doc/ike__sign__verify_8c_source.html

 /**

  * @file ike_sign_verify.c

  * @brief RSA/DSA/ECDSA/EdDSA signature verification

  *

  * @section License

  *

  * SPDX-License-Identifier: GPL-2.0-or-later

  *

  * Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.

  *

  * This file is part of CycloneIPSEC Open.

  *

  * This program is free software; you can redistribute it and/or

  * modify it under the terms of the GNU General Public License

  * as published by the Free Software Foundation; either version 2

  * of the License, or (at your option) any later version.

  *

  * This program is distributed in the hope that it will be useful,

  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  * GNU General Public License for more details.

  *

  * You should have received a copy of the GNU General Public License

  * along with this program; if not, write to the Free Software Foundation,

  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  *

  * @author Oryx Embedded SARL (www.oryx-embedded.com)

  * @version 2.4.0

  **/


 //Switch to the appropriate trace level

 #define TRACE_LEVEL IKE_TRACE_LEVEL


 //Dependencies

 #include "ike/ike.h"

 #include "ike/ike_sign_verify.h"

 #include "encoding/oid.h"

 #include "pkix/x509_key_parse.h"

 #include "pkix/x509_sign_parse.h"

 #include "debug.h"


 //Check IKEv2 library configuration

 #if (IKE_SUPPORT == ENABLED && IKE_CERT_AUTH_SUPPORT == ENABLED)


 /**

  * @brief Signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] authMethod Authentication method

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] signature Signature to be verified

  * @param[in] signatureLen Length of the signature, in bytes

  * @return Error code

  **/


 error_t ikeVerifySignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen,

    uint8_t authMethod, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const uint8_t *signature, size_t signatureLen)

 {

    error_t error;


 #if (IKE_SIGN_HASH_ALGOS_SUPPORT == ENABLED)

    //Digital signature method?

    if(authMethod == IKE_AUTH_METHOD_DIGITAL_SIGN)

    {

       //The new digital signature method is flexible enough to include all

       //current signature methods (RSA, RSA-PSS, DSA, ECDSA and EdDSA) and add

       //new methods in the future

       error = ikeVerifyDigitalSignature(sa, id, idLen, publicKeyInfo,

          (const IkeAuthData *) signature, signatureLen);

    }

    else

 #endif

 #if (IKE_RSA_SIGN_SUPPORT == ENABLED && IKE_SHA1_SUPPORT == ENABLED)

    //RSA signature method?

    if(authMethod == IKE_AUTH_METHOD_RSA)

    {

       //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)

       error = ikeVerifyRsaSignature(sa, id, idLen, publicKeyInfo,

          SHA1_HASH_ALGO, signature, signatureLen);

    }

    else

 #endif

 #if (IKE_DSA_SIGN_SUPPORT == ENABLED && IKE_SHA1_SUPPORT == ENABLED)

    //DSA signature method?

    if(authMethod == IKE_AUTH_METHOD_DSS)

    {

       //Verify DSA signature

       error = ikeVerifyDsaSignature(sa, id, idLen, publicKeyInfo,

          SHA1_HASH_ALGO, signature, signatureLen, IKE_SIGN_FORMAT_RAW);

    }

    else

 #endif

 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_256_SUPPORT == ENABLED && \

    IKE_SHA256_SUPPORT == ENABLED)

    //ECDSA with NIST P-256 signature method?

    if(authMethod == IKE_AUTH_METHOD_ECDSA_P256_SHA256)

    {

       //Verify ECDSA signature

       error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,

          SECP256R1_CURVE, SHA256_HASH_ALGO, signature, signatureLen,

          IKE_SIGN_FORMAT_RAW);

    }

    else

 #endif

 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_384_SUPPORT == ENABLED && \

    IKE_SHA384_SUPPORT == ENABLED)

    //ECDSA with NIST P-384 signature method?

    if(authMethod == IKE_AUTH_METHOD_ECDSA_P384_SHA384)

    {

       //Verify ECDSA signature

       error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,

          SECP384R1_CURVE, SHA384_HASH_ALGO, signature, signatureLen,

          IKE_SIGN_FORMAT_RAW);

    }

    else

 #endif

 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_521_SUPPORT == ENABLED && \

    IKE_SHA512_SUPPORT == ENABLED)

    //ECDSA with NIST P-521 signature method?

    if(authMethod == IKE_AUTH_METHOD_ECDSA_P521_SHA512)

    {

       //Verify ECDSA signature

       error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,

          SECP521R1_CURVE, SHA512_HASH_ALGO, signature, signatureLen,

          IKE_SIGN_FORMAT_RAW);

    }

    else

 #endif

    //Invalid signature method?

