1*4882a593Smuzhiyun /** 2*4882a593Smuzhiyun * \file ecdsa.h 3*4882a593Smuzhiyun * 4*4882a593Smuzhiyun * \brief Elliptic curve DSA 5*4882a593Smuzhiyun * 6*4882a593Smuzhiyun * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 7*4882a593Smuzhiyun * SPDX-License-Identifier: Apache-2.0 8*4882a593Smuzhiyun * 9*4882a593Smuzhiyun * Licensed under the Apache License, Version 2.0 (the "License"); you may 10*4882a593Smuzhiyun * not use this file except in compliance with the License. 11*4882a593Smuzhiyun * You may obtain a copy of the License at 12*4882a593Smuzhiyun * 13*4882a593Smuzhiyun * http://www.apache.org/licenses/LICENSE-2.0 14*4882a593Smuzhiyun * 15*4882a593Smuzhiyun * Unless required by applicable law or agreed to in writing, software 16*4882a593Smuzhiyun * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17*4882a593Smuzhiyun * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18*4882a593Smuzhiyun * See the License for the specific language governing permissions and 19*4882a593Smuzhiyun * limitations under the License. 20*4882a593Smuzhiyun * 21*4882a593Smuzhiyun * This file is part of mbed TLS (https://tls.mbed.org) 22*4882a593Smuzhiyun */ 23*4882a593Smuzhiyun #ifndef MBEDTLS_ECDSA_H 24*4882a593Smuzhiyun #define MBEDTLS_ECDSA_H 25*4882a593Smuzhiyun 26*4882a593Smuzhiyun #include "ecp.h" 27*4882a593Smuzhiyun #include "md.h" 28*4882a593Smuzhiyun 29*4882a593Smuzhiyun /* 30*4882a593Smuzhiyun * RFC 4492 page 20: 31*4882a593Smuzhiyun * 32*4882a593Smuzhiyun * Ecdsa-Sig-Value ::= SEQUENCE { 33*4882a593Smuzhiyun * r INTEGER, 34*4882a593Smuzhiyun * s INTEGER 35*4882a593Smuzhiyun * } 36*4882a593Smuzhiyun * 37*4882a593Smuzhiyun * Size is at most 38*4882a593Smuzhiyun * 1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s, 39*4882a593Smuzhiyun * twice that + 1 (tag) + 2 (len) for the sequence 40*4882a593Smuzhiyun * (assuming ECP_MAX_BYTES is less than 126 for r and s, 41*4882a593Smuzhiyun * and less than 124 (total len <= 255) for the sequence) 42*4882a593Smuzhiyun */ 43*4882a593Smuzhiyun #if MBEDTLS_ECP_MAX_BYTES > 124 44*4882a593Smuzhiyun #error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN" 45*4882a593Smuzhiyun #endif 46*4882a593Smuzhiyun /** Maximum size of an ECDSA signature in bytes */ 47*4882a593Smuzhiyun #define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) ) 48*4882a593Smuzhiyun 49*4882a593Smuzhiyun /** 50*4882a593Smuzhiyun * \brief ECDSA context structure 51*4882a593Smuzhiyun */ 52*4882a593Smuzhiyun typedef mbedtls_ecp_keypair mbedtls_ecdsa_context; 53*4882a593Smuzhiyun 54*4882a593Smuzhiyun #ifdef __cplusplus 55*4882a593Smuzhiyun extern "C" { 56*4882a593Smuzhiyun #endif 57*4882a593Smuzhiyun 58*4882a593Smuzhiyun /** 59*4882a593Smuzhiyun * \brief Compute ECDSA signature of a previously hashed message 60*4882a593Smuzhiyun * 61*4882a593Smuzhiyun * \note The deterministic version is usually prefered. 62*4882a593Smuzhiyun * 63*4882a593Smuzhiyun * \param grp ECP group 64*4882a593Smuzhiyun * \param r First output integer 65*4882a593Smuzhiyun * \param s Second output integer 66*4882a593Smuzhiyun * \param d Private signing key 67*4882a593Smuzhiyun * \param buf Message hash 68*4882a593Smuzhiyun * \param blen Length of buf 69*4882a593Smuzhiyun * \param f_rng RNG function 70*4882a593Smuzhiyun * \param p_rng RNG parameter 71*4882a593Smuzhiyun * 72*4882a593Smuzhiyun * \return 0 if successful, 73*4882a593Smuzhiyun * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code 