/libfido2/src/es384.c

Source
/*
 * Copyright (c) 2022 Yubico AB. All rights reserved.
 * Use of this source code is governed by a BSD-style
 * license that can be found in the LICENSE file.
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <openssl/bn.h>
#include <openssl/ecdsa.h>
#include <openssl/obj_mac.h>

#include "fido.h"
#include "fido/es384.h"

#if OPENSSL_VERSION_NUMBER >= 0x30000000
#define get0_EC_KEY(x)  EVP_PKEY_get0_EC_KEY((x))
#else
#define get0_EC_KEY(x)  EVP_PKEY_get0((x))
#endif

static int
decode_coord(const cbor_item_t *item, void *xy, size_t xy_len)
{
        if (cbor_isa_bytestring(item) == false ||
            cbor_bytestring_is_definite(item) == false ||
            cbor_bytestring_length(item) != xy_len) {
                fido_log_debug("%s: cbor type", __func__);
                return (-1);
        }

        memcpy(xy, cbor_bytestring_handle(item), xy_len);

        return (0);
}

static int
decode_pubkey_point(const cbor_item_t *key, const cbor_item_t *val, void *arg)
{
        es384_pk_t *k = arg;

        if (cbor_isa_negint(key) == false ||
            cbor_int_get_width(key) != CBOR_INT_8)
                return (0); /* ignore */

        switch (cbor_get_uint8(key)) {
        case 1: /* x coordinate */
                return (decode_coord(val, &k->x, sizeof(k->x)));
        case 2: /* y coordinate */
                return (decode_coord(val, &k->y, sizeof(k->y)));
        }

        return (0); /* ignore */
}

int
es384_pk_decode(const cbor_item_t *item, es384_pk_t *k)
{
        if (cbor_isa_map(item) == false ||
            cbor_map_is_definite(item) == false ||
            cbor_map_iter(item, k, decode_pubkey_point) < 0) {
                fido_log_debug("%s: cbor type", __func__);
                return (-1);
        }

        return (0);
}

es384_pk_t *
es384_pk_new(void)
{
        return (calloc(1, sizeof(es384_pk_t)));
}

void
es384_pk_free(es384_pk_t **pkp)
{
        es384_pk_t *pk;

        if (pkp == NULL || (pk = *pkp) == NULL)
                return;

        freezero(pk, sizeof(*pk));
        *pkp = NULL;
}

int
es384_pk_from_ptr(es384_pk_t *pk, const void *ptr, size_t len)
{
        const uint8_t   *p = ptr;
        EVP_PKEY        *pkey;

        if (len < sizeof(*pk))
                return (FIDO_ERR_INVALID_ARGUMENT);

        if (len == sizeof(*pk) + 1 && *p == 0x04)
                memcpy(pk, ++p, sizeof(*pk)); /* uncompressed format */
        else
                memcpy(pk, ptr, sizeof(*pk)); /* libfido2 x||y format */

        if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL) {
                fido_log_debug("%s: es384_pk_to_EVP_PKEY", __func__);
                explicit_bzero(pk, sizeof(*pk));
                return (FIDO_ERR_INVALID_ARGUMENT);
        }

        EVP_PKEY_free(pkey);

        return (FIDO_OK);
}

EVP_PKEY *
es384_pk_to_EVP_PKEY(const es384_pk_t *k)
{
        BN_CTX          *bnctx = NULL;
        EC_KEY          *ec = NULL;
        EC_POINT        *q = NULL;
        EVP_PKEY        *pkey = NULL;
        BIGNUM          *x = NULL;
        BIGNUM          *y = NULL;
        const EC_GROUP  *g = NULL;
        int              ok = -1;

        if ((bnctx = BN_CTX_new()) == NULL)
                goto fail;

