aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2015-08-24 21:46:49 -0400
committerRob Austein <sra@hactrn.net>2015-08-24 21:46:49 -0400
commit2fdf82bbe98632e8f1e6396970bba74625481f0e (patch)
treecad113b0187a4e19afe7df3af7c4cd4e98619fe3
parentdbb766ef71b5b31365b92450aba5312e65bd3c77 (diff)
First stumblings towards ECDSA test code.
-rw-r--r--.gitignore1
-rw-r--r--GNUmakefile2
-rw-r--r--ecdsa.c53
-rw-r--r--tests/GNUmakefile2
-rw-r--r--tests/test-ecdsa.c232
-rw-r--r--tests/test-ecdsa.h213
-rw-r--r--tests/test-ecdsa.py61
7 files changed, 561 insertions, 3 deletions
diff --git a/.gitignore b/.gitignore
index 137543e..7428ea1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ autom4te.cache
config.log
config.status
tests/test-aes-key-wrap
+tests/test-ecdsa
tests/test-hash
tests/test-pbkdf2
tests/test-rsa
diff --git a/GNUmakefile b/GNUmakefile
index 6a777cc..f425c50 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -37,7 +37,7 @@ IO_OBJ_I2C = hal_io_i2c.o
IO_OBJ = ${IO_OBJ_EIM}
TFMDIR := $(abspath ../thirdparty/libtfm)
-CFLAGS := -g3 -Wall -fPIC -std=c99 -I${TFMDIR}
+CFLAGS := -g3 -Wall -fPIC -std=c99 -I${TFMDIR} -DHAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM=1
LDFLAGS := -g3 -L${TFMDIR} -ltfm
all: ${LIB}
diff --git a/ecdsa.c b/ecdsa.c
index 070c668..a657aaf 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -74,6 +74,15 @@
#include "asn1_internal.h"
/*
+ * Whether we're using static test vectors instead of the random
+ * number generator. Do NOT enable this in production (doh).
+ */
+
+#ifndef HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM
+#define HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM 1
+#endif
+
+/*
* Whether we want debug output.
*/
@@ -613,6 +622,48 @@ static hal_error_t point_scalar_multiply(const fp_int * const k,
}
/*
+ * Testing only: ECDSA key generation and signature both have a
+ * critical dependency on random numbers, but we can't use the random
+ * number generator when testing against static test vectors. So add a
+ * wrapper around the random number generator calls, with a hook to
+ * let us override the generator for test purposes. Do NOT use this
+ * in production, kids.
+ */
+
+#if HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM
+
+#warning hal_ecdsa random number generator overriden for test purposes
+#warning DO NOT USE THIS IN PRODUCTION
+
+typedef hal_error_t (*rng_override_test_function_t)(void *, const size_t);
+
+static rng_override_test_function_t rng_test_override_function = 0;
+
+rng_override_test_function_t hal_ecdsa_set_rng_override_test_function(rng_override_test_function_t new_func)
+{
+ rng_override_test_function_t old_func = rng_test_override_function;
+ rng_test_override_function = new_func;
+ return old_func;
+}
+
+static inline hal_error_t get_random(void *buffer, const size_t length)
+{
+ if (rng_test_override_function)
+ return rng_test_override_function(buffer, length);
+ else
+ return hal_get_random(buffer, length);
+}
+
+#else /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */
+
+static inline hal_error_t get_random(void *buffer, const size_t length)
+{
+ return hal_get_random(buffer, length);
+}
+
+#endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */
+
+/*
* Pick a random point on the curve, return random scalar and
* resulting point.
*/
@@ -644,7 +695,7 @@ static hal_error_t point_pick_random(const ecdsa_curve_t * const curve,
do {
- if ((err = hal_get_random(k_buf, sizeof(k_buf))) != HAL_OK)
+ if ((err = get_random(k_buf, sizeof(k_buf))) != HAL_OK)
return err;
fp_read_unsigned_bin(k, k_buf, sizeof(k_buf));
diff --git a/tests/GNUmakefile b/tests/GNUmakefile
index 307f23e..a1cd4b4 100644
--- a/tests/GNUmakefile
+++ b/tests/GNUmakefile
@@ -27,7 +27,7 @@
INC = ../hal.h
LIB = ../libhal.a
-BIN = test-aes-key-wrap test-hash test-pbkdf2 test-rsa
+BIN = test-aes-key-wrap test-hash test-pbkdf2 test-rsa test-ecdsa
CFLAGS = -g3 -Wall -fPIC -std=c99 -I..
diff --git a/tests/test-ecdsa.c b/tests/test-ecdsa.c
new file mode 100644
index 0000000..65d2415
--- /dev/null
+++ b/tests/test-ecdsa.c
@@ -0,0 +1,232 @@
+/*
+ * test-ecdsa.c
+ * ------------
+ * Test harness for Cryptech ECDSA code.
