ike_sign_verify.c
Go to the documentation of this file.
1 /**
2  * @file ike_sign_verify.c
3  * @brief RSA/DSA/ECDSA/EdDSA signature verification
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneIPSEC Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.4
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL IKE_TRACE_LEVEL
33 
34 //Dependencies
35 #include "ike/ike.h"
36 #include "ike/ike_sign_verify.h"
37 #include "encoding/oid.h"
38 #include "pkix/x509_key_parse.h"
39 #include "pkix/x509_sign_parse.h"
40 #include "debug.h"
41 
42 //Check IKEv2 library configuration
43 #if (IKE_SUPPORT == ENABLED && IKE_CERT_AUTH_SUPPORT == ENABLED)
44 
45 
46 /**
47  * @brief Signature verification
48  * @param[in] sa Pointer to the IKE SA
49  * @param[in] id Pointer to the identification data
50  * @param[in] idLen Length of the identification data, in bytes
51  * @param[in] authMethod Authentication method
52  * @param[in] publicKeyInfo Pointer to the subject's public key
53  * @param[in] signature Signature to be verified
54  * @param[in] signatureLen Length of the signature, in bytes
55  * @return Error code
56  **/
57 
58 error_t ikeVerifySignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen,
59  uint8_t authMethod, const X509SubjectPublicKeyInfo *publicKeyInfo,
60  const uint8_t *signature, size_t signatureLen)
61 {
62  error_t error;
63 
64 #if (IKE_SIGN_HASH_ALGOS_SUPPORT == ENABLED)
65  //Digital signature method?
66  if(authMethod == IKE_AUTH_METHOD_DIGITAL_SIGN)
67  {
68  //The new digital signature method is flexible enough to include all
69  //current signature methods (RSA, RSA-PSS, DSA, ECDSA and EdDSA) and add
70  //new methods in the future
71  error = ikeVerifyDigitalSignature(sa, id, idLen, publicKeyInfo,
72  (const IkeAuthData *) signature, signatureLen);
73  }
74  else
75 #endif
76 #if (IKE_RSA_SIGN_SUPPORT == ENABLED && IKE_SHA1_SUPPORT == ENABLED)
77  //RSA signature method?
78  if(authMethod == IKE_AUTH_METHOD_RSA)
79  {
80  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
81  error = ikeVerifyRsaSignature(sa, id, idLen, publicKeyInfo,
82  SHA1_HASH_ALGO, signature, signatureLen);
83  }
84  else
85 #endif
86 #if (IKE_DSA_SIGN_SUPPORT == ENABLED && IKE_SHA1_SUPPORT == ENABLED)
87  //DSA signature method?
88  if(authMethod == IKE_AUTH_METHOD_DSS)
89  {
90  //Verify DSA signature
91  error = ikeVerifyDsaSignature(sa, id, idLen, publicKeyInfo,
92  SHA1_HASH_ALGO, signature, signatureLen, IKE_SIGN_FORMAT_RAW);
93  }
94  else
95 #endif
96 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_256_SUPPORT == ENABLED && \
97  IKE_SHA256_SUPPORT == ENABLED)
98  //ECDSA with NIST P-256 signature method?
99  if(authMethod == IKE_AUTH_METHOD_ECDSA_P256_SHA256)
100  {
101  //Verify ECDSA signature
102  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
103  SECP256R1_CURVE, SHA256_HASH_ALGO, signature, signatureLen,
104  IKE_SIGN_FORMAT_RAW);
105  }
106  else
107 #endif
108 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_384_SUPPORT == ENABLED && \
109  IKE_SHA384_SUPPORT == ENABLED)
110  //ECDSA with NIST P-384 signature method?
111  if(authMethod == IKE_AUTH_METHOD_ECDSA_P384_SHA384)
112  {
113  //Verify ECDSA signature
114  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
115  SECP384R1_CURVE, SHA384_HASH_ALGO, signature, signatureLen,
116  IKE_SIGN_FORMAT_RAW);
117  }
118  else
119 #endif
120 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_521_SUPPORT == ENABLED && \
121  IKE_SHA512_SUPPORT == ENABLED)
122  //ECDSA with NIST P-521 signature method?
123  if(authMethod == IKE_AUTH_METHOD_ECDSA_P521_SHA512)
124  {
125  //Verify ECDSA signature
126  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
127  SECP521R1_CURVE, SHA512_HASH_ALGO, signature, signatureLen,
128  IKE_SIGN_FORMAT_RAW);
129  }
130  else
131 #endif
132  //Invalid signature method?
