From 99956039e4e93bf075d4f75f3b8adba9f2ddffec Mon Sep 17 00:00:00 2001 From: Paul Selkirk Date: Thu, 15 Mar 2018 17:41:35 -0400 Subject: Update to draft-10: clarifications and Test Case 2; add ability to export public key to xdr for interop testing --- hashsig.c | 93 ++++++++++++++++++++++++-------- hashsig.h | 3 ++ tests/test-hashsig.h | 2 + tests/test-rpc_hashsig.c | 134 ++++++++++++++++++++++++++++++++++------------- 4 files changed, 173 insertions(+), 59 deletions(-) diff --git a/hashsig.c b/hashsig.c index 0825463..5ffbb12 100644 --- a/hashsig.c +++ b/hashsig.c @@ -1,7 +1,7 @@ /* * hashsig.c * --------- - * Implementation of draft-mcgrew-hash-sigs-08.txt + * Implementation of draft-mcgrew-hash-sigs-10.txt * * Copyright (c) 2018, NORDUnet A/S All rights reserved. * @@ -706,13 +706,12 @@ static hal_error_t lms_generate(lms_key_t *key) /* record the lmots keystore name */ memcpy(&key->lmots_keys[q], &slot.name, sizeof(slot.name)); - /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB[r-2^h]) */ + /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[r-2^h]) */ size_t r = h2 + q; check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf))); check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I))); l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l))); s = u16str(D_LEAF); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s))); - /* they say "OTS_PUB", but they really just mean K */ check(hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K))); check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r]))); } @@ -851,36 +850,32 @@ static hal_error_t lms_verify(const lms_key_t * const key, return HAL_ERROR_INVALID_SIGNATURE; // Algorithm 6: LMS Signature Verification - -// 1. if the public key is not at least four bytes long, return -// INVALID // -// 2. parse pubtype, I, and T[1] from the public key as follows: +// 1. if the public key is not at least eight bytes long, return +// INVALID // -// a. pubtype = strTou32(first 4 bytes of public key) +// 2. parse pubtype, I, and T[1] from the public key as follows: // -// b. set m according to pubtype, based on Table 2 +// a. pubtype = strTou32(first 4 bytes of public key) // -// c. if the public key is not exactly 20 + m bytes -// long, return INVALID - - /* XXX THIS IS WRONG, should be 24 + m */ - - /* XXX missing from draft: pubotstype = strTou32(next 4 bytes of public key) */ - +// b. ots_typecode = strTou32(next 4 bytes of public key) // -// d. I = next 16 bytes of the public key +// c. set m according to pubtype, based on Table 2 // -// e. T[1] = next m bytes of the public key +// d. if the public key is not exactly 24 + m bytes +// long, return INVALID // -// 3. compute the candidate LMS root value Tc from the signature, -// message, identifier and pubtype using Algorithm 6b. - /* XXX and pubotstype */ +// e. I = next 16 bytes of the public key +// +// f. T[1] = next m bytes of the public key +// +// 3. compute the candidate LMS root value Tc from the signature, +// message, identifier and pubtype using Algorithm 6b. bytestring32 Tc; check(lms_public_key_candidate(key, msg, msg_len, sig, sig_len, &Tc)); -// 4. if Tc is equal to T[1], return VALID; otherwise, return INVALID +// 4. if Tc is equal to T[1], return VALID; otherwise, return INVALID return (memcmp(&Tc, &key->T1, sizeof(Tc)) ? HAL_ERROR_INVALID_SIGNATURE : HAL_OK); } @@ -1789,3 +1784,57 @@ hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_, (const uint8_t * const)I, sizeof(bytestring16), (const uint8_t * const)T1, sizeof(bytestring32)); } + +hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len, + uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max) +{ + if (der == NULL || xdr == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + const uint8_t *alg_oid = NULL, *null = NULL, *pubkey = NULL; + size_t alg_oid_len, null_len, pubkey_len; + + check(hal_asn1_decode_spki(&alg_oid, &alg_oid_len, &null, &null_len, &pubkey, &pubkey_len, der, der_len)); + + if (null != NULL || null_len != 0 || alg_oid == NULL || + alg_oid_len != hal_asn1_oid_mts_hashsig_len || memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) != 0) + return HAL_ERROR_ASN1_PARSE_FAILED; + + size_t len, hlen, vlen; + + check(hal_asn1_decode_header(ASN1_SEQUENCE, pubkey, pubkey_len, &hlen, &vlen)); + + const uint8_t * const pubkey_end = pubkey + hlen + vlen; + const uint8_t *d = pubkey + hlen; + + // L || u32str(lms_type) || u32str(lmots_type) || I || T[1] + + size_t L; + lms_algorithm_t lms_type; + lmots_algorithm_t lmots_type; + bytestring16 I; + bytestring32 T1; + + check(hal_asn1_decode_size_t(&L, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_lms_algorithm(&lms_type, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_bytestring16(&I, d, &len, pubkey_end - d)); d += len; + check(hal_asn1_decode_bytestring32(&T1, d, &len, pubkey_end - d)); d += len; + + if (d != pubkey_end) + return HAL_ERROR_ASN1_PARSE_FAILED; + + uint8_t * xdrptr = xdr; + const uint8_t * const xdrlim = xdr + xdr_max; + + check(hal_xdr_encode_int(&xdrptr, xdrlim, L)); + check(hal_xdr_encode_int(&xdrptr, xdrlim, lms_type)); + check(hal_xdr_encode_int(&xdrptr, xdrlim, lmots_type)); + check(hal_xdr_encode_bytestring16(&xdrptr, xdrlim, &I)); + check(hal_xdr_encode_bytestring32(&xdrptr, xdrlim, &T1)); + + if (xdr_len != NULL) + *xdr_len = xdrptr - xdr; + + return HAL_OK; +} diff --git a/hashsig.h b/hashsig.h index aeb2828..7bae86e 100644 --- a/hashsig.h +++ b/hashsig.h @@ -110,6 +110,9 @@ extern size_t hal_hashsig_signature_len(const size_t L, extern size_t hal_hashsig_lmots_private_key_len(const lmots_algorithm_t lmots_type); +extern hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len, + uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max); + //extern hal_error_t hal_hashsig_restart(...); #endif /* _HAL_HASHSIG_H_ */ diff --git a/tests/test-hashsig.h b/tests/test-hashsig.h index 7d18295..4b8333f 100644 --- a/tests/test-hashsig.h +++ b/tests/test-hashsig.h @@ -43,6 +43,7 @@ static uint8_t tc1_msg[] = { }; /* Test Case 1 Signature */ +/* 2 levels, both h=5, w=8 */ static uint8_t tc1_sig[] = { 0x00, 0x00, 0x00, 0x01, @@ -419,6 +420,7 @@ static uint8_t tc2_msg[] = { }; /* Test Case 2 Signature */ +/* 2 levels: h=10, w=4; h=5, w=8 */ static uint8_t tc2_sig[] = { 0x00, 0x00, 0x00, 0x01, diff --git a/tests/test-rpc_hashsig.c b/tests/test-rpc_hashsig.c index d9dd0e7..b93f11e 100644 --- a/tests/test-rpc_hashsig.c +++ b/tests/test-rpc_hashsig.c @@ -3,8 +3,7 @@ * ------------------ * Test code for RPC interface to Cryptech public key operations. * - * Authors: Rob Austein, Paul Selkirk - * Copyright (c) 2015-2018, NORDUnet A/S + * Copyright (c) 2018, NORDUnet A/S * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -42,6 +41,11 @@ #include #include #include +#include +#include +#include +#include +#include #include #include @@ -151,14 +155,14 @@ fail: static void hexdump(const char * const label, const uint8_t * const buf, const size_t len) { - printf("%-15s ", label); + printf("%-11s ", label); for (size_t i = 0; i < len; ++i) { printf("%02x", buf[i]); if ((i & 0x0f) == 0x0f) { printf("\n"); if (i < len - 1) - printf(" "); + printf(" "); } } if ((len & 0x0f) != 0) @@ -177,30 +181,6 @@ static inline size_t lms_type_to_h(const lms_algorithm_t