2 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/x509.h>
13 #include <openssl/ec.h>
14 #include <openssl/rand.h>
15 #include "internal/asn1_int.h"
16 #include "internal/evp_int.h"
19 #define X25519_BITS 253
20 #define X25519_SECURITY_BITS 128
22 #define ED25519_SIGSIZE 64
25 #define ED448_BITS 456
26 #define X448_SECURITY_BITS 224
28 #define ED448_SIGSIZE 114
30 #define ISX448(id) ((id) == EVP_PKEY_X448)
31 #define IS25519(id) ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519)
32 #define KEYLENID(id) (IS25519(id) ? X25519_KEYLEN \
33 : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \
35 #define KEYLEN(p) KEYLENID((p)->ameth->pkey_id)
44 /* Setup EVP_PKEY using public, private or generation */
45 static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg,
46 const unsigned char *p, int plen, ecx_key_op_t op)
49 unsigned char *privkey, *pubkey;
51 if (op != KEY_OP_KEYGEN) {
55 /* Algorithm parameters must be absent */
56 X509_ALGOR_get0(NULL, &ptype, NULL, palg);
57 if (ptype != V_ASN1_UNDEF) {
58 ECerr(EC_F_ECX_KEY_OP, EC_R_INVALID_ENCODING);
63 if (p == NULL || plen != KEYLENID(id)) {
64 ECerr(EC_F_ECX_KEY_OP, EC_R_INVALID_ENCODING);
69 key = OPENSSL_zalloc(sizeof(*key));
71 ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
76 if (op == KEY_OP_PUBLIC) {
77 memcpy(pubkey, p, plen);
79 privkey = key->privkey = OPENSSL_secure_malloc(KEYLENID(id));
80 if (privkey == NULL) {
81 ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
84 if (op == KEY_OP_KEYGEN) {
85 if (RAND_priv_bytes(privkey, KEYLENID(id)) <= 0) {
86 OPENSSL_secure_free(privkey);
90 if (id == EVP_PKEY_X25519) {
92 privkey[X25519_KEYLEN - 1] &= 127;
93 privkey[X25519_KEYLEN - 1] |= 64;
94 } else if (id == EVP_PKEY_X448) {
96 privkey[X448_KEYLEN - 1] |= 128;
99 memcpy(privkey, p, KEYLENID(id));
102 case EVP_PKEY_X25519:
103 X25519_public_from_private(pubkey, privkey);
105 case EVP_PKEY_ED25519:
106 ED25519_public_from_private(pubkey, privkey);
109 X448_public_from_private(pubkey, privkey);
112 ED448_public_from_private(pubkey, privkey);
117 EVP_PKEY_assign(pkey, id, key);
124 static int ecx_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
126 const ECX_KEY *ecxkey = pkey->pkey.ecx;
129 if (ecxkey == NULL) {
130 ECerr(EC_F_ECX_PUB_ENCODE, EC_R_INVALID_KEY);
134 penc = OPENSSL_memdup(ecxkey->pubkey, KEYLEN(pkey));
136 ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
140 if (!X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
141 V_ASN1_UNDEF, NULL, penc, KEYLEN(pkey))) {
143 ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
149 static int ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
151 const unsigned char *p;
155 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
157 return ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, pklen,
161 static int ecx_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
163 const ECX_KEY *akey = a->pkey.ecx;
164 const ECX_KEY *bkey = b->pkey.ecx;
166 if (akey == NULL || bkey == NULL)
169 return CRYPTO_memcmp(akey->pubkey, bkey->pubkey, KEYLEN(a)) == 0;
172 static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
174 const unsigned char *p;
176 ASN1_OCTET_STRING *oct = NULL;
177 const X509_ALGOR *palg;
180 if (!PKCS8_pkey_get0(NULL, &p, &plen, &palg, p8))
183 oct = d2i_ASN1_OCTET_STRING(NULL, &p, plen);
188 p = ASN1_STRING_get0_data(oct);
189 plen = ASN1_STRING_length(oct);
192 rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE);
193 ASN1_OCTET_STRING_free(oct);
197 static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
199 const ECX_KEY *ecxkey = pkey->pkey.ecx;
200 ASN1_OCTET_STRING oct;
201 unsigned char *penc = NULL;
204 if (ecxkey == NULL || ecxkey->privkey == NULL) {
205 ECerr(EC_F_ECX_PRIV_ENCODE, EC_R_INVALID_PRIVATE_KEY);
209 oct.data = ecxkey->privkey;
210 oct.length = KEYLEN(pkey);
213 penclen = i2d_ASN1_OCTET_STRING(&oct, &penc);
215 ECerr(EC_F_ECX_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
219 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
220 V_ASN1_UNDEF, NULL, penc, penclen)) {
221 OPENSSL_clear_free(penc, penclen);
222 ECerr(EC_F_ECX_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
229 static int ecx_size(const EVP_PKEY *pkey)
234 static int ecx_bits(const EVP_PKEY *pkey)
236 if (IS25519(pkey->ameth->pkey_id)) {
238 } else if(ISX448(pkey->ameth->pkey_id)) {
245 static int ecx_security_bits(const EVP_PKEY *pkey)
247 if (IS25519(pkey->ameth->pkey_id)) {
248 return X25519_SECURITY_BITS;
