mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-11-21 23:18:13 +00:00
feat(crypto): add wrappers for ecdsa from secp256k1_zkp
This commit is contained in:
parent
75e61da70b
commit
d2f8f4b021
@ -42,7 +42,9 @@ ZKP_CFLAGS = \
|
||||
-DUSE_FIELD_10X26 \
|
||||
-DUSE_SCALAR_8X32 \
|
||||
-DECMULT_GEN_PREC_BITS=4 \
|
||||
-DECMULT_WINDOW_SIZE=8
|
||||
-DECMULT_WINDOW_SIZE=8 \
|
||||
-DENABLE_MODULE_GENERATOR \
|
||||
-DENABLE_MODULE_RECOVERY
|
||||
ZKP_PATH = ../vendor/secp256k1-zkp
|
||||
CFLAGS += -DSECP256K1_CONTEXT_SIZE=73952
|
||||
|
||||
@ -94,6 +96,7 @@ SRCS += rfc6979.c
|
||||
SRCS += slip39.c
|
||||
SRCS += schnorr.c
|
||||
SRCS += zkp_context.c
|
||||
SRCS += zkp_ecdsa.c
|
||||
|
||||
OBJS = $(SRCS:.c=.o)
|
||||
OBJS += secp256k1-zkp.o
|
||||
|
313
crypto/zkp_ecdsa.c
Normal file
313
crypto/zkp_ecdsa.c
Normal file
@ -0,0 +1,313 @@
|
||||
/**
|
||||
* Copyright (c) SatoshiLabs
|
||||
*
|
||||
* Permission is hereby granted, free of charge, to any person obtaining
|
||||
* a copy of this software and associated documentation files (the "Software"),
|
||||
* to deal in the Software without restriction, including without limitation
|
||||
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
* and/or sell copies of the Software, and to permit persons to whom the
|
||||
* Software is furnished to do so, subject to the following conditions:
|
||||
*
|
||||
* The above copyright notice and this permission notice shall be included
|
||||
* in all copies or substantial portions of the Software.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
||||
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
|
||||
* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
||||
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
* OTHER DEALINGS IN THE SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <assert.h>
|
||||
#include <stdbool.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "memzero.h"
|
||||
#include "secp256k1.h"
|
||||
#include "zkp_context.h"
|
||||
|
||||
#include "vendor/secp256k1-zkp/include/secp256k1.h"
|
||||
#include "vendor/secp256k1-zkp/include/secp256k1_extrakeys.h"
|
||||
#include "vendor/secp256k1-zkp/include/secp256k1_preallocated.h"
|
||||
#include "vendor/secp256k1-zkp/include/secp256k1_recovery.h"
|
||||
|
||||
#include "zkp_ecdsa.h"
|
||||
|
||||
static bool is_zero_digest(const uint8_t *digest) {
|
||||
const uint8_t zeroes[32] = {0};
|
||||
return memcmp(digest, zeroes, 32) == 0;
|
||||
}
|
||||
|
||||
// ECDSA compressed public key derivation
|
||||
// curve has to be &secp256k1
|
||||
// private_key_bytes has 32 bytes
|
||||
// public_key_bytes has 33 bytes
|
||||
void zkp_ecdsa_get_public_key33(const ecdsa_curve *curve,
|
||||
const uint8_t *private_key_bytes,
|
||||
uint8_t *public_key_bytes) {
|
||||
assert(curve == &secp256k1);
|
||||
int result = 0;
|
||||
|
||||
secp256k1_pubkey public_key = {0};
|
||||
|
||||
if (result == 0) {
|
||||
secp256k1_context *context_writable = zkp_context_acquire_writable();
