7 #include "sw/device/lib/crypto/drivers/entropy.h"
8 #include "sw/device/lib/crypto/drivers/hmac.h"
9 #include "sw/device/lib/crypto/impl/ecc/p256.h"
10 #include "sw/device/lib/crypto/impl/integrity.h"
11 #include "sw/device/lib/crypto/impl/keyblob.h"
15 #define MODULE_ID MAKE_MODULE_ID('p', '2', '5')
38 public_key, message_digest, signature));
// Common start step for P-256 key generation; the visible call sites hand it
// their private key after validating the key mode. The parameter list and the
// branch conditions between these lines are not part of this listing.
66 static status_t internal_p256_keygen_start(
// entropy_complex_check() has to succeed before either keygen variant below
// is started. HARDENED_TRY presumably returns the failure to the caller.
69 HARDENED_TRY(entropy_complex_check());
// Sideload variant: the key is handed to OTBN through
// keyblob_sideload_key_otbn() and the sideload keygen is started.
73 HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
74 return p256_sideload_keygen_start();
// Non-sideload variant.
77 return p256_keygen_start();
// Rejection path; presumably taken when the selector (not shown) matches
// neither variant. Confirm against the full source.
79 return OTCRYPTO_BAD_ARGS;
// Argument checks of a keygen-start entry point for ECDSA P-256 keys (its
// signature line is not part of this listing).
// A missing key handle or a missing keyblob is rejected up front.
86 if (private_key == NULL || private_key->keyblob == NULL) {
87 return OTCRYPTO_BAD_ARGS;
// Only keys whose mode is kOtcryptoKeyModeEcdsaP256 are accepted. The value
// is read through launder32(), presumably so the compiler cannot fold the
// hardened comparison away; confirm against the hardening header.
91 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256) {
92 return OTCRYPTO_BAD_ARGS;
// Validation passed: continue in the shared keygen start helper.
96 return internal_p256_keygen_start(private_key);
// Checks that a private key's length fields match what the P-256 code
// expects. Lines 117-126 and 139-141 of the original are not part of this
// listing, so the branch structure is only partly visible.
// NOTE(review): private_key itself is not NULL-checked in the visible lines;
// every call site shown in this file checks it before calling.
113 static status_t p256_private_key_length_check(
115 if (private_key->keyblob == NULL) {
116 return OTCRYPTO_BAD_ARGS;
// The configured key length must equal kP256ScalarBytes.
127 if (launder32(private_key->config.key_length) != kP256ScalarBytes) {
128 return OTCRYPTO_BAD_ARGS;
// The per-share word count derived from the key config must equal
// kP256MaskedScalarShareWords.
133 if (launder32(keyblob_share_num_words(private_key->config)) !=
134 kP256MaskedScalarShareWords) {
135 return OTCRYPTO_BAD_ARGS;
// Tail of a call whose start is not shown; it takes the same constant as an
// argument.
138 kP256MaskedScalarShareWords);
142 return OTCRYPTO_BAD_ARGS;
// Checks that a public key's declared length is exactly
// sizeof(p256_point_t); any other length is rejected with
// OTCRYPTO_BAD_ARGS. The pointer itself is not checked in the visible lines.
163 static status_t p256_public_key_length_check(
165 if (launder32(public_key->key_length) !=
sizeof(
p256_point_t)) {
166 return OTCRYPTO_BAD_ARGS;
// Common finalize step for P-256 key generation: validates both key
// containers, collects the result, refreshes the checksums and clears the
// OTBN sideload slot. Branch conditions and the declarations of sk/pk are not
// part of this listing.
185 static status_t internal_p256_keygen_finalize(
// Both destination keys are length-checked before any result is written.
188 HARDENED_TRY(p256_private_key_length_check(private_key));
189 HARDENED_TRY(p256_public_key_length_check(public_key));
// Sideload variant: only the public key pk is passed to the finalize call.
199 HARDENED_TRY(p256_sideload_keygen_finalize(pk));
// Non-sideload variant: sk and pk are both passed, then the private key's
// checksum is recomputed over the new contents.
203 HARDENED_TRY(p256_keygen_finalize(sk, pk));
204 private_key->checksum = integrity_blinded_checksum(private_key);
206 return OTCRYPTO_BAD_ARGS;
// The public key checksum is recomputed after generation.
210 public_key->checksum = integrity_unblinded_checksum(public_key);
// NOTE(review): the sideload slot is cleared only on this final return. If
// HARDENED_TRY returns early on failure, as it presumably does, the earlier
// error exits skip this call; confirm the slot is cleared on those paths.
213 return keymgr_sideload_clear_otbn();
// Argument checks of a keygen-finalize entry point for ECDSA P-256 keys (its
// signature line is not part of this listing).
