1 /* crypto/ecdsa/ecdsatest.c */
2 /* ====================================================================
3 * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * licensing@OpenSSL.org.
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
31 * 6. Redistributions of any form whatsoever must retain the following
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
55 /* ====================================================================
56 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
58 * Portions of the attached software ("Contribution") are developed by
59 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
61 * The Contribution is licensed pursuant to the OpenSSL open source
62 * license provided above.
64 * The elliptic curve binary polynomial software is originally written by
65 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
75 /* "To determine the time in seconds, the value returned
76 * by the clock function should be divided by the value
77 * of the macro CLOCKS_PER_SEC."
81 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
82 * -- cc on NeXTstep/OpenStep */
84 # define CLOCKS_PER_SEC 1
87 #ifdef OPENSSL_NO_ECDSA
88 int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); return 0; }
91 #include <openssl/crypto.h>
92 #include <openssl/bio.h>
93 #include <openssl/evp.h>
94 #include <openssl/x509.h>
95 #include <openssl/ecdsa.h>
96 #include <openssl/engine.h>
97 #include <openssl/err.h>
99 static BIO *bio_err=NULL;
100 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
102 #define ECDSA_NIST_TESTS 10
103 ECDSA_SIG* signatures[ECDSA_NIST_TESTS];
104 unsigned char digest[ECDSA_NIST_TESTS][20];
106 /* some declarations */
107 void clear_ecdsa(EC_KEY *);
108 int set_p192_param(EC_KEY *);
109 int set_p239_param(EC_KEY *);
110 int test_sig_vrf(EC_KEY *, const unsigned char *);
111 int test_x962_sig_vrf(EC_KEY *, const unsigned char *,
112 const char *, const char *, const char *);
113 int ecdsa_cmp(const EC_KEY *, const EC_KEY *);
115 void clear_ecdsa(EC_KEY *ecdsa)
121 EC_GROUP_free(ecdsa->group);
126 EC_POINT_free(ecdsa->pub_key);
127 ecdsa->pub_key = NULL;
131 BN_free(ecdsa->priv_key);
132 ecdsa->priv_key = NULL;
136 int set_p192_param(EC_KEY *ecdsa)
143 if ((ctx = BN_CTX_new()) == NULL) goto err;
146 if ((ecdsa->group = EC_GROUP_new_by_nid(NID_X9_62_prime192v1)) == NULL)
148 BIO_printf(bio_err,"ECDSA_SET_GROUP_P_192_V1() failed \n");
151 if ((ecdsa->pub_key = EC_POINT_new(ecdsa->group)) == NULL)
153 BIO_printf(bio_err,"EC_POINT_new failed \n");
157 if (!BN_dec2bn(&(ecdsa->priv_key), "651056770906015076056810763456358567190100156695615665659")) goto err;
158 if (!EC_POINT_mul(ecdsa->group,ecdsa->pub_key,ecdsa->priv_key,NULL,NULL,ctx))
160 BIO_printf(bio_err,"EC_POINT_mul() failed \n");
165 err : if (ctx) BN_CTX_free(ctx);
169 int set_p239_param(EC_KEY *ecdsa)
176 if ((ctx = BN_CTX_new()) == NULL) goto err;
