tls_signature.c
Go to the documentation of this file.
1 /**
2  * @file tls_signature.c
3  * @brief RSA/DSA/ECDSA/EdDSA signature generation and verification
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_signature.h"
36 #include "tls_transcript_hash.h"
37 #include "tls_misc.h"
38 #include "certificate/pem_import.h"
39 #include "pkc/rsa.h"
40 #include "pkc/dsa.h"
41 #include "ecc/ecdsa.h"
42 #include "ecc/ed25519.h"
43 #include "ecc/ed448.h"
44 #include "debug.h"
45 
46 //Check TLS library configuration
47 #if (TLS_SUPPORT == ENABLED)
48 
49 
50 /**
51  * @brief Select the algorithm to be used when generating digital signatures
52  * @param[in] context Pointer to the TLS context
53  * @param[in] cert End entity certificate
54  * @param[in] supportedSignAlgos List of supported signature/hash algorithm pairs
55  * @return Error code
56  **/
57 
59  const TlsSignHashAlgos *supportedSignAlgos)
60 {
61  error_t error;
62  uint_t i;
63  uint_t n;
64  const HashAlgo *hashAlgo;
65  const TlsSignHashAlgo *p;
66 
67  //Initialize status code
68  error = ERROR_HANDSHAKE_FAILED;
69 
70  //Default signature algorithm
71  context->signAlgo = TLS_SIGN_ALGO_ANONYMOUS;
72  context->signHashAlgo = TLS_HASH_ALGO_NONE;
73 
74 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \
75  TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)
76  //RSA, DSA or ECDSA certificate?
77  if(cert->type == TLS_CERT_RSA_SIGN ||
78  cert->type == TLS_CERT_DSS_SIGN ||
79  cert->type == TLS_CERT_ECDSA_SIGN)
80  {
81  //Check whether the peer has provided a list of supported hash/signature
82  //algorithm pairs
83  if(supportedSignAlgos != NULL)
84  {
85  TlsHashAlgo hashAlgoId;
86 
87  //Process the list and select the relevant signature algorithm
88  p = supportedSignAlgos->value;
89  //Get the number of hash/signature algorithm pairs present in the list
90  n = ntohs(supportedSignAlgos->length) / sizeof(TlsSignHashAlgo);
91 
92  //The hash algorithm to be used when generating signatures must be
93  //one of those present in the list
94  for(i = 0; i < n; i++)
95  {
96  //Reset the hash algorithm identifier to its default value
97  hashAlgoId = TLS_HASH_ALGO_NONE;
98 
99 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
100  //RSA signature scheme?
101  if(cert->type == TLS_CERT_RSA_SIGN &&
102  p[i].signature == TLS_SIGN_ALGO_RSA)
103  {
104  //In TLS 1.3, RSASSA-PKCS1-v1_5 signature algorithms refer
105  //solely to signatures which appear in certificates and are
106  //not defined for use in signed TLS handshake messages
107  if(context->version <= TLS_VERSION_1_2)
108  {
109  //Select current hash algorithm
110  hashAlgoId = (TlsHashAlgo) p[i].hash;
111  }
112  }
113  else
114 #endif
115 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
116  //RSA-PSS signature scheme?
117  if(cert->type == TLS_CERT_RSA_SIGN &&
118  p[i].hash == TLS_HASH_ALGO_INTRINSIC)
119  {
120  //TLS 1.2 and TLS 1.3 support RSASSA-PSS signature schemes
121  if(context->version >= TLS_VERSION_1_2)
122  {
123  //Check RSA-PSS signature scheme
125  {
126  //RSASSA-PSS RSAE signature scheme with SHA-256
127  hashAlgoId = TLS_HASH_ALGO_SHA256;
128  }
130  {
131  //RSASSA-PSS RSAE signature scheme with SHA-384
132  hashAlgoId = TLS_HASH_ALGO_SHA384;
133  }
135  {
136  //RSASSA-PSS RSAE signature scheme with SHA-512
137  hashAlgoId = TLS_HASH_ALGO_SHA512;
138  }
139  }
140  }
141  else
142 #endif
143 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
144  //DSA signature scheme?
145  if(cert->type == TLS_CERT_DSS_SIGN &&
146  p[i].signature == TLS_SIGN_ALGO_DSA)
147  {
148  //TLS 1.3 removes support for DSA certificates
149  if(context->version <= TLS_VERSION_1_2)
150  {
151  //Select current hash algorithm
152  hashAlgoId = (TlsHashAlgo) p[i].hash;
153  }
154  }
155  else
156 #endif
157 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
158  //ECDSA signature scheme?
159  if(cert->type == TLS_CERT_ECDSA_SIGN &&
160  p[i].signature == TLS_SIGN_ALGO_ECDSA)
161  {
162  //Version of TLS prior to TLS 1.3?
163  if(context->version <= TLS_VERSION_1_2)
164  {
165  //Select current hash algorithm
166  hashAlgoId = (TlsHashAlgo) p[i].hash;
167  }
168  else
169  {
170  //Check elliptic curve and hash algorithm
171  if(cert->namedCurve == TLS_GROUP_SECP256R1 &&
172  p[i].hash == TLS_HASH_ALGO_SHA256)
173  {
174  //Select current hash algorithm
175  hashAlgoId = TLS_HASH_ALGO_SHA256;
176  }
177  else if(cert->namedCurve == TLS_GROUP_SECP384R1 &&
178  p[i].hash == TLS_HASH_ALGO_SHA384)
179  {
180  //Select current hash algorithm
181  hashAlgoId = TLS_HASH_ALGO_SHA384;
182  }
183  else if(cert->namedCurve == TLS_GROUP_SECP521R1 &&
184  p[i].hash == TLS_HASH_ALGO_SHA512)
185  {
186  //Select current hash algorithm
187  hashAlgoId = TLS_HASH_ALGO_SHA512;
188  }
189  }
190  }
191  else
192 #endif
193  //Unknown signature scheme?
194  {
195  //Just for sanity
196  }
197 
198  //Get the hash algorithm that matches the specified identifier
199  hashAlgo = tlsGetHashAlgo(hashAlgoId);
200 
201  //Check whether the hash algorithm is supported
202  if(hashAlgo != NULL)
203  {
204  //In TLS versions prior to 1.3, the client implementation can only
205  //generate a CertificateVerify using SHA-1 or the hash used by
206  //the PRF. Supporting all hash algorithms would require the client
207  //to maintain hashes for every possible signature algorithm that
208  //the server may request...
209  if(context->version == TLS_VERSION_1_3 ||
210  context->entity == TLS_CONNECTION_END_SERVER ||
211  hashAlgoId == TLS_HASH_ALGO_SHA1 ||
212  hashAlgo == context->cipherSuite.prfHashAlgo)
213  {
214  //The signature algorithm is acceptable
215  context->signAlgo = (TlsSignatureAlgo) p[i].signature;
216  context->signHashAlgo = (TlsHashAlgo) hashAlgoId;
217  break;
218  }
219  }
220  }
221  }
222  else
223  {
224  //Version of TLS prior to TLS 1.3?
225  if(context->version <= TLS_VERSION_1_2)
226  {
227  //Select the default hash algorithm to be used when generating RSA,
228  //DSA or ECDSA signatures
230  {
231  //Select SHA-1 hash algorithm
232  context->signAlgo = cert->signAlgo;
233  context->signHashAlgo = TLS_HASH_ALGO_SHA1;
234  }
235  else if(tlsGetHashAlgo(TLS_HASH_ALGO_SHA256) != NULL)
236  {
237  //Select SHA-256 hash algorithm
238  context->signAlgo = cert->signAlgo;
239  context->signHashAlgo = TLS_HASH_ALGO_SHA256;
240  }
241  else if(tlsGetHashAlgo(TLS_HASH_ALGO_SHA384) != NULL)
242  {
243  //Select SHA-384 hash algorithm
244  context->signAlgo = cert->signAlgo;
245  context->signHashAlgo = TLS_HASH_ALGO_SHA384;
246  }
247  else if(tlsGetHashAlgo(TLS_HASH_ALGO_SHA512) != NULL)
248  {
249  //Select SHA-512 hash algorithm
250  context->signAlgo = cert->signAlgo;
251  context->signHashAlgo = TLS_HASH_ALGO_SHA512;
252  }
253  else
254  {
255  //Just for sanity
256  }
257  }
258  }
259  }
260  else
261 #endif
262 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
263  //RSA-PSS certificate?
