToken DSTs and 194 // the DLEQ batching primitive from 195 // https://eprint.iacr.org/2020/072/20200324:214215. 196 // VOPRF only uses the |pub|' field of the TRUST_TOKEN_CLIENT_KEY and 197 // |xs|/|pubs| fields of the TRUST_TOKEN_ISSUER_KEY. 198 199 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 200 // functions for |TRUST_TOKENS_experiment_v2|'s VOPRF construction which uses 201 // P-384. 202 int voprf_exp2_generate_key(CBB *out_private, CBB *out_public); 203 int voprf_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public, 204 const uint8_t *secret, size_t secret_len); 205 int voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 206 const uint8_t *in, size_t len); 207 int voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 208 const uint8_t *in, size_t len); 209 STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_exp2_blind(CBB *cbb, size_t count, 210 int include_message, 211 const uint8_t *msg, 212 size_t msg_len); 213 int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 214 size_t num_requested, size_t num_to_issue, 215 uint8_t private_metadata); 216 STACK_OF(TRUST_TOKEN) *voprf_exp2_unblind( 217 const TRUST_TOKEN_CLIENT_KEY *key, 218 const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, 219 uint32_t key_id); 220 int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, 221 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 222 uint8_t *out_private_metadata, const uint8_t *token, 223 size_t token_len, int include_message, const uint8_t *msg, 224 size_t msg_len); 225 226 // The following functions implement the corresponding |TRUST_TOKENS_METHOD| 227 // functions for |TRUST_TOKENS_pst_v1|'s VOPRF construction which uses P-384. 228 int voprf_pst1_generate_key(CBB *out_private, CBB *out_public); 229 int voprf_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public, 230 const uint8_t *secret, size_t secret_len); 231 int voprf_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, 232 const uint8_t *in, size_t len); 233 int voprf_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, 234 const uint8_t *in, size_t len); 235 STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_pst1_blind(CBB *cbb, size_t count, 236 int include_message, 237 const uint8_t *msg, 238 size_t msg_len); 239 int voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 240 size_t num_requested, size_t num_to_issue, 241 uint8_t private_metadata); 242 OPENSSL_EXPORT int voprf_pst1_sign_with_proof_scalar_for_testing( 243 const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, 244 size_t num_to_issue, uint8_t private_metadata, 245 const uint8_t *proof_scalar_buf, size_t proof_scalar_len); 246 STACK_OF(TRUST_TOKEN) *voprf_pst1_unblind( 247 const TRUST_TOKEN_CLIENT_KEY *key, 248 const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, 249 uint32_t key_id); 250 int voprf_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key, 251 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 252 uint8_t *out_private_metadata, const uint8_t *token, 253 size_t token_len, int include_message, const uint8_t *msg, 254 size_t msg_len); 255 256 257 // Trust Tokens internals. 258 259 struct trust_token_method_st { 260 // generate_key generates a fresh keypair and writes their serialized 261 // forms into |out_private| and |out_public|. It returns one on success and 262 // zero on failure. 263 int (*generate_key)(CBB *out_private, CBB *out_public); 264 265 // derive_key_from_secret deterministically derives a keypair based on 266 // |secret| and writes their serialized forms into |out_private| and 267 // |out_public|. It returns one on success and zero on failure. 268 int (*derive_key_from_secret)(CBB *out_private, CBB *out_public, 269 const uint8_t *secret, size_t secret_len); 270 271 // client_key_from_bytes decodes a client key from |in| and sets |key| 272 // to the resulting key. It returns one on success and zero 273 // on failure. 274 int (*client_key_from_bytes)(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, 275 size_t len); 276 277 // issuer_key_from_bytes decodes a issuer key from |in| and sets |key| 278 // to the resulting key. It returns one on success and zero 279 // on failure. 280 int (*issuer_key_from_bytes)(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, 281 size_t len); 282 283 // blind generates a new issuance request for |count| tokens. If 284 // |include_message| is set, then |msg| is used to derive the token nonces. On 285 // success, it returns a newly-allocated |STACK_OF(TRUST_TOKEN_PRETOKEN)| and 286 // writes a request to the issuer to |cbb|. On failure, it returns NULL. The 287 // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind| 288 // when the server responds. 