2 * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
21 #ifdef HAVE_OPENSSL_ECDSA
23 #if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
24 #error "ECDSA without EVP for SHA2?"
27 #include <isc/entropy.h>
30 #include <isc/string.h>
33 #include <dns/keyvalues.h>
34 #include <dst/result.h>
36 #include "dst_internal.h"
37 #include "dst_openssl.h"
38 #include "dst_parse.h"
40 #include <openssl/err.h>
41 #include <openssl/objects.h>
42 #include <openssl/ecdsa.h>
43 #include <openssl/bn.h>
45 #ifndef NID_X9_62_prime256v1
46 #error "P-256 group is not known (NID_X9_62_prime256v1)"
49 #error "P-384 group is not known (NID_secp384r1)"
52 #define DST_RET(a) {ret = a; goto err;}
54 static isc_result_t opensslecdsa_todns(const dst_key_t *key,
58 opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
59 EVP_MD_CTX *evp_md_ctx;
60 const EVP_MD *type = NULL;
63 REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
64 dctx->key->key_alg == DST_ALG_ECDSA384);
66 evp_md_ctx = EVP_MD_CTX_create();
67 if (evp_md_ctx == NULL)
68 return (ISC_R_NOMEMORY);
69 if (dctx->key->key_alg == DST_ALG_ECDSA256)
74 if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
75 EVP_MD_CTX_destroy(evp_md_ctx);
76 return (dst__openssl_toresult3(dctx->category,
81 dctx->ctxdata.evp_md_ctx = evp_md_ctx;
83 return (ISC_R_SUCCESS);
87 opensslecdsa_destroyctx(dst_context_t *dctx) {
88 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
90 REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
91 dctx->key->key_alg == DST_ALG_ECDSA384);
93 if (evp_md_ctx != NULL) {
94 EVP_MD_CTX_destroy(evp_md_ctx);
95 dctx->ctxdata.evp_md_ctx = NULL;
100 opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
101 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
103 REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
104 dctx->key->key_alg == DST_ALG_ECDSA384);
106 if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
107 return (dst__openssl_toresult3(dctx->category,
111 return (ISC_R_SUCCESS);
115 BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
116 int bytes = size - BN_num_bytes(bn);
125 opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
127 dst_key_t *key = dctx->key;
130 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
131 EVP_PKEY *pkey = key->keydata.pkey;
132 EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
133 unsigned int dgstlen, siglen;
134 unsigned char digest[EVP_MAX_MD_SIZE];
136 REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
137 key->key_alg == DST_ALG_ECDSA384);
140 return (ISC_R_FAILURE);
142 if (key->key_alg == DST_ALG_ECDSA256)
143 siglen = DNS_SIG_ECDSA256SIZE;
145 siglen = DNS_SIG_ECDSA384SIZE;
147 isc_buffer_availableregion(sig, &r);
148 if (r.length < siglen)
149 DST_RET(ISC_R_NOSPACE);
151 if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
152 DST_RET(dst__openssl_toresult3(dctx->category,
156 ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
157 if (ecdsasig == NULL)
158 DST_RET(dst__openssl_toresult3(dctx->category,
161 BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
162 r.base += siglen / 2;
163 BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
164 r.base += siglen / 2;
165 ECDSA_SIG_free(ecdsasig);
166 isc_buffer_add(sig, siglen);
176 opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
178 dst_key_t *key = dctx->key;
180 unsigned char *cp = sig->base;
181 ECDSA_SIG *ecdsasig = NULL;
182 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
183 EVP_PKEY *pkey = key->keydata.pkey;
184 EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
185 unsigned int dgstlen, siglen;
186 unsigned char digest[EVP_MAX_MD_SIZE];
188 REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
189 key->key_alg == DST_ALG_ECDSA384);
192 return (ISC_R_FAILURE);
194 if (key->key_alg == DST_ALG_ECDSA256)
195 siglen = DNS_SIG_ECDSA256SIZE;
197 siglen = DNS_SIG_ECDSA384SIZE;
199 if (sig->length != siglen)
