From 2fdf82bbe98632e8f1e6396970bba74625481f0e Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Mon, 24 Aug 2015 21:46:49 -0400 Subject: First stumblings towards ECDSA test code. --- .gitignore | 1 + GNUmakefile | 2 +- ecdsa.c | 53 +++++++++++- tests/GNUmakefile | 2 +- tests/test-ecdsa.c | 232 ++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/test-ecdsa.h | 213 +++++++++++++++++++++++++++++++++++++++++++++++ tests/test-ecdsa.py | 61 ++++++++++++++ 7 files changed, 561 insertions(+), 3 deletions(-) create mode 100644 tests/test-ecdsa.c create mode 100644 tests/test-ecdsa.h create mode 100644 tests/test-ecdsa.py diff --git a/.gitignore b/.gitignore index 137543e..7428ea1 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ autom4te.cache config.log config.status tests/test-aes-key-wrap +tests/test-ecdsa tests/test-hash tests/test-pbkdf2 tests/test-rsa diff --git a/GNUmakefile b/GNUmakefile index 6a777cc..f425c50 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -37,7 +37,7 @@ IO_OBJ_I2C = hal_io_i2c.o IO_OBJ = ${IO_OBJ_EIM} TFMDIR := $(abspath ../thirdparty/libtfm) -CFLAGS := -g3 -Wall -fPIC -std=c99 -I${TFMDIR} +CFLAGS := -g3 -Wall -fPIC -std=c99 -I${TFMDIR} -DHAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM=1 LDFLAGS := -g3 -L${TFMDIR} -ltfm all: ${LIB} diff --git a/ecdsa.c b/ecdsa.c index 070c668..a657aaf 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -73,6 +73,15 @@ #include #include "asn1_internal.h" +/* + * Whether we're using static test vectors instead of the random + * number generator. Do NOT enable this in production (doh). + */ + +#ifndef HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM +#define HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM 1 +#endif + /* * Whether we want debug output. */ @@ -612,6 +621,48 @@ static hal_error_t point_scalar_multiply(const fp_int * const k, return err; } +/* + * Testing only: ECDSA key generation and signature both have a + * critical dependency on random numbers, but we can't use the random + * number generator when testing against static test vectors. So add a + * wrapper around the random number generator calls, with a hook to + * let us override the generator for test purposes. Do NOT use this + * in production, kids. + */ + +#if HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM + +#warning hal_ecdsa random number generator overriden for test purposes +#warning DO NOT USE THIS IN PRODUCTION + +typedef hal_error_t (*rng_override_test_function_t)(void *, const size_t); + +static rng_override_test_function_t rng_test_override_function = 0; + +rng_override_test_function_t hal_ecdsa_set_rng_override_test_function(rng_override_test_function_t new_func) +{ + rng_override_test_function_t old_func = rng_test_override_function; + rng_test_override_function = new_func; + return old_func; +} + +static inline hal_error_t get_random(void *buffer, const size_t length) +{ + if (rng_test_override_function) + return