1*e7b1675dSTing-Kang Chang// Copyright 2020 Google LLC 2*e7b1675dSTing-Kang Chang// 3*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License"); 4*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License. 5*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at 6*e7b1675dSTing-Kang Chang// 7*e7b1675dSTing-Kang Chang// http://www.apache.org/licenses/LICENSE-2.0 8*e7b1675dSTing-Kang Chang// 9*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software 10*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS, 11*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and 13*e7b1675dSTing-Kang Chang// limitations under the License. 14*e7b1675dSTing-Kang Chang// 15*e7b1675dSTing-Kang Chang//////////////////////////////////////////////////////////////////////////////// 16*e7b1675dSTing-Kang Chang 17*e7b1675dSTing-Kang Changpackage subtle 18*e7b1675dSTing-Kang Chang 19*e7b1675dSTing-Kang Changimport ( 20*e7b1675dSTing-Kang Chang "crypto/ecdsa" 21*e7b1675dSTing-Kang Chang "errors" 22*e7b1675dSTing-Kang Chang "fmt" 23*e7b1675dSTing-Kang Chang "hash" 24*e7b1675dSTing-Kang Chang "math/big" 25*e7b1675dSTing-Kang Chang 26*e7b1675dSTing-Kang Chang "github.com/google/tink/go/subtle" 27*e7b1675dSTing-Kang Chang) 28*e7b1675dSTing-Kang Chang 29*e7b1675dSTing-Kang Changvar errInvalidECDSASignature = errors.New("ecdsa_verifier: invalid signature") 30*e7b1675dSTing-Kang Chang 31*e7b1675dSTing-Kang Chang// ECDSAVerifier is an implementation of Verifier for ECDSA. 32*e7b1675dSTing-Kang Chang// At the moment, the implementation only accepts signatures with strict DER encoding. 33*e7b1675dSTing-Kang Changtype ECDSAVerifier struct { 34*e7b1675dSTing-Kang Chang publicKey *ecdsa.PublicKey 35*e7b1675dSTing-Kang Chang hashFunc func() hash.Hash 36*e7b1675dSTing-Kang Chang encoding string 37*e7b1675dSTing-Kang Chang} 38*e7b1675dSTing-Kang Chang 39*e7b1675dSTing-Kang Chang// NewECDSAVerifier creates a new instance of ECDSAVerifier. 40*e7b1675dSTing-Kang Changfunc NewECDSAVerifier(hashAlg string, curve string, encoding string, x []byte, y []byte) (*ECDSAVerifier, error) { 41*e7b1675dSTing-Kang Chang publicKey := &ecdsa.PublicKey{ 42*e7b1675dSTing-Kang Chang Curve: subtle.GetCurve(curve), 43*e7b1675dSTing-Kang Chang X: new(big.Int).SetBytes(x), 44*e7b1675dSTing-Kang Chang Y: new(big.Int).SetBytes(y), 45*e7b1675dSTing-Kang Chang } 46*e7b1675dSTing-Kang Chang return NewECDSAVerifierFromPublicKey(hashAlg, encoding, publicKey) 47*e7b1675dSTing-Kang Chang} 48*e7b1675dSTing-Kang Chang 49*e7b1675dSTing-Kang Chang// NewECDSAVerifierFromPublicKey creates a new instance of ECDSAVerifier. 50*e7b1675dSTing-Kang Changfunc NewECDSAVerifierFromPublicKey(hashAlg string, encoding string, publicKey *ecdsa.PublicKey) (*ECDSAVerifier, error) { 51*e7b1675dSTing-Kang Chang if publicKey.Curve == nil { 52*e7b1675dSTing-Kang Chang return nil, errors.New("ecdsa_verifier: invalid curve") 53*e7b1675dSTing-Kang Chang } 54*e7b1675dSTing-Kang Chang if !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) { 55*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("ecdsa_verifier: invalid public key") 56*e7b1675dSTing-Kang Chang } 57*e7b1675dSTing-Kang Chang curve := subtle.ConvertCurveName(publicKey.Curve.Params().Name) 58*e7b1675dSTing-Kang Chang if err := ValidateECDSAParams(hashAlg, curve, encoding); err != nil { 59*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("ecdsa_verifier: %s", err) 60*e7b1675dSTing-Kang Chang } 61*e7b1675dSTing-Kang Chang hashFunc := subtle.GetHashFunc(hashAlg) 62*e7b1675dSTing-Kang Chang return &ECDSAVerifier{ 63*e7b1675dSTing-Kang Chang publicKey: publicKey, 64*e7b1675dSTing-Kang Chang hashFunc: hashFunc, 65*e7b1675dSTing-Kang Chang encoding: encoding, 66*e7b1675dSTing-Kang Chang }, nil 67*e7b1675dSTing-Kang Chang} 68*e7b1675dSTing-Kang Chang 69*e7b1675dSTing-Kang Chang// Verify verifies whether the given signature is valid for the given data. 70*e7b1675dSTing-Kang Chang// It returns an error if the signature is not valid; nil otherwise. 71*e7b1675dSTing-Kang Changfunc (e *ECDSAVerifier) Verify(signatureBytes, data []byte) error { 72*e7b1675dSTing-Kang Chang signature, err := DecodeECDSASignature(signatureBytes, e.encoding) 73*e7b1675dSTing-Kang Chang if err != nil { 74*e7b1675dSTing-Kang Chang return fmt.Errorf("ecdsa_verifier: %s", err) 75*e7b1675dSTing-Kang Chang } 76*e7b1675dSTing-Kang Chang hashed, err := subtle.ComputeHash(e.hashFunc, data) 77*e7b1675dSTing-Kang Chang if err != nil { 78*e7b1675dSTing-Kang Chang return err 79*e7b1675dSTing-Kang Chang } 80*e7b1675dSTing-Kang Chang valid := ecdsa.Verify(e.publicKey, hashed, signature.R, signature.S) 81*e7b1675dSTing-Kang Chang if !valid { 82*e7b1675dSTing-Kang Chang return errInvalidECDSASignature 83*e7b1675dSTing-Kang Chang } 84*e7b1675dSTing-Kang Chang return nil 85*e7b1675dSTing-Kang Chang} 86