ike_sign_verify.c
Go to the documentation of this file.
1 /**
2  * @file ike_sign_verify.c
3  * @brief RSA/DSA/ECDSA/EdDSA signature verification
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2022-2025 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneIPSEC Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.5.0
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL IKE_TRACE_LEVEL
33 
34 //Dependencies
35 #include "ike/ike.h"
36 #include "ike/ike_sign_verify.h"
37 #include "encoding/oid.h"
38 #include "pkix/x509_key_parse.h"
39 #include "pkix/x509_sign_parse.h"
40 #include "debug.h"
41 
42 //Check IKEv2 library configuration
43 #if (IKE_SUPPORT == ENABLED && IKE_CERT_AUTH_SUPPORT == ENABLED)
44 
45 
46 /**
47  * @brief Signature verification
48  * @param[in] sa Pointer to the IKE SA
49  * @param[in] id Pointer to the identification data
50  * @param[in] idLen Length of the identification data, in bytes
51  * @param[in] authMethod Authentication method
52  * @param[in] publicKeyInfo Pointer to the subject's public key
53  * @param[in] signature Signature to be verified
54  * @param[in] signatureLen Length of the signature, in bytes
55  * @return Error code
56  **/
57 
58 error_t ikeVerifySignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen,
59  uint8_t authMethod, const X509SubjectPublicKeyInfo *publicKeyInfo,
60  const uint8_t *signature, size_t signatureLen)
61 {
62  error_t error;
63 
64 #if (IKE_SIGN_HASH_ALGOS_SUPPORT == ENABLED)
65  //Digital signature method?
66  if(authMethod == IKE_AUTH_METHOD_DIGITAL_SIGN)
67  {
68  //The new digital signature method is flexible enough to include all
69  //current signature methods (RSA, RSA-PSS, DSA, ECDSA and EdDSA) and add
70  //new methods in the future
71  error = ikeVerifyDigitalSignature(sa, id, idLen, publicKeyInfo,
72  (const IkeAuthData *) signature, signatureLen);
73  }
74  else
75 #endif
76 #if (IKE_RSA_SIGN_SUPPORT == ENABLED && IKE_SHA1_SUPPORT == ENABLED)
77  //RSA signature method?
78  if(authMethod == IKE_AUTH_METHOD_RSA)
79  {
80  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
81  error = ikeVerifyRsaSignature(sa, id, idLen, publicKeyInfo,
82  SHA1_HASH_ALGO, signature, signatureLen);
83  }
84  else
85 #endif
86 #if (IKE_DSA_SIGN_SUPPORT == ENABLED && IKE_SHA1_SUPPORT == ENABLED)
87  //DSA signature method?
88  if(authMethod == IKE_AUTH_METHOD_DSS)
89  {
90  //Verify DSA signature
91  error = ikeVerifyDsaSignature(sa, id, idLen, publicKeyInfo,
92  SHA1_HASH_ALGO, signature, signatureLen, IKE_SIGN_FORMAT_RAW);
93  }
94  else
95 #endif
96 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_256_SUPPORT == ENABLED && \
97  IKE_SHA256_SUPPORT == ENABLED)
98  //ECDSA with NIST P-256 signature method?
99  if(authMethod == IKE_AUTH_METHOD_ECDSA_P256_SHA256)
100  {
101  //Verify ECDSA signature
102  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
103  SECP256R1_CURVE, SHA256_HASH_ALGO, signature, signatureLen,
104  IKE_SIGN_FORMAT_RAW);
105  }
106  else
107 #endif
108 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_384_SUPPORT == ENABLED && \
109  IKE_SHA384_SUPPORT == ENABLED)
110  //ECDSA with NIST P-384 signature method?
111  if(authMethod == IKE_AUTH_METHOD_ECDSA_P384_SHA384)
112  {
113  //Verify ECDSA signature
114  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
115  SECP384R1_CURVE, SHA384_HASH_ALGO, signature, signatureLen,
116  IKE_SIGN_FORMAT_RAW);
117  }
118  else
119 #endif
120 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED && IKE_ECP_521_SUPPORT == ENABLED && \
121  IKE_SHA512_SUPPORT == ENABLED)
122  //ECDSA with NIST P-521 signature method?
123  if(authMethod == IKE_AUTH_METHOD_ECDSA_P521_SHA512)
124  {
125  //Verify ECDSA signature
126  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
127  SECP521R1_CURVE, SHA512_HASH_ALGO, signature, signatureLen,
128  IKE_SIGN_FORMAT_RAW);
129  }
130  else
131 #endif
132  //Invalid signature method?