+ *
+ * At the moment, the ECDSA code is a pure software implementation,
+ * Verilog will be along eventually.
+ *
+ * Testing ECDSA is a bit tricky because ECDSA depends heavily on
+ * using a new random secret for each signature. So we can test some
+ * things against the normal ECDSA implemenation, but some tests
+ * require a side door replacement of the random number generator so
+ * that we can use a known values from our test vector in place of the
+ * random secret that would be used in real operation. Test code for
+ * the latter mode depends on the library having been compiled with
+ * the testing hook enable, which it should not be for production use.
+ *
+ * Authors: Rob Austein
+ * Copyright (c) 2015, SUNET
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <errno.h>
+
+#include <sys/time.h>
+
+#include <hal.h>
+
+#include "test-ecdsa.h"
+
+/*
+ * Supplied test vectors don't use ASN.1 encoding. Don't want to
+ * trust our own ASN.1 code for this (it's one of the things we're
+ * testing) so use Python pyasn1 or ecdsa.der code to build what we
+ * need and supply them as test vector data too. This is probably
+ * also the right way to test our encoding and decoding of private
+ * keys too.
+ */
+
+#if HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM
+
+/*
+ * Code to let us replace ECDSA's random numbers with test data, if
+ * the ECDSA library code has been compiled with support for this.
+ */
+
+typedef hal_error_t (*rng_override_test_function_t)(void *, const size_t);
+
+extern rng_override_test_function_t hal_ecdsa_set_rng_override_test_function(rng_override_test_function_t new_func);
+
+static const uint8_t *next_random_value = NULL;
+static size_t next_random_length = 0;
+
+static hal_error_t next_random_handler(void *data, const size_t length)
+{
+ if (data == NULL)
+ return HAL_ERROR_BAD_ARGUMENTS;
+
+ if (next_random_value == NULL || length < next_random_length)
+ return HAL_ERROR_IMPOSSIBLE;
+
+ memset(data, 0, length);
+ memcpy(data + length - next_random_length, next_random_value, next_random_length);
+
+ next_random_value = NULL;
+ next_random_length = 0;
+
+ (void) hal_ecdsa_set_rng_override_test_function(0);
+
+ return HAL_OK;
+}
+
+static void set_next_random(const uint8_t * const data, const size_t length)
+{
+ (void) hal_ecdsa_set_rng_override_test_function(next_random_handler);
+ next_random_value = data;
+ next_random_length = length;
+}
+
+/*
+ * Run one keygen test from test vectors.
+ */
+
+static int test_keygen_static(const hal_ecdsa_curve_t curve)
+
+{
+ uint8_t keybuf[hal_ecdsa_key_t_size];
+ hal_ecdsa_key_t *key = NULL;
+ hal_error_t err;
+ const uint8_t *d, *Qx, *Qy;
+ size_t d_len, Qx_len, Qy_len;
+
+ switch (curve) {
+
+ case HAL_ECDSA_CURVE_P256:
+ printf("ECDSA P-256 key generation test\n");
+ d = p256_d; d_len = sizeof(p256_d);
+ Qx = p256_Qx; Qx_len = sizeof(p256_Qx);
+ Qy = p256_Qy; Qy_len = sizeof(p256_Qy);
+ break;
+
+ case HAL_ECDSA_CURVE_P384:
+ printf("ECDSA P-384 key generation test\n");
+ d = p384_d; d_len = sizeof(p384_d);
+ Qx = p384_Qx; Qx_len = sizeof(p384_Qx);
+ Qy = p384_Qy; Qy_len = sizeof(p384_Qy);
+ break;
+
+ default:
+ printf("Unsupported ECDSA curve type\n");
+ return 0;
+ }
+
+ set_next_random(d, d_len);
+
+ if ((err = hal_ecdsa_key_gen(&key, keybuf, sizeof(keybuf), curve)) != HAL_OK)
+ return printf("hal_ecdsa_key_gen() failed: %s\n", hal_error_string(err)), 0;
+
+ uint8_t Rx[Qx_len], Ry[Qy_len];
+ size_t Rx_len, Ry_len;
+
+ if ((err = hal_ecdsa_key_get_public(key, Rx, &Rx_len, sizeof(Rx), Ry, &Ry_len, sizeof(Ry))) != HAL_OK)
+ return printf("hal_ecdsa_key_get_public() failed: %s\n", hal_error_string(err)), 0;
+
+ if (Qx_len != Rx_len || memcmp(Qx, Rx, Rx_len) != 0)
+ return printf("Qx mismatch\n"), 0;
+
+ if (Qy_len != Ry_len || memcmp(Qy, Ry, Ry_len) != 0)
+ return printf("Qy mismatch\n"), 0;
+
+ return 1;
+}
+
+#endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */
+
+/*
+ * Time a test.