lms_type) } } -static inline size_t two_to_the(const size_t n) -{ - if (n % 5 != 0) - return 0; - - size_t result, i; - for (result = 1, i = 0; i < n; i += 5) - result *= 32; - - return result; -} - -static inline size_t lms_type_to_h2(const lms_algorithm_t lms_type) -{ - switch (lms_type) { - case lms_sha256_n32_h5: return two_to_the(5); - case lms_sha256_n32_h10: return two_to_the(10); - case lms_sha256_n32_h15: return two_to_the(15); - case lms_sha256_n32_h20: return two_to_the(20); - case lms_sha256_n32_h25: return two_to_the(25); - default: return 0; - } -} - static inline size_t lmots_type_to_w(const lmots_algorithm_t lmots_type) { switch (lmots_type) { @@ -283,7 +263,8 @@ static hal_error_t dump_hss_signature(const uint8_t * const sig, const size_t le static int test_hashsig_sign(const size_t L, const lms_algorithm_t lms_type, const lmots_algorithm_t lmots_type, - size_t iterations) + size_t iterations, + int save) { const hal_client_handle_t client = {HAL_HANDLE_NONE}; const hal_session_handle_t session = {HAL_HANDLE_NONE}; @@ -293,6 +274,19 @@ static int test_hashsig_sign(const size_t L, size_t len; { + char save_name[16]; + if (save) { + sprintf(save_name, "L%d.lms%d.ots%d", (int)L, (int)lms_type, (int)lmots_type); + FILE *fp; + if ((fp = fopen(save_name, "wb")) == NULL) + lose("Error opening %s: %s\n", save_name, strerror(errno)); + size_t len1; + if ((len1 = fwrite(tc1_msg, 1, sizeof(tc1_msg), fp)) != sizeof(tc1_msg)) + lose("Wrote %lu bytes to %s, expected %lu\n", len1, save_name, sizeof(tc1_msg)); + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", save_name, strerror(errno)); + } + hal_key_flags_t flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE; printf("Starting hashsig key test: L %lu, lms type %u (h=%lu), lmots type %u (w=%lu)\n", @@ -306,8 +300,7 @@ static int test_hashsig_sign(const size_t L, hal_uuid_t private_name, public_name; struct timeval tv_start, tv_end, tv_diff; - size_t Lh2 = two_to_the(L * lms_type_to_h(lms_type)); - size_t h2 = lms_type_to_h2(lms_type); + size_t h = lms_type_to_h(lms_type); if (info) gettimeofday(&tv_start, NULL); @@ -317,7 +310,7 @@ static int test_hashsig_sign(const size_t L, if (info) { gettimeofday(&tv_end, NULL); timersub(&tv_end, &tv_start, &tv_diff); - long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * h2); + long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * (1 << h)); printf("Info: %ldm%ld.%03lds to generate key (%ld.%03lds per lmots key)\n", tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000, per_key / 1000000, (per_key % 1000000) / 1000); @@ -326,7 +319,7 @@ static int test_hashsig_sign(const size_t L, uint8_t public_der[hal_rpc_pkey_get_public_key_len(private_key)]; if ((err = hal_rpc_pkey_get_public_key(private_key, public_der, &len, sizeof(public_der))) != HAL_OK) - lose("Could not DER encode RPC hashsig public key from RPC hashsig private key: %s\n", hal_error_string(err)); + lose("Could not DER encode public key from private key: %s\n", hal_error_string(err)); assert(len == sizeof(public_der)); @@ -334,6 +327,22 @@ static int test_hashsig_sign(const size_t L, public_der, sizeof(public_der), flags)) != HAL_OK) lose("Could not load public key into RPC: %s\n", hal_error_string(err)); + if (save) { + char fn[strlen(save_name) + 5]; + sprintf(fn, "%s.pub", save_name); + FILE *fp; + if ((fp = fopen(fn, "wb")) == NULL) + lose("Error opening %s: %s\n", fn, strerror(errno)); + uint8_t pub[60]; + if ((err = hal_hashsig_public_key_der_to_xdr(public_der, sizeof(public_der), pub, &len, sizeof(pub))) != HAL_OK) + lose("Could not XDR encode public key: %s\n", hal_error_string(err)); + size_t