rng_test_override_function(buffer, length); + else + return hal_get_random(buffer, length); +} + +#else /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */ + +static inline hal_error_t get_random(void *buffer, const size_t length) +{ + return hal_get_random(buffer, length); +} + +#endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */ + /* * Pick a random point on the curve, return random scalar and * resulting point. @@ -644,7 +695,7 @@ static hal_error_t point_pick_random(const ecdsa_curve_t * const curve, do { - if ((err = hal_get_random(k_buf, sizeof(k_buf))) != HAL_OK) + if ((err = get_random(k_buf, sizeof(k_buf))) != HAL_OK) return err; fp_read_unsigned_bin(k, k_buf, sizeof(k_buf)); diff --git a/tests/GNUmakefile b/tests/GNUmakefile index 307f23e..a1cd4b4 100644 --- a/tests/GNUmakefile +++ b/tests/GNUmakefile @@ -27,7 +27,7 @@ INC = ../hal.h LIB = ../libhal.a -BIN = test-aes-key-wrap test-hash test-pbkdf2 test-rsa +BIN = test-aes-key-wrap test-hash test-pbkdf2 test-rsa test-ecdsa CFLAGS = -g3 -Wall -fPIC -std=c99 -I.. diff --git a/tests/test-ecdsa.c b/tests/test-ecdsa.c new file mode 100644 index 0000000..65d2415 --- /dev/null +++ b/tests/test-ecdsa.c @@ -0,0 +1,232 @@ +/* + * test-ecdsa.c + * ------------ + * Test harness for Cryptech ECDSA code. + * + * At the moment, the ECDSA code is a pure software implementation, + * Verilog will be along eventually. + * + * Testing ECDSA is a bit tricky because ECDSA depends heavily on + * using a new random secret for each signature. So we can test some + * things against the normal ECDSA implemenation, but some tests + * require a side door replacement of the random number generator so + * that we can use a known values from our test vector in place of the + * random secret that would be used in real operation. Test code for + * the latter mode depends on the library having been compiled with + * the testing hook enable, which it should not be for production use. + * + * Authors: Rob Austein + * Copyright (c) 2015, SUNET + * + * Redistribution and use in source and binary forms, with or + * without modification, are permitted provided that the following + * conditions are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include +#include + +#include + +#include + +#include "test-ecdsa.h" + +/* + * Supplied test vectors don't use ASN.1 encoding. Don't want to + * trust our own ASN.1 code for this (it's one of the things we're + * testing) so use Python pyasn1 or ecdsa.der code to build what we + * need and supply them as test vector data too. This is probably + * also the right way to test our encoding and decoding of private + * keys too. + */ + +#if HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM + +/* + * Code to let us replace ECDSA's random numbers with test data, if + * the ECDSA library code has been compiled with support for this. + */ + +typedef hal_error_t (*rng_override_test_function_t)(void *, const size_t); + +extern