133  {
134  //Report an error
135  error = ERROR_INVALID_SIGNATURE_ALGO;
136  }
137 
138  //Return status code
139  return error;
140 }
141 
142 
143 /**
144  * @brief Digital signature verification
145  * @param[in] sa Pointer to the IKE SA
146  * @param[in] id Pointer to the identification data
147  * @param[in] idLen Length of the identification data, in bytes
148  * @param[in] publicKeyInfo Pointer to the subject's public key
149  * @param[in] authData Pointer to the authentication data
150  * @param[in] authDataLen Length of the authentication data, in bytes
151  * @return Error code
152  **/
153 
154 error_t ikeVerifyDigitalSignature(IkeSaEntry *sa, const uint8_t *id,
155  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
156  const IkeAuthData *authData, size_t authDataLen)
157 {
158  error_t error;
159  size_t n;
160  size_t signatureLen;
161  const uint8_t *signature;
162  const HashAlgo *hashAlgo;
163  IkeSignAlgo signAlgo;
164  X509SignAlgoId signAlgoId;
165 
166  //Check the length of the authentication data
167  if(authDataLen >= sizeof(IkeAuthData))
168  {
169  //The signature value is prefixed with an ASN.1 object indicating the
170  //algorithm used to generate the signature (refer to RFC 7427, section 3)
171  if(authDataLen >= (sizeof(IkeAuthData) + authData->algoIdLen))
172  {
173  //Parse ASN.1 object
174  error = x509ParseSignatureAlgo(authData->algoId, authData->algoIdLen,
175  &n, &signAlgoId);
176 
177  //Check status code
178  if(!error)
179  {
180  //Select the signature and hash algorithms that match the specified
181  //identifier
182  error = ikeSelectSignAlgo(&signAlgoId, &signAlgo, &hashAlgo);
183  }
184 
185  //Check status code
186  if(!error)
187  {
188  //There is no padding between the ASN.1 object and the signature value
189  signature = authData->algoId + authData->algoIdLen;
190 
191  //Determine the length of the signature, in bytes
192  signatureLen = authDataLen - sizeof(IkeAuthData) -
193  authData->algoIdLen;
194 
195 #if (IKE_RSA_SIGN_SUPPORT == ENABLED)
196  //RSA signature algorithm?
197  if(signAlgo == IKE_SIGN_ALGO_RSA)
198  {
199  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
200  error = ikeVerifyRsaSignature(sa, id, idLen, publicKeyInfo,
201  hashAlgo, signature, signatureLen);
202  }
203  else
204 #endif
205 #if (IKE_RSA_PSS_SIGN_SUPPORT == ENABLED)
206  //RSA-PSS signature algorithm?
207  if(signAlgo == IKE_SIGN_ALGO_RSA_PSS)
208  {
209  //Verify RSA signature (RSASSA-PSS signature scheme)
210  error = ikeVerifyRsaPssSignature(sa, id, idLen, publicKeyInfo,
211  hashAlgo, signAlgoId.rsaPssParams.saltLen, signature,
212  signatureLen);
213  }
214  else
215 #endif
216 #if (IKE_DSA_SIGN_SUPPORT == ENABLED)
217  //DSA signature algorithm?
218  if(signAlgo == IKE_SIGN_ALGO_DSA)
219  {
220  //Verify DSA signature
221  error = ikeVerifyDsaSignature(sa, id, idLen, publicKeyInfo,
222  hashAlgo, signature, signatureLen, IKE_SIGN_FORMAT_ASN1);
223  }
224  else
225 #endif
226 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED)
227  //ECDSA signature algorithm?
228  if(signAlgo == IKE_SIGN_ALGO_ECDSA)
229  {
230  //Verify ECDSA signature
231  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
232  NULL, hashAlgo, signature, signatureLen, IKE_SIGN_FORMAT_ASN1);
233  }
234  else
235 #endif
236 #if (IKE_ED25519_SIGN_SUPPORT == ENABLED)
237  //Ed25519 signature algorithm?
238  if(signAlgo == IKE_SIGN_ALGO_ED25519)
239  {
240  //Verify Ed25519 signature (PureEdDSA mode)
241  error = ikeVerifyEd25519Signature(sa, id, idLen, publicKeyInfo,
242  signature, signatureLen);
243  }
244  else
245 #endif
246 #if (IKE_ED448_SIGN_SUPPORT == ENABLED)
247  //Ed448 signature algorithm?
248  if(signAlgo == IKE_SIGN_ALGO_ED448)
249  {
250  //Verify Ed448 signature (PureEdDSA mode)
251  error = ikeVerifyEd448Signature(sa, id, idLen, publicKeyInfo,
252  signature, signatureLen);
253  }
254  else
255 #endif
256  //Invalid signature algorithm?