250 return X448_SECURITY_BITS;
254 static void ecx_free(EVP_PKEY *pkey)
256 if (pkey->pkey.ecx != NULL)
257 OPENSSL_secure_clear_free(pkey->pkey.ecx->privkey, KEYLEN(pkey));
258 OPENSSL_free(pkey->pkey.ecx);
261 /* "parameters" are always equal */
262 static int ecx_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
267 static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
268 ASN1_PCTX *ctx, ecx_key_op_t op)
270 const ECX_KEY *ecxkey = pkey->pkey.ecx;
271 const char *nm = OBJ_nid2ln(pkey->ameth->pkey_id);
273 if (op == KEY_OP_PRIVATE) {
274 if (ecxkey == NULL || ecxkey->privkey == NULL) {
275 if (BIO_printf(bp, "%*s<INVALID PRIVATE KEY>\n", indent, "") <= 0)
279 if (BIO_printf(bp, "%*s%s Private-Key:\n", indent, "", nm) <= 0)
281 if (BIO_printf(bp, "%*spriv:\n", indent, "") <= 0)
283 if (ASN1_buf_print(bp, ecxkey->privkey, KEYLEN(pkey),
287 if (ecxkey == NULL) {
288 if (BIO_printf(bp, "%*s<INVALID PUBLIC KEY>\n", indent, "") <= 0)
292 if (BIO_printf(bp, "%*s%s Public-Key:\n", indent, "", nm) <= 0)
295 if (BIO_printf(bp, "%*spub:\n", indent, "") <= 0)
298 if (ASN1_buf_print(bp, ecxkey->pubkey, KEYLEN(pkey),
304 static int ecx_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
307 return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PRIVATE);
310 static int ecx_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
313 return ecx_key_print(bp, pkey, indent, ctx, KEY_OP_PUBLIC);
316 static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
320 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
321 return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, arg2, arg1,
324 case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
325 if (pkey->pkey.ecx != NULL) {
326 unsigned char **ppt = arg2;
328 *ppt = OPENSSL_memdup(pkey->pkey.ecx->pubkey, KEYLEN(pkey));
340 static int ecd_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
343 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
344 /* We currently only support Pure EdDSA which takes no digest */
345 *(int *)arg2 = NID_undef;
354 static int ecx_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv,
357 return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, priv, len,
361 static int ecx_set_pub_key(EVP_PKEY *pkey, const unsigned char *pub, size_t len)
363 return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, pub, len,
367 static int ecx_get_priv_key(const EVP_PKEY *pkey, unsigned char *priv,
370 const ECX_KEY *key = pkey->pkey.ecx;
373 *len = KEYLENID(pkey->ameth->pkey_id);
378 || key->privkey == NULL
379 || *len < (size_t)KEYLENID(pkey->ameth->pkey_id))
382 *len = KEYLENID(pkey->ameth->pkey_id);
383 memcpy(priv, key->privkey, *len);
388 static int ecx_get_pub_key(const EVP_PKEY *pkey, unsigned char *pub,
391 const ECX_KEY *key = pkey->pkey.ecx;
394 *len = KEYLENID(pkey->ameth->pkey_id);
399 || *len < (size_t)KEYLENID(pkey->ameth->pkey_id))
402 *len = KEYLENID(pkey->ameth->pkey_id);
403 memcpy(pub, key->pubkey, *len);
408 const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = {
413 "OpenSSL X25519 algorithm",
451 const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth = {
456 "OpenSSL X448 algorithm",
494 static int ecd_size25519(const EVP_PKEY *pkey)
496 return ED25519_SIGSIZE;
499 static int ecd_size448(const EVP_PKEY *pkey)
501 return ED448_SIGSIZE;
504 static int ecd_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
505 X509_ALGOR *sigalg, ASN1_BIT_STRING *str,
508 const ASN1_OBJECT *obj;
512 /* Sanity check: make sure it is ED25519/ED448 with absent parameters */
513 X509_ALGOR_get0(&obj, &ptype, NULL, sigalg);
514 nid = OBJ_obj2nid(obj);
515 if ((nid != NID_ED25519 && nid != NID_ED448) || ptype != V_ASN1_UNDEF) {
516 ECerr(EC_F_ECD_ITEM_VERIFY, EC_R_INVALID_ENCODING);
520 if (!EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey))
526 static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
527 X509_ALGOR *alg1, X509_ALGOR *alg2,
528 ASN1_BIT_STRING *str)
530 /* Set algorithms identifiers */
531 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
533 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
534 /* Algorithm idetifiers set: carry on as normal */
538 static int ecd_sig_info_set25519(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
539 const ASN1_STRING *sig)
541 X509_SIG_INFO_set(siginf, NID_undef, NID_ED25519, X25519_SECURITY_BITS,
546 static int ecd_item_sign448(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