    {

       //Report an error

       error = ERROR_INVALID_SIGNATURE_ALGO;

    }


    //Return status code

    return error;

 }


 /**

  * @brief Digital signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] authData Pointer to the authentication data

  * @param[in] authDataLen Length of the authentication data, in bytes

  * @return Error code

  **/


 error_t ikeVerifyDigitalSignature(IkeSaEntry *sa, const uint8_t *id,

    size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const IkeAuthData *authData, size_t authDataLen)

 {

    error_t error;

    size_t n;

    size_t signatureLen;

    const uint8_t *signature;

    const HashAlgo *hashAlgo;

    IkeSignAlgo signAlgo;

    X509SignAlgoId signAlgoId;


    //Check the length of the authentication data

    if(authDataLen >= sizeof(IkeAuthData))

    {

       //The signature value is prefixed with an ASN.1 object indicating the

       //algorithm used to generate the signature (refer to RFC 7427, section 3)

       if(authDataLen >= (sizeof(IkeAuthData) + authData->algoIdLen))

       {

          //Parse ASN.1 object

          error = x509ParseSignatureAlgo(authData->algoId, authData->algoIdLen,

             &n, &signAlgoId);


          //Check status code

          if(!error)

          {

             //Select the signature and hash algorithms that match the specified

             //identifier

             error = ikeSelectSignAlgo(&signAlgoId, &signAlgo, &hashAlgo);

          }


          //Check status code

          if(!error)

          {

             //There is no padding between the ASN.1 object and the signature value

             signature = authData->algoId + authData->algoIdLen;


             //Determine the length of the signature, in bytes

             signatureLen = authDataLen - sizeof(IkeAuthData) -

                authData->algoIdLen;


 #if (IKE_RSA_SIGN_SUPPORT == ENABLED)

             //RSA signature algorithm?

             if(signAlgo == IKE_SIGN_ALGO_RSA)

             {

                //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)

                error = ikeVerifyRsaSignature(sa, id, idLen, publicKeyInfo,

                   hashAlgo, signature, signatureLen);

             }

             else

 #endif

 #if (IKE_RSA_PSS_SIGN_SUPPORT == ENABLED)

             //RSA-PSS signature algorithm?

             if(signAlgo == IKE_SIGN_ALGO_RSA_PSS)

             {

                //Verify RSA signature (RSASSA-PSS signature scheme)

                error = ikeVerifyRsaPssSignature(sa, id, idLen, publicKeyInfo,

                   hashAlgo, signAlgoId.rsaPssParams.saltLen, signature,

                   signatureLen);

             }

             else

 #endif

 #if (IKE_DSA_SIGN_SUPPORT == ENABLED)

             //DSA signature algorithm?

             if(signAlgo == IKE_SIGN_ALGO_DSA)

             {

                //Verify DSA signature

                error = ikeVerifyDsaSignature(sa, id, idLen, publicKeyInfo,

                   hashAlgo, signature, signatureLen, IKE_SIGN_FORMAT_ASN1);

             }

             else

 #endif

 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED)

             //ECDSA signature algorithm?

             if(signAlgo == IKE_SIGN_ALGO_ECDSA)

             {

                //Verify ECDSA signature

                error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,

                   NULL, hashAlgo, signature, signatureLen, IKE_SIGN_FORMAT_ASN1);

             }

             else

 #endif

 #if (IKE_ED25519_SIGN_SUPPORT == ENABLED)

             //Ed25519 signature algorithm?

             if(signAlgo == IKE_SIGN_ALGO_ED25519)

             {

                //Verify Ed25519 signature (PureEdDSA mode)

                error = ikeVerifyEd25519Signature(sa, id, idLen, publicKeyInfo,

                   signature, signatureLen);

             }

             else

 #endif

 #if (IKE_ED448_SIGN_SUPPORT == ENABLED)

             //Ed448 signature algorithm?

             if(signAlgo == IKE_SIGN_ALGO_ED448)

             {

                //Verify Ed448 signature (PureEdDSA mode)

                error = ikeVerifyEd448Signature(sa, id, idLen, publicKeyInfo,

                   signature, signatureLen);

             }

             else

 #endif

             //Invalid signature algorithm?

             {

                //Report an error

                error = ERROR_UNSUPPORTED_SIGNATURE_ALGO;

             }

          }

       }

       else

       {

          //Malformed ASN.1 object

          error = ERROR_INVALID_MESSAGE;

       }

    }

    else

    {

       //Malformed authentication data

       error = ERROR_INVALID_MESSAGE;

    }


    //Return status code

    return error;

 }


 /**

  * @brief RSA signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] hashAlgo Hash algorithm

  * @param[in] signature Signature to be verified

  * @param[in] signatureLen Length of the signature, in bytes

  * @return Error code

  **/


 error_t ikeVerifyRsaSignature(IkeSaEntry *sa, const uint8_t *id,

    size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen)

 {

 #if (IKE_RSA_SIGN_SUPPORT == ENABLED)

    error_t error;

    uint_t k;

    RsaPublicKey rsaPublicKey;

    uint8_t digest[MAX_HASH_DIGEST_SIZE];


