Software APIs
ecc_p384.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/include/ecc_p384.h"
6 
7 #include "sw/device/lib/crypto/drivers/entropy.h"
8 #include "sw/device/lib/crypto/drivers/hmac.h"
9 #include "sw/device/lib/crypto/impl/ecc/p384.h"
10 #include "sw/device/lib/crypto/impl/integrity.h"
11 #include "sw/device/lib/crypto/impl/keyblob.h"
12 #include "sw/device/lib/crypto/include/datatypes.h"
13 
14 // Module ID for status codes.
15 #define MODULE_ID MAKE_MODULE_ID('p', '3', '8')
16 
17 otcrypto_status_t otcrypto_ecdsa_p384_keygen(
18  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
19  HARDENED_TRY(otcrypto_ecdsa_p384_keygen_async_start(private_key));
20  return otcrypto_ecdsa_p384_keygen_async_finalize(private_key, public_key);
21 }
22 
23 otcrypto_status_t otcrypto_ecdsa_p384_sign(
24  const otcrypto_blinded_key_t *private_key,
25  const otcrypto_hash_digest_t message_digest,
26  otcrypto_word32_buf_t signature) {
27  HARDENED_TRY(
28  otcrypto_ecdsa_p384_sign_async_start(private_key, message_digest));
29  return otcrypto_ecdsa_p384_sign_async_finalize(signature);
30 }
31 
32 otcrypto_status_t otcrypto_ecdsa_p384_verify(
33  const otcrypto_unblinded_key_t *public_key,
34  const otcrypto_hash_digest_t message_digest,
35  otcrypto_const_word32_buf_t signature,
36  hardened_bool_t *verification_result) {
37  HARDENED_TRY(otcrypto_ecdsa_p384_verify_async_start(
38  public_key, message_digest, signature));
39  return otcrypto_ecdsa_p384_verify_async_finalize(signature,
40  verification_result);
41 }
42 
43 otcrypto_status_t otcrypto_ecdh_p384_keygen(
44  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
45  HARDENED_TRY(otcrypto_ecdh_p384_keygen_async_start(private_key));
46  return otcrypto_ecdh_p384_keygen_async_finalize(private_key, public_key);
47 }
48 
49 otcrypto_status_t otcrypto_ecdh_p384(const otcrypto_blinded_key_t *private_key,
50  const otcrypto_unblinded_key_t *public_key,
51  otcrypto_blinded_key_t *shared_secret) {
52  HARDENED_TRY(otcrypto_ecdh_p384_async_start(private_key, public_key));
53  return otcrypto_ecdh_p384_async_finalize(shared_secret);
54 }
55 
56 /**
57  * Calls P-384 key generation.
58  *
59  * Can be used for both ECDSA and ECDH. If the key is hardware-backed, loads
60  * the data from key manager and calls the sideloaded key generation routine.
61  *
62  * @param private_key Sideloaded key handle.
63  * @return OK or error.
64  */
65 OT_WARN_UNUSED_RESULT
66 static status_t internal_p384_keygen_start(
67  const otcrypto_blinded_key_t *private_key) {
68  // Check that the entropy complex is initialized.
69  HARDENED_TRY(entropy_complex_check());
70 
71  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
72  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
73  HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
74  return p384_sideload_keygen_start();
75  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
76  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
77  return p384_keygen_start();
78  } else {
79  return OTCRYPTO_BAD_ARGS;
80  }
81  return OTCRYPTO_OK;
82 }
83 
84 otcrypto_status_t otcrypto_ecdsa_p384_keygen_async_start(
85  const otcrypto_blinded_key_t *private_key) {
86  if (private_key == NULL || private_key->keyblob == NULL) {
87  return OTCRYPTO_BAD_ARGS;
88  }
89 
90  // Check the key mode.
91  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384) {
92  return OTCRYPTO_BAD_ARGS;
93  }
94  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP384);
95 
96  return internal_p384_keygen_start(private_key);
97 }
98 
99 /**
100  * Check the lengths of private keys for curve P-384.
