/src/boringssl/crypto/evp/p_ed25519_asn1.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (c) 2017, Google Inc. |
2 | | * |
3 | | * Permission to use, copy, modify, and/or distribute this software for any |
4 | | * purpose with or without fee is hereby granted, provided that the above |
5 | | * copyright notice and this permission notice appear in all copies. |
6 | | * |
7 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
8 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
9 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
10 | | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
11 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
12 | | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
13 | | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
14 | | |
15 | | #include <openssl/evp.h> |
16 | | |
17 | | #include <openssl/bytestring.h> |
18 | | #include <openssl/curve25519.h> |
19 | | #include <openssl/err.h> |
20 | | #include <openssl/mem.h> |
21 | | |
22 | | #include "internal.h" |
23 | | #include "../internal.h" |
24 | | |
25 | | |
26 | 0 | static void ed25519_free(EVP_PKEY *pkey) { |
27 | 0 | OPENSSL_free(pkey->pkey); |
28 | 0 | pkey->pkey = NULL; |
29 | 0 | } |
30 | | |
31 | 0 | static int ed25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) { |
32 | 0 | if (len != 32) { |
33 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
34 | 0 | return 0; |
35 | 0 | } |
36 | | |
37 | 0 | ED25519_KEY *key = OPENSSL_malloc(sizeof(ED25519_KEY)); |
38 | 0 | if (key == NULL) { |
39 | 0 | return 0; |
40 | 0 | } |
41 | | |
42 | | // The RFC 8032 encoding stores only the 32-byte seed, so we must recover the |
43 | | // full representation which we use from it. |
44 | 0 | uint8_t pubkey_unused[32]; |
45 | 0 | ED25519_keypair_from_seed(pubkey_unused, key->key, in); |
46 | 0 | key->has_private = 1; |
47 | |
|
48 | 0 | ed25519_free(pkey); |
49 | 0 | pkey->pkey = key; |
50 | 0 | return 1; |
51 | 0 | } |
52 | | |
53 | 0 | static int ed25519_set_pub_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) { |
54 | 0 | if (len != 32) { |
55 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
56 | 0 | return 0; |
57 | 0 | } |
58 | | |
59 | 0 | ED25519_KEY *key = OPENSSL_malloc(sizeof(ED25519_KEY)); |
60 | 0 | if (key == NULL) { |
61 | 0 | return 0; |
62 | 0 | } |
63 | | |
64 | 0 | OPENSSL_memcpy(key->key + ED25519_PUBLIC_KEY_OFFSET, in, 32); |
65 | 0 | key->has_private = 0; |
66 | |
|
67 | 0 | ed25519_free(pkey); |
68 | 0 | pkey->pkey = key; |
69 | 0 | return 1; |
70 | 0 | } |
71 | | |
72 | | static int ed25519_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out, |
73 | 0 | size_t *out_len) { |
74 | 0 | const ED25519_KEY *key = pkey->pkey; |
75 | 0 | if (!key->has_private) { |
76 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY); |
77 | 0 | return 0; |
78 | 0 | } |
79 | | |
80 | 0 | if (out == NULL) { |
81 | 0 | *out_len = 32; |
82 | 0 | return 1; |
83 | 0 | } |
84 | | |
85 | 0 | if (*out_len < 32) { |
86 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); |
87 | 0 | return 0; |
88 | 0 | } |
89 | | |
90 | | // The raw private key format is the first 32 bytes of the private key. |
91 | 0 | OPENSSL_memcpy(out, key->key, 32); |
92 | 0 | *out_len = 32; |
93 | 0 | return 1; |
94 | 0 | } |
95 | | |
96 | | static int ed25519_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out, |
97 | 0 | size_t *out_len) { |
98 | 0 | const ED25519_KEY *key = pkey->pkey; |
99 | 0 | if (out == NULL) { |
100 | 0 | *out_len = 32; |
101 | 0 | return 1; |
102 | 0 | } |
103 | | |
104 | 0 | if (*out_len < 32) { |
105 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); |
106 | 0 | return 0; |
107 | 0 | } |
108 | | |
109 | 0 | OPENSSL_memcpy(out, key->key + ED25519_PUBLIC_KEY_OFFSET, 32); |
110 | 0 | *out_len = 32; |
111 | 0 | return 1; |
112 | 0 | } |
113 | | |
114 | 0 | static int ed25519_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) { |
115 | | // See RFC 8410, section 4. |
116 | | |
117 | | // The parameters must be omitted. Public keys have length 32. |
118 | 0 | if (CBS_len(params) != 0) { |
119 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
120 | 0 | return 0; |
121 | 0 | } |
