ra8_crypto_pkc.c
Go to the documentation of this file.
1 /**
2  * @file ra8_crypto_pkc.c
3  * @brief RA8 public-key hardware accelerator
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCRYPTO Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.0
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
33 
34 //Dependencies
35 #include "hw_sce_private.h"
36 #include "hw_sce_ra_private.h"
37 #include "hw_sce_rsa_private.h"
38 #include "hw_sce_ecc_private.h"
39 #include "core/crypto.h"
40 #include "hardware/ra8/ra8_crypto.h"
41 #include "hardware/ra8/ra8_crypto_pkc.h"
42 #include "pkc/rsa.h"
43 #include "ecc/ec.h"
44 #include "ecc/ecdsa.h"
45 #include "debug.h"
46 
47 //Check crypto library configuration
48 #if (RA8_CRYPTO_PKC_SUPPORT == ENABLED)
49 
50 //Global variables
51 extern const uint32_t sce_oem_key_size[SCE_OEM_CMD_NUM];
52 static Ra8RsaArgs rsaArgs;
53 static Ra8EcArgs ecArgs;
54 
55 
56 /**
57  * @brief Modular exponentiation (fast calculation)
58  * @param[out] r Resulting integer R = A ^ E mod P
59  * @param[in] a Pointer to a multiple precision integer
60  * @param[in] e Exponent
61  * @param[in] p Modulus
62  * @return Error code
63  **/
64 
65 error_t mpiExpModFast(Mpi *r, const Mpi *a, const Mpi *e, const Mpi *p)
66 {
67  error_t error;
68  fsp_err_t status;
69  size_t aLen;
70  size_t eLen;
71  size_t pLen;
72  sce_oem_cmd_t command;
73 
74  //Retrieve the length of the integer, in bytes
75  aLen = mpiGetByteLength(a);
76  //Retrieve the length of the exponent, in bytes
77  eLen = mpiGetByteLength(e);
78  //Retrieve the length of the modulus, in bytes
79  pLen = mpiGetByteLength(p);
80 
81  //The accelerator supports operand lengths up to 4096 bits
82  if((aLen <= 128 && eLen <= 4 && pLen == 128) ||
83  (aLen <= 256 && eLen <= 4 && pLen == 256) ||
84  (aLen <= 384 && eLen <= 4 && pLen == 384) ||
85  (aLen <= 512 && eLen <= 4 && pLen == 512))
86  {
87  //Select appropriate scalar length
88  if(pLen == 128)
89  {
90  command = SCE_OEM_CMD_RSA1024_PUBLIC;
91  }
92  else if(pLen == 256)
93  {
94  command = SCE_OEM_CMD_RSA2048_PUBLIC;
95  }
96  else if(pLen == 384)
97  {
98  command = SCE_OEM_CMD_RSA3072_PUBLIC;
99  }
100  else
101  {
102  command = SCE_OEM_CMD_RSA4096_PUBLIC;
103  }
104 
105  //Acquire exclusive access to the RSIP7 module
106  osAcquireMutex(&ra8CryptoMutex);
107 
108  //Format message representative
109  mpiWriteRaw(a, (uint8_t *) rsaArgs.m, pLen);
110 
111  //Format public key
112  mpiWriteRaw(p, (uint8_t *) rsaArgs.key, pLen);
113  mpiWriteRaw(e, (uint8_t *) rsaArgs.key + pLen, 4);
114 
115  //Install the plaintext public key and get the wrapped key
116  status = HW_SCE_GenerateOemKeyIndexPrivate(SCE_OEM_KEY_TYPE_PLAIN,
117  command, NULL, NULL, (uint8_t *) rsaArgs.key, rsaArgs.wrappedKey);
118 
119  //Check status code
120  if(status == FSP_SUCCESS)
121  {
122  //Perform RSA encryption
123  if(pLen == 128)
124  {
125  status = HW_SCE_Rsa1024ModularExponentEncryptSub(rsaArgs.wrappedKey,
126  rsaArgs.m, rsaArgs.c);
127  }
128  else if(pLen == 256)
129  {
130  status = HW_SCE_Rsa2048ModularExponentEncryptSub(rsaArgs.wrappedKey,
131  rsaArgs.m, rsaArgs.c);
132  }
133  else if(pLen == 384)
134  {
135  status = HW_SCE_Rsa3072ModularExponentEncryptSub(rsaArgs.wrappedKey,
136  rsaArgs.m, rsaArgs.c);
137  }
138  else if(pLen == 512)
139  {
140  status = HW_SCE_Rsa4096ModularExponentEncryptSub(rsaArgs.wrappedKey,
141  rsaArgs.m, rsaArgs.c);
142  }
143  else
144  {
145  status = FSP_ERR_CRYPTO_NOT_IMPLEMENTED;
146  }
147  }
148 
149  //Check status code
150  if(status == FSP_SUCCESS)
151  {
152  //Copy the ciphertext representative
153  error = mpiReadRaw(r, (uint8_t *) rsaArgs.c, pLen);
154  }
155  else
156  {
157  //Report an error
158  error = ERROR_FAILURE;
159  }
160 
161  //Release exclusive access to the RSIP7 module
162  osReleaseMutex(&ra8CryptoMutex);
163  }
164  else
165  {
166  //Perform modular exponentiation (r = a ^ e mod p)
