aboutsummaryrefslogtreecommitdiff
path: root/ecdsa.c
AgeCommit message (Collapse)Author
2018-05-20Better hal_core_alloc() semantics, assert() and printf() cleanup.Rob Austein
Various fixes extracted from the abandoned(-for-now?) reuse-cores branch, principally: * Change hal_core_alloc*() to support core reuse and to pick the least-recently-used core of a particular type otherwise; * Replace assert() and printf() calls with hal_assert() and hal_log(), respectively. assert() is particularly useless on the HSM, since it sends its error message into hyperspace then hangs the HSM.
2017-10-23Cleanup signed/unsigned mismatches, mostly in loop countersPaul Selkirk
2017-10-11Cleanup: Remove "const" qualifiers from function return types.Paul Selkirk
2017-05-23"core" arguments have not been const since we switched to core_selector.Rob Austein
2017-04-11API cleanup: pkey_open() and pkey_match().Rob Austein
pkey_open() now looks in both keystores rather than requiring the user to know. The chance of collision with randomly-generated UUID is low enough that we really ought to be able to present a single namespace. So now we do. pkey_match() now takes a couple of extra arguments which allow a single search to cover both keystores, as well as matching for specific key flags. The former interface was pretty much useless for anything involving flags, and required the user to issue a separate call for each keystore. User wheel is now exempt from the per-session key lookup constraints, Whether this is a good idea or not is an interesting question, but the whole PKCS #11 derived per-session key thing is weird to begin with, and having keystore listings on the console deliberately ignore session keys was just too confusing.
2017-04-05First cut at key backup code. Not tested yet.Rob Austein
Still missing Python script to drive backup process, and need to do something about setting the EXPORTABLE key flag for this to be useful.
2017-04-03Obscure C syntax nit.Rob Austein
2017-04-03PKCS #8 code for RSA and ECDSA.Rob Austein
Compiles, not yet tested. Existing tests need conversion to PKCS #8 before we can do anything useful with this. Once everything uses PKCS #8 instead of algorithm-specific formats, we can revisit API issues like whether hal_rpc_pkey_load() should still be taking `type` and `curve` arguments.
2017-03-09Merge branch 'hw_ecdsa_p256' into pymuxRob Austein
Support for core/pkey/ecdsa256 and core/pkey/ecdsa384.
2017-03-08Cleanup.Rob Austein
2017-03-04Don't use assert() for point-on-curve checks.Rob Austein
The stock assert() implementation turns out to be problematic in the stm32 environment, due to the lack of an output device, which makes "assert(foo)" equivalent to "if (!foo) abort()", leading to silent hangs. We probably ought to reimplement assert() to do something more useful, but, for now, avoid using it for "impossible" conditions which we do seem to be triggering anyway, like the occasional point-not-on-curve errors we get for points we ourselves have picked when testing multiple ECDSA clients in parallel. This should never happen, and we need to figure out what's causing it, but hanging the HSM when it happens does not help very much. assert() is somewhat problematic in an embedded environment in any case, since anything that can go wrong really should have some kind of recovery action, but in some of the low-probability cases it's far from obvious what sane recovery action we could possibly take.
2017-03-03Doh! Works better if one tests the right status bit.Rob Austein
2017-03-02Merge branch 'pymux' into hw_ecdsa_p256Rob Austein
2017-03-02Fix dumb copy/paste errors.Rob Austein
2017-03-02Refactor to add P384 support. Untested.Rob Austein
2017-03-01Compute public key if necessary when loading a private key.Rob Austein
libhal and PKCS #11 have slightly different models of private keys: in libhal, a "private key" object is really a keypair, while in PKCS #11 a private key really is a naked private key. This was a deliberate design decision in libhal, both for simplicity and to better support user interfaces other than PKCS #11, so we'd rather not change it. This difference doesn't matter very much for RSA keys in PKCS #11, where the private key components are a superset of the public key components anyway, but the PKCS #11 template for ECDSA private keys doesn't allow setting public key components with C_CreateObject(). Fortunately, computing the public components of an ECDSA key pair from the private key is straightforward, so we just do that when needed.