    //Check public key identifier

    if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,

       RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)))

    {

       //Initialize RSA public key

       rsaInitPublicKey(&rsaPublicKey);


       //Digest signed octets

       error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,

          !sa->originalInitiator);


       //Check status code

       if(!error)

       {

          //Import RSA public key

          error = x509ImportRsaPublicKey(publicKeyInfo, &rsaPublicKey);

       }


       //Check status code

       if(!error)

       {

          //Get the length of the modulus, in bits

          k = mpiGetBitLength(&rsaPublicKey.n);


          //Applications should also enforce minimum and maximum key sizes

          if(k < IKE_MIN_RSA_MODULUS_SIZE || k > IKE_MAX_RSA_MODULUS_SIZE)

          {

             //Report an error

             error = ERROR_BAD_CERTIFICATE;

          }

       }


       //Check status code

       if(!error)

       {

          //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)

          error = rsassaPkcs1v15Verify(&rsaPublicKey, hashAlgo, digest,

             signature, signatureLen);

       }


       //Free previously allocated memory

       rsaFreePublicKey(&rsaPublicKey);

    }

    else

    {

       //Invalid public key identifier

       error = ERROR_INVALID_KEY;

    }


    //Return status code

    return error;

 #else

    //Not implemented

    return ERROR_NOT_IMPLEMENTED;

 #endif

 }


 /**

  * @brief RSA-PSS signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] hashAlgo Hash algorithm

  * @param[in] saltLen Length of the salt, in bytes

  * @param[in] signature Signature to be verified

  * @param[in] signatureLen Length of the signature, in bytes

  * @return Error code

  **/


 error_t ikeVerifyRsaPssSignature(IkeSaEntry *sa, const uint8_t *id,

    size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const HashAlgo *hashAlgo, size_t saltLen, const uint8_t *signature,

    size_t signatureLen)

 {

 #if (IKE_RSA_PSS_SIGN_SUPPORT == ENABLED)

    error_t error;

    uint_t k;

    size_t oidLen;

    const uint8_t *oid;

    RsaPublicKey rsaPublicKey;

    uint8_t digest[MAX_HASH_DIGEST_SIZE];


    //Retrieve public key identifier

    oid = publicKeyInfo->oid.value;

    oidLen = publicKeyInfo->oid.length;


    //Check public key identifier

    if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)) ||

       !oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))

    {

       //Initialize RSA public key

       rsaInitPublicKey(&rsaPublicKey);


       //Digest signed octets

       error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,

          !sa->originalInitiator);


       //Check status code

       if(!error)

       {

          //Import RSA public key

          error = x509ImportRsaPublicKey(publicKeyInfo, &rsaPublicKey);

       }


       //Check status code

       if(!error)

       {

          //Get the length of the modulus, in bits

          k = mpiGetBitLength(&rsaPublicKey.n);


          //Applications should also enforce minimum and maximum key sizes

          if(k < IKE_MIN_RSA_MODULUS_SIZE || k > IKE_MAX_RSA_MODULUS_SIZE)

          {

             //Report an error

             error = ERROR_BAD_CERTIFICATE;

          }

       }


       //Check status code

       if(!error)

       {

          //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)

          error = rsassaPssVerify(&rsaPublicKey, hashAlgo, saltLen, digest,

             signature, signatureLen);

       }


       //Free previously allocated memory

       rsaFreePublicKey(&rsaPublicKey);

    }

    else

    {

       //Invalid public key identifier

       error = ERROR_INVALID_KEY;

    }


    //Return status code

    return error;

 #else

    //Not implemented

    return ERROR_NOT_IMPLEMENTED;

 #endif

 }


 /**

  * @brief DSA signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] hashAlgo Hash algorithm

  * @param[in] signature Signature to be verified

  * @param[in] signatureLen Length of the signature, in bytes

  * @param[in] format Signature format (raw or ASN.1)

  * @return Error code

  **/


 error_t ikeVerifyDsaSignature(IkeSaEntry *sa, const uint8_t *id,

    size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen,

    IkeSignFormat format)

 {

 #if (IKE_DSA_SIGN_SUPPORT == ENABLED)

    error_t error;

    uint_t k;

    DsaPublicKey dsaPublicKey;

    DsaSignature dsaSignature;

    uint8_t digest[MAX_HASH_DIGEST_SIZE];


    //Check public key identifier

    if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,

       DSA_OID, sizeof(DSA_OID)))

    {

       //Initialize DSA public key

       dsaInitPublicKey(&dsaPublicKey);

       //Initialize DSA signature

       dsaInitSignature(&dsaSignature);


       //Digest signed octets

       error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,

          !sa->originalInitiator);


       //Check status code

       if(!error)

       {

          //Import DSA public key

          error = x509ImportDsaPublicKey(publicKeyInfo, &dsaPublicKey);