rng_override_test_function_t hal_ecdsa_set_rng_override_test_function(rng_override_test_function_t new_func); + +static const uint8_t *next_random_value = NULL; +static size_t next_random_length = 0; + +static hal_error_t next_random_handler(void *data, const size_t length) +{ + if (data == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + if (next_random_value == NULL || length < next_random_length) + return HAL_ERROR_IMPOSSIBLE; + + memset(data, 0, length); + memcpy(data + length - next_random_length, next_random_value, next_random_length); + + next_random_value = NULL; + next_random_length = 0; + + (void) hal_ecdsa_set_rng_override_test_function(0); + + return HAL_OK; +} + +static void set_next_random(const uint8_t * const data, const size_t length) +{ + (void) hal_ecdsa_set_rng_override_test_function(next_random_handler); + next_random_value = data; + next_random_length = length; +} + +/* + * Run one keygen test from test vectors. + */ + +static int test_keygen_static(const hal_ecdsa_curve_t curve) + +{ + uint8_t keybuf[hal_ecdsa_key_t_size]; + hal_ecdsa_key_t *key = NULL; + hal_error_t err; + const uint8_t *d, *Qx, *Qy; + size_t d_len, Qx_len, Qy_len; + + switch (curve) { + + case HAL_ECDSA_CURVE_P256: + printf("ECDSA P-256 key generation test\n"); + d = p256_d; d_len = sizeof(p256_d); + Qx = p256_Qx; Qx_len = sizeof(p256_Qx); + Qy = p256_Qy; Qy_len = sizeof(p256_Qy); + break; + + case HAL_ECDSA_CURVE_P384: + printf("ECDSA P-384 key generation test\n"); + d = p384_d; d_len = sizeof(p384_d); + Qx = p384_Qx; Qx_len = sizeof(p384_Qx); + Qy = p384_Qy; Qy_len = sizeof(p384_Qy); + break; + + default: + printf("Unsupported ECDSA curve type\n"); + return 0; + } + + set_next_random(d, d_len); + + if ((err = hal_ecdsa_key_gen(&key, keybuf, sizeof(keybuf), curve)) != HAL_OK) + return printf("hal_ecdsa_key_gen() failed: %s\n", hal_error_string(err)), 0; + + uint8_t Rx[Qx_len], Ry[Qy_len]; + size_t Rx_len, Ry_len; + + if ((err = hal_ecdsa_key_get_public(key, Rx, &Rx_len, sizeof(Rx), Ry, &Ry_len, sizeof(Ry))) != HAL_OK) + return printf("hal_ecdsa_key_get_public() failed: %s\n", hal_error_string(err)), 0; + + if (Qx_len != Rx_len || memcmp(Qx, Rx, Rx_len) != 0) + return printf("Qx mismatch\n"), 0; + + if (Qy_len != Ry_len || memcmp(Qy, Ry, Ry_len) != 0) + return printf("Qy mismatch\n"), 0; + + return 1; +} + +#endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */ + +/* + * Time a test. + */ + +static void _time_check(const struct timeval t0, const int ok) +{ + struct timeval t; + gettimeofday(&t, NULL); + t.tv_sec -= t0.tv_sec; + t.tv_usec = t0.tv_usec; + if (t.tv_usec < 0) { + t.tv_usec += 1000000; + t.tv_sec -= 1; + } + printf("Elapsed time %lu.