179 if ((ecdsa->group = EC_GROUP_new_by_nid(NID_X9_62_prime239v1)) == NULL)
181 BIO_printf(bio_err,"ECDSA_SET_GROUP_P_239_V1() failed \n");
184 if ((ecdsa->pub_key = EC_POINT_new(ecdsa->group)) == NULL)
186 BIO_printf(bio_err,"EC_POINT_new failed \n");
190 if (!BN_dec2bn(&(ecdsa->priv_key), "876300101507107567501066130761671078357010671067781776716671676178726717")) goto err;
191 if (!EC_POINT_mul(ecdsa->group,ecdsa->pub_key,ecdsa->priv_key,NULL,NULL,ctx))
193 BIO_printf(bio_err,"EC_POINT_mul() failed \n");
198 err : if (ctx) BN_CTX_free(ctx);
202 int test_sig_vrf(EC_KEY *ecdsa, const unsigned char* dgst)
205 unsigned char *buffer=NULL;
206 unsigned int buf_len;
209 if (!ecdsa || !ecdsa->group || !ecdsa->pub_key || !ecdsa->priv_key)
211 if ((buf_len = ECDSA_size(ecdsa)) == 0)
213 BIO_printf(bio_err, "ECDSA_size() == 0 \n");
216 if ((buffer = OPENSSL_malloc(buf_len)) == NULL)
220 if (!ECDSA_sign(type, dgst , 20, buffer, &buf_len, ecdsa))
222 BIO_printf(bio_err, "ECDSA_sign() FAILED \n");
226 BIO_printf(bio_err, " [ ECDSA_sign() %.2f"UNIT, (double)tim/(CLOCKS_PER_SEC));
229 ret = ECDSA_verify(type, dgst, 20, buffer, buf_len, ecdsa);
232 BIO_printf(bio_err, "ECDSA_verify() FAILED \n");
236 BIO_printf(bio_err, " and ECDSA_verify() %.2f"UNIT" ] ", (double)tim/(CLOCKS_PER_SEC));
238 err: OPENSSL_free(buffer);
242 int test_x962_sig_vrf(EC_KEY *eckey, const unsigned char *dgst,
243 const char *k_in, const char *r_in, const char *s_in)
247 EC_POINT *point=NULL;
248 BIGNUM *r=NULL,*s=NULL,*k=NULL,*x=NULL,*y=NULL,*m=NULL,*ord=NULL;
251 ECDSA_DATA *ecdsa = ecdsa_check(eckey);;
253 if (!eckey || !eckey->group || !eckey->pub_key || !eckey->priv_key
256 if ((point = EC_POINT_new(eckey->group)) == NULL) goto err;
257 if ((r = BN_new()) == NULL || (s = BN_new()) == NULL
258 || (k = BN_new()) == NULL || (x = BN_new()) == NULL ||
259 (y = BN_new()) == NULL || (m = BN_new()) == NULL ||
260 (ord = BN_new()) == NULL) goto err;
261 if ((ctx = BN_CTX_new()) == NULL) goto err;
262 if (!BN_bin2bn(dgst, 20, m)) goto err;
263 if (!BN_dec2bn(&k, k_in)) goto err;
264 if (!EC_POINT_mul(eckey->group, point, k, NULL, NULL, ctx)) goto err;
265 if (!EC_POINT_get_affine_coordinates_GFp(eckey->group, point, x, y,
267 if (!EC_GROUP_get_order(eckey->group, ord, ctx)) goto err;
268 if ((ecdsa->r = BN_dup(x)) == NULL) goto err;
269 if ((ecdsa->kinv = BN_mod_inverse(NULL, k, ord, ctx)) == NULL)
272 if ((sig = ECDSA_do_sign(dgst, 20, eckey)) == NULL)
274 BIO_printf(bio_err,"ECDSA_do_sign() failed \n");
278 if (!BN_dec2bn(&r, r_in)) goto err;
279 if (!BN_dec2bn(&s, s_in)) goto err;
280 if (BN_cmp(sig->r,r) != 0 || BN_cmp(sig->s,s) != 0)
282 tmp_char = OPENSSL_malloc(128);
283 if (tmp_char == NULL) goto err;
284 tmp_char = BN_bn2dec(sig->r);
285 BIO_printf(bio_err,"unexpected signature \n");
286 BIO_printf(bio_err,"sig->r = %s\n",tmp_char);