101  *
102  * Checks the length of caller-allocated buffers for a P-384 private key. This
103  * function may be used for both ECDSA and ECDH keys, since the key structure
104  * is the same.
105  *
106  * If this check passes and `hw_backed` is false, it is safe to interpret
107  * `private_key->keyblob` as a `p384_masked_scalar_t *`.
108  *
109  * @param private_key Private key struct to check.
110  * @return OK if the lengths are correct or BAD_ARGS otherwise.
111  */
112 OT_WARN_UNUSED_RESULT
113 static status_t p384_private_key_length_check(
114  const otcrypto_blinded_key_t *private_key) {
115  if (private_key->keyblob == NULL) {
116  return OTCRYPTO_BAD_ARGS;
117  }
118 
119  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
120  // Skip the length check in this case; if the salt is the wrong length, the
121  // keyblob library will catch it before we sideload the key.
122  return OTCRYPTO_OK;
123  }
124  HARDENED_CHECK_NE(private_key->config.hw_backed, kHardenedBoolTrue);
125 
126  // Check the unmasked length.
127  if (launder32(private_key->config.key_length) != kP384ScalarBytes) {
128  return OTCRYPTO_BAD_ARGS;
129  }
130  HARDENED_CHECK_EQ(private_key->config.key_length, kP384ScalarBytes);
131 
132  // Check the single-share length.
133  if (launder32(keyblob_share_num_words(private_key->config)) !=
134  kP384MaskedScalarShareWords) {
135  return OTCRYPTO_BAD_ARGS;
136  }
137  HARDENED_CHECK_EQ(keyblob_share_num_words(private_key->config),
138  kP384MaskedScalarShareWords);
139 
140  // Check the keyblob length.
141  if (launder32(private_key->keyblob_length) != sizeof(p384_masked_scalar_t)) {
142  return OTCRYPTO_BAD_ARGS;
143  }
144  HARDENED_CHECK_EQ(private_key->keyblob_length, sizeof(p384_masked_scalar_t));
145 
146  return OTCRYPTO_OK;
147 }
148 
149 /**
150  * Check the lengths of public keys for curve P-384.
151  *
152  * Checks the length of caller-allocated buffers for a P-384 public key. This
153  * function may be used for both ECDSA and ECDH keys, since the key structure
154  * is the same.
155  *
156  * If this check passes, it is safe to interpret public_key->key as a
157  * `p384_point_t *`.
158  *
159  * @param public_key Public key struct to check.
160  * @return OK if the lengths are correct or BAD_ARGS otherwise.
161  */
162 OT_WARN_UNUSED_RESULT
163 static status_t p384_public_key_length_check(
164  const otcrypto_unblinded_key_t *public_key) {
165  if (launder32(public_key->key_length) != sizeof(p384_point_t)) {
166  return OTCRYPTO_BAD_ARGS;
167  }
168  HARDENED_CHECK_EQ(public_key->key_length, sizeof(p384_point_t));
169  return OTCRYPTO_OK;
170 }
171 /**
172  * Finalize a keypair generation operation for curve P-384.
173  *
174  * This function assumes that space is already allocated for all key material
175  * and that the length parameters on the structs are set accordingly, in the
176  * same way as for `otcrypto_ecdh_p384_keygen_async_finalize` and
177  * `otcrypto_ecdsa_p384_keygen_async_finalize`.
178  *
179  * @param[out] private_key Private key to populate.
180  * @param[out] public_key Public key to populate.
181  * @return OK or error.
182  */
183 OT_WARN_UNUSED_RESULT
184 static status_t internal_p384_keygen_finalize(
185  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
186  // Check the lengths of caller-allocated buffers.
187  HARDENED_TRY(p384_private_key_length_check(private_key));
188  HARDENED_TRY(p384_public_key_length_check(public_key));
189 
190  // Interpret the key buffer as a P-384 point.
191  p384_point_t *pk = (p384_point_t *)public_key->key;
192 
193  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
194  // Note: This operation wipes DMEM after retrieving the keys, so if an error
195  // occurs after this point then the keys would be unrecoverable. This should
196  // be the last potentially error-causing line before returning to the
197  // caller.