       }


       //Check status code

       if(!error)

       {

          //Get the length of the modulus, in bits

          k = mpiGetBitLength(&dsaPublicKey.params.p);


          //Applications should also enforce minimum and maximum key sizes

          if(k < IKE_MIN_DSA_MODULUS_SIZE || k > IKE_MAX_DSA_MODULUS_SIZE)

          {

             //Report an error

             error = ERROR_BAD_CERTIFICATE;

          }

       }


       //Check status code

       if(!error)

       {

          //Decode (R, S) integer pair

          error = ikeParseDsaSignature(signature, signatureLen, &dsaSignature,

             format);

       }


       //Check status code

       if(!error)

       {

          //Verify DSA signature

          error = dsaVerifySignature(&dsaPublicKey, digest, hashAlgo->digestSize,

             &dsaSignature);

       }


       //Free previously allocated memory

       dsaFreePublicKey(&dsaPublicKey);

       dsaFreeSignature(&dsaSignature);

    }

    else

    {

       //Invalid public key identifier

       error = ERROR_INVALID_KEY;

    }


    //Return status code

    return error;

 #else

    //Not implemented

    return ERROR_NOT_IMPLEMENTED;

 #endif

 }


 /**

  * @brief ECDSA signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] group Elliptic curve group

  * @param[in] hashAlgo Hash algorithm

  * @param[in] signature Signature to be verified

  * @param[in] signatureLen Length of the signature, in bytes

  * @param[in] format Signature format (raw or ASN.1)

  * @return Error code

  **/


 error_t ikeVerifyEcdsaSignature(IkeSaEntry *sa, const uint8_t *id,

    size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const EcCurveInfo *group, const HashAlgo *hashAlgo,

    const uint8_t *signature, size_t signatureLen, IkeSignFormat format)

 {

 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED)

    error_t error;

    const EcCurveInfo *curveInfo;

    EcDomainParameters ecParams;

    EcPublicKey ecPublicKey;

    EcdsaSignature ecdsaSignature;

    uint8_t digest[MAX_HASH_DIGEST_SIZE];


    //Check public key identifier

    if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,

       EC_PUBLIC_KEY_OID, sizeof(EC_PUBLIC_KEY_OID)))

    {

       //Retrieve EC domain parameters

       curveInfo = ecGetCurveInfo(publicKeyInfo->ecParams.namedCurve.value,

          publicKeyInfo->ecParams.namedCurve.length);


       //Make sure the specified elliptic curve is acceptable

       if(curveInfo != NULL && (curveInfo == group || group == NULL))

       {

          //Initialize EC domain parameters

          ecInitDomainParameters(&ecParams);

          //Initialize DSA public key

          ecInitPublicKey(&ecPublicKey);

          //Initialize DSA signature

          ecdsaInitSignature(&ecdsaSignature);


          //Digest signed octets

          error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,

             !sa->originalInitiator);


          //Check status code

          if(!error)

          {

             //Load EC domain parameters

             error = ecLoadDomainParameters(&ecParams, curveInfo);

          }


          //Check status code

          if(!error)

          {

             //Import EC public key

             error = x509ImportEcPublicKey(publicKeyInfo, &ecPublicKey);

          }


          //Check status code

          if(!error)

          {

             //Decode (R, S) integer pair

             error = ikeParseEcdsaSignature(&ecParams, signature, signatureLen,

                &ecdsaSignature, format);

          }


          //Check status code

          if(!error)

          {

             //Verify ECDSA signature

             error = ecdsaVerifySignature(&ecParams, &ecPublicKey, digest,

                hashAlgo->digestSize, &ecdsaSignature);

          }


          //Free previously allocated memory

          ecFreeDomainParameters(&ecParams);

          ecFreePublicKey(&ecPublicKey);

          ecdsaFreeSignature(&ecdsaSignature);

       }

       else

       {

          //Unknown elliptic curve identifier

          return ERROR_INVALID_SIGNATURE;

       }

    }

    else

    {

       //Invalid public key identifier

       error = ERROR_INVALID_KEY;

    }


    //Return status code

    return error;

 #else

    //Not implemented

    return ERROR_NOT_IMPLEMENTED;

 #endif

 }


 /**

  * @brief Ed25519 signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] signature Signature to be verified

  * @param[in] signatureLen Length of the signature, in bytes

  * @return Error code

  **/


 error_t ikeVerifyEd25519Signature(IkeSaEntry *sa, const uint8_t *id,

    size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const uint8_t *signature, size_t signatureLen)

 {

 #if (IKE_ED25519_SIGN_SUPPORT == ENABLED)

    error_t error;

    EddsaMessageChunk messageChunks[4];

    uint8_t macId[MAX_HASH_DIGEST_SIZE];


    //Check public key identifier

    if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,

       ED25519_OID, sizeof(ED25519_OID)))

    {

       //Valid Ed25519 public key?