287 tmp_char = BN_bn2dec(sig->s);
288 BIO_printf(bio_err,"sig->s = %s\n",tmp_char);
291 ret = ECDSA_do_verify(dgst, 20, sig, eckey);
294 BIO_printf(bio_err,"ECDSA_do_verify : signature verification failed \n");
299 err : if (r) BN_free(r);
305 if (ord) BN_free(ord);
306 if (sig) ECDSA_SIG_free(sig);
307 if (ctx) BN_CTX_free(ctx);
308 if (point) EC_POINT_free(point);
309 if (tmp_char) OPENSSL_free(tmp_char);
313 int ecdsa_cmp(const EC_KEY *a, const EC_KEY *b)
317 BIGNUM *tmp_a1=NULL, *tmp_a2=NULL, *tmp_a3=NULL;
318 BIGNUM *tmp_b1=NULL, *tmp_b2=NULL, *tmp_b3=NULL;
320 if ((ctx = BN_CTX_new()) == NULL) return 1;
321 if ((tmp_a1 = BN_new()) == NULL || (tmp_a2 = BN_new()) == NULL || (tmp_a3 = BN_new()) == NULL) goto err;
322 if ((tmp_b1 = BN_new()) == NULL || (tmp_b2 = BN_new()) == NULL || (tmp_b3 = BN_new()) == NULL) goto err;
324 if (a->pub_key && b->pub_key)
325 if (EC_POINT_cmp(a->group, a->pub_key, b->pub_key, ctx) != 0) goto err;
326 if (a->priv_key && b->priv_key)
327 if (BN_cmp(a->priv_key, b->priv_key) != 0) goto err;
328 if (!EC_GROUP_get_curve_GFp(a->group, tmp_a1, tmp_a2, tmp_a3, ctx)) goto err;
329 if (!EC_GROUP_get_curve_GFp(a->group, tmp_b1, tmp_b2, tmp_b3, ctx)) goto err;
330 if (BN_cmp(tmp_a1, tmp_b1) != 0) goto err;
331 if (BN_cmp(tmp_a2, tmp_b2) != 0) goto err;
332 if (BN_cmp(tmp_a3, tmp_b3) != 0) goto err;
335 err: if (tmp_a1) BN_free(tmp_a1);
336 if (tmp_a2) BN_free(tmp_a2);
337 if (tmp_a3) BN_free(tmp_a3);
338 if (tmp_b1) BN_free(tmp_b1);
339 if (tmp_b2) BN_free(tmp_b2);
340 if (tmp_b3) BN_free(tmp_b3);
341 if (ctx) BN_CTX_free(ctx);
347 EC_KEY *ecdsa=NULL, *ret_ecdsa=NULL;
349 X509_PUBKEY *x509_pubkey=NULL;
350 PKCS8_PRIV_KEY_INFO *pkcs8=NULL;
351 EVP_PKEY *pkey=NULL, *ret_pkey=NULL;
353 unsigned char *dgst=NULL;
356 unsigned char *buffer=NULL;
360 EVP_MD_CTX *md_ctx=NULL;
362 /* enable memory leak checking unless explicitly disabled */
363 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
365 CRYPTO_malloc_debug_init();
366 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
370 /* OPENSSL_DEBUG_MEMORY=off */
371 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
373 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
375 ERR_load_crypto_strings();
378 bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
380 RAND_seed(rnd_seed, sizeof(rnd_seed));
382 if ((ecdsa = EC_KEY_new()) == NULL) goto err;
384 set_p192_param(ecdsa);
385 EC_KEY_print(bio_err, ecdsa, 0);
387 /* en- decode tests */
389 /* i2d_ - d2i_ECParameters() */
390 BIO_printf(bio_err, "\nTesting i2d_ - d2i_ECDSAParameters \n");
391 buf_len = i2d_ECParameters(ecdsa, NULL);
392 if (!buf_len || (buffer = OPENSSL_malloc(buf_len)) == NULL) goto err;
394 if (!i2d_ECParameters(ecdsa, &pp)) goto err;
396 if ((ret_ecdsa = d2i_ECParameters(&ret_ecdsa, (const unsigned char **)&pp,
397 buf_len)) == NULL) goto err;
398 ECParameters_print(bio_err, ret_ecdsa);