167  error = mpiExpModRegular(r, a, e, p);
168  }
169 
170  //Return status code
171  return error;
172 }
173 
174 
175 /**
176  * @brief Modular exponentiation (regular calculation)
177  * @param[out] r Resulting integer R = A ^ E mod P
178  * @param[in] a Pointer to a multiple precision integer
179  * @param[in] e Exponent
180  * @param[in] p Modulus
181  * @return Error code
182  **/
183 
184 error_t mpiExpModRegular(Mpi *r, const Mpi *a, const Mpi *e, const Mpi *p)
185 {
186  error_t error;
187  fsp_err_t status;
188  size_t aLen;
189  size_t eLen;
190  size_t pLen;
191  sce_oem_cmd_t command;
192 
193  //Retrieve the length of the integer, in bytes
194  aLen = mpiGetByteLength(a);
195  //Retrieve the length of the exponent, in bytes
196  eLen = mpiGetByteLength(e);
197  //Retrieve the length of the modulus, in bytes
198  pLen = mpiGetByteLength(p);
199 
200  //The accelerator supports operand lengths up to 4096 bits
201  if((aLen <= 128 && eLen <= 128 && pLen == 128) ||
202  (aLen <= 256 && eLen <= 256 && pLen == 256) ||
203  (aLen <= 384 && eLen <= 384 && pLen == 384) ||
204  (aLen <= 512 && eLen <= 512 && pLen == 512))
205  {
206  //Select appropriate scalar length
207  if(pLen == 128)
208  {
209  command = SCE_OEM_CMD_RSA1024_PRIVATE;
210  }
211  else if(pLen == 256)
212  {
213  command = SCE_OEM_CMD_RSA2048_PRIVATE;
214  }
215  else if(pLen == 384)
216  {
217  command = SCE_OEM_CMD_RSA3072_PRIVATE;
218  }
219  else
220  {
221  command = SCE_OEM_CMD_RSA4096_PRIVATE;
222  }
223 
224  //Acquire exclusive access to the RSIP7 module
225  osAcquireMutex(&ra8CryptoMutex);
226 
227  //Format ciphertext representative
228  mpiWriteRaw(a, (uint8_t *) rsaArgs.c, pLen);
229 
230  //Format private key
231  mpiWriteRaw(p, (uint8_t *) rsaArgs.key, pLen);
232  mpiWriteRaw(e, (uint8_t *) rsaArgs.key + pLen, pLen);
233 
234  //Install the plaintext private key and get the wrapped key
235  status = HW_SCE_GenerateOemKeyIndexPrivate(SCE_OEM_KEY_TYPE_PLAIN,
236  command, NULL, NULL, (uint8_t *) rsaArgs.key, rsaArgs.wrappedKey);
237 
238  //Check status code
239  if(status == FSP_SUCCESS)
240  {
241  //Perform RSA decryption
242  if(pLen == 128)
243  {
244  status = HW_SCE_Rsa1024ModularExponentDecryptSub(rsaArgs.wrappedKey,
245  rsaArgs.c, rsaArgs.m);
246  }
247  else if(pLen == 256)
248  {
249  status = HW_SCE_Rsa2048ModularExponentDecryptSub(rsaArgs.wrappedKey,
250  rsaArgs.c, rsaArgs.m);
251  }
252  else if(pLen == 384)
253  {
254  status = HW_SCE_Rsa3072ModularExponentDecryptSub(rsaArgs.wrappedKey,
255  rsaArgs.c, rsaArgs.m);
256  }
257  else if(pLen == 512)
258  {
259  status = HW_SCE_Rsa4096ModularExponentDecryptSub(rsaArgs.wrappedKey,
260  rsaArgs.c, rsaArgs.m);
261  }
262  else
263  {
264  status = FSP_ERR_CRYPTO_NOT_IMPLEMENTED;
265  }
266  }
267 
268  //Check status code
269  if(status == FSP_SUCCESS)
270  {
271  //Copy the message representative
272  error = mpiReadRaw(r, (uint8_t *) rsaArgs.m, pLen);
273  }
274  else
275  {
276  //Report an error
277  error = ERROR_FAILURE;
278  }
279 
280  //Release exclusive access to the RSIP7 module
281  osReleaseMutex(&ra8CryptoMutex);
282  }
283  else
284  {
285  //Perform modular exponentiation (r = a ^ e mod p)
286  error = mpiExpMod(r, a, e, p);
287  }
288 
289  //Return status code
290  return error;
291 }
292 
293 
294 /**
295  * @brief RSA decryption primitive
296  *
297  * The RSA decryption primitive recovers the message representative from
298  * the ciphertext representative under the control of a private key
299  *
300  * @param[in] key RSA private key
301  * @param[in] c Ciphertext representative
302  * @param[out] m Message representative
303  * @return Error code
304  **/
305 
306 error_t rsadp(const RsaPrivateKey *key, const Mpi *c, Mpi *m)
307 {
308  error_t error;
309  size_t nLen;
310  size_t dLen;
311  size_t pLen;
312  size_t qLen;
313  size_t dpLen;
314  size_t dqLen;
315  size_t qinvLen;
316 
317  //Retrieve the length of the private key