74*4882a593Smuzhiyun */ 75*4882a593Smuzhiyun int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, 76*4882a593Smuzhiyun const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 77*4882a593Smuzhiyun int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 78*4882a593Smuzhiyun 79*4882a593Smuzhiyun #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 80*4882a593Smuzhiyun /** 81*4882a593Smuzhiyun * \brief Compute ECDSA signature of a previously hashed message, 82*4882a593Smuzhiyun * deterministic version (RFC 6979). 83*4882a593Smuzhiyun * 84*4882a593Smuzhiyun * \param grp ECP group 85*4882a593Smuzhiyun * \param r First output integer 86*4882a593Smuzhiyun * \param s Second output integer 87*4882a593Smuzhiyun * \param d Private signing key 88*4882a593Smuzhiyun * \param buf Message hash 89*4882a593Smuzhiyun * \param blen Length of buf 90*4882a593Smuzhiyun * \param md_alg MD algorithm used to hash the message 91*4882a593Smuzhiyun * 92*4882a593Smuzhiyun * \return 0 if successful, 93*4882a593Smuzhiyun * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code 94*4882a593Smuzhiyun */ 95*4882a593Smuzhiyun int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, 96*4882a593Smuzhiyun const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 97*4882a593Smuzhiyun mbedtls_md_type_t md_alg ); 98*4882a593Smuzhiyun #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 99*4882a593Smuzhiyun 100*4882a593Smuzhiyun /** 101*4882a593Smuzhiyun * \brief Verify ECDSA signature of a previously hashed message 102*4882a593Smuzhiyun * 103*4882a593Smuzhiyun * \param grp ECP group 104*4882a593Smuzhiyun * \param buf Message hash 105*4882a593Smuzhiyun * \param blen Length of buf 106*4882a593Smuzhiyun * \param Q Public key to use for verification 107*4882a593Smuzhiyun * \param r First integer of the signature 108*4882a593Smuzhiyun * \param s Second integer of the signature 109*4882a593Smuzhiyun * 110*4882a593Smuzhiyun * \return 0 if successful, 111*4882a593Smuzhiyun * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid 112*4882a593Smuzhiyun * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code 113*4882a593Smuzhiyun */ 114*4882a593Smuzhiyun int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, 115*4882a593Smuzhiyun const unsigned char *buf, size_t blen, 116*4882a593Smuzhiyun const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s); 117*4882a593Smuzhiyun 118*4882a593Smuzhiyun /** 119*4882a593Smuzhiyun * \brief Compute ECDSA signature and write it to buffer, 120*4882a593Smuzhiyun * serialized as defined in RFC 4492 page 20. 121*4882a593Smuzhiyun * (Not thread-safe to use same context in multiple threads) 122*4882a593Smuzhiyun * 123*4882a593Smuzhiyun * \note The deterministice version (RFC 6979) is used if 124*4882a593Smuzhiyun * MBEDTLS_ECDSA_DETERMINISTIC is defined. 125*4882a593Smuzhiyun * 126*4882a593Smuzhiyun * \param ctx ECDSA context 127*4882a593Smuzhiyun * \param md_alg Algorithm that was used to hash the message 128*4882a593Smuzhiyun * \param hash Message hash 129*4882a593Smuzhiyun * \param hlen Length of hash 130*4882a593Smuzhiyun * \param sig Buffer that will hold the signature 131*4882a593Smuzhiyun * \param slen Length of the signature written 132*4882a593Smuzhiyun * \param f_rng RNG function 133*4882a593Smuzhiyun * \param p_rng RNG parameter 134*4882a593Smuzhiyun * 135*4882a593Smuzhiyun * \note The "sig" buffer must be at least as