133  {
134  //Report an error
135  error = ERROR_INVALID_SIGNATURE_ALGO;
136  }
137 
138  //Return status code
139  return error;
140 }
141 
142 
143 /**
144  * @brief Digital signature verification
145  * @param[in] sa Pointer to the IKE SA
146  * @param[in] id Pointer to the identification data
147  * @param[in] idLen Length of the identification data, in bytes
148  * @param[in] publicKeyInfo Pointer to the subject's public key
149  * @param[in] authData Pointer to the authentication data
150  * @param[in] authDataLen Length of the authentication data, in bytes
151  * @return Error code
152  **/
153 
154 error_t ikeVerifyDigitalSignature(IkeSaEntry *sa, const uint8_t *id,
155  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
156  const IkeAuthData *authData, size_t authDataLen)
157 {
158  error_t error;
159  size_t n;
160  size_t signatureLen;
161  const uint8_t *signature;
162  const HashAlgo *hashAlgo;
163  IkeSignAlgo signAlgo;
164  X509SignAlgoId signAlgoId;
165 
166  //Check the length of the authentication data
167  if(authDataLen >= sizeof(IkeAuthData))
168  {
169  //The signature value is prefixed with an ASN.1 object indicating the
170  //algorithm used to generate the signature (refer to RFC 7427, section 3)
171  if(authDataLen >= (sizeof(IkeAuthData) + authData->algoIdLen))
172  {
173  //Parse ASN.1 object
174  error = x509ParseSignatureAlgo(authData->algoId, authData->algoIdLen,
175  &n, &signAlgoId);
176 
177  //Check status code
178  if(!error)
179  {
180  //Select the signature and hash algorithms that match the specified
181  //identifier
182  error = ikeSelectSignAlgo(&signAlgoId, &signAlgo, &hashAlgo);
183  }
184 
185  //Check status code
186  if(!error)
187  {
188  //There is no padding between the ASN.1 object and the signature value
189  signature = authData->algoId + authData->algoIdLen;
190 
191  //Determine the length of the signature, in bytes
192  signatureLen = authDataLen - sizeof(IkeAuthData) -
193  authData->algoIdLen;
194 
195 #if (IKE_RSA_SIGN_SUPPORT == ENABLED)
196  //RSA signature algorithm?
197  if(signAlgo == IKE_SIGN_ALGO_RSA)
198  {
199  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
200  error = ikeVerifyRsaSignature(sa, id, idLen, publicKeyInfo,
201  hashAlgo, signature, signatureLen);
202  }
203  else
204 #endif
205 #if (IKE_RSA_PSS_SIGN_SUPPORT == ENABLED)
206  //RSA-PSS signature algorithm?
207  if(signAlgo == IKE_SIGN_ALGO_RSA_PSS)
208  {
209  //Verify RSA signature (RSASSA-PSS signature scheme)
210  error = ikeVerifyRsaPssSignature(sa, id, idLen, publicKeyInfo,
211  hashAlgo, signAlgoId.rsaPssParams.saltLen, signature,
212  signatureLen);
213  }
214  else
215 #endif
216 #if (IKE_DSA_SIGN_SUPPORT == ENABLED)
217  //DSA signature algorithm?
218  if(signAlgo == IKE_SIGN_ALGO_DSA)
219  {
220  //Verify DSA signature
221  error = ikeVerifyDsaSignature(sa, id, idLen, publicKeyInfo,
222  hashAlgo, signature, signatureLen, IKE_SIGN_FORMAT_ASN1);
223  }
224  else
225 #endif
226 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED)
227  //ECDSA signature algorithm?
228  if(signAlgo == IKE_SIGN_ALGO_ECDSA)
229  {
230  //Verify ECDSA signature
231  error = ikeVerifyEcdsaSignature(sa, id, idLen, publicKeyInfo,
232  NULL, hashAlgo, signature, signatureLen, IKE_SIGN_FORMAT_ASN1);
233  }
234  else
235 #endif
236 #if (IKE_ED25519_SIGN_SUPPORT == ENABLED)
237  //Ed25519 signature algorithm?
238  if(signAlgo == IKE_SIGN_ALGO_ED25519)
239  {
240  //Verify Ed25519 signature (PureEdDSA mode)
241  error = ikeVerifyEd25519Signature(sa, id, idLen, publicKeyInfo,
242  signature, signatureLen);
243  }
244  else
245 #endif
246 #if (IKE_ED448_SIGN_SUPPORT == ENABLED)
247  //Ed448 signature algorithm?
248  if(signAlgo == IKE_SIGN_ALGO_ED448)
249  {
250  //Verify Ed448 signature (PureEdDSA mode)
251  error = ikeVerifyEd448Signature(sa, id, idLen, publicKeyInfo,
252  signature, signatureLen);
253  }
254  else
255 #endif
256  //Invalid signature algorithm?