       if(publicKeyInfo->ecPublicKey.q.value != NULL &&

          publicKeyInfo->ecPublicKey.q.length == ED25519_PUBLIC_KEY_LEN)

       {

          //The Ed25519 signature shall consist of 32 octets

          if(signatureLen == ED25519_SIGNATURE_LEN)

          {

             //Data to be signed is run through the EdDSA algorithm without

             //pre-hashing

             error = ikeGetSignedOctets(sa, id, idLen, macId, messageChunks,

                !sa->originalInitiator);


             //Check status code

             if(!error)

             {

                //Verify Ed25519 signature (PureEdDSA mode)

                error = ed25519VerifySignatureEx(publicKeyInfo->ecPublicKey.q.value,

                   messageChunks, NULL, 0, 0, signature);

             }

          }

          else

          {

             //The length of the signature is not valid

             error = ERROR_INVALID_SIGNATURE;

          }

       }

       else

       {

          //The public key is not valid

          error = ERROR_INVALID_KEY;

       }

    }

    else

    {

       //Invalid public key identifier

       error = ERROR_INVALID_KEY;

    }


    //Return status code

    return error;

 #else

    //Not implemented

    return ERROR_NOT_IMPLEMENTED;

 #endif

 }


 /**

  * @brief Ed448 signature verification

  * @param[in] sa Pointer to the IKE SA

  * @param[in] id Pointer to the identification data

  * @param[in] idLen Length of the identification data, in bytes

  * @param[in] publicKeyInfo Pointer to the subject's public key

  * @param[in] signature Signature to be verified

  * @param[in] signatureLen Length of the signature, in bytes

  * @return Error code

  **/


 error_t ikeVerifyEd448Signature(IkeSaEntry *sa, const uint8_t *id,

    size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,

    const uint8_t *signature, size_t signatureLen)

 {

 #if (IKE_ED448_SIGN_SUPPORT == ENABLED)

    error_t error;

    EddsaMessageChunk messageChunks[4];

    uint8_t macId[MAX_HASH_DIGEST_SIZE];


    //Check public key identifier

    if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,

       ED448_OID, sizeof(ED448_OID)))

    {

       //Valid Ed448 public key?

       if(publicKeyInfo->ecPublicKey.q.value != NULL &&

          publicKeyInfo->ecPublicKey.q.length == ED448_PUBLIC_KEY_LEN)

       {

          //The Ed448 signature shall consist of 57 octets

          if(signatureLen == ED448_SIGNATURE_LEN)

          {

             //Data to be signed is run through the EdDSA algorithm without

             //pre-hashing

             error = ikeGetSignedOctets(sa, id, idLen, macId, messageChunks,

                !sa->originalInitiator);


             //Check status code

             if(!error)

             {

                //Verify Ed448 signature (PureEdDSA mode)

                error = ed448VerifySignatureEx(publicKeyInfo->ecPublicKey.q.value,

                   messageChunks, NULL, 0, 0, signature);

             }

          }

          else

          {

             //The length of the signature is not valid

             error = ERROR_INVALID_SIGNATURE;

          }

       }

       else

       {

          //The public key is not valid

          error = ERROR_INVALID_KEY;

       }

    }

    else

    {

       //Invalid public key identifier

       error = ERROR_INVALID_KEY;

    }


    //Return status code

    return error;

 #else

    //Not implemented

    return ERROR_NOT_IMPLEMENTED;

 #endif

 }


 #endif

uint_t
unsigned int uint_t
Definition: compiler_port.h:50

debug.h
Debugging facilities.

n
uint8_t n
Definition: dhcpv6_common.h:416

dsaVerifySignature
error_t dsaVerifySignature(const DsaPublicKey *key, const uint8_t *digest, size_t digestLen, const DsaSignature *signature)
DSA signature verification.
Definition: dsa.c:585

dsaInitSignature
void dsaInitSignature(DsaSignature *signature)
Initialize a DSA signature.
Definition: dsa.c:164

dsaFreeSignature
void dsaFreeSignature(DsaSignature *signature)
Release a DSA signature.
Definition: dsa.c:177

dsaInitPublicKey
void dsaInitPublicKey(DsaPublicKey *key)
Initialize a DSA public key.
Definition: dsa.c:105

DSA_OID
const uint8_t DSA_OID[7]
Definition: dsa.c:51

dsaFreePublicKey
void dsaFreePublicKey(DsaPublicKey *key)
Release a DSA public key.
Definition: dsa.c:119

ecFreeDomainParameters
void ecFreeDomainParameters(EcDomainParameters *params)
Release EC domain parameters.
Definition: ec.c:72

ecInitDomainParameters
void ecInitDomainParameters(EcDomainParameters *params)
Initialize EC domain parameters.
Definition: ec.c:51