large as twice the 136*4882a593Smuzhiyun * size of the curve used, plus 9 (eg. 73 bytes if a 256-bit 137*4882a593Smuzhiyun * curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe. 138*4882a593Smuzhiyun * 139*4882a593Smuzhiyun * \return 0 if successful, 140*4882a593Smuzhiyun * or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or 141*4882a593Smuzhiyun * MBEDTLS_ERR_ASN1_XXX error code 142*4882a593Smuzhiyun */ 143*4882a593Smuzhiyun int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg, 144*4882a593Smuzhiyun const unsigned char *hash, size_t hlen, 145*4882a593Smuzhiyun unsigned char *sig, size_t *slen, 146*4882a593Smuzhiyun int (*f_rng)(void *, unsigned char *, size_t), 147*4882a593Smuzhiyun void *p_rng ); 148*4882a593Smuzhiyun 149*4882a593Smuzhiyun #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 150*4882a593Smuzhiyun #if ! defined(MBEDTLS_DEPRECATED_REMOVED) 151*4882a593Smuzhiyun #if defined(MBEDTLS_DEPRECATED_WARNING) 152*4882a593Smuzhiyun #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 153*4882a593Smuzhiyun #else 154*4882a593Smuzhiyun #define MBEDTLS_DEPRECATED 155*4882a593Smuzhiyun #endif 156*4882a593Smuzhiyun /** 157*4882a593Smuzhiyun * \brief Compute ECDSA signature and write it to buffer, 158*4882a593Smuzhiyun * serialized as defined in RFC 4492 page 20. 159*4882a593Smuzhiyun * Deterministic version, RFC 6979. 160*4882a593Smuzhiyun * (Not thread-safe to use same context in multiple threads) 161*4882a593Smuzhiyun * 162*4882a593Smuzhiyun * \deprecated Superseded by mbedtls_ecdsa_write_signature() in 2.0.0 163*4882a593Smuzhiyun * 164*4882a593Smuzhiyun * \param ctx ECDSA context 165*4882a593Smuzhiyun * \param hash Message hash 166*4882a593Smuzhiyun * \param hlen Length of hash 167*4882a593Smuzhiyun * \param sig Buffer that will hold the signature 168*4882a593Smuzhiyun * \param slen Length of the signature written 169*4882a593Smuzhiyun * \param md_alg MD algorithm used to hash the message 170*4882a593Smuzhiyun * 171*4882a593Smuzhiyun * \note The "sig" buffer must be at least as large as twice the 172*4882a593Smuzhiyun * size of the curve used, plus 9 (eg. 73 bytes if a 256-bit 173*4882a593Smuzhiyun * curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe. 174*4882a593Smuzhiyun * 175*4882a593Smuzhiyun * \return 0 if successful, 176*4882a593Smuzhiyun * or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or 177*4882a593Smuzhiyun * MBEDTLS_ERR_ASN1_XXX error code 178*4882a593Smuzhiyun */ 179*4882a593Smuzhiyun int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, 180*4882a593Smuzhiyun const unsigned char *hash, size_t hlen, 181*4882a593Smuzhiyun unsigned char *sig, size_t *slen, 182*4882a593Smuzhiyun mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED; 183*4882a593Smuzhiyun #undef MBEDTLS_DEPRECATED 184*4882a593Smuzhiyun #endif /* MBEDTLS_DEPRECATED_REMOVED */ 185*4882a593Smuzhiyun #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 186*4882a593Smuzhiyun 187*4882a593Smuzhiyun /** 188*4882a593Smuzhiyun * \brief Read and verify an ECDSA signature 189*4882a593Smuzhiyun * 190*4882a593Smuzhiyun * \param ctx ECDSA context 191*4882a593Smuzhiyun * \param hash Message hash 192*4882a593Smuzhiyun * \param hlen Size of hash 193*4882a593Smuzhiyun * \param sig Signature to read and verify 194*4882a593Smuzhiyun * \param slen Size of sig 195*4882a593Smuzhiyun * 196*4882a593Smuzhiyun * \return 0 if successful, 197*4882a593Smuzhiyun * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid, 198*4882a593Smuzhiyun * MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if the signature is 199*4882a593Smuzhiyun * valid but its actual length is less than siglen, 200*4882a593Smuzhiyun * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX error code 201*4882a593Smuzhiyun */ 202*4882a593Smuzhiyun int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, 203*4882a593Smuzhiyun const unsigned char *hash, size_t hlen, 204*4882a593Smuzhiyun const unsigned char *sig, size_t slen ); 205*4882a593Smuzhiyun 206*4882a593Smuzhiyun /** 207*4882a593Smuzhiyun * \brief Generate an ECDSA keypair on the given curve 208*4882a593Smuzhiyun * 209*4882a593Smuzhiyun * \param ctx ECDSA context in which the keypair should be stored 210*4882a593Smuzhiyun * \param gid Group (elliptic curve) to use. One of the various 211*4882a593Smuzhiyun * MBEDTLS_ECP_DP_XXX macros depending on configuration. 212*4882a593Smuzhiyun * \param f_rng RNG function 213*4882a593Smuzhiyun * \param p_rng RNG parameter 214*4882a593Smuzhiyun * 215*4882a593Smuzhiyun * \return 0 on success, or a MBEDTLS_ERR_ECP_XXX code. 216*4882a593Smuzhiyun */ 217*4882a593Smuzhiyun int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, 218*4882a593Smuzhiyun int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 219*4882a593Smuzhiyun 220*4882a593Smuzhiyun /** 221*4882a593Smuzhiyun * \brief Set an ECDSA context from an EC key pair 222*4882a593Smuzhiyun * 223*4882a593Smuzhiyun * \param ctx ECDSA context to set 224*4882a593Smuzhiyun * \param key EC key to use 225*4882a593Smuzhiyun * 226*4882a593Smuzhiyun * \return 0 on success, or a MBEDTLS_ERR_ECP_XXX code. 227*4882a593Smuzhiyun */ 228*4882a593Smuzhiyun int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key ); 229*4882a593Smuzhiyun 230*4882a593Smuzhiyun /** 231*4882a593Smuzhiyun * \brief Initialize context 232*4882a593Smuzhiyun * 233*4882a593Smuzhiyun * \param ctx Context to initialize 234*4882a593Smuzhiyun */ 235*4882a593Smuzhiyun void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ); 236*4882a593Smuzhiyun 237*4882a593Smuzhiyun /** 238*4882a593Smuzhiyun * \brief Free context 239*4882a593Smuzhiyun * 240*4882a593Smuzhiyun * \param ctx Context to free 241*4882a593Smuzhiyun */ 242*4882a593Smuzhiyun void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ); 243*4882a593Smuzhiyun 244*4882a593Smuzhiyun int rk_ecdsa_sign(const mbed_ecc_key_t *key, unsigned char *hash, unsigned int hash_len, 245*4882a593Smuzhiyun unsigned char *sig, size_t *sig_len); 246*4882a593Smuzhiyun 247*4882a593Smuzhiyun int rk_ecdsa_verify(const mbed_ecc_key_t *key, unsigned char *hash, unsigned int hash_len, 248*4882a593Smuzhiyun unsigned char *sig, unsigned int sig_len); 249*4882a593Smuzhiyun 250*4882a593Smuzhiyun int rk_ecdsa_sign2(const mbed_ecc_key_t *key, unsigned char *hash, unsigned int hash_len, 251*4882a593Smuzhiyun unsigned char *r_data, unsigned int *r_len, unsigned char *s_data, unsigned int *s_len); 252*4882a593Smuzhiyun 253*4882a593Smuzhiyun int rk_ecdsa_verify2(const mbed_ecc_key_t *key, unsigned char *hash, unsigned int hash_len, 254*4882a593Smuzhiyun unsigned char *r_data, unsigned int r_len, unsigned char *s_data, unsigned int s_len); 255*4882a593Smuzhiyun 256*4882a593Smuzhiyun #ifdef __cplusplus 257*4882a593Smuzhiyun } 258*4882a593Smuzhiyun #endif 259*4882a593Smuzhiyun 260*4882a593Smuzhiyun #endif /* ecdsa.h */ 261