198  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
199  HARDENED_TRY(p384_sideload_keygen_finalize(pk));
200  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
201  p384_masked_scalar_t *sk = (p384_masked_scalar_t *)private_key->keyblob;
202  // Note: This operation wipes DMEM after retrieving the keys, so if an error
203  // occurs after this point then the keys would be unrecoverable. This should
204  // be the last potentially error-causing line before returning to the
205  // caller.
206  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
207  HARDENED_TRY(p384_keygen_finalize(sk, pk));
208  private_key->checksum = integrity_blinded_checksum(private_key);
209  } else {
210  return OTCRYPTO_BAD_ARGS;
211  }
212 
213  public_key->checksum = integrity_unblinded_checksum(public_key);
214  return OTCRYPTO_OK;
215 }
216 
217 otcrypto_status_t otcrypto_ecdsa_p384_keygen_async_finalize(
218  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
219  // Check for any NULL pointers.
220  if (private_key == NULL || public_key == NULL ||
221  private_key->keyblob == NULL || public_key->key == NULL) {
222  return OTCRYPTO_BAD_ARGS;
223  }
224 
225  // Check the key modes.
226  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384 ||
227  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP384) {
228  return OTCRYPTO_BAD_ARGS;
229  }
230  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP384);
231  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP384);
232 
233  HARDENED_TRY(internal_p384_keygen_finalize(private_key, public_key));
234 
235  // Clear the OTBN sideload slot (in case the seed was sideloaded).
236  return keymgr_sideload_clear_otbn();
237 }
238 
239 otcrypto_status_t otcrypto_ecdsa_p384_sign_async_start(
240  const otcrypto_blinded_key_t *private_key,
241  const otcrypto_hash_digest_t message_digest) {
242  if (private_key == NULL || private_key->keyblob == NULL ||
243  message_digest.data == NULL) {
244  return OTCRYPTO_BAD_ARGS;
245  }
246 
247  // Check the integrity of the private key.
248  if (launder32(integrity_blinded_key_check(private_key)) !=
249  kHardenedBoolTrue) {
250  return OTCRYPTO_BAD_ARGS;
251  }
252  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
253  kHardenedBoolTrue);
254 
255  // Check that the entropy complex is initialized.
256  HARDENED_TRY(entropy_complex_check());
257 
258  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384) {
259  return OTCRYPTO_BAD_ARGS;
260  }
261  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP384);
262 
263  // Check the digest length.
264  if (launder32(message_digest.len) != kP384ScalarWords) {
265  return OTCRYPTO_BAD_ARGS;
266  }
267  HARDENED_CHECK_EQ(message_digest.len, kP384ScalarWords);
268 
269  // Check the key length.
270  HARDENED_TRY(p384_private_key_length_check(private_key));
271 
272  if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
273  // Start the asynchronous signature-generation routine.
274  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
275  p384_masked_scalar_t *sk = (p384_masked_scalar_t *)private_key->keyblob;
276  return p384_ecdsa_sign_start(message_digest.data, sk);
277  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
278  // Load the key and start in sideloaded-key mode.
279  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
280  HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
281  return p384_ecdsa_sideload_sign_start(message_digest.data);
282  }
283 
284  // Invalid value for private_key->hw_backed.
285  return OTCRYPTO_BAD_ARGS;
286 }
287 
288 /**
289  * Check the length of a signature buffer for ECDSA with P-384.
290  *
291  * If this check passes on `signature.len`, it is safe to interpret
292  * `signature.data` as `p384_ecdsa_signature_t *`.
293  *
294  * @param len Length to check.
295  * @return OK if the lengths are correct or BAD_ARGS otherwise.
