tls_signature.c
Go to the documentation of this file.
1 /**
2  * @file tls_signature.c
3  * @brief RSA/DSA/ECDSA/EdDSA signature generation and verification
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_signature.h"
38 #include "tls_transcript_hash.h"
39 #include "tls_misc.h"
40 #include "pkix/pem_import.h"
41 #include "pkc/rsa.h"
42 #include "pkc/dsa.h"
43 #include "ecc/ecdsa.h"
44 #include "ecc/ed25519.h"
45 #include "ecc/ed448.h"
46 #include "debug.h"
47 
48 //Check TLS library configuration
49 #if (TLS_SUPPORT == ENABLED)
50 
51 
52 /**
53  * @brief Select the algorithm to be used when generating digital signatures
54  * @param[in] context Pointer to the TLS context
55  * @param[in] cert End entity certificate
56  * @param[in] supportedSignAlgos List of supported signature/hash algorithm pairs
57  * @return Error code
58  **/
59 
61  const TlsSignHashAlgos *supportedSignAlgos)
62 {
63  error_t error;
64  uint_t i;
65  uint_t n;
66  const HashAlgo *hashAlgo;
67  const TlsSignHashAlgo *p;
68 
69  //Initialize status code
70  error = ERROR_HANDSHAKE_FAILED;
71 
72  //Default signature algorithm
73  context->signAlgo = TLS_SIGN_ALGO_ANONYMOUS;
74  context->signHashAlgo = TLS_HASH_ALGO_NONE;
75 
76 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \
77  TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)
78  //RSA, DSA or ECDSA certificate?
79  if(cert->type == TLS_CERT_RSA_SIGN ||
80  cert->type == TLS_CERT_DSS_SIGN ||
81  cert->type == TLS_CERT_ECDSA_SIGN)
82  {
83  //Check whether the peer has provided a list of supported hash/signature
84  //algorithm pairs
85  if(supportedSignAlgos != NULL)
86  {
87  TlsHashAlgo hashAlgoId;
88 
89  //Process the list and select the relevant signature algorithm
90  p = supportedSignAlgos->value;
91  //Get the number of hash/signature algorithm pairs present in the list
92  n = ntohs(supportedSignAlgos->length) / sizeof(TlsSignHashAlgo);
93 
94  //The hash algorithm to be used when generating signatures must be
95  //one of those present in the list
96  for(i = 0; i < n; i++)
97  {
98  //Reset the hash algorithm identifier to its default value
99  hashAlgoId = TLS_HASH_ALGO_NONE;
100 
101 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
102  //RSA signature scheme?
103  if(cert->type == TLS_CERT_RSA_SIGN &&
104  p[i].signature == TLS_SIGN_ALGO_RSA)
105  {
106  //In TLS 1.3, RSASSA-PKCS1-v1_5 signature algorithms refer
107  //solely to signatures which appear in certificates and are
108  //not defined for use in signed TLS handshake messages
109  if(context->version <= TLS_VERSION_1_2)
110  {
111  //Select current hash algorithm
112  hashAlgoId = (TlsHashAlgo) p[i].hash;
113  }
114  }
115  else
116 #endif
117 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
118  //RSA-PSS signature scheme?
119  if(cert->type == TLS_CERT_RSA_SIGN &&
120  p[i].hash == TLS_HASH_ALGO_INTRINSIC)
121  {
122  //TLS 1.2 and TLS 1.3 support RSASSA-PSS signature schemes
123  if(context->version >= TLS_VERSION_1_2)
124  {
125  //Check RSA-PSS signature scheme
127  {
128  //RSASSA-PSS RSAE signature scheme with SHA-256
129  hashAlgoId = TLS_HASH_ALGO_SHA256;
130  }
132  {
133  //RSASSA-PSS RSAE signature scheme with SHA-384
134  hashAlgoId = TLS_HASH_ALGO_SHA384;
135  }
137  {
138  //RSASSA-PSS RSAE signature scheme with SHA-512
139  hashAlgoId = TLS_HASH_ALGO_SHA512;
140  }
141  }
142  }
143  else
144 #endif
145 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
146  //DSA signature scheme?
147  if(cert->type == TLS_CERT_DSS_SIGN &&
148  p[i].signature == TLS_SIGN_ALGO_DSA)
149  {
150  //TLS 1.3 removes support for DSA certificates
151  if(context->version <= TLS_VERSION_1_2)
152  {
153  //Select current hash algorithm
154  hashAlgoId = (TlsHashAlgo) p[i].hash;
155  }
156  }
157  else
158 #endif
159 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
160  //ECDSA signature scheme?
161  if(cert->type == TLS_CERT_ECDSA_SIGN &&
162  p[i].signature == TLS_SIGN_ALGO_ECDSA)
163  {
164  //Version of TLS prior to TLS 1.3?
165  if(context->version <= TLS_VERSION_1_2)
166  {
167  //Select current hash algorithm
168  hashAlgoId = (TlsHashAlgo) p[i].hash;
169  }
170  else
171  {
172  //Check elliptic curve and hash algorithm
173  if(cert->namedCurve == TLS_GROUP_SECP256R1 &&
174  p[i].hash == TLS_HASH_ALGO_SHA256)
175  {
176  //Select current hash algorithm
177  hashAlgoId = TLS_HASH_ALGO_SHA256;
178  }
179  else if(cert->namedCurve == TLS_GROUP_SECP384R1 &&
180  p[i].hash == TLS_HASH_ALGO_SHA384)
181  {
182  //Select current hash algorithm
183  hashAlgoId = TLS_HASH_ALGO_SHA384;
184  }
185  else if(cert->namedCurve == TLS_GROUP_SECP521R1 &&
186  p[i].hash == TLS_HASH_ALGO_SHA512)
187  {
188  //Select current hash algorithm
189  hashAlgoId = TLS_HASH_ALGO_SHA512;
190  }
191  }
192  }
193  else
194 #endif
195  //Unknown signature scheme?
196  {
197  //Just for sanity
198  }
199 
200  //Get the hash algorithm that matches the specified identifier
201  hashAlgo = tlsGetHashAlgo(hashAlgoId);
202 
203  //Check whether the hash algorithm is supported
204  if(hashAlgo != NULL)
205  {
206  //In TLS versions prior to 1.3, the client implementation can only
207  //generate a CertificateVerify using SHA-1 or the hash used by
208  //the PRF. Supporting all hash algorithms would require the client
209  //to maintain hashes for every possible signature algorithm that
210  //the server may request...
211  if(context->version == TLS_VERSION_1_3 ||
212  context->entity == TLS_CONNECTION_END_SERVER ||
213  hashAlgoId == TLS_HASH_ALGO_SHA1 ||
214  hashAlgo == context->cipherSuite.prfHashAlgo)
215  {
216  //The signature algorithm is acceptable
217  context->signAlgo = (TlsSignatureAlgo) p[i].signature;
218  context->signHashAlgo = (TlsHashAlgo) hashAlgoId;
219  break;
220  }
221  }
222  }
223  }
224  else
225  {
226  //Version of TLS prior to TLS 1.3?
227  if(context->version <= TLS_VERSION_1_2)
228  {
229  //Select the default hash algorithm to be used when generating RSA,
230  //DSA or ECDSA signatures
232  {
233  //Select SHA-1 hash algorithm
234  context->signAlgo = cert->signAlgo;
235  context->signHashAlgo = TLS_HASH_ALGO_SHA1;
236  }
237  else if(tlsGetHashAlgo(TLS_HASH_ALGO_SHA256) != NULL)
238  {
239  //Select SHA-256 hash algorithm
240  context->signAlgo = cert->signAlgo;
241  context->signHashAlgo = TLS_HASH_ALGO_SHA256;
242  }
243  else if(tlsGetHashAlgo(TLS_HASH_ALGO_SHA384) != NULL)
244  {
245  //Select SHA-384 hash algorithm
246  context->signAlgo = cert->signAlgo;
247  context->signHashAlgo = TLS_HASH_ALGO_SHA384;
248  }
249  else if(tlsGetHashAlgo(TLS_HASH_ALGO_SHA512) != NULL)
250  {
251  //Select SHA-512 hash algorithm
252  context->signAlgo = cert->signAlgo;
253  context->signHashAlgo = TLS_HASH_ALGO_SHA512;
254  }
255  else
256  {
257  //Just for sanity
258  }
259  }
260  }
261  }
262  else
263 #endif
264 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
265  //RSA-PSS certificate?