// Both key handles and both backing buffers must be present.
219 if (private_key == NULL || public_key == NULL ||
220 private_key->keyblob == NULL || public_key->key == NULL) {
221 return OTCRYPTO_BAD_ARGS;
// Private and public key must both be in ECDSA P-256 mode, so an ECDH key
// cannot be filled in through this entry point.
225 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256 ||
226 launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP256) {
227 return OTCRYPTO_BAD_ARGS;
// Validation passed: continue in the shared keygen finalize helper.
232 return internal_p256_keygen_finalize(private_key, public_key);
// Validation and dispatch of an ECDSA P-256 sign-start entry point (its
// signature line is not part of this listing).
// The key handle, keyblob and digest buffer must all be present.
238 if (private_key == NULL || private_key->keyblob == NULL ||
239 message_digest.data == NULL) {
240 return OTCRYPTO_BAD_ARGS;
// The result of integrity_blinded_key_check() is compared against a value on
// a line that is not shown; a mismatch rejects the key before it is used.
244 if (launder32(integrity_blinded_key_check(private_key)) !=
246 return OTCRYPTO_BAD_ARGS;
// entropy_complex_check() has to succeed before signing is started.
252 HARDENED_TRY(entropy_complex_check());
// Only ECDSA P-256 keys may sign.
254 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256) {
255 return OTCRYPTO_BAD_ARGS;
// message_digest.len must equal kP256ScalarWords exactly; presumably a count
// of 32-bit words, going by the constant's name. Digests of any other size
// are rejected rather than truncated or padded.
260 if (launder32(message_digest.len) != kP256ScalarWords) {
261 return OTCRYPTO_BAD_ARGS;
266 HARDENED_TRY(p256_private_key_length_check(private_key));
// Non-sideload variant: the private scalar sk is passed in directly (its
// declaration is not shown).
272 return p256_ecdsa_sign_start(message_digest.data, sk);
// Sideload variant: the key goes to OTBN via keyblob_sideload_key_otbn() and
// only the digest is passed to the signing call.
276 HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
277 return p256_ecdsa_sideload_sign_start(message_digest.data);
281 return OTCRYPTO_BAD_ARGS;
// Validates a caller-supplied signature buffer length before the buffer is
// treated as a P-256 signature by the call sites in this file.
294 static status_t p256_signature_length_check(
size_t len) {
// First clause: reject any len above UINT32_MAX / sizeof(uint32_t), so that
// multiplying len by sizeof(uint32_t) cannot exceed UINT32_MAX. The second
// clause of the condition (original line 296) is not part of this listing.
295 if (launder32(len) > UINT32_MAX /
sizeof(uint32_t) ||
297 return OTCRYPTO_BAD_ARGS;
// Body of an ECDSA P-256 sign-finalize entry point (its signature line is not
// part of this listing).
// The output buffer must be present and pass the signature length check
// before the result is fetched.
306 if (signature.data == NULL) {
307 return OTCRYPTO_BAD_ARGS;
310 HARDENED_TRY(p256_signature_length_check(signature.len));
// sig_p256 is declared on a line that is not shown.
315 HARDENED_TRY(p256_ecdsa_sign_finalize(sig_p256));
// NOTE(review): the sideload slot is cleared only when the finalize call
// above succeeds. If HARDENED_TRY returns early on failure, as it presumably
// does, the slot is not cleared on that path; confirm this is handled.
318 return keymgr_sideload_clear_otbn();
// Validation and dispatch of an ECDSA P-256 verify-start entry point (its
// signature line is not part of this listing).
// Key handle, key buffer, signature buffer and digest buffer must be present.
325 if (public_key == NULL || signature.data == NULL ||
326 message_digest.data == NULL || public_key->key == NULL) {
327 return OTCRYPTO_BAD_ARGS;
// The result of integrity_unblinded_key_check() is compared against a value
// on a line that is not shown; a mismatch rejects the public key.
331 if (launder32(integrity_unblinded_key_check(public_key)) !=
333 return OTCRYPTO_BAD_ARGS;
// Only ECDSA P-256 public keys are accepted for verification.
339 if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP256) {
340 return OTCRYPTO_BAD_ARGS;
345 HARDENED_TRY(p256_public_key_length_check(public_key));
// The digest length must equal kP256ScalarWords exactly.
349 if (launder32(message_digest.len) != kP256ScalarWords) {
350 return OTCRYPTO_BAD_ARGS;
// The signature length is validated before the buffer is handed on as sig,
// which is declared on a line that is not shown.
355 HARDENED_TRY(p256_signature_length_check(signature.len));
359 return p256_ecdsa_verify_start(sig, message_digest.data, pk);
// Body of an ECDSA P-256 verify-finalize entry point (its signature line is
// not part of this listing).
// The result pointer must be present.
