1 /*
2  * Copyright (c) 2017, [Ribose Inc](https://www.ribose.com).
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
16  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
18  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
19  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
20  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
21  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
22  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
23  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
24  * POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include <string.h>
28 #include <botan/ffi.h>
29 #include "eddsa.h"
30 #include "utils.h"
31 
32 static bool
eddsa_load_public_key(botan_pubkey_t * pubkey,const pgp_ec_key_t * keydata)33 eddsa_load_public_key(botan_pubkey_t *pubkey, const pgp_ec_key_t *keydata)
34 {
35     if (keydata->curve != PGP_CURVE_ED25519) {
36         return false;
37     }
38     /*
39      * See draft-ietf-openpgp-rfc4880bis-01 section 13.3
40      */
41     if ((mpi_bytes(&keydata->p) != 33) || (keydata->p.mpi[0] != 0x40)) {
42         return false;
43     }
44     if (botan_pubkey_load_ed25519(pubkey, keydata->p.mpi + 1)) {
45         return false;
46     }
47 
48     return true;
49 }
50 
51 static bool
eddsa_load_secret_key(botan_privkey_t * seckey,const pgp_ec_key_t * keydata)52 eddsa_load_secret_key(botan_privkey_t *seckey, const pgp_ec_key_t *keydata)
53 {
54     uint8_t keybuf[32] = {0};
55     size_t  sz;
56 
57     if (keydata->curve != PGP_CURVE_ED25519) {
58         return false;
59     }
60     sz = mpi_bytes(&keydata->x);
61     if (!sz || (sz > 32)) {
62         return false;
63     }
64     mpi2mem(&keydata->x, keybuf + 32 - sz);
65     if (botan_privkey_load_ed25519(seckey, keybuf)) {
66         return false;
67     }
68 
69     return true;
70 }
71 
72 rnp_result_t
eddsa_validate_key(rnp::RNG * rng,const pgp_ec_key_t * key,bool secret)73 eddsa_validate_key(rnp::RNG *rng, const pgp_ec_key_t *key, bool secret)
74 {
75     botan_pubkey_t  bpkey = NULL;
76     botan_privkey_t bskey = NULL;
77     rnp_result_t    ret = RNP_ERROR_BAD_PARAMETERS;
78 
79     if (!eddsa_load_public_key(&bpkey, key) ||
80         botan_pubkey_check_key(bpkey, rng->handle(), 0)) {
81         goto done;
82     }
83 
84     if (!secret) {
85         ret = RNP_SUCCESS;
86         goto done;
87     }
88 
89     if (!eddsa_load_secret_key(&bskey, key) ||
90         botan_privkey_check_key(bskey, rng->handle(), 0)) {
91         goto done;
92     }
93     ret = RNP_SUCCESS;
94 done:
95     botan_privkey_destroy(bskey);
96     botan_pubkey_destroy(bpkey);
97     return ret;
98 }
99 
100 rnp_result_t
eddsa_generate(rnp::RNG * rng,pgp_ec_key_t * key)101 eddsa_generate(rnp::RNG *rng, pgp_ec_key_t *key)
102 {
103     botan_privkey_t eddsa = NULL;
104     rnp_result_t    ret = RNP_ERROR_GENERIC;
105     uint8_t         key_bits[64];
106 
107     if (botan_privkey_create(&eddsa, "Ed25519", NULL, rng->handle()) != 0) {
108         goto end;
109     }
110 
111     if (botan_privkey_ed25519_get_privkey(eddsa, key_bits)) {
112         goto end;
113     }
114 
115     // First 32 bytes of key_bits are the EdDSA seed (private key)
116     // Second 32 bytes are the EdDSA public key
117 
118     mem2mpi(&key->x, key_bits, 32);
119     // insert the required 0x40 prefix on the public key
120     key_bits[31] = 0x40;
121     mem2mpi(&key->p, key_bits + 31, 33);
122     key->curve = PGP_CURVE_ED25519;
123 
124     ret = RNP_SUCCESS;
125 end:
126     botan_privkey_destroy(eddsa);
127     return ret;
128 }
129 
130 rnp_result_t
eddsa_verify(const pgp_ec_signature_t * sig,const uint8_t * hash,size_t hash_len,const pgp_ec_key_t * key)131 eddsa_verify(const pgp_ec_signature_t *sig,
132              const uint8_t *           hash,
133              size_t                    hash_len,
134              const pgp_ec_key_t *      key)
135 {
136     botan_pubkey_t       eddsa = NULL;
137     botan_pk_op_verify_t verify_op = NULL;
138     rnp_result_t         ret = RNP_ERROR_SIGNATURE_INVALID;
139     uint8_t              bn_buf[64] = {0};
140 
141     if (!eddsa_load_public_key(&eddsa, key)) {
142         ret = RNP_ERROR_BAD_PARAMETERS;
143         goto done;
144     }
145 
146     if (botan_pk_op_verify_create(&verify_op, eddsa, "Pure", 0) != 0) {
147         goto done;
148     }
149 
150     if (botan_pk_op_verify_update(verify_op, hash, hash_len) != 0) {
151         goto done;
152     }
153 
154     // Unexpected size for Ed25519 signature
155     if ((mpi_bytes(&sig->r) > 32) || (mpi_bytes(&sig->s) > 32)) {
156         goto done;
157     }
158     mpi2mem(&sig->r, &bn_buf[32 - mpi_bytes(&sig->r)]);
159     mpi2mem(&sig->s, &bn_buf[64 - mpi_bytes(&sig->s)]);
160 
161     if (botan_pk_op_verify_finish(verify_op, bn_buf, 64) == 0) {
162         ret = RNP_SUCCESS;
163     }
164 done:
165     botan_pk_op_verify_destroy(verify_op);
166     botan_pubkey_destroy(eddsa);
167     return ret;
168 }
169 
170 rnp_result_t
eddsa_sign(rnp::RNG * rng,pgp_ec_signature_t * sig,const uint8_t * hash,size_t hash_len,const pgp_ec_key_t * key)171 eddsa_sign(rnp::RNG *          rng,
172            pgp_ec_signature_t *sig,
173            const uint8_t *     hash,
174            size_t              hash_len,
175            const pgp_ec_key_t *key)
176 {
177     botan_privkey_t    eddsa = NULL;
178     botan_pk_op_sign_t sign_op = NULL;
179     rnp_result_t       ret = RNP_ERROR_SIGNING_FAILED;
180     uint8_t            bn_buf[64] = {0};
181     size_t             sig_size = sizeof(bn_buf);
182 
183     if (!eddsa_load_secret_key(&eddsa, key)) {
184         ret = RNP_ERROR_BAD_PARAMETERS;
185         goto done;
186     }
187 
188     if (botan_pk_op_sign_create(&sign_op, eddsa, "Pure", 0) != 0) {
189         goto done;
190     }
191 
192     if (botan_pk_op_sign_update(sign_op, hash, hash_len) != 0) {
193         goto done;
194     }
195 
196     if (botan_pk_op_sign_finish(sign_op, rng->handle(), bn_buf, &sig_size) != 0) {
197         goto done;
198     }
199 
200     // Unexpected size...
201     if (sig_size != 64) {
202         goto done;
203     }
204 
205     mem2mpi(&sig->r, bn_buf, 32);
206     mem2mpi(&sig->s, bn_buf + 32, 32);
207     ret = RNP_SUCCESS;
208 done:
209     botan_pk_op_sign_destroy(sign_op);
210     botan_privkey_destroy(eddsa);
211     return ret;
212 }
213