296  */
297 OT_WARN_UNUSED_RESULT
298 static status_t p384_signature_length_check(size_t len) {
299  if (launder32(len) > UINT32_MAX / sizeof(uint32_t) ||
300  launder32(len) * sizeof(uint32_t) != sizeof(p384_ecdsa_signature_t)) {
301  return OTCRYPTO_BAD_ARGS;
302  }
303  HARDENED_CHECK_EQ(len * sizeof(uint32_t), sizeof(p384_ecdsa_signature_t));
304 
305  return OTCRYPTO_OK;
306 }
307 
308 otcrypto_status_t otcrypto_ecdsa_p384_sign_async_finalize(
309  otcrypto_word32_buf_t signature) {
310  if (signature.data == NULL) {
311  return OTCRYPTO_BAD_ARGS;
312  }
313 
314  HARDENED_TRY(p384_signature_length_check(signature.len));
315  p384_ecdsa_signature_t *sig_p384 = (p384_ecdsa_signature_t *)signature.data;
316  // Note: This operation wipes DMEM, so if an error occurs after this
317  // point then the signature would be unrecoverable. This should be the
318  // last potentially error-causing line before returning to the caller.
319  HARDENED_TRY(p384_ecdsa_sign_finalize(sig_p384));
320 
321  // Clear the OTBN sideload slot (in case the key was sideloaded).
322  return keymgr_sideload_clear_otbn();
323 }
324 otcrypto_status_t otcrypto_ecdsa_p384_verify_async_start(
325  const otcrypto_unblinded_key_t *public_key,
326  const otcrypto_hash_digest_t message_digest,
327  otcrypto_const_word32_buf_t signature) {
328  if (public_key == NULL || signature.data == NULL ||
329  message_digest.data == NULL || public_key->key == NULL) {
330  return OTCRYPTO_BAD_ARGS;
331  }
332 
333  // Check the integrity of the public key.
334  if (launder32(integrity_unblinded_key_check(public_key)) !=
335  kHardenedBoolTrue) {
336  return OTCRYPTO_BAD_ARGS;
337  }
338  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
339  kHardenedBoolTrue);
340 
341  // Check the public key mode.
342  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP384) {
343  return OTCRYPTO_BAD_ARGS;
344  }
345  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP384);
346 
347  // Check the public key size.
348  HARDENED_TRY(p384_public_key_length_check(public_key));
349  p384_point_t *pk = (p384_point_t *)public_key->key;
350 
351  // Check the digest length.
352  if (launder32(message_digest.len) != kP384ScalarWords) {
353  return OTCRYPTO_BAD_ARGS;
354  }
355  HARDENED_CHECK_EQ(message_digest.len, kP384ScalarWords);
356 
357  // Check the signature lengths.
358  HARDENED_TRY(p384_signature_length_check(signature.len));
359  p384_ecdsa_signature_t *sig = (p384_ecdsa_signature_t *)signature.data;
360 
361  // Start the asynchronous signature-verification routine.
362  return p384_ecdsa_verify_start(sig, message_digest.data, pk);
363 }
364 
365 otcrypto_status_t otcrypto_ecdsa_p384_verify_async_finalize(
366  otcrypto_const_word32_buf_t signature,
367  hardened_bool_t *verification_result) {
368  if (verification_result == NULL) {
369  return OTCRYPTO_BAD_ARGS;
370  }
371 
372  HARDENED_TRY(p384_signature_length_check(signature.len));
373  p384_ecdsa_signature_t *sig_p384 = (p384_ecdsa_signature_t *)signature.data;
374  return p384_ecdsa_verify_finalize(sig_p384, verification_result);
375 }
376 
377 otcrypto_status_t otcrypto_ecdh_p384_keygen_async_start(
378  const otcrypto_blinded_key_t *private_key) {
379  if (private_key == NULL || private_key->keyblob == NULL) {
380  return OTCRYPTO_BAD_ARGS;
381  }
382 
383  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384) {
384  return OTCRYPTO_BAD_ARGS;
385  }
386  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP384);
387  return internal_p384_keygen_start(private_key);
388 }
389 
390 otcrypto_status_t otcrypto_ecdh_p384_keygen_async_finalize(
391  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
392  // Check for any NULL pointers.