+ */
+
+static void _time_check(const struct timeval t0, const int ok)
+{
+ struct timeval t;
+ gettimeofday(&t, NULL);
+ t.tv_sec -= t0.tv_sec;
+ t.tv_usec = t0.tv_usec;
+ if (t.tv_usec < 0) {
+ t.tv_usec += 1000000;
+ t.tv_sec -= 1;
+ }
+ printf("Elapsed time %lu.%06lu seconds, %s\n",
+ (unsigned long) t.tv_sec,
+ (unsigned long) t.tv_usec,
+ ok ? "OK" : "FAILED");
+}
+
+#define time_check(_expr_) \
+ do { \
+ struct timeval _t; \
+ gettimeofday(&_t, NULL); \
+ int _ok = (_expr_); \
+ _time_check(_t, _ok); \
+ ok &= _ok; \
+ } while (0)
+
+/*
+ * Run tests for one ECDSA curve.
+ */
+
+static int test_ecdsa(const hal_ecdsa_curve_t curve)
+
+{
+ int ok = 1;
+
+ time_check(test_keygen_static(curve));
+
+ return ok;
+}
+
+int main(int argc, char *argv[])
+{
+ uint8_t name[8], version[4];
+ hal_error_t err;
+
+ /*
+ * Initialize EIM and report what core we're running.
+ */
+
+ if ((err = hal_io_read(CSPRNG_ADDR_NAME0, name, sizeof(name))) != HAL_OK ||
+ (err = hal_io_read(CSPRNG_ADDR_VERSION, version, sizeof(version))) != HAL_OK) {
+ printf("Initialization failed: %s\n", hal_error_string(err));
+ return 1;
+ }
+
+ printf("\"%8.8s\" \"%4.4s\"\n\n", name, version);
+
+ return !test_ecdsa(HAL_ECDSA_CURVE_P256) || !test_ecdsa(HAL_ECDSA_CURVE_P384);
+}
+
+/*
+ * Local variables:
+ * indent-tabs-mode: nil
+ * End:
+ */
diff --git a/tests/test-ecdsa.h b/tests/test-ecdsa.h
new file mode 100644
index 0000000..61124e4
--- /dev/null
+++ b/tests/test-ecdsa.h
@@ -0,0 +1,213 @@
+/*
+ * ECDSA test data.
+ * File automatically generated by test-ecdsa.py
+ */
+
+static const uint8_t p256_H[] = { /* 32 bytes */
+ 0x7c, 0x3e, 0x88, 0x3d, 0xdc, 0x8b, 0xd6, 0x88, 0xf9, 0x6e, 0xac, 0x5e,
+ 0x93, 0x24, 0x22, 0x2c, 0x8f, 0x30, 0xf9, 0xd6, 0xbb, 0x59, 0xe9, 0xc5,
+ 0xf0, 0x20, 0xbd, 0x39, 0xba, 0x2b, 0x83, 0x77
+};
+
+static const uint8_t p256_M[] = { /* 48 bytes */
+ 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6f, 0x6e, 0x6c, 0x79,
+ 0x20, 0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x6d, 0x65, 0x73, 0x73,
+ 0x61, 0x67, 0x65, 0x2e, 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x34,
+ 0x38, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x20, 0x6c, 0x6f, 0x6e, 0x67
+};
+
+static const uint8_t p256_Qx[] = { /* 32 bytes */
+ 0x81, 0x01, 0xec, 0xe4, 0x74, 0x64, 0xa6, 0xea, 0xd7, 0x0c, 0xf6, 0x9a,
