sgx_ecc256_ecdsa.cpp 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405
  1. /*
  2. * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. #include "se_tcrypto_common.h"
  32. #include <openssl/sha.h>
  33. #include <openssl/ec.h>
  34. #include <openssl/bn.h>
  35. #include <openssl/err.h>
  36. #include "ssl_wrapper.h"
  37. #include "se_memcpy.h"
  38. #include "sgx_tcrypto.h"
  39. /* Computes signature for data based on private key
  40. * Parameters:
  41. * Return: sgx_status_t - SGX_SUCCESS or failure as defined sgx_error.h
  42. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to ECC crypto system
  43. * sgx_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN
  44. * sgx_uint8_t *p_data - Pointer to the data to be signed
  45. * uint32_t data_size - Size of the data to be signed
  46. * Output: sgx_ec256_signature_t *p_signature - Pointer to the signature - LITTLE ENDIAN */
  47. sgx_status_t sgx_ecdsa_sign(const uint8_t *p_data,
  48. uint32_t data_size,
  49. sgx_ec256_private_t *p_private,
  50. sgx_ec256_signature_t *p_signature,
  51. sgx_ecc_state_handle_t ecc_handle)
  52. {
  53. if ((ecc_handle == NULL) || (p_private == NULL) || (p_signature == NULL) || (p_data == NULL) || (data_size < 1))
  54. {
  55. return SGX_ERROR_INVALID_PARAMETER;
  56. }
  57. EC_KEY *private_key = NULL;
  58. BIGNUM *bn_priv = NULL;
  59. ECDSA_SIG *ecdsa_sig = NULL;
  60. const BIGNUM *r = NULL;
  61. const BIGNUM *s = NULL;
  62. unsigned char digest[SGX_SHA256_HASH_SIZE] = { 0 };
  63. int written_bytes = 0;
  64. int sig_size = 0;
  65. int max_sig_size = 0;
  66. sgx_status_t retval = SGX_ERROR_UNEXPECTED;
  67. CLEAR_OPENSSL_ERROR_QUEUE;
  68. do {
  69. // converts the r value of private key, represented as positive integer in little-endian into a BIGNUM
  70. //
  71. bn_priv = BN_lebin2bn((unsigned char*)p_private->r, sizeof(p_private->r), 0);
  72. if (NULL == bn_priv) {
  73. break;
  74. }
  75. // create empty ecc key
  76. //
  77. private_key = EC_KEY_new();
  78. if (NULL == private_key) {
  79. retval = SGX_ERROR_OUT_OF_MEMORY;
  80. break;
  81. }
  82. // sets ecc key group (set curve)
  83. //
  84. if (1 != EC_KEY_set_group(private_key, (EC_GROUP*)ecc_handle)) {
  85. break;
  86. }
  87. // uses bn_priv to set the ecc private key
  88. //
  89. if (1 != EC_KEY_set_private_key(private_key, bn_priv)) {
  90. break;
  91. }
  92. /* generates digest of p_data */
  93. if (NULL == SHA256((const unsigned char *)p_data, data_size, (unsigned char *)digest)) {
  94. break;
  95. }
  96. // computes a digital signature of the SGX_SHA256_HASH_SIZE bytes hash value dgst using the private EC key private_key.
  97. // the signature is returned as a newly allocated ECDSA_SIG structure.
  98. //
  99. ecdsa_sig = ECDSA_do_sign(digest, SGX_SHA256_HASH_SIZE, private_key);
  100. if (NULL == ecdsa_sig) {
  101. break;
  102. }
  103. // returns internal pointers the r and s values contained in ecdsa_sig.
  104. ECDSA_SIG_get0(ecdsa_sig, &r, &s);
  105. // converts the r BIGNUM of the signature to little endian buffer, bounded with the len of out buffer
  106. //
  107. written_bytes = BN_bn2lebinpad(r, (unsigned char*)p_signature->x, SGX_ECP256_KEY_SIZE);
  108. if (0 >= written_bytes) {
  109. break;
  110. }
  111. sig_size = written_bytes;
  112. // converts the s BIGNUM of the signature to little endian buffer, bounded with the len of out buffer
  113. //
  114. written_bytes = BN_bn2lebinpad(s, (unsigned char*)p_signature->y, SGX_ECP256_KEY_SIZE);
  115. if (0 >= written_bytes) {
  116. break;
  117. }
  118. sig_size += written_bytes;
  119. // returns the maximum length of a DER encoded ECDSA signature created with the private EC key.
  120. //
  121. max_sig_size = ECDSA_size(private_key);
  122. if (max_sig_size <= 0) {
  123. break;
  124. }
  125. // checks if the signature size not larger than the max len of valid signature
  126. // this check if done for validity, not for overflow.