%06lu seconds, %s\n", + (unsigned long) t.tv_sec, + (unsigned long) t.tv_usec, + ok ? "OK" : "FAILED"); +} + +#define time_check(_expr_) \ + do { \ + struct timeval _t; \ + gettimeofday(&_t, NULL); \ + int _ok = (_expr_); \ + _time_check(_t, _ok); \ + ok &= _ok; \ + } while (0) + +/* + * Run tests for one ECDSA curve. + */ + +static int test_ecdsa(const hal_ecdsa_curve_t curve) + +{ + int ok = 1; + + time_check(test_keygen_static(curve)); + + return ok; +} + +int main(int argc, char *argv[]) +{ + uint8_t name[8], version[4]; + hal_error_t err; + + /* + * Initialize EIM and report what core we're running. + */ + + if ((err = hal_io_read(CSPRNG_ADDR_NAME0, name, sizeof(name))) != HAL_OK || + (err = hal_io_read(CSPRNG_ADDR_VERSION, version, sizeof(version))) != HAL_OK) { + printf("Initialization failed: %s\n", hal_error_string(err)); + return 1; + } + + printf("\"%8.8s\" \"%4.4s\"\n\n", name, version); + + return !test_ecdsa(HAL_ECDSA_CURVE_P256) || !test_ecdsa(HAL_ECDSA_CURVE_P384); +} + +/* + * Local variables: + * indent-tabs-mode: nil + * End: + */ diff --git a/tests/test-ecdsa.h b/tests/test-ecdsa.h new file mode 100644 index 0000000..61124e4 --- /dev/null +++ b/tests/test-ecdsa.h @@ -0,0 +1,213 @@ +/* + * ECDSA test data. + * File automatically generated by test-ecdsa.py + */ + +static const uint8_t p256_H[] = { /* 32 bytes */ + 0x7c, 0x3e, 0x88, 0x3d, 0xdc, 0x8b, 0xd6, 0x88, 0xf9, 0x6e, 0xac, 0x5e, + 0x93, 0x24, 0x22, 0x2c, 0x8f, 0x30, 0xf9, 0xd6, 0xbb, 0x59, 0xe9, 0xc5, + 0xf0, 0x20, 0xbd, 0x39, 0xba, 0x2b, 0x83, 0x77 +}; + +static const uint8_t p256_M[] = { /* 48 bytes */ + 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6f, 0x6e, 0x6c, 0x79, + 0x20, 0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x6d, 0x65, 0x73, 0x73, + 0x61, 0x67, 0x65, 0x2e, 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x34, + 0x38, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x20, 0x6c, 0x6f, 0x6e, 0x67 +}; + +static const uint8_t p256_Qx[] = { /* 32 bytes */ + 0x81, 0x01, 0xec, 0xe4, 0x74, 0x64, 0xa6, 0xea, 0xd7, 0x0c, 0xf6, 0x9a, + 0x6e, 0x2b, 0xd3, 0xd8, 0x86, 0x91, 0xa3, 0x26, 0x2d, 0x22, 0xcb, 0xa4, + 0xf7, 0x63, 0x5e, 0xaf, 0xf2, 0x66, 0x80, 0xa8 +}; + +static const uint8_t p256_Qy[] = { /* 32 bytes */ + 0xd8, 0xa1, 0x2b, 0xa6, 0x1d, 0x59, 0x92, 0x35, 0xf6, 0x7d, 0x9c, 0xb4, + 0xd5, 0x8f, 0x17, 0x83, 0xd3, 0xca, 0x43, 0xe7, 0x8f, 0x0a, 0x5a, 0xba, + 0xa6, 0x24, 0x07, 0x99, 0x36, 0xc0, 0xc3, 0xa9 +}; + +static const uint8_t p256_Rx[] = { /* 32 bytes */ + 0x72, 0x14, 0xbc, 0x96, 0x47, 0x16, 0x0b, 0xbd, 0x39, 0xff, 0x2f, 0x80, + 0x53, 0x3f, 0x5d, 0xc6, 0xdd, 0xd7, 0x0d, 0xdf, 0x86, 0xbb, 0x81, 0x56, + 0x61, 0xe8, 0x05, 0xd5, 0xd4, 0xe6, 0xf2, 0x7c +}; + +static const uint8_t p256_Ry[] = { /* 32 bytes */ + 0x8b, 0x81, 0xe3, 0xe9, 0x77, 0x59, 0x71, 0x10, 0xc7, 0xcf, 0x26, 0x33, + 0x43, 0x5b, 0x22, 0x94, 0xb7, 0x26, 0x42, 0x98, 0x7d, 0xef, 0xd3, 0xd4, + 0x00, 0x7e, 0x1c, 0xfc, 0x5d, 0xf8, 0x45, 0x41 +}; + +static const uint8_t p256_d[] = { /* 32 bytes */ + 0x70, 0xa1, 0x2c, 0x2d, 0xb1, 0x68, 0x45, 0xed, 0x56, 0xff, 0x68, 0xcf, + 0xc2, 0x1a, 0x47, 0x2b, 0x3f, 0x04, 0xd7, 0xd6, 0x85, 0x1b, 0xf6, 0x34, + 0x9f, 0x2d, 0x7d, 0x5b, 0x34, 0x52, 0xb3, 0x8a +}; + +static