318  nLen = mpiGetByteLength(&key->n);
319  dLen = mpiGetByteLength(&key->d);
320  pLen = mpiGetByteLength(&key->p);
321  qLen = mpiGetByteLength(&key->q);
322  dpLen = mpiGetByteLength(&key->dp);
323  dqLen = mpiGetByteLength(&key->dq);
324  qinvLen = mpiGetByteLength(&key->qinv);
325 
326  //Sanity check
327  if(nLen == 0)
328  return ERROR_INVALID_PARAMETER;
329 
330  //The ciphertext representative c shall be between 0 and n - 1
331  if(mpiCompInt(c, 0) < 0 || mpiComp(c, &key->n) >= 0)
332  return ERROR_OUT_OF_RANGE;
333 
334  //Check the length of the private key
335  if((nLen == 128 && dLen <= 128) || (nLen == 384 && dLen <= 384))
336  {
337  //Let m = c ^ d mod n
338  error = mpiExpModRegular(m, c, &key->d, &key->n);
339  }
340  else if(nLen > 0 && pLen > 0 && qLen > 0 && dpLen > 0 && dqLen > 0 &&
341  qinvLen > 0)
342  {
343  Mpi m1;
344  Mpi m2;
345  Mpi h;
346 
347  //Initialize multiple-precision integers
348  mpiInit(&m1);
349  mpiInit(&m2);
350  mpiInit(&h);
351 
352  //Compute m1 = c ^ dP mod p
353  error = mpiMod(&m1, c, &key->p);
354 
355  if(!error)
356  {
357  error = mpiExpModRegular(&m1, &m1, &key->dp, &key->p);
358  }
359 
360  //Compute m2 = c ^ dQ mod q
361  if(!error)
362  {
363  error = mpiMod(&m2, c, &key->q);
364  }
365 
366  if(!error)
367  {
368  error = mpiExpModRegular(&m2, &m2, &key->dq, &key->q);
369  }
370 
371  //Let h = (m1 - m2) * qInv mod p
372  if(!error)
373  {
374  error = mpiSub(&h, &m1, &m2);
375  }
376 
377  if(!error)
378  {
379  error = mpiMulMod(&h, &h, &key->qinv, &key->p);
380  }
381 
382  //Let m = m2 + q * h
383  if(!error)
384  {
385  error = mpiMul(m, &key->q, &h);
386  }
387 
388  if(!error)
389  {
390  error = mpiAdd(m, m, &m2);
391  }
392 
393  //Free previously allocated memory
394  mpiFree(&m1);
395  mpiFree(&m2);
396  mpiFree(&h);
397  }
398  else if(nLen > 0 && dLen > 0)
399  {
400  //Let m = c ^ d mod n
401  error = mpiExpModRegular(m, c, &key->d, &key->n);
402  }
403  else
404  {
405  //Report an error
406  error = ERROR_INVALID_PARAMETER;
407  }
408 
409  //Return status code
410  return error;
411 }
412 
413 
414 /**
415  * @brief Scalar multiplication
416  * @param[in] params EC domain parameters
417  * @param[out] r Resulting point R = d.S
418  * @param[in] d An integer d such as 0 <= d < p
419  * @param[in] s EC point
420  * @return Error code
421  **/
422 
423 error_t ecMult(const EcDomainParameters *params, EcPoint *r, const Mpi *d,
424  const EcPoint *s)
425 {
426  error_t error;
427  fsp_err_t status;
428  size_t n;
429  uint32_t curveType;
430  uint32_t command;
431  sce_oem_cmd_t oemCommand;
432  const uint32_t *domainParams;
433 
434  //Check elliptic curve parameters
435  if(!osStrcmp(params->name, "secp256k1"))
436  {
437  curveType = SCE_ECC_CURVE_TYPE_KOBLITZ;
438  oemCommand = SCE_OEM_CMD_ECC_SECP256K1_PRIVATE;
439  domainParams = DomainParam_Koblitz_secp256k1;
440  command = 0;
441  n = 32;
442  }
443  else if(!osStrcmp(params->name, "secp256r1"))
444  {
445  curveType = SCE_ECC_CURVE_TYPE_NIST;
446  oemCommand = SCE_OEM_CMD_ECC_P256_PRIVATE;
447  domainParams = DomainParam_NIST_P256;
448  command = 0;
449  n = 32;
450  }
451  else if(!osStrcmp(params->name, "secp384r1"))
452  {
453  curveType = SCE_ECC_CURVE_TYPE_NIST;
454  oemCommand = SCE_OEM_CMD_ECC_P384_PRIVATE;
455  domainParams = DomainParam_NIST_P384;
456  command = 0;
457  n = 48;
458  }
459  else if(!osStrcmp(params->name, "secp521r1") &&
460  sce_oem_key_size[SCE_OEM_CMD_ECC_P521_PRIVATE] != 0)
461  {
462  curveType = SCE_ECC_CURVE_TYPE_NIST;
463  oemCommand = SCE_OEM_CMD_ECC_P521_PRIVATE;
464  domainParams = DomainParam_NIST_P521;
465  command = 0;
466  n = 80;
467  }
468  else if(!osStrcmp(params->name, "brainpoolP256r1"))
469  {
470  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
471  oemCommand = SCE_OEM_CMD_ECC_P256R1_PRIVATE;
472  domainParams = DomainParam_Brainpool_256r1;
473  command = 0;
474  n = 32;