        BN_CTX_start(bnctx);

        if ((x = BN_CTX_get(bnctx)) == NULL ||
            (y = BN_CTX_get(bnctx)) == NULL)
                goto fail;

        if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL ||
            BN_bin2bn(k->y, sizeof(k->y), y) == NULL) {
                fido_log_debug("%s: BN_bin2bn", __func__);
                goto fail;
        }

        if ((ec = EC_KEY_new_by_curve_name(NID_secp384r1)) == NULL ||
            (g = EC_KEY_get0_group(ec)) == NULL) {
                fido_log_debug("%s: EC_KEY init", __func__);
                goto fail;
        }

        if ((q = EC_POINT_new(g)) == NULL ||
            EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
            EC_KEY_set_public_key(ec, q) == 0) {
                fido_log_debug("%s: EC_KEY_set_public_key", __func__);
                goto fail;
        }

        if ((pkey = EVP_PKEY_new()) == NULL ||
            EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
                fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
                goto fail;
        }

        ec = NULL; /* at this point, ec belongs to evp */

        ok = 0;
fail:
        if (bnctx != NULL) {
                BN_CTX_end(bnctx);
                BN_CTX_free(bnctx);
        }

        if (ec != NULL)
                EC_KEY_free(ec);
        if (q != NULL)
                EC_POINT_free(q);

        if (ok < 0 && pkey != NULL) {
                EVP_PKEY_free(pkey);
                pkey = NULL;
        }

        return (pkey);
}

int
es384_pk_from_EC_KEY(es384_pk_t *pk, const EC_KEY *ec)
{
        BN_CTX          *bnctx = NULL;
        BIGNUM          *x = NULL;
        BIGNUM          *y = NULL;
        const EC_POINT  *q = NULL;
        EC_GROUP        *g = NULL;
        size_t           dx;
        size_t           dy;
        int              ok = FIDO_ERR_INTERNAL;
        int              nx;
        int              ny;

        if ((q = EC_KEY_get0_public_key(ec)) == NULL ||
            (g = EC_GROUP_new_by_curve_name(NID_secp384r1)) == NULL ||
            (bnctx = BN_CTX_new()) == NULL)
                goto fail;

        BN_CTX_start(bnctx);

        if ((x = BN_CTX_get(bnctx)) == NULL ||
            (y = BN_CTX_get(bnctx)) == NULL)
                goto fail;

        if (EC_POINT_is_on_curve(g, q, bnctx) != 1) {
                fido_log_debug("%s: EC_POINT_is_on_curve", __func__);
                ok = FIDO_ERR_INVALID_ARGUMENT;
                goto fail;
        }

        if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
            (nx = BN_num_bytes(x)) < 0 || (size_t)nx > sizeof(pk->x) ||
            (ny = BN_num_bytes(y)) < 0 || (size_t)ny > sizeof(pk->y)) {
                fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp",
                    __func__);
                goto fail;
        }

        dx = sizeof(pk->x) - (size_t)nx;
        dy = sizeof(pk->y) - (size_t)ny;

        if ((nx = BN_bn2bin(x, pk->x + dx)) < 0 || (size_t)nx > sizeof(pk->x) ||
            (ny = BN_bn2bin(y, pk->y + dy)) < 0 || (size_t)ny > sizeof(pk->y)) {
                fido_log_debug("%s: BN_bn2bin", __func__);
                goto fail;
        }

        ok = FIDO_OK;
fail:
        EC_GROUP_free(g);

        if (bnctx != NULL) {
                BN_CTX_end(bnctx);
                BN_CTX_free(bnctx);
        }

        return (ok);
}

int
es384_pk_from_EVP_PKEY(es384_pk_t *pk, const EVP_PKEY *pkey)
{
        const EC_KEY *ec;

        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC ||
            (ec = get0_EC_KEY(pkey)) == NULL)
                return (FIDO_ERR_INVALID_ARGUMENT);

        return (es384_pk_from_EC_KEY(pk, ec));
}

int
es384_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey,
    const fido_blob_t *sig)
{
        EVP_PKEY_CTX    *pctx = NULL;
        int              ok = -1;

