2 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/x509.h>
13 #include <openssl/ec.h>
14 #include <openssl/rand.h>
15 #include "internal/asn1_int.h"
16 #include "internal/evp_int.h"
18 #include "curve448/curve448_lcl.h"
20 #define X25519_BITS 253
21 #define X25519_SECURITY_BITS 128
23 #define ED25519_SIGSIZE 64
26 #define ED448_BITS 456
27 #define X448_SECURITY_BITS 224
29 #define ED448_SIGSIZE 114
31 #define ISX448(id) ((id) == EVP_PKEY_X448)
32 #define IS25519(id) ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519)
33 #define KEYLENID(id) (IS25519(id) ? X25519_KEYLEN \
34 : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \
36 #define KEYLEN(p) KEYLENID((p)->ameth->pkey_id)
45 /* Setup EVP_PKEY using public, private or generation */
46 static int ecx_key_op(EVP_PKEY
*pkey
, int id
, const X509_ALGOR
*palg
,
47 const unsigned char *p
, int plen
, ecx_key_op_t op
)
50 unsigned char *privkey
, *pubkey
;
52 if (op
!= KEY_OP_KEYGEN
) {
56 /* Algorithm parameters must be absent */
57 X509_ALGOR_get0(NULL
, &ptype
, NULL
, palg
);
58 if (ptype
!= V_ASN1_UNDEF
) {
59 ECerr(EC_F_ECX_KEY_OP
, EC_R_INVALID_ENCODING
);
64 if (p
== NULL
|| plen
!= KEYLENID(id
)) {
65 ECerr(EC_F_ECX_KEY_OP
, EC_R_INVALID_ENCODING
);
70 key
= OPENSSL_zalloc(sizeof(*key
));
72 ECerr(EC_F_ECX_KEY_OP
, ERR_R_MALLOC_FAILURE
);
77 if (op
== KEY_OP_PUBLIC
) {
78 memcpy(pubkey
, p
, plen
);
80 privkey
= key
->privkey
= OPENSSL_secure_malloc(KEYLENID(id
));
81 if (privkey
== NULL
) {
82 ECerr(EC_F_ECX_KEY_OP
, ERR_R_MALLOC_FAILURE
);
85 if (op
== KEY_OP_KEYGEN
) {
86 if (RAND_priv_bytes(privkey
, KEYLENID(id
)) <= 0) {
87 OPENSSL_secure_free(privkey
);
91 if (id
== EVP_PKEY_X25519
) {
93 privkey
[X25519_KEYLEN
- 1] &= 127;
94 privkey
[X25519_KEYLEN
- 1] |= 64;
95 } else if (id
== EVP_PKEY_X448
) {
97 privkey
[X448_KEYLEN
- 1] |= 128;
100 memcpy(privkey
, p
, KEYLENID(id
));
103 case EVP_PKEY_X25519
:
104 X25519_public_from_private(pubkey
, privkey
);
106 case EVP_PKEY_ED25519
:
107 ED25519_public_from_private(pubkey
, privkey
);
110 X448_public_from_private(pubkey
, privkey
);
114 * TODO(3.0): We set the library context to NULL for now. This will
117 ED448_public_from_private(NULL
, pubkey
, privkey
);
122 EVP_PKEY_assign(pkey
, id
, key
);
129 static int ecx_pub_encode(X509_PUBKEY
*pk
, const EVP_PKEY
*pkey
)
131 const ECX_KEY
*ecxkey
= pkey
->pkey
.ecx
;
134 if (ecxkey
== NULL
) {
135 ECerr(EC_F_ECX_PUB_ENCODE
, EC_R_INVALID_KEY
);
139 penc
= OPENSSL_memdup(ecxkey
->pubkey
, KEYLEN(pkey
));
141 ECerr(EC_F_ECX_PUB_ENCODE
, ERR_R_MALLOC_FAILURE
);
145 if (!X509_PUBKEY_set0_param(pk
, OBJ_nid2obj(pkey
->ameth
->pkey_id
),
146 V_ASN1_UNDEF
, NULL
, penc
, KEYLEN(pkey
))) {
148 ECerr(EC_F_ECX_PUB_ENCODE
, ERR_R_MALLOC_FAILURE
);
154 static int ecx_pub_decode(EVP_PKEY
*pkey
, X509_PUBKEY
*pubkey
)
156 const unsigned char *p
;