122 | | |
123 | 0 | return ed25519_set_pub_raw(out, CBS_data(key), CBS_len(key)); |
124 | 0 | } |
125 | | |
126 | 0 | static int ed25519_pub_encode(CBB *out, const EVP_PKEY *pkey) { |
127 | 0 | const ED25519_KEY *key = pkey->pkey; |
128 | | |
129 | | // See RFC 8410, section 4. |
130 | 0 | CBB spki, algorithm, oid, key_bitstring; |
131 | 0 | if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) || |
132 | 0 | !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || |
133 | 0 | !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || |
134 | 0 | !CBB_add_bytes(&oid, ed25519_asn1_meth.oid, ed25519_asn1_meth.oid_len) || |
135 | 0 | !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) || |
136 | 0 | !CBB_add_u8(&key_bitstring, 0 /* padding */) || |
137 | 0 | !CBB_add_bytes(&key_bitstring, key->key + ED25519_PUBLIC_KEY_OFFSET, |
138 | 0 | 32) || |
139 | 0 | !CBB_flush(out)) { |
140 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); |
141 | 0 | return 0; |
142 | 0 | } |
143 | | |
144 | 0 | return 1; |
145 | 0 | } |
146 | | |
147 | 0 | static int ed25519_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { |
148 | 0 | const ED25519_KEY *a_key = a->pkey; |
149 | 0 | const ED25519_KEY *b_key = b->pkey; |
150 | 0 | return OPENSSL_memcmp(a_key->key + ED25519_PUBLIC_KEY_OFFSET, |
151 | 0 | b_key->key + ED25519_PUBLIC_KEY_OFFSET, 32) == 0; |
152 | 0 | } |
153 | | |
154 | 0 | static int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) { |
155 | | // See RFC 8410, section 7. |
156 | | |
157 | | // Parameters must be empty. The key is a 32-byte value wrapped in an extra |
158 | | // OCTET STRING layer. |
159 | 0 | CBS inner; |
160 | 0 | if (CBS_len(params) != 0 || |
161 | 0 | !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) || |
162 | 0 | CBS_len(key) != 0) { |
163 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); |
164 | 0 | return 0; |
165 | 0 | } |
166 | | |
167 | 0 | return ed25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner)); |
168 | 0 | } |
169 | | |
170 | 0 | static int ed25519_priv_encode(CBB *out, const EVP_PKEY *pkey) { |
171 | 0 | const ED25519_KEY *key = pkey->pkey; |
172 | 0 | if (!key->has_private) { |
173 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY); |
174 | 0 | return 0; |
175 | 0 | } |
176 | | |
177 | | // See RFC 8410, section 7. |
178 | 0 | CBB pkcs8, algorithm, oid, private_key, inner; |
179 | 0 | if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) || |
180 | 0 | !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) || |
181 | 0 | !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) || |
182 | 0 | !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || |
183 | 0 | !CBB_add_bytes(&oid, ed25519_asn1_meth.oid, ed25519_asn1_meth.oid_len) || |
184 | 0 | !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) || |
185 | 0 | !CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) || |
186 | | // The PKCS#8 encoding stores only the 32-byte seed which is the first 32 |
187 | | // bytes of the private key. |
188 | 0 | !CBB_add_bytes(&inner, key->key, 32) || |
189 | 0 | !CBB_flush(out)) { |
190 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); |
191 | 0 | return 0; |
192 | 0 | } |
193 | | |
194 | 0 | return 1; |
195 | 0 | } |
196 | | |
197 | 0 | static int ed25519_size(const EVP_PKEY *pkey) { return 64; } |
198 | | |
199 | 0 | static int ed25519_bits(const EVP_PKEY *pkey) { return 253; } |
200 | | |
201 | | const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { |
202 | | EVP_PKEY_ED25519, |
203 | | {0x2b, 0x65, 0x70}, |
204 | | 3, |
205 | | &ed25519_pkey_meth, |
206 | | ed25519_pub_decode, |
207 | | ed25519_pub_encode, |
208 | | ed25519_pub_cmp, |
209 | | ed25519_priv_decode, |
210 | | ed25519_priv_encode, |
211 | | ed25519_set_priv_raw, |
212 | | ed25519_set_pub_raw, |
213 | | ed25519_get_priv_raw, |
214 | | ed25519_get_pub_raw, |
215 | | /*set1_tls_encodedpoint=*/NULL, |
216 | | /*get1_tls_encodedpoint=*/NULL, |
217 | | /*pkey_opaque=*/NULL, |
218 | | ed25519_size, |
219 | | ed25519_bits, |
220 | | /*param_missing=*/NULL, |
221 | | /*param_copy=*/NULL, |
222 | | /*param_cmp=*/NULL, |
223 | | ed25519_free, |
224 | | }; |