289 // 290 // This function implements the AT.Usr0 operation. 291 STACK_OF(TRUST_TOKEN_PRETOKEN) *(*blind)(CBB *cbb, size_t count, 292 int include_message, 293 const uint8_t *msg, size_t msg_len); 294 295 // sign parses a request for |num_requested| tokens from |cbs| and 296 // issues |num_to_issue| tokens with |key| and a private metadata value of 297 // |private_metadata|. It then writes the response to |cbb|. It returns one on 298 // success and zero on failure. 299 // 300 // This function implements the AT.Sig operation. 301 int (*sign)(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, 302 size_t num_requested, size_t num_to_issue, 303 uint8_t private_metadata); 304 305 // unblind processes an issuance response for |count| tokens from |cbs| 306 // and unblinds the signed tokens. |pretokens| are the pre-tokens returned 307 // from the corresponding |blind| call. On success, the function returns a 308 // newly-allocated |STACK_OF(TRUST_TOKEN)| containing the resulting tokens. 309 // Each token's serialization will have |key_id| prepended. Otherwise, it 310 // returns NULL. 311 // 312 // This function implements the AT.Usr1 operation. 313 STACK_OF(TRUST_TOKEN) *(*unblind)( 314 const TRUST_TOKEN_CLIENT_KEY *key, 315 const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, 316 uint32_t key_id); 317 318 // read parses a token from |token| and verifies it using |key|. If 319 // |include_message| is set, then the nonce is derived from |msg| and the salt 320 // in the token. On success, it returns one and stores the nonce and private 321 // metadata bit in |out_nonce| and |*out_private_metadata|. Otherwise, it 322 // returns zero. Note that, unlike the output of |unblind|, |token| does not 323 // have a four-byte key ID prepended. 324 int (*read)(const TRUST_TOKEN_ISSUER_KEY *key, 325 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], 326 uint8_t *out_private_metadata, const uint8_t *token, 327 size_t token_len, int include_message, const uint8_t *msg, 328 size_t msg_len); 329 330 // whether the construction supports private metadata. 331 int has_private_metadata; 332 333 // max keys that can be configured. 334 size_t max_keys; 335 336 // whether the SRR is part of the protocol. 337 int has_srr; 338 }; 339 340 // Structure representing a single Trust Token public key with the specified ID. 341 struct trust_token_client_key_st { 342 uint32_t id; 343 TRUST_TOKEN_CLIENT_KEY key; 344 }; 345 346 // Structure representing a single Trust Token private key with the specified 347 // ID. 348 struct trust_token_issuer_key_st { 349 uint32_t id; 350 TRUST_TOKEN_ISSUER_KEY key; 351 }; 352 353 struct trust_token_client_st { 354 const TRUST_TOKEN_METHOD *method; 355 356 // max_batchsize is the maximum supported batchsize. 357 uint16_t max_batchsize; 358 359 // keys is the set of public keys that are supported by the client for 360 // issuance/redemptions. 361 struct trust_token_client_key_st keys[6]; 362 363 // num_keys is the number of keys currently configured. 364 size_t num_keys; 365 366 // pretokens is the intermediate state during an active issuance. 367 STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens; 368 369 // srr_key is the public key used to verify the signature of the SRR. 370 EVP_PKEY *srr_key; 371 }; 372 373 374 struct trust_token_issuer_st { 375 const TRUST_TOKEN_METHOD *method; 376 377 // max_batchsize is the maximum supported batchsize. 378 uint16_t max_batchsize; 379 380 // keys is the set of private keys that are supported by the issuer for 381 // issuance/redemptions. The public metadata is an index into this list of 382 // keys. 383 struct trust_token_issuer_key_st keys[6]; 384 385 // num_keys is the number of keys currently configured. 386 size_t num_keys; 387 388 // srr_key is the private key used to sign the SRR. 389 EVP_PKEY *srr_key; 390 391 // metadata_key is the secret material used to encode the private metadata bit 392 // in the SRR. 393 uint8_t *metadata_key; 394 size_t metadata_key_len; 395 }; 396 397 398 #if defined(__cplusplus) 399 } // extern C 400 401 extern "C++" { 402 403 BSSL_NAMESPACE_BEGIN 404 405 BORINGSSL_MAKE_DELETER(TRUST_TOKEN_PRETOKEN, TRUST_TOKEN_PRETOKEN_free) 406 407 BSSL_NAMESPACE_END 408 409 } // extern C++ 410 #endif 411 412 #endif // OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H 413