[go: up one dir, main page]

ring 0.16.18

Safe, fast, small crypto using Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

// Copyright 2016 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

//! Functionality shared by operations on public keys (ECDSA verification and
//! ECDH agreement).

use super::{ops::*, verify_affine_point_is_on_the_curve};
use crate::{arithmetic::montgomery::*, error};

/// Parses a public key encoded in uncompressed form. The key is validated
/// using the ECC Partial Public-Key Validation Routine from
/// [NIST SP 800-56A, revision 2] Section 5.6.2.3.3, the NSA's
/// "Suite B Implementer's Guide to NIST SP 800-56A," Appendix B.3, and the
/// NSA's "Suite B Implementer's Guide to FIPS 186-3 (ECDSA)," Appendix A.3.
///
/// [NIST SP 800-56A, revision 2]:
///     http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
pub fn parse_uncompressed_point(
    ops: &PublicKeyOps,
    input: untrusted::Input,
) -> Result<(Elem<R>, Elem<R>), error::Unspecified> {
    // NIST SP 800-56A Step 1: "Verify that Q is not the point at infinity.
    // This can be done by inspection if the point is entered in the standard
    // affine representation." (We do it by inspection since we only accept
    // the affine representation.)
    let (x, y) = input.read_all(error::Unspecified, |input| {
        // The encoding must be 4, which is the encoding for "uncompressed".
        let encoding = input.read_byte()?;
        if encoding != 4 {
            return Err(error::Unspecified);
        }

        // NIST SP 800-56A Step 2: "Verify that xQ and yQ are integers in the
        // interval [0, p-1] in the case that q is an odd prime p[.]"
        let x = ops.elem_parse(input)?;
        let y = ops.elem_parse(input)?;
        Ok((x, y))
    })?;

    // NIST SP 800-56A Step 3: "If q is an odd prime p, verify that
    // yQ**2 = xQ**3 + axQ + b in GF(p), where the arithmetic is performed
    // modulo p."
    verify_affine_point_is_on_the_curve(ops.common, (&x, &y))?;

    // NIST SP 800-56A Note: "Since its order is not verified, there is no
    // check that the public key is in the correct EC subgroup."
    //
    // NSA Suite B Implementer's Guide Note: "ECC Full Public-Key Validation
    // includes an additional check to ensure that the point has the correct
    // order. This check is not necessary for curves having prime order (and
    // cofactor h = 1), such as P-256 and P-384."

    Ok((x, y))
}

#[cfg(test)]
mod tests {
    use super::{super::ops, *};
    use crate::test;

    #[test]
    fn parse_uncompressed_point_test() {
        test::run(
            test_file!("suite_b_public_key_tests.txt"),
            |section, test_case| {
                assert_eq!(section, "");

                let curve_name = test_case.consume_string("Curve");

                let public_key = test_case.consume_bytes("Q");
                let public_key = untrusted::Input::from(&public_key);
                let is_valid = test_case.consume_string("Result") == "P";

                let curve_ops = public_key_ops_from_curve_name(&curve_name);

                let result = parse_uncompressed_point(curve_ops, public_key);
                assert_eq!(is_valid, result.is_ok());

                // TODO: Verify that we when we re-serialize the parsed (x, y), the
                // output is equal to the input.

                Ok(())
            },
        );
    }

    fn public_key_ops_from_curve_name(curve_name: &str) -> &'static PublicKeyOps {
        if curve_name == "P-256" {
            &ops::p256::PUBLIC_KEY_OPS
        } else if curve_name == "P-384" {
            &ops::p384::PUBLIC_KEY_OPS
        } else {
            panic!("Unsupported curve: {}", curve_name);
        }
    }
}