200 return (DST_R_VERIFYFAILURE);
202 if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
203 DST_RET (dst__openssl_toresult3(dctx->category,
204 "EVP_DigestFinal_ex",
207 ecdsasig = ECDSA_SIG_new();
208 if (ecdsasig == NULL)
209 DST_RET (ISC_R_NOMEMORY);
210 if (ecdsasig->r != NULL)
211 BN_free(ecdsasig->r);
212 ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL);
214 if (ecdsasig->s != NULL)
215 BN_free(ecdsasig->s);
216 ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL);
217 /* cp += siglen / 2; */
219 status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
225 ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
228 ret = dst__openssl_toresult3(dctx->category,
230 DST_R_VERIFYFAILURE);
235 if (ecdsasig != NULL)
236 ECDSA_SIG_free(ecdsasig);
243 opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
246 EVP_PKEY *pkey1 = key1->keydata.pkey;
247 EVP_PKEY *pkey2 = key2->keydata.pkey;
248 EC_KEY *eckey1 = NULL;
249 EC_KEY *eckey2 = NULL;
250 const BIGNUM *priv1, *priv2;
252 if (pkey1 == NULL && pkey2 == NULL)
254 else if (pkey1 == NULL || pkey2 == NULL)
257 eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
258 eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
259 if (eckey1 == NULL && eckey2 == NULL) {
261 } else if (eckey1 == NULL || eckey2 == NULL)
264 status = EVP_PKEY_cmp(pkey1, pkey2);
268 priv1 = EC_KEY_get0_private_key(eckey1);
269 priv2 = EC_KEY_get0_private_key(eckey2);
270 if (priv1 != NULL || priv2 != NULL) {
271 if (priv1 == NULL || priv2 == NULL)
273 if (BN_cmp(priv1, priv2) != 0)
287 opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
290 EC_KEY *eckey = NULL;
293 REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
294 key->key_alg == DST_ALG_ECDSA384);
298 if (key->key_alg == DST_ALG_ECDSA256)
299 group_nid = NID_X9_62_prime256v1;
301 group_nid = NID_secp384r1;
303 eckey = EC_KEY_new_by_curve_name(group_nid);
305 return (dst__openssl_toresult2("EC_KEY_new_by_curve_name",
306 DST_R_OPENSSLFAILURE));
308 if (EC_KEY_generate_key(eckey) != 1)
309 DST_RET (dst__openssl_toresult2("EC_KEY_generate_key",
310 DST_R_OPENSSLFAILURE));
312 pkey = EVP_PKEY_new();
314 DST_RET (ISC_R_NOMEMORY);
315 if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
317 DST_RET (ISC_R_FAILURE);
319 key->keydata.pkey = pkey;
329 opensslecdsa_isprivate(const dst_key_t *key) {
331 EVP_PKEY *pkey = key->keydata.pkey;
332 EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
334 ret = ISC_TF(eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
341 opensslecdsa_destroy(dst_key_t *key) {
342 EVP_PKEY *pkey = key->keydata.pkey;
345 key->keydata.pkey = NULL;
349 opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
352 EC_KEY *eckey = NULL;
356 unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
358 REQUIRE(key->keydata.pkey != NULL);
360 pkey = key->keydata.pkey;
361 eckey = EVP_PKEY_get1_EC_KEY(pkey);
363 return (dst__openssl_toresult(ISC_R_FAILURE));
364 len = i2o_ECPublicKey(eckey, NULL);
368 isc_buffer_availableregion(data, &r);
369 if (r.length < (unsigned int) len)
370 DST_RET (ISC_R_NOSPACE);
372 if (!i2o_ECPublicKey(eckey, &cp))
373 DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
374 memcpy(r.base, buf + 1, len);
375 isc_buffer_add(data, len);
385 opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
388 EC_KEY *eckey = NULL;
392 const unsigned char *cp;
393 unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
395 REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
396 key->key_alg == DST_ALG_ECDSA384);
398 if (key->key_alg == DST_ALG_ECDSA256) {
399 len = DNS_KEY_ECDSA256SIZE;
400 group_nid = NID_X9_62_prime256v1;
402 len = DNS_KEY_ECDSA384SIZE;
403 group_nid = NID_secp384r1;
406 isc_buffer_remainingregion(data, &r);
408 return (ISC_R_SUCCESS);
410 return (DST_R_INVALIDPUBLICKEY);
412 eckey = EC_KEY_new_by_curve_name(group_nid);
414 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