257  {
258  //Report an error
259  error = ERROR_UNSUPPORTED_SIGNATURE_ALGO;
260  }
261  }
262  }
263  else
264  {
265  //Malformed ASN.1 object
266  error = ERROR_INVALID_MESSAGE;
267  }
268  }
269  else
270  {
271  //Malformed authentication data
272  error = ERROR_INVALID_MESSAGE;
273  }
274 
275  //Return status code
276  return error;
277 }
278 
279 
280 /**
281  * @brief RSA signature verification
282  * @param[in] sa Pointer to the IKE SA
283  * @param[in] id Pointer to the identification data
284  * @param[in] idLen Length of the identification data, in bytes
285  * @param[in] publicKeyInfo Pointer to the subject's public key
286  * @param[in] hashAlgo Hash algorithm
287  * @param[in] signature Signature to be verified
288  * @param[in] signatureLen Length of the signature, in bytes
289  * @return Error code
290  **/
291 
292 error_t ikeVerifyRsaSignature(IkeSaEntry *sa, const uint8_t *id,
293  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
294  const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen)
295 {
296 #if (IKE_RSA_SIGN_SUPPORT == ENABLED)
297  error_t error;
298  uint_t k;
299  RsaPublicKey rsaPublicKey;
300  uint8_t digest[IKE_MAX_DIGEST_SIZE];
301 
302  //Check public key identifier
303  if(OID_COMP(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
304  RSA_ENCRYPTION_OID) == 0)
305  {
306  //Initialize RSA public key
307  rsaInitPublicKey(&rsaPublicKey);
308 
309  //Digest signed octets
310  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
311  !sa->originalInitiator);
312 
313  //Check status code
314  if(!error)
315  {
316  //Import RSA public key
317  error = x509ImportRsaPublicKey(&rsaPublicKey, publicKeyInfo);
318  }
319 
320  //Check status code
321  if(!error)
322  {
323  //Get the length of the modulus, in bits
324  k = mpiGetBitLength(&rsaPublicKey.n);
325 
326  //Applications should also enforce minimum and maximum key sizes
327  if(k < IKE_MIN_RSA_MODULUS_SIZE || k > IKE_MAX_RSA_MODULUS_SIZE)
328  {
329  //Report an error
330  error = ERROR_BAD_CERTIFICATE;
331  }
332  }
333 
334  //Check status code
335  if(!error)
336  {
337  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
338  error = rsassaPkcs1v15Verify(&rsaPublicKey, hashAlgo, digest,
339  signature, signatureLen);
340  }
341 
342  //Free previously allocated memory
343  rsaFreePublicKey(&rsaPublicKey);
344  }
345  else
346  {
347  //Invalid public key identifier
348  error = ERROR_INVALID_KEY;
349  }
350 
351  //Return status code
352  return error;
353 #else
354  //Not implemented
355  return ERROR_NOT_IMPLEMENTED;
356 #endif
357 }
358 
359 
360 /**
361  * @brief RSA-PSS signature verification
362  * @param[in] sa Pointer to the IKE SA
363  * @param[in] id Pointer to the identification data
364  * @param[in] idLen Length of the identification data, in bytes
365  * @param[in] publicKeyInfo Pointer to the subject's public key
366  * @param[in] hashAlgo Hash algorithm
367  * @param[in] saltLen Length of the salt, in bytes
368  * @param[in] signature Signature to be verified
369  * @param[in] signatureLen Length of the signature, in bytes
370  * @return Error code
371  **/
372 
373 error_t ikeVerifyRsaPssSignature(IkeSaEntry *sa, const uint8_t *id,
374  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
375  const HashAlgo *hashAlgo, size_t saltLen, const uint8_t *signature,
376  size_t signatureLen)
377 {
378 #if (IKE_RSA_PSS_SIGN_SUPPORT == ENABLED)
379  error_t error;
380  uint_t k;
381  size_t oidLen;
382  const uint8_t *oid;
383  RsaPublicKey rsaPublicKey;
384  uint8_t digest[IKE_MAX_DIGEST_SIZE];
385 
386  //Retrieve public key identifier
387  oid = publicKeyInfo->oid.value;
388  oidLen = publicKeyInfo->oid.length;
389 
390  //Check public key identifier
391  if(OID_COMP(oid, oidLen, RSA_ENCRYPTION_OID) == 0 ||
392  OID_COMP(oid, oidLen, RSASSA_PSS_OID) == 0)
393  {
394  //Initialize RSA public key
395  rsaInitPublicKey(&rsaPublicKey);
396 
397  //Digest signed octets
398  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
399  !sa->originalInitiator);
400 
401  //Check status code
402  if(!error)
403  {
404  //Import RSA public key
405  error = x509ImportRsaPublicKey(&rsaPublicKey, publicKeyInfo);
406  }
407 
408  //Check status code
409  if(!error)
410  {
411  //Get the length of the modulus, in bits
412  k = mpiGetBitLength(&rsaPublicKey.n);
413 
414  //Applications should also enforce minimum and maximum key sizes
415  if(k < IKE_MIN_RSA_MODULUS_SIZE || k > IKE_MAX_RSA_MODULUS_SIZE)
416  {
417  //Report an error
418  error = ERROR_BAD_CERTIFICATE;
419  }
420  }
421 
422  //Check status code
423  if(!error)
424  {
425  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
426  error = rsassaPssVerify(&rsaPublicKey, hashAlgo, saltLen, digest,
427  signature, signatureLen);
428  }
429 
430  //Free previously allocated memory
431  rsaFreePublicKey(&rsaPublicKey);
432  }
433  else
434  {
435  //Invalid public key identifier
436  error = ERROR_INVALID_KEY;
437  }
438 
439  //Return status code
440  return error;
441 #else
442  //Not implemented
443  return ERROR_NOT_IMPLEMENTED;
444 #endif
445 }
446 
447 
448 /**
449  * @brief DSA signature verification
450  * @param[in] sa Pointer to the IKE SA
451  * @param[in] id Pointer to the identification data
452  * @param[in] idLen Length of the identification data, in bytes
453  * @param[in] publicKeyInfo Pointer to the subject's public key
454  * @param[in] hashAlgo Hash algorithm
455  * @param[in] signature Signature to be verified
456  * @param[in] signatureLen Length of the signature, in bytes
457  * @param[in] format Signature format (raw or ASN.1)
458  * @return Error code
459  **/
460 
461 error_t ikeVerifyDsaSignature(IkeSaEntry *sa, const uint8_t *id,