547 X509_ALGOR *alg1, X509_ALGOR *alg2,
548 ASN1_BIT_STRING *str)
550 /* Set algorithm identifier */
551 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
553 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
554 /* Algorithm identifier set: carry on as normal */
558 static int ecd_sig_info_set448(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
559 const ASN1_STRING *sig)
561 X509_SIG_INFO_set(siginf, NID_undef, NID_ED448, X448_SECURITY_BITS,
567 const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
572 "OpenSSL ED25519 algorithm",
597 ecd_sig_info_set25519,
609 const EVP_PKEY_ASN1_METHOD ed448_asn1_meth = {
614 "OpenSSL ED448 algorithm",
651 static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
653 return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, KEY_OP_KEYGEN);
656 static int validate_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
658 const unsigned char **privkey,
659 const unsigned char **pubkey)
661 const ECX_KEY *ecxkey, *peerkey;
663 if (ctx->pkey == NULL || ctx->peerkey == NULL) {
664 ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_KEYS_NOT_SET);
667 ecxkey = ctx->pkey->pkey.ecx;
668 peerkey = ctx->peerkey->pkey.ecx;
669 if (ecxkey == NULL || ecxkey->privkey == NULL) {
670 ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY);
673 if (peerkey == NULL) {
674 ECerr(EC_F_VALIDATE_ECX_DERIVE, EC_R_INVALID_PEER_KEY);
677 *privkey = ecxkey->privkey;
678 *pubkey = peerkey->pubkey;
683 static int pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
686 const unsigned char *privkey, *pubkey;
688 if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)
690 && X25519(key, privkey, pubkey) == 0))
692 *keylen = X25519_KEYLEN;
696 static int pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
699 const unsigned char *privkey, *pubkey;
701 if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)
703 && X448(key, privkey, pubkey) == 0))
705 *keylen = X448_KEYLEN;
709 static int pkey_ecx_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
711 /* Only need to handle peer key for derivation */
712 if (type == EVP_PKEY_CTRL_PEER_KEY)
717 const EVP_PKEY_METHOD ecx25519_pkey_meth = {
721 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
722 pkey_ecx_derive25519,
727 const EVP_PKEY_METHOD ecx448_pkey_meth = {
731 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
737 static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig,
738 size_t *siglen, const unsigned char *tbs,
741 const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
744 *siglen = ED25519_SIGSIZE;
747 if (*siglen < ED25519_SIGSIZE) {
748 ECerr(EC_F_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
752 if (ED25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey) == 0)
754 *siglen = ED25519_SIGSIZE;
758 static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig,
759 size_t *siglen, const unsigned char *tbs,
762 const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
765 *siglen = ED448_SIGSIZE;
768 if (*siglen < ED448_SIGSIZE) {
769 ECerr(EC_F_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
773 if (ED448_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL,
776 *siglen = ED448_SIGSIZE;
780 static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig,
781 size_t siglen, const unsigned char *tbs,
784 const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
786 if (siglen != ED25519_SIGSIZE)
789 return ED25519_verify(tbs, tbslen, sig, edkey->pubkey);
792 static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig,
793 size_t siglen, const unsigned char *tbs,
796 const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
798 if (siglen != ED448_SIGSIZE)
801 return ED448_verify(tbs, tbslen, sig, edkey->pubkey, NULL, 0);
804 static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
807 case EVP_PKEY_CTRL_MD:
808 /* Only NULL allowed as digest */
809 if (p2 == NULL || (const EVP_MD *)p2 == EVP_md_null())
811 ECerr(EC_F_PKEY_ECD_CTRL, EC_R_INVALID_DIGEST_TYPE);
814 case EVP_PKEY_CTRL_DIGESTINIT:
820 const EVP_PKEY_METHOD ed25519_pkey_meth = {
821 EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
824 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
827 pkey_ecd_digestsign25519,
828 pkey_ecd_digestverify25519
831 const EVP_PKEY_METHOD ed448_pkey_meth = {
832 EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
835 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
838 pkey_ecd_digestsign448,
839 pkey_ecd_digestverify448