266  if(cert->type == TLS_CERT_RSA_PSS_SIGN)
267  {
268  //TLS 1.2 and TLS 1.3 support RSASSA-PSS signature schemes
269  if(context->version >= TLS_VERSION_1_2)
270  {
271  //Check whether the peer has provided a list of supported hash/signature
272  //algorithm pairs
273  if(supportedSignAlgos != NULL)
274  {
275  TlsHashAlgo hashAlgoId;
276 
277  //Process the list and select the relevant signature algorithm
278  p = supportedSignAlgos->value;
279  //Get the number of hash/signature algorithm pairs present in the list
280  n = ntohs(supportedSignAlgos->length) / sizeof(TlsSignHashAlgo);
281 
282  //The hash algorithm to be used when generating signatures must be
283  //one of those present in the list
284  for(i = 0; i < n; i++)
285  {
286  //The hashing is intrinsic to the signature algorithm
287  if(p[i].hash == TLS_HASH_ALGO_INTRINSIC)
288  {
289  //Check signature scheme
291  hashAlgoId = TLS_HASH_ALGO_SHA256;
293  hashAlgoId = TLS_HASH_ALGO_SHA384;
295  hashAlgoId = TLS_HASH_ALGO_SHA512;
296  else
297  hashAlgoId = TLS_HASH_ALGO_NONE;
298 
299  //Check whether the hash algorithm is supported
300  if(tlsGetHashAlgo(hashAlgoId) != NULL)
301  {
302  //Acceptable hash algorithm found
303  context->signAlgo = (TlsSignatureAlgo) p[i].signature;
304  context->signHashAlgo = (TlsHashAlgo) p[i].hash;
305  break;
306  }
307  }
308  }
309  }
310  }
311  }
312  else
313 #endif
314 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
315  //EdDSA certificate?
316  if(cert->type == TLS_CERT_ED25519_SIGN ||
317  cert->type == TLS_CERT_ED448_SIGN)
318  {
319  //TLS 1.2 or TLS 1.3 currently selected?
320  if((context->version >= TLS_VERSION_1_2 &&
321  context->entity == TLS_CONNECTION_END_SERVER) ||
322  (context->version >= TLS_VERSION_1_3 &&
323  context->entity == TLS_CONNECTION_END_CLIENT))
324  {
325  //Ed25519 and Ed448 are used in PureEdDSA mode, without pre-hashing
326  context->signAlgo = cert->signAlgo;
327  context->signHashAlgo = TLS_HASH_ALGO_INTRINSIC;
328  }
329  }
330  else
331 #endif
332  //Unsupported signature algorithm?
333  {
334  //Just for sanity
335  }
336 
337  //If no acceptable choices are presented, return an error
338  if(context->signAlgo != TLS_SIGN_ALGO_ANONYMOUS &&
339  context->signHashAlgo != TLS_HASH_ALGO_NONE)
340  {
341  error = NO_ERROR;
342  }
343 
344  //Return status code
345  return error;
346 }
347 
348 
349 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
350 
351 /**
352  * @brief Digital signature generation(SSL 3.0, TLS 1.0 or TLS 1.1)
353  * @param[in] context Pointer to the TLS context
354  * @param[out] p Buffer where to store the digitally-signed element
355  * @param[out] length Length of the digitally-signed element
356  * @return Error code
357  **/
358 
360  size_t *length)
361 {
362  error_t error;
363  size_t n;
365 
366  //The digitally-signed element does not convey the signature algorithm
367  //to use, and hence implementations need to inspect the certificate to
368  //find out the signature algorithm to use
370 
371 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
372  //RSA certificate?
373  if(context->cert->type == TLS_CERT_RSA_SIGN)
374  {
375  RsaPrivateKey privateKey;
376 
377  //Initialize RSA private key
378  rsaInitPrivateKey(&privateKey);
379 
380  //Digest all the handshake messages starting at ClientHello using MD5
381  error = tlsFinalizeTranscriptHash(context, MD5_HASH_ALGO,
382  context->transcriptMd5Context, "", context->clientVerifyData);
383 
384  //Check status code
385  if(!error)
386  {
387  //Digest all the handshake messages starting at ClientHello using SHA-1
388  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
389  context->transcriptSha1Context, "",
390  context->clientVerifyData + MD5_DIGEST_SIZE);
391  }
392 
393  //Check status code
394  if(!error)
395  {
396  //Decode the PEM structure that holds the RSA private key
397  error = pemImportRsaPrivateKey(context->cert->privateKey,
398  context->cert->privateKeyLen, &privateKey);
399  }
400 
401  //Check status code
402  if(!error)
403  {
404  //Generate an RSA signature using the client's private key
405  error = tlsGenerateRsaSignature(&privateKey,
406  context->clientVerifyData, signature->value, &n);
407  }
408 
409  //Release previously allocated resources
410  rsaFreePrivateKey(&privateKey);
411  }
412  else
413 #endif
414 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
415  //DSA certificate?
416  if(context->cert->type == TLS_CERT_DSS_SIGN)
417  {
418  //Digest all the handshake messages starting at ClientHello
419  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
420  context->transcriptSha1Context, "", context->clientVerifyData);
421 
422  //Check status code
423  if(!error)
424  {
425  //Generate a DSA signature using the client's private key
426  error = tlsGenerateDsaSignature(context, context->clientVerifyData,
427  SHA1_DIGEST_SIZE, signature->value, &n);
428  }
429  }
430  else
431 #endif
432 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
433  //ECDSA certificate?
434  if(context->cert->type == TLS_CERT_ECDSA_SIGN)
435  {
436  //Digest all the handshake messages starting at ClientHello
437  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
438  context->transcriptSha1Context, "", context->clientVerifyData);
439 
440  //Check status code
441  if(!error)
442  {
443  //Generate an ECDSA signature using the client's private key
444  error = tlsGenerateEcdsaSignature(context, context->clientVerifyData,
445  SHA1_DIGEST_SIZE, signature->value, &n);
446  }
447  }
448  else
449 #endif
450  //Invalid certificate?
451  {
452  //Report an error
454  }
455 
456  //Check status code
457  if(!error)
458  {
459  //The signature is preceded by a 2-byte length field
460  signature->length = htons(n);
461  //Total length of the digitally-signed element
462  *length = sizeof(TlsDigitalSignature) + n;
463  }
464 
465  //Return status code
466  return error;
467 }
468 
469 
470 /**
471  * @brief Digital signature verification (SSL 3.0, TLS 1.0 and TLS 1.1)
472  * @param[in] context Pointer to the TLS context
473  * @param[in] p Pointer to the digitally-signed element to be verified
474  * @param[in] length Length of the digitally-signed element
475  * @return Error code
476  **/
477 
478 error_t tlsVerifySignature(TlsContext *context, const uint8_t *p,
479  size_t length)
480 {
481  error_t error;
483 
484  //The digitally-signed element does not convey the signature algorithm
485  //to use, and hence implementations need to inspect the certificate to
486  //find out the signature algorithm to use
488 
489  //Check the length of the digitally-signed element
490  if(length < sizeof(TlsDigitalSignature))
491  return ERROR_DECODING_FAILED;
492  if(length != (sizeof(TlsDigitalSignature) + ntohs(signature->length)))
493  return ERROR_DECODING_FAILED;
494 
495 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
496  //RSA certificate?
497  if(context->peerCertType == TLS_CERT_RSA_SIGN)
498  {
499  //Digest all the handshake messages starting at ClientHello using MD5
500  error = tlsFinalizeTranscriptHash(context, MD5_HASH_ALGO,
501  context->transcriptMd5Context, "", context->clientVerifyData);
502 
503  //Check status code
504  if(!error)
505  {
506  //Digest all the handshake messages starting at ClientHello using SHA-1
507  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
508  context->transcriptSha1Context, "",
509  context->clientVerifyData + MD5_DIGEST_SIZE);
510  }
511 
512  //Check status code
513  if(!error)
514  {
515  //Verify RSA signature using client's public key
516  error = tlsVerifyRsaSignature(&context->peerRsaPublicKey,
517  context->clientVerifyData, signature->value,
518  ntohs(signature->length));
519  }
520  }
521  else
522 #endif
523 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
524  //DSA certificate?