416 buf[0] = POINT_CONVERSION_UNCOMPRESSED;
417 memcpy(buf + 1, r.base, len);
419 if (o2i_ECPublicKey(&eckey,
420 (const unsigned char **) &cp,
421 (long) len + 1) == NULL)
422 DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
423 if (EC_KEY_check_key(eckey) != 1)
424 DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
426 pkey = EVP_PKEY_new();
428 DST_RET (ISC_R_NOMEMORY);
429 if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
431 DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
434 isc_buffer_forward(data, len);
435 key->keydata.pkey = pkey;
445 opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
448 EC_KEY *eckey = NULL;
449 const BIGNUM *privkey;
451 unsigned char *buf = NULL;
453 if (key->keydata.pkey == NULL)
454 return (DST_R_NULLKEY);
456 pkey = key->keydata.pkey;
457 eckey = EVP_PKEY_get1_EC_KEY(pkey);
459 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
460 privkey = EC_KEY_get0_private_key(eckey);
462 DST_RET (ISC_R_FAILURE);
464 buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
466 DST_RET (ISC_R_NOMEMORY);
468 priv.elements[0].tag = TAG_ECDSA_PRIVATEKEY;
469 priv.elements[0].length = BN_num_bytes(privkey);
470 BN_bn2bin(privkey, buf);
471 priv.elements[0].data = buf;
472 priv.nelements = ECDSA_NTAGS;
473 ret = dst__privstruct_writefile(key, &priv, directory);
479 isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
484 ecdsa_check(EC_KEY *eckey, dst_key_t *pub)
486 isc_result_t ret = ISC_R_FAILURE;
488 EC_KEY *pubeckey = NULL;
489 const EC_POINT *pubkey;
492 return (ISC_R_SUCCESS);
493 pkey = pub->keydata.pkey;
495 return (ISC_R_SUCCESS);
496 pubeckey = EVP_PKEY_get1_EC_KEY(pkey);
497 if (pubeckey == NULL)
498 return (ISC_R_SUCCESS);
499 pubkey = EC_KEY_get0_public_key(pubeckey);
501 DST_RET (ISC_R_SUCCESS);
502 if (EC_KEY_set_public_key(eckey, pubkey) != 1)
503 DST_RET (ISC_R_SUCCESS);
504 if (EC_KEY_check_key(eckey) == 1)
505 DST_RET (ISC_R_SUCCESS);
508 if (pubeckey != NULL)
509 EC_KEY_free(pubeckey);
514 opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
518 EC_KEY *eckey = NULL;
521 isc_mem_t *mctx = key->mctx;
523 REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
524 key->key_alg == DST_ALG_ECDSA384);
526 if (key->key_alg == DST_ALG_ECDSA256)
527 group_nid = NID_X9_62_prime256v1;
529 group_nid = NID_secp384r1;
531 eckey = EC_KEY_new_by_curve_name(group_nid);
533 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
535 /* read private key file */
536 ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
537 if (ret != ISC_R_SUCCESS)
540 privkey = BN_bin2bn(priv.elements[0].data,
541 priv.elements[0].length, NULL);
543 DST_RET(ISC_R_NOMEMORY);
544 if (!EC_KEY_set_private_key(eckey, privkey))
545 DST_RET(ISC_R_NOMEMORY);
546 if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS)
547 DST_RET(DST_R_INVALIDPRIVATEKEY);
548 dst__privstruct_free(&priv, mctx);
549 memset(&priv, 0, sizeof(priv));
551 pkey = EVP_PKEY_new();
553 DST_RET (ISC_R_NOMEMORY);
554 if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
556 DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
558 key->keydata.pkey = pkey;
564 dst__privstruct_free(&priv, mctx);
565 memset(&priv, 0, sizeof(priv));
569 static dst_func_t opensslecdsa_functions = {
570 opensslecdsa_createctx,
571 opensslecdsa_destroyctx,
572 opensslecdsa_adddata,
575 NULL, /*%< verify2 */
576 NULL, /*%< computesecret */
577 opensslecdsa_compare,
578 NULL, /*%< paramcompare */
579 opensslecdsa_generate,
580 opensslecdsa_isprivate,
581 opensslecdsa_destroy,
583 opensslecdsa_fromdns,
586 NULL, /*%< cleanup */
587 NULL, /*%< fromlabel */
589 NULL, /*%< restore */
593 dst__opensslecdsa_init(dst_func_t **funcp) {
594 REQUIRE(funcp != NULL);
596 *funcp = &opensslecdsa_functions;
597 return (ISC_R_SUCCESS);
600 #else /* HAVE_OPENSSL_ECDSA */
602 #include <isc/util.h>
604 EMPTY_TRANSLATION_UNIT
606 #endif /* HAVE_OPENSSL_ECDSA */