Software APIs
ecc_p256.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/include/ecc_p256.h"
6 
7 #include "sw/device/lib/crypto/drivers/entropy.h"
8 #include "sw/device/lib/crypto/drivers/hmac.h"
9 #include "sw/device/lib/crypto/impl/ecc/p256.h"
10 #include "sw/device/lib/crypto/impl/integrity.h"
11 #include "sw/device/lib/crypto/impl/keyblob.h"
12 #include "sw/device/lib/crypto/include/datatypes.h"
13 
14 // Module ID for status codes.
15 #define MODULE_ID MAKE_MODULE_ID('p', '2', '5')
16 
17 otcrypto_status_t otcrypto_ecdsa_p256_keygen(
18  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
19  HARDENED_TRY(otcrypto_ecdsa_p256_keygen_async_start(private_key));
20  return otcrypto_ecdsa_p256_keygen_async_finalize(private_key, public_key);
21 }
22 
23 otcrypto_status_t otcrypto_ecdsa_p256_sign(
24  const otcrypto_blinded_key_t *private_key,
25  const otcrypto_hash_digest_t message_digest,
26  otcrypto_word32_buf_t signature) {
27  HARDENED_TRY(
28  otcrypto_ecdsa_p256_sign_async_start(private_key, message_digest));
29  return otcrypto_ecdsa_p256_sign_async_finalize(signature);
30 }
31 
32 otcrypto_status_t otcrypto_ecdsa_p256_verify(
33  const otcrypto_unblinded_key_t *public_key,
34  const otcrypto_hash_digest_t message_digest,
35  otcrypto_const_word32_buf_t signature,
36  hardened_bool_t *verification_result) {
37  HARDENED_TRY(otcrypto_ecdsa_p256_verify_async_start(
38  public_key, message_digest, signature));
39  return otcrypto_ecdsa_p256_verify_async_finalize(signature,
40  verification_result);
41 }
42 
43 otcrypto_status_t otcrypto_ecdh_p256_keygen(
44  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
45  HARDENED_TRY(otcrypto_ecdh_p256_keygen_async_start(private_key));
46  return otcrypto_ecdh_p256_keygen_async_finalize(private_key, public_key);
47 }
48 
49 otcrypto_status_t otcrypto_ecdh_p256(const otcrypto_blinded_key_t *private_key,
50  const otcrypto_unblinded_key_t *public_key,
51  otcrypto_blinded_key_t *shared_secret) {
52  HARDENED_TRY(otcrypto_ecdh_p256_async_start(private_key, public_key));
53  return otcrypto_ecdh_p256_async_finalize(shared_secret);
54 }
55 
56 /**
57  * Calls P-256 key generation.
58  *
59  * Can be used for both ECDSA and ECDH. If the key is hardware-backed, loads
60  * the data from key manager and calls the sideloaded key generation routine.
61  *
62  * @param private_key Sideloaded key handle.
63  * @return OK or error.
64  */
65 OT_WARN_UNUSED_RESULT
66 static status_t internal_p256_keygen_start(
67  const otcrypto_blinded_key_t *private_key) {
68  // Check that the entropy complex is initialized.
69  HARDENED_TRY(entropy_complex_check());
70 
71  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
72  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
73  HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
74  return p256_sideload_keygen_start();
75  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
76  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
77  return p256_keygen_start();
78  } else {
79  return OTCRYPTO_BAD_ARGS;
80  }
81  return OTCRYPTO_OK;
82 }
83 
84 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_start(
85  const otcrypto_blinded_key_t *private_key) {
86  if (private_key == NULL || private_key->keyblob == NULL) {
87  return OTCRYPTO_BAD_ARGS;
88  }
89 
90  // Check the key mode.
91  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256) {
92  return OTCRYPTO_BAD_ARGS;
93  }
94  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP256);
95 
96  return internal_p256_keygen_start(private_key);
97 }
98 
99 /**
100  * Check the lengths of private keys for curve P-256.
101  *
102  * Checks the length of caller-allocated buffers for a P-256 private key. This
103  * function may be used for both ECDSA and ECDH keys, since the key structure
104  * is the same.
105  *
106  * If this check passes and `hw_backed` is false, it is safe to interpret
107  * `private_key->keyblob` as a `p256_masked_scalar_t *`.
108  *
109  * @param private_key Private key struct to check.
110  * @return OK if the lengths are correct or BAD_ARGS otherwise.
111  */
112 OT_WARN_UNUSED_RESULT
113 static status_t p256_private_key_length_check(
114  const otcrypto_blinded_key_t *private_key) {
115  if (private_key->keyblob == NULL) {
116  return OTCRYPTO_BAD_ARGS;
117  }
118 
119  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
120  // Skip the length check in this case; if the salt is the wrong length, the
121  // keyblob library will catch it before we sideload the key.