160 if (!X509_PUBKEY_get0_param(NULL
, &p
, &pklen
, &palg
, pubkey
))
162 return ecx_key_op(pkey
, pkey
->ameth
->pkey_id
, palg
, p
, pklen
,
166 static int ecx_pub_cmp(const EVP_PKEY
*a
, const EVP_PKEY
*b
)
168 const ECX_KEY
*akey
= a
->pkey
.ecx
;
169 const ECX_KEY
*bkey
= b
->pkey
.ecx
;
171 if (akey
== NULL
|| bkey
== NULL
)
174 return CRYPTO_memcmp(akey
->pubkey
, bkey
->pubkey
, KEYLEN(a
)) == 0;
177 static int ecx_priv_decode(EVP_PKEY
*pkey
, const PKCS8_PRIV_KEY_INFO
*p8
)
179 const unsigned char *p
;
181 ASN1_OCTET_STRING
*oct
= NULL
;
182 const X509_ALGOR
*palg
;
185 if (!PKCS8_pkey_get0(NULL
, &p
, &plen
, &palg
, p8
))
188 oct
= d2i_ASN1_OCTET_STRING(NULL
, &p
, plen
);
193 p
= ASN1_STRING_get0_data(oct
);
194 plen
= ASN1_STRING_length(oct
);
197 rv
= ecx_key_op(pkey
, pkey
->ameth
->pkey_id
, palg
, p
, plen
, KEY_OP_PRIVATE
);
198 ASN1_OCTET_STRING_free(oct
);
202 static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO
*p8
, const EVP_PKEY
*pkey
)
204 const ECX_KEY
*ecxkey
= pkey
->pkey
.ecx
;
205 ASN1_OCTET_STRING oct
;
206 unsigned char *penc
= NULL
;
209 if (ecxkey
== NULL
|| ecxkey
->privkey
== NULL
) {
210 ECerr(EC_F_ECX_PRIV_ENCODE
, EC_R_INVALID_PRIVATE_KEY
);
214 oct
.data
= ecxkey
->privkey
;
215 oct
.length
= KEYLEN(pkey
);
218 penclen
= i2d_ASN1_OCTET_STRING(&oct
, &penc
);
220 ECerr(EC_F_ECX_PRIV_ENCODE
, ERR_R_MALLOC_FAILURE
);
224 if (!PKCS8_pkey_set0(p8
, OBJ_nid2obj(pkey
->ameth
->pkey_id
), 0,
225 V_ASN1_UNDEF
, NULL
, penc
, penclen
)) {
226 OPENSSL_clear_free(penc
, penclen
);
227 ECerr(EC_F_ECX_PRIV_ENCODE
, ERR_R_MALLOC_FAILURE
);
234 static int ecx_size(const EVP_PKEY
*pkey
)
239 static int ecx_bits(const EVP_PKEY
*pkey
)
241 if (IS25519(pkey
->ameth
->pkey_id
)) {
243 } else if(ISX448(pkey
->ameth
->pkey_id
)) {
250 static int ecx_security_bits(const EVP_PKEY
*pkey
)
252 if (IS25519(pkey
->ameth
->pkey_id
)) {
253 return X25519_SECURITY_BITS
;
255 return X448_SECURITY_BITS
;
259 static void ecx_free(EVP_PKEY
*pkey
)
261 if (pkey
->pkey
.ecx
!= NULL
)
262 OPENSSL_secure_clear_free(pkey
->pkey
.ecx
->privkey
, KEYLEN(pkey
));
263 OPENSSL_free(pkey
->pkey
.ecx
);
266 /* "parameters" are always equal */
267 static int ecx_cmp_parameters(const EVP_PKEY
*a
, const EVP_PKEY
*b
)
272 static int ecx_key_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
273 ASN1_PCTX
*ctx
, ecx_key_op_t op
)
275 const ECX_KEY
*ecxkey
= pkey
->pkey
.ecx
;
276 const char *nm
= OBJ_nid2ln(pkey
->ameth
->pkey_id
);
278 if (op
== KEY_OP_PRIVATE
) {
279 if (ecxkey
== NULL
|| ecxkey
->privkey
== NULL
) {
280 if (BIO_printf(bp
, "%*s<INVALID PRIVATE KEY>\n", indent
, "") <= 0)
284 if (BIO_printf(bp
, "%*s%s Private-Key:\n", indent
, "", nm
) <= 0)
286 if (BIO_printf(bp
, "%*spriv:\n", indent
, "") <= 0)
288 if (ASN1_buf_print(bp
, ecxkey
->privkey
, KEYLEN(pkey
),
292 if (ecxkey
== NULL
) {
