mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-11-12 18:49:07 +00:00
implement RFC 6979
This commit is contained in:
parent
047b30cf2f
commit
603acbd1be
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
*.o
|
||||
test-rfc6979
|
||||
test-speed
|
||||
test-verify
|
||||
|
5
Makefile
5
Makefile
@ -2,11 +2,14 @@ CC = gcc
|
||||
CFLAGS = -Wall -Os
|
||||
OBJS = aux.o ecdsa.o secp256k1.o sha2.o rand.o hmac.o
|
||||
|
||||
all: test-speed test-verify
|
||||
all: test-rfc6979 test-speed test-verify
|
||||
|
||||
%.o: %.c
|
||||
$(CC) $(CFLAGS) -o $@ -c $<
|
||||
|
||||
test-rfc6979: test-rfc6979.o $(OBJS)
|
||||
gcc test-rfc6979.o $(OBJS) -o test-rfc6979
|
||||
|
||||
test-speed: test-speed.o $(OBJS)
|
||||
gcc test-speed.o $(OBJS) -o test-speed
|
||||
|
||||
|
2
README
2
README
@ -11,6 +11,8 @@ Notes
|
||||
a) the signer only understands secp256k1 elliptic curve
|
||||
|
||||
b) there are executables:
|
||||
* test-rfc6979
|
||||
- check RFC 6979 algorithm for generating deterministic K
|
||||
* test-speed
|
||||
- check signing speed (sign 100x and compute speed from duration)
|
||||
* test-verify
|
||||
|
6
aux.h
6
aux.h
@ -27,12 +27,12 @@
|
||||
#include <stdint.h>
|
||||
|
||||
// rotate uint32 right
|
||||
inline uint32_t ror(const uint32_t x, const int n);
|
||||
uint32_t ror(const uint32_t x, const int n);
|
||||
|
||||
// read 4 big endian bytes into uint32
|
||||
inline uint32_t read_be(const uint8_t *data);
|
||||
uint32_t read_be(const uint8_t *data);
|
||||
|
||||
// write 4 big endian bytes
|
||||
inline void write_be(uint8_t *data, uint32_t x);
|
||||
void write_be(uint8_t *data, uint32_t x);
|
||||
|
||||
#endif
|
||||
|
114
ecdsa.c
114
ecdsa.c
@ -27,8 +27,8 @@
|
||||
|
||||
#include "rand.h"
|
||||
#include "sha2.h"
|
||||
#include "hmac.h"
|
||||
#include "ecdsa.h"
|
||||
#include "secp256k1.h"
|
||||
#include "aux.h"
|
||||
|
||||
#define INVERSE_FAST 1
|
||||
@ -471,11 +471,10 @@ void write_der(const bignum256 *x, uint8_t *buf)
|
||||
buf[1] = len;
|
||||
}
|
||||
|
||||
void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
|
||||
void read_32byte_big_endian(const uint8_t *in_number, bignum256 *out_number)
|
||||
{
|
||||
uint32_t i;
|
||||
uint64_t temp;
|
||||
temp = 0;
|
||||
int i;
|
||||
uint64_t temp = 0;
|
||||
for (i = 0; i < 8; i++) {
|
||||
temp += (((uint64_t)read_be(in_number + (7 - i) * 4)) << (2 * i));
|
||||
out_number->val[i]= temp & 0x3FFFFFFF;
|
||||
@ -484,6 +483,37 @@ void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
|
||||
out_number->val[8] = temp;
|
||||
}
|
||||
|
||||
void write_32byte_big_endian(const bignum256 *in_number, uint8_t *out_number)
|
||||
{
|
||||
int i, shift = 30 + 16 - 32;
|
||||
uint64_t temp = in_number->val[8];
|
||||
for (i = 0; i < 8; i++) {
|
||||
temp <<= 30;
|
||||
temp |= in_number->val[7 - i];
|
||||
write_be(out_number + i * 4, temp >> shift);
|
||||
shift -= 2;
|
||||
}
|
||||
}
|
||||
|
||||
int is_zero(const bignum256 *a)
|
||||
{
|
||||
int i;
|
||||
for (i = 0; i < 9; i++) {
|
||||
if (a->val[i] != 0) return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int is_less(const bignum256 *a, const bignum256 *b)
|
||||
{
|
||||
int i;
|
||||
for (i = 8; i >= 0; i--) {
|
||||
if (a->val[i] < b->val[i]) return 1;
|
||||
if (a->val[i] > b->val[i]) return 0;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
// generate random K for signing
|
||||
void generate_k_random(bignum256 *k) {
|
||||
int i;
|
||||
@ -501,8 +531,42 @@ void generate_k_random(bignum256 *k) {
|
||||
|
||||
// generate K in a deterministic way, according to RFC6979
|
||||
// http://tools.ietf.org/html/rfc6979
|
||||
void generate_k_rfc6979(bignum256 *k, uint8_t *priv_key, uint8_t *hash) {