122  return OTCRYPTO_OK;
123  }
124  HARDENED_CHECK_NE(private_key->config.hw_backed, kHardenedBoolTrue);
125 
126  // Check the unmasked length.
127  if (launder32(private_key->config.key_length) != kP256ScalarBytes) {
128  return OTCRYPTO_BAD_ARGS;
129  }
130  HARDENED_CHECK_EQ(private_key->config.key_length, kP256ScalarBytes);
131 
132  // Check the single-share length.
133  if (launder32(keyblob_share_num_words(private_key->config)) !=
134  kP256MaskedScalarShareWords) {
135  return OTCRYPTO_BAD_ARGS;
136  }
137  HARDENED_CHECK_EQ(keyblob_share_num_words(private_key->config),
138  kP256MaskedScalarShareWords);
139 
140  // Check the keyblob length.
141  if (launder32(private_key->keyblob_length) != sizeof(p256_masked_scalar_t)) {
142  return OTCRYPTO_BAD_ARGS;
143  }
144  HARDENED_CHECK_EQ(private_key->keyblob_length, sizeof(p256_masked_scalar_t));
145 
146  return OTCRYPTO_OK;
147 }
148 
149 /**
150  * Check the lengths of public keys for curve P-256.
151  *
152  * Checks the length of caller-allocated buffers for a P-256 public key. This
153  * function may be used for both ECDSA and ECDH keys, since the key structure
154  * is the same.
155  *
156  * If this check passes, it is safe to interpret public_key->key as a
157  * `p256_point_t *`.
158  *
159  * @param public_key Public key struct to check.
160  * @return OK if the lengths are correct or BAD_ARGS otherwise.
161  */
162 OT_WARN_UNUSED_RESULT
163 static status_t p256_public_key_length_check(
164  const otcrypto_unblinded_key_t *public_key) {
165  if (launder32(public_key->key_length) != sizeof(p256_point_t)) {
166  return OTCRYPTO_BAD_ARGS;
167  }
168  HARDENED_CHECK_EQ(public_key->key_length, sizeof(p256_point_t));
169  return OTCRYPTO_OK;
170 }
171 
172 /**
173  * Finalize a keypair generation operation for curve P-256.
174  *
175  * This function assumes that space is already allocated for all key material
176  * and that the length parameters on the structs are set accordingly, in the
177  * same way as for `otcrypto_ecdh_p256_keygen_async_finalize` and
178  * `otcrypto_ecdsa_p256_keygen_async_finalize`.
179  *
180  * @param[out] private_key Private key to populate.
181  * @param[out] public_key Public key to populate.
182  * @return OK or error.
183  */
184 OT_WARN_UNUSED_RESULT
185 static status_t internal_p256_keygen_finalize(
186  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
187  // Check the lengths of caller-allocated buffers.
188  HARDENED_TRY(p256_private_key_length_check(private_key));
189  HARDENED_TRY(p256_public_key_length_check(public_key));
190  p256_point_t *pk = (p256_point_t *)public_key->key;
191 
192  // Note: The `finalize` operations wipe DMEM after retrieving the keys, so if
193  // an error occurs after this point then the keys would be unrecoverable.
194  // The `finalize` call should be the last potentially error-causing line
195  // before returning to the caller.
196 
197  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
198  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
199  HARDENED_TRY(p256_sideload_keygen_finalize(pk));
200  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
201  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
202  p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob;
203  HARDENED_TRY(p256_keygen_finalize(sk, pk));
204  private_key->checksum = integrity_blinded_checksum(private_key);
205  } else {
206  return OTCRYPTO_BAD_ARGS;
207  }
208 
209  // Prepare the public key.
210  public_key->checksum = integrity_unblinded_checksum(public_key);
211 
212  // Clear the OTBN sideload slot (in case the seed was sideloaded).
213  return keymgr_sideload_clear_otbn();
214 }
215 
216 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_finalize(
217  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
218  // Check for any NULL pointers.
219  if (private_key == NULL || public_key == NULL ||
220  private_key->keyblob == NULL || public_key->key == NULL) {
221  return OTCRYPTO_BAD_ARGS;
222  }
223 
224  // Check the key modes.
225  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256 ||
226  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP256) {
227  return OTCRYPTO_BAD_ARGS;
228  }
229  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP256);
230  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP256);
231 
232  return internal_p256_keygen_finalize(private_key, public_key);
233 }
234 
235 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_start(
236  const otcrypto_blinded_key_t *private_key,
237  const otcrypto_hash_digest_t message_digest) {
238  if (private_key == NULL || private_key->keyblob == NULL ||
239  message_digest.data == NULL) {
240  return OTCRYPTO_BAD_ARGS;
241  }
242 
243  // Check the integrity of the private key.
