Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
libhal and PKCS #11 have slightly different models of private keys: in
libhal, a "private key" object is really a keypair, while in PKCS #11
a private key really is a naked private key. This was a deliberate
design decision in libhal, both for simplicity and to better support
user interfaces other than PKCS #11, so we'd rather not change it.
This difference doesn't matter very much for RSA keys in PKCS #11,
where the private key components are a superset of the public key
components anyway, but the PKCS #11 template for ECDSA private keys
doesn't allow setting public key components with C_CreateObject().
Fortunately, computing the public components of an ECDSA key pair from
the private key is straightforward, so we just do that when needed.
|
|
Attempts to use Pavel's ecdsa256 base point multiplier instead of
software point multiplier when selecting new random points (that is,
when generating P-256 keys or P-256 signatures). Resulting points
pass the point validation test (point_is_on_curve()) but the resulting
signatures are invalid. Don't know why yet. Seems like an odd
combination, as one would expect random garbage to fail validation.
In any case: this commit is intended to archive progress so far, and
perhaps see if somebody else can spot what's wrong. As presently
coded, this wouldn't be suitable for production use even if it worked.
NB: As I understand it, the ecdsa256 core is *not* a general purpose
point multiplier even just for the P-256 curve. Rather, it is
strictly a base point multiplier: it takes a single scalar as input,
and returns the X,Y affine coordinates of the curve's base point
multiplied by that scalar. This is essentially the eliptic curve
portion of the computation involved in picking a random point for key
or signature generation, but is not useful for signature validation.
See the README.md in Pavel's source repository for further details.
|
|
|
|
|
|
|
|
which was using the old (pre-hal_core_t) calling sequence.
|
|
|
|
|
|
|
|
the simpler format which PKCS #11 uses, since we have to support the
latter in any case and it's not worth the complexity of supporting both.
|
|
public key extraction functions on hold pending ASN.1 cleanup.
|
|
|
|
|
|
|
|
Compiles, not yet tested.
|
|
bit more obvious when we've forgotten to do this than when we've
forgotten to call fp_init() or memset(). Convert rsa.c to use the
one-element-array idiom so we can get stop prefixing every bignum
reference with "&".
|
|
|
|
mixed Jacobian-affine addition, so go with that. Minor additional
clean-up and comments.
|
|
mixed Jacobian-affine coordinates, per a suggestion from Pavel. Old
code still present under compile time conditional for easy comparison,
but will probably go away soon along with a bit of minor cleanup.
|
|
|
|
than necessary when writing private key to DER.
|
|
|
|
|
|
RSA code; use simpler model (pointer to incomplete structure) used in
ECDSA code. Refactor RSA code to use shared ASN.1 routines.
|
|
and code comments.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
a few bits that didn't pass self-review.
|
|
hyperelliptic.org formula database. Compiles, still not tested.
|
|
ecdsa_verify(). Untested. Point addition and doubling algorithms are
the ones from libtomcrypt, main point of this commit is to save those
before replacing them with faster algorithms from hyperelliptic.org.
|