const uint8_t p256_e[] = { /* 32 bytes */ + 0x7c, 0x3e, 0x88, 0x3d, 0xdc, 0x8b, 0xd6, 0x88, 0xf9, 0x6e, 0xac, 0x5e, + 0x93, 0x24, 0x22, 0x2c, 0x8f, 0x30, 0xf9, 0xd6, 0xbb, 0x59, 0xe9, 0xc5, + 0xf0, 0x20, 0xbd, 0x39, 0xba, 0x2b, 0x83, 0x77 +}; + +static const uint8_t p256_k[] = { /* 32 bytes */ + 0x58, 0x0e, 0xc0, 0x0d, 0x85, 0x64, 0x34, 0x33, 0x4c, 0xef, 0x3f, 0x71, + 0xec, 0xae, 0xd4, 0x96, 0x5b, 0x12, 0xae, 0x37, 0xfa, 0x47, 0x05, 0x5b, + 0x19, 0x65, 0xc7, 0xb1, 0x34, 0xee, 0x45, 0xd0 +}; + +static const uint8_t p256_kinv[] = { /* 32 bytes */ + 0x6a, 0x66, 0x4f, 0xa1, 0x15, 0x35, 0x6d, 0x33, 0xf1, 0x63, 0x31, 0xb5, + 0x4c, 0x4e, 0x7c, 0xe9, 0x67, 0x96, 0x53, 0x86, 0xc7, 0xdc, 0xbf, 0x29, + 0x04, 0x60, 0x4d, 0x0c, 0x13, 0x2b, 0x4a, 0x74 +}; + +static const uint8_t p256_r[] = { /* 32 bytes */ + 0x72, 0x14, 0xbc, 0x96, 0x47, 0x16, 0x0b, 0xbd, 0x39, 0xff, 0x2f, 0x80, + 0x53, 0x3f, 0x5d, 0xc6, 0xdd, 0xd7, 0x0d, 0xdf, 0x86, 0xbb, 0x81, 0x56, + 0x61, 0xe8, 0x05, 0xd5, 0xd4, 0xe6, 0xf2, 0x7c +}; + +static const uint8_t p256_s[] = { /* 32 bytes */ + 0x7d, 0x1f, 0xf9, 0x61, 0x98, 0x0f, 0x96, 0x1b, 0xda, 0xa3, 0x23, 0x3b, + 0x62, 0x09, 0xf4, 0x01, 0x33, 0x17, 0xd3, 0xe3, 0xf9, 0xe1, 0x49, 0x35, + 0x92, 0xdb, 0xea, 0xa1, 0xaf, 0x2b, 0xc3, 0x67 +}; + +static const uint8_t p256_u1[] = { /* 32 bytes */ + 0xbb, 0x25, 0x24, 0x01, 0xd6, 0xfb, 0x32, 0x2b, 0xb7, 0x47, 0x18, 0x4c, + 0xf2, 0xac, 0x52, 0xbf, 0x8d, 0x54, 0xb9, 0x5a, 0x15, 0x15, 0x06, 0x2a, + 0x2f, 0x61, 0x41, 0xf2, 0xe2, 0x09, 0x2e, 0xd8 +}; + +static const uint8_t p256_u2[] = { /* 32 bytes */ + 0xaa, 0xe7, 0xd1, 0xc7, 0xf2, 0xc2, 0x32, 0xdf, 0xc6, 0x41, 0x94, 0x8a, + 0xf3, 0xdb, 0xa1, 0x41, 0xd4, 0xde, 0x86, 0x34, 0xe5, 0x71, 0xcf, 0x84, + 0xc4, 0x86, 0x30, 0x1b, 0x51, 0x0c, 0xfc, 0x04 +}; + +static const uint8_t p256_v[] = { /* 32 bytes */ + 0x72, 0x14, 0xbc, 0x96, 0x47, 0x16, 0x0b, 0xbd, 0x39, 0xff, 0x2f, 0x80, + 0x53, 0x3f, 0x5d, 0xc6, 0xdd, 0xd7, 0x0d, 0xdf, 0x86, 0xbb, 0x81, 0x56, + 0x61, 0xe8, 0x05, 0xd5, 0xd4, 0xe6, 0xf2, 0x7c +}; + +static const uint8_t p256_w[] = { /* 32 bytes */ + 0xd6, 0x9b, 0xe7, 0x5f, 0x67, 0xee, 0x53, 0x94, 0xca, 0xbb, 0x6c, 0x28, + 0x6f, 0x36, 0x10, 0xcf, 0x62, 0xd7, 0x22, 0xcb, 0xa9, 0xee, 0xa7, 0x0f, + 0xae, 0xe7, 0x70, 0xa6, 0xb2, 0xed, 0x72, 0xdc +}; + +static const uint8_t p384_H[] = { /* 48 bytes */ + 0xb9, 0x21, 0x0c, 0x9d, 0x7e, 0x20, 0x89, 0x7a, 0xb8, 0x65, 0x97, 0x26, + 0x6a, 0x9d, 0x50, 0x77, 0xe8, 0xdb, 0x1b, 0x06, 0xf7, 0x22, 0x0e, 0xd6, + 0xee, 0x75, 0xbd, 0x8b, 0x45, 0xdb, 0x37, 0x89, 0x1f, 0x8b, 0xa5, 0x55, + 0x03, 0x04, 0x00, 0x41, 0x59, 0xf4, 0x45, 0x3d, 0xc5, 0xb3, 0xf5, 0xa1 +}; + +static const uint8_t p384_M[] = { /* 48 bytes */ + 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6f, 0x6e, 0x6c, 0x79, + 0x20, 0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x6d, 0x65, 0x73, 0x73, + 0x61, 0x67, 0x65, 0x2e, 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x34, + 