|
||||
secp256k1_context_writable_randomize(context_writable);
|
||||
if (secp256k1_ec_pubkey_create(context_writable, &public_key,
|
||||
private_key_bytes) != 1) {
|
||||
result = 1;
|
||||
}
|
||||
zkp_context_release_writable();
|
||||
}
|
||||
|
||||
if (result == 0) {
|
||||
size_t written = 33;
|
||||
const secp256k1_context *context_read_only = zkp_context_get_read_only();
|
||||
int returned = secp256k1_ec_pubkey_serialize(
|
||||
context_read_only, public_key_bytes, &written, &public_key,
|
||||
SECP256K1_EC_COMPRESSED);
|
||||
|
||||
if (returned != 1 || written != 33) {
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
memzero(&public_key, sizeof(public_key));
|
||||
assert(result == 0);
|
||||
}
|
||||
|
||||
// ECDSA uncompressed public key derivation
|
||||
// curve has to be &secp256k1
|
||||
// private_key_bytes has 32 bytes
|
||||
// public_key_bytes has 65 bytes
|
||||
void zkp_ecdsa_get_public_key65(const ecdsa_curve *curve,
|
||||
const uint8_t *private_key_bytes,
|
||||
uint8_t *public_key_bytes) {
|
||||
assert(curve == &secp256k1);
|
||||
int result = 0;
|
||||
|
||||
secp256k1_pubkey public_key = {0};
|
||||
|
||||
if (result == 0) {
|
||||
secp256k1_context *context_writable = zkp_context_acquire_writable();
|
||||
secp256k1_context_writable_randomize(context_writable);
|
||||
if (secp256k1_ec_pubkey_create(context_writable, &public_key,
|
||||
private_key_bytes) != 1) {
|
||||
result = 1;
|
||||
}
|
||||
zkp_context_release_writable();
|
||||
}
|
||||
|
||||
if (result == 0) {
|
||||
size_t written = 65;
|
||||
const secp256k1_context *context_read_only = zkp_context_get_read_only();
|
||||
int returned = secp256k1_ec_pubkey_serialize(
|
||||
context_read_only, public_key_bytes, &written, &public_key,
|
||||
SECP256K1_EC_UNCOMPRESSED);
|
||||
|
||||
if (returned != 1 || written != 65) {
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
memzero(&public_key, sizeof(public_key));
|
||||
assert(result == 0);
|
||||
}
|
||||
|
||||
// ECDSA signing
|
||||
// curve has to be &secp256k1
|
||||
// private_key_bytes has 32 bytes
|
||||
// digest has 32 bytes
|
||||
// signature_bytes has 64 bytes
|
||||
// pby is one byte
|
||||
// is_canonical has to be NULL
|
||||
// returns 0 on success
|
||||
int zkp_ecdsa_sign_digest(
|
||||
const ecdsa_curve *curve, const uint8_t *private_key_bytes,
|
||||
const uint8_t *digest, uint8_t *signature_bytes, uint8_t *pby,
|
||||
int (*is_canonical)(uint8_t by, uint8_t signature_bytes[64])) {
|
||||
assert(curve == &secp256k1);
|
||||
assert(is_canonical == NULL);
|
||||
int result = 0;
|
||||
|
||||
if (result == 0) {
|
||||
if (is_zero_digest(digest)) {
|
||||
// The probability of the digest being all-zero by chance is
|
||||
// infinitesimal, so this is most likely an indication of a bug.
|
||||
// Furthermore, the signature has no value, because in this case it can be
|
||||
// easily forged for any public key, see zkp_ecdsa_verify_digest().