len1; + if ((len1 = fwrite(pub, 1, len, fp)) != len) + lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len); + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", fn, strerror(errno)); + } + if (iterations > 0) { uint8_t sig[hal_hashsig_signature_len(L, lms_type, lmots_type)]; @@ -350,11 +359,23 @@ static int test_hashsig_sign(const size_t L, } } else { - if (i == Lh2 && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED) + if (i == (1 << (L * h)) && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED) break; else lose("Could not sign (%d): %s\n", i, hal_error_string(err)); } + if (save) { + char fn[strlen(save_name) + 16]; + sprintf(fn, "%s.%d.sig", save_name, i); + FILE *fp; + if ((fp = fopen(fn, "wb")) == NULL) + lose("Error opening %s: %s\n", fn, strerror(errno)); + size_t len1; + if ((len1 = fwrite(sig, 1, len, fp)) != len) + lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len); + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", fn, strerror(errno)); + } } if (info) { gettimeofday(&tv_end, NULL); @@ -400,6 +421,35 @@ fail: return 0; } +static int read_sig(char *fn) +{ + { + FILE *fp; + if ((fp = fopen(fn, "rb")) == NULL) + lose("Error opening %s: %s\n", fn, strerror(errno)); + + struct stat statbuf; + if (stat(fn, &statbuf) != 0) + lose("Error statting %s: %s\n", fn, strerror(errno)); + + uint8_t sig[statbuf.st_size]; + size_t len; + if ((len = fread(sig, 1, sizeof(sig), fp)) != sizeof(sig)) + lose("Read %lu bytes from %s, expected %lu\n", len, fn, sizeof(sig)); + + if (fclose(fp) != 0) + lose("Error closing %s: %s\n", fn, strerror(errno)); + + hal_error_t err; + if ((err = dump_hss_signature(sig, len)) != HAL_OK) + lose("Error parsing signature: %s\n", hal_error_string(err)); + } + + return 1; +fail: + return 0; +} + int main(int argc, char *argv[]) { const hal_client_handle_t client = {HAL_HANDLE_NONE}; @@ -410,12 +460,13 @@ int main(int argc, char *argv[]) size_t L_lo = 0, L_hi = 0; size_t lms_lo = 5, lms_hi = 0; size_t lmots_lo = 3, lmots_hi = 0; + int save = 0; char *p; hal_error_t err; int ok = 1; char usage[] = "\ -Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n]\n\ +Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n] [-s] [-r file]\n\ -d: enable debugging - hexdump signatures\n\ -i: enable informational messages - runtimes and signature lengths\n\ -p: user PIN\n\ @@ -424,10 +475,12 @@ Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n]\n\ -l: LMS type (5..9)\n\ -o: LM-OTS type (1..4)\n\ -n: number of signatures to generate (0..'max')\n\ + -s: save generated public key and signatures\n\ + -r: read and pretty-print a saved signature file\n\ Numeric arguments can be a single number or a range, e.g. '1..4'\n"; int opt; - while ((opt = getopt(argc, argv, "ditp:L:l:o:n:h?")) != -1) { + while ((opt = getopt(argc, argv, "ditp:L:l:o:n:sr:h?")) != -1) { switch (opt) { case 'd': debug = 1; @@ -470,6 +523,13 @@ Numeric arguments can be a single number or a range, e.g. '1..4'\n"; lmots_hi = (size_t)atoi(p); do_default = 0; break; + case's': + save = 1; + break; + case 'r': + ok &= read_sig(optarg); + do_default = 0; + break; case 'h': case '?': fprintf(stdout, usage, argv[0]); @@ -512,7 +572,7 @@ Numeric arguments can be a single number or a range, e.g. '1..4'\n"; for (size_t L = L_lo; L <= L_hi; ++L) { for (lms_algorithm_t lms_type = lms_lo; lms_type <= lms_hi; ++lms_type) { for (lmots_algorithm_t lmots_type = lmots_lo; lmots_type <= lmots_hi; ++lmots_type) { - ok &= test_hashsig_sign(L, lms_type, lmots_type, iterations); + ok &= test_hashsig_sign(L, lms_type, lmots_type, iterations, save); } } } -- cgit v1.2.3