462  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
463  const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen,
464  IkeSignFormat format)
465 {
466 #if (IKE_DSA_SIGN_SUPPORT == ENABLED)
467  error_t error;
468  uint_t k;
469  DsaPublicKey dsaPublicKey;
470  DsaSignature dsaSignature;
471  uint8_t digest[IKE_MAX_DIGEST_SIZE];
472 
473  //Check public key identifier
474  if(OID_COMP(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
475  DSA_OID) == 0)
476  {
477  //Initialize DSA public key
478  dsaInitPublicKey(&dsaPublicKey);
479  //Initialize DSA signature
480  dsaInitSignature(&dsaSignature);
481 
482  //Digest signed octets
483  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
484  !sa->originalInitiator);
485 
486  //Check status code
487  if(!error)
488  {
489  //Import DSA public key
490  error = x509ImportDsaPublicKey(&dsaPublicKey, publicKeyInfo);
491  }
492 
493  //Check status code
494  if(!error)
495  {
496  //Get the length of the modulus, in bits
497  k = mpiGetBitLength(&dsaPublicKey.params.p);
498 
499  //Applications should also enforce minimum and maximum key sizes
500  if(k < IKE_MIN_DSA_MODULUS_SIZE || k > IKE_MAX_DSA_MODULUS_SIZE)
501  {
502  //Report an error
503  error = ERROR_BAD_CERTIFICATE;
504  }
505  }
506 
507  //Check status code
508  if(!error)
509  {
510  //Decode (R, S) integer pair
511  error = ikeParseDsaSignature(signature, signatureLen, &dsaSignature,
512  format);
513  }
514 
515  //Check status code
516  if(!error)
517  {
518  //Verify DSA signature
519  error = dsaVerifySignature(&dsaPublicKey, digest, hashAlgo->digestSize,
520  &dsaSignature);
521  }
522 
523  //Free previously allocated memory
524  dsaFreePublicKey(&dsaPublicKey);
525  dsaFreeSignature(&dsaSignature);
526  }
527  else
528  {
529  //Invalid public key identifier
530  error = ERROR_INVALID_KEY;
531  }
532 
533  //Return status code
534  return error;
535 #else
536  //Not implemented
537  return ERROR_NOT_IMPLEMENTED;
538 #endif
539 }
540 
541 
542 /**
543  * @brief ECDSA signature verification
544  * @param[in] sa Pointer to the IKE SA
545  * @param[in] id Pointer to the identification data
546  * @param[in] idLen Length of the identification data, in bytes
547  * @param[in] publicKeyInfo Pointer to the subject's public key
548  * @param[in] group Elliptic curve group
549  * @param[in] hashAlgo Hash algorithm
550  * @param[in] signature Signature to be verified
551  * @param[in] signatureLen Length of the signature, in bytes
552  * @param[in] format Signature format (raw or ASN.1)
553  * @return Error code
554  **/
555 
556 error_t ikeVerifyEcdsaSignature(IkeSaEntry *sa, const uint8_t *id,
557  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
558  const EcCurve *group, const HashAlgo *hashAlgo, const uint8_t *signature,
559  size_t signatureLen, IkeSignFormat format)
560 {
561 #if (IKE_ECDSA_SIGN_SUPPORT == ENABLED)
562  error_t error;
563  const EcCurve *curve;
564  EcPublicKey ecPublicKey;
565  EcdsaSignature ecdsaSignature;
566  uint8_t digest[IKE_MAX_DIGEST_SIZE];
567 
568  //Check public key identifier
569  if(OID_COMP(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
570  EC_PUBLIC_KEY_OID) == 0)
571  {
572  //Retrieve EC domain parameters
573  curve = ecGetCurve(publicKeyInfo->ecParams.namedCurve.value,
574  publicKeyInfo->ecParams.namedCurve.length);
575 
576  //Make sure the specified elliptic curve is acceptable
577  if(curve != NULL && (curve == group || group == NULL))
578  {
579  //Initialize DSA public key
580  ecInitPublicKey(&ecPublicKey);
581  //Initialize DSA signature
582  ecdsaInitSignature(&ecdsaSignature);
583 
584  //Digest signed octets
585  error = ikeDigestSignedOctets(sa, hashAlgo, id, idLen, digest,
586  !sa->originalInitiator);
587 
588  //Check status code
589  if(!error)
590  {
591  //Import EC public key
592  error = x509ImportEcPublicKey(&ecPublicKey, publicKeyInfo);
593  }
594 
595  //Check status code
596  if(!error)
597  {
598  //Decode (R, S) integer pair
599  error = ikeParseEcdsaSignature(curve, signature, signatureLen,
600  &ecdsaSignature, format);
601  }
602 
603  //Check status code
604  if(!error)
605  {
606  //Verify ECDSA signature
607  error = ecdsaVerifySignature(&ecPublicKey, digest,
608  hashAlgo->digestSize, &ecdsaSignature);
609  }
610 
611  //Free previously allocated memory
612  ecFreePublicKey(&ecPublicKey);
613  ecdsaFreeSignature(&ecdsaSignature);
614  }
615  else
616  {
617  //Unknown elliptic curve identifier
618  return ERROR_INVALID_SIGNATURE;
619  }
620  }
621  else
622  {
623  //Invalid public key identifier
624  error = ERROR_INVALID_KEY;
625  }
626 
627  //Return status code
628  return error;
629 #else
630  //Not implemented
631  return ERROR_NOT_IMPLEMENTED;
632 #endif
633 }
634 
635 
636 /**
637  * @brief Ed25519 signature verification
638  * @param[in] sa Pointer to the IKE SA
639  * @param[in] id Pointer to the identification data
640  * @param[in] idLen Length of the identification data, in bytes
641  * @param[in] publicKeyInfo Pointer to the subject's public key
642  * @param[in] signature Signature to be verified
643  * @param[in] signatureLen Length of the signature, in bytes
644  * @return Error code
645  **/
646 
647 error_t ikeVerifyEd25519Signature(IkeSaEntry *sa, const uint8_t *id,
648  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
649  const uint8_t *signature, size_t signatureLen)
650 {
651 #if (IKE_ED25519_SIGN_SUPPORT == ENABLED)
652  error_t error;
653  DataChunk messageChunks[3];
654  uint8_t macId[IKE_MAX_DIGEST_SIZE];
655 
656  //Check public key identifier
657  if(OID_COMP(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
658  ED25519_OID) == 0)
659  {
660  //Valid Ed25519 public key?