257  {
258  //Report an error
259  error = ERROR_UNSUPPORTED_SIGNATURE_ALGO;
260  }
261  }
262  }
263  else
264  {
265  //Malformed ASN.1 object
266  error = ERROR_INVALID_MESSAGE;
267  }
268  }
269  else
270  {
271  //Malformed authentication data
272  error = ERROR_INVALID_MESSAGE;
273  }
274 
275  //Return status code
276  return error;
277 }
278 
279 
280 /**
281  * @brief RSA signature verification
282  * @param[in] sa Pointer to the IKE SA
283  * @param[in] id Pointer to the identification data
284  * @param[in] idLen Length of the identification data, in bytes
285  * @param[in] publicKeyInfo Pointer to the subject's public key
286  * @param[in] hashAlgo Hash algorithm
287  * @param[in] signature Signature to be verified
288  * @param[in] signatureLen Length of the signature, in bytes
289  * @return Error code
290  **/
291 
292 error_t ikeVerifyRsaSignature(IkeSaEntry *sa, const uint8_t *id,
293  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
294  const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen)
295 {
296 #if (IKE_RSA_SIGN_SUPPORT == ENABLED)
297  error_t error;
298  uint_t k;
299  RsaPublicKey rsaPublicKey;
300  uint8_t digest[MAX_HASH_DIGEST_SIZE];
301 
302  //Check public key identifier
303  if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
304  RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)))
305  {
306  //Initialize RSA public key
307  rsaInitPublicKey(&rsaPublicKey);
308 
309  //Digest signed octets
310  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
311  !sa->originalInitiator);
312 
313  //Check status code
314  if(!error)
315  {
316  //Import RSA public key
317  error = x509ImportRsaPublicKey(publicKeyInfo, &rsaPublicKey);
318  }
319 
320  //Check status code
321  if(!error)
322  {
323  //Get the length of the modulus, in bits
324  k = mpiGetBitLength(&rsaPublicKey.n);
325 
326  //Applications should also enforce minimum and maximum key sizes
327  if(k < IKE_MIN_RSA_MODULUS_SIZE || k > IKE_MAX_RSA_MODULUS_SIZE)
328  {
329  //Report an error
330  error = ERROR_BAD_CERTIFICATE;
331  }
332  }
333 
334  //Check status code
335  if(!error)
336  {
337  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
338  error = rsassaPkcs1v15Verify(&rsaPublicKey, hashAlgo, digest,
339  signature, signatureLen);
340  }
341 
342  //Free previously allocated memory
343  rsaFreePublicKey(&rsaPublicKey);
344  }
345  else
346  {
347  //Invalid public key identifier
348  error = ERROR_INVALID_KEY;
349  }
350 
351  //Return status code
352  return error;
353 #else
354  //Not implemented
355  return ERROR_NOT_IMPLEMENTED;
356 #endif
357 }
358 
359 
360 /**
361  * @brief RSA-PSS signature verification
362  * @param[in] sa Pointer to the IKE SA
363  * @param[in] id Pointer to the identification data
364  * @param[in] idLen Length of the identification data, in bytes
365  * @param[in] publicKeyInfo Pointer to the subject's public key
366  * @param[in] hashAlgo Hash algorithm
367  * @param[in] saltLen Length of the salt, in bytes
368  * @param[in] signature Signature to be verified
369  * @param[in] signatureLen Length of the signature, in bytes
370  * @return Error code
371  **/
372 
373 error_t ikeVerifyRsaPssSignature(IkeSaEntry *sa, const uint8_t *id,
374  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
375  const HashAlgo *hashAlgo, size_t saltLen, const uint8_t *signature,
376  size_t signatureLen)
377 {
378 #if (IKE_RSA_PSS_SIGN_SUPPORT == ENABLED)
379  error_t error;
380  uint_t k;
381  size_t oidLen;
382  const uint8_t *oid;
383  RsaPublicKey rsaPublicKey;
384  uint8_t digest[MAX_HASH_DIGEST_SIZE];
385 
386  //Retrieve public key identifier
387  oid = publicKeyInfo->oid.value;
388  oidLen = publicKeyInfo->oid.length;
389 
390  //Check public key identifier
391  if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)) ||
392  !oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))
393  {
394  //Initialize RSA public key
395  rsaInitPublicKey(&rsaPublicKey);
396 
397  //Digest signed octets
398  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
399  !sa->originalInitiator);
400 
401  //Check status code
402  if(!error)
403  {
404  //Import RSA public key
405  error = x509ImportRsaPublicKey(publicKeyInfo, &rsaPublicKey);
406  }
407 
408  //Check status code
409  if(!error)
410  {
411  //Get the length of the modulus, in bits
412  k = mpiGetBitLength(&rsaPublicKey.n);
413 
414  //Applications should also enforce minimum and maximum key sizes
415  if(k < IKE_MIN_RSA_MODULUS_SIZE || k > IKE_MAX_RSA_MODULUS_SIZE)
416  {
417  //Report an error
418  error = ERROR_BAD_CERTIFICATE;
419  }
420  }
421 
422  //Check status code
423  if(!error)
424  {
425  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
426  error = rsassaPssVerify(&rsaPublicKey, hashAlgo, saltLen, digest,
427  signature, signatureLen);
428  }
429 
430  //Free previously allocated memory
431  rsaFreePublicKey(&rsaPublicKey);
432  }
433  else
434  {
435  //Invalid public key identifier
436  error = ERROR_INVALID_KEY;
437  }
438 
439  //Return status code
440  return error;
441 #else
442  //Not implemented
443  return ERROR_NOT_IMPLEMENTED;
444 #endif
445 }
446 
447 
448 /**
449  * @brief DSA signature verification
450  * @param[in] sa Pointer to the IKE SA
451  * @param[in] id Pointer to the identification data
452  * @param[in] idLen Length of the identification data, in bytes
453  * @param[in] publicKeyInfo Pointer to the subject's public key
454  * @param[in] hashAlgo Hash algorithm
455  * @param[in] signature Signature to be verified
456  * @param[in] signatureLen Length of the signature, in bytes
457  * @param[in] format Signature format (raw or ASN.1)
458  * @return Error code
459  **/
460 
461 error_t ikeVerifyDsaSignature(IkeSaEntry *sa, const uint8_t *id,
462  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
463  const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen,
464  IkeSignFormat format)
465 {
