7 #include "sw/device/lib/crypto/drivers/entropy.h"
8 #include "sw/device/lib/crypto/drivers/hmac.h"
9 #include "sw/device/lib/crypto/impl/ecc/p384.h"
10 #include "sw/device/lib/crypto/impl/integrity.h"
11 #include "sw/device/lib/crypto/impl/keyblob.h"
15 #define MODULE_ID MAKE_MODULE_ID('p', '3', '8')
38 public_key, message_digest, signature));
// Common start routine for P-384 key generation. Only some source lines are
// present in this listing; the parameter list and the branch conditions fall
// in the gaps.
66 static status_t internal_p384_keygen_start(
// The entropy complex check comes first, so a failure here is returned to the
// caller before either keygen path below is started.
69 HARDENED_TRY(entropy_complex_check());
// Sideloaded path: keyblob_sideload_key_otbn() is called on the key, then the
// sideload variant of keygen is started.
73 HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
74 return p384_sideload_keygen_start();
// Non-sideloaded path.
77 return p384_keygen_start();
// Fallback rejection. NOTE(review): presumably reached when neither path
// above is selected; the selecting condition is not visible here.
79 return OTCRYPTO_BAD_ARGS;
// Argument validation ahead of internal_p384_keygen_start(). The enclosing
// function's signature is not part of this listing.
// Reject a null key handle or null keyblob before any key field is read.
86 if (private_key == NULL || private_key->keyblob == NULL) {
87 return OTCRYPTO_BAD_ARGS;
// Only keys configured for ECDSA/P-384 are accepted. The compared value is
// passed through launder32(). NOTE(review): presumably a hardening barrier
// that keeps the check from being optimized away; confirm in the hardened
// helpers.
91 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384) {
92 return OTCRYPTO_BAD_ARGS;
96 return internal_p384_keygen_start(private_key);
// Length validation for a P-384 private key. Several source lines are missing
// from this listing, so only the visible comparisons are described.
113 static status_t p384_private_key_length_check(
// A null keyblob is rejected here as well, independent of caller-side checks.
115 if (private_key->keyblob == NULL) {
116 return OTCRYPTO_BAD_ARGS;
// The configured key length must equal kP384ScalarBytes.
127 if (launder32(private_key->config.key_length) != kP384ScalarBytes) {
128 return OTCRYPTO_BAD_ARGS;
// The per-share word count derived from the key config must equal
// kP384MaskedScalarShareWords.
133 if (launder32(keyblob_share_num_words(private_key->config)) !=
134 kP384MaskedScalarShareWords) {
135 return OTCRYPTO_BAD_ARGS;
// Tail of a statement whose start is not in this listing.
138 kP384MaskedScalarShareWords);
// Rejection for a condition that is not visible here.
142 return OTCRYPTO_BAD_ARGS;
// Length validation for a P-384 public key: the declared key length must
// equal sizeof(p384_point_t). Callers in this file later pass the key buffer
// on as a point (`pk`), so this check bounds that use. NOTE(review): the
// conversion from public_key->key to `pk` is not visible in this listing.
163 static status_t p384_public_key_length_check(
165 if (launder32(public_key->key_length) !=
sizeof(
p384_point_t)) {
166 return OTCRYPTO_BAD_ARGS;
// Common finalize routine for P-384 key generation. Only some source lines
// are present in this listing; branch conditions fall in the gaps.
184 static status_t internal_p384_keygen_finalize(
// Both key buffers are length-checked before any result is written to them.
187 HARDENED_TRY(p384_private_key_length_check(private_key));
188 HARDENED_TRY(p384_public_key_length_check(public_key));
// Sideloaded path: only the public key is read back.
199 HARDENED_TRY(p384_sideload_keygen_finalize(pk));
// Non-sideloaded path: both keys are read back, then the private key's
// checksum is recomputed over the new contents.
207 HARDENED_TRY(p384_keygen_finalize(sk, pk));
208 private_key->checksum = integrity_blinded_checksum(private_key);
// Fallback rejection. NOTE(review): presumably for a key that matches neither
// path; the condition is not visible here.
210 return OTCRYPTO_BAD_ARGS;
// The public key's checksum is recomputed after the key material is written.
213 public_key->checksum = integrity_unblinded_checksum(public_key);
// ECDSA keygen finalize: validation, common finalize, then sideload cleanup.
// The enclosing function's signature is not part of this listing.
// Reject null handles and null key buffers before any field is read.
220 if (private_key == NULL || public_key == NULL ||
221 private_key->keyblob == NULL || public_key->key == NULL) {
222 return OTCRYPTO_BAD_ARGS;
// Both keys must be configured for ECDSA/P-384.