661  if(publicKeyInfo->ecPublicKey.q.value != NULL &&
662  publicKeyInfo->ecPublicKey.q.length == ED25519_PUBLIC_KEY_LEN)
663  {
664  //The Ed25519 signature shall consist of 32 octets
665  if(signatureLen == ED25519_SIGNATURE_LEN)
666  {
667  //Data to be signed is run through the EdDSA algorithm without
668  //pre-hashing
669  error = ikeGetSignedOctets(sa, id, idLen, macId, messageChunks,
670  !sa->originalInitiator);
671 
672  //Check status code
673  if(!error)
674  {
675  //Verify Ed25519 signature (PureEdDSA mode)
676  error = ed25519VerifySignatureEx(publicKeyInfo->ecPublicKey.q.value,
677  messageChunks, arraysize(messageChunks), NULL, 0, 0, signature);
678  }
679  }
680  else
681  {
682  //The length of the signature is not valid
683  error = ERROR_INVALID_SIGNATURE;
684  }
685  }
686  else
687  {
688  //The public key is not valid
689  error = ERROR_INVALID_KEY;
690  }
691  }
692  else
693  {
694  //Invalid public key identifier
695  error = ERROR_INVALID_KEY;
696  }
697 
698  //Return status code
699  return error;
700 #else
701  //Not implemented
702  return ERROR_NOT_IMPLEMENTED;
703 #endif
704 }
705 
706 
707 /**
708  * @brief Ed448 signature verification
709  * @param[in] sa Pointer to the IKE SA
710  * @param[in] id Pointer to the identification data
711  * @param[in] idLen Length of the identification data, in bytes
712  * @param[in] publicKeyInfo Pointer to the subject's public key
713  * @param[in] signature Signature to be verified
714  * @param[in] signatureLen Length of the signature, in bytes
715  * @return Error code
716  **/
717 
718 error_t ikeVerifyEd448Signature(IkeSaEntry *sa, const uint8_t *id,
719  size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo,
720  const uint8_t *signature, size_t signatureLen)
721 {
722 #if (IKE_ED448_SIGN_SUPPORT == ENABLED)
723  error_t error;
724  DataChunk messageChunks[3];
725  uint8_t macId[IKE_MAX_DIGEST_SIZE];
726 
727  //Check public key identifier
728  if(OID_COMP(publicKeyInfo->oid.value, publicKeyInfo->oid.length,
729  ED448_OID) == 0)
730  {
731  //Valid Ed448 public key?
732  if(publicKeyInfo->ecPublicKey.q.value != NULL &&
733  publicKeyInfo->ecPublicKey.q.length == ED448_PUBLIC_KEY_LEN)
734  {
735  //The Ed448 signature shall consist of 57 octets
736  if(signatureLen == ED448_SIGNATURE_LEN)
737  {
738  //Data to be signed is run through the EdDSA algorithm without
739  //pre-hashing
740  error = ikeGetSignedOctets(sa, id, idLen, macId, messageChunks,
741  !sa->originalInitiator);
742 
743  //Check status code
744  if(!error)
745  {
746  //Verify Ed448 signature (PureEdDSA mode)
747  error = ed448VerifySignatureEx(publicKeyInfo->ecPublicKey.q.value,
748  messageChunks, arraysize(messageChunks), NULL, 0, 0, signature);
749  }
750  }
751  else
752  {
753  //The length of the signature is not valid
754  error = ERROR_INVALID_SIGNATURE;
755  }
756  }
757  else
758  {
759  //The public key is not valid
760  error = ERROR_INVALID_KEY;
761  }
762  }
763  else
764  {
765  //Invalid public key identifier
766  error = ERROR_INVALID_KEY;
767  }
768 
769  //Return status code
770  return error;
771 #else
772  //Not implemented
773  return ERROR_NOT_IMPLEMENTED;
774 #endif
775 }
776 
777 #endif
IKE_SIGN_ALGO_ED448
@ IKE_SIGN_ALGO_ED448
Definition: ike_sign_misc.h:66
EcdsaSignature
ECDSA signature.
