xref: /aosp_15_r20/external/pigweed/pw_crypto/ecdsa_uecc.cc (revision 61c4878ac05f98d0ceed94b57d316916de578985) 
1*61c4878aSAndroid Build Coastguard Worker // Copyright 2021 The Pigweed Authors
2*61c4878aSAndroid Build Coastguard Worker //
3*61c4878aSAndroid Build Coastguard Worker // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4*61c4878aSAndroid Build Coastguard Worker // use this file except in compliance with the License. You may obtain a copy of
5*61c4878aSAndroid Build Coastguard Worker // the License at
6*61c4878aSAndroid Build Coastguard Worker //
7*61c4878aSAndroid Build Coastguard Worker //     https://www.apache.org/licenses/LICENSE-2.0
8*61c4878aSAndroid Build Coastguard Worker //
9*61c4878aSAndroid Build Coastguard Worker // Unless required by applicable law or agreed to in writing, software
10*61c4878aSAndroid Build Coastguard Worker // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11*61c4878aSAndroid Build Coastguard Worker // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12*61c4878aSAndroid Build Coastguard Worker // License for the specific language governing permissions and limitations under
13*61c4878aSAndroid Build Coastguard Worker // the License.
14*61c4878aSAndroid Build Coastguard Worker #define PW_LOG_MODULE_NAME "ECDSA-UECC"
15*61c4878aSAndroid Build Coastguard Worker #define PW_LOG_LEVEL PW_LOG_LEVEL_WARN
16*61c4878aSAndroid Build Coastguard Worker 
17*61c4878aSAndroid Build Coastguard Worker #include <cstring>
18*61c4878aSAndroid Build Coastguard Worker 
19*61c4878aSAndroid Build Coastguard Worker #include "pw_crypto/ecdsa.h"
20*61c4878aSAndroid Build Coastguard Worker #include "pw_log/log.h"
21*61c4878aSAndroid Build Coastguard Worker #include "uECC.h"
22*61c4878aSAndroid Build Coastguard Worker 
23*61c4878aSAndroid Build Coastguard Worker namespace pw::crypto::ecdsa {
24*61c4878aSAndroid Build Coastguard Worker 
25*61c4878aSAndroid Build Coastguard Worker constexpr size_t kP256CurveOrderBytes = 32;
26*61c4878aSAndroid Build Coastguard Worker constexpr size_t kP256PublicKeySize = 2 * kP256CurveOrderBytes + 1;
27*61c4878aSAndroid Build Coastguard Worker constexpr size_t kP256SignatureSize = kP256CurveOrderBytes * 2;
28*61c4878aSAndroid Build Coastguard Worker 
VerifyP256Signature(ConstByteSpan public_key,ConstByteSpan digest,ConstByteSpan signature)29*61c4878aSAndroid Build Coastguard Worker Status VerifyP256Signature(ConstByteSpan public_key,
30*61c4878aSAndroid Build Coastguard Worker                            ConstByteSpan digest,
31*61c4878aSAndroid Build Coastguard Worker                            ConstByteSpan signature) {
32*61c4878aSAndroid Build Coastguard Worker   // Signature expected in raw format (r||s)
33*61c4878aSAndroid Build Coastguard Worker   if (signature.size() != kP256SignatureSize) {
34*61c4878aSAndroid Build Coastguard Worker     PW_LOG_DEBUG("Bad signature format");
35*61c4878aSAndroid Build Coastguard Worker     return Status::InvalidArgument();
36*61c4878aSAndroid Build Coastguard Worker   }
37*61c4878aSAndroid Build Coastguard Worker 
38*61c4878aSAndroid Build Coastguard Worker   // Supports SEC 1 uncompressed form (04||X||Y) only.
39*61c4878aSAndroid Build Coastguard Worker   if (public_key.size() != kP256PublicKeySize ||
40*61c4878aSAndroid Build Coastguard Worker       std::to_integer<uint8_t>(public_key.data()[0]) != 0x04) {
41*61c4878aSAndroid Build Coastguard Worker     PW_LOG_DEBUG("Bad public key format");
42*61c4878aSAndroid Build Coastguard Worker     return Status::InvalidArgument();
43*61c4878aSAndroid Build Coastguard Worker   }
44*61c4878aSAndroid Build Coastguard Worker 
45*61c4878aSAndroid Build Coastguard Worker #if defined(uECC_VLI_NATIVE_LITTLE_ENDIAN) && uECC_VLI_NATIVE_LITTLE_ENDIAN
46*61c4878aSAndroid Build Coastguard Worker   // uECC_VLI_NATIVE_LITTLE_ENDIAN is defined with a non-zero value when
47*61c4878aSAndroid Build Coastguard Worker   // pw_crypto_ECDSA_BACKEND is set to "//pw_crypto:ecdsa_uecc_little_endian".
48*61c4878aSAndroid Build Coastguard Worker   //
49*61c4878aSAndroid Build Coastguard Worker   // Since pw_crypto APIs are big endian only (standard practice), here we
50*61c4878aSAndroid Build Coastguard Worker   // need to convert input parameters to little endian.
51*61c4878aSAndroid Build Coastguard Worker   //
52*61c4878aSAndroid Build Coastguard Worker   // Additionally uECC requires these little endian buffers to be word aligned
53*61c4878aSAndroid Build Coastguard Worker   // in case unaligned accesses are not supported by the hardware. We choose
54*61c4878aSAndroid Build Coastguard Worker   // the maximum 8-byte alignment to avoid referrencing internal uECC headers.