475  }
476  else if(!osStrcmp(params->name, "brainpoolP384r1"))
477  {
478  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
479  oemCommand = SCE_OEM_CMD_ECC_P384R1_PRIVATE;
480  domainParams = DomainParam_Brainpool_384r1;
481  command = 0;
482  n = 48;
483  }
484  else if(!osStrcmp(params->name, "brainpoolP512r1"))
485  {
486  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
487  oemCommand = SCE_OEM_CMD_ECC_P512R1_PRIVATE;
488  domainParams = DomainParam_Brainpool_512r1;
489  command = 0;
490  n = 64;
491  }
492  else
493  {
494  return ERROR_FAILURE;
495  }
496 
497  //Acquire exclusive access to the RSIP7 module
498  osAcquireMutex(&ra8CryptoMutex);
499 
500  //Set scalar value
501  mpiWriteRaw(d, (uint8_t *) ecArgs.d, n);
502 
503  //Set input point
504  mpiWriteRaw(&s->x, (uint8_t *) ecArgs.g, n);
505  mpiWriteRaw(&s->y, (uint8_t *) ecArgs.g + n, n);
506 
507  //Install the plaintext private key and get the wrapped key
508  status = HW_SCE_GenerateOemKeyIndexPrivate(SCE_OEM_KEY_TYPE_PLAIN,
509  oemCommand, NULL, NULL, (uint8_t *) ecArgs.d, ecArgs.wrappedKey);
510 
511  //Check status code
512  if(status == FSP_SUCCESS)
513  {
514  //Perform scalar multiplication
515  if(n == 32)
516  {
517  status = HW_SCE_Ecc256ScalarMultiplicationSub(&curveType,
518  &command, ecArgs.wrappedKey, ecArgs.g, domainParams, ecArgs.q);
519  }
520  else if(n == 48)
521  {
522  status = HW_SCE_Ecc384ScalarMultiplicationSub(&curveType,
523  ecArgs.wrappedKey, ecArgs.g, domainParams, ecArgs.q);
524  }
525  else if(n == 64)
526  {
527  status = HW_SCE_Ecc512ScalarMultiplicationSub(ecArgs.wrappedKey,
528  ecArgs.g, domainParams, ecArgs.q);
529  }
530  else if(n == 80)
531  {
532  status = HW_SCE_Ecc521ScalarMultiplicationSub(ecArgs.wrappedKey,
533  ecArgs.g, domainParams, ecArgs.q);
534  }
535  else
536  {
537  status = FSP_ERR_CRYPTO_NOT_IMPLEMENTED;
538  }
539  }
540 
541  //Check status code
542  if(status == FSP_SUCCESS)
543  {
544  //Copy the x-coordinate of the result
545  error = mpiReadRaw(&r->x, (uint8_t *) ecArgs.q, n);
546 
547  //Check status code
548  if(!error)
549  {
550  //Copy the y-coordinate of the result
551  error = mpiReadRaw(&r->y, (uint8_t *) ecArgs.q + n, n);
552  }
553 
554  //Check status code
555  if(!error)
556  {
557  //Set the z-coordinate of the result
558  error = mpiSetValue(&r->z, 1);
559  }
560  }
561  else
562  {
563  //Report an error
564  error = ERROR_FAILURE;
565  }
566 
567  //Release exclusive access to the RSIP7 module
568  osReleaseMutex(&ra8CryptoMutex);
569 
570  //Return status code
571  return error;
572 }
573 
574 
575 /**
576  * @brief ECDSA signature generation
577  * @param[in] prngAlgo PRNG algorithm
578  * @param[in] prngContext Pointer to the PRNG context
579  * @param[in] params EC domain parameters
580  * @param[in] privateKey Signer's EC private key
581  * @param[in] digest Digest of the message to be signed
582  * @param[in] digestLen Length in octets of the digest
583  * @param[out] signature (R, S) integer pair
584  * @return Error code
585  **/
586 
587 error_t ecdsaGenerateSignature(const PrngAlgo *prngAlgo, void *prngContext,
588  const EcDomainParameters *params, const EcPrivateKey *privateKey,
589  const uint8_t *digest, size_t digestLen, EcdsaSignature *signature)
590 {
591  error_t error;
592  fsp_err_t status;
593  size_t n;
594  size_t orderLen;
595  uint32_t curveType;
596  uint32_t command;
597  sce_oem_cmd_t oemCommand;
598  const uint32_t *domainParams;
599 
600  //Check parameters
601  if(params == NULL || privateKey == NULL || digest == NULL || signature == NULL)
602  return ERROR_INVALID_PARAMETER;
603 
604  //Retrieve the length of the base point order, in bytes
605  orderLen = mpiGetByteLength(&params->q);
606 
607  //Check elliptic curve parameters
608  if(!osStrcmp(params->name, "secp256k1"))
609  {
610  curveType = SCE_ECC_CURVE_TYPE_KOBLITZ;
611  oemCommand = SCE_OEM_CMD_ECC_SECP256K1_PRIVATE;