525  if(context->peerCertType == TLS_CERT_DSS_SIGN)
526  {
527  //Digest all the handshake messages starting at ClientHello
528  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
529  context->transcriptSha1Context, "", context->clientVerifyData);
530 
531  //Check status code
532  if(!error)
533  {
534  //Verify DSA signature using client's public key
535  error = tlsVerifyDsaSignature(context, context->clientVerifyData,
536  SHA1_DIGEST_SIZE, signature->value, ntohs(signature->length));
537  }
538  }
539  else
540 #endif
541 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
542  //ECDSA certificate?
543  if(context->peerCertType == TLS_CERT_ECDSA_SIGN)
544  {
545  //Digest all the handshake messages starting at ClientHello
546  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
547  context->transcriptSha1Context, "", context->clientVerifyData);
548 
549  //Check status code
550  if(!error)
551  {
552  //Verify ECDSA signature using client's public key
553  error = tlsVerifyEcdsaSignature(context, context->clientVerifyData,
554  SHA1_DIGEST_SIZE, signature->value, ntohs(signature->length));
555  }
556  }
557  else
558 #endif
559  //Invalid signature algorithm?
560  {
561  //Report an error
562  error = ERROR_INVALID_SIGNATURE;
563  }
564 
565  //Return status code
566  return error;
567 }
568 
569 #endif
570 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
571 
572 /**
573  * @brief Digital signature generation(TLS 1.2)
574  * @param[in] context Pointer to the TLS context
575  * @param[out] p Buffer where to store the digitally-signed element
576  * @param[out] length Length of the digitally-signed element
577  * @return Error code
578  **/
579 
580 error_t tls12GenerateSignature(TlsContext *context, uint8_t *p,
581  size_t *length)
582 {
583  error_t error;
584  size_t n;
586  const HashAlgo *hashAlgo;
587 
588  //Point to the digitally-signed element
590 
591  //Retrieve the hash algorithm used for signing
592  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
593  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
594  {
595  //The hashing is intrinsic to the signature algorithm
597  }
598  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
599  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
600  {
601  //The hashing is intrinsic to the signature algorithm
603  }
604  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
605  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
606  {
607  //The hashing is intrinsic to the signature algorithm
609  }
610  else
611  {
612  //Select the relevant hash algorithm
613  hashAlgo = tlsGetHashAlgo(context->signHashAlgo);
614  }
615 
616  //Digest all the handshake messages starting at ClientHello
617  if(hashAlgo == SHA1_HASH_ALGO)
618  {
619  //Use SHA-1 hash algorithm
620  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
621  context->transcriptSha1Context, "", context->clientVerifyData);
622  }
623  else if(hashAlgo == context->cipherSuite.prfHashAlgo)
624  {
625  //Use PRF hash algorithm (SHA-256 or SHA-384)
626  error = tlsFinalizeTranscriptHash(context, hashAlgo,
627  context->transcriptHashContext, "", context->clientVerifyData);
628  }
629  else
630  {
631  //The specified hash algorithm is not supported
633  }
634 
635  //Handshake message hash successfully computed?
636  if(!error)
637  {
638 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
639  //RSASSA-PKCS1-v1_5 signature scheme?
640  if(context->signAlgo == TLS_SIGN_ALGO_RSA)
641  {
642  RsaPrivateKey privateKey;
643 
644  //Initialize RSA private key
645  rsaInitPrivateKey(&privateKey);
646 
647  //Set the relevant signature algorithm
648  signature->algorithm.signature = TLS_SIGN_ALGO_RSA;
649  signature->algorithm.hash = context->signHashAlgo;
650 
651  //Decode the PEM structure that holds the RSA private key
652  error = pemImportRsaPrivateKey(context->cert->privateKey,
653  context->cert->privateKeyLen, &privateKey);
654 
655  //Check status code
656  if(!error)
657  {
658  //Generate RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
659  error = rsassaPkcs1v15Sign(&privateKey, hashAlgo,
660  context->clientVerifyData, signature->value, &n);
661  }
662 
663  //Release previously allocated resources
664  rsaFreePrivateKey(&privateKey);
665  }
666  else
667 #endif
668 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
669  //RSASSA-PSS signature scheme?
670  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
671  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
672  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
673  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
674  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
675  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
676  {
677  RsaPrivateKey privateKey;
678 
679  //Initialize RSA private key
680  rsaInitPrivateKey(&privateKey);
681 
682  //Set the relevant signature algorithm
683  signature->algorithm.signature = context->signAlgo;
684  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
685 
686  //Decode the PEM structure that holds the RSA private key
687  error = pemImportRsaPrivateKey(context->cert->privateKey,
688  context->cert->privateKeyLen, &privateKey);
689 
690  //Check status code
691  if(!error)
692  {
693  //Generate RSA signature (RSASSA-PSS signature scheme)
694  error = rsassaPssSign(context->prngAlgo, context->prngContext,
695  &privateKey, hashAlgo, hashAlgo->digestSize,
696  context->clientVerifyData, signature->value, &n);
697  }
698 
699  //Release previously allocated resources
700  rsaFreePrivateKey(&privateKey);
701  }
702  else
703 #endif
704 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
705  //DSA signature scheme?
706  if(context->signAlgo == TLS_SIGN_ALGO_DSA)
707  {
708  //Set the relevant signature algorithm
709  signature->algorithm.signature = TLS_SIGN_ALGO_DSA;
710  signature->algorithm.hash = context->signHashAlgo;
711 
712  //Generate a DSA signature using the client's private key
713  error = tlsGenerateDsaSignature(context, context->clientVerifyData,
714  hashAlgo->digestSize, signature->value, &n);
715  }
716  else
717 #endif
718 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
719  //ECDSA signature scheme?
720  if(context->signAlgo == TLS_SIGN_ALGO_ECDSA)
721  {
722  //Set the relevant signature algorithm
723  signature->algorithm.signature = TLS_SIGN_ALGO_ECDSA;
724  signature->algorithm.hash = context->signHashAlgo;
725 
726  //Generate an ECDSA signature using the client's private key
727  error = tlsGenerateEcdsaSignature(context, context->clientVerifyData,
728  hashAlgo->digestSize, signature->value, &n);
729  }
730  else
731 #endif
732  //Invalid signature scheme?
733  {
734  //Report an error
736  }
737  }
738 
739  //Check status code
740  if(!error)
741  {
742  //The signature is preceded by a 2-byte length field
743  signature->length = htons(n);
744  //Total length of the digitally-signed element
745  *length = sizeof(Tls12DigitalSignature) + n;
746  }
747 
748  //Return status code
749  return error;
750 }
751 
752 
753 /**
754  * @brief Digital signature verification (TLS 1.2)
755  * @param[in] context Pointer to the TLS context
756  * @param[in] p Pointer to the digitally-signed element to be verified
757  * @param[in] length Length of the digitally-signed element
758  * @return Error code
759  **/
760 
761 error_t tls12VerifySignature(TlsContext *context, const uint8_t *p,
762  size_t length)
763 {
764  error_t error;
766  const HashAlgo *hashAlgo;
767 
768  //Point to the digitally-signed element
770 
771  //Check the length of the digitally-signed element
772  if(length < sizeof(Tls12DigitalSignature))
773  return ERROR_DECODING_FAILED;
774  if(length != (sizeof(Tls12DigitalSignature) + ntohs(signature->length)))
775  return ERROR_DECODING_FAILED;
776 
777  //Retrieve the hash algorithm used for signing
778  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
779  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
780  {
781  //The hashing is intrinsic to the signature algorithm
782  if(signature->algorithm.hash == TLS_HASH_ALGO_INTRINSIC)
784  else
785  hashAlgo = NULL;
786  }
787  else if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
788  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
789  {
790  //The hashing is intrinsic to the signature algorithm
791  if(signature->algorithm.hash == TLS_HASH_ALGO_INTRINSIC)
793  else
794  hashAlgo = NULL;
795  }
796  else if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
797  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
798  {
799  //The hashing is intrinsic to the signature algorithm
800  if(signature->algorithm.hash == TLS_HASH_ALGO_INTRINSIC)
802  else
803  hashAlgo = NULL;
804  }
805  else
806  {
807  //This field indicates the hash algorithm that is used
808  hashAlgo = tlsGetHashAlgo(signature->algorithm.hash);
809  }
810 
811  //Digest all the handshake messages starting at ClientHello
812  if(hashAlgo == SHA1_HASH_ALGO)
813  {
814  //Use SHA-1 hash algorithm
815  error = tlsFinalizeTranscriptHash(context, SHA1_HASH_ALGO,
816  context->transcriptSha1Context, "", context->clientVerifyData);
817  }
818  else if(hashAlgo == context->cipherSuite.prfHashAlgo)
819  {
820  //Use PRF hash algorithm (SHA-256 or SHA-384)
821  error = tlsFinalizeTranscriptHash(context, hashAlgo,
822  context->transcriptHashContext, "", context->clientVerifyData);
823  }
824  else
825  {
826  //The specified hash algorithm is not supported
827  error = ERROR_INVALID_SIGNATURE;
828  }
829 
830  //Check status code
831  if(!error)
832  {
833 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
834  //RSASSA-PKCS1-v1_5 signature scheme?