EC_PUBLIC_KEY_OID
const uint8_t EC_PUBLIC_KEY_OID[7]
Definition: ec.c:43

ecInitPublicKey
void ecInitPublicKey(EcPublicKey *key)
Initialize an EC public key.
Definition: ec.c:153

ecLoadDomainParameters
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:90

ecFreePublicKey
void ecFreePublicKey(EcPublicKey *key)
Release an EC public key.
Definition: ec.c:165

ED25519_OID
const uint8_t ED25519_OID[3]
Definition: ec_curves.c:98

ecGetCurveInfo
const EcCurveInfo * ecGetCurveInfo(const uint8_t *oid, size_t length)
Get the elliptic curve that matches the specified OID.
Definition: ec_curves.c:2374

ED448_OID
const uint8_t ED448_OID[3]
Definition: ec_curves.c:100

SECP521R1_CURVE
#define SECP521R1_CURVE
Definition: ec_curves.h:242

SECP256R1_CURVE
#define SECP256R1_CURVE
Definition: ec_curves.h:240

SECP384R1_CURVE
#define SECP384R1_CURVE
Definition: ec_curves.h:241

ecdsaVerifySignature
__weak_func error_t ecdsaVerifySignature(const EcDomainParameters *params, const EcPublicKey *publicKey, const uint8_t *digest, size_t digestLen, const EcdsaSignature *signature)
ECDSA signature verification.
Definition: ecdsa.c:507

ecdsaFreeSignature
void ecdsaFreeSignature(EcdsaSignature *signature)
Release an ECDSA signature.
Definition: ecdsa.c:82

ecdsaInitSignature
void ecdsaInitSignature(EcdsaSignature *signature)
Initialize an ECDSA signature.
Definition: ecdsa.c:69

ed25519VerifySignatureEx
error_t ed25519VerifySignatureEx(const uint8_t *publicKey, const EddsaMessageChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed25519.c:463

ED25519_PUBLIC_KEY_LEN
#define ED25519_PUBLIC_KEY_LEN
Definition: ed25519.h:42

ED25519_SIGNATURE_LEN
#define ED25519_SIGNATURE_LEN
Definition: ed25519.h:44

ed448VerifySignatureEx
error_t ed448VerifySignatureEx(const uint8_t *publicKey, const EddsaMessageChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed448.c:438

ED448_PUBLIC_KEY_LEN
#define ED448_PUBLIC_KEY_LEN
Definition: ed448.h:42

ED448_SIGNATURE_LEN
#define ED448_SIGNATURE_LEN
Definition: ed448.h:44

error_t
error_t
Error codes.
Definition: error.h:43

ERROR_INVALID_KEY
@ ERROR_INVALID_KEY
Definition: error.h:106

ERROR_UNSUPPORTED_SIGNATURE_ALGO
@ ERROR_UNSUPPORTED_SIGNATURE_ALGO
Definition: error.h:132

ERROR_INVALID_MESSAGE
@ ERROR_INVALID_MESSAGE
Definition: error.h:105

ERROR_INVALID_SIGNATURE
@ ERROR_INVALID_SIGNATURE
Definition: error.h:226

ERROR_INVALID_SIGNATURE_ALGO
@ ERROR_INVALID_SIGNATURE_ALGO
Definition: error.h:134

ERROR_NOT_IMPLEMENTED
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66

ERROR_BAD_CERTIFICATE
@ ERROR_BAD_CERTIFICATE
Definition: error.h:234

MAX_HASH_DIGEST_SIZE
#define MAX_HASH_DIGEST_SIZE
Definition: hash_algorithms.h:231

ike.h
IKEv2 (Internet Key Exchange Protocol)

IKE_AUTH_METHOD_DSS
@ IKE_AUTH_METHOD_DSS
DSS Digital Signature.
Definition: ike.h:989

IKE_AUTH_METHOD_ECDSA_P256_SHA256
@ IKE_AUTH_METHOD_ECDSA_P256_SHA256
ECDSA with SHA-256 on the P-256 curve.
Definition: ike.h:990

IKE_AUTH_METHOD_DIGITAL_SIGN
@ IKE_AUTH_METHOD_DIGITAL_SIGN
Digital Signature.
Definition: ike.h:995

IKE_AUTH_METHOD_ECDSA_P384_SHA384
@ IKE_AUTH_METHOD_ECDSA_P384_SHA384
ECDSA with SHA-384 on the P-384 curve.
Definition: ike.h:991

IKE_AUTH_METHOD_RSA
@ IKE_AUTH_METHOD_RSA
RSA Digital Signature.
Definition: ike.h:987

IKE_AUTH_METHOD_ECDSA_P521_SHA512
@ IKE_AUTH_METHOD_ECDSA_P521_SHA512
ECDSA with SHA-512 on the P-521 curve.
Definition: ike.h:992