244  if (launder32(integrity_blinded_key_check(private_key)) !=
245  kHardenedBoolTrue) {
246  return OTCRYPTO_BAD_ARGS;
247  }
248  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
249  kHardenedBoolTrue);
250 
251  // Check that the entropy complex is initialized.
252  HARDENED_TRY(entropy_complex_check());
253 
254  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256) {
255  return OTCRYPTO_BAD_ARGS;
256  }
257  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP256);
258 
259  // Check the digest length.
260  if (launder32(message_digest.len) != kP256ScalarWords) {
261  return OTCRYPTO_BAD_ARGS;
262  }
263  HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords);
264 
265  // Check the key length.
266  HARDENED_TRY(p256_private_key_length_check(private_key));
267 
268  if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
269  // Start the asynchronous signature-generation routine.
270  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
271  p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob;
272  return p256_ecdsa_sign_start(message_digest.data, sk);
273  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
274  // Load the key and start in sideloaded-key mode.
275  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
276  HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
277  return p256_ecdsa_sideload_sign_start(message_digest.data);
278  }
279 
280  // Invalid value for private_key->hw_backed.
281  return OTCRYPTO_BAD_ARGS;
282 }
283 
284 /**
285  * Check the length of a signature buffer for ECDSA with P-256.
286  *
287  * If this check passes on `signature.len`, it is safe to interpret
288  * `signature.data` as `p256_ecdsa_signature_t *`.
289  *
290  * @param len Length to check.
291  * @return OK if the lengths are correct or BAD_ARGS otherwise.
292  */
293 OT_WARN_UNUSED_RESULT
294 static status_t p256_signature_length_check(size_t len) {
295  if (launder32(len) > UINT32_MAX / sizeof(uint32_t) ||
296  launder32(len) * sizeof(uint32_t) != sizeof(p256_ecdsa_signature_t)) {
297  return OTCRYPTO_BAD_ARGS;
298  }
299  HARDENED_CHECK_EQ(len * sizeof(uint32_t), sizeof(p256_ecdsa_signature_t));
300 
301  return OTCRYPTO_OK;
302 }
303 
304 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_finalize(
305  otcrypto_word32_buf_t signature) {
306  if (signature.data == NULL) {
307  return OTCRYPTO_BAD_ARGS;
308  }
309 
310  HARDENED_TRY(p256_signature_length_check(signature.len));
311  p256_ecdsa_signature_t *sig_p256 = (p256_ecdsa_signature_t *)signature.data;
312  // Note: This operation wipes DMEM, so if an error occurs after this
313  // point then the signature would be unrecoverable. This should be the
314  // last potentially error-causing line before returning to the caller.
315  HARDENED_TRY(p256_ecdsa_sign_finalize(sig_p256));
316 
317  // Clear the OTBN sideload slot (in case the key was sideloaded).
318  return keymgr_sideload_clear_otbn();
319 }
320 
321 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_start(
322  const otcrypto_unblinded_key_t *public_key,
323  const otcrypto_hash_digest_t message_digest,
324  otcrypto_const_word32_buf_t signature) {
325  if (public_key == NULL || signature.data == NULL ||
326  message_digest.data == NULL || public_key->key == NULL) {
327  return OTCRYPTO_BAD_ARGS;
328  }
329 
330  // Check the integrity of the public key.
331  if (launder32(integrity_unblinded_key_check(public_key)) !=
332  kHardenedBoolTrue) {
333  return OTCRYPTO_BAD_ARGS;
334  }
335  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
336  kHardenedBoolTrue);
337 
338  // Check the public key mode.
339  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP256) {
340  return OTCRYPTO_BAD_ARGS;
341  }
342  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP256);
343 
344  // Check the public key size.
345  HARDENED_TRY(p256_public_key_length_check(public_key));
346  p256_point_t *pk = (p256_point_t *)public_key->key;
347 
348  // Check the digest length.
349  if (launder32(message_digest.len) != kP256ScalarWords) {
350  return OTCRYPTO_BAD_ARGS;
351  }
352  HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords);
353 
354  // Check the signature lengths.
355  HARDENED_TRY(p256_signature_length_check(signature.len));
356  p256_ecdsa_signature_t *sig = (p256_ecdsa_signature_t *)signature.data;
357 
358  // Start the asynchronous signature-verification routine.