835  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA &&
836  context->peerCertType == TLS_CERT_RSA_SIGN)
837  {
838  //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
839  error = rsassaPkcs1v15Verify(&context->peerRsaPublicKey,
840  hashAlgo, context->clientVerifyData, signature->value,
841  ntohs(signature->length));
842  }
843  else
844 #endif
845 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
846  //RSASSA-PSS signature scheme (with public key OID rsaEncryption)?
847  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
848  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
849  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512)
850  {
851  //Enforce the type of the certificate provided by the peer
852  if(context->peerCertType == TLS_CERT_RSA_SIGN)
853  {
854  //Verify RSA signature (RSASSA-PSS signature scheme)
855  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,
856  hashAlgo->digestSize, context->clientVerifyData,
857  signature->value, ntohs(signature->length));
858  }
859  else
860  {
861  //Invalid certificate
862  error = ERROR_INVALID_SIGNATURE;
863  }
864  }
865  else
866 #endif
867 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
868  //RSASSA-PSS signature scheme (with public key OID RSASSA-PSS)?
869  if(signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
870  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
871  signature->algorithm.signature == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
872  {
873  //Enforce the type of the certificate provided by the peer
874  if(context->peerCertType == TLS_CERT_RSA_PSS_SIGN)
875  {
876  //Verify RSA signature (RSASSA-PSS signature scheme)
877  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,
878  hashAlgo->digestSize, context->clientVerifyData,
879  signature->value, ntohs(signature->length));
880  }
881  else
882  {
883  //Invalid certificate
884  error = ERROR_INVALID_SIGNATURE;
885  }
886  }
887  else
888 #endif
889 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
890  //DSA signature scheme?
891  if(signature->algorithm.signature == TLS_SIGN_ALGO_DSA &&
892  context->peerCertType == TLS_CERT_DSS_SIGN)
893  {
894  //Verify DSA signature using client's public key
895  error = tlsVerifyDsaSignature(context, context->clientVerifyData,
896  hashAlgo->digestSize, signature->value, ntohs(signature->length));
897  }
898  else
899 #endif
900 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
901  //ECDSA signature scheme?
902  if(signature->algorithm.signature == TLS_SIGN_ALGO_ECDSA &&
903  context->peerCertType == TLS_CERT_ECDSA_SIGN)
904  {
905  //Verify ECDSA signature using client's public key
906  error = tlsVerifyEcdsaSignature(context, context->clientVerifyData,
907  hashAlgo->digestSize, signature->value, ntohs(signature->length));
908  }
909  else
910 #endif
911  //Invalid signature scheme?
912  {
913  //Report an error
914  error = ERROR_INVALID_SIGNATURE;
915  }
916  }
917 
918  //Return status code
919  return error;
920 }
921 
922 #endif
923 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
924 
925 /**
926  * @brief Generate RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
927  * @param[in] key Signer's RSA private key
928  * @param[in] digest Digest of the message to be signed
929  * @param[out] signature Resulting signature
930  * @param[out] signatureLen Length of the resulting signature
931  * @return Error code
932  **/
933 
935  const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
936 {
937 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
938  error_t error;
939  size_t k;
940  size_t paddingLen;
941  uint8_t *em;
942  Mpi m;
943  Mpi s;
944 
945  //Debug message
946  TRACE_DEBUG("RSA signature generation...\r\n");
947  TRACE_DEBUG(" Modulus:\r\n");
948  TRACE_DEBUG_MPI(" ", &key->n);
949  TRACE_DEBUG(" Public exponent:\r\n");
950  TRACE_DEBUG_MPI(" ", &key->e);
951  TRACE_DEBUG(" Private exponent:\r\n");
952  TRACE_DEBUG_MPI(" ", &key->d);
953  TRACE_DEBUG(" Prime 1:\r\n");
954  TRACE_DEBUG_MPI(" ", &key->p);
955  TRACE_DEBUG(" Prime 2:\r\n");
956  TRACE_DEBUG_MPI(" ", &key->q);
957  TRACE_DEBUG(" Prime exponent 1:\r\n");
958  TRACE_DEBUG_MPI(" ", &key->dp);
959  TRACE_DEBUG(" Prime exponent 2:\r\n");
960  TRACE_DEBUG_MPI(" ", &key->dq);
961  TRACE_DEBUG(" Coefficient:\r\n");
962  TRACE_DEBUG_MPI(" ", &key->qinv);
963  TRACE_DEBUG(" Message digest:\r\n");
965 
966  //Initialize multiple-precision integers
967  mpiInit(&m);
968  mpiInit(&s);
969 
970  //Get the length in octets of the modulus n
971  k = mpiGetByteLength(&key->n);
972 
973  //Check the length of the modulus
974  if(k < (MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE + 11))
975  return ERROR_INVALID_KEY;
976 
977  //Point to the buffer where the encoded message EM will be generated
978  em = signature;
979 
980  //The leading 0x00 octet ensures that the encoded message,
981  //converted to an integer, is less than the modulus
982  em[0] = 0x00;
983  //Block type 0x01 is used for private-key operations
984  em[1] = 0x01;
985 
986  //Compute the length of the padding string PS
987  paddingLen = k - (MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE + 3);
988  //Fill the padding string with 0xFF
989  memset(em + 2, 0xFF, paddingLen);
990  //Append a 0x00 octet to PS
991  em[paddingLen + 2] = 0x00;
992 
993  //Append the digest value
994  memcpy(em + paddingLen + 3, digest, MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE);
995 
996  //Debug message
997  TRACE_DEBUG(" Encoded message\r\n");
998  TRACE_DEBUG_ARRAY(" ", em, k);
999 
1000  //Start of exception handling block
1001  do
1002  {
1003  //Convert the encoded message EM to an integer message representative m
1004  error = mpiImport(&m, em, k, MPI_FORMAT_BIG_ENDIAN);
1005  //Conversion failed?
1006  if(error)
1007  break;
1008 
1009  //Apply the RSASP1 signature primitive
1010  error = rsasp1(key, &m, &s);
1011  //Any error to report?
1012  if(error)
1013  break;
1014 
1015  //Convert the signature representative s to a signature of length k octets
1016  error = mpiExport(&s, signature, k, MPI_FORMAT_BIG_ENDIAN);
1017  //Conversion failed?
1018  if(error)
1019  break;
1020 
1021  //Length of the resulting signature
1022  *signatureLen = k;
1023 
1024  //Debug message
1025  TRACE_DEBUG(" Signature:\r\n");
1026  TRACE_DEBUG_ARRAY(" ", signature, *signatureLen);
1027 
1028  //End of exception handling block
1029  } while(0);
1030 
1031  //Free previously allocated memory
1032  mpiFree(&m);
1033  mpiFree(&s);
1034 
1035  //Return status code
1036  return error;
1037 #else
1038  //RSA signature generation is not supported
1039  return ERROR_NOT_IMPLEMENTED;
1040 #endif
1041 }
1042 
1043 
1044 /**
1045  * @brief Verify RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
1046  * @param[in] key Signer's RSA public key
1047  * @param[in] digest Digest of the message whose signature is to be verified
1048  * @param[in] signature Signature to be verified
1049  * @param[in] signatureLen Length of the signature to be verified
1050  * @return Error code
1051  **/
1052 
1054  const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
1055 {
1056 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
1057  error_t error;
1058  uint_t i;
1059  uint_t k;
1060  uint8_t *em;
1061  Mpi s;
1062  Mpi m;
1063 
1064  //Debug message
1065  TRACE_DEBUG("RSA signature verification...\r\n");
1066  TRACE_DEBUG(" Modulus:\r\n");
1067  TRACE_DEBUG_MPI(" ", &key->n);
1068  TRACE_DEBUG(" Public exponent:\r\n");
1069  TRACE_DEBUG_MPI(" ", &key->e);
1070  TRACE_DEBUG(" Message digest:\r\n");
1072  TRACE_DEBUG(" Signature:\r\n");
1073  TRACE_DEBUG_ARRAY(" ", signature, signatureLen);
1074 
1075  //Get the length in octets of the modulus n
1076  k = mpiGetByteLength(&key->n);
1077 
1078  //Check the length of the signature
1079  if(signatureLen != k)
1080  return ERROR_INVALID_SIGNATURE;
1081 
1082  //Initialize multiple-precision integers
1083  mpiInit(&s);
1084  mpiInit(&m);
1085 
1086  //Allocate a memory buffer to hold the encoded message
1087  em = tlsAllocMem(k);
1088  //Failed to allocate memory?