IKE_MAX_RSA_MODULUS_SIZE
#define IKE_MAX_RSA_MODULUS_SIZE
Definition: ike.h:593

IkeSaEntry
#define IkeSaEntry
Definition: ike.h:682

IKE_MAX_DSA_MODULUS_SIZE
#define IKE_MAX_DSA_MODULUS_SIZE
Definition: ike.h:607

IkeAuthData
IkeAuthData
Definition: ike.h:1414

IKE_RSA_SIGN_SUPPORT
#define IKE_RSA_SIGN_SUPPORT
Definition: ike.h:453

authMethod
uint8_t authMethod
Definition: ike.h:1400

ikeGetSignedOctets
error_t ikeGetSignedOctets(IkeSaEntry *sa, const uint8_t *id, size_t idLen, uint8_t *macId, EddsaMessageChunk *messageChunks, bool_t initiator)
Retrieve the octets to be signed using EdDSA.
Definition: ike_sign_misc.c:863

ikeDigestSignedOctets
error_t ikeDigestSignedOctets(IkeSaEntry *sa, const HashAlgo *hashAlgo, const uint8_t *id, size_t idLen, uint8_t *digest, bool_t initiator)
Digest signed octets.
Definition: ike_sign_misc.c:937

ikeParseEcdsaSignature
error_t ikeParseEcdsaSignature(EcDomainParameters *params, const uint8_t *data, size_t length, EcdsaSignature *signature, IkeSignFormat format)
ECDSA signature parsing.
Definition: ike_sign_misc.c:236

ikeParseDsaSignature
error_t ikeParseDsaSignature(const uint8_t *data, size_t length, DsaSignature *signature, IkeSignFormat format)
DSA signature parsing.
Definition: ike_sign_misc.c:176

ikeSelectSignAlgo
error_t ikeSelectSignAlgo(const X509SignAlgoId *signAlgoId, IkeSignAlgo *signAlgo, const HashAlgo **hashAlgo)
Select the signature and hash algorithms that match the specified identifier.
Definition: ike_sign_misc.c:539

IkeSignFormat
IkeSignFormat
Signature format.
Definition: ike_sign_misc.h:48

IKE_SIGN_FORMAT_RAW
@ IKE_SIGN_FORMAT_RAW
Definition: ike_sign_misc.h:49

IKE_SIGN_FORMAT_ASN1
@ IKE_SIGN_FORMAT_ASN1
Definition: ike_sign_misc.h:50

IkeSignAlgo
IkeSignAlgo
Signature algorithms.
Definition: ike_sign_misc.h:59

IKE_SIGN_ALGO_ECDSA
@ IKE_SIGN_ALGO_ECDSA
Definition: ike_sign_misc.h:64

IKE_SIGN_ALGO_RSA
@ IKE_SIGN_ALGO_RSA
Definition: ike_sign_misc.h:61

IKE_SIGN_ALGO_DSA
@ IKE_SIGN_ALGO_DSA
Definition: ike_sign_misc.h:63

IKE_SIGN_ALGO_ED25519
@ IKE_SIGN_ALGO_ED25519
Definition: ike_sign_misc.h:65

IKE_SIGN_ALGO_RSA_PSS
@ IKE_SIGN_ALGO_RSA_PSS
Definition: ike_sign_misc.h:62

IKE_SIGN_ALGO_ED448
@ IKE_SIGN_ALGO_ED448
Definition: ike_sign_misc.h:66

ikeVerifyEd25519Signature
error_t ikeVerifyEd25519Signature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Ed25519 signature verification.
Definition: ike_sign_verify.c:658

ikeVerifyRsaSignature
error_t ikeVerifyRsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen)
RSA signature verification.
Definition: ike_sign_verify.c:292

ikeVerifyDsaSignature
error_t ikeVerifyDsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen, IkeSignFormat format)
DSA signature verification.
Definition: ike_sign_verify.c:461

ikeVerifyEd448Signature
error_t ikeVerifyEd448Signature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Ed448 signature verification.
Definition: ike_sign_verify.c:729

ikeVerifyEcdsaSignature
error_t ikeVerifyEcdsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const EcCurveInfo *group, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen, IkeSignFormat format)
ECDSA signature verification.
Definition: ike_sign_verify.c:556

ikeVerifyRsaPssSignature
error_t ikeVerifyRsaPssSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, size_t saltLen, const uint8_t *signature, size_t signatureLen)
RSA-PSS signature verification.
Definition: ike_sign_verify.c:373

ikeVerifySignature
error_t ikeVerifySignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, uint8_t authMethod, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Signature verification.
Definition: ike_sign_verify.c:58

ikeVerifyDigitalSignature
error_t ikeVerifyDigitalSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const IkeAuthData *authData, size_t authDataLen)
Digital signature verification.
Definition: ike_sign_verify.c:154

ike_sign_verify.h
RSA/DSA/ECDSA/EdDSA signature verification.