+ 0x6e, 0x2b, 0xd3, 0xd8, 0x86, 0x91, 0xa3, 0x26, 0x2d, 0x22, 0xcb, 0xa4,
+ 0xf7, 0x63, 0x5e, 0xaf, 0xf2, 0x66, 0x80, 0xa8
+};
+
+static const uint8_t p256_Qy[] = { /* 32 bytes */
+ 0xd8, 0xa1, 0x2b, 0xa6, 0x1d, 0x59, 0x92, 0x35, 0xf6, 0x7d, 0x9c, 0xb4,
+ 0xd5, 0x8f, 0x17, 0x83, 0xd3, 0xca, 0x43, 0xe7, 0x8f, 0x0a, 0x5a, 0xba,
+ 0xa6, 0x24, 0x07, 0x99, 0x36, 0xc0, 0xc3, 0xa9
+};
+
+static const uint8_t p256_Rx[] = { /* 32 bytes */
+ 0x72, 0x14, 0xbc, 0x96, 0x47, 0x16, 0x0b, 0xbd, 0x39, 0xff, 0x2f, 0x80,
+ 0x53, 0x3f, 0x5d, 0xc6, 0xdd, 0xd7, 0x0d, 0xdf, 0x86, 0xbb, 0x81, 0x56,
+ 0x61, 0xe8, 0x05, 0xd5, 0xd4, 0xe6, 0xf2, 0x7c
+};
+
+static const uint8_t p256_Ry[] = { /* 32 bytes */
+ 0x8b, 0x81, 0xe3, 0xe9, 0x77, 0x59, 0x71, 0x10, 0xc7, 0xcf, 0x26, 0x33,
+ 0x43, 0x5b, 0x22, 0x94, 0xb7, 0x26, 0x42, 0x98, 0x7d, 0xef, 0xd3, 0xd4,
+ 0x00, 0x7e, 0x1c, 0xfc, 0x5d, 0xf8, 0x45, 0x41
+};
+
+static const uint8_t p256_d[] = { /* 32 bytes */
+ 0x70, 0xa1, 0x2c, 0x2d, 0xb1, 0x68, 0x45, 0xed, 0x56, 0xff, 0x68, 0xcf,
+ 0xc2, 0x1a, 0x47, 0x2b, 0x3f, 0x04, 0xd7, 0xd6, 0x85, 0x1b, 0xf6, 0x34,
+ 0x9f, 0x2d, 0x7d, 0x5b, 0x34, 0x52, 0xb3, 0x8a
+};
+
+static const uint8_t p256_e[] = { /* 32 bytes */
+ 0x7c, 0x3e, 0x88, 0x3d, 0xdc, 0x8b, 0xd6, 0x88, 0xf9, 0x6e, 0xac, 0x5e,
+ 0x93, 0x24, 0x22, 0x2c, 0x8f, 0x30, 0xf9, 0xd6, 0xbb, 0x59, 0xe9, 0xc5,
+ 0xf0, 0x20, 0xbd, 0x39, 0xba, 0x2b, 0x83, 0x77
+};
+
+static const uint8_t p256_k[] = { /* 32 bytes */
+ 0x58, 0x0e, 0xc0, 0x0d, 0x85, 0x64, 0x34, 0x33, 0x4c, 0xef, 0x3f, 0x71,
+ 0xec, 0xae, 0xd4, 0x96, 0x5b, 0x12, 0xae, 0x37, 0xfa, 0x47, 0x05, 0x5b,
+ 0x19, 0x65, 0xc7, 0xb1, 0x34, 0xee, 0x45, 0xd0
+};
+
+static const uint8_t p256_kinv[] = { /* 32 bytes */
+ 0x6a, 0x66, 0x4f, 0xa1, 0x15, 0x35, 0x6d, 0x33, 0xf1, 0x63, 0x31, 0xb5,
+ 0x4c, 0x4e, 0x7c, 0xe9, 0x67, 0x96, 0x53, 0x86, 0xc7, 0xdc, 0xbf, 0x29,
+ 0x04, 0x60, 0x4d, 0x0c, 0x13, 0x2b, 0x4a, 0x74
+};
+
+static const uint8_t p256_r[] = { /* 32 bytes */
+ 0x72, 0x14, 0xbc, 0x96, 0x47, 0x16, 0x0b, 0xbd, 0x39, 0xff, 0x2f, 0x80,
+ 0x53, 0x3f, 0x5d, 0xc6, 0xdd, 0xd7, 0x0d, 0xdf, 0x86, 0xbb, 0x81, 0x56,
+ 0x61, 0xe8, 0x05, 0xd5, 0xd4, 0xe6, 0xf2, 0x7c
+};
+
+static const uint8_t p256_s[] = { /* 32 bytes */
+ 0x7d, 0x1f, 0xf9, 0x61, 0x98, 0x0f, 0x96, 0x1b, 0xda, 0xa3, 0x23, 0x3b,
+ 0x62, 0x09, 0xf4, 0x01, 0x33, 0x17, 0xd3, 0xe3, 0xf9, 0xe1, 0x49, 0x35,