226 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384 ||
227 launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP384) {
228 return OTCRYPTO_BAD_ARGS;
233 HARDENED_TRY(internal_p384_keygen_finalize(private_key, public_key));
// The sideload clear is the last step on the success path.
// NOTE(review): HARDENED_TRY above returns early on failure, so this clear is
// not reached from here on the error path; confirm that is intended.
236 return keymgr_sideload_clear_otbn();
// ECDSA sign start: validation followed by the sideloaded or non-sideloaded
// start call. The enclosing function's signature and several lines (including
// the branch conditions) are not part of this listing.
// Reject a null key handle, null keyblob or null digest buffer up front.
242 if (private_key == NULL || private_key->keyblob == NULL ||
243 message_digest.data == NULL) {
244 return OTCRYPTO_BAD_ARGS;
// The key's integrity check runs before its config fields are relied on
// below. The expected value it is compared against is on a line not shown.
248 if (launder32(integrity_blinded_key_check(private_key)) !=
250 return OTCRYPTO_BAD_ARGS;
// Signing does not start when the entropy complex check fails.
256 HARDENED_TRY(entropy_complex_check());
// Only keys configured for ECDSA/P-384 are accepted.
258 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384) {
259 return OTCRYPTO_BAD_ARGS;
// The digest length must equal kP384ScalarWords exactly.
// NOTE(review): presumably a count of 32-bit words; confirm against the
// buffer type.
264 if (launder32(message_digest.len) != kP384ScalarWords) {
265 return OTCRYPTO_BAD_ARGS;
270 HARDENED_TRY(p384_private_key_length_check(private_key));
// Non-sideloaded path: the key is passed to the start call directly.
276 return p384_ecdsa_sign_start(message_digest.data, sk);
// Sideloaded path: keyblob_sideload_key_otbn() is called on the key, and the
// start call takes only the digest.
280 HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
281 return p384_ecdsa_sideload_sign_start(message_digest.data);
// Fallback rejection. NOTE(review): presumably for a key that matches neither
// path; the condition is not visible here.
285 return OTCRYPTO_BAD_ARGS;
// Length validation for a P-384 signature buffer of `len` elements.
// The visible half of the condition rejects any len above
// UINT32_MAX / sizeof(uint32_t). NOTE(review): presumably so that a
// multiplication by sizeof(uint32_t) cannot overflow 32 bits; the second half
// of the condition (after `||`) is on a line not shown in this listing.
298 static status_t p384_signature_length_check(
size_t len) {
299 if (launder32(len) > UINT32_MAX /
sizeof(uint32_t) ||
301 return OTCRYPTO_BAD_ARGS;
// ECDSA sign finalize. The enclosing function's signature is not part of this
// listing.
// The output buffer is null-checked and length-checked before the signature
// is written through it.
310 if (signature.data == NULL) {
311 return OTCRYPTO_BAD_ARGS;
314 HARDENED_TRY(p384_signature_length_check(signature.len));
319 HARDENED_TRY(p384_ecdsa_sign_finalize(sig_p384));
// The sideload clear is the last step on the success path.
// NOTE(review): HARDENED_TRY above returns early on failure, so this clear is
// not reached from here on the error path; confirm that is intended.
322 return keymgr_sideload_clear_otbn();
// ECDSA verify start: all inputs are validated before the verify operation is
// started. The enclosing function's signature is not part of this listing.
// Reject null handles and null buffers before any field is read.
328 if (public_key == NULL || signature.data == NULL ||
329 message_digest.data == NULL || public_key->key == NULL) {
330 return OTCRYPTO_BAD_ARGS;
// The public key's integrity check runs before its fields are relied on
// below. The expected value it is compared against is on a line not shown.
334 if (launder32(integrity_unblinded_key_check(public_key)) !=
336 return OTCRYPTO_BAD_ARGS;
// Only keys configured for ECDSA/P-384 are accepted.
342 if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP384) {
343 return OTCRYPTO_BAD_ARGS;
348 HARDENED_TRY(p384_public_key_length_check(public_key));
// The digest length must equal kP384ScalarWords exactly.
352 if (launder32(message_digest.len) != kP384ScalarWords) {
353 return OTCRYPTO_BAD_ARGS;
358 HARDENED_TRY(p384_signature_length_check(signature.len));
362 return p384_ecdsa_verify_start(sig, message_digest.data, pk);
// ECDSA verify finalize. The enclosing function's signature is not part of
// this listing.
// The result pointer is checked because the outcome is written through it.
368 if (verification_result == NULL) {
369 return OTCRYPTO_BAD_ARGS;
// NOTE(review): no null check on signature.data is visible in this excerpt
// (the sign-finalize path has one at source line 310); confirm whether one
// exists on a line not shown.
372 HARDENED_TRY(p384_signature_length_check(signature.len));
// NOTE(review): the verdict is delivered via verification_result; presumably
// a success status alone does not mean the signature verified. Confirm
// against the API documentation.