466 #if (IKE_DSA_SIGN_SUPPORT == ENABLED)
467  error_t error;
468  uint_t k;
469  DsaPublicKey dsaPublicKey;
470  DsaSignature dsaSignature;
471  uint8_t digest[MAX_HASH_DIGEST_SIZE];
472 
473  //Check public key identifier
474  if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
475  DSA_OID, sizeof(DSA_OID)))
476  {
477  //Initialize DSA public key
478  dsaInitPublicKey(&dsaPublicKey);
479  //Initialize DSA signature
480  dsaInitSignature(&dsaSignature);
481 
482  //Digest signed octets
483  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
484  !sa->originalInitiator);
485 
486  //Check status code
487  if(!error)
488  {
489  //Import DSA public key
490  error = x509ImportDsaPublicKey(publicKeyInfo, &dsaPublicKey);
491  }
492 
493  //Check status code
494  if(!error)
495  {
496  //Get the length of the modulus, in bits
497  k = mpiGetBitLength(&dsaPublicKey.params.p);
498 
499  //Applications should also enforce minimum and maximum key sizes
500  if(k < IKE_MIN_DSA_MODULUS_SIZE || k > IKE_MAX_DSA_MODULUS_SIZE)
501  {
502  //Report an error
503  error = ERROR_BAD_CERTIFICATE;
504  }
505  }
506 
507  //Check status code
508  if(!error)
509  {
510  //Decode (R, S) integer pair
511  error = ikeParseDsaSignature(signature, signatureLen, &dsaSignature,
512  format);
513  }
514 
515  //Check status code
516  if(!error)
517  {
518  //Verify DSA signature
519  error = dsaVerifySignature(&dsaPublicKey, digest, hashAlgo->digestSize,
520  &dsaSignature);
521  }
522 
523  //Free previously allocated memory
524  dsaFreePublicKey(&dsaPublicKey);
525  dsaFreeSignature(&dsaSignature);
526  }
527  else
528  {
529  //Invalid public key identifier
530  error = ERROR_INVALID_KEY;
531  }
532 
533  //Return status code
534  return error;
535 #else
536  //Not implemented
537  return ERROR_NOT_IMPLEMENTED;
538 #endif
539 }
540 
541 
542 /**
543  * @brief ECDSA signature verification
544  * @param[in] sa Pointer to the IKE SA
545  * @param[in] id Pointer to the identification data
546  * @param[in] idLen Length of the identification data, in bytes
547  * @param[in] publicKeyInfo Pointer to the subject's public key
548  * @param[in] group Elliptic curve group
549  * @param[in] hashAlgo Hash algorithm
550  * @param[in] signature Signature to be verified
551  * @param[in] signatureLen Length of the signature, in bytes
552  * @param[in] format Signature format (raw or ASN.1)
553  * @return Error code
554  **/
555 
556 error_t ikeVerifyEcdsaSignature(IkeSaEntry *sa, const uint8_t *id,
557  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
558  const EcCurveInfo *group, const HashAlgo *hashAlgo,
559  const uint8_t *signature, size_t signatureLen, IkeSignFormat format)
560 {
561 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED)
562  error_t error;
563  const EcCurveInfo *curveInfo;
564  EcDomainParameters ecParams;
565  EcPublicKey ecPublicKey;
566  EcdsaSignature ecdsaSignature;
567  uint8_t digest[MAX_HASH_DIGEST_SIZE];
568 
569  //Check public key identifier
570  if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
571  EC_PUBLIC_KEY_OID, sizeof(EC_PUBLIC_KEY_OID)))
572  {
573  //Retrieve EC domain parameters
574  curveInfo = ecGetCurveInfo(publicKeyInfo->ecParams.namedCurve.value,
575  publicKeyInfo->ecParams.namedCurve.length);
576 
577  //Make sure the specified elliptic curve is acceptable
578  if(curveInfo != NULL && (curveInfo == group || group == NULL))
579  {
580  //Initialize EC domain parameters
581  ecInitDomainParameters(&ecParams);
582  //Initialize DSA public key
583  ecInitPublicKey(&ecPublicKey);
584  //Initialize DSA signature
585  ecdsaInitSignature(&ecdsaSignature);
586 
587  //Digest signed octets
588  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
589  !sa->originalInitiator);
590 
591  //Check status code
592  if(!error)
593  {
594  //Load EC domain parameters
595  error = ecLoadDomainParameters(&ecParams, curveInfo);
596  }
597 
598  //Check status code
599  if(!error)
600  {
601  //Import EC public key
602  error = x509ImportEcPublicKey(publicKeyInfo, &ecPublicKey);
603  }
604 
605  //Check status code
606  if(!error)
607  {
608  //Decode (R, S) integer pair
609  error = ikeParseEcdsaSignature(&ecParams, signature, signatureLen,
610  &ecdsaSignature, format);
611  }
612 
613  //Check status code
614  if(!error)
615  {
616  //Verify ECDSA signature
617  error = ecdsaVerifySignature(&ecParams, &ecPublicKey, digest,
618  hashAlgo->digestSize, &ecdsaSignature);
619  }
620 
621  //Free previously allocated memory
622  ecFreeDomainParameters(&ecParams);
623  ecFreePublicKey(&ecPublicKey);
624  ecdsaFreeSignature(&ecdsaSignature);
625  }
626  else
627  {
628  //Unknown elliptic curve identifier
629  return ERROR_INVALID_SIGNATURE;
630  }
631  }
632  else
633  {
634  //Invalid public key identifier
635  error = ERROR_INVALID_KEY;
636  }
637 
638  //Return status code
639  return error;
640 #else
641  //Not implemented
642  return ERROR_NOT_IMPLEMENTED;
643 #endif
644 }
645 
646 
647 /**
648  * @brief Ed25519 signature verification
649  * @param[in] sa Pointer to the IKE SA
650  * @param[in] id Pointer to the identification data
651  * @param[in] idLen Length of the identification data, in bytes
652  * @param[in] publicKeyInfo Pointer to the subject's public key
653  * @param[in] signature Signature to be verified
654  * @param[in] signatureLen Length of the signature, in bytes
655  * @return Error code
656  **/
657 
658 error_t ikeVerifyEd25519Signature(IkeSaEntry *sa, const uint8_t *id,
659  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
660  const uint8_t *signature, size_t signatureLen)
661 {
662 #if (IKE_ED25519_SIGN_SUPPORT == ENABLED)
663  error_t error;
664  DataChunk messageChunks[4];
665  uint8_t macId[MAX_HASH_DIGEST_SIZE];
666 
667  //Check public key identifier
668  if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
669  ED25519_OID, sizeof(ED25519_OID)))
670  {
671  //Valid Ed25519 public key?