264  if(cert->type == TLS_CERT_RSA_PSS_SIGN)
265  {
266  //TLS 1.2 and TLS 1.3 support RSASSA-PSS signature schemes
267  if(context->version >= TLS_VERSION_1_2)
268  {
269  //Check whether the peer has provided a list of supported hash/signature
270  //algorithm pairs
271  if(supportedSignAlgos != NULL)
272  {
273  TlsHashAlgo hashAlgoId;
274 
275  //Process the list and select the relevant signature algorithm
276  p = supportedSignAlgos->value;
277  //Get the number of hash/signature algorithm pairs present in the list
278  n = ntohs(supportedSignAlgos->length) / sizeof(TlsSignHashAlgo);
279 
280  //The hash algorithm to be used when generating signatures must be
281  //one of those present in the list
282  for(i = 0; i < n; i++)
283  {
284  //The hashing is intrinsic to the signature algorithm
285  if(p[i].hash == TLS_HASH_ALGO_INTRINSIC)
286  {
287  //Check signature scheme
289  hashAlgoId = TLS_HASH_ALGO_SHA256;
291  hashAlgoId = TLS_HASH_ALGO_SHA384;
293  hashAlgoId = TLS_HASH_ALGO_SHA512;
294  else
295  hashAlgoId = TLS_HASH_ALGO_NONE;
296 
297  //Check whether the hash algorithm is supported
298  if(tlsGetHashAlgo(hashAlgoId) != NULL)
299  {
300  //Acceptable hash algorithm found
301  context->signAlgo = (TlsSignatureAlgo) p[i].signature;
302  context->signHashAlgo = (TlsHashAlgo) p[i].hash;
303  break;
304  }
305  }
306  }
307  }
308  }
309  }
310  else
311 #endif
312 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
313  //EdDSA certificate?
314  if(cert->type == TLS_CERT_ED25519_SIGN ||
315  cert->type == TLS_CERT_ED448_SIGN)
316  {
317  //TLS 1.2 or TLS 1.3 currently selected?
318  if((context->version >= TLS_VERSION_1_2 &&
319  context->entity == TLS_CONNECTION_END_SERVER) ||
320  (context->version >= TLS_VERSION_1_3 &&
321  context->entity == TLS_CONNECTION_END_CLIENT))
322  {
323  //Ed25519 and Ed448 are used in PureEdDSA mode, without pre-hashing
324  context->signAlgo = cert->signAlgo;
325  context->signHashAlgo = TLS_HASH_ALGO_INTRINSIC;
326  }
327  }
328  else
329 #endif
330  //Unsupported signature algorithm?
331  {
332  //Just for sanity
333  }
334 
335  //If no acceptable choices are presented, return an error
336  if(context->signAlgo != TLS_SIGN_ALGO_ANONYMOUS &&
337  context->signHashAlgo != TLS_HASH_ALGO_NONE)
338  {
339  error = NO_ERROR;
340  }
341 
342  //Return status code
343  return error;
344 }
345 
346 
347 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
348 
349 /**
350  * @brief Digital signature generation(SSL 3.0, TLS 1.0 or TLS 1.1)
351  * @param[in] context Pointer to the TLS context
352  * @param[out] p Buffer where to store the digitally-signed element
353  * @param[out] length Length of the digitally-signed element
354  * @return Error code
355  **/
356 
358  size_t *length)
359 {
360  error_t error;
361  size_t n;
363 
364  //The digitally-signed element does not convey the signature algorithm
365  //to use, and hence implementations need to inspect the certificate to
366  //find out the signature algorithm to use
368 
369 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
370  //RSA certificate?
371  if(context->cert->type == TLS_CERT_RSA_SIGN)
372  {
373  RsaPrivateKey privateKey;
374 
375  //Initialize RSA private key
376  rsaInitPrivateKey(&privateKey);
377 
378  //Digest all the handshake messages starting at ClientHello using MD5
379  error = tlsFinalizeTranscriptHash(context, MD5_HASH_ALGO,
380  context->handshakeMd5Context, "", context->clientVerifyData);
381 
382  //Check status code
383  if(!error)
384  {
385  //Digest all the handshake messages starting at ClientHello using SHA-1
386  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
387  context->handshakeSha1Context, "",
388  context->clientVerifyData + MD5_DIGEST_SIZE);
389  }
390 
391  //Check status code
392  if(!error)
393  {
394  //Decode the PEM structure that holds the RSA private key
395  error = pemImportRsaPrivateKey(context->cert->privateKey,
396  context->cert->privateKeyLen, &privateKey);
397  }
398 
399  //Check status code
400  if(!error)
401  {
402  //Generate a RSA signature using the client's private key
403  error = tlsGenerateRsaSignature(&privateKey,
404  context->clientVerifyData, signature->value, &n);
405  }
406 
407  //Release previously allocated resources
408  rsaFreePrivateKey(&privateKey);
409  }
410  else
411 #endif
412 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
413  //DSA certificate?
414  if(context->cert->type == TLS_CERT_DSS_SIGN)
415  {
416  //Digest all the handshake messages starting at ClientHello
417  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
418  context->handshakeSha1Context, "", context->clientVerifyData);
419 
420  //Check status code
421  if(!error)
422  {
423  //Generate a DSA signature using the client's private key
424  error = tlsGenerateDsaSignature(context, context->clientVerifyData,
425  SHA1_DIGEST_SIZE, signature->value, &n);
426  }
427  }
428  else
429 #endif
430 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
431  //ECDSA certificate?
432  if(context->cert->type == TLS_CERT_ECDSA_SIGN)
433  {
434  //Digest all the handshake messages starting at ClientHello
435  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
436  context->handshakeSha1Context, "", context->clientVerifyData);
437 
438  //Check status code
439  if(!error)
440  {
441  //Generate an ECDSA signature using the client's private key
442  error = tlsGenerateEcdsaSignature(context, context->clientVerifyData,
443  SHA1_DIGEST_SIZE, signature->value, &n);
444  }
445  }
446  else
447 #endif
448  //Invalid certificate?
449  {
450  //Report an error
452  }
453 
454  //Check status code
455  if(!error)
456  {
457  //The signature is preceded by a 2-byte length field
458  signature->length = htons(n);
459  //Total length of the digitally-signed element
460  *length = sizeof(TlsDigitalSignature) + n;
461  }
462 
463  //Return status code
464  return error;
465 }
466 
467 
468 /**
469  * @brief Digital signature verification (SSL 3.0, TLS 1.0 and TLS 1.1)
470  * @param[in] context Pointer to the TLS context
471  * @param[in] p Pointer to the digitally-signed element to be verified
472  * @param[in] length Length of the digitally-signed element
473  * @return Error code
474  **/
475 
476 error_t tlsVerifySignature(TlsContext *context, const uint8_t *p,
477  size_t length)
478 {
479  error_t error;
481 
482  //The digitally-signed element does not convey the signature algorithm
483  //to use, and hence implementations need to inspect the certificate to
484  //find out the signature algorithm to use
486 
487  //Check the length of the digitally-signed element
488  if(length < sizeof(TlsDigitalSignature))
489  return ERROR_DECODING_FAILED;
490  if(length != (sizeof(TlsDigitalSignature) + ntohs(signature->length)))
491  return ERROR_DECODING_FAILED;
492 
493 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
494  //RSA certificate?