399 if (ecdsa_cmp(ecdsa, ret_ecdsa)) goto err;
400 OPENSSL_free(buffer);
402 EC_KEY_free(ret_ecdsa);
405 /* i2d_ - d2i_ECPrivateKey() */
406 BIO_printf(bio_err, "\nTesting i2d_ - d2i_ECDSAPrivateKey \n");
407 buf_len = i2d_ECPrivateKey(ecdsa, NULL);
408 if (!buf_len || (buffer = OPENSSL_malloc(buf_len)) == NULL) goto err;
410 if (!i2d_ECPrivateKey(ecdsa, &pp)) goto err;
412 if ((ret_ecdsa = d2i_ECPrivateKey(&ret_ecdsa, (const unsigned char**)&pp,
413 buf_len)) == NULL) goto err;
414 EC_KEY_print(bio_err, ret_ecdsa, 0);
415 if (ecdsa_cmp(ecdsa, ret_ecdsa)) goto err;
416 EC_KEY_free(ret_ecdsa);
418 OPENSSL_free(buffer);
421 /* X509_PUBKEY_set() & X509_PUBKEY_get() */
423 BIO_printf(bio_err, "\nTesting X509_PUBKEY_{get,set} : ");
424 if ((pkey = EVP_PKEY_new()) == NULL) goto err;
425 EVP_PKEY_assign_EC_KEY(pkey, ecdsa);
426 if ((x509_pubkey = X509_PUBKEY_new()) == NULL) goto err;
427 if (!X509_PUBKEY_set(&x509_pubkey, pkey)) goto err;
429 if ((ret_pkey = X509_PUBKEY_get(x509_pubkey)) == NULL) goto err;
430 ret_ecdsa = EVP_PKEY_get1_EC_KEY(ret_pkey);
431 EVP_PKEY_free(ret_pkey);
434 if (ecdsa_cmp(ecdsa, ret_ecdsa))
436 BIO_printf(bio_err, "TEST FAILED \n");
439 else BIO_printf(bio_err, "TEST OK \n");
440 X509_PUBKEY_free(x509_pubkey);
442 EC_KEY_free(ret_ecdsa);
445 /* Testing PKCS8_PRIV_KEY_INFO <-> EVP_PKEY */
446 BIO_printf(bio_err, "Testing PKCS8_PRIV_KEY_INFO <-> EVP_PKEY : \n");
447 BIO_printf(bio_err, "PKCS8_OK : ");
448 if ((pkcs8 = EVP_PKEY2PKCS8_broken(pkey, PKCS8_OK)) == NULL) goto err;
449 if ((ret_pkey = EVP_PKCS82PKEY(pkcs8)) == NULL) goto err;
450 ret_ecdsa = EVP_PKEY_get1_EC_KEY(ret_pkey);
451 if (ecdsa_cmp(ecdsa, ret_ecdsa))
453 BIO_printf(bio_err, "TEST FAILED \n");
456 else BIO_printf(bio_err, "TEST OK \n");
457 EVP_PKEY_free(ret_pkey);
459 EC_KEY_free(ret_ecdsa);
461 PKCS8_PRIV_KEY_INFO_free(pkcs8);
467 /* sign and verify tests */
468 if ((d = BN_new()) == NULL) goto err;
470 if (!BN_dec2bn(&d, "968236873715988614170569073515315707566766479517")) goto err;
471 dgst_len = BN_num_bytes(d);
472 if ((dgst = OPENSSL_malloc(dgst_len)) == NULL) goto err;
473 if (!BN_bn2bin(d, dgst)) goto err;
475 BIO_printf(bio_err, "Performing tests based on examples H.3.1 and H.3.2 of X9.62 \n");
477 BIO_printf(bio_err, "PRIME_192_V1 : ");
478 if ((ecdsa = EC_KEY_new()) == NULL) goto err;
479 if (!set_p192_param(ecdsa)) goto err;
480 if (!test_x962_sig_vrf(ecdsa, dgst, "6140507067065001063065065565667405560006161556565665656654",
481 "3342403536405981729393488334694600415596881826869351677613",
482 "5735822328888155254683894997897571951568553642892029982342"))
485 BIO_printf(bio_err, "OK\n");
486 BIO_printf(bio_err, "PRIME_239_V1 : ");
487 if (!set_p239_param(ecdsa))
489 if (!test_x962_sig_vrf(ecdsa, dgst, "700000017569056646655505781757157107570501575775705779575555657156756655",
490 "308636143175167811492622547300668018854959378758531778147462058306432176",