612  domainParams = DomainParam_Koblitz_secp256k1;
613  command = 0;
614  n = 32;
615  }
616  else if(!osStrcmp(params->name, "secp256r1"))
617  {
618  curveType = SCE_ECC_CURVE_TYPE_NIST;
619  oemCommand = SCE_OEM_CMD_ECC_P256_PRIVATE;
620  domainParams = DomainParam_NIST_P256;
621  command = 0;
622  n = 32;
623  }
624  else if(!osStrcmp(params->name, "secp384r1"))
625  {
626  curveType = SCE_ECC_CURVE_TYPE_NIST;
627  oemCommand = SCE_OEM_CMD_ECC_P384_PRIVATE;
628  domainParams = DomainParam_NIST_P384;
629  command = 0;
630  n = 48;
631  }
632  else if(!osStrcmp(params->name, "secp521r1") &&
633  sce_oem_key_size[SCE_OEM_CMD_ECC_P521_PRIVATE] != 0)
634  {
635  curveType = SCE_ECC_CURVE_TYPE_NIST;
636  oemCommand = SCE_OEM_CMD_ECC_P521_PRIVATE;
637  domainParams = DomainParam_NIST_P521;
638  command = 0;
639  n = 80;
640  }
641  else if(!osStrcmp(params->name, "brainpoolP256r1"))
642  {
643  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
644  oemCommand = SCE_OEM_CMD_ECC_P256R1_PRIVATE;
645  domainParams = DomainParam_Brainpool_256r1;
646  command = 0;
647  n = 32;
648  }
649  else if(!osStrcmp(params->name, "brainpoolP384r1"))
650  {
651  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
652  oemCommand = SCE_OEM_CMD_ECC_P384R1_PRIVATE;
653  domainParams = DomainParam_Brainpool_384r1;
654  command = 0;
655  n = 48;
656  }
657  else if(!osStrcmp(params->name, "brainpoolP512r1"))
658  {
659  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
660  oemCommand = SCE_OEM_CMD_ECC_P512R1_PRIVATE;
661  domainParams = DomainParam_Brainpool_512r1;
662  command = 0;
663  n = 64;
664  }
665  else
666  {
667  return ERROR_FAILURE;
668  }
669 
670  //Keep the leftmost bits of the hash value
671  digestLen = MIN(digestLen, orderLen);
672 
673  //Acquire exclusive access to the RSIP7 module
674  osAcquireMutex(&ra8CryptoMutex);
675 
676  //Pad the digest with leading zeroes if necessary
677  osMemset(ecArgs.digest, 0, n);
678  osMemcpy((uint8_t *) ecArgs.digest + n - digestLen, digest, digestLen);
679 
680  //Set private key
681  mpiWriteRaw(&privateKey->d, (uint8_t *) ecArgs.d, n);
682 
683  //Install the plaintext private key and get the wrapped key
684  status = HW_SCE_GenerateOemKeyIndexPrivate(SCE_OEM_KEY_TYPE_PLAIN,
685  oemCommand, NULL, NULL, (uint8_t *) ecArgs.d, ecArgs.wrappedKey);
686 
687  //Check status code
688  if(status == FSP_SUCCESS)
689  {
690  //Verify ECDSA signature
691  if(n == 32)
692  {
693  status = HW_SCE_EcdsaSignatureGenerateSub(&curveType, &command,
694  ecArgs.wrappedKey, ecArgs.digest, domainParams, ecArgs.signature);
695  }
696  else if(n == 48)
697  {
698  status = HW_SCE_EcdsaP384SignatureGenerateSub(&curveType,
699  ecArgs.wrappedKey, ecArgs.digest, domainParams, ecArgs.signature);
700  }
701  else if(n == 64)
702  {
703  status = HW_SCE_EcdsaP512SignatureGenerateSub(ecArgs.wrappedKey,
704  ecArgs.digest, domainParams, ecArgs.signature);
705  }
706  else if(n == 80)
707  {
708  status = HW_SCE_EcdsaP521SignatureGenerateSub(ecArgs.wrappedKey,
709  ecArgs.digest, domainParams, ecArgs.signature);
710  }
711  else
712  {
713  status = FSP_ERR_CRYPTO_NOT_IMPLEMENTED;
714  }
715  }
716 
717  //Check status code
718  if(status == FSP_SUCCESS)
719  {
720  //Copy integer R
721  error = mpiReadRaw(&signature->r, (uint8_t *) ecArgs.signature, n);
722 
723  //Check status code
724  if(!error)
725  {
726  //Copy integer S
727  error = mpiReadRaw(&signature->s, (uint8_t *) ecArgs.signature + n, n);
728  }
729  }
730  else
731  {
732  //Report an error
733  error = ERROR_FAILURE;
734  }
735 
736  //Release exclusive access to the RSIP7 module
737  osReleaseMutex(&ra8CryptoMutex);
738 
739  //Return status code
740  return error;
741 }
742 
743 
744 /**
745  * @brief ECDSA signature verification
746  * @param[in] params EC domain parameters
747  * @param[in] publicKey Signer's EC public key
748  * @param[in] digest Digest of the message whose signature is to be verified