|
||||
// TODO
|
||||
void generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t *hash)
|
||||
{
|
||||
uint8_t v[32], k[32], bx[2*32], buf[32 + 1 + sizeof(bx)], t[32];
|
||||
bignum256 z1;
|
||||
|
||||
memcpy(bx, priv_key, 32);
|
||||
read_32byte_big_endian(hash, &z1);
|
||||
mod(&z1, &order256k1);
|
||||
write_32byte_big_endian(&z1, bx + 32);
|
||||
|
||||
memset(v, 1, sizeof(v));
|
||||
memset(k, 0, sizeof(k));
|
||||
|
||||
memcpy(buf, v, sizeof(v));
|
||||
buf[sizeof(v)] = 0x00;
|
||||
memcpy(buf + sizeof(v) + 1, bx, 64);
|
||||
hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
|
||||
hmac_sha256(k, sizeof(k), v, sizeof(v), v);
|
||||
|
||||
memcpy(buf, v, sizeof(v));
|
||||
buf[sizeof(v)] = 0x01;
|
||||
memcpy(buf + sizeof(v) + 1, bx, 64);
|
||||
hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
|
||||
hmac_sha256(k, sizeof(k), v, sizeof(k), v);
|
||||
|
||||
for (;;) {
|
||||
hmac_sha256(k, sizeof(k), v, sizeof(v), t);
|
||||
read_32byte_big_endian(t, secret);
|
||||
if ( !is_zero(secret) && is_less(secret, &order256k1) ) {
|
||||
return;
|
||||
}
|
||||
memcpy(buf, v, sizeof(v));
|
||||
buf[sizeof(v)] = 0x00;
|
||||
hmac_sha256(k, sizeof(k), buf, sizeof(v) + 1, k);
|
||||
hmac_sha256(k, sizeof(k), v, sizeof(v), v);
|
||||
}
|
||||
}
|
||||
|
||||
// uses secp256k1 curve
|
||||
@ -511,7 +575,7 @@ void generate_k_rfc6979(bignum256 *k, uint8_t *priv_key, uint8_t *hash) {
|
||||
// msg_len is the message length
|
||||
// sig is at least 70 bytes long array for the signature
|
||||
// sig_len is the pointer to a uint that will contain resulting signature length. note that ((*sig_len) == sig[1]+2)
|
||||
void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len)
|
||||
void ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len)
|
||||
{
|
||||
int i;
|
||||
uint8_t hash[32];
|
||||
@ -525,8 +589,13 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
|
||||
|
||||
read_32byte_big_endian(hash, &z);
|
||||
for (;;) {
|
||||
|
||||
// generate random number k
|
||||
generate_k_random(&k);
|
||||
//generate_k_random(&k);
|
||||
|
||||
// generate K deterministically
|
||||
generate_k_rfc6979(&k, priv_key, hash);
|
||||
|
||||
// compute k*G
|
||||
scalar_multiply(&k, &R);
|
||||
// r = (rx mod n)
|
||||
@ -566,7 +635,7 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
|
||||
// uses secp256k1 curve
|
||||
// priv_key is a 32 byte big endian stored number
|
||||
// pub_key is at least 70 bytes long array for the public key
|
||||
void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len)
|
||||
void ecdsa_get_public_key(const uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len)
|
||||
{
|
||||
uint32_t i;
|
||||
curve_point R;
|
||||
@ -586,7 +655,7 @@ void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key
|
||||
|
||||
// does not validate that this is valid der encoding
|
||||
// assumes it is der encoding containing 1 number
|
||||
void read_der_single(uint8_t *der, bignum256 *elem)
|
||||
void read_der_single(const uint8_t *der, bignum256 *elem)
|
||||
{
|
||||
int i, j;
|
||||
uint8_t val[32];
|
||||
@ -605,38 +674,19 @@ void read_der_single(uint8_t *der, bignum256 *elem)
|
||||
|
||||
// does not validate that this is valid der encoding
|
||||
// assumes it is der encoding containing 2 numbers (either public key or ecdsa signature)
|
||||
void read_der_pair(uint8_t *der, bignum256 *elem1, bignum256 *elem2)
|
||||
void read_der_pair(const uint8_t *der, bignum256 *elem1, bignum256 *elem2)
|
||||
{
|
||||
read_der_single(der + 2, elem1);
|
||||
read_der_single(der + 4 + der[3], elem2);
|
||||
}
|
||||
|
||||
int is_zero(const bignum256 *a)
|
||||
{
|
||||
int i;
|
||||
for (i = 0; i < 9; i++) {