293 if (BIO_printf(bp
, "%*s<INVALID PUBLIC KEY>\n", indent
, "") <= 0)
297 if (BIO_printf(bp
, "%*s%s Public-Key:\n", indent
, "", nm
) <= 0)
300 if (BIO_printf(bp
, "%*spub:\n", indent
, "") <= 0)
303 if (ASN1_buf_print(bp
, ecxkey
->pubkey
, KEYLEN(pkey
),
309 static int ecx_priv_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
312 return ecx_key_print(bp
, pkey
, indent
, ctx
, KEY_OP_PRIVATE
);
315 static int ecx_pub_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
318 return ecx_key_print(bp
, pkey
, indent
, ctx
, KEY_OP_PUBLIC
);
321 static int ecx_ctrl(EVP_PKEY
*pkey
, int op
, long arg1
, void *arg2
)
325 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT
:
326 return ecx_key_op(pkey
, pkey
->ameth
->pkey_id
, NULL
, arg2
, arg1
,
329 case ASN1_PKEY_CTRL_GET1_TLS_ENCPT
:
330 if (pkey
->pkey
.ecx
!= NULL
) {
331 unsigned char **ppt
= arg2
;
333 *ppt
= OPENSSL_memdup(pkey
->pkey
.ecx
->pubkey
, KEYLEN(pkey
));
345 static int ecd_ctrl(EVP_PKEY
*pkey
, int op
, long arg1
, void *arg2
)
348 case ASN1_PKEY_CTRL_DEFAULT_MD_NID
:
349 /* We currently only support Pure EdDSA which takes no digest */
350 *(int *)arg2
= NID_undef
;
359 static int ecx_set_priv_key(EVP_PKEY
*pkey
, const unsigned char *priv
,
362 return ecx_key_op(pkey
, pkey
->ameth
->pkey_id
, NULL
, priv
, len
,
366 static int ecx_set_pub_key(EVP_PKEY
*pkey
, const unsigned char *pub
, size_t len
)
368 return ecx_key_op(pkey
, pkey
->ameth
->pkey_id
, NULL
, pub
, len
,
372 static int ecx_get_priv_key(const EVP_PKEY
*pkey
, unsigned char *priv
,
375 const ECX_KEY
*key
= pkey
->pkey
.ecx
;
378 *len
= KEYLENID(pkey
->ameth
->pkey_id
);
383 || key
->privkey
== NULL
384 || *len
< (size_t)KEYLENID(pkey
->ameth
->pkey_id
))
387 *len
= KEYLENID(pkey
->ameth
->pkey_id
);
388 memcpy(priv
, key
->privkey
, *len
);
393 static int ecx_get_pub_key(const EVP_PKEY
*pkey
, unsigned char *pub
,
396 const ECX_KEY
*key
= pkey
->pkey
.ecx
;
399 *len
= KEYLENID(pkey
->ameth
->pkey_id
);
404 || *len
< (size_t)KEYLENID(pkey
->ameth
->pkey_id
))
407 *len
= KEYLENID(pkey
->ameth
->pkey_id
);
408 memcpy(pub
, key
->pubkey
, *len
);
413 const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth
= {
418 "OpenSSL X25519 algorithm",
456 const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth
= {
461 "OpenSSL X448 algorithm",
499 static int ecd_size25519(const EVP_PKEY
*pkey
)
501 return ED25519_SIGSIZE
;
504 static int ecd_size448(const EVP_PKEY
*pkey
)
506 return ED448_SIGSIZE
;
509 static int ecd_item_verify(EVP_MD_CTX
*ctx
, const ASN1_ITEM
*it
, void *asn
,
510 X509_ALGOR
*sigalg
, ASN1_BIT_STRING
*str
,
513 const ASN1_OBJECT
*obj
;
517 /* Sanity check: make sure it is ED25519/ED448 with absent parameters */
518 X509_ALGOR_get0(&obj
, &ptype
, NULL
, sigalg
);
519 nid
= OBJ_obj2nid(obj
);
520 if ((nid
!= NID_ED25519
&& nid
!= NID_ED448
) || ptype