749  * @param[in] digestLen Length in octets of the digest
750  * @param[in] signature (R, S) integer pair
751  * @return Error code
752  **/
753 
754 error_t ecdsaVerifySignature(const EcDomainParameters *params,
755  const EcPublicKey *publicKey, const uint8_t *digest, size_t digestLen,
756  const EcdsaSignature *signature)
757 {
758  fsp_err_t status;
759  size_t n;
760  size_t orderLen;
761  uint32_t curveType;
762  uint32_t command;
763  sce_oem_cmd_t oemCommand;
764  const uint32_t *domainParams;
765 
766  //Check parameters
767  if(params == NULL || publicKey == NULL || digest == NULL || signature == NULL)
768  return ERROR_INVALID_PARAMETER;
769 
770  //The verifier shall check that 0 < r < q
771  if(mpiCompInt(&signature->r, 0) <= 0 ||
772  mpiComp(&signature->r, &params->q) >= 0)
773  {
774  //If the condition is violated, the signature shall be rejected as invalid
775  return ERROR_INVALID_SIGNATURE;
776  }
777 
778  //The verifier shall check that 0 < s < q
779  if(mpiCompInt(&signature->s, 0) <= 0 ||
780  mpiComp(&signature->s, &params->q) >= 0)
781  {
782  //If the condition is violated, the signature shall be rejected as invalid
783  return ERROR_INVALID_SIGNATURE;
784  }
785 
786  //Retrieve the length of the base point order, in bytes
787  orderLen = mpiGetByteLength(&params->q);
788 
789  //Check elliptic curve parameters
790  if(!osStrcmp(params->name, "secp256k1"))
791  {
792  curveType = SCE_ECC_CURVE_TYPE_KOBLITZ;
793  oemCommand = SCE_OEM_CMD_ECC_SECP256K1_PUBLIC;
794  domainParams = DomainParam_Koblitz_secp256k1;
795  command = 0;
796  n = 32;
797  }
798  else if(!osStrcmp(params->name, "secp256r1"))
799  {
800  curveType = SCE_ECC_CURVE_TYPE_NIST;
801  oemCommand = SCE_OEM_CMD_ECC_P256_PUBLIC;
802  domainParams = DomainParam_NIST_P256;
803  command = 0;
804  n = 32;
805  }
806  else if(!osStrcmp(params->name, "secp384r1"))
807  {
808  curveType = SCE_ECC_CURVE_TYPE_NIST;
809  oemCommand = SCE_OEM_CMD_ECC_P384_PUBLIC;
810  domainParams = DomainParam_NIST_P384;
811  command = 0;
812  n = 48;
813  }
814  else if(!osStrcmp(params->name, "secp521r1") &&
815  sce_oem_key_size[SCE_OEM_CMD_ECC_P521_PUBLIC] != 0)
816  {
817  curveType = SCE_ECC_CURVE_TYPE_NIST;
818  oemCommand = SCE_OEM_CMD_ECC_P521_PUBLIC;
819  domainParams = DomainParam_NIST_P521;
820  command = 0;
821  n = 80;
822  }
823  else if(!osStrcmp(params->name, "brainpoolP256r1"))
824  {
825  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
826  oemCommand = SCE_OEM_CMD_ECC_P256R1_PUBLIC;
827  domainParams = DomainParam_Brainpool_256r1;
828  command = 0;
829  n = 32;
830  }
831  else if(!osStrcmp(params->name, "brainpoolP384r1"))
832  {
833  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
834  oemCommand = SCE_OEM_CMD_ECC_P384R1_PUBLIC;
835  domainParams = DomainParam_Brainpool_384r1;
836  command = 0;
837  n = 48;
838  }
839  else if(!osStrcmp(params->name, "brainpoolP512r1"))
840  {
841  curveType = SCE_ECC_CURVE_TYPE_BRAINPOOL;
842  oemCommand = SCE_OEM_CMD_ECC_P512R1_PUBLIC;
843  domainParams = DomainParam_Brainpool_512r1;
844  command = 0;
845  n = 64;
846  }
847  else
848  {
849  return ERROR_FAILURE;
850  }
851 
852  //Keep the leftmost bits of the hash value
853  digestLen = MIN(digestLen, orderLen);
854 
855  //Acquire exclusive access to the RSIP7 module
856  osAcquireMutex(&ra8CryptoMutex);
857 
858  //Pad the digest with leading zeroes if necessary
859  osMemset(ecArgs.digest, 0, n);
860  osMemcpy((uint8_t *) ecArgs.digest + n - digestLen, digest, digestLen);
861 
862  //Set public key
863  mpiWriteRaw(&publicKey->q.x, (uint8_t *) ecArgs.q, n);
864  mpiWriteRaw(&publicKey->q.y, (uint8_t *) ecArgs.q + n, n);
865 
866  //Set signature
867  mpiWriteRaw(&signature->r, (uint8_t *) ecArgs.signature, n);
868  mpiWriteRaw(&signature->s, (uint8_t *) ecArgs.signature + n, n);
869 
870  //Install the plaintext public key and get the wrapped key