+ 0x92, 0xdb, 0xea, 0xa1, 0xaf, 0x2b, 0xc3, 0x67
+};
+
+static const uint8_t p256_u1[] = { /* 32 bytes */
+ 0xbb, 0x25, 0x24, 0x01, 0xd6, 0xfb, 0x32, 0x2b, 0xb7, 0x47, 0x18, 0x4c,
+ 0xf2, 0xac, 0x52, 0xbf, 0x8d, 0x54, 0xb9, 0x5a, 0x15, 0x15, 0x06, 0x2a,
+ 0x2f, 0x61, 0x41, 0xf2, 0xe2, 0x09, 0x2e, 0xd8
+};
+
+static const uint8_t p256_u2[] = { /* 32 bytes */
+ 0xaa, 0xe7, 0xd1, 0xc7, 0xf2, 0xc2, 0x32, 0xdf, 0xc6, 0x41, 0x94, 0x8a,
+ 0xf3, 0xdb, 0xa1, 0x41, 0xd4, 0xde, 0x86, 0x34, 0xe5, 0x71, 0xcf, 0x84,
+ 0xc4, 0x86, 0x30, 0x1b, 0x51, 0x0c, 0xfc, 0x04
+};
+
+static const uint8_t p256_v[] = { /* 32 bytes */
+ 0x72, 0x14, 0xbc, 0x96, 0x47, 0x16, 0x0b, 0xbd, 0x39, 0xff, 0x2f, 0x80,
+ 0x53, 0x3f, 0x5d, 0xc6, 0xdd, 0xd7, 0x0d, 0xdf, 0x86, 0xbb, 0x81, 0x56,
+ 0x61, 0xe8, 0x05, 0xd5, 0xd4, 0xe6, 0xf2, 0x7c
+};
+
+static const uint8_t p256_w[] = { /* 32 bytes */
+ 0xd6, 0x9b, 0xe7, 0x5f, 0x67, 0xee, 0x53, 0x94, 0xca, 0xbb, 0x6c, 0x28,
+ 0x6f, 0x36, 0x10, 0xcf, 0x62, 0xd7, 0x22, 0xcb, 0xa9, 0xee, 0xa7, 0x0f,
+ 0xae, 0xe7, 0x70, 0xa6, 0xb2, 0xed, 0x72, 0xdc
+};
+
+static const uint8_t p384_H[] = { /* 48 bytes */
+ 0xb9, 0x21, 0x0c, 0x9d, 0x7e, 0x20, 0x89, 0x7a, 0xb8, 0x65, 0x97, 0x26,
+ 0x6a, 0x9d, 0x50, 0x77, 0xe8, 0xdb, 0x1b, 0x06, 0xf7, 0x22, 0x0e, 0xd6,
+ 0xee, 0x75, 0xbd, 0x8b, 0x45, 0xdb, 0x37, 0x89, 0x1f, 0x8b, 0xa5, 0x55,
+ 0x03, 0x04, 0x00, 0x41, 0x59, 0xf4, 0x45, 0x3d, 0xc5, 0xb3, 0xf5, 0xa1
+};
+
+static const uint8_t p384_M[] = { /* 48 bytes */
+ 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6f, 0x6e, 0x6c, 0x79,
+ 0x20, 0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x6d, 0x65, 0x73, 0x73,
+ 0x61, 0x67, 0x65, 0x2e, 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x34,
+ 0x38, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x20, 0x6c, 0x6f, 0x6e, 0x67
+};
+
+static const uint8_t p384_Qx[] = { /* 48 bytes */
+ 0x1f, 0xba, 0xc8, 0xee, 0xbd, 0x0c, 0xbf, 0x35, 0x64, 0x0b, 0x39, 0xef,
+ 0xe0, 0x80, 0x8d, 0xd7, 0x74, 0xde, 0xbf, 0xf2, 0x0a, 0x2a, 0x32, 0x9e,
+ 0x91, 0x71, 0x3b, 0xaf, 0x7d, 0x7f, 0x3c, 0x3e, 0x81, 0x54, 0x6d, 0x88,
+ 0x37, 0x30, 0xbe, 0xe7, 0xe4, 0x86, 0x78, 0xf8, 0x57, 0xb0, 0x2c, 0xa0
+};
+
+static const uint8_t p384_Qy[] = { /* 48 bytes */
+ 0xeb, 0x21, 0x31, 0x03, 0xbd, 0x68, 0xce, 0x34, 0x33, 0x65, 0xa8, 0xa4,