1089  if(em == NULL)
1090  return ERROR_OUT_OF_MEMORY;
1091 
1092  //Start of exception handling block
1093  do
1094  {
1095  //Convert the signature to an integer signature representative s
1096  error = mpiImport(&s, signature, signatureLen, MPI_FORMAT_BIG_ENDIAN);
1097  //Conversion failed?
1098  if(error)
1099  break;
1100 
1101  //Apply the RSAVP1 verification primitive
1102  error = rsavp1(key, &s, &m);
1103  //Any error to report?
1104  if(error)
1105  break;
1106 
1107  //Convert the message representative m to an encoded message EM of
1108  //length k octets
1109  error = mpiExport(&m, em, k, MPI_FORMAT_BIG_ENDIAN);
1110  //Conversion failed?
1111  if(error)
1112  break;
1113 
1114  //Debug message
1115  TRACE_DEBUG(" Encoded message\r\n");
1116  TRACE_DEBUG_ARRAY(" ", em, k);
1117 
1118  //Assume an error...
1119  error = ERROR_INVALID_SIGNATURE;
1120 
1121  //The first octet of EM must have a value of 0x00
1122  if(em[0] != 0x00)
1123  break;
1124  //The block type BT shall be 0x01
1125  if(em[1] != 0x01)
1126  break;
1127 
1128  //Check the padding string PS
1129  for(i = 2; i < k; i++)
1130  {
1131  //A 0x00 octet indicates the end of the padding string
1132  if(em[i] == 0x00)
1133  break;
1134 
1135  //Each byte of PS must be set to 0xFF when the block type is 0x01
1136  if(em[i] != 0xFF)
1137  break;
1138  }
1139 
1140  //Check whether the padding string is properly terminated
1141  if(i >= k || em[i] != 0x00)
1142  break;
1143 
1144  //The length of PS cannot be less than 8 octets
1145  if(i < 10)
1146  break;
1147 
1148  //Check the length of the digest
1149  if((k - i - 1) != (MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE))
1150  break;
1151  //Check the digest value
1152  if(memcmp(digest, em + i + 1, MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE))
1153  break;
1154 
1155  //The RSA signature is valid
1156  error = NO_ERROR;
1157 
1158  //End of exception handling block
1159  } while(0);
1160 
1161  //Release multiple precision integers
1162  mpiFree(&s);
1163  mpiFree(&m);
1164  //Release previously allocated memory
1165  tlsFreeMem(em);
1166 
1167  //Return status code
1168  return error;
1169 #else
1170  //RSA signature verification is not supported
1171  return ERROR_NOT_IMPLEMENTED;
1172 #endif
1173 }
1174 
1175 #endif
1176 
1177 
1178 /**
1179  * @brief Generate DSA signature
1180  * @param[in] context Pointer to the TLS context
1181  * @param[in] digest Digest of the message to be signed
1182  * @param[in] digestLen Length in octets of the digest
1183  * @param[out] signature Resulting signature
1184  * @param[out] signatureLen Length of the resulting signature
1185  * @return Error code
1186  **/
1187 
1188 error_t tlsGenerateDsaSignature(TlsContext *context, const uint8_t *digest,
1189  size_t digestLen, uint8_t *signature, size_t *signatureLen)
1190 {
1191 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1192  error_t error;
1193  DsaPrivateKey privateKey;
1194  DsaSignature dsaSignature;
1195 
1196  //Initialize DSA private key
1197  dsaInitPrivateKey(&privateKey);
1198  //Initialize DSA signature
1199  dsaInitSignature(&dsaSignature);
1200 
1201  //Decode the PEM structure that holds the DSA private key
1202  error = pemImportDsaPrivateKey(context->cert->privateKey,
1203  context->cert->privateKeyLen, &privateKey);
1204 
1205  //Check status code
1206  if(!error)
1207  {
1208  //Generate DSA signature
1209  error = dsaGenerateSignature(context->prngAlgo, context->prngContext,
1210  &privateKey, digest, digestLen, &dsaSignature);
1211  }
1212 
1213  //Check status code
1214  if(!error)
1215  {
1216  //Encode the resulting (R, S) integer pair using ASN.1
1217  error = dsaWriteSignature(&dsaSignature, signature, signatureLen);
1218  }
1219 
1220  //Free previously allocated resources
1221  dsaFreePrivateKey(&privateKey);
1222  dsaFreeSignature(&dsaSignature);
1223 
1224  //Return status code
1225  return error;
1226 #else
1227  //DSA signature generation is not supported
1228  return ERROR_NOT_IMPLEMENTED;
1229 #endif
1230 }
1231 
1232 
1233 /**
1234  * @brief Verify DSA signature
1235  * @param[in] context Pointer to the TLS context
1236  * @param[in] digest Digest of the message whose signature is to be verified
1237  * @param[in] digestLen Length in octets of the digest
1238  * @param[in] signature Signature to be verified
1239  * @param[in] signatureLen Length of the signature to be verified
1240  * @return Error code
1241  **/
1242 
1243 error_t tlsVerifyDsaSignature(TlsContext *context, const uint8_t *digest,
1244  size_t digestLen, const uint8_t *signature, size_t signatureLen)
1245 {
1246 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1247  error_t error;
1248  DsaSignature dsaSignature;
1249 
1250  //Initialize DSA signature
1251  dsaInitSignature(&dsaSignature);
1252 
1253  //Read the ASN.1 encoded DSA signature
1254  error = dsaReadSignature(signature, signatureLen, &dsaSignature);
1255 
1256  //Check status code
1257  if(!error)
1258  {
1259  //DSA signature verification
1260  error = dsaVerifySignature(&context->peerDsaPublicKey,
1261  digest, digestLen, &dsaSignature);
1262  }
1263  else
1264  {
1265  //Malformed DSA signature
1266  error = ERROR_INVALID_SIGNATURE;
1267  }
1268 
1269  //Free previously allocated resources
1270  dsaFreeSignature(&dsaSignature);
1271 
1272  //Return status code
1273  return error;
1274 #else
1275  //DSA signature verification is not supported
1276  return ERROR_NOT_IMPLEMENTED;
1277 #endif
1278 }
1279 
1280 
1281 /**
1282  * @brief Generate ECDSA signature
1283  * @param[in] context Pointer to the TLS context
1284  * @param[in] digest Digest of the message to be signed
1285  * @param[in] digestLen Length in octets of the digest
1286  * @param[out] signature Resulting signature
1287  * @param[out] signatureLen Length of the resulting signature
1288  * @return Error code
1289  **/
1290 
1291 error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest,
1292  size_t digestLen, uint8_t *signature, size_t *signatureLen)
1293 {
1294 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1295  error_t error;
1296  EcdsaSignature ecdsaSignature;
1297 
1298  //Initialize ECDSA signature
1299  ecdsaInitSignature(&ecdsaSignature);
1300 
1301 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
1302  //Any registered callback?