365 if (verification_result == NULL) {
366 return OTCRYPTO_BAD_ARGS;
// NOTE(review): only signature.len is validated in the visible lines; no
// NULL check on signature.data appears here before sig_p256 (declared on a
// line that is not shown) is passed on. The verify-start checks in this file
// do test signature.data. Confirm the finalize path cannot receive a NULL
// buffer.
369 HARDENED_TRY(p256_signature_length_check(signature.len));
371 return p256_ecdsa_verify_finalize(sig_p256, verification_result);
// Argument checks of a keygen-start entry point for ECDH P-256 keys (its
// signature line is not part of this listing).
376 if (private_key == NULL || private_key->keyblob == NULL) {
377 return OTCRYPTO_BAD_ARGS;
// Only keys in ECDH P-256 mode are accepted here; ECDSA keys go through the
// separate ECDSA check earlier in this file.
380 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256) {
381 return OTCRYPTO_BAD_ARGS;
384 return internal_p256_keygen_start(private_key);
// Argument checks of a keygen-finalize entry point for ECDH P-256 keys (its
// signature line is not part of this listing).
// Both key handles and both backing buffers must be present.
390 if (private_key == NULL || public_key == NULL ||
391 private_key->keyblob == NULL || public_key->key == NULL) {
392 return OTCRYPTO_BAD_ARGS;
// Public and private key must both be in ECDH P-256 mode.
395 if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP256 ||
396 launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256) {
397 return OTCRYPTO_BAD_ARGS;
401 return internal_p256_keygen_finalize(private_key, public_key);
// Validation and dispatch of an ECDH P-256 start entry point (its signature
// line is not part of this listing).
// Both key handles and both backing buffers must be present.
407 if (private_key == NULL || public_key == NULL || public_key->key == NULL ||
408 private_key->keyblob == NULL) {
409 return OTCRYPTO_BAD_ARGS;
// The private key and the peer public key are both integrity-checked before
// use; the values they are compared against are on lines that are not shown.
413 if (launder32(integrity_blinded_key_check(private_key)) !=
415 launder32(integrity_unblinded_key_check(public_key)) !=
417 return OTCRYPTO_BAD_ARGS;
// Both keys must be in ECDH P-256 mode, so an ECDSA key is rejected for key
// agreement.
425 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256 ||
426 launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP256) {
427 return OTCRYPTO_BAD_ARGS;
433 HARDENED_TRY(p256_private_key_length_check(private_key));
434 HARDENED_TRY(p256_public_key_length_check(public_key));
// Sideload variant: the private key goes to OTBN via
// keyblob_sideload_key_otbn() and only the public key pk is passed to the
// call.
439 HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
440 return p256_sideload_ecdh_start(pk);
// Non-sideload variant: the private scalar sk and pk are both passed.
444 return p256_ecdh_start(sk, pk);
448 return OTCRYPTO_BAD_ARGS;
// Body of an ECDH P-256 finalize entry point (its signature line is not part
// of this listing): validates the destination key, fetches the shared secret
// and clears the OTBN sideload slot.
453 if (shared_secret == NULL || shared_secret->keyblob == NULL) {
454 return OTCRYPTO_BAD_ARGS;
// Rejection whose condition (original lines 455-458) is not shown.
459 return OTCRYPTO_BAD_ARGS;
// The destination must be configured for exactly kP256CoordBytes of key
// material.
464 if (launder32(shared_secret->config.key_length) != kP256CoordBytes) {
465 return OTCRYPTO_BAD_ARGS;
// The declared keyblob length must match the size derived from the key
// config, so the write into shared_secret->keyblob below stays in bounds.
468 if (launder32(shared_secret->keyblob_length) !=
469 keyblob_num_words(shared_secret->config) *
sizeof(uint32_t)) {
470 return OTCRYPTO_BAD_ARGS;
// Arguments of a call whose start is not shown; it takes the same two
// lengths.
473 shared_secret->keyblob_length,
474 keyblob_num_words(shared_secret->config) *
sizeof(uint32_t));
// ss is declared on a line that is not shown.
// NOTE(review): ss carries both shares of the secret, and whether it is wiped
// before return is not visible in this listing. Confirm.
480 HARDENED_TRY(p256_ecdh_finalize(&ss));
// The two shares are packed into the destination keyblob and its checksum is
// recomputed over the new contents.
482 keyblob_from_shares(ss.share0, ss.share1, shared_secret->config,
483 shared_secret->keyblob);
486 shared_secret->checksum = integrity_blinded_checksum(shared_secret);
// NOTE(review): the sideload slot is cleared only on this success path. If
// HARDENED_TRY returns early on failure, as it presumably does, the slot is
// not cleared; confirm this is handled.
489 return keymgr_sideload_clear_otbn();