+ 0xc3, 0xd4, 0x55, 0x5f, 0xa3, 0x85, 0xf5, 0x33, 0x02, 0x03, 0xbd, 0xd7,
+ 0x6f, 0xfa, 0xd1, 0xf3, 0xaf, 0xfb, 0x95, 0x75, 0x1c, 0x13, 0x20, 0x07,
+ 0xe1, 0xb2, 0x40, 0x35, 0x3c, 0xb0, 0xa4, 0xcf, 0x16, 0x93, 0xbd, 0xf9
+};
+
+static const uint8_t p384_Rx[] = { /* 48 bytes */
+ 0xa0, 0xc2, 0x7e, 0xc8, 0x93, 0x09, 0x2d, 0xea, 0x1e, 0x1b, 0xd2, 0xcc,
+ 0xfe, 0xd3, 0xcf, 0x94, 0x5c, 0x81, 0x34, 0xed, 0x0c, 0x9f, 0x81, 0x31,
+ 0x1a, 0x0f, 0x4a, 0x05, 0x94, 0x2d, 0xb8, 0xdb, 0xed, 0x8d, 0xd5, 0x9f,
+ 0x26, 0x74, 0x71, 0xd5, 0x46, 0x2a, 0xa1, 0x4f, 0xe7, 0x2d, 0xe8, 0x56
+};
+
+static const uint8_t p384_Ry[] = { /* 48 bytes */
+ 0x85, 0x56, 0x49, 0x40, 0x98, 0x15, 0xbb, 0x91, 0x42, 0x4e, 0xac, 0xa5,
+ 0xfd, 0x76, 0xc9, 0x73, 0x75, 0xd5, 0x75, 0xd1, 0x42, 0x2e, 0xc5, 0x3d,
+ 0x34, 0x3b, 0xd3, 0x3b, 0x84, 0x7f, 0xdf, 0x0c, 0x11, 0x56, 0x96, 0x85,
+ 0xb5, 0x28, 0xab, 0x25, 0x49, 0x30, 0x15, 0x42, 0x8d, 0x7c, 0xf7, 0x2b
+};
+
+static const uint8_t p384_d[] = { /* 48 bytes */
+ 0xc8, 0x38, 0xb8, 0x52, 0x53, 0xef, 0x8d, 0xc7, 0x39, 0x4f, 0xa5, 0x80,
+ 0x8a, 0x51, 0x83, 0x98, 0x1c, 0x7d, 0xee, 0xf5, 0xa6, 0x9b, 0xa8, 0xf4,
+ 0xf2, 0x11, 0x7f, 0xfe, 0xa3, 0x9c, 0xfc, 0xd9, 0x0e, 0x95, 0xf6, 0xcb,
+ 0xc8, 0x54, 0xab, 0xac, 0xab, 0x70, 0x1d, 0x50, 0xc1, 0xf3, 0xcf, 0x24
+};
+
+static const uint8_t p384_e[] = { /* 48 bytes */
+ 0xb9, 0x21, 0x0c, 0x9d, 0x7e, 0x20, 0x89, 0x7a, 0xb8, 0x65, 0x97, 0x26,
+ 0x6a, 0x9d, 0x50, 0x77, 0xe8, 0xdb, 0x1b, 0x06, 0xf7, 0x22, 0x0e, 0xd6,
+ 0xee, 0x75, 0xbd, 0x8b, 0x45, 0xdb, 0x37, 0x89, 0x1f, 0x8b, 0xa5, 0x55,
+ 0x03, 0x04, 0x00, 0x41, 0x59, 0xf4, 0x45, 0x3d, 0xc5, 0xb3, 0xf5, 0xa1
+};
+
+static const uint8_t p384_k[] = { /* 48 bytes */
+ 0xdc, 0x6b, 0x44, 0x03, 0x69, 0x89, 0xa1, 0x96, 0xe3, 0x9d, 0x1c, 0xda,
+ 0xc0, 0x00, 0x81, 0x2f, 0x4b, 0xdd, 0x8b, 0x2d, 0xb4, 0x1b, 0xb3, 0x3a,
+ 0xf5, 0x13, 0x72, 0x58, 0x5e, 0xbd, 0x1d, 0xb6, 0x3f, 0x0c, 0xe8, 0x27,
+ 0x5a, 0xa1, 0xfd, 0x45, 0xe2, 0xd2, 0xa7, 0x35, 0xf8, 0x74, 0x93, 0x59
+};
+
+static const uint8_t p384_kinv[] = { /* 48 bytes */
+ 0x74, 0x36, 0xf0, 0x30, 0x88, 0xe6, 0x5c, 0x37, 0xba, 0x8e, 0x7b, 0x33,
+ 0x88, 0x7f, 0xbc, 0x87, 0x75, 0x75, 0x14, 0xd6, 0x11, 0xf7, 0xd1, 0xfb,
+ 0xdf, 0x6d, 0x21, 0x04, 0xa2, 0x97, 0xad, 0x31, 0x8c, 0xdb, 0xf7, 0x40,
+ 0x4e, 0x4b, 0xa3, 0x7e, 0x59, 0x96, 0x66, 0xdf, 0x37, 0xb8, 0xd8, 0xbe
+};