359  return p256_ecdsa_verify_start(sig, message_digest.data, pk);
360 }
361 
362 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_finalize(
363  otcrypto_const_word32_buf_t signature,
364  hardened_bool_t *verification_result) {
365  if (verification_result == NULL) {
366  return OTCRYPTO_BAD_ARGS;
367  }
368 
369  HARDENED_TRY(p256_signature_length_check(signature.len));
370  p256_ecdsa_signature_t *sig_p256 = (p256_ecdsa_signature_t *)signature.data;
371  return p256_ecdsa_verify_finalize(sig_p256, verification_result);
372 }
373 
374 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_start(
375  const otcrypto_blinded_key_t *private_key) {
376  if (private_key == NULL || private_key->keyblob == NULL) {
377  return OTCRYPTO_BAD_ARGS;
378  }
379 
380  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256) {
381  return OTCRYPTO_BAD_ARGS;
382  }
383  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP256);
384  return internal_p256_keygen_start(private_key);
385 }
386 
387 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_finalize(
388  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
389  // Check for any NULL pointers.
390  if (private_key == NULL || public_key == NULL ||
391  private_key->keyblob == NULL || public_key->key == NULL) {
392  return OTCRYPTO_BAD_ARGS;
393  }
394 
395  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP256 ||
396  launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256) {
397  return OTCRYPTO_BAD_ARGS;
398  }
399  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP256);
400  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP256);
401  return internal_p256_keygen_finalize(private_key, public_key);
402 }
403 
404 otcrypto_status_t otcrypto_ecdh_p256_async_start(
405  const otcrypto_blinded_key_t *private_key,
406  const otcrypto_unblinded_key_t *public_key) {
407  if (private_key == NULL || public_key == NULL || public_key->key == NULL ||
408  private_key->keyblob == NULL) {
409  return OTCRYPTO_BAD_ARGS;
410  }
411 
412  // Check the integrity of the keys.
413  if (launder32(integrity_blinded_key_check(private_key)) !=
414  kHardenedBoolTrue ||
415  launder32(integrity_unblinded_key_check(public_key)) !=
416  kHardenedBoolTrue) {
417  return OTCRYPTO_BAD_ARGS;
418  }
419  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
420  kHardenedBoolTrue);
421  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
422  kHardenedBoolTrue);
423 
424  // Check the key modes.
425  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256 ||
426  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP256) {
427  return OTCRYPTO_BAD_ARGS;
428  }
429  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP256);
430  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP256);
431 
432  // Check the key lengths.
433  HARDENED_TRY(p256_private_key_length_check(private_key));
434  HARDENED_TRY(p256_public_key_length_check(public_key));
435  p256_point_t *pk = (p256_point_t *)public_key->key;
436 
437  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
438  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
439  HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
440  return p256_sideload_ecdh_start(pk);
441  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
442  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
443  p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob;
444  return p256_ecdh_start(sk, pk);
445  }
446 
447  // Invalid value for `hw_backed`.
448  return OTCRYPTO_BAD_ARGS;
449 }
450 
451 otcrypto_status_t otcrypto_ecdh_p256_async_finalize(
452  otcrypto_blinded_key_t *shared_secret) {
453  if (shared_secret == NULL || shared_secret->keyblob == NULL) {
454  return OTCRYPTO_BAD_ARGS;
455  }
456 
457  // Shared keys cannot be sideloaded because they are software-generated.
458  if (launder32(shared_secret->config.hw_backed) != kHardenedBoolFalse) {
459  return OTCRYPTO_BAD_ARGS;
460  }
461  HARDENED_CHECK_EQ(shared_secret->config.hw_backed, kHardenedBoolFalse);
462 
463  // Check shared secret length.
464  if (launder32(shared_secret->config.key_length) != kP256CoordBytes) {
465  return OTCRYPTO_BAD_ARGS;
466  }
467  HARDENED_CHECK_EQ(shared_secret->config.key_length, kP256CoordBytes);
468  if (launder32(shared_secret->keyblob_length) !=
469  keyblob_num_words(shared_secret->config) * sizeof(uint32_t)) {
470  return OTCRYPTO_BAD_ARGS;
471  }
472  HARDENED_CHECK_EQ(
473  shared_secret->keyblob_length,
474  keyblob_num_words(shared_secret->config) * sizeof(uint32_t));
475 
476  // Note: This operation wipes DMEM after retrieving the keys, so if an error
477  // occurs after this point then the keys would be unrecoverable. This should
478  // be the last potentially error-causing line before returning to the caller.
479  p256_ecdh_shared_key_t ss;
480  HARDENED_TRY(p256_ecdh_finalize(&ss));
481 
482  keyblob_from_shares(ss.share0, ss.share1, shared_secret->config,
483  shared_secret->keyblob);
484 
485  // Set the checksum.
486  shared_secret->checksum = integrity_blinded_checksum(shared_secret);
487 
488  // Clear the OTBN sideload slot (in case the seed was sideloaded).
489  return keymgr_sideload_clear_otbn();
490 }
Return to OpenTitan Documentation