374 return p384_ecdsa_verify_finalize(sig_p384, verification_result);
// ECDH keygen start. The enclosing function's signature is not part of this
// listing.
// Reject a null key handle or null keyblob before any key field is read.
379 if (private_key == NULL || private_key->keyblob == NULL) {
380 return OTCRYPTO_BAD_ARGS;
// Only keys configured for ECDH/P-384 are accepted; a key configured for
// ECDSA fails this check even though both modes share the start routine.
383 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384) {
384 return OTCRYPTO_BAD_ARGS;
387 return internal_p384_keygen_start(private_key);
// ECDH keygen finalize. The enclosing function's signature is not part of
// this listing.
// Reject null handles and null key buffers before any field is read.
393 if (private_key == NULL || public_key == NULL ||
394 private_key->keyblob == NULL || public_key->key == NULL) {
395 return OTCRYPTO_BAD_ARGS;
// Both keys must be configured for ECDH/P-384.
398 if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP384 ||
399 launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384) {
400 return OTCRYPTO_BAD_ARGS;
// NOTE(review): the finalize result is returned directly, so no
// keymgr_sideload_clear_otbn() call follows on this path, unlike the ECDSA
// keygen finalize at source line 236; confirm whether the sideloaded case
// needs the clear here too.
404 return internal_p384_keygen_finalize(private_key, public_key);
// ECDH start: validation followed by the sideloaded or non-sideloaded start
// call. The enclosing function's signature and several lines (including the
// branch conditions) are not part of this listing.
// Reject null handles and null key buffers before any field is read.
409 if (private_key == NULL || public_key == NULL || public_key->key == NULL ||
410 private_key->keyblob == NULL) {
411 return OTCRYPTO_BAD_ARGS;
// Both keys' integrity checks run before their fields are relied on below.
// The expected values they are compared against are on lines not shown.
415 if (launder32(integrity_blinded_key_check(private_key)) !=
417 launder32(integrity_unblinded_key_check(public_key)) !=
419 return OTCRYPTO_BAD_ARGS;
// Both keys must be configured for ECDH/P-384.
427 if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384 ||
428 launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP384) {
429 return OTCRYPTO_BAD_ARGS;
435 HARDENED_TRY(p384_private_key_length_check(private_key));
436 HARDENED_TRY(p384_public_key_length_check(public_key));
// Sideloaded path: keyblob_sideload_key_otbn() is called on the private key,
// and the start call takes only the public point.
441 HARDENED_TRY(keyblob_sideload_key_otbn(private_key));
442 return p384_sideload_ecdh_start(pk);
// Non-sideloaded path: the private key is passed to the start call directly.
446 return p384_ecdh_start(sk, pk);
// Fallback rejection. NOTE(review): presumably for a key that matches neither
// path; the condition is not visible here.
450 return OTCRYPTO_BAD_ARGS;
// ECDH finalize: validates the destination key, reads back the shared secret
// and stores it as a keyblob. The enclosing function's signature and several
// lines are not part of this listing.
// Reject a null destination handle or null keyblob before any field is read.
455 if (shared_secret == NULL || shared_secret->keyblob == NULL) {
456 return OTCRYPTO_BAD_ARGS;
// Rejection for a condition that is not visible here.
461 return OTCRYPTO_BAD_ARGS;
// The destination's configured key length must equal kP384CoordBytes.
466 if (launder32(shared_secret->config.key_length) != kP384CoordBytes) {
467 return OTCRYPTO_BAD_ARGS;
// The destination keyblob's byte length must match the size derived from its
// config, which bounds the keyblob_from_shares() write below.
470 if (launder32(shared_secret->keyblob_length) !=
471 keyblob_num_words(shared_secret->config) *
sizeof(uint32_t)) {
472 return OTCRYPTO_BAD_ARGS;
// Tail of a statement whose start is not in this listing; it repeats the same
// two operands as the comparison above.
475 shared_secret->keyblob_length,
476 keyblob_num_words(shared_secret->config) *
sizeof(uint32_t));
// NOTE(review): `ss` receives both shares of the shared secret; its
// declaration and any wipe of it are not visible in this excerpt. Confirm how
// it is cleared after use.
482 HARDENED_TRY(p384_ecdh_finalize(&ss));
484 keyblob_from_shares(ss.share0, ss.share1, shared_secret->config,
485 shared_secret->keyblob);
// The checksum is recomputed only after the keyblob holds the new secret.
488 shared_secret->checksum = integrity_blinded_checksum(shared_secret);
// The sideload clear is the last step on the success path.
// NOTE(review): HARDENED_TRY above returns early on failure, so this clear is
// not reached from here on the error path; confirm that is intended.
491 return keymgr_sideload_clear_otbn();