+
+static const uint8_t p384_r[] = { /* 48 bytes */
+ 0xa0, 0xc2, 0x7e, 0xc8, 0x93, 0x09, 0x2d, 0xea, 0x1e, 0x1b, 0xd2, 0xcc,
+ 0xfe, 0xd3, 0xcf, 0x94, 0x5c, 0x81, 0x34, 0xed, 0x0c, 0x9f, 0x81, 0x31,
+ 0x1a, 0x0f, 0x4a, 0x05, 0x94, 0x2d, 0xb8, 0xdb, 0xed, 0x8d, 0xd5, 0x9f,
+ 0x26, 0x74, 0x71, 0xd5, 0x46, 0x2a, 0xa1, 0x4f, 0xe7, 0x2d, 0xe8, 0x56
+};
+
+static const uint8_t p384_s[] = { /* 48 bytes */
+ 0x20, 0xab, 0x3f, 0x45, 0xb7, 0x4f, 0x10, 0xb6, 0xe1, 0x1f, 0x96, 0xa2,
+ 0xc8, 0xeb, 0x69, 0x4d, 0x20, 0x6b, 0x9d, 0xda, 0x86, 0xd3, 0xc7, 0xe3,
+ 0x31, 0xc2, 0x6b, 0x22, 0xc9, 0x87, 0xb7, 0x53, 0x77, 0x26, 0x57, 0x76,
+ 0x67, 0xad, 0xad, 0xf1, 0x68, 0xeb, 0xbe, 0x80, 0x37, 0x94, 0xa4, 0x02
+};
+
+static const uint8_t p384_u1[] = { /* 48 bytes */
+ 0x6c, 0xe2, 0x56, 0x49, 0xd4, 0x2d, 0x22, 0x3e, 0x02, 0x0c, 0x11, 0x14,
+ 0x0f, 0xe7, 0x72, 0x32, 0x66, 0x12, 0xbb, 0x11, 0xb6, 0x86, 0xd3, 0x5e,
+ 0xe9, 0x8e, 0xd4, 0x55, 0x0e, 0x06, 0x35, 0xd9, 0xdd, 0x3a, 0x2a, 0xfb,
+ 0xca, 0x0c, 0xf2, 0xc4, 0xba, 0xed, 0xcd, 0x23, 0x31, 0x3b, 0x18, 0x9e
+};
+
+static const uint8_t p384_u2[] = { /* 48 bytes */
+ 0xf3, 0xb2, 0x40, 0x75, 0x1d, 0x5d, 0x8e, 0xd3, 0x94, 0xa4, 0xb5, 0xbf,
+ 0x8e, 0x2a, 0x4c, 0x0e, 0x1e, 0x21, 0xaa, 0x51, 0xf2, 0x62, 0x0a, 0x08,
+ 0xb8, 0xc5, 0x5a, 0x2b, 0xc3, 0x34, 0xc9, 0x68, 0x99, 0x23, 0x16, 0x26,
+ 0x48, 0xf0, 0x6e, 0x5f, 0x46, 0x59, 0xfc, 0x52, 0x6d, 0x9c, 0x1f, 0xd6
+};
+
+static const uint8_t p384_v[] = { /* 48 bytes */
+ 0xa0, 0xc2, 0x7e, 0xc8, 0x93, 0x09, 0x2d, 0xea, 0x1e, 0x1b, 0xd2, 0xcc,
+ 0xfe, 0xd3, 0xcf, 0x94, 0x5c, 0x81, 0x34, 0xed, 0x0c, 0x9f, 0x81, 0x31,
+ 0x1a, 0x0f, 0x4a, 0x05, 0x94, 0x2d, 0xb8, 0xdb, 0xed, 0x8d, 0xd5, 0x9f,
+ 0x26, 0x74, 0x71, 0xd5, 0x46, 0x2a, 0xa1, 0x4f, 0xe7, 0x2d, 0xe8, 0x56
+};
+
+static const uint8_t p384_w[] = { /* 48 bytes */
+ 0x17, 0x98, 0x84, 0x5c, 0xd0, 0xa6, 0xce, 0xa5, 0x32, 0x7c, 0x50, 0x1a,
+ 0x71, 0xa4, 0xba, 0xf2, 0xf7, 0xbe, 0x88, 0x2c, 0xfb, 0xc3, 0x03, 0x75,
+ 0x0a, 0x7c, 0x86, 0x1a, 0xf8, 0xfe, 0x82, 0x25, 0x46, 0x7a, 0x25, 0x7f,
+ 0x5b, 0xf9, 0x1a, 0x4a, 0xaa, 0x5a, 0x79, 0xa8, 0x63, 0x7d, 0x21, 0x8a
+};
diff --git a/tests/test-ecdsa.py b/tests/test-ecdsa.py
new file mode 100644
index 0000000..8fb33f1
--- /dev/null
+++ b/tests/test-ecdsa.py
@@ -0,0 +1,61 @@
+# Test vectors from "Suite B Implementer's Guide to FIPS 186-3".