495  if(context->peerCertType == TLS_CERT_RSA_SIGN)
496  {
497  //Digest all the handshake messages starting at ClientHello using MD5
498  error = tlsFinalizeTranscriptHash(context, MD5_HASH_ALGO,
499  context->handshakeMd5Context, "", context->clientVerifyData);
500 
501  //Check status code
502  if(!error)
503  {
504  //Digest all the handshake messages starting at ClientHello using SHA-1
505  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
506  context->handshakeSha1Context, "",
507  context->clientVerifyData + MD5_DIGEST_SIZE);
508  }
509 
510  //Check status code
511  if(!error)
512  {
513  //Verify RSA signature using client's public key
514  error = tlsVerifyRsaSignature(&context->peerRsaPublicKey,
515  context->clientVerifyData, signature->value,
516  ntohs(signature->length));
517  }
518  }
519  else
520 #endif
521 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
522  //DSA certificate?
523  if(context->peerCertType == TLS_CERT_DSS_SIGN)
524  {
525  //Digest all the handshake messages starting at ClientHello
526  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
527  context->handshakeSha1Context, "", context->clientVerifyData);
528 
529  //Check status code
530  if(!error)
531  {
532  //Verify DSA signature using client's public key
533  error = tlsVerifyDsaSignature(context, context->clientVerifyData,
534  SHA1_DIGEST_SIZE, signature->value, ntohs(signature->length));
535  }
536  }
537  else
538 #endif
539 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
540  //ECDSA certificate?
541  if(context->peerCertType == TLS_CERT_ECDSA_SIGN)
542  {
543  //Digest all the handshake messages starting at ClientHello
544  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
545  context->handshakeSha1Context, "", context->clientVerifyData);
546 
547  //Check status code
548  if(!error)
549  {
550  //Verify ECDSA signature using client's public key
551  error = tlsVerifyEcdsaSignature(context, context->clientVerifyData,
552  SHA1_DIGEST_SIZE, signature->value, ntohs(signature->length));
553  }
554  }
555  else
556 #endif
557  //Invalid signature algorithm?
558  {
559  //Report an error
560  error = ERROR_INVALID_SIGNATURE;
561  }
562 
563  //Return status code
564  return error;
565 }
566 
567 #endif
568 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
569 
570 /**
571  * @brief Digital signature generation(TLS 1.2)
572  * @param[in] context Pointer to the TLS context
573  * @param[out] p Buffer where to store the digitally-signed element
574  * @param[out] length Length of the digitally-signed element
575  * @return Error code
576  **/
577 
579  size_t *length)
580 {
581  error_t error;
582  size_t n;
584  const HashAlgo *hashAlgo;
585 
586  //Point to the digitally-signed element
588 
589  //Retrieve the hash algorithm used for signing
590  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
591  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
592  {
593  //The hashing is intrinsic to the signature algorithm
595  }
596  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
597  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
598  {
599  //The hashing is intrinsic to the signature algorithm
601  }
602  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
603  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
604  {
605  //The hashing is intrinsic to the signature algorithm
607  }
608  else
609  {
610  //Select the relevant hash algorithm
611  hashAlgo = tlsGetHashAlgo(context->signHashAlgo);
612  }
613 
614  //Digest all the handshake messages starting at ClientHello
615  if(hashAlgo == SHA1_HASH_ALGO)
616  {
617  //Use SHA-1 hash algorithm
618  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
619  context->handshakeSha1Context, "", context->clientVerifyData);
620  }
621  else if(hashAlgo == context->cipherSuite.prfHashAlgo)
622  {
623  //Use PRF hash algorithm (SHA-256 or SHA-384)
624  error = tlsFinalizeTranscriptHash(context, hashAlgo,
625  context->handshakeHashContext, "", context->clientVerifyData);
626  }
627  else
628  {
629  //The specified hash algorithm is not supported
631  }
632 
633  //Handshake message hash successfully computed?
634  if(!error)
635  {
636 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
637  //RSASSA-PKCS1-v1_5 signature scheme?
638  if(context->signAlgo == TLS_SIGN_ALGO_RSA)
639  {
640  RsaPrivateKey privateKey;
641 
642  //Initialize RSA private key
643  rsaInitPrivateKey(&privateKey);
644 
645  //Set the relevant signature algorithm
646  signature->algorithm.signature = TLS_SIGN_ALGO_RSA;
647  signature->algorithm.hash = context->signHashAlgo;
648 
649  //Decode the PEM structure that holds the RSA private key
650  error = pemImportRsaPrivateKey(context->cert->privateKey,
651  context->cert->privateKeyLen, &privateKey);
652 
653  //Check status code
654  if(!error)
655  {
656  //Generate RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
657  error = rsassaPkcs1v15Sign(&privateKey, hashAlgo,
658  context->clientVerifyData, signature->value, &n);
659  }
660 
661  //Release previously allocated resources
662  rsaFreePrivateKey(&privateKey);
663  }
664  else
665 #endif
666 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
667  //RSASSA-PSS signature scheme?
668  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
669  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
670  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
671  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
672  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
673  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
674  {
675  RsaPrivateKey privateKey;
676 
677  //Initialize RSA private key
678  rsaInitPrivateKey(&privateKey);
679 
680  //Set the relevant signature algorithm
681  signature->algorithm.signature = context->signAlgo;
682  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
683 
684  //Decode the PEM structure that holds the RSA private key
685  error = pemImportRsaPrivateKey(context->cert->privateKey,
686  context->cert->privateKeyLen, &privateKey);
687 
688  //Check status code
689  if(!error)
690  {
691  //Generate RSA signature (RSASSA-PSS signature scheme)
692  error = rsassaPssSign(context->prngAlgo, context->prngContext,
693  &privateKey, hashAlgo, hashAlgo->digestSize,
694  context->clientVerifyData, signature->value, &n);
695  }
696 
697  //Release previously allocated resources
698  rsaFreePrivateKey(&privateKey);
699  }
700  else
701 #endif
702 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
703  //DSA signature scheme?
704  if(context->signAlgo == TLS_SIGN_ALGO_DSA)
705  {
706  //Set the relevant signature algorithm
707  signature->algorithm.signature = TLS_SIGN_ALGO_DSA;
708  signature->algorithm.hash = context->signHashAlgo;
709 
710  //Generate a DSA signature using the client's private key
711  error = tlsGenerateDsaSignature(context, context->clientVerifyData,
712  hashAlgo->digestSize, signature->value, &n);
713  }
714  else
715 #endif
716 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
717  //ECDSA signature scheme?
718  if(context->signAlgo == TLS_SIGN_ALGO_ECDSA)
719  {
720  //Set the relevant signature algorithm
721  signature->algorithm.signature = TLS_SIGN_ALGO_ECDSA;
722  signature->algorithm.hash = context->signHashAlgo;
723 
724  //Generate an ECDSA signature using the client's private key
725  error = tlsGenerateEcdsaSignature(context, context->clientVerifyData,
726  hashAlgo->digestSize, signature->value, &n);
727  }
728  else
729 #endif
730  //Invalid signature scheme?