Definition: ecdsa.h:63
IkeAuthData
IkeAuthData
Definition: ike.h:1538
x509ImportEcPublicKey
error_t x509ImportEcPublicKey(EcPublicKey *publicKey, const X509SubjectPublicKeyInfo *publicKeyInfo)
Import an EC public key.
Definition: x509_key_parse.c:718
SHA256_HASH_ALGO
#define SHA256_HASH_ALGO
Definition: sha256.h:49
rsaFreePublicKey
void rsaFreePublicKey(RsaPublicKey *key)
Release an RSA public key.
Definition: rsa.c:113
SHA1_HASH_ALGO
#define SHA1_HASH_ALGO
Definition: sha1.h:49
SECP521R1_CURVE
#define SECP521R1_CURVE
Definition: ec_curves.h:53
SHA512_HASH_ALGO
#define SHA512_HASH_ALGO
Definition: sha512.h:49
ERROR_NOT_IMPLEMENTED
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
ED25519_PUBLIC_KEY_LEN
#define ED25519_PUBLIC_KEY_LEN
Definition: ed25519.h:42
oid.h
OID (Object Identifier)
SECP384R1_CURVE
#define SECP384R1_CURVE
Definition: ec_curves.h:52
IkeSignAlgo
IkeSignAlgo
Signature algorithms.
Definition: ike_sign_misc.h:59
X509SubjectPublicKeyInfo::oid
X509OctetString oid
Definition: x509_common.h:840
IKE_AUTH_METHOD_ECDSA_P521_SHA512
@ IKE_AUTH_METHOD_ECDSA_P521_SHA512
ECDSA with SHA-512 on the P-521 curve.
Definition: ike.h:1113
SECP256R1_CURVE
#define SECP256R1_CURVE
Definition: ec_curves.h:51
ED448_PUBLIC_KEY_LEN
#define ED448_PUBLIC_KEY_LEN
Definition: ed448.h:42
HashAlgo::digestSize
size_t digestSize
Definition: crypto.h:1088
EC_PUBLIC_KEY_OID
const uint8_t EC_PUBLIC_KEY_OID[7]
Definition: ec.c:44
ikeParseDsaSignature
error_t ikeParseDsaSignature(const uint8_t *data, size_t length, DsaSignature *signature, IkeSignFormat format)
DSA signature parsing.
Definition: ike_sign_misc.c:157
IKE_AUTH_METHOD_RSA
@ IKE_AUTH_METHOD_RSA
RSA Digital Signature.
Definition: ike.h:1108
X509SubjectPublicKeyInfo::ecParams
X509EcParameters ecParams
Definition: x509_common.h:850
ED448_SIGNATURE_LEN
#define ED448_SIGNATURE_LEN
Definition: ed448.h:44
ikeDigestSignedOctets
error_t ikeDigestSignedOctets(IkeSaEntry *sa, const HashAlgo *hashAlgo, const uint8_t *id, size_t idLen, uint8_t *digest, bool_t initiator)
Digest signed octets.
Definition: ike_sign_misc.c:882
IKE_SIGN_ALGO_RSA
@ IKE_SIGN_ALGO_RSA
Definition: ike_sign_misc.h:61
ED25519_SIGNATURE_LEN
#define ED25519_SIGNATURE_LEN
Definition: ed25519.h:44
ikeParseEcdsaSignature
error_t ikeParseEcdsaSignature(const EcCurve *curve, const uint8_t *data, size_t length, EcdsaSignature *signature, IkeSignFormat format)
ECDSA signature parsing.
Definition: ike_sign_misc.c:217
ikeVerifySignature
error_t ikeVerifySignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, uint8_t authMethod, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Signature verification.
Definition: ike_sign_verify.c:58
IKE_MAX_DSA_MODULUS_SIZE
#define IKE_MAX_DSA_MODULUS_SIZE
Definition: ike.h:705
ERROR_INVALID_MESSAGE
@ ERROR_INVALID_MESSAGE
Definition: error.h:105
DsaDomainParameters::p
Mpi p
Prime modulus.
Definition: dsa.h:50
RSASSA_PSS_OID
const uint8_t RSASSA_PSS_OID[9]
Definition: rsa.c:85
x509ImportDsaPublicKey
error_t x509ImportDsaPublicKey(DsaPublicKey *publicKey, const X509SubjectPublicKeyInfo *publicKeyInfo)
Import a DSA public key.
Definition: x509_key_parse.c:633
IKE_MAX_RSA_MODULUS_SIZE
#define IKE_MAX_RSA_MODULUS_SIZE
Definition: ike.h:691
IKE_MAX_DIGEST_SIZE
#define IKE_MAX_DIGEST_SIZE
Definition: ike.h:736
x509_sign_parse.h
oid
uint8_t oid[]
Definition: lldp_tlv.h:300
RsaPublicKey::n
Mpi n
Modulus.
Definition: rsa.h:58
DSA_OID
const uint8_t DSA_OID[7]
Definition: dsa.c:51
ikeGetSignedOctets
error_t ikeGetSignedOctets(IkeSaEntry *sa, const uint8_t *id, size_t idLen, uint8_t *macId, DataChunk *messageChunks, bool_t initiator)
Retrieve the octets to be signed using EdDSA.