55*61c4878aSAndroid Build Coastguard Worker   alignas(8) uint8_t signature_bytes[kP256SignatureSize];
56*61c4878aSAndroid Build Coastguard Worker   memcpy(signature_bytes, signature.data(), sizeof(signature_bytes));
57*61c4878aSAndroid Build Coastguard Worker   std::reverse(signature_bytes, signature_bytes + kP256CurveOrderBytes);  // r
58*61c4878aSAndroid Build Coastguard Worker   std::reverse(signature_bytes + kP256CurveOrderBytes,
59*61c4878aSAndroid Build Coastguard Worker                signature_bytes + sizeof(signature_bytes));  // s
60*61c4878aSAndroid Build Coastguard Worker 
61*61c4878aSAndroid Build Coastguard Worker   alignas(8) uint8_t public_key_bytes[kP256PublicKeySize - 1];
62*61c4878aSAndroid Build Coastguard Worker   memcpy(public_key_bytes, public_key.data() + 1, sizeof(public_key_bytes));
63*61c4878aSAndroid Build Coastguard Worker   std::reverse(public_key_bytes, public_key_bytes + kP256CurveOrderBytes);  // X
64*61c4878aSAndroid Build Coastguard Worker   std::reverse(public_key_bytes + kP256CurveOrderBytes,
65*61c4878aSAndroid Build Coastguard Worker                public_key_bytes + sizeof(public_key_bytes));  // Y
66*61c4878aSAndroid Build Coastguard Worker 
67*61c4878aSAndroid Build Coastguard Worker   alignas(8) uint8_t digest_bytes[kP256CurveOrderBytes];
68*61c4878aSAndroid Build Coastguard Worker   memcpy(digest_bytes, digest.data(), sizeof(digest_bytes));
69*61c4878aSAndroid Build Coastguard Worker   std::reverse(digest_bytes, digest_bytes + sizeof(digest_bytes));
70*61c4878aSAndroid Build Coastguard Worker #else
71*61c4878aSAndroid Build Coastguard Worker   const uint8_t* public_key_bytes =
72*61c4878aSAndroid Build Coastguard Worker       reinterpret_cast<const uint8_t*>(public_key.data()) + 1;
73*61c4878aSAndroid Build Coastguard Worker   const uint8_t* digest_bytes = reinterpret_cast<const uint8_t*>(digest.data());
74*61c4878aSAndroid Build Coastguard Worker   const uint8_t* signature_bytes =
75*61c4878aSAndroid Build Coastguard Worker       reinterpret_cast<const uint8_t*>(signature.data());
76*61c4878aSAndroid Build Coastguard Worker #endif  // uECC_VLI_NATIVE_LITTLE_ENDIAN
77*61c4878aSAndroid Build Coastguard Worker 
78*61c4878aSAndroid Build Coastguard Worker   uECC_Curve curve = uECC_secp256r1();
79*61c4878aSAndroid Build Coastguard Worker   // Make sure the public key is on the curve.
80*61c4878aSAndroid Build Coastguard Worker   if (!uECC_valid_public_key(public_key_bytes, curve)) {
81*61c4878aSAndroid Build Coastguard Worker     PW_LOG_DEBUG("Bad public key curve");
82*61c4878aSAndroid Build Coastguard Worker     return Status::InvalidArgument();
83*61c4878aSAndroid Build Coastguard Worker   }
84*61c4878aSAndroid Build Coastguard Worker 
85*61c4878aSAndroid Build Coastguard Worker   // Digests must be at least 32 bytes. Digests longer than 32
86*61c4878aSAndroid Build Coastguard Worker   // bytes are truncated to 32 bytes.
87*61c4878aSAndroid Build Coastguard Worker   if (digest.size() < kP256CurveOrderBytes) {
88*61c4878aSAndroid Build Coastguard Worker     PW_LOG_DEBUG("Digest is too short");
89*61c4878aSAndroid Build Coastguard Worker     return Status::InvalidArgument();
90*61c4878aSAndroid Build Coastguard Worker   }
91*61c4878aSAndroid Build Coastguard Worker 
92*61c4878aSAndroid Build Coastguard Worker   // Verify the signature.
93*61c4878aSAndroid Build Coastguard Worker   if (!uECC_verify(public_key_bytes,
94*61c4878aSAndroid Build Coastguard Worker                    digest_bytes,
95*61c4878aSAndroid Build Coastguard Worker                    digest.size(),
96*61c4878aSAndroid Build Coastguard Worker                    signature_bytes,
97*61c4878aSAndroid Build Coastguard Worker                    curve)) {
98*61c4878aSAndroid Build Coastguard Worker     PW_LOG_DEBUG("Signature verification failed");
99*61c4878aSAndroid Build Coastguard Worker     return Status::Unauthenticated();
100*61c4878aSAndroid Build Coastguard Worker   }
101*61c4878aSAndroid Build Coastguard Worker 
102*61c4878aSAndroid Build Coastguard Worker   return OkStatus();
103*61c4878aSAndroid Build Coastguard Worker }
104*61c4878aSAndroid Build Coastguard Worker 
105*61c4878aSAndroid Build Coastguard Worker }  // namespace pw::crypto::ecdsa
106