731  {
732  //Report an error
734  }
735  }
736 
737  //Check status code
738  if(!error)
739  {
740  //The signature is preceded by a 2-byte length field
741  signature->length = htons(n);
742  //Total length of the digitally-signed element
743  *length = sizeof(Tls12DigitalSignature) + n;
744  }
745 
746  //Return status code
747  return error;
748 }
749 
750 
751 /**
752  * @brief Digital signature verification (TLS 1.2)
753  * @param[in] context Pointer to the TLS context
754  * @param[in] p Pointer to the digitally-signed element to be verified
755  * @param[in] length Length of the digitally-signed element
756  * @return Error code
757  **/
758 
759 error_t tls12VerifySignature(TlsContext *context, const uint8_t *p,
760  size_t length)
761 {
762  error_t error;
764  const HashAlgo *hashAlgo;
765 
766  //Point to the digitally-signed element
768 
769  //Check the length of the digitally-signed element
770  if(length < sizeof(Tls12DigitalSignature))
771  return ERROR_DECODING_FAILED;
772  if(length != (sizeof(Tls12DigitalSignature) + ntohs(signature->length)))
773  return ERROR_DECODING_FAILED;
774 
775  //Retrieve the hash algorithm used for signing
776  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
777  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
778  {
779  //The hashing is intrinsic to the signature algorithm
780  if(signature->algorithm.hash == TLS_HASH_ALGO_INTRINSIC)
782  else
783  hashAlgo = NULL;
784  }
785  else if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
786  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
787  {
788  //The hashing is intrinsic to the signature algorithm
789  if(signature->algorithm.hash == TLS_HASH_ALGO_INTRINSIC)
791  else
792  hashAlgo = NULL;
793  }
794  else if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
795  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
796  {
797  //The hashing is intrinsic to the signature algorithm
798  if(signature->algorithm.hash == TLS_HASH_ALGO_INTRINSIC)
800  else
801  hashAlgo = NULL;
802  }
803  else
804  {
805  //This field indicates the hash algorithm that is used
806  hashAlgo = tlsGetHashAlgo(signature->algorithm.hash);
807  }
808 
809  //Digest all the handshake messages starting at ClientHello
810  if(hashAlgo == SHA1_HASH_ALGO)
811  {
812  //Use SHA-1 hash algorithm
813  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
814  context->handshakeSha1Context, "", context->clientVerifyData);
815  }
816  else if(hashAlgo == context->cipherSuite.prfHashAlgo)
817  {
818  //Use PRF hash algorithm (SHA-256 or SHA-384)
819  error = tlsFinalizeTranscriptHash(context, hashAlgo,
820  context->handshakeHashContext, "", context->clientVerifyData);
821  }
822  else
823  {
824  //The specified hash algorithm is not supported
825  error = ERROR_INVALID_SIGNATURE;
826  }
827 
828  //Check status code
829  if(!error)
830  {
831 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
832  //RSASSA-PKCS1-v1_5 signature scheme?
833  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA &&
834  context->peerCertType == TLS_CERT_RSA_SIGN)
835  {
836  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
837  error = rsassaPkcs1v15Verify(&context->peerRsaPublicKey,
838  hashAlgo, context->clientVerifyData, signature->value,
839  ntohs(signature->length));
840  }
841  else
842 #endif
843 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
844  //RSASSA-PSS signature scheme (with public key OID rsaEncryption)?
845  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
846  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
847  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512)
848  {
849  //Enforce the type of the certificate provided by the peer
850  if(context->peerCertType == TLS_CERT_RSA_SIGN)
851  {
852  //Verify RSA signature (RSASSA-PSS signature scheme)
853  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,
854  hashAlgo->digestSize, context->clientVerifyData,
855  signature->value, ntohs(signature->length));
856  }
857  else
858  {
859  //Invalid certificate
860  error = ERROR_INVALID_SIGNATURE;
861  }
862  }
863  else
864 #endif
865 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
866  //RSASSA-PSS signature scheme (with public key OID RSASSA-PSS)?
867  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
868  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
869  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
870  {
871  //Enforce the type of the certificate provided by the peer
872  if(context->peerCertType == TLS_CERT_RSA_PSS_SIGN)
873  {
874  //Verify RSA signature (RSASSA-PSS signature scheme)
875  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,
876  hashAlgo->digestSize, context->clientVerifyData,
877  signature->value, ntohs(signature->length));
878  }
879  else
880  {
881  //Invalid certificate
882  error = ERROR_INVALID_SIGNATURE;
883  }
884  }
885  else
886 #endif
887 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
888  //DSA signature scheme?
889  if(signature->algorithm.signature == TLS_SIGN_ALGO_DSA &&
890  context->peerCertType == TLS_CERT_DSS_SIGN)
891  {
892  //Verify DSA signature using client's public key
893  error = tlsVerifyDsaSignature(context, context->clientVerifyData,
894  hashAlgo->digestSize, signature->value, ntohs(signature->length));
895  }
896  else
897 #endif
898 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
899  //ECDSA signature scheme?
900  if(signature->algorithm.signature == TLS_SIGN_ALGO_ECDSA &&
901  context->peerCertType == TLS_CERT_ECDSA_SIGN)
902  {
903  //Verify ECDSA signature using client's public key
904  error = tlsVerifyEcdsaSignature(context, context->clientVerifyData,
905  hashAlgo->digestSize, signature->value, ntohs(signature->length));
906  }
907  else
908 #endif
909  //Invalid signature scheme?
910  {
911  //Report an error
912  error = ERROR_INVALID_SIGNATURE;
913  }
914  }
915 
916  //Return status code
917  return error;
918 }
919 
920 #endif
921 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
922 
923 /**
924  * @brief Generate RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
925  * @param[in] key Signer's RSA private key
926  * @param[in] digest Digest of the message to be signed
927  * @param[out] signature Resulting signature
928  * @param[out] signatureLen Length of the resulting signature
929  * @return Error code
930  **/
931 
933  const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
934 {
935 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
936  error_t error;
937  size_t k;
938  size_t paddingLen;
939  uint8_t *em;
940  Mpi m;
941  Mpi s;
942 
943  //Debug message
944  TRACE_DEBUG("RSA signature generation...\r\n");
945  TRACE_DEBUG(" Modulus:\r\n");
946  TRACE_DEBUG_MPI(" ", &key->n);
947  TRACE_DEBUG(" Public exponent:\r\n");
948  TRACE_DEBUG_MPI(" ", &key->e);
949  TRACE_DEBUG(" Private exponent:\r\n");
950  TRACE_DEBUG_MPI(" ", &key->d);
951  TRACE_DEBUG(" Prime 1:\r\n");
952  TRACE_DEBUG_MPI(" ", &key->p);
953  TRACE_DEBUG(" Prime 2:\r\n");
954  TRACE_DEBUG_MPI(" ", &key->q);
955  TRACE_DEBUG(" Prime exponent 1:\r\n");
956  TRACE_DEBUG_MPI(" ", &key->dp);
957  TRACE_DEBUG(" Prime exponent 2:\r\n");
958  TRACE_DEBUG_MPI(" ", &key->dq);
959  TRACE_DEBUG(" Coefficient:\r\n");
960  TRACE_DEBUG_MPI(" ", &key->qinv);
961  TRACE_DEBUG(" Message digest:\r\n");
963 
964  //Initialize multiple-precision integers
965  mpiInit(&m);
966  mpiInit(&s);
967 
968  //Get the length in octets of the modulus n
969  k = mpiGetByteLength(&key->n);
970 
971  //Check the length of the modulus
972  if(k < (MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE + 11))
973  return ERROR_INVALID_KEY;
974 
975  //Point to the buffer where the encoded message EM will be generated
976  em = signature;
977 
978  //The leading 0x00 octet ensures that the encoded message,
979  //converted to an integer, is less than the modulus
980  em[0] = 0x00;
981  //Block type 0x01 is used for private-key operations
982  em[1] = 0x01;
983 
984  //Compute the length of the padding string PS
985  paddingLen = k - (MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE + 3);
986  //Fill the padding string with 0xFF
987  memset(em + 2, 0xFF, paddingLen);
988  //Append a 0x00 octet to PS
989  em[paddingLen + 2] = 0x00;
990 
991  //Append the digest value
992  memcpy(em + paddingLen + 3, digest, MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE);
993 
994  //Debug message
995  TRACE_DEBUG(" Encoded message\r\n");
996  TRACE_DEBUG_ARRAY(" ", em, k);
997 
998  //Start of exception handling block
999  do
1000  {
1001  //Convert the encoded message EM to an integer message representative m
1002  error = mpiImport(&m, em, k, MPI_FORMAT_BIG_ENDIAN);
1003  //Conversion failed?
1004  if(error)
1005  break;
1006 
1007  //Apply the RSASP1 signature primitive
1008  error = rsasp1(key, &m, &s);
1009  //Any error to report?