Definition: ike_sign_misc.c:812
ecdsaFreeSignature
void ecdsaFreeSignature(EcdsaSignature *signature)
Release an ECDSA signature.
Definition: ecdsa.c:86
DsaPublicKey
DSA public key.
Definition: dsa.h:61
error_t
error_t
Error codes.
Definition: error.h:43
dsaInitSignature
void dsaInitSignature(DsaSignature *signature)
Initialize a DSA signature.
Definition: dsa.c:168
IKE_SIGN_ALGO_RSA_PSS
@ IKE_SIGN_ALGO_RSA_PSS
Definition: ike_sign_misc.h:62
ecInitPublicKey
void ecInitPublicKey(EcPublicKey *key)
Initialize an EC public key.
Definition: ec.c:52
IKE_AUTH_METHOD_DIGITAL_SIGN
@ IKE_AUTH_METHOD_DIGITAL_SIGN
Digital Signature.
Definition: ike.h:1116
ikeVerifyDsaSignature
error_t ikeVerifyDsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen, IkeSignFormat format)
DSA signature verification.
Definition: ike_sign_verify.c:461
ikeSelectSignAlgo
error_t ikeSelectSignAlgo(const X509SignAlgoId *signAlgoId, IkeSignAlgo *signAlgo, const HashAlgo **hashAlgo)
Select the signature and hash algorithms that match the specified identifier.
Definition: ike_sign_misc.c:501
RsaPublicKey
RSA public key.
Definition: rsa.h:57
ecdsaInitSignature
void ecdsaInitSignature(EcdsaSignature *signature)
Initialize an ECDSA signature.
Definition: ecdsa.c:73
ERROR_BAD_CERTIFICATE
@ ERROR_BAD_CERTIFICATE
Definition: error.h:236
IKE_SIGN_FORMAT_ASN1
@ IKE_SIGN_FORMAT_ASN1
Definition: ike_sign_misc.h:50
authMethod
uint8_t authMethod
Definition: ike.h:1524
DsaPublicKey::params
DsaDomainParameters params
DSA domain parameters.
Definition: dsa.h:62
ikeVerifyEd25519Signature
error_t ikeVerifyEd25519Signature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Ed25519 signature verification.
Definition: ike_sign_verify.c:647
ENABLED
#define ENABLED
Definition: os_port.h:37
IKE_SIGN_ALGO_DSA
@ IKE_SIGN_ALGO_DSA
Definition: ike_sign_misc.h:63
X509EcParameters::namedCurve
X509OctetString namedCurve
Definition: x509_common.h:819
ED448_OID
const uint8_t ED448_OID[3]
Definition: ec_curves.c:114
mpiGetBitLength
uint_t mpiGetBitLength(const Mpi *a)
Get the actual length in bits.
Definition: mpi.c:254
ED25519_OID
const uint8_t ED25519_OID[3]
Definition: ec_curves.c:112
RSA_ENCRYPTION_OID
const uint8_t RSA_ENCRYPTION_OID[9]
Definition: rsa.c:54
ike.h
IKEv2 (Internet Key Exchange Protocol)
IkeSignFormat
IkeSignFormat
Signature format.
Definition: ike_sign_misc.h:48
DataChunk
Data chunk descriptor.
Definition: crypto.h:1017
EcPublicKey
EC public key.
Definition: ec.h:421
SHA384_HASH_ALGO
#define SHA384_HASH_ALGO
Definition: sha384.h:45
ed448VerifySignatureEx
error_t ed448VerifySignatureEx(const uint8_t *publicKey, const DataChunk *message, uint_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed448.c:437
dsaVerifySignature
error_t dsaVerifySignature(const DsaPublicKey *key, const uint8_t *digest, size_t digestLen, const DsaSignature *signature)
DSA signature verification.
Definition: dsa.c:601
ikeVerifyRsaSignature
error_t ikeVerifyRsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen)
RSA signature verification.
Definition: ike_sign_verify.c:292
rsassaPkcs1v15Verify
error_t rsassaPkcs1v15Verify(const RsaPublicKey *key, const HashAlgo *hash, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PKCS1-v1_5 signature verification operation.
Definition: rsa.c:1068
ERROR_INVALID_SIGNATURE_ALGO
@ ERROR_INVALID_SIGNATURE_ALGO
Definition: error.h:135
IkeSaEntry
#define IkeSaEntry
Definition: ike.h:800
X509EcPublicKey::q
X509OctetString q
Definition: x509_common.h:829
OID_COMP
#define OID_COMP(oid1, oidLen1, oid2)
Definition: oid.h:42
x509ImportRsaPublicKey
error_t x509ImportRsaPublicKey(RsaPublicKey *publicKey, const X509SubjectPublicKeyInfo *publicKeyInfo)
Import an RSA public key.
Definition: x509_key_parse.c:563
n
uint8_t n
Definition: dhcpv6_common.h:416
X509SubjectPublicKeyInfo
Subject Public Key Information extension.
Definition: x509_common.h:838
rsassaPssVerify
error_t rsassaPssVerify(const RsaPublicKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PSS signature verification operation.