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
secp256k1_ecdsa_recoverable_signature recoverable_signature = {0};
|
||||
|
||||
if (result == 0) {
|
||||
secp256k1_context *ctx_writable = zkp_context_acquire_writable();
|
||||
secp256k1_context_writable_randomize(ctx_writable);
|
||||
if (secp256k1_ecdsa_sign_recoverable(ctx_writable, &recoverable_signature,
|
||||
digest, private_key_bytes, NULL,
|
||||
NULL) != 1) {
|
||||
result = 1;
|
||||
}
|
||||
zkp_context_release_writable();
|
||||
}
|
||||
|
||||
if (result == 0) {
|
||||
int recid = 0;
|
||||
const secp256k1_context *context_read_only = zkp_context_get_read_only();
|
||||
if (secp256k1_ecdsa_recoverable_signature_serialize_compact(
|
||||
context_read_only, signature_bytes, &recid,
|
||||
&recoverable_signature) != 1) {
|
||||
result = 1;
|
||||
}
|
||||
if (pby != NULL) {
|
||||
*pby = (uint8_t)recid;
|
||||
}
|
||||
}
|
||||
|
||||
memzero(&recoverable_signature, sizeof(recoverable_signature));
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
// ECDSA public key recovery
|
||||
// public_key_bytes has 65 bytes
|
||||
// signature_bytes has 64 bytes
|
||||
// digest has 32 bytes
|
||||
// recid is 0, 1, 2 or 3
|
||||
// returns 0 on success
|
||||
int zkp_ecdsa_recover_pub_from_sig(const ecdsa_curve *curve,
|
||||
uint8_t *public_key_bytes,
|
||||
const uint8_t *signature_bytes,
|
||||
const uint8_t *digest, int recid) {
|
||||
assert(curve == &secp256k1);
|
||||
int result = 0;
|
||||
|
||||
const secp256k1_context *context_read_only = zkp_context_get_read_only();
|
||||
secp256k1_ecdsa_recoverable_signature recoverable_signature = {0};
|
||||
|
||||
if (result == 0) {
|
||||
if (secp256k1_ecdsa_recoverable_signature_parse_compact(
|
||||
context_read_only, &recoverable_signature, signature_bytes,
|
||||
recid) != 1) {
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
secp256k1_pubkey public_key = {0};
|
||||
|
||||
if (result == 0) {
|
||||
if (secp256k1_ecdsa_recover(context_read_only, &public_key,
|
||||
&recoverable_signature, digest) != 1) {
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
memzero(&recoverable_signature, sizeof(recoverable_signature));
|
||||
|
||||
if (result == 0) {
|
||||
size_t written = 65;
|
||||
int returned = secp256k1_ec_pubkey_serialize(
|
||||
context_read_only, public_key_bytes, &written, &public_key,
|
||||
SECP256K1_EC_UNCOMPRESSED);
|
||||
if (returned != 1 || written != 65) {
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
memzero(&public_key, sizeof(public_key));
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
// ECDSA verification
|
||||
// curve has to be &secp256k1
|
||||
// public_key_bytes has 33 or 65 bytes
|
||||
// signature_bytes has 64 bytes
|
||||
// digest has 32 bytes
|
||||
// returns 0 if verification succeeded
|
||||
int zkp_ecdsa_verify_digest(const ecdsa_curve *curve,
|
||||
const uint8_t *public_key_bytes,
|
||||
const uint8_t *signature_bytes,
|
||||
const uint8_t *digest) {
|
||||
assert(curve == &secp256k1);
|
||||
int result = 0;
|
||||
|
||||
int public_key_length = 0;
|
||||
|
||||
if (result == 0) {
|
||||
if (public_key_bytes[0] == 0x04) {
|
||||
public_key_length = 65;
|
||||
} else if (public_key_bytes[0] == 0x02 || public_key_bytes[0] == 0x03) {
|
||||
public_key_length = 33;
|
||||
} else {
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (result == 0) {
|
||||
if (is_zero_digest(digest)) {
|
||||
// The digest was all-zero. The probability of this happening by chance is
|
||||
// infinitesimal, but it could be induced by a fault injection. In this
|
||||
// case the signature (r,s) can be forged by taking r := (t * Q).x mod n
|
||||
// and s := r * t^-1 mod n for any t in [1, n-1]. We fail verification,
|
||||
// because there is no guarantee that the signature was created by the
|
||||
// owner of the private key.