1303  if(context->ecdsaSignCallback != NULL)
1304  {
1305  //Invoke user callback function
1306  error = context->ecdsaSignCallback(context, digest, digestLen,
1307  &ecdsaSignature);
1308  }
1309  else
1310 #endif
1311  {
1312  EcDomainParameters params;
1313  Mpi privateKey;
1314 
1315  //Initialize EC domain parameters
1316  ecInitDomainParameters(&params);
1317  //Initialize EC private key
1318  mpiInit(&privateKey);
1319 
1320  //Decode the PEM structure that holds the EC domain parameters
1321  error = pemImportEcParameters(context->cert->privateKey,
1322  context->cert->privateKeyLen, &params);
1323 
1324  //Check status code
1325  if(!error)
1326  {
1327  //Decode the PEM structure that holds the EC private key
1328  error = pemImportEcPrivateKey(context->cert->privateKey,
1329  context->cert->privateKeyLen, &privateKey);
1330  }
1331 
1332  //Check status code
1333  if(!error)
1334  {
1335  //Generate ECDSA signature
1336  error = ecdsaGenerateSignature(context->prngAlgo, context->prngContext,
1337  &params, &privateKey, digest, digestLen, &ecdsaSignature);
1338  }
1339 
1340  //Release previously allocated resources
1341  ecFreeDomainParameters(&params);
1342  mpiFree(&privateKey);
1343  }
1344 
1345  //Check status code
1346  if(!error)
1347  {
1348  //Encode the resulting (R, S) integer pair using ASN.1
1349  error = ecdsaWriteSignature(&ecdsaSignature, signature, signatureLen);
1350  }
1351 
1352  //Release previously allocated resources
1353  ecdsaFreeSignature(&ecdsaSignature);
1354 
1355  //Return status code
1356  return error;
1357 #else
1358  //ECDSA signature generation is not supported
1359  return ERROR_NOT_IMPLEMENTED;
1360 #endif
1361 }
1362 
1363 
1364 /**
1365  * @brief Verify ECDSA signature
1366  * @param[in] context Pointer to the TLS context
1367  * @param[in] digest Digest of the message whose signature is to be verified
1368  * @param[in] digestLen Length in octets of the digest
1369  * @param[in] signature Signature to be verified
1370  * @param[in] signatureLen Length of the signature to be verified
1371  * @return Error code
1372  **/
1373 
1374 error_t tlsVerifyEcdsaSignature(TlsContext *context, const uint8_t *digest,
1375  size_t digestLen, const uint8_t *signature, size_t signatureLen)
1376 {
1377 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1378  error_t error;
1379  EcdsaSignature ecdsaSignature;
1380 
1381  //Initialize ECDSA signature
1382  ecdsaInitSignature(&ecdsaSignature);
1383 
1384  //Read the ASN.1 encoded ECDSA signature
1385  error = ecdsaReadSignature(signature, signatureLen, &ecdsaSignature);
1386 
1387  //Check status code
1388  if(!error)
1389  {
1390 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
1391  //Any registered callback?
1392  if(context->ecdsaVerifyCallback != NULL)
1393  {
1394  //Invoke user callback function
1395  error = context->ecdsaVerifyCallback(context, digest, digestLen,
1396  &ecdsaSignature);
1397  }
1398  else
1399 #endif
1400  {
1401  //No callback function defined
1403  }
1404 
1405  //Check status code
1406  if(error == ERROR_UNSUPPORTED_ELLIPTIC_CURVE ||
1407  error == ERROR_UNSUPPORTED_HASH_ALGO)
1408  {
1409  //ECDSA signature verification
1410  error = ecdsaVerifySignature(&context->peerEcParams,
1411  &context->peerEcPublicKey, digest, digestLen, &ecdsaSignature);
1412  }
1413  }
1414  else
1415  {
1416  //Malformed ECDSA signature
1417  error = ERROR_INVALID_SIGNATURE;
1418  }
1419 
1420  //Free previously allocated resources
1421  ecdsaFreeSignature(&ecdsaSignature);
1422 
1423  //Return status code
1424  return error;
1425 #else
1426  //ECDSA signature verification is not supported
1427  return ERROR_NOT_IMPLEMENTED;
1428 #endif
1429 }
1430 
1431 
1432 /**
1433  * @brief Generate EdDSA signature
1434  * @param[in] context Pointer to the TLS context
1435  * @param[in] message Pointer to the message to be signed
1436  * @param[in] messageLen Length of the message, in bytes
1437  * @param[out] signature Resulting signature
1438  * @param[out] signatureLen Length of the resulting signature
1439  * @return Error code
1440  **/
1441 
1443  size_t messageLen, uint8_t *signature, size_t *signatureLen)
1444 {
1445 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1446  error_t error;
1447 
1448 #if (TLS_ED25519_SUPPORT == ENABLED)
1449  //Ed25519 elliptic curve?
1450  if(context->cert->type == TLS_CERT_ED25519_SIGN)
1451  {
1452  EddsaPrivateKey privateKey;
1453 
1454  //Initialize EdDSA private key
1455  eddsaInitPrivateKey(&privateKey);
1456 
1457  //Decode the PEM structure that holds the EdDSA private key
1458  error = pemImportEddsaPrivateKey(context->cert->privateKey,
1459  context->cert->privateKeyLen, &privateKey);
1460 
1461  //Check the length of the EdDSA private key
1462  if(mpiGetByteLength(&privateKey.d) == ED25519_PRIVATE_KEY_LEN)
1463  {
1464  uint8_t d[ED25519_PRIVATE_KEY_LEN];
1465 
1466  //Retrieve private key
1467  error = mpiExport(&privateKey.d, d, ED25519_PRIVATE_KEY_LEN,
1469 
1470  //Check status code
1471  if(!error)
1472  {
1473  //Generate Ed25519 signature (PureEdDSA mode)
1474  error = ed25519GenerateSignature(d, NULL, message, messageLen,
1475  NULL, 0, 0, signature);
1476  }
1477 
1478  //Length of the resulting EdDSA signature
1479  *signatureLen = ED25519_SIGNATURE_LEN;
1480  }
1481  else
1482  {
1483  //The length of the EdDSA private key is not valid
1484  error = ERROR_INVALID_KEY;
1485  }
1486 
1487  //Free previously allocated resources
1488  eddsaFreePrivateKey(&privateKey);
1489  }
1490  else
1491 #endif
1492 #if (TLS_ED448_SUPPORT == ENABLED)
1493  //Ed448 elliptic curve?
1494  if(context->cert->type == TLS_CERT_ED448_SIGN)
1495  {
1496  EddsaPrivateKey privateKey;
1497 
1498  //Initialize EdDSA private key
1499  eddsaInitPrivateKey(&privateKey);
1500 
1501  //Decode the PEM structure that holds the EdDSA private key
1502  error = pemImportEddsaPrivateKey(context->cert->privateKey,
1503  context->cert->privateKeyLen, &privateKey);
1504 
1505  //Check the length of the EdDSA private key
1506  if(mpiGetByteLength(&privateKey.d) == ED448_PRIVATE_KEY_LEN)
1507  {
1508  uint8_t d[ED448_PRIVATE_KEY_LEN];
1509 
1510  //Retrieve private key
1511  error = mpiExport(&privateKey.d, d, ED448_PRIVATE_KEY_LEN,
1513 
1514  //Check status code
1515  if(!error)
1516  {
1517  //Generate Ed448 signature (PureEdDSA mode)
1518  error = ed448GenerateSignature(d, NULL, message, messageLen,
1519  NULL, 0, 0, signature);
1520  }
1521 
1522  //Length of the resulting EdDSA signature
1523  *signatureLen = ED448_SIGNATURE_LEN;
1524  }
1525  else
1526  {
1527  //The length of the EdDSA private key is not valid
1528  error = ERROR_INVALID_KEY;
1529  }
1530 
1531  //Free previously allocated resources
1532  eddsaFreePrivateKey(&privateKey);
1533  }
1534  else
1535 #endif
1536  //Invalid signature algorithm?
1537  {
1538  //Report an error
1540  }
1541 
1542  //Return status code
1543  return error;
1544 #else
1545  //EdDSA signature generation is not supported
1546  return ERROR_NOT_IMPLEMENTED;
1547 #endif
1548 }
1549 
1550 
1551 /**
1552  * @brief Verify EdDSA signature
1553  * @param[in] context Pointer to the TLS context
1554  * @param[in] message Message whose signature is to be verified
1555  * @param[in] messageLen Length of the message, in bytes
1556  * @param[in] signature Signature to be verified
1557  * @param[in] signatureLen Length of the signature to be verified
1558  * @return Error code
1559  **/
1560 
1562  size_t messageLen, const uint8_t *signature, size_t signatureLen)
1563 {
1564 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1565  error_t error;
1566 
1567 #if (TLS_ED25519_SUPPORT == ENABLED)
1568  //Ed25519 elliptic curve?