        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
                fido_log_debug("%s: EVP_PKEY_base_id", __func__);
                goto fail;
        }

        if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL ||
            EVP_PKEY_verify_init(pctx) != 1 ||
            EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr,
            dgst->len) != 1) {
                fido_log_debug("%s: EVP_PKEY_verify", __func__);
                goto fail;
        }

        ok = 0;
fail:
        EVP_PKEY_CTX_free(pctx);

        return (ok);
}

int
es384_pk_verify_sig(const fido_blob_t *dgst, const es384_pk_t *pk,
    const fido_blob_t *sig)
{
        EVP_PKEY        *pkey;
        int              ok = -1;

        if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL ||
            es384_verify_sig(dgst, pkey, sig) < 0) {
                fido_log_debug("%s: es384_verify_sig", __func__);
                goto fail;
        }

        ok = 0;
fail:
        EVP_PKEY_free(pkey);

        return (ok);
}

Coverage Report

Created: 2026-04-08 06:32

Line	Count	Source
1		/*
2		* Copyright (c) 2022 Yubico AB. All rights reserved.
3		* Use of this source code is governed by a BSD-style
4		* license that can be found in the LICENSE file.
5		* SPDX-License-Identifier: BSD-2-Clause
6		*/
7
8		#include <openssl/bn.h>
9		#include <openssl/ecdsa.h>
10		#include <openssl/obj_mac.h>
11
12		#include "fido.h"
13		#include "fido/es384.h"
14
15		#if OPENSSL_VERSION_NUMBER >= 0x30000000
16	479	#define get0_EC_KEY(x) EVP_PKEY_get0_EC_KEY((x))
17		#else
18		#define get0_EC_KEY(x) EVP_PKEY_get0((x))
19		#endif
20
21		static int
22		decode_coord(const cbor_item_t item, void xy, size_t xy_len)
23	791	{
24	791	if (cbor_isa_bytestring(item) == false \|\|
25	791	cbor_bytestring_is_definite(item) == false \|\|
26	791	cbor_bytestring_length(item) != xy_len) {
27	8	fido_log_debug("%s: cbor type", __func__);
28	8	return (-1);
29	8	}
30
31	783	memcpy(xy, cbor_bytestring_handle(item), xy_len);
32
33	783	return (0);
34	791	}
35
36		static int
37		decode_pubkey_point(const cbor_item_t key, const cbor_item_t val, void *arg)
38	2.15k	{
39	2.15k	es384_pk_t *k = arg;
40
41	2.15k	if (cbor_isa_negint(key) == false \|\|
42	2.15k	cbor_int_get_width(key) != CBOR_INT_8)
43	898	return (0); /* ignore */
44
45	1.25k	switch (cbor_get_uint8(key)) {
46	407	case 1: /* x coordinate */
47	407	return (decode_coord(val, &k->x, sizeof(k->x)));
48	384	case 2: /* y coordinate */
49	384	return (decode_coord(val, &k->y, sizeof(k->y)));
50	1.25k	}
51
52	462	return (0); /* ignore */
53	1.25k	}
54
55		int
56		es384_pk_decode(const cbor_item_t item, es384_pk_t k)
57	435	{
58	435	if (cbor_isa_map(item) == false \|\|
59	435	cbor_map_is_definite(item) == false \|\|
60	435	cbor_map_iter(item, k, decode_pubkey_point) < 0) {
61	12	fido_log_debug("%s: cbor type", __func__);
62	12	return (-1);
63	12	}
64
65	423	return (0);
66	435	}
67
68		es384_pk_t *
69		es384_pk_new(void)
70	4.84k	{
71	4.84k	return (calloc(1, sizeof(es384_pk_t)));