|
||||
result = 3;
|
||||
}
|
||||
}
|
||||
|
||||
const secp256k1_context *context_read_only = zkp_context_get_read_only();
|
||||
secp256k1_pubkey public_key = {0};
|
||||
|
||||
if (result == 0) {
|
||||
if (secp256k1_ec_pubkey_parse(context_read_only, &public_key,
|
||||
public_key_bytes, public_key_length) != 1) {
|
||||
result = 1;
|
||||
}
|
||||
}
|
||||
|
||||
secp256k1_ecdsa_signature signature = {0};
|
||||
|
||||
if (result == 0) {
|
||||
if (secp256k1_ecdsa_signature_parse_compact(context_read_only, &signature,
|
||||
signature_bytes) != 1) {
|
||||
result = 2;
|
||||
}
|
||||
}
|
||||
|
||||
if (result == 0) {
|
||||
secp256k1_ecdsa_signature_normalize(context_read_only, &signature,
|
||||
&signature);
|
||||
|
||||
if (secp256k1_ecdsa_verify(context_read_only, &signature, digest,
|
||||
&public_key) != 1) {
|
||||
result = 5;
|
||||
}
|
||||
}
|
||||
|
||||
memzero(&public_key, sizeof(public_key));
|
||||
memzero(&signature, sizeof(signature));
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
// ECDSA verification
|
||||
// curve has to be &secp256k1
|
||||
// public_key_bytes has 33 or 65 bytes
|
||||
// signature_bytes has 64 bytes
|
||||
// returns 0 if verification succeeded
|
||||
int zkp_ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_type,
|
||||
const uint8_t *public_key_bytes,
|
||||
const uint8_t *signature_bytes, const uint8_t *message,
|
||||
uint32_t message_length) {
|
||||
uint8_t hash[32] = {0};
|
||||
hasher_Raw(hasher_type, message, message_length, hash);
|
||||
int result =
|
||||
zkp_ecdsa_verify_digest(curve, public_key_bytes, signature_bytes, hash);
|
||||
memzero(hash, sizeof(hash));
|
||||
return result;
|
||||
}
|
30
crypto/zkp_ecdsa.h
Normal file
30
crypto/zkp_ecdsa.h
Normal file
@ -0,0 +1,30 @@
|
||||
#ifndef __ZKP_ECDSA_H__
|
||||
#define __ZKP_ECDSA_H__
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
#include "hasher.h"
|
||||
|
||||
void zkp_ecdsa_get_public_key33(const ecdsa_curve *curve,
|
||||
const uint8_t *private_key_bytes,
|
||||
uint8_t *public_key_bytes);
|
||||
void zkp_ecdsa_get_public_key65(const ecdsa_curve *curve,
|
||||
const uint8_t *private_key_bytes,
|
||||
uint8_t *public_key_bytes);
|
||||
int zkp_ecdsa_sign_digest(const ecdsa_curve *curve,
|
||||
const uint8_t *private_key_bytes,
|
||||
const uint8_t *digest, uint8_t *signature_bytes,
|
||||
uint8_t *pby,
|
||||
int (*is_canonical)(uint8_t by, uint8_t sig[64]));
|
||||
int zkp_ecdsa_recover_pub_from_sig(const ecdsa_curve *curve,
|
||||
uint8_t *public_key_bytes,
|
||||
const uint8_t *signature_bytes,
|
||||
const uint8_t *digest, int recid);
|
||||
int zkp_ecdsa_verify_digest(const ecdsa_curve *curve,
|
||||
const uint8_t *public_key_bytes,
|
||||
const uint8_t *signature_bytes,
|
||||
const uint8_t *digest);
|
||||
int zkp_ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_sign,
|
||||
const uint8_t *pub_key, const uint8_t *sig,
|
||||
const uint8_t *msg, uint32_t msg_len);
|
||||
#endif
|
Loading…
Reference in New Issue
Block a user