Definition: rsa.c:1309
IKE_SIGN_FORMAT_RAW
@ IKE_SIGN_FORMAT_RAW
Definition: ike_sign_misc.h:49
authData
uint8_t authData[]
Definition: ipv6.h:353
ecdsaVerifySignature
__weak_func error_t ecdsaVerifySignature(const EcPublicKey *publicKey, const uint8_t *digest, size_t digestLen, const EcdsaSignature *signature)
ECDSA signature verification.
Definition: ecdsa.c:655
IKE_SIGN_ALGO_ECDSA
@ IKE_SIGN_ALGO_ECDSA
Definition: ike_sign_misc.h:64
dsaFreeSignature
void dsaFreeSignature(DsaSignature *signature)
Release a DSA signature.
Definition: dsa.c:181
IKE_AUTH_METHOD_DSS
@ IKE_AUTH_METHOD_DSS
DSS Digital Signature.
Definition: ike.h:1110
oidLen
uint8_t oidLen
Definition: lldp_tlv.h:299
x509ParseSignatureAlgo
error_t x509ParseSignatureAlgo(const uint8_t *data, size_t length, size_t *totalLength, X509SignAlgoId *signatureAlgo)
Parse SignatureAlgorithm structure.
Definition: x509_sign_parse.c:53
ecGetCurve
const EcCurve * ecGetCurve(const uint8_t *oid, size_t length)
Get the elliptic curve that matches the specified OID.
Definition: ec_curves.c:5888
IKE_AUTH_METHOD_ECDSA_P256_SHA256
@ IKE_AUTH_METHOD_ECDSA_P256_SHA256
ECDSA with SHA-256 on the P-256 curve.
Definition: ike.h:1111
X509OctetString::value
const uint8_t * value
Definition: x509_common.h:702
HashAlgo
Common interface for hash algorithms.
Definition: crypto.h:1082
DsaSignature
DSA signature.
Definition: dsa.h:85
EcCurve
#define EcCurve
Definition: ec.h:346
x509_key_parse.h
Parsing of ASN.1 encoded keys.
ERROR_UNSUPPORTED_SIGNATURE_ALGO
@ ERROR_UNSUPPORTED_SIGNATURE_ALGO
Definition: error.h:132
ikeVerifyEcdsaSignature
error_t ikeVerifyEcdsaSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const EcCurve *group, const HashAlgo *hashAlgo, const uint8_t *signature, size_t signatureLen, IkeSignFormat format)
ECDSA signature verification.
Definition: ike_sign_verify.c:556
uint_t
unsigned int uint_t
Definition: compiler_port.h:57
ikeVerifyRsaPssSignature
error_t ikeVerifyRsaPssSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const HashAlgo *hashAlgo, size_t saltLen, const uint8_t *signature, size_t signatureLen)
RSA-PSS signature verification.
Definition: ike_sign_verify.c:373
X509SubjectPublicKeyInfo::ecPublicKey
X509EcPublicKey ecPublicKey
Definition: x509_common.h:851
ERROR_INVALID_SIGNATURE
@ ERROR_INVALID_SIGNATURE
Definition: error.h:228
X509SignAlgoId::rsaPssParams
X509RsaPssParameters rsaPssParams
Definition: x509_common.h:1091
IKE_AUTH_METHOD_ECDSA_P384_SHA384
@ IKE_AUTH_METHOD_ECDSA_P384_SHA384
ECDSA with SHA-384 on the P-384 curve.
Definition: ike.h:1112
dsaFreePublicKey
void dsaFreePublicKey(DsaPublicKey *key)
Release a DSA public key.
Definition: dsa.c:119
IKE_RSA_SIGN_SUPPORT
#define IKE_RSA_SIGN_SUPPORT
Definition: ike.h:516
ike_sign_verify.h
RSA/DSA/ECDSA/EdDSA signature verification.
IKE_SIGN_ALGO_ED25519
@ IKE_SIGN_ALGO_ED25519
Definition: ike_sign_misc.h:65
dsaInitPublicKey
void dsaInitPublicKey(DsaPublicKey *key)
Initialize a DSA public key.
Definition: dsa.c:105
X509SignAlgoId
Signature algorithm identifier.
Definition: x509_common.h:1088
ERROR_INVALID_KEY
@ ERROR_INVALID_KEY
Definition: error.h:106
ikeVerifyEd448Signature
error_t ikeVerifyEd448Signature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const uint8_t *signature, size_t signatureLen)
Ed448 signature verification.
Definition: ike_sign_verify.c:718
debug.h
Debugging facilities.
rsaInitPublicKey
void rsaInitPublicKey(RsaPublicKey *key)
Initialize an RSA public key.
Definition: rsa.c:100
ecFreePublicKey
void ecFreePublicKey(EcPublicKey *key)
Release an EC public key.
Definition: ec.c:68
arraysize
#define arraysize(a)
Definition: os_port.h:71
ikeVerifyDigitalSignature
error_t ikeVerifyDigitalSignature(IkeSaEntry *sa, const uint8_t *id, size_t idLen, const X509SubjectPublicKeyInfo *publicKeyInfo, const IkeAuthData *authData, size_t authDataLen)
Digital signature verification.
Definition: ike_sign_verify.c:154
ed25519VerifySignatureEx
error_t ed25519VerifySignatureEx(const uint8_t *publicKey, const DataChunk *message, uint_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed25519.c:459