1010  if(error)
1011  break;
1012 
1013  //Convert the signature representative s to a signature of length k octets
1014  error = mpiExport(&s, signature, k, MPI_FORMAT_BIG_ENDIAN);
1015  //Conversion failed?
1016  if(error)
1017  break;
1018 
1019  //Length of the resulting signature
1020  *signatureLen = k;
1021 
1022  //Debug message
1023  TRACE_DEBUG(" Signature:\r\n");
1024  TRACE_DEBUG_ARRAY(" ", signature, *signatureLen);
1025 
1026  //End of exception handling block
1027  } while(0);
1028 
1029  //Free previously allocated memory
1030  mpiFree(&m);
1031  mpiFree(&s);
1032 
1033  //Return status code
1034  return error;
1035 #else
1036  //RSA signature generation is not supported
1037  return ERROR_NOT_IMPLEMENTED;
1038 #endif
1039 }
1040 
1041 
1042 /**
1043  * @brief Verify RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
1044  * @param[in] key Signer's RSA public key
1045  * @param[in] digest Digest of the message whose signature is to be verified
1046  * @param[in] signature Signature to be verified
1047  * @param[in] signatureLen Length of the signature to be verified
1048  * @return Error code
1049  **/
1050 
1052  const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
1053 {
1054 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
1055  error_t error;
1056  uint_t i;
1057  uint_t k;
1058  uint8_t *em;
1059  Mpi s;
1060  Mpi m;
1061 
1062  //Debug message
1063  TRACE_DEBUG("RSA signature verification...\r\n");
1064  TRACE_DEBUG(" Modulus:\r\n");
1065  TRACE_DEBUG_MPI(" ", &key->n);
1066  TRACE_DEBUG(" Public exponent:\r\n");
1067  TRACE_DEBUG_MPI(" ", &key->e);
1068  TRACE_DEBUG(" Message digest:\r\n");
1070  TRACE_DEBUG(" Signature:\r\n");
1071  TRACE_DEBUG_ARRAY(" ", signature, signatureLen);
1072 
1073  //Get the length in octets of the modulus n
1074  k = mpiGetByteLength(&key->n);
1075 
1076  //Check the length of the signature
1077  if(signatureLen != k)
1078  return ERROR_INVALID_SIGNATURE;
1079 
1080  //Initialize multiple-precision integers
1081  mpiInit(&s);
1082  mpiInit(&m);
1083 
1084  //Allocate a memory buffer to hold the encoded message
1085  em = tlsAllocMem(k);
1086  //Failed to allocate memory?
1087  if(em == NULL)
1088  return ERROR_OUT_OF_MEMORY;
1089 
1090  //Start of exception handling block
1091  do
1092  {
1093  //Convert the signature to an integer signature representative s
1094  error = mpiImport(&s, signature, signatureLen, MPI_FORMAT_BIG_ENDIAN);
1095  //Conversion failed?
1096  if(error)
1097  break;
1098 
1099  //Apply the RSAVP1 verification primitive
1100  error = rsavp1(key, &s, &m);
1101  //Any error to report?
1102  if(error)
1103  break;
1104 
1105  //Convert the message representative m to an encoded message EM of
1106  //length k octets
1107  error = mpiExport(&m, em, k, MPI_FORMAT_BIG_ENDIAN);
1108  //Conversion failed?
1109  if(error)
1110  break;
1111 
1112  //Debug message
1113  TRACE_DEBUG(" Encoded message\r\n");
1114  TRACE_DEBUG_ARRAY(" ", em, k);
1115 
1116  //Assume an error...
1117  error = ERROR_INVALID_SIGNATURE;
1118 
1119  //The first octet of EM must have a value of 0x00
1120  if(em[0] != 0x00)
1121  break;
1122  //The block type BT shall be 0x01
1123  if(em[1] != 0x01)
1124  break;
1125 
1126  //Check the padding string PS
1127  for(i = 2; i < k; i++)
1128  {
1129  //A 0x00 octet indicates the end of the padding string
1130  if(em[i] == 0x00)
1131  break;
1132 
1133  //Each byte of PS must be set to 0xFF when the block type is 0x01
1134  if(em[i] != 0xFF)
1135  break;
1136  }
1137 
1138  //Check whether the padding string is properly terminated
1139  if(i >= k || em[i] != 0x00)
1140  break;
1141 
1142  //The length of PS cannot be less than 8 octets
1143  if(i < 10)
1144  break;
1145 
1146  //Check the length of the digest
1147  if((k - i - 1) != (MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE))
1148  break;
1149  //Check the digest value
1150  if(memcmp(digest, em + i + 1, MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE))
1151  break;
1152 
1153  //The RSA signature is valid
1154  error = NO_ERROR;
1155 
1156  //End of exception handling block
1157  } while(0);
1158 
1159  //Release multiple precision integers
1160  mpiFree(&s);
1161  mpiFree(&m);
1162  //Release previously allocated memory
1163  tlsFreeMem(em);
1164 
1165  //Return status code
1166  return error;
1167 #else
1168  //RSA signature verification is not supported
1169  return ERROR_NOT_IMPLEMENTED;
1170 #endif
1171 }
1172 
1173 #endif
1174 
1175 
1176 /**
1177  * @brief Generate DSA signature
1178  * @param[in] context Pointer to the TLS context
1179  * @param[in] digest Digest of the message to be signed
1180  * @param[in] digestLen Length in octets of the digest
1181  * @param[out] signature Resulting signature
1182  * @param[out] signatureLen Length of the resulting signature
1183  * @return Error code
1184  **/
1185 
1186 error_t tlsGenerateDsaSignature(TlsContext *context, const uint8_t *digest,
1187  size_t digestLen, uint8_t *signature, size_t *signatureLen)
1188 {
1189 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1190  error_t error;
1191  DsaPrivateKey privateKey;
1192  DsaSignature dsaSignature;
1193 
1194  //Initialize DSA private key
1195  dsaInitPrivateKey(&privateKey);
1196  //Initialize DSA signature
1197  dsaInitSignature(&dsaSignature);
1198 
1199  //Decode the PEM structure that holds the DSA private key
1200  error = pemImportDsaPrivateKey(context->cert->privateKey,
1201  context->cert->privateKeyLen, &privateKey);
1202 
1203  //Check status code
1204  if(!error)
1205  {
1206  //Generate DSA signature
1207  error = dsaGenerateSignature(context->prngAlgo, context->prngContext,
1208  &privateKey, digest, digestLen, &dsaSignature);
1209  }
1210 
1211  //Check status code
1212  if(!error)
1213  {
1214  //Encode the resulting (R, S) integer pair using ASN.1
1215  error = dsaWriteSignature(&dsaSignature, signature, signatureLen);
1216  }
1217 
1218  //Free previously allocated resources
1219  dsaFreePrivateKey(&privateKey);
1220  dsaFreeSignature(&dsaSignature);
1221 
1222  //Return status code
1223  return error;
1224 #else
1225  //DSA signature generation is not supported
1226  return ERROR_NOT_IMPLEMENTED;
1227 #endif
1228 }
1229 
1230 
1231 /**
1232  * @brief Verify DSA signature
1233  * @param[in] context Pointer to the TLS context
1234  * @param[in] digest Digest of the message whose signature is to be verified
1235  * @param[in] digestLen Length in octets of the digest
1236  * @param[in] signature Signature to be verified
1237  * @param[in] signatureLen Length of the signature to be verified
1238  * @return Error code
1239  **/
1240 
1241 error_t tlsVerifyDsaSignature(TlsContext *context, const uint8_t *digest,
1242  size_t digestLen, const uint8_t *signature, size_t signatureLen)
1243 {
1244 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1245  error_t error;
1246  DsaSignature dsaSignature;
1247 
1248  //Initialize DSA signature
1249  dsaInitSignature(&dsaSignature);
1250 
1251  //Read the ASN.1 encoded DSA signature
1252  error = dsaReadSignature(signature, signatureLen, &dsaSignature);
1253 
1254  //Check status code
1255  if(!error)
1256  {
1257  //DSA signature verification
1258  error = dsaVerifySignature(&context->peerDsaPublicKey,
1259  digest, digestLen, &dsaSignature);
1260  }
1261 
1262  //Free previously allocated resources
1263  dsaFreeSignature(&dsaSignature);
1264 
1265  //Return status code
1266  return error;
1267 #else
1268  //DSA signature verification is not supported
1269  return ERROR_NOT_IMPLEMENTED;
1270 #endif
1271 }
1272 
1273 
1274 /**
1275  * @brief Generate ECDSA signature
1276  * @param[in] context Pointer to the TLS context
1277  * @param[in] digest Digest of the message to be signed
1278  * @param[in] digestLen Length in octets of the digest
1279  * @param[out] signature Resulting signature
1280  * @param[out] signatureLen Length of the resulting signature
1281  * @return Error code
1282  **/
1283 
1284 error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest,
1285  size_t digestLen, uint8_t *signature, size_t *signatureLen)
1286 {
1287 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1288  error_t error;
1289  EcdsaSignature ecdsaSignature;
1290 
1291  //Initialize ECDSA signature
1292  ecdsaInitSignature(&ecdsaSignature);
1293 
1294 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
1295  //Any registered callback?