2017-01-26First attempt at using Pavel's ecdsa256 core. Not working yet.Rob Austein
Attempts to use Pavel's ecdsa256 base point multiplier instead of software point multiplier when selecting new random points (that is, when generating P-256 keys or P-256 signatures). Resulting points pass the point validation test (point_is_on_curve()) but the resulting signatures are invalid. Don't know why yet. Seems like an odd combination, as one would expect random garbage to fail validation. In any case: this commit is intended to archive progress so far, and perhaps see if somebody else can spot what's wrong. As presently coded, this wouldn't be suitable for production use even if it worked. NB: As I understand it, the ecdsa256 core is *not* a general purpose point multiplier even just for the P-256 curve. Rather, it is strictly a base point multiplier: it takes a single scalar as input, and returns the X,Y affine coordinates of the curve's base point multiplied by that scalar. This is essentially the eliptic curve portion of the computation involved in picking a random point for key or signature generation, but is not useful for signature validation. See the README.md in Pavel's source repository for further details.
2016-09-20Clean up the defines around rpc client, software hash cores, etc.Paul Selkirk
2016-03-29Client-side rsa and ecdsa need to call remote get_random.Paul Selkirk
2016-03-12Merge branch 'master' into rpcRob Austein
2016-03-12Disable ECDSA static-test-vectors hack, fix call to hal_get_random()Rob Austein
which was using the old (pre-hal_core_t) calling sequence.
2015-12-22Add ASN.1 support for public keys (X.509 SubjectPublicKeyInfo format).Rob Austein
2015-12-21Fix names of private key DER functions.Rob Austein
2015-12-20Consolidating curve names broke the ASN.1 code.Rob Austein
2015-12-20Drop support for the ASN.1-based ECDSA signature format in favor ofRob Austein
the simpler format which PKCS #11 uses, since we have to support the latter in any case and it's not worth the complexity of supporting both.
2015-12-20RPC server stuff mostly written. Compiles, not yet tested. RPCRob Austein
public key extraction functions on hold pending ASN.1 cleanup.
2015-12-13whack copyrightsPaul Selkirk
2015-11-13Merge branch 'config_core_selector'Paul Selkirk
2015-10-29Remove unused includes.Paul Selkirk
2015-10-04Whack libhal API to use current configure_core_selector mechanism.Rob Austein
Compiles, not yet tested.
2015-10-03Use initializers for automatic variables of type fp_int because it's aRob Austein
bit more obvious when we've forgotten to do this than when we've forgotten to call fp_init() or memset(). Convert rsa.c to use the one-element-array idiom so we can get stop prefixing every bignum reference with "&".
2015-10-02Impressive how much trouble one can get into with one uninitialized bignum.Rob Austein
2015-10-02Testing shows that signature and verification are both faster withRob Austein
mixed Jacobian-affine addition, so go with that. Minor additional clean-up and comments.
2015-10-02Revise point addition and point scalar multiplication routines to useRob Austein
mixed Jacobian-affine coordinates, per a suggestion from Pavel. Old code still present under compile time conditional for easy comparison, but will probably go away soon along with a bit of minor cleanup.
2015-09-14Fencepost error in hal_ecdas_key_from_ecpoint().Rob Austein
2015-09-11Avoid gratuitous assertion failure if caller gives us a larger bufferRob Austein
than necessary when writing private key to DER.
2015-09-06Add ECPoint I/O functions. ASN.1 cleanup.Rob Austein
2015-09-02Add PKCS11 ECDSA signature format.Rob Austein
2015-09-02Clean up excessively complicated handling of opaque types in hash andRob Austein
RSA code; use simpler model (pointer to incomplete structure) used in ECDSA code. Refactor RSA code to use shared ASN.1 routines.
2015-08-27Add point validation check to hal_ecdsa_verify(). Update README.mdRob Austein
and code comments.
2015-08-26Signature works better if we read the entire hash.Rob Austein
2015-08-25More ASN.1 fixes.Rob Austein
2015-08-25Rework RFC 5915 ASN.1.Rob Austein
2015-08-25ASN.1 bugfixes.Rob Austein
2015-08-24First stumblings towards ECDSA test code.Rob Austein
2015-08-22Rework point_scalar_multiply() to avoid a timing leak with small scalars.Rob Austein
2015-08-22Add hal_ecdsa_verify(). Move hashing out of ECDSA routines. Clean upRob Austein
a few bits that didn't pass self-review.
2015-08-21Updated point doubling and addition to use algorithms from theRob Austein
hyperelliptic.org formula database. Compiles, still not tested.
2015-08-21Snapshot along the way to ECDSA. Code mostly written, except forRob Austein
ecdsa_verify(). Untested. Point addition and doubling algorithms are the ones from libtomcrypt, main point of this commit is to save those before replacing them with faster algorithms from hyperelliptic.org.