aboutsummaryrefslogtreecommitdiff
path: root/ecdsa.c
AgeCommit message (Collapse)Author
2017-03-03Doh! Works better if one tests the right status bit.Rob Austein
2017-03-02Merge branch 'pymux' into hw_ecdsa_p256Rob Austein
2017-03-02Fix dumb copy/paste errors.Rob Austein
2017-03-02Refactor to add P384 support. Untested.Rob Austein
2017-03-01Compute public key if necessary when loading a private key.Rob Austein
libhal and PKCS #11 have slightly different models of private keys: in libhal, a "private key" object is really a keypair, while in PKCS #11 a private key really is a naked private key. This was a deliberate design decision in libhal, both for simplicity and to better support user interfaces other than PKCS #11, so we'd rather not change it. This difference doesn't matter very much for RSA keys in PKCS #11, where the private key components are a superset of the public key components anyway, but the PKCS #11 template for ECDSA private keys doesn't allow setting public key components with C_CreateObject(). Fortunately, computing the public components of an ECDSA key pair from the private key is straightforward, so we just do that when needed.
2017-01-26First attempt at using Pavel's ecdsa256 core. Not working yet.Rob Austein
Attempts to use Pavel's ecdsa256 base point multiplier instead of software point multiplier when selecting new random points (that is, when generating P-256 keys or P-256 signatures). Resulting points pass the point validation test (point_is_on_curve()) but the resulting signatures are invalid. Don't know why yet. Seems like an odd combination, as one would expect random garbage to fail validation. In any case: this commit is intended to archive progress so far, and perhaps see if somebody else can spot what's wrong. As presently coded, this wouldn't be suitable for production use even if it worked. NB: As I understand it, the ecdsa256 core is *not* a general purpose point multiplier even just for the P-256 curve. Rather, it is strictly a base point multiplier: it takes a single scalar as input, and returns the X,Y affine coordinates of the curve's base point multiplied by that scalar. This is essentially the eliptic curve portion of the computation involved in picking a random point for key or signature generation, but is not useful for signature validation. See the README.md in Pavel's source repository for further details.
2016-09-20Clean up the defines around rpc client, software hash cores, etc.Paul Selkirk
2016-03-29Client-side rsa and ecdsa need to call remote get_random.Paul Selkirk
2016-03-12Merge branch 'master' into rpcRob Austein
2016-03-12Disable ECDSA static-test-vectors hack, fix call to hal_get_random()Rob Austein
which was using the old (pre-hal_core_t) calling sequence.
2015-12-22Add ASN.1 support for public keys (X.509 SubjectPublicKeyInfo format).Rob Austein
2015-12-21Fix names of private key DER functions.Rob Austein
2015-12-20Consolidating curve names broke the ASN.1 code.Rob Austein
2015-12-20Drop support for the ASN.1-based ECDSA signature format in favor ofRob Austein
the simpler format which PKCS #11 uses, since we have to support the latter in any case and it's not worth the complexity of supporting both.
2015-12-20RPC server stuff mostly written. Compiles, not yet tested. RPCRob Austein
public key extraction functions on hold pending ASN.1 cleanup.
2015-12-13whack copyrightsPaul Selkirk
2015-11-13Merge branch 'config_core_selector'Paul Selkirk
2015-10-29Remove unused includes.Paul Selkirk
2015-10-04Whack libhal API to use current configure_core_selector mechanism.Rob Austein
Compiles, not yet tested.
2015-10-03Use initializers for automatic variables of type fp_int because it's aRob Austein
bit more obvious when we've forgotten to do this than when we've forgotten to call fp_init() or memset(). Convert rsa.c to use the one-element-array idiom so we can get stop prefixing every bignum reference with "&".
2015-10-02Impressive how much trouble one can get into with one uninitialized bignum.Rob Austein
2015-10-02Testing shows that signature and verification are both faster withRob Austein
mixed Jacobian-affine addition, so go with that. Minor additional clean-up and comments.
2015-10-02Revise point addition and point scalar multiplication routines to useRob Austein
mixed Jacobian-affine coordinates, per a suggestion from Pavel. Old code still present under compile time conditional for easy comparison, but will probably go away soon along with a bit of minor cleanup.
2015-09-14Fencepost error in hal_ecdas_key_from_ecpoint().Rob Austein
2015-09-11Avoid gratuitous assertion failure if caller gives us a larger bufferRob Austein
than necessary when writing private key to DER.
2015-09-06Add ECPoint I/O functions. ASN.1 cleanup.Rob Austein
2015-09-02Add PKCS11 ECDSA signature format.Rob Austein
2015-09-02Clean up excessively complicated handling of opaque types in hash andRob Austein
RSA code; use simpler model (pointer to incomplete structure) used in ECDSA code. Refactor RSA code to use shared ASN.1 routines.
2015-08-27Add point validation check to hal_ecdsa_verify(). Update README.mdRob Austein
and code comments.
2015-08-26Signature works better if we read the entire hash.Rob Austein
2015-08-25More ASN.1 fixes.Rob Austein
2015-08-25Rework RFC 5915 ASN.1.Rob Austein
2015-08-25ASN.1 bugfixes.Rob Austein
2015-08-24First stumblings towards ECDSA test code.Rob Austein
2015-08-22Rework point_scalar_multiply() to avoid a timing leak with small scalars.Rob Austein
2015-08-22Add hal_ecdsa_verify(). Move hashing out of ECDSA routines. Clean upRob Austein
a few bits that didn't pass self-review.
2015-08-21Updated point doubling and addition to use algorithms from theRob Austein
hyperelliptic.org formula database. Compiles, still not tested.
2015-08-21Snapshot along the way to ECDSA. Code mostly written, except forRob Austein
ecdsa_verify(). Untested. Point addition and doubling algorithms are the ones from libtomcrypt, main point of this commit is to save those before replacing them with faster algorithms from hyperelliptic.org.