1 /*
2 * Copyright (c) 2017, [Ribose Inc](https://www.ribose.com).
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
16 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
18 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
19 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
20 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
21 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
22 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
23 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
24 * POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #include <string.h>
28 #include <botan/ffi.h>
29 #include "eddsa.h"
30 #include "utils.h"
31
32 static bool
eddsa_load_public_key(botan_pubkey_t * pubkey,const pgp_ec_key_t * keydata)33 eddsa_load_public_key(botan_pubkey_t *pubkey, const pgp_ec_key_t *keydata)
34 {
35 if (keydata->curve != PGP_CURVE_ED25519) {
36 return false;
37 }
38 /*
39 * See draft-ietf-openpgp-rfc4880bis-01 section 13.3
40 */
41 if ((mpi_bytes(&keydata->p) != 33) || (keydata->p.mpi[0] != 0x40)) {
42 return false;
43 }
44 if (botan_pubkey_load_ed25519(pubkey, keydata->p.mpi + 1)) {
45 return false;
46 }
47
48 return true;
49 }
50
51 static bool
eddsa_load_secret_key(botan_privkey_t * seckey,const pgp_ec_key_t * keydata)52 eddsa_load_secret_key(botan_privkey_t *seckey, const pgp_ec_key_t *keydata)
53 {
54 uint8_t keybuf[32] = {0};
55 size_t sz;
56
57 if (keydata->curve != PGP_CURVE_ED25519) {
58 return false;
59 }
60 sz = mpi_bytes(&keydata->x);
61 if (!sz || (sz > 32)) {
62 return false;
63 }
64 mpi2mem(&keydata->x, keybuf + 32 - sz);
65 if (botan_privkey_load_ed25519(seckey, keybuf)) {
66 return false;
67 }
68
69 return true;
70 }
71
72 rnp_result_t
eddsa_validate_key(rnp::RNG * rng,const pgp_ec_key_t * key,bool secret)73 eddsa_validate_key(rnp::RNG *rng, const pgp_ec_key_t *key, bool secret)
74 {
75 botan_pubkey_t bpkey = NULL;
76 botan_privkey_t bskey = NULL;
77 rnp_result_t ret = RNP_ERROR_BAD_PARAMETERS;
78
79 if (!eddsa_load_public_key(&bpkey, key) ||
80 botan_pubkey_check_key(bpkey, rng->handle(), 0)) {
81 goto done;
82 }
83
84 if (!secret) {
85 ret = RNP_SUCCESS;
86 goto done;
87 }
88
89 if (!eddsa_load_secret_key(&bskey, key) ||
90 botan_privkey_check_key(bskey, rng->handle(), 0)) {
91 goto done;
92 }
93 ret = RNP_SUCCESS;
94 done:
95 botan_privkey_destroy(bskey);
96 botan_pubkey_destroy(bpkey);
97 return ret;
98 }
99
100 rnp_result_t
eddsa_generate(rnp::RNG * rng,pgp_ec_key_t * key)101 eddsa_generate(rnp::RNG *rng, pgp_ec_key_t *key)
102 {
103 botan_privkey_t eddsa = NULL;
104 rnp_result_t ret = RNP_ERROR_GENERIC;
105 uint8_t key_bits[64];
106
107 if (botan_privkey_create(&eddsa, "Ed25519", NULL, rng->handle()) != 0) {
108 goto end;
109 }
110
111 if (botan_privkey_ed25519_get_privkey(eddsa, key_bits)) {
112 goto end;
113 }
114
115 // First 32 bytes of key_bits are the EdDSA seed (private key)
116 // Second 32 bytes are the EdDSA public key
117
118 mem2mpi(&key->x, key_bits, 32);
119 // insert the required 0x40 prefix on the public key
120 key_bits[31] = 0x40;
121 mem2mpi(&key->p, key_bits + 31, 33);
122 key->curve = PGP_CURVE_ED25519;
123
124 ret = RNP_SUCCESS;
125 end:
126 botan_privkey_destroy(eddsa);
127 return ret;
128 }
129
130 rnp_result_t
eddsa_verify(const pgp_ec_signature_t * sig,const uint8_t * hash,size_t hash_len,const pgp_ec_key_t * key)131 eddsa_verify(const pgp_ec_signature_t *sig,
132 const uint8_t * hash,
133 size_t hash_len,
134 const pgp_ec_key_t * key)
135 {
136 botan_pubkey_t eddsa = NULL;
137 botan_pk_op_verify_t verify_op = NULL;
138 rnp_result_t ret = RNP_ERROR_SIGNATURE_INVALID;
139 uint8_t bn_buf[64] = {0};
140
141 if (!eddsa_load_public_key(&eddsa, key)) {
142 ret = RNP_ERROR_BAD_PARAMETERS;
143 goto done;
144 }
145
146 if (botan_pk_op_verify_create(&verify_op, eddsa, "Pure", 0) != 0) {
147 goto done;
148 }
149
150 if (botan_pk_op_verify_update(verify_op, hash, hash_len) != 0) {
151 goto done;
152 }
153
154 // Unexpected size for Ed25519 signature
155 if ((mpi_bytes(&sig->r) > 32) || (mpi_bytes(&sig->s) > 32)) {
156 goto done;
157 }
158 mpi2mem(&sig->r, &bn_buf[32 - mpi_bytes(&sig->r)]);
159 mpi2mem(&sig->s, &bn_buf[64 - mpi_bytes(&sig->s)]);
160
161 if (botan_pk_op_verify_finish(verify_op, bn_buf, 64) == 0) {
162 ret = RNP_SUCCESS;
163 }
164 done:
165 botan_pk_op_verify_destroy(verify_op);
166 botan_pubkey_destroy(eddsa);
167 return ret;
168 }
169
170 rnp_result_t
eddsa_sign(rnp::RNG * rng,pgp_ec_signature_t * sig,const uint8_t * hash,size_t hash_len,const pgp_ec_key_t * key)171 eddsa_sign(rnp::RNG * rng,
172 pgp_ec_signature_t *sig,
173 const uint8_t * hash,
174 size_t hash_len,
175 const pgp_ec_key_t *key)
176 {
177 botan_privkey_t eddsa = NULL;
178 botan_pk_op_sign_t sign_op = NULL;
179 rnp_result_t ret = RNP_ERROR_SIGNING_FAILED;
180 uint8_t bn_buf[64] = {0};
181 size_t sig_size = sizeof(bn_buf);
182
183 if (!eddsa_load_secret_key(&eddsa, key)) {
184 ret = RNP_ERROR_BAD_PARAMETERS;
185 goto done;
186 }
187
188 if (botan_pk_op_sign_create(&sign_op, eddsa, "Pure", 0) != 0) {
189 goto done;
190 }
191
192 if (botan_pk_op_sign_update(sign_op, hash, hash_len) != 0) {
193 goto done;
194 }
195
196 if (botan_pk_op_sign_finish(sign_op, rng->handle(), bn_buf, &sig_size) != 0) {
197 goto done;
198 }
199
200 // Unexpected size...
201 if (sig_size != 64) {
202 goto done;
203 }
204
205 mem2mpi(&sig->r, bn_buf, 32);
206 mem2mpi(&sig->s, bn_buf + 32, 32);
207 ret = RNP_SUCCESS;
208 done:
209 botan_pk_op_sign_destroy(sign_op);
210 botan_privkey_destroy(eddsa);
211 return ret;
212 }
213