393  if (private_key == NULL || public_key == NULL ||
394  private_key->keyblob == NULL || public_key->key == NULL) {
395  return OTCRYPTO_BAD_ARGS;
396  }
397 
398  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP384 ||
399  launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384) {
400  return OTCRYPTO_BAD_ARGS;
401  }
402  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP384);
403  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP384);
404  return internal_p384_keygen_finalize(private_key, public_key);
405 }
406 otcrypto_status_t otcrypto_ecdh_p384_async_start(
407  const otcrypto_blinded_key_t *private_key,
408  const otcrypto_unblinded_key_t *public_key) {
409  if (private_key == NULL || public_key == NULL || public_key->key == NULL ||
410  private_key->keyblob == NULL) {
411  return OTCRYPTO_BAD_ARGS;
412  }
413 
414  // Check the integrity of the keys.
415  if (launder32(integrity_blinded_key_check(private_key)) !=
416  kHardenedBoolTrue ||
417  launder32(integrity_unblinded_key_check(public_key)) !=
418  kHardenedBoolTrue) {
419  return OTCRYPTO_BAD_ARGS;
420  }
421  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
422  kHardenedBoolTrue);
423  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
424  kHardenedBoolTrue);
425 
426  // Check the key modes.
427  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384 ||
428  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP384) {
429  return OTCRYPTO_BAD_ARGS;
430  }
431  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP384);
432  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP384);
433 
434  // Check the key lengths.
435  HARDENED_TRY(p384_private_key_length_check(private_key));
436  HARDENED_TRY(p384_public_key_length_check(public_key));
437  p384_point_t *pk = (p384_point_t *)public_key->key;
438 
439  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
440  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
441  HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
442  return p384_sideload_ecdh_start(pk);
443  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
444  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
445  p384_masked_scalar_t *sk = (p384_masked_scalar_t *)private_key->keyblob;
446  return p384_ecdh_start(sk, pk);
447  }
448 
449  // Invalid value for `hw_backed`.
450  return OTCRYPTO_BAD_ARGS;
451 }
452 
453 otcrypto_status_t otcrypto_ecdh_p384_async_finalize(
454  otcrypto_blinded_key_t *shared_secret) {
455  if (shared_secret == NULL || shared_secret->keyblob == NULL) {
456  return OTCRYPTO_BAD_ARGS;
457  }
458 
459  // Shared keys cannot be sideloaded because they are software-generated.
460  if (launder32(shared_secret->config.hw_backed) != kHardenedBoolFalse) {
461  return OTCRYPTO_BAD_ARGS;
462  }
463  HARDENED_CHECK_EQ(shared_secret->config.hw_backed, kHardenedBoolFalse);
464 
465  // Check shared secret length.
466  if (launder32(shared_secret->config.key_length) != kP384CoordBytes) {
467  return OTCRYPTO_BAD_ARGS;
468  }
469  HARDENED_CHECK_EQ(shared_secret->config.key_length, kP384CoordBytes);
470  if (launder32(shared_secret->keyblob_length) !=
471  keyblob_num_words(shared_secret->config) * sizeof(uint32_t)) {
472  return OTCRYPTO_BAD_ARGS;
473  }
474  HARDENED_CHECK_EQ(
475  shared_secret->keyblob_length,
476  keyblob_num_words(shared_secret->config) * sizeof(uint32_t));
477 
478  // Note: This operation wipes DMEM after retrieving the keys, so if an error
479  // occurs after this point then the keys would be unrecoverable. This should
480  // be the last potentially error-causing line before returning to the caller.
481  p384_ecdh_shared_key_t ss;
482  HARDENED_TRY(p384_ecdh_finalize(&ss));
483 
484  keyblob_from_shares(ss.share0, ss.share1, shared_secret->config,
485  shared_secret->keyblob);
486 
487  // Set the checksum.
488  shared_secret->checksum = integrity_blinded_checksum(shared_secret);
489 
490  // Clear the OTBN sideload slot (in case the seed was sideloaded).
491  return keymgr_sideload_clear_otbn();
492 }
Return to OpenTitan Documentation