871  status = HW_SCE_GenerateOemKeyIndexPrivate(SCE_OEM_KEY_TYPE_PLAIN,
872  oemCommand, NULL, NULL, (uint8_t *) ecArgs.q, ecArgs.wrappedKey);
873 
874  //Check status code
875  if(status == FSP_SUCCESS)
876  {
877  //Verify ECDSA signature
878  if(n == 32)
879  {
880  status = HW_SCE_EcdsaSignatureVerificationSub(&curveType, &command,
881  ecArgs.wrappedKey, ecArgs.digest, ecArgs.signature, domainParams);
882  }
883  else if(n == 48)
884  {
885  status = HW_SCE_EcdsaP384SignatureVerificationSub(&curveType,
886  ecArgs.wrappedKey, ecArgs.digest, ecArgs.signature, domainParams);
887  }
888  else if(n == 64)
889  {
890  status = HW_SCE_EcdsaP512SignatureVerificationSub(ecArgs.wrappedKey,
891  ecArgs.digest, ecArgs.signature, domainParams);
892  }
893  else if(n == 80)
894  {
895  status = HW_SCE_EcdsaP521SignatureVerificationSub(ecArgs.wrappedKey,
896  ecArgs.digest, ecArgs.signature, domainParams);
897  }
898  else
899  {
900  status = FSP_ERR_CRYPTO_NOT_IMPLEMENTED;
901  }
902  }
903 
904  //Release exclusive access to the RSIP7 module
905  osReleaseMutex(&ra8CryptoMutex);
906 
907  //Return status code
908  return (status == FSP_SUCCESS) ? NO_ERROR : ERROR_INVALID_SIGNATURE;
909 }
910 
911 #endif
crypto.h
General definitions for cryptographic algorithms.
PrngAlgo
#define PrngAlgo
Definition: crypto.h:917
mpiReadRaw
#define mpiReadRaw(r, data, length)
Definition: crypto_legacy.h:35
mpiWriteRaw
#define mpiWriteRaw(a, data, length)
Definition: crypto_legacy.h:36
debug.h
Debugging facilities.
n
uint8_t n
Definition: dhcpv6_common.h:416
ec.h
ECC (Elliptic Curve Cryptography)
ecdsa.h
ECDSA (Elliptic Curve Digital Signature Algorithm)
error_t
error_t
Error codes.
Definition: error.h:43
ERROR_INVALID_SIGNATURE
@ ERROR_INVALID_SIGNATURE
Definition: error.h:226
ERROR_OUT_OF_RANGE
@ ERROR_OUT_OF_RANGE
Definition: error.h:137
NO_ERROR
@ NO_ERROR
Success.
Definition: error.h:44
ERROR_FAILURE
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
ERROR_INVALID_PARAMETER
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
mpiMul
error_t mpiMul(Mpi *r, const Mpi *a, const Mpi *b)
Multiple precision multiplication.
Definition: esp32_crypto_pkc.c:75
mpiExpMod
error_t mpiExpMod(Mpi *r, const Mpi *a, const Mpi *e, const Mpi *p)
Modular exponentiation.
Definition: esp32_crypto_pkc.c:202
mpiMulMod
error_t mpiMulMod(Mpi *r, const Mpi *a, const Mpi *b, const Mpi *p)
Modular multiplication.
Definition: mimxrt1160_crypto_pkc.c:60
mpiSetValue
error_t mpiSetValue(Mpi *r, int_t a)
Set the value of a multiple precision integer.
Definition: mpi.c:484
mpiSub
error_t mpiSub(Mpi *r, const Mpi *a, const Mpi *b)
Multiple precision subtraction.
Definition: mpi.c:864
mpiCompInt
int_t mpiCompInt(const Mpi *a, int_t b)
Compare a multiple precision integer with an integer.
Definition: mpi.c:382
mpiComp
int_t mpiComp(const Mpi *a, const Mpi *b)
Compare two multiple precision integers.
Definition: mpi.c:338
mpiInit
void mpiInit(Mpi *r)
Initialize a multiple precision integer.
Definition: mpi.c:48
mpiGetByteLength
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:195
mpiFree
void mpiFree(Mpi *r)
Release a multiple precision integer.
Definition: mpi.c:64
mpiAdd
error_t mpiAdd(Mpi *r, const Mpi *a, const Mpi *b)
Multiple precision addition.
Definition: mpi.c:787
mpiMod
error_t mpiMod(Mpi *r, const Mpi *a, const Mpi *p)
Modulo operation.
Definition: mpi.c:1444
h
uint8_t h
Definition: ndp.h:302
c
uint8_t c
Definition: ndp.h:514
r
uint8_t r
Definition: ndp.h:346
s
uint8_t s
Definition: ndp.h:345
p
uint8_t p
Definition: ndp.h:300
m
uint8_t m
Definition: ndp.h:304
a
uint8_t a
Definition: ndp.h:411
osMemset
#define osMemset(p, value, length)
Definition: os_port.h:135
osStrcmp
#define osStrcmp(s1, s2)
Definition: os_port.h:171
osMemcpy
#define osMemcpy(dest, src, length)
Definition: os_port.h:141
MIN
#define MIN(a, b)
Definition: os_port.h:63
osAcquireMutex
void osAcquireMutex(OsMutex *mutex)
Acquire ownership of the specified mutex object.