1569  if(context->peerEcParams.type == EC_CURVE_TYPE_ED25519)
1570  {
1571  //Check the length of the EdDSA signature
1572  if(signatureLen == ED25519_SIGNATURE_LEN)
1573  {
1574  uint8_t publicKey[ED25519_PUBLIC_KEY_LEN];
1575 
1576  //Get peer's public key
1577  error = mpiExport(&context->peerEcPublicKey.x, publicKey,
1579 
1580  //Check status code
1581  if(!error)
1582  {
1583  //Verify Ed25519 signature (PureEdDSA mode)
1584  error = ed25519VerifySignature(publicKey, message, messageLen,
1585  NULL, 0, 0, signature);
1586  }
1587  }
1588  else
1589  {
1590  //The length of the EdDSA signature is not valid
1591  error = ERROR_INVALID_SIGNATURE;
1592  }
1593  }
1594  else
1595 #endif
1596 #if (TLS_ED448_SUPPORT == ENABLED)
1597  //Ed448 elliptic curve?
1598  if(context->peerEcParams.type == EC_CURVE_TYPE_ED448)
1599  {
1600  //Check the length of the EdDSA signature
1601  if(signatureLen == ED448_SIGNATURE_LEN)
1602  {
1603  uint8_t publicKey[ED448_PUBLIC_KEY_LEN];
1604 
1605  //Get peer's public key
1606  error = mpiExport(&context->peerEcPublicKey.x, publicKey,
1608 
1609  //Check status code
1610  if(!error)
1611  {
1612  //Verify Ed448 signature (PureEdDSA mode)
1613  error = ed448VerifySignature(publicKey, message, messageLen,
1614  NULL, 0, 0, signature);
1615  }
1616  }
1617  else
1618  {
1619  //The length of the EdDSA signature is not valid
1620  error = ERROR_INVALID_SIGNATURE;
1621  }
1622  }
1623  else
1624 #endif
1625  //Invalid signature algorithm?
1626  {
1627  //Report an error
1629  }
1630 
1631  //Return status code
1632  return error;
1633 #else
1634  //EdDSA signature verification is not supported
1635  return ERROR_NOT_IMPLEMENTED;
1636 #endif
1637 }
1638 
1639 #endif
#define tlsAllocMem(size)
Definition: tls.h:757
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256
Definition: tls.h:1115
#define htons(value)
Definition: cpu_endian.h:392
ECDSA signature.
Definition: ecdsa.h:48
@ TLS_SIGN_ALGO_DSA
Definition: tls.h:1113
TLS helper functions.
uint8_t length
Definition: dtls_misc.h:149
Ed25519 elliptic curve (constant-time implementation)
@ ERROR_UNSUPPORTED_ELLIPTIC_CURVE
Definition: error.h:131
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
#define SHA1_HASH_ALGO
Definition: sha1.h:46
error_t pemImportRsaPrivateKey(const char_t *input, size_t length, RsaPrivateKey *privateKey)
Decode a PEM file containing an RSA private key.
Definition: pem_import.c:382
Mpi p
First factor.
Definition: rsa.h:64
@ TLS_SIGN_ALGO_ANONYMOUS
Definition: tls.h:1111
Arbitrary precision integer.
Definition: mpi.h:69
error_t rsasp1(const RsaPrivateKey *key, const Mpi *m, Mpi *s)
RSA signature primitive.
Definition: rsa.c:1248
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
void ecInitDomainParameters(EcDomainParameters *params)
Initialize EC domain parameters.
Definition: ec.c:55
RSA/DSA/ECDSA/EdDSA signature generation and verification.
#define ED25519_PUBLIC_KEY_LEN
Definition: ed25519.h:41
error_t tlsFinalizeTranscriptHash(TlsContext *context, const HashAlgo *hash, const void *hashContext, const char_t *label, uint8_t *output)
Finalize hash calculation from previous handshake messages.
error_t tlsSelectSignatureScheme(TlsContext *context, const TlsCertDesc *cert, const TlsSignHashAlgos *supportedSignAlgos)
Select the algorithm to be used when generating digital signatures.
Definition: tls_signature.c:60
void eddsaFreePrivateKey(EddsaPrivateKey *key)
Release a DSA private key.
Definition: eddsa.c:86
void eddsaInitPrivateKey(EddsaPrivateKey *key)
Initialize a DSA private key.
Definition: eddsa.c:73
ECDSA (Elliptic Curve Digital Signature Algorithm)
uint8_t p
Definition: ndp.h:298
void dsaFreePrivateKey(DsaPrivateKey *key)
Release a DSA private key.
Definition: dsa.c:122
#define ED448_PUBLIC_KEY_LEN
Definition: ed448.h:41
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384
Definition: tls.h:1121
@ TLS_GROUP_SECP256R1
Definition: tls.h:1230
size_t digestSize
Definition: crypto.h:1135
TlsCertificateType type
End entity certificate type.
Definition: tls.h:1883
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
uint8_t signature
Definition: tls.h:1370
Mpi n
Modulus.
Definition: rsa.h:61
error_t ed448VerifySignature(const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed448.c:286
@ TLS_HASH_ALGO_SHA1
Definition: tls.h:1096
#define ED448_SIGNATURE_LEN
Definition: ed448.h:43
TlsHashAlgo
Hash algorithms.
Definition: tls.h:1092
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
@ TLS_CERT_DSS_SIGN
Definition: tls.h:1073
#define ED25519_SIGNATURE_LEN
Definition: ed25519.h:43
Mpi e
Public exponent.
Definition: rsa.h:51
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512
Definition: tls.h:1122
@ EC_CURVE_TYPE_ED25519
Definition: ec_curves.h:276
error_t mpiImport(Mpi *r, const uint8_t *data, uint_t length, MpiFormat format)
Octet string to integer conversion.
Definition: mpi.c:533
EC domain parameters.
Definition: ec.h:63
error_t pemImportEddsaPrivateKey(const char_t *input, size_t length, EddsaPrivateKey *privateKey)
Decode a PEM file containing a EdDSA private key.
Definition: pem_import.c:1186
void ecFreeDomainParameters(EcDomainParameters *params)
Release EC domain parameters.
Definition: ec.c:75
void mpiInit(Mpi *r)
Initialize a multiple precision integer.
Definition: mpi.c:48
#define ED25519_PRIVATE_KEY_LEN
Definition: ed25519.h:39
void rsaInitPrivateKey(RsaPrivateKey *key)
Initialize an RSA private key.
Definition: rsa.c:131
Mpi d
Private exponent.
Definition: rsa.h:63
__weak error_t ecdsaVerifySignature(const EcDomainParameters *params, const EcPoint *publicKey, const uint8_t *digest, size_t digestLen, const EcdsaSignature *signature)
ECDSA signature verification.
Definition: ecdsa.c:562
Mpi n
Modulus.
Definition: rsa.h:50
@ TLS_HASH_ALGO_NONE
Definition: tls.h:1094
error_t pemImportDsaPrivateKey(const char_t *input, size_t length, DsaPrivateKey *privateKey)
Decode a PEM file containing a DSA private key.
Definition: pem_import.c:585
void ecdsaFreeSignature(EcdsaSignature *signature)
Release an ECDSA signature.
Definition: ecdsa.c:82
error_t tlsGenerateRsaSignature(const RsaPrivateKey *key, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
Generate RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
@ TLS_HASH_ALGO_SHA512
Definition: tls.h:1100
error_t ed25519GenerateSignature(const uint8_t *privateKey, const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
EdDSA signature generation.
Definition: ed25519.c:185
@ ERROR_UNSUPPORTED_HASH_ALGO
Definition: error.h:128
error_t mpiExport(const Mpi *a, uint8_t *data, uint_t length, MpiFormat format)
Integer to octet string conversion.
Definition: mpi.c:618
PEM file import functions.
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
#define TlsContext
Definition: tls.h:36
@ MPI_FORMAT_LITTLE_ENDIAN
Definition: mpi.h:60
error_t
Error codes.
Definition: error.h:42
void dsaInitSignature(DsaSignature *signature)
Initialize a DSA signature.