491 "323813553209797357708078776831250505931891051755007842781978505179448783"))
494 BIO_printf(bio_err, "OK\n");
501 for (i=0; i<ECDSA_NIST_TESTS; i++)
502 if (!RAND_bytes(digest[i], 20)) goto err;
504 BIO_printf(bio_err, "\n");
506 /* Macro for each test */
507 #define ECDSA_GROUP_TEST(text, curve) \
508 BIO_printf(bio_err, "Testing sign & verify with %s : \n", text); \
509 EC_KEY_free(ecdsa); \
510 if ((ecdsa = EC_KEY_new()) == NULL) goto err; \
511 if ((ecdsa->group = EC_GROUP_new_by_nid(curve)) == NULL) goto err; \
512 if (!EC_KEY_generate_key(ecdsa)) goto err; \
514 for (i=0; i<ECDSA_NIST_TESTS; i++) \
515 if ((signatures[i] = ECDSA_do_sign(digest[i], 20, ecdsa)) == NULL) goto err; \
516 tim = clock() - tim; \
517 tim_d = (double)tim / CLOCKS_PER_SEC; \
518 BIO_printf(bio_err, "%d x ECDSA_do_sign() in %.2f"UNIT" => average time for ECDSA_do_sign() %.4f"UNIT"\n" \
519 , ECDSA_NIST_TESTS, tim_d, tim_d / ECDSA_NIST_TESTS); \
521 for (i=0; i<ECDSA_NIST_TESTS; i++) \
522 if (!ECDSA_do_verify(digest[i], 20, signatures[i], ecdsa)) goto err; \
523 tim = clock() - tim; \
524 tim_d = (double)tim / CLOCKS_PER_SEC; \
525 BIO_printf(bio_err, "%d x ECDSA_do_verify() in %.2f"UNIT" => average time for ECDSA_do_verify() %.4f"UNIT"\n" \
526 , ECDSA_NIST_TESTS, tim_d, tim_d/ECDSA_NIST_TESTS); \
527 for (i=0; i<ECDSA_NIST_TESTS; i++) \
529 ECDSA_SIG_free(signatures[i]); \
530 signatures[i] = NULL; \
533 /* NIST PRIME CURVES TESTS */
534 ECDSA_GROUP_TEST("NIST Prime-Curve P-192", NID_X9_62_prime192v1);
535 ECDSA_GROUP_TEST("NIST Prime-Curve P-224", NID_secp224r1);
536 ECDSA_GROUP_TEST("NIST Prime-Curve P-256", NID_X9_62_prime256v1);
537 ECDSA_GROUP_TEST("NIST Prime-Curve P-384", NID_secp384r1);
538 ECDSA_GROUP_TEST("NIST Prime-Curve P-521", NID_secp521r1);
539 /* NIST BINARY CURVES TESTS */
540 ECDSA_GROUP_TEST("NIST Binary-Curve K-163", NID_sect163k1);
541 ECDSA_GROUP_TEST("NIST Binary-Curve B-163", NID_sect163r2);
542 ECDSA_GROUP_TEST("NIST Binary-Curve K-233", NID_sect233k1);
543 ECDSA_GROUP_TEST("NIST Binary-Curve B-233", NID_sect233r1);
544 ECDSA_GROUP_TEST("NIST Binary-Curve K-283", NID_sect283k1);
545 ECDSA_GROUP_TEST("NIST Binary-Curve B-283", NID_sect283r1);
546 ECDSA_GROUP_TEST("NIST Binary-Curve K-409", NID_sect409k1);
547 ECDSA_GROUP_TEST("NIST Binary-Curve B-409", NID_sect409r1);
548 ECDSA_GROUP_TEST("NIST Binary-Curve K-571", NID_sect571k1);
549 ECDSA_GROUP_TEST("NIST Binary-Curve B-571", NID_sect571r1);
550 #undef ECDSA_GROUP_TEST
554 OPENSSL_free(buffer);
561 BIO_printf(bio_err, "TEST FAILED \n");
563 BIO_printf(bio_err, "TEST PASSED \n");
565 ERR_print_errors(bio_err);
566 if (ecdsa) EC_KEY_free(ecdsa);
568 if (dgst) OPENSSL_free(dgst);
569 if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
570 if (pkey) EVP_PKEY_free(pkey);
571 CRYPTO_cleanup_all_ex_data();
574 CRYPTO_mem_leaks(bio_err);