// SPDX-License-Identifier: GPL-2.0+
/*
 * ECDSA X9.62 signature encoding
 *
 * Copyright (c) 2021 IBM Corporation
 * Copyright (c) 2024 Intel Corporation
 */
9 #include <linux/asn1_decoder.h>
10 #include <linux/err.h>
11 #include <linux/module.h>
12 #include <crypto/algapi.h>
13 #include <crypto/sig.h>
14 #include <crypto/internal/ecc.h>
15 #include <crypto/internal/sig.h>
17 #include "ecdsasignature.asn1.h"
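/*
 * Per-transform state of the x962 template: the wrapped signature transform
 * that receives the decoded, raw (r, s) signature.
 */
struct ecdsa_x962_ctx {
	/* set in ecdsa_x962_init_tfm(), released in ecdsa_x962_exit_tfm() */
	struct crypto_sig *child;
};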
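/*
 * Scratch state handed to asn1_ber_decoder() as the callback context while
 * one signature is being decoded.
 *
 * NOTE(review): the source listing shows only the 'sig' member. 'ndigits' is
 * restored because ecdsa_x962_verify() assigns sig_ctx.ndigits; confirm its
 * type against the tree.
 */
struct ecdsa_x962_signature_ctx {
	struct ecdsa_raw_sig sig;	/* r and s, written by the callbacks */
	unsigned int ndigits;		/* u64 digits per signature component */
};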
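/*
 * Get the r and s components of a signature from the X.509 certificate.
 *
 * Converts one ASN.1 INTEGER (r or s) into @ndigits u64 digits at @dest.
 *
 * @dest:    destination digit array
 * @hdrlen:  ASN.1 header length (unused)
 * @tag:     ASN.1 tag (unused)
 * @value:   INTEGER contents as found in the encoded signature
 * @vlen:    length of @value in bytes
 * @ndigits: number of u64 digits per component
 *
 * @value and @vlen describe bytes of the signature under verification, so
 * they are untrusted. The length check below is the only bound applied before
 * ecc_digits_from_bytes() writes to @dest; it assumes @dest holds at least
 * @ndigits digits (presumably guaranteed by struct ecdsa_raw_sig; verify).
 *
 * Returns 0 on success or -EINVAL when the component is absent, empty, longer
 * than the digit buffer plus one sign byte, or over-long without a leading
 * zero byte.
 *
 * NOTE(review): the source listing omits the last parameter line, both error
 * returns and the leading-zero branch. They are restored here from the
 * visible comments and call sites and should be confirmed against the tree.
 */
static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
				  const void *value, size_t vlen,
				  unsigned int ndigits)
{
	size_t bufsize = ndigits * sizeof(u64);
	const char *d = value;

	if (!value || !vlen || vlen > bufsize + 1)
		return -EINVAL;

	/*
	 * vlen may be 1 byte larger than bufsize due to a leading zero byte
	 * (necessary if the most significant bit of the integer is set).
	 */
	if (vlen > bufsize) {
		/* the one extra byte is only acceptable as a sign-padding zero */
		if (*d != 0)
			return -EINVAL;

		/* skip over leading zeros that make 'value' a positive int */
		vlen -= 1;
		d++;
	}

	ecc_digits_from_bytes(d, vlen, dest, ndigits);

	return 0;
}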
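/*
 * ASN.1 decoder callback for the 'r' INTEGER of the signature.
 *
 * @context is the struct ecdsa_x962_signature_ctx passed to
 * asn1_ber_decoder(); @value/@vlen are bytes of the untrusted signature and
 * are validated by ecdsa_get_signature_rs().
 *
 * Returns whatever ecdsa_get_signature_rs() returns.
 *
 * NOTE(review): the final argument line is missing from the source listing;
 * sig_ctx->ndigits is restored because the helper's body uses an 'ndigits'
 * value and ecdsa_x962_verify() stores one in the context.
 */
int ecdsa_get_signature_r(void *context, size_t hdrlen, unsigned char tag,
			  const void *value, size_t vlen)
{
	struct ecdsa_x962_signature_ctx *sig_ctx = context;

	return ecdsa_get_signature_rs(sig_ctx->sig.r, hdrlen, tag, value, vlen,
				      sig_ctx->ndigits);
}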
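/*
 * ASN.1 decoder callback for the 's' INTEGER of the signature.
 *
 * @context is the struct ecdsa_x962_signature_ctx passed to
 * asn1_ber_decoder(); @value/@vlen are bytes of the untrusted signature and
 * are validated by ecdsa_get_signature_rs().
 *
 * Returns whatever ecdsa_get_signature_rs() returns.
 *
 * NOTE(review): the final argument line is missing from the source listing;
 * sig_ctx->ndigits is restored because the helper's body uses an 'ndigits'
 * value and ecdsa_x962_verify() stores one in the context.
 */
int ecdsa_get_signature_s(void *context, size_t hdrlen, unsigned char tag,
			  const void *value, size_t vlen)
{
	struct ecdsa_x962_signature_ctx *sig_ctx = context;

	return ecdsa_get_signature_rs(sig_ctx->sig.s, hdrlen, tag, value, vlen,
				      sig_ctx->ndigits);
}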
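/*
 * Verify an ASN.1 encoded ECDSA signature.
 *
 * @tfm:    x962 template instance
 * @src:    encoded signature (untrusted)
 * @slen:   length of @src in bytes
 * @digest: message digest the signature is checked against
 * @dlen:   length of @digest in bytes
 *
 * Decodes @src into raw r and s digits and passes the result to the child
 * transform. Returns the decoder's error if decoding fails, otherwise the
 * result of crypto_sig_verify() on the child.
 *
 * sig_ctx lives on the stack and sig_ctx.sig is not initialised here; it is
 * only meaningful once the decoder has run both component callbacks.
 * Presumably the ecdsasignature grammar makes both INTEGERs mandatory, so a
 * successful decode implies r and s were written; verify against the .asn1
 * file.
 *
 * NOTE(review): the source listing omits the 'err' declaration, the divisor
 * of DIV_ROUND_UP(), the decoder error check and the last argument line of
 * crypto_sig_verify(). They are restored here. The divisor sizeof(u64)
 * assumes crypto_sig_keysize() reports bytes; since ndigits bounds what the
 * callbacks accept, confirm this against the tree.
 */
static int ecdsa_x962_verify(struct crypto_sig *tfm,
			     const void *src, unsigned int slen,
			     const void *digest, unsigned int dlen)
{
	struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
	struct ecdsa_x962_signature_ctx sig_ctx;
	int err;

	/* size the per-component bound before any untrusted byte is parsed */
	sig_ctx.ndigits = DIV_ROUND_UP(crypto_sig_keysize(ctx->child),
				       sizeof(u64));

	err = asn1_ber_decoder(&ecdsasignature_decoder, &sig_ctx, src, slen);
	if (err < 0)
		return err;

	return crypto_sig_verify(ctx->child, &sig_ctx.sig, sizeof(sig_ctx.sig),
				 digest, dlen);
}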
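/* Report the key size of the wrapped transform unchanged. */
static unsigned int ecdsa_x962_key_size(struct crypto_sig *tfm)
{
	struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);

	return crypto_sig_keysize(ctx->child);
}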
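/*
 * Upper bound on the length of an encoded signature for this instance.
 *
 * Starts from the child's key size and adds the ASN.1 overhead of two
 * INTEGERs wrapped in a SEQUENCE, as described step by step below.
 *
 * NOTE(review): the statement under the strcmp() test is missing from the
 * source listing; 'slen += 1' is restored from the comment above it (one
 * optional leading zero byte per component) and should be confirmed against
 * the tree.
 */
static unsigned int ecdsa_x962_max_size(struct crypto_sig *tfm)
{
	struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
	struct sig_alg *alg = crypto_sig_alg(ctx->child);
	int slen = crypto_sig_keysize(ctx->child);

	/*
	 * Verify takes ECDSA-Sig-Value (described in RFC 5480) as input,
	 * which is actually 2 'key_size'-bit integers encoded in ASN.1.
	 * Account for the ASN.1 encoding overhead here.
	 *
	 * NIST P192/256/384 may prepend a '0' to a coordinate to indicate
	 * a positive integer. NIST P521 never needs it.
	 */
	if (strcmp(alg->base.cra_name, "ecdsa-nist-p521") != 0)
		slen += 1;

	/* Length of encoding the x & y coordinates */
	slen = 2 * (slen + 2);

	/*
	 * If coordinate encoding takes at least 128 bytes then an
	 * additional byte for length encoding is needed.
	 */
	return 1 + (slen >= 128) + 1 + slen;
}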
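/* Report the digest size of the wrapped transform unchanged. */
static unsigned int ecdsa_x962_digest_size(struct crypto_sig *tfm)
{
	struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);

	return crypto_sig_digestsize(ctx->child);
}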
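/*
 * Hand the public key to the wrapped transform.
 *
 * No parsing or validation of @key happens at this layer; whatever checks
 * apply are those of the child's crypto_sig_set_pubkey() path.
 */
static int ecdsa_x962_set_pub_key(struct crypto_sig *tfm,
				  const void *key, unsigned int keylen)
{
	struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);

	return crypto_sig_set_pubkey(ctx->child, key, keylen);
}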
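/*
 * Transform constructor: obtain the child transform from the instance's
 * spawn and remember it in the context.
 *
 * Returns the error encoded in the pointer from crypto_spawn_sig() on
 * failure, otherwise 0 (the final return is missing from the source listing
 * and is restored here).
 */
static int ecdsa_x962_init_tfm(struct crypto_sig *tfm)
{
	struct sig_instance *inst = sig_alg_instance(tfm);
	struct crypto_sig_spawn *spawn = sig_instance_ctx(inst);
	struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
	struct crypto_sig *child_tfm;

	child_tfm = crypto_spawn_sig(spawn);
	if (IS_ERR(child_tfm))
		return PTR_ERR(child_tfm);

	ctx->child = child_tfm;

	return 0;
}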
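/* Transform destructor: release the child stored by ecdsa_x962_init_tfm(). */
static void ecdsa_x962_exit_tfm(struct crypto_sig *tfm)
{
	struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);

	crypto_free_sig(ctx->child);
}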
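/*
 * Instance destructor, also used on the error path of ecdsa_x962_create().
 *
 * NOTE(review): only crypto_drop_sig() is visible in the source listing. The
 * instance is allocated with kzalloc() in ecdsa_x962_create(), so a matching
 * kfree(inst) presumably follows on the line the listing dropped; it is
 * restored here and should be confirmed against the tree.
 */
static void ecdsa_x962_free(struct sig_instance *inst)
{
	struct crypto_sig_spawn *spawn = sig_instance_ctx(inst);

	crypto_drop_sig(spawn);
	kfree(inst);
}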
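/*
 * Template constructor: build and register an "x962(...)" instance around
 * the signature algorithm named in @tb.
 *
 * @tmpl: the x962 template
 * @tb:   template attributes; tb[1] names the algorithm to wrap
 *
 * The inner algorithm is accepted only if its cra_name starts with "ecdsa",
 * so the ASN.1 decoding layer cannot be stacked on an unrelated signature
 * algorithm. Priority is inherited from the inner algorithm.
 *
 * Returns 0 on success or a negative errno. On every failure after the
 * allocation the instance is released through ecdsa_x962_free(); this relies
 * on that function being safe for a zero-initialised spawn that was never
 * grabbed (presumably true; verify).
 *
 * NOTE(review): the source listing omits the 'mask'/'err' declarations, all
 * error checks, the last argument of crypto_inst_setname() and the tail of
 * the function. They are restored here from the visible calls and should be
 * confirmed against the tree.
 */
static int ecdsa_x962_create(struct crypto_template *tmpl, struct rtattr **tb)
{
	struct crypto_sig_spawn *spawn;
	struct sig_instance *inst;
	struct sig_alg *ecdsa_alg;
	u32 mask;
	int err;

	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SIG, &mask);
	if (err)
		return err;

	/* the spawn is stored directly behind the instance */
	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
	if (!inst)
		return -ENOMEM;

	spawn = sig_instance_ctx(inst);

	err = crypto_grab_sig(spawn, sig_crypto_instance(inst),
			      crypto_attr_alg_name(tb[1]), 0, mask);
	if (err)
		goto err_free_inst;

	ecdsa_alg = crypto_spawn_sig_alg(spawn);

	/* refuse to wrap anything that is not an ecdsa algorithm */
	err = -EINVAL;
	if (strncmp(ecdsa_alg->base.cra_name, "ecdsa", 5) != 0)
		goto err_free_inst;

	err = crypto_inst_setname(sig_crypto_instance(inst), tmpl->name,
				  ecdsa_alg->base.cra_name);
	if (err)
		goto err_free_inst;

	inst->alg.base.cra_priority = ecdsa_alg->base.cra_priority;
	inst->alg.base.cra_ctxsize = sizeof(struct ecdsa_x962_ctx);

	inst->alg.init = ecdsa_x962_init_tfm;
	inst->alg.exit = ecdsa_x962_exit_tfm;

	inst->alg.verify = ecdsa_x962_verify;
	inst->alg.key_size = ecdsa_x962_key_size;
	inst->alg.max_size = ecdsa_x962_max_size;
	inst->alg.digest_size = ecdsa_x962_digest_size;
	inst->alg.set_pub_key = ecdsa_x962_set_pub_key;

	inst->free = ecdsa_x962_free;

	err = sig_register_instance(tmpl, inst);
	if (err)
		goto err_free_inst;

	return 0;

err_free_inst:
	ecdsa_x962_free(inst);
	return err;
}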
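/*
 * The "x962" template. Not static, so it is presumably registered from
 * another file; no registration call is visible here.
 *
 * NOTE(review): the .name line is missing from the source listing; "x962" is
 * restored to match the MODULE_ALIAS_CRYPTO() below and the tmpl->name use in
 * ecdsa_x962_create().
 */
struct crypto_template ecdsa_x962_tmpl = {
	.name = "x962",
	.create = ecdsa_x962_create,
	.module = THIS_MODULE,
};

MODULE_ALIAS_CRYPTO("x962");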