1296  if(context->ecdsaSignCallback != NULL)
1297  {
1298  //Invoke user callback function
1299  error = context->ecdsaSignCallback(context, digest, digestLen,
1300  &ecdsaSignature);
1301  }
1302  else
1303 #endif
1304  {
1305  EcDomainParameters params;
1306  Mpi privateKey;
1307 
1308  //Initialize EC domain parameters
1309  ecInitDomainParameters(&params);
1310  //Initialize EC private key
1311  mpiInit(&privateKey);
1312 
1313  //Decode the PEM structure that holds the EC domain parameters
1314  error = pemImportEcParameters(context->cert->privateKey,
1315  context->cert->privateKeyLen, &params);
1316 
1317  //Check status code
1318  if(!error)
1319  {
1320  //Decode the PEM structure that holds the EC private key
1321  error = pemImportEcPrivateKey(context->cert->privateKey,
1322  context->cert->privateKeyLen, &privateKey);
1323  }
1324 
1325  //Check status code
1326  if(!error)
1327  {
1328  //Generate ECDSA signature
1329  error = ecdsaGenerateSignature(&params, context->prngAlgo,
1330  context->prngContext, &privateKey, digest, digestLen,
1331  &ecdsaSignature);
1332  }
1333 
1334  //Release previously allocated resources
1335  ecFreeDomainParameters(&params);
1336  mpiFree(&privateKey);
1337  }
1338 
1339  //Check status code
1340  if(!error)
1341  {
1342  //Encode the resulting (R, S) integer pair using ASN.1
1343  error = ecdsaWriteSignature(&ecdsaSignature, signature, signatureLen);
1344  }
1345 
1346  //Release previously allocated resources
1347  ecdsaFreeSignature(&ecdsaSignature);
1348 
1349  //Return status code
1350  return error;
1351 #else
1352  //ECDSA signature generation is not supported
1353  return ERROR_NOT_IMPLEMENTED;
1354 #endif
1355 }
1356 
1357 
1358 /**
1359  * @brief Verify ECDSA signature
1360  * @param[in] context Pointer to the TLS context
1361  * @param[in] digest Digest of the message whose signature is to be verified
1362  * @param[in] digestLen Length in octets of the digest
1363  * @param[in] signature Signature to be verified
1364  * @param[in] signatureLen Length of the signature to be verified
1365  * @return Error code
1366  **/
1367 
1368 error_t tlsVerifyEcdsaSignature(TlsContext *context, const uint8_t *digest,
1369  size_t digestLen, const uint8_t *signature, size_t signatureLen)
1370 {
1371 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1372  error_t error;
1373  EcdsaSignature ecdsaSignature;
1374 
1375  //Initialize ECDSA signature
1376  ecdsaInitSignature(&ecdsaSignature);
1377 
1378  //Read the ASN.1 encoded ECDSA signature
1379  error = ecdsaReadSignature(signature, signatureLen, &ecdsaSignature);
1380 
1381  //Check status code
1382  if(!error)
1383  {
1384 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
1385  //Any registered callback?
1386  if(context->ecdsaVerifyCallback != NULL)
1387  {
1388  //Invoke user callback function
1389  error = context->ecdsaVerifyCallback(context, digest, digestLen,
1390  &ecdsaSignature);
1391  }
1392  else
1393 #endif
1394  {
1395  //No callback function defined
1397  }
1398 
1399  //Check status code
1400  if(error == ERROR_UNSUPPORTED_ELLIPTIC_CURVE ||
1401  error == ERROR_UNSUPPORTED_HASH_ALGO)
1402  {
1403  //ECDSA signature verification
1404  error = ecdsaVerifySignature(&context->peerEcParams,
1405  &context->peerEcPublicKey, digest, digestLen, &ecdsaSignature);
1406  }
1407  }
1408 
1409  //Free previously allocated resources
1410  ecdsaFreeSignature(&ecdsaSignature);
1411 
1412  //Return status code
1413  return error;
1414 #else
1415  //ECDSA signature verification is not supported
1416  return ERROR_NOT_IMPLEMENTED;
1417 #endif
1418 }
1419 
1420 
1421 /**
1422  * @brief Generate EdDSA signature
1423  * @param[in] context Pointer to the TLS context
1424  * @param[in] message Pointer to the message to be signed
1425  * @param[in] messageLen Length of the message, in bytes
1426  * @param[out] signature Resulting signature
1427  * @param[out] signatureLen Length of the resulting signature
1428  * @return Error code
1429  **/
1430 
1432  size_t messageLen, uint8_t *signature, size_t *signatureLen)
1433 {
1434 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1435  error_t error;
1436 
1437 #if (TLS_ED25519_SUPPORT == ENABLED)
1438  //Ed25519 elliptic curve?
1439  if(context->cert->type == TLS_CERT_ED25519_SIGN)
1440  {
1441  EddsaPrivateKey privateKey;
1442 
1443  //Initialize EdDSA private key
1444  eddsaInitPrivateKey(&privateKey);
1445 
1446  //Decode the PEM structure that holds the EdDSA private key
1447  error = pemImportEddsaPrivateKey(context->cert->privateKey,
1448  context->cert->privateKeyLen, &privateKey);
1449 
1450  //Check the length of the EdDSA private key
1451  if(mpiGetByteLength(&privateKey.d) == ED25519_PRIVATE_KEY_LEN)
1452  {
1453  uint8_t d[ED25519_PRIVATE_KEY_LEN];
1454 
1455  //Retrieve private key
1456  error = mpiExport(&privateKey.d, d, ED25519_PRIVATE_KEY_LEN,
1458 
1459  //Check status code
1460  if(!error)
1461  {
1462  //Generate Ed25519 signature (PureEdDSA mode)
1463  error = ed25519GenerateSignature(d, NULL, message, messageLen,
1464  NULL, 0, 0, signature);
1465  }
1466 
1467  //Length of the resulting EdDSA signature
1468  *signatureLen = ED25519_SIGNATURE_LEN;
1469  }
1470  else
1471  {
1472  //The length of the EdDSA private key is not valid
1473  error = ERROR_INVALID_KEY;
1474  }
1475 
1476  //Free previously allocated resources
1477  eddsaFreePrivateKey(&privateKey);
1478  }
1479  else
1480 #endif
1481 #if (TLS_ED448_SUPPORT == ENABLED)
1482  //Ed448 elliptic curve?