Definition: dsa.c:137
@ TLS_CERT_ED25519_SIGN
Definition: tls.h:1083
@ TLS_CONNECTION_END_SERVER
Definition: tls.h:862
void rsaFreePrivateKey(RsaPrivateKey *key)
Release an RSA private key.
Definition: rsa.c:150
error_t rsavp1(const RsaPublicKey *key, const Mpi *s, Mpi *m)
RSA verification primitive.
Definition: rsa.c:1269
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
#define TLS_VERSION_1_2
Definition: tls.h:94
error_t pemImportEcPrivateKey(const char_t *input, size_t length, Mpi *privateKey)
Decode a PEM file containing an EC private key.
Definition: pem_import.c:983
Mpi q
Second factor.
Definition: rsa.h:65
@ TLS_HASH_ALGO_INTRINSIC
Definition: tls.h:1101
error_t rsassaPssSign(const PrngAlgo *prngAlgo, void *prngContext, const RsaPrivateKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PSS signature generation operation.
Definition: rsa.c:920
RSA public key.
Definition: rsa.h:48
void ecdsaInitSignature(EcdsaSignature *signature)
Initialize an ECDSA signature.
Definition: ecdsa.c:69
#define MD5_HASH_ALGO
Definition: md5.h:46
error_t dsaGenerateSignature(const PrngAlgo *prngAlgo, void *prngContext, const DsaPrivateKey *key, const uint8_t *digest, size_t digestLen, DsaSignature *signature)
DSA signature generation.
Definition: dsa.c:457
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_HASH_ALGO_SHA384
Definition: tls.h:1099
void dsaInitPrivateKey(DsaPrivateKey *key)
Initialize a DSA private key.
Definition: dsa.c:107
@ TLS_CERT_RSA_PSS_SIGN
Definition: tls.h:1082
@ TLS_GROUP_SECP384R1
Definition: tls.h:1231
RSA public-key cryptography standard.
error_t tls12GenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
DSA (Digital Signature Algorithm)
@ TLS_HASH_ALGO_SHA256
Definition: tls.h:1098
@ TLS_CERT_ED448_SIGN
Definition: tls.h:1084
DSA private key.
Definition: dsa.h:73
@ TLS_CERT_RSA_SIGN
Definition: tls.h:1072
Mpi e
Public exponent.
Definition: rsa.h:62
#define MD5_DIGEST_SIZE
Definition: md5.h:40
error_t pemImportEcParameters(const char_t *input, size_t length, EcDomainParameters *params)
Decode a PEM file containing EC domain parameters.
Definition: pem_import.c:709
@ TLS_GROUP_SECP521R1
Definition: tls.h:1232
error_t dsaWriteSignature(const DsaSignature *signature, uint8_t *data, size_t *length)
Encode DSA signature using ASN.1.
Definition: dsa.c:166
Mpi qinv
CRT coefficient.
Definition: rsa.h:68
error_t tlsVerifySignature(TlsContext *context, const uint8_t *p, size_t length)
Digital signature verification (SSL 3.0, TLS 1.0 and TLS 1.1)
__weak error_t ecdsaGenerateSignature(const PrngAlgo *prngAlgo, void *prngContext, const EcDomainParameters *params, const Mpi *privateKey, const uint8_t *digest, size_t digestLen, EcdsaSignature *signature)
ECDSA signature generation.
Definition: ecdsa.c:447
EdDSA private key.
Definition: eddsa.h:58
Mpi dq
second factor's CRT exponent
Definition: rsa.h:67
Certificate descriptor.
Definition: tls.h:1877
Transcript hash calculation.
#define ED448_PRIVATE_KEY_LEN
Definition: ed448.h:39
uint8_t hash
Definition: tls.h:1369
#define ntohs(value)
Definition: cpu_endian.h:398
@ EC_CURVE_TYPE_ED448
Definition: ec_curves.h:277
error_t ecdsaWriteSignature(const EcdsaSignature *signature, uint8_t *data, size_t *length)
Encode ECDSA signature using ASN.1.
Definition: ecdsa.c:98
#define TRACE_DEBUG(...)
Definition: debug.h:106
TlsSignatureAlgo signAlgo
Signature algorithm used to sign the end entity certificate.
Definition: tls.h:1884
error_t dsaVerifySignature(const DsaPublicKey *key, const uint8_t *digest, size_t digestLen, const DsaSignature *signature)
DSA signature verification.
Definition: dsa.c:563
error_t tlsVerifyEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, const uint8_t *signature, size_t signatureLen)
Verify EdDSA signature.
error_t rsassaPkcs1v15Verify(const RsaPublicKey *key, const HashAlgo *hash, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PKCS1-v1_5 signature verification operation.
Definition: rsa.c:811
#define SHA1_DIGEST_SIZE
Definition: sha1.h:40
__start_packed struct @64 TlsSignHashAlgo
Signature algorithm.
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
Mpi d
Private key.
Definition: eddsa.h:60
uint8_t m
Definition: ndp.h:302
uint8_t n
RSA private key.
Definition: rsa.h:59
error_t rsassaPssVerify(const RsaPublicKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PSS signature verification operation.
Definition: rsa.c:1040
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512
Definition: tls.h:1117
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256
Definition: tls.h:1120
void dsaFreeSignature(DsaSignature *signature)
Release a DSA signature.
Definition: dsa.c:150
TlsSignatureAlgo
Signature algorithms.
Definition: tls.h:1109
@ TLS_CONNECTION_END_CLIENT
Definition: tls.h:861
error_t dsaReadSignature(const uint8_t *data, size_t length, DsaSignature *signature)
Read an ASN.1 encoded DSA signature.
Definition: dsa.c:322
uint8_t s
uint8_t message[]
Definition: chap.h:152
error_t tlsVerifyRsaSignature(const RsaPublicKey *key, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
Verify RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
@ MPI_FORMAT_BIG_ENDIAN
Definition: mpi.h:61
TLS (Transport Layer Security)
@ TLS_SIGN_ALGO_RSA
Definition: tls.h:1112
error_t tlsVerifyDsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, const uint8_t *signature, size_t signatureLen)
Verify DSA signature.
@ TLS_CERT_ECDSA_SIGN
Definition: tls.h:1079
error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate ECDSA signature.
error_t tlsGenerateEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, uint8_t *signature, size_t *signatureLen)
Generate EdDSA signature.
error_t ecdsaReadSignature(const uint8_t *data, size_t length, EcdsaSignature *signature)
Read an ASN.1 encoded ECDSA signature.
Definition: ecdsa.c:255
error_t tlsGenerateDsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate DSA signature.
Common interface for hash algorithms.
Definition: crypto.h:1128
error_t ed25519VerifySignature(const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed25519.c:315
error_t rsassaPkcs1v15Sign(const RsaPrivateKey *key, const HashAlgo *hash, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PKCS1-v1_5 signature generation operation.
Definition: rsa.c:678
DSA signature.
Definition: dsa.h:86
Mpi dp
First factor's CRT exponent.
Definition: rsa.h:66
@ ERROR_UNSUPPORTED_SIGNATURE_ALGO
Definition: error.h:130
@ ERROR_DECODING_FAILED
Definition: error.h:235
error_t tlsGenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
Digital signature generation(SSL 3.0, TLS 1.0 or TLS 1.1)
unsigned int uint_t
Definition: compiler_port.h:45
#define TRACE_DEBUG_MPI(p, a)
Definition: debug.h:109
#define tlsFreeMem(p)
Definition: tls.h:762
@ ERROR_INVALID_SIGNATURE
Definition: error.h:223
@ TLS_SIGN_ALGO_ECDSA
Definition: tls.h:1114
error_t tls12VerifySignature(TlsContext *context, const uint8_t *p, size_t length)
Ed448 elliptic curve (constant-time implementation)
error_t ed448GenerateSignature(const uint8_t *privateKey, const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
EdDSA signature generation.
Definition: ed448.c:172
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384
Definition: tls.h:1116
TlsNamedGroup namedCurve
Named curve used to generate the EC public key.
Definition: tls.h:1886
@ ERROR_INVALID_KEY
Definition: error.h:104
@ NO_ERROR
Success.
Definition: error.h:44
error_t tlsVerifyEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, const uint8_t *signature, size_t signatureLen)
Verify ECDSA signature.
Debugging facilities.
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:156
void mpiFree(Mpi *r)
Release a multiple precision integer.
Definition: mpi.c:62