672  if(publicKeyInfo->ecPublicKey.q.value != NULL &&
673  publicKeyInfo->ecPublicKey.q.length == ED25519_PUBLIC_KEY_LEN)
674  {
675  //The Ed25519 signature shall consist of 32 octets
676  if(signatureLen == ED25519_SIGNATURE_LEN)
677  {
678  //Data to be signed is run through the EdDSA algorithm without
679  //pre-hashing
680  error = ikeGetSignedOctets(sa, id, idLen, macId, messageChunks,
681  !sa->originalInitiator);
682 
683  //Check status code
684  if(!error)
685  {
686  //Verify Ed25519 signature (PureEdDSA mode)
687  error = ed25519VerifySignatureEx(publicKeyInfo->ecPublicKey.q.value,
688  messageChunks, NULL, 0, 0, signature);
689  }
690  }
691  else
692  {
693  //The length of the signature is not valid
694  error = ERROR_INVALID_SIGNATURE;
695  }
696  }
697  else
698  {
699  //The public key is not valid
700  error = ERROR_INVALID_KEY;
701  }
702  }
703  else
704  {
705  //Invalid public key identifier
706  error = ERROR_INVALID_KEY;
707  }
708 
709  //Return status code
710  return error;
711 #else
712  //Not implemented
713  return ERROR_NOT_IMPLEMENTED;
714 #endif
715 }
716 
717 
718 /**
719  * @brief Ed448 signature verification
720  * @param[in] sa Pointer to the IKE SA
721  * @param[in] id Pointer to the identification data
722  * @param[in] idLen Length of the identification data, in bytes
723  * @param[in] publicKeyInfo Pointer to the subject's public key
724  * @param[in] signature Signature to be verified
725  * @param[in] signatureLen Length of the signature, in bytes
726  * @return Error code
727  **/
728 
729 error_t ikeVerifyEd448Signature(IkeSaEntry *sa, const uint8_t *id,
730  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
731  const uint8_t *signature, size_t signatureLen)
732 {
733 #if (IKE_ED448_SIGN_SUPPORT == ENABLED)
734  error_t error;
735  DataChunk messageChunks[4];
736  uint8_t macId[MAX_HASH_DIGEST_SIZE];
737 
738  //Check public key identifier
739  if(!oidComp(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
740  ED448_OID, sizeof(ED448_OID)))
741  {
742  //Valid Ed448 public key?
743  if(publicKeyInfo->ecPublicKey.q.value != NULL &&
744  publicKeyInfo->ecPublicKey.q.length == ED448_PUBLIC_KEY_LEN)
745  {
746  //The Ed448 signature shall consist of 57 octets
747  if(signatureLen == ED448_SIGNATURE_LEN)
748  {
749  //Data to be signed is run through the EdDSA algorithm without
750  //pre-hashing
751  error = ikeGetSignedOctets(sa, id, idLen, macId, messageChunks,
752  !sa->originalInitiator);
753 
754  //Check status code
755  if(!error)
756  {
757  //Verify Ed448 signature (PureEdDSA mode)
758  error = ed448VerifySignatureEx(publicKeyInfo->ecPublicKey.q.value,
759  messageChunks, NULL, 0, 0, signature);
760  }
761  }
762  else
763  {
764  //The length of the signature is not valid
765  error = ERROR_INVALID_SIGNATURE;
766  }
767  }
768  else
769  {
770  //The public key is not valid
771  error = ERROR_INVALID_KEY;
772  }
773  }
774  else
775  {
776  //Invalid public key identifier
777  error = ERROR_INVALID_KEY;
778  }
779 
780  //Return status code
781  return error;
782 #else
783  //Not implemented
784  return ERROR_NOT_IMPLEMENTED;
785 #endif
786 }
787 
788 #endif
IKE_SIGN_ALGO_ED448
@ IKE_SIGN_ALGO_ED448
Definition: ike_sign_misc.h:66
EcdsaSignature
ECDSA signature.