1483  if(context->cert->type == TLS_CERT_ED448_SIGN)
1484  {
1485  EddsaPrivateKey privateKey;
1486 
1487  //Initialize EdDSA private key
1488  eddsaInitPrivateKey(&privateKey);
1489 
1490  //Decode the PEM structure that holds the EdDSA private key
1491  error = pemImportEddsaPrivateKey(context->cert->privateKey,
1492  context->cert->privateKeyLen, &privateKey);
1493 
1494  //Check the length of the EdDSA private key
1495  if(mpiGetByteLength(&privateKey.d) == ED448_PRIVATE_KEY_LEN)
1496  {
1497  uint8_t d[ED448_PRIVATE_KEY_LEN];
1498 
1499  //Retrieve private key
1500  error = mpiExport(&privateKey.d, d, ED448_PRIVATE_KEY_LEN,
1502 
1503  //Check status code
1504  if(!error)
1505  {
1506  //Generate Ed448 signature (PureEdDSA mode)
1507  error = ed448GenerateSignature(d, NULL, message, messageLen,
1508  NULL, 0, 0, signature);
1509  }
1510 
1511  //Length of the resulting EdDSA signature
1512  *signatureLen = ED448_SIGNATURE_LEN;
1513  }
1514  else
1515  {
1516  //The length of the EdDSA private key is not valid
1517  error = ERROR_INVALID_KEY;
1518  }
1519 
1520  //Free previously allocated resources
1521  eddsaFreePrivateKey(&privateKey);
1522  }
1523  else
1524 #endif
1525  //Invalid signature algorithm?
1526  {
1527  //Report an error
1529  }
1530 
1531  //Return status code
1532  return error;
1533 #else
1534  //EdDSA signature generation is not supported
1535  return ERROR_NOT_IMPLEMENTED;
1536 #endif
1537 }
1538 
1539 
1540 /**
1541  * @brief Verify EdDSA signature
1542  * @param[in] context Pointer to the TLS context
1543  * @param[in] message Message whose signature is to be verified
1544  * @param[in] messageLen Length of the message, in bytes
1545  * @param[in] signature Signature to be verified
1546  * @param[in] signatureLen Length of the signature to be verified
1547  * @return Error code
1548  **/
1549 
1551  size_t messageLen, const uint8_t *signature, size_t signatureLen)
1552 {
1553 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1554  error_t error;
1555 
1556 #if (TLS_ED25519_SUPPORT == ENABLED)
1557  //Ed25519 elliptic curve?
1558  if(context->peerEcParams.type == EC_CURVE_TYPE_ED25519)
1559  {
1560  //Check the length of the EdDSA signature
1561  if(signatureLen == ED25519_SIGNATURE_LEN)
1562  {
1563  uint8_t publicKey[ED25519_PUBLIC_KEY_LEN];
1564 
1565  //Get peer's public key
1566  error = mpiExport(&context->peerEcPublicKey.x, publicKey,
1568 
1569  //Check status code
1570  if(!error)
1571  {
1572  //Verify Ed25519 signature (PureEdDSA mode)
1573  error = ed25519VerifySignature(publicKey, message, messageLen,
1574  NULL, 0, 0, signature);
1575  }
1576  }
1577  else
1578  {
1579  //The length of the EdDSA signature is not valid
1580  error = ERROR_INVALID_SIGNATURE;
1581  }
1582  }
1583  else
1584 #endif
1585 #if (TLS_ED448_SUPPORT == ENABLED)
1586  //Ed448 elliptic curve?
1587  if(context->peerEcParams.type == EC_CURVE_TYPE_ED448)
1588  {
1589  //Check the length of the EdDSA signature
1590  if(signatureLen == ED448_SIGNATURE_LEN)
1591  {
1592  uint8_t publicKey[ED448_PUBLIC_KEY_LEN];
1593 
1594  //Get peer's public key
1595  error = mpiExport(&context->peerEcPublicKey.x, publicKey,
1597 
1598  //Check status code
1599  if(!error)
1600  {
1601  //Verify Ed448 signature (PureEdDSA mode)
1602  error = ed448VerifySignature(publicKey, message, messageLen,
1603  NULL, 0, 0, signature);
1604  }
1605  }
1606  else
1607  {
1608  //The length of the EdDSA signature is not valid
1609  error = ERROR_INVALID_SIGNATURE;
1610  }
1611  }
1612  else
1613 #endif
1614  //Invalid signature algorithm?
1615  {
1616  //Report an error
1618  }
1619 
1620  //Return status code
1621  return error;
1622 #else
1623  //EdDSA signature verification is not supported
1624  return ERROR_NOT_IMPLEMENTED;
1625 #endif
1626 }
1627 
1628 #endif
TLS (Transport Layer Security)
#define ED448_PUBLIC_KEY_LEN
Definition: ed448.h:39
error_t tlsVerifyDsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, const uint8_t *signature, size_t signatureLen)
Verify DSA signature.
error_t tlsSelectSignatureScheme(TlsContext *context, const TlsCertDesc *cert, const TlsSignHashAlgos *supportedSignAlgos)
Select the algorithm to be used when generating digital signatures.
Definition: tls_signature.c:58
error_t tlsVerifyEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, const uint8_t *signature, size_t signatureLen)
Verify ECDSA signature.
error_t dsaGenerateSignature(const PrngAlgo *prngAlgo, void *prngContext, const DsaPrivateKey *key, const uint8_t *digest, size_t digestLen, DsaSignature *signature)
DSA signature generation.
Definition: dsa.c:420
void rsaInitPrivateKey(RsaPrivateKey *key)
Initialize a RSA private key.
Definition: rsa.c:126
EC domain parameters.
Definition: ec.h:61
void mpiFree(Mpi *r)
Release a multiple precision integer.
Definition: mpi.c:60
Arbitrary precision integer.
Definition: mpi.h:67
error_t tls12GenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
Digital signature generation(TLS 1.2)
Mpi p
First factor.
Definition: rsa.h:62
#define ED25519_PRIVATE_KEY_LEN
Definition: ed25519.h:37
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
Mpi n
Modulus.
Definition: rsa.h:48
uint8_t hash
Definition: tls.h:1363
TlsHashAlgo
Hash algorithms.
Definition: tls.h:1087
uint8_t p
Definition: ndp.h:295
Mpi d
Private exponent.
Definition: rsa.h:61
uint8_t message[]
Definition: chap.h:150
ECDSA (Elliptic Curve Digital Signature Algorithm)
TlsSignatureAlgo
Signature algorithms.
Definition: tls.h:1104
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:836
error_t pemImportEcPrivateKey(const char_t *input, size_t length, Mpi *key)
Decode a PEM file containing an EC private key.
Definition: pem_import.c:1231
error_t tlsVerifyRsaSignature(const RsaPublicKey *key, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
Verify RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t ed25519GenerateSignature(const uint8_t *privateKey, const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
EdDSA signature generation.
Definition: ed25519.c:183
error_t pemImportEddsaPrivateKey(const char_t *input, size_t length, EddsaPrivateKey *key)
Decode a PEM file containing a EdDSA private key.
Definition: pem_import.c:1485
error_t tlsGenerateRsaSignature(const RsaPrivateKey *key, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
Generate RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t ed448GenerateSignature(const uint8_t *privateKey, const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
EdDSA signature generation.
Definition: ed448.c:168
error_t tlsGenerateDsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate DSA signature.
#define TLS_VERSION_1_3
Definition: tls.h:90
void eddsaFreePrivateKey(EddsaPrivateKey *key)
Release a DSA private key.
Definition: eddsa.c:84
#define htons(value)
Definition: cpu_endian.h:390
#define SHA1_DIGEST_SIZE
Definition: sha1.h:38
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:99
#define ED25519_SIGNATURE_LEN
Definition: ed25519.h:41
error_t ecdsaVerifySignature(const EcDomainParameters *params, const EcPoint *publicKey, const uint8_t *digest, size_t digestLen, const EcdsaSignature *signature)
ECDSA signature verification.
Definition: ecdsa.c:524
Mpi e
Public exponent.
Definition: rsa.h:49
uint8_t m
Definition: ndp.h:299
error_t mpiImport(Mpi *r, const uint8_t *data, uint_t length, MpiFormat format)
Octet string to integer conversion.