Definition: os_port_chibios.c:388
osReleaseMutex
void osReleaseMutex(OsMutex *mutex)
Release ownership of the specified mutex object.
Definition: os_port_chibios.c:400
ra8CryptoMutex
OsMutex ra8CryptoMutex
Definition: ra8_crypto.c:41
ra8_crypto.h
RA8 hardware cryptographic accelerator (RSIP7)
mpiExpModRegular
error_t mpiExpModRegular(Mpi *r, const Mpi *a, const Mpi *e, const Mpi *p)
Modular exponentiation (regular calculation)
Definition: ra8_crypto_pkc.c:184
sce_oem_key_size
const uint32_t sce_oem_key_size[SCE_OEM_CMD_NUM]
ecMult
error_t ecMult(const EcDomainParameters *params, EcPoint *r, const Mpi *d, const EcPoint *s)
Scalar multiplication.
Definition: ra8_crypto_pkc.c:423
rsadp
error_t rsadp(const RsaPrivateKey *key, const Mpi *c, Mpi *m)
RSA decryption primitive.
Definition: ra8_crypto_pkc.c:306
ecdsaGenerateSignature
error_t ecdsaGenerateSignature(const PrngAlgo *prngAlgo, void *prngContext, const EcDomainParameters *params, const EcPrivateKey *privateKey, const uint8_t *digest, size_t digestLen, EcdsaSignature *signature)
ECDSA signature generation.
Definition: ra8_crypto_pkc.c:587
ecdsaVerifySignature
error_t ecdsaVerifySignature(const EcDomainParameters *params, const EcPublicKey *publicKey, const uint8_t *digest, size_t digestLen, const EcdsaSignature *signature)
ECDSA signature verification.
Definition: ra8_crypto_pkc.c:754
mpiExpModFast
error_t mpiExpModFast(Mpi *r, const Mpi *a, const Mpi *e, const Mpi *p)
Modular exponentiation (fast calculation)
Definition: ra8_crypto_pkc.c:65
ra8_crypto_pkc.h
RA8 public-key hardware accelerator.
rsa.h
RSA public-key cryptography standard.
EcDomainParameters
EC domain parameters.
Definition: ec.h:76
EcDomainParameters::name
const char_t * name
Curve name.
Definition: ec.h:77
EcDomainParameters::q
Mpi q
Order of the point G.
Definition: ec.h:83
EcPoint
EC point.
Definition: ec.h:64
EcPoint::y
Mpi y
y-coordinate
Definition: ec.h:66
EcPoint::x
Mpi x
x-coordinate
Definition: ec.h:65
EcPrivateKey
EC private key.
Definition: ec.h:104
EcPrivateKey::d
Mpi d
Private key.
Definition: ec.h:105
EcPublicKey
EC public key.
Definition: ec.h:94
EcPublicKey::q
EcPoint q
Public key.
Definition: ec.h:95
EcdsaSignature
ECDSA signature.
Definition: ecdsa.h:49
Mpi
Arbitrary precision integer.
Definition: mpi.h:80
Ra8EcArgs
EC primitive arguments.
Definition: ra8_crypto_pkc.h:69
Ra8EcArgs::q
uint32_t q[40]
Definition: ra8_crypto_pkc.h:72
Ra8EcArgs::digest
uint32_t digest[20]
Definition: ra8_crypto_pkc.h:73
Ra8EcArgs::g
uint32_t g[40]
Definition: ra8_crypto_pkc.h:70
Ra8EcArgs::wrappedKey
uint32_t wrappedKey[100]
Definition: ra8_crypto_pkc.h:75
Ra8EcArgs::d
uint32_t d[20]
Definition: ra8_crypto_pkc.h:71
Ra8EcArgs::signature
uint32_t signature[40]
Definition: ra8_crypto_pkc.h:74
Ra8RsaArgs
RSA primitive arguments.
Definition: ra8_crypto_pkc.h:56
Ra8RsaArgs::wrappedKey
uint32_t wrappedKey[300]
Definition: ra8_crypto_pkc.h:60
Ra8RsaArgs::c
uint32_t c[128]
Definition: ra8_crypto_pkc.h:58
Ra8RsaArgs::key
uint32_t key[256]
Definition: ra8_crypto_pkc.h:59
Ra8RsaArgs::m
uint32_t m[128]
Definition: ra8_crypto_pkc.h:57
RsaPrivateKey
RSA private key.
Definition: rsa.h:68
RsaPrivateKey::p
Mpi p
First factor.
Definition: rsa.h:72
RsaPrivateKey::dq
Mpi dq
Second factor's CRT exponent.
Definition: rsa.h:75
RsaPrivateKey::q
Mpi q
Second factor.
Definition: rsa.h:73
RsaPrivateKey::d
Mpi d
Private exponent.
Definition: rsa.h:71
RsaPrivateKey::dp
Mpi dp
First factor's CRT exponent.
Definition: rsa.h:74
RsaPrivateKey::qinv
Mpi qinv
CRT coefficient.
Definition: rsa.h:76
RsaPrivateKey::n
Mpi n
Modulus.
Definition: rsa.h:69