Definition: ecdsa.h:49
IkeAuthData
IkeAuthData
Definition: ike.h:1414
SHA256_HASH_ALGO
#define SHA256_HASH_ALGO
Definition: sha256.h:49
rsaFreePublicKey
void rsaFreePublicKey(RsaPublicKey *key)
Release an RSA public key.
Definition: rsa.c:118
ecGetCurveInfo
const EcCurveInfo * ecGetCurveInfo(const uint8_t *oid, size_t length)
Get the elliptic curve that matches the specified OID.
Definition: ec_curves.c:2422
SHA1_HASH_ALGO
#define SHA1_HASH_ALGO
Definition: sha1.h:49
SECP521R1_CURVE
#define SECP521R1_CURVE
Definition: ec_curves.h:249
SHA512_HASH_ALGO
#define SHA512_HASH_ALGO
Definition: sha512.h:49
x509ImportRsaPublicKey
error_t x509ImportRsaPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, RsaPublicKey *publicKey)
Import an RSA public key.
Definition: x509_key_parse.c:563
ERROR_NOT_IMPLEMENTED
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
ecInitDomainParameters
void ecInitDomainParameters(EcDomainParameters *params)
Initialize EC domain parameters.
Definition: ec.c:51
ED25519_PUBLIC_KEY_LEN
#define ED25519_PUBLIC_KEY_LEN
Definition: ed25519.h:42
oid.h
OID (Object Identifier)
SECP384R1_CURVE
#define SECP384R1_CURVE
Definition: ec_curves.h:248
IkeSignAlgo
IkeSignAlgo
Signature algorithms.
Definition: ike_sign_misc.h:59
X509SubjectPublicKeyInfo::oid
X509OctetString oid
Definition: x509_common.h:792
IKE_AUTH_METHOD_ECDSA_P521_SHA512
@ IKE_AUTH_METHOD_ECDSA_P521_SHA512
ECDSA with SHA-512 on the P-521 curve.
Definition: ike.h:992
SECP256R1_CURVE
#define SECP256R1_CURVE
Definition: ec_curves.h:247
ED448_PUBLIC_KEY_LEN
#define ED448_PUBLIC_KEY_LEN
Definition: ed448.h:42
ikeParseEcdsaSignature
error_t ikeParseEcdsaSignature(EcDomainParameters *params, const uint8_t *data, size_t length, EcdsaSignature *signature, IkeSignFormat format)
ECDSA signature parsing.
Definition: ike_sign_misc.c:236
HashAlgo::digestSize
size_t digestSize
Definition: crypto.h:1052
EC_PUBLIC_KEY_OID
const uint8_t EC_PUBLIC_KEY_OID[7]
Definition: ec.c:43
ikeParseDsaSignature
error_t ikeParseDsaSignature(const uint8_t *data, size_t length, DsaSignature *signature, IkeSignFormat format)
DSA signature parsing.
Definition: ike_sign_misc.c:176
IKE_AUTH_METHOD_RSA
@ IKE_AUTH_METHOD_RSA
RSA Digital Signature.
Definition: ike.h:987
X509SubjectPublicKeyInfo::ecParams
X509EcParameters ecParams
Definition: x509_common.h:802
ED448_SIGNATURE_LEN
#define ED448_SIGNATURE_LEN
Definition: ed448.h:44
ikeDigestSignedOctets
error_t ikeDigestSignedOctets(IkeSaEntry *sa, const HashAlgo *hashAlgo, const uint8_t *id, size_t idLen, uint8_t *digest, bool_t initiator)
Digest signed octets.
Definition: ike_sign_misc.c:937
IKE_SIGN_ALGO_RSA
@ IKE_SIGN_ALGO_RSA
Definition: ike_sign_misc.h:61
ED25519_SIGNATURE_LEN
#define ED25519_SIGNATURE_LEN
Definition: ed25519.h:44
ikeVerifySignature
error_t ikeVerifySignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, uint8_t authMethod, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Signature verification.
Definition: ike_sign_verify.c:58
IKE_MAX_DSA_MODULUS_SIZE
#define IKE_MAX_DSA_MODULUS_SIZE
Definition: ike.h:607
ERROR_INVALID_MESSAGE
@ ERROR_INVALID_MESSAGE
Definition: error.h:105
DsaDomainParameters::p
Mpi p
Prime modulus.
Definition: dsa.h:50
RSASSA_PSS_OID
const uint8_t RSASSA_PSS_OID[9]
Definition: rsa.c:88
IKE_MAX_RSA_MODULUS_SIZE
#define IKE_MAX_RSA_MODULUS_SIZE
Definition: ike.h:593
x509_sign_parse.h
EcDomainParameters
EC domain parameters.
Definition: ec.h:76
ecFreeDomainParameters
void ecFreeDomainParameters(EcDomainParameters *params)
Release EC domain parameters.
Definition: ec.c:72
oidComp
int_t oidComp(const uint8_t *oid1, size_t oidLen1, const uint8_t *oid2, size_t oidLen2)
Compare object identifiers.
Definition: oid.c:103
oid
uint8_t oid[]
Definition: lldp_tlv.h:300
RsaPublicKey::n
Mpi n
Modulus.