+#
+# e is given in decimal, all other values are hex, because that's how
+# these were given in the paper
+#
+# This script will probably become a bit more elaborate at some later date, eg,
+# to add ASN.1 encoding.
+
+p256_d = 0x70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a
+p256_Qx = 0x8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8
+p256_Qy = 0xd8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9
+p256_k = 0x580ec00d856434334cef3f71ecaed4965b12ae37fa47055b1965c7b134ee45d0
+p256_kinv = 0x6a664fa115356d33f16331b54c4e7ce967965386c7dcbf2904604d0c132b4a74
+p256_Rx = 0x7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c
+p256_Ry = 0x8b81e3e977597110c7cf2633435b2294b72642987defd3d4007e1cfc5df84541
+p256_r = p256_Rx
+p256_M = 0x54686973206973206f6e6c7920612074657374206d6573736167652e204974206973203438206279746573206c6f6e67
+p256_H = 0x7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377
+p256_e = 56197278047627432394583341962843287937266210957576322469816113796290471232375
+p256_s = 0x7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367
+p256_w = 0xd69be75f67ee5394cabb6c286f3610cf62d722cba9eea70faee770a6b2ed72dc
+p256_u1 = 0xbb252401d6fb322bb747184cf2ac52bf8d54b95a1515062a2f6141f2e2092ed8
+p256_u2 = 0xaae7d1c7f2c232dfc641948af3dba141d4de8634e571cf84c486301b510cfc04
+p256_v = 0x7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c
+
+p384_d = 0xc838b85253ef8dc7394fa5808a5183981c7deef5a69ba8f4f2117ffea39cfcd90e95f6cbc854abacab701d50c1f3cf24
+p384_Qx = 0x1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0
+p384_Qy = 0xeb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9
+p384_k = 0xdc6b44036989a196e39d1cdac000812f4bdd8b2db41bb33af51372585ebd1db63f0ce8275aa1fd45e2d2a735f8749359
+p384_kinv = 0x7436f03088e65c37ba8e7b33887fbc87757514d611f7d1fbdf6d2104a297ad318cdbf7404e4ba37e599666df37b8d8be
+p384_Rx = 0xa0c27ec893092dea1e1bd2ccfed3cf945c8134ed0c9f81311a0f4a05942db8dbed8dd59f267471d5462aa14fe72de856
+p384_Ry = 0x855649409815bb91424eaca5fd76c97375d575d1422ec53d343bd33b847fdf0c11569685b528ab25493015428d7cf72b
+p384_r = p384_Rx
+p384_M = 0x54686973206973206f6e6c7920612074657374206d6573736167652e204974206973203438206279746573206c6f6e67
+p384_H = 0xb9210c9d7e20897ab86597266a9d5077e8db1b06f7220ed6ee75bd8b45db37891f8ba5550304004159f4453dc5b3f5a1
+p384_e = 28493976155450475404302482243066463769180620629462008675793884393889401828800663731864240088367206094074919580333473
+p384_s = 0x20ab3f45b74f10b6e11f96a2c8eb694d206b9dda86d3c7e331c26b22c987b7537726577667adadf168ebbe803794a402
+p384_w = 0x1798845cd0a6cea5327c501a71a4baf2f7be882cfbc303750a7c861af8fe8225467a257f5bf91a4aaa5a79a8637d218a
+p384_u1 = 0x6ce25649d42d223e020c11140fe772326612bb11b686d35ee98ed4550e0635d9dd3a2afbca0cf2c4baedcd23313b189e
+p384_u2 = 0xf3b240751d5d8ed394a4b5bf8e2a4c0e1e21aa51f2620a08b8c55a2bc334c9689923162648f06e5f4659fc526d9c1fd6
+p384_v = 0xa0c27ec893092dea1e1bd2ccfed3cf945c8134ed0c9f81311a0f4a05942db8dbed8dd59f267471d5462aa14fe72de856
+
+from textwrap import TextWrapper
+from os.path import basename
+from sys import argv
+
+wrapper = TextWrapper(width = 78, initial_indent = " " * 2, subsequent_indent = " " * 2)
+
+print "/*"
+print " * ECDSA test data."
+print " * File automatically generated by", basename(argv[0])
+print " */"
+
+for name in sorted(dir()):
+ if name.startswith("p256_") or name.startswith("p384_"):
+ value = "%x" % globals()[name]
+ value = ("0" + value if len(value) & 1 else value).decode("hex")
+ print
+ print "static const uint8_t %s[] = { /* %d bytes */" % (name, len(value))
+ print wrapper.fill(", ".join("0x%02x" % ord(v) for v in value))
+ print "};"