  127. //
  128. if (sig_size > max_sig_size) {
  129. break;
  130. }
  131. retval = SGX_SUCCESS;
  132. } while(0);
  133. if (SGX_SUCCESS != retval) {
  134. GET_LAST_OPENSSL_ERROR;
  135. }
  136. if (bn_priv)
  137. BN_clear_free(bn_priv);
  138. if (ecdsa_sig)
  139. ECDSA_SIG_free(ecdsa_sig);
  140. if (private_key)
  141. EC_KEY_free(private_key);
  142. return retval;
  143. }
  144. /* Verifies the signature for the given data based on the public key
  145. *
  146. * Parameters:
  147. * Return: sgx_status_t - SGX_SUCCESS or failure as defined sgx_error.h
  148. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to ECC crypto system
  149. * sgx_ec256_public_t *p_public - Pointer to the public key - LITTLE ENDIAN
  150. * uint8_t *p_data - Pointer to the data to be signed
  151. * uint32_t data_size - Size of the data to be signed
  152. * sgx_ec256_signature_t *p_signature - Pointer to the signature - LITTLE ENDIAN
  153. * Output: uint8_t *p_result - Pointer to the result of verification check */
  154. sgx_status_t sgx_ecdsa_verify(const uint8_t *p_data,
  155. uint32_t data_size,
  156. const sgx_ec256_public_t *p_public,
  157. sgx_ec256_signature_t *p_signature,
  158. uint8_t *p_result,
  159. sgx_ecc_state_handle_t ecc_handle)
  160. {
  161. if ((ecc_handle == NULL) || (p_public == NULL) || (p_signature == NULL) ||
  162. (p_data == NULL) || (data_size < 1) || (p_result == NULL))
  163. {
  164. return SGX_ERROR_INVALID_PARAMETER;
  165. }
  166. EC_KEY *public_key = NULL;
  167. BIGNUM *bn_pub_x = NULL;
  168. BIGNUM *bn_pub_y = NULL;
  169. BIGNUM *bn_r = NULL;
  170. BIGNUM *bn_s = NULL;
  171. BIGNUM *prev_bn_r = NULL;
  172. BIGNUM *prev_bn_s = NULL;
  173. EC_POINT *public_point = NULL;
  174. ECDSA_SIG *ecdsa_sig = NULL;
  175. unsigned char digest[SGX_SHA256_HASH_SIZE] = { 0 };
  176. sgx_status_t retval = SGX_ERROR_UNEXPECTED;
  177. int valid = 0;
  178. *p_result = SGX_EC_INVALID_SIGNATURE;
  179. CLEAR_OPENSSL_ERROR_QUEUE;
  180. do {
  181. // converts the x value of public key, represented as positive integer in little-endian into a BIGNUM
  182. //
  183. bn_pub_x = BN_lebin2bn((unsigned char*)p_public->gx, sizeof(p_public->gx), 0);
  184. if (NULL == bn_pub_x) {
  185. break;
  186. }
  187. // converts the y value of public key, represented as positive integer in little-endian into a BIGNUM
  188. //
  189. bn_pub_y = BN_lebin2bn((unsigned char*)p_public->gy, sizeof(p_public->gy), 0);
  190. if (NULL == bn_pub_y) {
  191. break;
  192. }
  193. // converts the x value of the signature, represented as positive integer in little-endian into a BIGNUM
  194. //
  195. bn_r = BN_lebin2bn((unsigned char*)p_signature->x, sizeof(p_signature->x), 0);
  196. if (NULL == bn_r) {
  197. break;
  198. }
  199. // converts the y value of the signature, represented as positive integer in little-endian into a BIGNUM
  200. //
  201. bn_s = BN_lebin2bn((unsigned char*)p_signature->y, sizeof(p_signature->y), 0);
  202. if (NULL == bn_s) {
  203. break;
  204. }
  205. // creates new point and assigned the group object that the point relates to
  206. //
  207. public_point = EC_POINT_new((EC_GROUP*)ecc_handle);
  208. if (public_point == NULL) {
  209. retval = SGX_ERROR_OUT_OF_MEMORY;
  210. break;
  211. }
  212. // sets point based on public key's x,y coordinates
  213. //
  214. if (1 != EC_POINT_set_affine_coordinates_GFp((EC_GROUP*)ecc_handle, public_point, bn_pub_x, bn_pub_y, NULL)) {
  215. break;
  216. }
  217. // check point if the point is on curve
  218. //
  219. if (1 != EC_POINT_is_on_curve((EC_GROUP*)ecc_handle, public_point, NULL)) {
  220. break;
  221. }
  222. // create empty ecc key
  223. //
  224. public_key = EC_KEY_new();
  225. if (NULL == public_key) {
  226. retval = SGX_ERROR_OUT_OF_MEMORY;
  227. break;
  228. }
  229. // sets ecc key group (set curve)
  230. //
  231. if (1 != EC_KEY_set_group(public_key, (EC_GROUP*)ecc_handle)) {