Definition: rsa.h:58
DSA_OID
const uint8_t DSA_OID[7]
Definition: dsa.c:51
ikeGetSignedOctets
error_t ikeGetSignedOctets(IkeSaEntry *sa, const uint8_t *id, size_t idLen, uint8_t *macId, DataChunk *messageChunks, bool_t initiator)
Retrieve the octets to be signed using EdDSA.
Definition: ike_sign_misc.c:863
ecdsaFreeSignature
void ecdsaFreeSignature(EcdsaSignature *signature)
Release an ECDSA signature.
Definition: ecdsa.c:82
MAX_HASH_DIGEST_SIZE
#define MAX_HASH_DIGEST_SIZE
Definition: hash_algorithms.h:231
ecLoadDomainParameters
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:90
EcCurveInfo
Elliptic curve parameters.
Definition: ec_curves.h:302
DsaPublicKey
DSA public key.
Definition: dsa.h:61
x509ImportDsaPublicKey
error_t x509ImportDsaPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, DsaPublicKey *publicKey)
Import a DSA public key.
Definition: x509_key_parse.c:633
error_t
error_t
Error codes.
Definition: error.h:43
dsaInitSignature
void dsaInitSignature(DsaSignature *signature)
Initialize a DSA signature.
Definition: dsa.c:164
IKE_SIGN_ALGO_RSA_PSS
@ IKE_SIGN_ALGO_RSA_PSS
Definition: ike_sign_misc.h:62
ecInitPublicKey
void ecInitPublicKey(EcPublicKey *key)
Initialize an EC public key.
Definition: ec.c:153
IKE_AUTH_METHOD_DIGITAL_SIGN
@ IKE_AUTH_METHOD_DIGITAL_SIGN
Digital Signature.
Definition: ike.h:995
ikeVerifyDsaSignature
error_t ikeVerifyDsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen, IkeSignFormat format)
DSA signature verification.
Definition: ike_sign_verify.c:461
ikeSelectSignAlgo
error_t ikeSelectSignAlgo(const X509SignAlgoId *signAlgoId, IkeSignAlgo *signAlgo, const HashAlgo **hashAlgo)
Select the signature and hash algorithms that match the specified identifier.
Definition: ike_sign_misc.c:539
RsaPublicKey
RSA public key.
Definition: rsa.h:57
ecdsaInitSignature
void ecdsaInitSignature(EcdsaSignature *signature)
Initialize an ECDSA signature.
Definition: ecdsa.c:69
ecdsaVerifySignature
__weak_func error_t ecdsaVerifySignature(const EcDomainParameters *params, const EcPublicKey *publicKey, const uint8_t *digest, size_t digestLen, const EcdsaSignature *signature)
ECDSA signature verification.
Definition: ecdsa.c:507
ed448VerifySignatureEx
error_t ed448VerifySignatureEx(const uint8_t *publicKey, const DataChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed448.c:438
ERROR_BAD_CERTIFICATE
@ ERROR_BAD_CERTIFICATE
Definition: error.h:235
IKE_SIGN_FORMAT_ASN1
@ IKE_SIGN_FORMAT_ASN1
Definition: ike_sign_misc.h:50
authMethod
uint8_t authMethod
Definition: ike.h:1400
DsaPublicKey::params
DsaDomainParameters params
DSA domain parameters.
Definition: dsa.h:62
ikeVerifyEd25519Signature
error_t ikeVerifyEd25519Signature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Ed25519 signature verification.
Definition: ike_sign_verify.c:658
ENABLED
#define ENABLED
Definition: os_port.h:37
IKE_SIGN_ALGO_DSA
@ IKE_SIGN_ALGO_DSA
Definition: ike_sign_misc.h:63
X509EcParameters::namedCurve
X509OctetString namedCurve
Definition: x509_common.h:771
ED448_OID
const uint8_t ED448_OID[3]
Definition: ec_curves.c:102
mpiGetBitLength
uint_t mpiGetBitLength(const Mpi *a)
Get the actual length in bits.
Definition: mpi.c:234
ED25519_OID
const uint8_t ED25519_OID[3]
Definition: ec_curves.c:100
RSA_ENCRYPTION_OID
const uint8_t RSA_ENCRYPTION_OID[9]
Definition: rsa.c:57
ike.h
IKEv2 (Internet Key Exchange Protocol)
IkeSignFormat
IkeSignFormat
Signature format.
Definition: ike_sign_misc.h:48
DataChunk
Data chunk descriptor.
Definition: crypto.h:981
EcPublicKey
EC public key.
Definition: ec.h:94
SHA384_HASH_ALGO
#define SHA384_HASH_ALGO
Definition: sha384.h:45
dsaVerifySignature
error_t dsaVerifySignature(const DsaPublicKey *key, const uint8_t *digest, size_t digestLen, const DsaSignature *signature)
DSA signature verification.
Definition: dsa.c:585
ikeVerifyRsaSignature
error_t ikeVerifyRsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen)
RSA signature verification.
Definition: ike_sign_verify.c:292
rsassaPkcs1v15Verify
error_t rsassaPkcs1v15Verify(const RsaPublicKey *key, const HashAlgo *hash, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PKCS1-v1_5 signature verification operation.