Definition: mpi.c:511
error_t pemImportRsaPrivateKey(const char_t *input, size_t length, RsaPrivateKey *key)
Decode a PEM file containing a RSA private key.
Definition: pem_import.c:211
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
error_t rsasp1(const RsaPrivateKey *key, const Mpi *m, Mpi *s)
RSA signature primitive.
Definition: rsa.c:1212
error_t dsaWriteSignature(const DsaSignature *signature, uint8_t *data, size_t *length)
Encode DSA signature using ASN.1.
Definition: dsa.c:164
#define ED448_SIGNATURE_LEN
Definition: ed448.h:41
error_t tlsVerifySignature(TlsContext *context, const uint8_t *p, size_t length)
Digital signature verification (SSL 3.0, TLS 1.0 and TLS 1.1)
#define TRACE_DEBUG_MPI(p, a)
Definition: debug.h:101
Mpi n
Modulus.
Definition: rsa.h:59
Mpi q
Second factor.
Definition: rsa.h:63
void dsaFreePrivateKey(DsaPrivateKey *key)
Release a DSA private key.
Definition: dsa.c:120
error_t rsassaPssSign(const PrngAlgo *prngAlgo, void *prngContext, const RsaPrivateKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PSS signature generation operation.
Definition: rsa.c:884
TLS helper functions.
ECDSA signature.
Definition: ecdsa.h:46
void ecdsaInitSignature(EcdsaSignature *signature)
Initialize an ECDSA signature.
Definition: ecdsa.c:67
error_t dsaVerifySignature(const DsaPublicKey *key, const uint8_t *digest, size_t digestLen, const DsaSignature *signature)
DSA signature verification.
Definition: dsa.c:526
Mpi e
Public exponent.
Definition: rsa.h:60
#define ntohs(value)
Definition: cpu_endian.h:396
error_t tlsVerifyEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, const uint8_t *signature, size_t signatureLen)
Verify EdDSA signature.
error_t tls12VerifySignature(TlsContext *context, const uint8_t *p, size_t length)
Digital signature verification (TLS 1.2)
RSA public key.
Definition: rsa.h:46
void dsaFreeSignature(DsaSignature *signature)
Release a DSA signature.
Definition: dsa.c:148
void ecFreeDomainParameters(EcDomainParameters *params)
Release EC domain parameters.
Definition: ec.c:73
__start_packed struct @64 TlsSignHashAlgo
Signature algorithm.
PEM file import functions.
TlsSignatureAlgo signAlgo
Signature algorithm used to sign the end entity certificate.
Definition: tls.h:1868
error_t pemImportEcParameters(const char_t *input, size_t length, EcDomainParameters *params)
Decode a PEM file containing EC domain parameters.
Definition: pem_import.c:1012
void dsaInitPrivateKey(DsaPrivateKey *key)
Initialize a DSA private key.
Definition: dsa.c:105
Ed25519 elliptic curve (constant-time implementation)
error_t ecdsaGenerateSignature(const EcDomainParameters *params, const PrngAlgo *prngAlgo, void *prngContext, const Mpi *privateKey, const uint8_t *digest, size_t digestLen, EcdsaSignature *signature)
ECDSA signature generation.
Definition: ecdsa.c:409
EdDSA private key.
Definition: eddsa.h:56
uint8_t signature
Definition: tls.h:1364
void ecInitDomainParameters(EcDomainParameters *params)
Initialize EC domain parameters.
Definition: ec.c:53
DSA (Digital Signature Algorithm)
error_t pemImportDsaPrivateKey(const char_t *input, size_t length, DsaPrivateKey *key)
Decode a PEM file containing a DSA private key.
Definition: pem_import.c:637
#define TLS_VERSION_1_2
Definition: tls.h:83
uint8_t s
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
void rsaFreePrivateKey(RsaPrivateKey *key)
Release a RSA private key.
Definition: rsa.c:145
Mpi dq
second factor&#39;s CRT exponent
Definition: rsa.h:65
error_t rsavp1(const RsaPublicKey *key, const Mpi *s, Mpi *m)
RSA verification primitive.
Definition: rsa.c:1233
Success.
Definition: error.h:42
void ecdsaFreeSignature(EcdsaSignature *signature)
Release an ECDSA signature.
Definition: ecdsa.c:80
error_t
Error codes.
Definition: error.h:40
error_t rsassaPkcs1v15Sign(const RsaPrivateKey *key, const HashAlgo *hash, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PKCS1-v1_5 signature generation operation.
Definition: rsa.c:642
error_t mpiExport(const Mpi *a, uint8_t *data, uint_t length, MpiFormat format)
Integer to octet string conversion.
Definition: mpi.c:596
RSA public-key cryptography standard.
error_t rsassaPkcs1v15Verify(const RsaPublicKey *key, const HashAlgo *hash, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PKCS1-v1_5 signature verification operation.
Definition: rsa.c:775
unsigned int uint_t
Definition: compiler_port.h:43
Mpi d
Private key.
Definition: eddsa.h:58
error_t tlsFinalizeTranscriptHash(TlsContext *context, const HashAlgo *hash, const void *hashContext, const char_t *label, uint8_t *output)
Finalize hash calculation from previous handshake messages.
Mpi qinv
CRT coefficient.
Definition: rsa.h:66
error_t ed448VerifySignature(const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed448.c:282
DSA private key.
Definition: dsa.h:59
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
Certificate descriptor.
Definition: tls.h:1861
#define ED448_PRIVATE_KEY_LEN
Definition: ed448.h:37
error_t ecdsaWriteSignature(const EcdsaSignature *signature, uint8_t *data, size_t *length)
Encode ECDSA signature using ASN.1.
Definition: ecdsa.c:96
error_t tlsGenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
Digital signature generation(SSL 3.0, TLS 1.0 or TLS 1.1)
Mpi dp
First factor&#39;s CRT exponent.
Definition: rsa.h:64
error_t ed25519VerifySignature(const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed25519.c:313
#define SHA1_HASH_ALGO
Definition: sha1.h:42
error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate ECDSA signature.
error_t tlsGenerateEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, uint8_t *signature, size_t *signatureLen)
Generate EdDSA signature.
void eddsaInitPrivateKey(EddsaPrivateKey *key)
Initialize a DSA private key.
Definition: eddsa.c:71
#define MD5_DIGEST_SIZE
Definition: md5.h:38
TlsNamedGroup namedCurve
Named curve used to generate the EC public key.
Definition: tls.h:1870
Transcript hash calculation.
RSA/DSA/ECDSA/EdDSA signature generation and verification.
#define tlsAllocMem(size)
Definition: tls.h:755
void dsaInitSignature(DsaSignature *signature)
Initialize a DSA signature.
Definition: dsa.c:135
error_t rsassaPssVerify(const RsaPublicKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PSS signature verification operation.
Definition: rsa.c:1004
Ed448 elliptic curve (constant-time implementation)
TlsCertificateType type
End entity certificate type.
Definition: tls.h:1867
error_t dsaReadSignature(const uint8_t *data, size_t length, DsaSignature *signature)
Read an ASN.1 encoded DSA signature.
Definition: dsa.c:320
size_t digestSize
Definition: crypto.h:1061
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
DSA signature.
Definition: dsa.h:72
void mpiInit(Mpi *r)
Initialize a multiple precision integer.
Definition: mpi.c:46
RSA private key.
Definition: rsa.h:57
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:154
#define TlsContext
Definition: tls.h:34
error_t ecdsaReadSignature(const uint8_t *data, size_t length, EcdsaSignature *signature)
Read an ASN.1 encoded ECDSA signature.
Definition: ecdsa.c:253
#define ED25519_PUBLIC_KEY_LEN
Definition: ed25519.h:39
#define MD5_HASH_ALGO
Definition: md5.h:42
#define TRACE_DEBUG(...)
Definition: debug.h:98