!= V_ASN1_UNDEF
) {
521 ECerr(EC_F_ECD_ITEM_VERIFY
, EC_R_INVALID_ENCODING
);
525 if (!EVP_DigestVerifyInit(ctx
, NULL
, NULL
, NULL
, pkey
))
531 static int ecd_item_sign25519(EVP_MD_CTX
*ctx
, const ASN1_ITEM
*it
, void *asn
,
532 X509_ALGOR
*alg1
, X509_ALGOR
*alg2
,
533 ASN1_BIT_STRING
*str
)
535 /* Set algorithms identifiers */
536 X509_ALGOR_set0(alg1
, OBJ_nid2obj(NID_ED25519
), V_ASN1_UNDEF
, NULL
);
538 X509_ALGOR_set0(alg2
, OBJ_nid2obj(NID_ED25519
), V_ASN1_UNDEF
, NULL
);
539 /* Algorithm identifiers set: carry on as normal */
543 static int ecd_sig_info_set25519(X509_SIG_INFO
*siginf
, const X509_ALGOR
*alg
,
544 const ASN1_STRING
*sig
)
546 X509_SIG_INFO_set(siginf
, NID_undef
, NID_ED25519
, X25519_SECURITY_BITS
,
551 static int ecd_item_sign448(EVP_MD_CTX
*ctx
, const ASN1_ITEM
*it
, void *asn
,
552 X509_ALGOR
*alg1
, X509_ALGOR
*alg2
,
553 ASN1_BIT_STRING
*str
)
555 /* Set algorithm identifier */
556 X509_ALGOR_set0(alg1
, OBJ_nid2obj(NID_ED448
), V_ASN1_UNDEF
, NULL
);
558 X509_ALGOR_set0(alg2
, OBJ_nid2obj(NID_ED448
), V_ASN1_UNDEF
, NULL
);
559 /* Algorithm identifier set: carry on as normal */
563 static int ecd_sig_info_set448(X509_SIG_INFO
*siginf
, const X509_ALGOR
*alg
,
564 const ASN1_STRING
*sig
)
566 X509_SIG_INFO_set(siginf
, NID_undef
, NID_ED448
, X448_SECURITY_BITS
,
572 const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth
= {
577 "OpenSSL ED25519 algorithm",
602 ecd_sig_info_set25519
,
614 const EVP_PKEY_ASN1_METHOD ed448_asn1_meth
= {
619 "OpenSSL ED448 algorithm",
656 static int pkey_ecx_keygen(EVP_PKEY_CTX
*ctx
, EVP_PKEY
*pkey
)
658 return ecx_key_op(pkey
, ctx
->pmeth
->pkey_id
, NULL
, NULL
, 0, KEY_OP_KEYGEN
);
661 static int validate_ecx_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
663 const unsigned char **privkey
,
664 const unsigned char **pubkey
)
666 const ECX_KEY
*ecxkey
, *peerkey
;
668 if (ctx
->pkey
== NULL
|| ctx
->peerkey
== NULL
) {
669 ECerr(EC_F_VALIDATE_ECX_DERIVE
, EC_R_KEYS_NOT_SET
);
672 ecxkey
= ctx
->pkey
->pkey
.ecx
;
673 peerkey
= ctx
->peerkey
->pkey
.ecx
;
674 if (ecxkey
== NULL
|| ecxkey
->privkey
== NULL
) {
675 ECerr(EC_F_VALIDATE_ECX_DERIVE
, EC_R_INVALID_PRIVATE_KEY
);
678 if (peerkey
== NULL
) {
679 ECerr(EC_F_VALIDATE_ECX_DERIVE
, EC_R_INVALID_PEER_KEY
);
682 *privkey
= ecxkey
->privkey
;
683 *pubkey
= peerkey
->pubkey
;
688 static int pkey_ecx_derive25519(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
691 const unsigned char *privkey
, *pubkey
;
693 if (!validate_ecx_derive(ctx
, key
, keylen
, &privkey
, &pubkey
)
695 && X25519(key
, privkey
, pubkey
) == 0))
697 *keylen
= X25519_KEYLEN
;
701 static int pkey_ecx_derive448(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
704 const unsigned char *privkey
, *pubkey
;
706 if (!validate_ecx_derive(ctx
, key
, keylen
, &privkey
, &pubkey
)
708 && X448(key
, privkey