72	4.84k	}
73
74		void
75		es384_pk_free(es384_pk_t **pkp)
76	27.5k	{
77	27.5k	es384_pk_t *pk;
78
79	27.5k	if (pkp == NULL \|\| (pk = *pkp) == NULL)
80	22.9k	return;
81
82	4.57k	freezero(pk, sizeof(*pk));
83	4.57k	*pkp = NULL;
84	4.57k	}
85
86		int
87		es384_pk_from_ptr(es384_pk_t pk, const void ptr, size_t len)
88	4.09k	{
89	4.09k	const uint8_t *p = ptr;
90	4.09k	EVP_PKEY *pkey;
91
92	4.09k	if (len < sizeof(*pk))
93	2.50k	return (FIDO_ERR_INVALID_ARGUMENT);
94
95	1.59k	if (len == sizeof(pk) + 1 && p == 0x04)
96	27	memcpy(pk, ++p, sizeof(pk)); / uncompressed format */
97	1.56k	else
98	1.56k	memcpy(pk, ptr, sizeof(pk)); / libfido2 x\|\|y format */
99
100	1.59k	if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL) {
101	774	fido_log_debug("%s: es384_pk_to_EVP_PKEY", __func__);
102	774	explicit_bzero(pk, sizeof(*pk));
103	774	return (FIDO_ERR_INVALID_ARGUMENT);
104	774	}
105
106	820	EVP_PKEY_free(pkey);
107
108	820	return (FIDO_OK);
109	1.59k	}
110
111		EVP_PKEY *
112		es384_pk_to_EVP_PKEY(const es384_pk_t *k)
113	5.91k	{
114	5.91k	BN_CTX *bnctx = NULL;
115	5.91k	EC_KEY *ec = NULL;
116	5.91k	EC_POINT *q = NULL;
117	5.91k	EVP_PKEY *pkey = NULL;
118	5.91k	BIGNUM *x = NULL;
119	5.91k	BIGNUM *y = NULL;
120	5.91k	const EC_GROUP *g = NULL;
121	5.91k	int ok = -1;
122
123	5.91k	if ((bnctx = BN_CTX_new()) == NULL)
124	61	goto fail;
125
126	5.85k	BN_CTX_start(bnctx);
127
128	5.85k	if ((x = BN_CTX_get(bnctx)) == NULL \|\|
129	5.85k	(y = BN_CTX_get(bnctx)) == NULL)
130	109	goto fail;
131
132	5.74k	if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL \|\|
133	5.74k	BN_bin2bn(k->y, sizeof(k->y), y) == NULL) {
134	313	fido_log_debug("%s: BN_bin2bn", __func__);
135	313	goto fail;
136	313	}
137
138	5.43k	if ((ec = EC_KEY_new_by_curve_name(NID_secp384r1)) == NULL \|\|
139	5.43k	(g = EC_KEY_get0_group(ec)) == NULL) {
140	85	fido_log_debug("%s: EC_KEY init", __func__);
141	85	goto fail;
142	85	}
143
144	5.34k	if ((q = EC_POINT_new(g)) == NULL \|\|
145	5.34k	EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 \|\|
146	5.34k	EC_KEY_set_public_key(ec, q) == 0) {
147	3.70k	fido_log_debug("%s: EC_KEY_set_public_key", __func__);
148	3.70k	goto fail;
149	3.70k	}
150
151	1.64k	if ((pkey = EVP_PKEY_new()) == NULL \|\|
152	1.64k	EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
153	13	fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
154	13	goto fail;
155	13	}
156
157	1.63k	ec = NULL; /* at this point, ec belongs to evp */
158
159	1.63k	ok = 0;
160	5.91k	fail:
161	5.91k	if (bnctx != NULL) {
162	5.85k	BN_CTX_end(bnctx);
163	5.85k	BN_CTX_free(bnctx);
164	5.85k	}
165
166	5.91k	if (ec != NULL)
167	3.74k	EC_KEY_free(ec);
168	5.91k	if (q != NULL)
169	5.31k	EC_POINT_free(q);
170
171	5.91k	if (ok < 0 && pkey != NULL) {
172	5	EVP_PKEY_free(pkey);
173	5	pkey = NULL;
174	5	}
175
176	5.91k	return (pkey);
177	1.63k	}
178
179		int
180		es384_pk_from_EC_KEY(es384_pk_t pk, const EC_KEY ec)
181	470	{
182	470	BN_CTX *bnctx = NULL;
183	470	BIGNUM *x = NULL;
184	470	BIGNUM *y = NULL;