0x38, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x20, 0x6c, 0x6f, 0x6e, 0x67 +}; + +static const uint8_t p384_Qx[] = { /* 48 bytes */ + 0x1f, 0xba, 0xc8, 0xee, 0xbd, 0x0c, 0xbf, 0x35, 0x64, 0x0b, 0x39, 0xef, + 0xe0, 0x80, 0x8d, 0xd7, 0x74, 0xde, 0xbf, 0xf2, 0x0a, 0x2a, 0x32, 0x9e, + 0x91, 0x71, 0x3b, 0xaf, 0x7d, 0x7f, 0x3c, 0x3e, 0x81, 0x54, 0x6d, 0x88, + 0x37, 0x30, 0xbe, 0xe7, 0xe4, 0x86, 0x78, 0xf8, 0x57, 0xb0, 0x2c, 0xa0 +}; + +static const uint8_t p384_Qy[] = { /* 48 bytes */ + 0xeb, 0x21, 0x31, 0x03, 0xbd, 0x68, 0xce, 0x34, 0x33, 0x65, 0xa8, 0xa4, + 0xc3, 0xd4, 0x55, 0x5f, 0xa3, 0x85, 0xf5, 0x33, 0x02, 0x03, 0xbd, 0xd7, + 0x6f, 0xfa, 0xd1, 0xf3, 0xaf, 0xfb, 0x95, 0x75, 0x1c, 0x13, 0x20, 0x07, + 0xe1, 0xb2, 0x40, 0x35, 0x3c, 0xb0, 0xa4, 0xcf, 0x16, 0x93, 0xbd, 0xf9 +}; + +static const uint8_t p384_Rx[] = { /* 48 bytes */ + 0xa0, 0xc2, 0x7e, 0xc8, 0x93, 0x09, 0x2d, 0xea, 0x1e, 0x1b, 0xd2, 0xcc, + 0xfe, 0xd3, 0xcf, 0x94, 0x5c, 0x81, 0x34, 0xed, 0x0c, 0x9f, 0x81, 0x31, + 0x1a, 0x0f, 0x4a, 0x05, 0x94, 0x2d, 0xb8, 0xdb, 0xed, 0x8d, 0xd5, 0x9f, + 0x26, 0x74, 0x71, 0xd5, 0x46, 0x2a, 0xa1, 0x4f, 0xe7, 0x2d, 0xe8, 0x56 +}; + +static const uint8_t p384_Ry[] = { /* 48 bytes */ + 0x85, 0x56, 0x49, 0x40, 0x98, 0x15, 0xbb, 0x91, 0x42, 0x4e, 0xac, 0xa5, + 0xfd, 0x76, 0xc9, 0x73, 0x75, 0xd5, 0x75, 0xd1, 0x42, 0x2e, 0xc5, 0x3d, + 0x34, 0x3b, 0xd3, 0x3b, 0x84, 0x7f, 0xdf, 0x0c, 0x11, 0x56, 0x96, 0x85, + 0xb5, 0x28, 0xab, 0x25, 0x49, 0x30, 0x15, 0x42, 0x8d, 0x7c, 0xf7, 0x2b +}; + +static const uint8_t p384_d[] = { /* 48 bytes */ + 0xc8, 0x38, 0xb8, 0x52, 0x53, 0xef, 0x8d, 0xc7, 0x39, 0x4f, 0xa5, 0x80, + 0x8a, 0x51, 0x83, 0x98, 0x1c, 0x7d, 0xee, 0xf5, 0xa6, 0x9b, 0xa8, 0xf4, + 0xf2, 0x11, 0x7f, 0xfe, 0xa3, 0x9c, 0xfc, 0xd9, 0x0e, 0x95, 0xf6, 0xcb, + 0xc8, 0x54, 0xab, 0xac, 0xab, 0x70, 0x1d, 0x50, 0xc1, 0xf3, 0xcf, 0x24 +}; + +static const uint8_t p384_e[] = { /* 48 bytes */ + 0xb9, 0x21, 0x0c, 0x9d, 0x7e, 0x20, 0x89, 0x7a, 0xb8, 0x65, 0x97, 0x26, + 0x6a, 0x9d, 0x50, 0x77, 0xe8, 0xdb, 0x1b, 0x06, 0xf7, 0x22, 0x0e, 0xd6, + 0xee, 0x75, 0xbd, 0x8b, 0x45, 0xdb, 0x37, 0x89, 0x1f, 0x8b, 0xa5, 0x55, + 0x03, 0x04, 0x00, 0x41, 0x59, 0xf4, 0x45, 0x3d, 0xc5, 0xb3, 0xf5, 0xa1 +}; + +static const uint8_t p384_k[] = { /* 48 bytes */ + 0xdc, 0x6b, 0x44, 0x03, 0x69, 0x89, 0xa1, 0x96, 0xe3, 0x9d, 0x1c, 0xda, + 0xc0, 0x00, 0x81, 0x2f, 0x4b, 0xdd, 0x8b, 0x2d, 0xb4, 0x1b, 0xb3, 0x3a, + 0xf5, 0x13, 0x72, 0x58, 0x5e, 0xbd, 0x1d, 0xb6, 0x3f, 0x0c, 0xe8, 0x27, + 0x5a, 0xa1, 0xfd, 0x45, 0xe2, 0xd2, 0xa7, 0x35, 0xf8, 0x74, 0x93, 0x59 +}; + +static const uint8_t p384_kinv[] = { /* 48 bytes */ + 0x74, 0x36, 0xf0, 0x30, 0x88, 0xe6, 0x5c, 0x37, 0xba, 0x8e, 0x7b, 0x33, + 0x88, 0x7f, 0xbc, 0x87, 0x75, 0x75, 0x14, 0xd6, 0x11, 0xf7, 0xd1, 0xfb, + 0xdf, 0x6d, 0x21, 0x04, 0xa2, 0x97, 0xad, 0x31, 0x8c, 0xdb, 0xf7, 0x40, + 0x4e, 0x4b, 0xa3, 0x7e, 0x59, 0x96, 0x66, 0xdf, 0x37, 0xb8, 0xd8, 0xbe +}; + +static const uint8_t p384_r[] = { /* 48 bytes */ + 0xa0, 0xc2, 0x7e, 0xc8, 