Definition: rsa.c:838
x509ImportEcPublicKey
error_t x509ImportEcPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, EcPublicKey *publicKey)
Import an EC public key.
Definition: x509_key_parse.c:718
ERROR_INVALID_SIGNATURE_ALGO
@ ERROR_INVALID_SIGNATURE_ALGO
Definition: error.h:134
IkeSaEntry
#define IkeSaEntry
Definition: ike.h:682
ikeVerifyEcdsaSignature
error_t ikeVerifyEcdsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const EcCurveInfo *group, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen, IkeSignFormat format)
ECDSA signature verification.
Definition: ike_sign_verify.c:556
X509EcPublicKey::q
X509OctetString q
Definition: x509_common.h:781
n
uint8_t n
Definition: dhcpv6_common.h:416
X509SubjectPublicKeyInfo
Subject Public Key Information extension.
Definition: x509_common.h:790
rsassaPssVerify
error_t rsassaPssVerify(const RsaPublicKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PSS signature verification operation.
Definition: rsa.c:1079
IKE_SIGN_FORMAT_RAW
@ IKE_SIGN_FORMAT_RAW
Definition: ike_sign_misc.h:49
authData
uint8_t authData[]
Definition: ipv6.h:353
ed25519VerifySignatureEx
error_t ed25519VerifySignatureEx(const uint8_t *publicKey, const DataChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed25519.c:463
IKE_SIGN_ALGO_ECDSA
@ IKE_SIGN_ALGO_ECDSA
Definition: ike_sign_misc.h:64
dsaFreeSignature
void dsaFreeSignature(DsaSignature *signature)
Release a DSA signature.
Definition: dsa.c:177
IKE_AUTH_METHOD_DSS
@ IKE_AUTH_METHOD_DSS
DSS Digital Signature.
Definition: ike.h:989
oidLen
uint8_t oidLen
Definition: lldp_tlv.h:299
x509ParseSignatureAlgo
error_t x509ParseSignatureAlgo(const uint8_t *data, size_t length, size_t *totalLength, X509SignAlgoId *signatureAlgo)
Parse SignatureAlgorithm structure.
Definition: x509_sign_parse.c:53
IKE_AUTH_METHOD_ECDSA_P256_SHA256
@ IKE_AUTH_METHOD_ECDSA_P256_SHA256
ECDSA with SHA-256 on the P-256 curve.
Definition: ike.h:990
X509OctetString::value
const uint8_t * value
Definition: x509_common.h:654
HashAlgo
Common interface for hash algorithms.
Definition: crypto.h:1046
DsaSignature
DSA signature.
Definition: dsa.h:84
x509_key_parse.h
Parsing of ASN.1 encoded keys.
ERROR_UNSUPPORTED_SIGNATURE_ALGO
@ ERROR_UNSUPPORTED_SIGNATURE_ALGO
Definition: error.h:132
uint_t
unsigned int uint_t
Definition: compiler_port.h:50
ikeVerifyRsaPssSignature
error_t ikeVerifyRsaPssSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, size_t saltLen, const uint8_t *signature, size_t signatureLen)
RSA-PSS signature verification.
Definition: ike_sign_verify.c:373
X509SubjectPublicKeyInfo::ecPublicKey
X509EcPublicKey ecPublicKey
Definition: x509_common.h:803
ERROR_INVALID_SIGNATURE
@ ERROR_INVALID_SIGNATURE
Definition: error.h:227
X509SignAlgoId::rsaPssParams
X509RsaPssParameters rsaPssParams
Definition: x509_common.h:1043
IKE_AUTH_METHOD_ECDSA_P384_SHA384
@ IKE_AUTH_METHOD_ECDSA_P384_SHA384
ECDSA with SHA-384 on the P-384 curve.
Definition: ike.h:991
dsaFreePublicKey
void dsaFreePublicKey(DsaPublicKey *key)
Release a DSA public key.
Definition: dsa.c:119
IKE_RSA_SIGN_SUPPORT
#define IKE_RSA_SIGN_SUPPORT
Definition: ike.h:453
ike_sign_verify.h
RSA/DSA/ECDSA/EdDSA signature verification.
IKE_SIGN_ALGO_ED25519
@ IKE_SIGN_ALGO_ED25519
Definition: ike_sign_misc.h:65
dsaInitPublicKey
void dsaInitPublicKey(DsaPublicKey *key)
Initialize a DSA public key.
Definition: dsa.c:105
X509SignAlgoId
Signature algorithm identifier.
Definition: x509_common.h:1040
ERROR_INVALID_KEY
@ ERROR_INVALID_KEY
Definition: error.h:106
ikeVerifyEd448Signature
error_t ikeVerifyEd448Signature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Ed448 signature verification.
Definition: ike_sign_verify.c:729
debug.h
Debugging facilities.
rsaInitPublicKey
void rsaInitPublicKey(RsaPublicKey *key)
Initialize an RSA public key.
Definition: rsa.c:105
ecFreePublicKey
void ecFreePublicKey(EcPublicKey *key)
Release an EC public key.
Definition: ec.c:165
ikeVerifyDigitalSignature
error_t ikeVerifyDigitalSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const IkeAuthData *authData, size_t authDataLen)
Digital signature verification.
Definition: ike_sign_verify.c:154