185	470	const EC_POINT *q = NULL;
186	470	EC_GROUP *g = NULL;
187	470	size_t dx;
188	470	size_t dy;
189	470	int ok = FIDO_ERR_INTERNAL;
190	470	int nx;
191	470	int ny;
192
193	470	if ((q = EC_KEY_get0_public_key(ec)) == NULL \|\|
194	470	(g = EC_GROUP_new_by_curve_name(NID_secp384r1)) == NULL \|\|
195	470	(bnctx = BN_CTX_new()) == NULL)
196	6	goto fail;
197
198	464	BN_CTX_start(bnctx);
199
200	464	if ((x = BN_CTX_get(bnctx)) == NULL \|\|
201	464	(y = BN_CTX_get(bnctx)) == NULL)
202	11	goto fail;
203
204	453	if (EC_POINT_is_on_curve(g, q, bnctx) != 1) {
205	0	fido_log_debug("%s: EC_POINT_is_on_curve", __func__);
206	0	ok = FIDO_ERR_INVALID_ARGUMENT;
207	0	goto fail;
208	0	}
209
210	453	if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 \|\|
211	453	(nx = BN_num_bytes(x)) < 0 \|\| (size_t)nx > sizeof(pk->x) \|\|
212	453	(ny = BN_num_bytes(y)) < 0 \|\| (size_t)ny > sizeof(pk->y)) {
213	6	fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp",
214	6	__func__);
215	6	goto fail;
216	6	}
217
218	447	dx = sizeof(pk->x) - (size_t)nx;
219	447	dy = sizeof(pk->y) - (size_t)ny;
220
221	447	if ((nx = BN_bn2bin(x, pk->x + dx)) < 0 \|\| (size_t)nx > sizeof(pk->x) \|\|
222	447	(ny = BN_bn2bin(y, pk->y + dy)) < 0 \|\| (size_t)ny > sizeof(pk->y)) {
223	22	fido_log_debug("%s: BN_bn2bin", __func__);
224	22	goto fail;
225	22	}
226
227	425	ok = FIDO_OK;
228	470	fail:
229	470	EC_GROUP_free(g);
230
231	470	if (bnctx != NULL) {
232	464	BN_CTX_end(bnctx);
233	464	BN_CTX_free(bnctx);
234	464	}
235
236	470	return (ok);
237	425	}
238
239		int
240		es384_pk_from_EVP_PKEY(es384_pk_t pk, const EVP_PKEY pkey)
241	479	{
242	479	const EC_KEY *ec;
243
244	479	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC \|\|
245	479	(ec = get0_EC_KEY(pkey)) == NULL)
246	9	return (FIDO_ERR_INVALID_ARGUMENT);
247
248	470	return (es384_pk_from_EC_KEY(pk, ec));
249	479	}
250
251		int
252		es384_verify_sig(const fido_blob_t dgst, EVP_PKEY pkey,
253		const fido_blob_t *sig)
254	81	{
255	81	EVP_PKEY_CTX *pctx = NULL;
256	81	int ok = -1;
257
258	81	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
259	0	fido_log_debug("%s: EVP_PKEY_base_id", __func__);
260	0	goto fail;
261	0	}
262
263	81	if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL \|\|
264	81	EVP_PKEY_verify_init(pctx) != 1 \|\|
265	81	EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr,
266	81	dgst->len) != 1) {
267	81	fido_log_debug("%s: EVP_PKEY_verify", __func__);
268	81	goto fail;
269	81	}
270
271	0	ok = 0;
272	81	fail:
273	81	EVP_PKEY_CTX_free(pctx);
274
275	81	return (ok);
276	0	}
277
278		int
279		es384_pk_verify_sig(const fido_blob_t dgst, const es384_pk_t pk,
280		const fido_blob_t *sig)
281	224	{
282	224	EVP_PKEY *pkey;
283	224	int ok = -1;
284
285	224	if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL \|\|
286	224	es384_verify_sig(dgst, pkey, sig) < 0) {
287	224	fido_log_debug("%s: es384_verify_sig", __func__);
288	224	goto fail;
289	224	}
290
291	0	ok = 0;
292	224	fail:
293	224	EVP_PKEY_free(pkey);
294
295	224	return (ok);
296	0	}