authData
uint8_t authData[]
Definition: ipv6.h:344

oid
uint8_t oid[]
Definition: lldp_tlv.h:300

oidLen
uint8_t oidLen
Definition: lldp_tlv.h:299

mpiGetBitLength
uint_t mpiGetBitLength(const Mpi *a)
Get the actual length in bits.
Definition: mpi.c:234

oidComp
int_t oidComp(const uint8_t *oid1, size_t oidLen1, const uint8_t *oid2, size_t oidLen2)
Compare object identifiers.
Definition: oid.c:103

oid.h
OID (Object Identifier)

ENABLED
#define ENABLED
Definition: os_port.h:37

RSA_ENCRYPTION_OID
const uint8_t RSA_ENCRYPTION_OID[9]
Definition: rsa.c:57

rsassaPssVerify
error_t rsassaPssVerify(const RsaPublicKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PSS signature verification operation.
Definition: rsa.c:1079

rsaFreePublicKey
void rsaFreePublicKey(RsaPublicKey *key)
Release an RSA public key.
Definition: rsa.c:118

RSASSA_PSS_OID
const uint8_t RSASSA_PSS_OID[9]
Definition: rsa.c:88

rsassaPkcs1v15Verify
error_t rsassaPkcs1v15Verify(const RsaPublicKey *key, const HashAlgo *hash, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PKCS1-v1_5 signature verification operation.
Definition: rsa.c:838

rsaInitPublicKey
void rsaInitPublicKey(RsaPublicKey *key)
Initialize an RSA public key.
Definition: rsa.c:105

SHA1_HASH_ALGO
#define SHA1_HASH_ALGO
Definition: sha1.h:49

SHA256_HASH_ALGO
#define SHA256_HASH_ALGO
Definition: sha256.h:49

SHA384_HASH_ALGO
#define SHA384_HASH_ALGO
Definition: sha384.h:45

SHA512_HASH_ALGO
#define SHA512_HASH_ALGO
Definition: sha512.h:49

DsaDomainParameters::p
Mpi p
Prime modulus.
Definition: dsa.h:50

DsaPublicKey
DSA public key.
Definition: dsa.h:61

DsaPublicKey::params
DsaDomainParameters params
DSA domain parameters.
Definition: dsa.h:62

DsaSignature
DSA signature.
Definition: dsa.h:84

EcCurveInfo
Elliptic curve parameters.
Definition: ec_curves.h:295

EcDomainParameters
EC domain parameters.
Definition: ec.h:76

EcPublicKey
EC public key.
Definition: ec.h:94

EcdsaSignature
ECDSA signature.
Definition: ecdsa.h:49

EddsaMessageChunk
Message chunk descriptor.
Definition: eddsa.h:71

HashAlgo
Common interface for hash algorithms.
Definition: crypto.h:1014

HashAlgo::digestSize
size_t digestSize
Definition: crypto.h:1020

RsaPublicKey
RSA public key.
Definition: rsa.h:57

RsaPublicKey::n
Mpi n
Modulus.
Definition: rsa.h:58

X509EcParameters::namedCurve
X509OctetString namedCurve
Definition: x509_common.h:764

X509EcPublicKey::q
X509OctetString q
Definition: x509_common.h:774

X509OctetString::value
const uint8_t * value
Definition: x509_common.h:647

X509OctetString::length
size_t length
Definition: x509_common.h:648

X509RsaPssParameters::saltLen
size_t saltLen
Definition: x509_common.h:1024

X509SignAlgoId
Signature algorithm identifier.
Definition: x509_common.h:1033

X509SignAlgoId::rsaPssParams
X509RsaPssParameters rsaPssParams
Definition: x509_common.h:1036

X509SubjectPublicKeyInfo
Subject Public Key Information extension.
Definition: x509_common.h:783

X509SubjectPublicKeyInfo::ecPublicKey
X509EcPublicKey ecPublicKey
Definition: x509_common.h:796

X509SubjectPublicKeyInfo::oid
X509OctetString oid
Definition: x509_common.h:785

X509SubjectPublicKeyInfo::ecParams
X509EcParameters ecParams
Definition: x509_common.h:795

x509ImportEcPublicKey
error_t x509ImportEcPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, EcPublicKey *publicKey)
Import an EC public key.
Definition: x509_key_parse.c:718

x509ImportRsaPublicKey
error_t x509ImportRsaPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, RsaPublicKey *publicKey)
Import an RSA public key.
Definition: x509_key_parse.c:563

x509ImportDsaPublicKey
error_t x509ImportDsaPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, DsaPublicKey *publicKey)
Import a DSA public key.
Definition: x509_key_parse.c:633

x509_key_parse.h
Parsing of ASN.1 encoded keys.

x509ParseSignatureAlgo
error_t x509ParseSignatureAlgo(const uint8_t *data, size_t length, size_t *totalLength, X509SignAlgoId *signatureAlgo)
Parse SignatureAlgorithm structure.
Definition: x509_sign_parse.c:53

x509_sign_parse.h