|
||||
if (a->val[i] != 0) return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int is_less(const bignum256 *a, const bignum256 *b)
|
||||
{
|
||||
int i;
|
||||
for (i = 8; i >= 0; i--) {
|
||||
if (a->val[i] < b->val[i]) return 1;
|
||||
if (a->val[i] > b->val[i]) return 0;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
// uses secp256k1 curve
|
||||
// pub_key and signature are DER encoded
|
||||
// msg is a data that was signed
|
||||
// msg_len is the message length
|
||||
// returns 0 if verification succeeded
|
||||
// it is assumed that public key is valid otherwise calling this does not make much sense
|
||||
int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len)
|
||||
int ecdsa_verify(const uint8_t *pub_key, const uint8_t *signature, const uint8_t *msg, uint32_t msg_len)
|
||||
{
|
||||
int i, j;
|
||||
uint8_t hash[32];
|
||||
|
8
ecdsa.h
8
ecdsa.h
@ -26,9 +26,11 @@
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
#include "secp256k1.h"
|
||||
|
||||
// uses secp256k1 curve
|
||||
void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len);
|
||||
void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len);
|
||||
int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len);
|
||||
void ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len);
|
||||
void ecdsa_get_public_key(const uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len);
|
||||
int ecdsa_verify(const uint8_t *pub_key, const uint8_t *signature, const uint8_t *msg, uint32_t msg_len);
|
||||
|
||||
#endif
|
||||
|
51
test-rfc6979.c
Normal file
51
test-rfc6979.c
Normal file
@ -0,0 +1,51 @@
|
||||
/**
|
||||
* Copyright (c) 2013 Pavol Rusnak
|
||||
*
|
||||
* Permission is hereby granted, free of charge, to any person obtaining
|
||||
* a copy of this software and associated documentation files (the "Software"),
|
||||
* to deal in the Software without restriction, including without limitation
|
||||
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
* and/or sell copies of the Software, and to permit persons to whom the
|
||||
* Software is furnished to do so, subject to the following conditions:
|
||||
*
|
||||
* The above copyright notice and this permission notice shall be included
|
||||
* in all copies or substantial portions of the Software.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
||||
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
|
||||
* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
||||
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
* OTHER DEALINGS IN THE SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include "ecdsa.h"
|
||||
#include "sha2.h"
|
||||
|
||||
bignum256 k;
|
||||
uint8_t kb[32];
|
||||
uint8_t priv[32] = {0xcc, 0xa9, 0xfb, 0xcc, 0x1b, 0x41, 0xe5, 0xa9, 0x5d, 0x36, 0x9e, 0xaa, 0x6d, 0xdc, 0xff, 0x73, 0xb6, 0x1a, 0x4e, 0xfa, 0xa2, 0x79, 0xcf, 0xc6, 0x56, 0x7e, 0x8d, 0xaa, 0x39, 0xcb, 0xaf, 0x50};
|
||||
uint8_t hash[32];
|
||||
|
||||
void write_32byte_big_endian(const bignum256 *in_number, uint8_t *out_number);
|
||||
void generate_k_rfc6979(bignum256 *k, const uint8_t *priv_key, const uint8_t *hash);
|
||||
|
||||
int main()
|
||||
{
|
||||
int i;
|
||||
|
||||
SHA256_Raw((uint8_t *)"sample", 6, hash);
|
||||
printf("hash : ");
|
||||
for (i = 0; i < 32; i++) printf("%02x", hash[i]); printf("\n");
|
||||
generate_k_rfc6979(&k, priv, hash);
|
||||
write_32byte_big_endian(&k, kb);
|
||||
|
||||
printf("expected : 2df40ca70e639d89528a6b670d9d48d9165fdc0febc0974056bdce192b8e16a3\n");
|
||||
printf("got : ");
|
||||
for (i = 0; i < 32; i++) printf("%02x", kb[i]);
|
||||
printf("\n");
|
||||
|
||||
return 0;
|
||||
}
|
Loading…
Reference in New Issue
Block a user