  232. break;
  233. }
  234. // uses the created point to set the public key value
  235. //
  236. if (1 != EC_KEY_set_public_key(public_key, public_point)) {
  237. break;
  238. }
  239. /* generates digest of p_data */
  240. if (NULL == SHA256((const unsigned char *)p_data, data_size, (unsigned char *)digest)) {
  241. break;
  242. }
  243. // allocates a new ECDSA_SIG structure (note: this function also allocates the BIGNUMs) and initialize it
  244. //
  245. ecdsa_sig = ECDSA_SIG_new();
  246. if (NULL == ecdsa_sig) {
  247. retval = SGX_ERROR_OUT_OF_MEMORY;
  248. break;
  249. }
  250. // free internal allocated BIGBNUMs
  251. ECDSA_SIG_get0(ecdsa_sig, (const BIGNUM **)&prev_bn_r, (const BIGNUM **)&prev_bn_s);
  252. if (prev_bn_r)
  253. BN_clear_free(prev_bn_r);
  254. if (prev_bn_s)
  255. BN_clear_free(prev_bn_s);
  256. // setes the r and s values of ecdsa_sig
  257. // calling this function transfers the memory management of the values to the ECDSA_SIG object,
  258. // and therefore the values that have been passed in should not be freed directly after this function has been called
  259. //
  260. if (1 != ECDSA_SIG_set0(ecdsa_sig, bn_r, bn_s)) {
  261. ECDSA_SIG_free(ecdsa_sig);
  262. ecdsa_sig = NULL;
  263. break;
  264. }
  265. // verifies that the signature ecdsa_sig is a valid ECDSA signature of the hash value digest of size SGX_SHA256_HASH_SIZE using the public key public_key
  266. //
  267. valid = ECDSA_do_verify(digest, SGX_SHA256_HASH_SIZE, ecdsa_sig, public_key);
  268. if (-1 == valid) {
  269. break;
  270. }
  271. // sets the p_result based on ECDSA_do_verify result
  272. //
  273. if (valid) {
  274. *p_result = SGX_EC_VALID;
  275. }
  276. retval = SGX_SUCCESS;
  277. } while(0);
  278. if (SGX_SUCCESS != retval) {
  279. GET_LAST_OPENSSL_ERROR;
  280. }
  281. if (bn_pub_x)
  282. BN_clear_free(bn_pub_x);
  283. if (bn_pub_y)
  284. BN_clear_free(bn_pub_y);
  285. if (public_point)
  286. EC_POINT_clear_free(public_point);
  287. if (ecdsa_sig) {
  288. ECDSA_SIG_free(ecdsa_sig);
  289. bn_r = NULL;
  290. bn_s = NULL;
  291. }
  292. if (public_key)
  293. EC_KEY_free(public_key);
  294. if (bn_r)
  295. BN_clear_free(bn_r);
  296. if (bn_s)
  297. BN_clear_free(bn_s);
  298. return retval;
  299. }
  300. sgx_status_t sgx_calculate_ecdsa_priv_key(const unsigned char* hash_drg, int hash_drg_len,
  301. const unsigned char* sgx_nistp256_r_m1, int sgx_nistp256_r_m1_len,
  302. unsigned char* out_key, int out_key_len) {
  303. if (out_key == NULL || hash_drg_len <= 0 || sgx_nistp256_r_m1_len <= 0 ||
  304. out_key_len <= 0 || hash_drg == NULL || sgx_nistp256_r_m1 == NULL) {
  305. return SGX_ERROR_INVALID_PARAMETER;
  306. }
  307. sgx_status_t ret_code = SGX_ERROR_UNEXPECTED;
  308. int result_len = 0;
  309. BIGNUM* bn_d = NULL;
  310. BIGNUM* bn_m = NULL;
  311. BIGNUM* bn_o = NULL;
  312. BN_CTX* tmp_ctx = NULL;
  313. do {
  314. bn_o = BN_new();
  315. NULL_BREAK(bn_o);
  316. bn_d = BN_lebin2bn(hash_drg, hash_drg_len, bn_d);
  317. BN_CHECK_BREAK(bn_d);
  318. bn_m = BN_lebin2bn(sgx_nistp256_r_m1, sgx_nistp256_r_m1_len, bn_m);
  319. BN_CHECK_BREAK(bn_m);
  320. tmp_ctx = BN_CTX_new();
  321. NULL_BREAK(tmp_ctx);
  322. if (!BN_mod(bn_o, bn_d, bn_m, tmp_ctx)) {
  323. break;
  324. }
  325. if (!BN_add_word(bn_o, 1)) {
  326. break;
  327. }
  328. result_len = BN_num_bytes(bn_o);
  329. if ((result_len < 0) || (out_key_len < result_len)) {
  330. break;
  331. }
  332. if (BN_bn2bin(bn_o, out_key) != result_len) {
  333. break;
  334. }
  335. ret_code = SGX_SUCCESS;
  336. } while (0);
  337. //clear and free used structs
  338. //
  339. BN_CTX_free(tmp_ctx);
  340. BN_clear_free(bn_d);
  341. BN_clear_free(bn_m);
  342. BN_clear_free(bn_o);
  343. if (ret_code != SGX_SUCCESS) {
  344. (void)memset_s(out_key, out_key_len, 0, out_key_len);
  345. }
  346. return ret_code;
  347. }