, pubkey
) == 0))
710 *keylen
= X448_KEYLEN
;
714 static int pkey_ecx_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
716 /* Only need to handle peer key for derivation */
717 if (type
== EVP_PKEY_CTRL_PEER_KEY
)
722 const EVP_PKEY_METHOD ecx25519_pkey_meth
= {
726 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
727 pkey_ecx_derive25519
,
732 const EVP_PKEY_METHOD ecx448_pkey_meth
= {
736 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
742 static int pkey_ecd_digestsign25519(EVP_MD_CTX
*ctx
, unsigned char *sig
,
743 size_t *siglen
, const unsigned char *tbs
,
746 const ECX_KEY
*edkey
= EVP_MD_CTX_pkey_ctx(ctx
)->pkey
->pkey
.ecx
;
749 *siglen
= ED25519_SIGSIZE
;
752 if (*siglen
< ED25519_SIGSIZE
) {
753 ECerr(EC_F_PKEY_ECD_DIGESTSIGN25519
, EC_R_BUFFER_TOO_SMALL
);
757 if (ED25519_sign(sig
, tbs
, tbslen
, edkey
->pubkey
, edkey
->privkey
) == 0)
759 *siglen
= ED25519_SIGSIZE
;
763 static int pkey_ecd_digestsign448(EVP_MD_CTX
*ctx
, unsigned char *sig
,
764 size_t *siglen
, const unsigned char *tbs
,
767 const ECX_KEY
*edkey
= EVP_MD_CTX_pkey_ctx(ctx
)->pkey
->pkey
.ecx
;
770 *siglen
= ED448_SIGSIZE
;
773 if (*siglen
< ED448_SIGSIZE
) {
774 ECerr(EC_F_PKEY_ECD_DIGESTSIGN448
, EC_R_BUFFER_TOO_SMALL
);
779 * TODO(3.0): We use NULL for the library context for now. Will need to
782 if (ED448_sign(NULL
, sig
, tbs
, tbslen
, edkey
->pubkey
, edkey
->privkey
,
785 *siglen
= ED448_SIGSIZE
;
789 static int pkey_ecd_digestverify25519(EVP_MD_CTX
*ctx
, const unsigned char *sig
,
790 size_t siglen
, const unsigned char *tbs
,
793 const ECX_KEY
*edkey
= EVP_MD_CTX_pkey_ctx(ctx
)->pkey
->pkey
.ecx
;
795 if (siglen
!= ED25519_SIGSIZE
)
798 return ED25519_verify(tbs
, tbslen
, sig
, edkey
->pubkey
);
801 static int pkey_ecd_digestverify448(EVP_MD_CTX
*ctx
, const unsigned char *sig
,
802 size_t siglen
, const unsigned char *tbs
,
805 const ECX_KEY
*edkey
= EVP_MD_CTX_pkey_ctx(ctx
)->pkey
->pkey
.ecx
;
807 if (siglen
!= ED448_SIGSIZE
)
811 * TODO(3.0): We send NULL for the OPENSSL_CTX for now. This will need to
814 return ED448_verify(NULL
, tbs
, tbslen
, sig
, edkey
->pubkey
, NULL
, 0);
817 static int pkey_ecd_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
820 case EVP_PKEY_CTRL_MD
:
821 /* Only NULL allowed as digest */
822 if (p2
== NULL
|| (const EVP_MD
*)p2
== EVP_md_null())
824 ECerr(EC_F_PKEY_ECD_CTRL
, EC_R_INVALID_DIGEST_TYPE
);
827 case EVP_PKEY_CTRL_DIGESTINIT
:
833 const EVP_PKEY_METHOD ed25519_pkey_meth
= {
834 EVP_PKEY_ED25519
, EVP_PKEY_FLAG_SIGCTX_CUSTOM
,
837 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
840 pkey_ecd_digestsign25519
,
841 pkey_ecd_digestverify25519
844 const EVP_PKEY_METHOD ed448_pkey_meth
= {
845 EVP_PKEY_ED448
, EVP_PKEY_FLAG_SIGCTX_CUSTOM
,
848 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
851 pkey_ecd_digestsign448
,
852 pkey_ecd_digestverify448