0x93, 0x09, 0x2d, 0xea, 0x1e, 0x1b, 0xd2, 0xcc, + 0xfe, 0xd3, 0xcf, 0x94, 0x5c, 0x81, 0x34, 0xed, 0x0c, 0x9f, 0x81, 0x31, + 0x1a, 0x0f, 0x4a, 0x05, 0x94, 0x2d, 0xb8, 0xdb, 0xed, 0x8d, 0xd5, 0x9f, + 0x26, 0x74, 0x71, 0xd5, 0x46, 0x2a, 0xa1, 0x4f, 0xe7, 0x2d, 0xe8, 0x56 +}; + +static const uint8_t p384_s[] = { /* 48 bytes */ + 0x20, 0xab, 0x3f, 0x45, 0xb7, 0x4f, 0x10, 0xb6, 0xe1, 0x1f, 0x96, 0xa2, + 0xc8, 0xeb, 0x69, 0x4d, 0x20, 0x6b, 0x9d, 0xda, 0x86, 0xd3, 0xc7, 0xe3, + 0x31, 0xc2, 0x6b, 0x22, 0xc9, 0x87, 0xb7, 0x53, 0x77, 0x26, 0x57, 0x76, + 0x67, 0xad, 0xad, 0xf1, 0x68, 0xeb, 0xbe, 0x80, 0x37, 0x94, 0xa4, 0x02 +}; + +static const uint8_t p384_u1[] = { /* 48 bytes */ + 0x6c, 0xe2, 0x56, 0x49, 0xd4, 0x2d, 0x22, 0x3e, 0x02, 0x0c, 0x11, 0x14, + 0x0f, 0xe7, 0x72, 0x32, 0x66, 0x12, 0xbb, 0x11, 0xb6, 0x86, 0xd3, 0x5e, + 0xe9, 0x8e, 0xd4, 0x55, 0x0e, 0x06, 0x35, 0xd9, 0xdd, 0x3a, 0x2a, 0xfb, + 0xca, 0x0c, 0xf2, 0xc4, 0xba, 0xed, 0xcd, 0x23, 0x31, 0x3b, 0x18, 0x9e +}; + +static const uint8_t p384_u2[] = { /* 48 bytes */ + 0xf3, 0xb2, 0x40, 0x75, 0x1d, 0x5d, 0x8e, 0xd3, 0x94, 0xa4, 0xb5, 0xbf, + 0x8e, 0x2a, 0x4c, 0x0e, 0x1e, 0x21, 0xaa, 0x51, 0xf2, 0x62, 0x0a, 0x08, + 0xb8, 0xc5, 0x5a, 0x2b, 0xc3, 0x34, 0xc9, 0x68, 0x99, 0x23, 0x16, 0x26, + 0x48, 0xf0, 0x6e, 0x5f, 0x46, 0x59, 0xfc, 0x52, 0x6d, 0x9c, 0x1f, 0xd6 +}; + +static const uint8_t p384_v[] = { /* 48 bytes */ + 0xa0, 0xc2, 0x7e, 0xc8, 0x93, 0x09, 0x2d, 0xea, 0x1e, 0x1b, 0xd2, 0xcc, + 0xfe, 0xd3, 0xcf, 0x94, 0x5c, 0x81, 0x34, 0xed, 0x0c, 0x9f, 0x81, 0x31, + 0x1a, 0x0f, 0x4a, 0x05, 0x94, 0x2d, 0xb8, 0xdb, 0xed, 0x8d, 0xd5, 0x9f, + 0x26, 0x74, 0x71, 0xd5, 0x46, 0x2a, 0xa1, 0x4f, 0xe7, 0x2d, 0xe8, 0x56 +}; + +static const uint8_t p384_w[] = { /* 48 bytes */ + 0x17, 0x98, 0x84, 0x5c, 0xd0, 0xa6, 0xce, 0xa5, 0x32, 0x7c, 0x50, 0x1a, + 0x71, 0xa4, 0xba, 0xf2, 0xf7, 0xbe, 0x88, 0x2c, 0xfb, 0xc3, 0x03, 0x75, + 0x0a, 0x7c, 0x86, 0x1a, 0xf8, 0xfe, 0x82, 0x25, 0x46, 0x7a, 0x25, 0x7f, + 0x5b, 0xf9, 0x1a, 0x4a, 0xaa, 0x5a, 0x79, 0xa8, 0x63, 0x7d, 0x21, 0x8a +}; diff --git a/tests/test-ecdsa.py b/tests/test-ecdsa.py new file mode 100644 index 0000000..8fb33f1 --- /dev/null +++ b/tests/test-ecdsa.py @@ -0,0 +1,61 @@ +# Test vectors from "Suite B Implementer's Guide to FIPS 186-3". +# +# e is given in decimal, all other values are hex, because that's how +# these were given in the paper +# +# This script will probably become a bit more elaborate at some later date, eg, +# to add ASN.1 encoding. + +p256_d = 0x70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a +p256_Qx = 0x8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8 +p256_Qy = 0xd8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9 +p256_k = 0x580ec00d856434334cef3f71ecaed4965b12ae37fa47055b1965c7b134ee45d0 +p256_kinv = 0x6a664fa115356d33f16331b54c4e7ce967965386c7dcbf2904604d0c132b4a74 +p256_Rx = 0x7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c +p256_Ry = 0x8b81e3e977597110c7cf2633435b2294b72642987defd3d4007e1cfc5df84541 +p256_r = p256_Rx +p256_M = 0x54686973206973206f6e6c7920612074657374206d6573736167652e204974206973203438206279746573206c6f6e67 +p256_H = 0x7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377 +p256_e = 56197278047627432394583341962843287937266210957576322469816113796290471232375 +p256_s = 0x7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367 +p256_w = 0xd69be75f67ee5394cabb6c286f3610cf62d722cba9eea70faee770a6b2ed72dc +p256_u1 = 0xbb252401d6fb322bb747184cf2ac52bf8d54b95a1515062a2f6141f2e2092ed8 +p256_u2 = 0xaae7d1c7f2c232dfc641948af3dba141d4de8634e571cf84c486301b510cfc04 +p256_v = 0x7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c + +p384_d = 0xc838b85253ef8dc7394fa5808a5183981c7deef5a69ba8f4f2117ffea39cfcd90e95f6cbc854abacab701d50c1f3cf24 +p384_Qx = 0x1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0 +p384_Qy = 0xeb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9 +p384_k = 0xdc6b44036989a196e39d1cdac000812f4bdd8b2db41bb33af51372585ebd1db63f0ce8275aa1fd45e2d2a735f8749359 +p384_kinv = 0x7436f03088e65c37ba8e7b33887fbc87757514d611f7d1fbdf6d2104a297ad318cdbf7404e4ba37e599666df37b8d8be +p384_Rx = 0xa0c27ec893092dea1e1bd2ccfed3cf945c8134ed0c9f81311a0f4a05942db8dbed8dd59f267471d5462aa14fe72de856 +p384_Ry = 0x855649409815bb91424eaca5fd76c97375d575d1422ec53d343bd33b847fdf0c11569685b528ab25493015428d7cf72b +p384_r = p384_Rx +p384_M = 0x54686973206973206f6e6c7920612074657374206d6573736167652e204974206973203438206279746573206c6f6e67 +p384_H = 0xb9210c9d7e20897ab86597266a9d5077e8db1b06f7220ed6ee75bd8b45db37891f8ba5550304004159f4453dc5b3f5a1 +p384_e = 28493976155450475404302482243066463769180620629462008675793884393889401828800663731864240088367206094074919580333473 +p384_s = 0x20ab3f45b74f10b6e11f96a2c8eb694d206b9dda86d3c7e331c26b22c987b7537726577667adadf168ebbe803794a402 +p384_w = 0x1798845cd0a6cea5327c501a71a4baf2f7be882cfbc303750a7c861af8fe8225467a257f5bf91a4aaa5a79a8637d218a +p384_u1 = 0x6ce25649d42d223e020c11140fe772326612bb11b686d35ee98ed4550e0635d9dd3a2afbca0cf2c4baedcd23313b189e +p384_u2 = 0xf3b240751d5d8ed394a4b5bf8e2a4c0e1e21aa51f2620a08b8c55a2bc334c9689923162648f06e5f4659fc526d9c1fd6 +p384_v = 0xa0c27ec893092dea1e1bd2ccfed3cf945c8134ed0c9f81311a0f4a05942db8dbed8dd59f267471d5462aa14fe72de856 + +from textwrap import TextWrapper +from os.path import basename +from sys import argv + +wrapper = TextWrapper(width = 78, initial_indent = " " * 2, subsequent_indent = " " * 2) + +print "/*" +print " * ECDSA test data." +print " * File automatically generated by", basename(argv[0]) +print " */" + +for name in sorted(dir()): + if name.startswith("p256_") or name.startswith("p384_"): + value = "%x" % globals()[name] + value = ("0" + value if len(value) & 1 else value).decode("hex") + print + print "static const uint8_t %s[] = { /* %d bytes */" % (name, len(value)) + print wrapper.fill(", ".join("0x%02x" % ord(v) for v in value)) + print "};" -- cgit v1.2.3