Don't depend on crypto/bytestring for ECDSA self-tests.

This will let us keep CBS/CBB out of the module. It also makes the PWCT actually use a hard-coded public key since kEC was using the private-key-only serialization. Change-Id: I3769fa26fc789c4797a56534df73f810cf5441c4 Reviewed-on: https://boringssl-review.googlesource.com/15830 Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 16:37:51 -04:00 · 2017-05-02 16:37:51 -04:00 · fa839dcac0
commit fa839dcac0
parent 09ffa773dd
1 changed files with 44 additions and 13 deletions
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@ -26,6 +26,7 @@
 #include <openssl/ecdsa.h>
 #include <openssl/ec_key.h>
 #include <openssl/hmac.h>
+#include <openssl/nid.h>
 #include <openssl/rsa.h>

 #include "../internal.h"
@ -242,6 +243,41 @@ static RSA *self_test_rsa_key(void) {
  return rsa;
 }

+static EC_KEY *self_test_ecdsa_key(void) {
+  static const uint8_t kQx[] = {
+      0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,
+      0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,
+      0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,
+  };
+  static const uint8_t kQy[] = {
+      0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,
+      0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,
+      0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,
+  };
+  static const uint8_t kD[] = {
+      0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,
+      0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,
+      0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
+  };
+
+  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);
+  BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);
+  BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);
+  if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||
+      !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||
+      !EC_KEY_set_private_key(ec_key, d) ||
+      !EC_KEY_check_fips(ec_key)) {
+    EC_KEY_free(ec_key);
+    ec_key = NULL;
+  }
+
+  BN_free(qx);
+  BN_free(qy);
+  BN_free(d);
+  return ec_key;
+}
+
 #ifndef OPENSSL_ASAN
 /* These symbols are filled in by delocate.go. They point to the start and end
 * of the module, and the location of the integrity hash, respectively. */
@ -350,13 +386,6 @@ static void BORINGSSL_bcm_power_on_self_test(void) {
      0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d,
      0xd2, 0x0c, 0xb1, 0x64,
  };
-  static const uint8_t kEC[] = {
-      0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda,
-      0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb,
-      0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2,
-      0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
-      0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
-  };
  const uint8_t kDRBGEntropy[48] =
      "BCM Known Answer Test DBRG Initial Entropy      ";
  const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
@ -506,20 +535,22 @@ static void BORINGSSL_bcm_power_on_self_test(void) {

  RSA_free(rsa_key);

-  CBS ec_cbs;
-  CBS_init(&ec_cbs, kEC, sizeof(kEC));
-  EC_KEY *ec_key = EC_KEY_parse_private_key(&ec_cbs, NULL);
+  EC_KEY *ec_key = self_test_ecdsa_key();
  if (ec_key == NULL) {
    goto err;
  }

-  /* EC Sign/Verify PWCT */
-  if (!ECDSA_sign(0, kPlaintext, sizeof(kPlaintext), output, &sig_len, ec_key) ||
-      !ECDSA_verify(0, kPlaintext, sizeof(kPlaintext), output, sig_len, ec_key)) {
+  /* ECDSA Sign/Verify PWCT */
+  ECDSA_SIG *sig =
+      ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
+  if (sig == NULL ||
+      !ECDSA_do_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), sig,
+                       ec_key)) {
    printf("ECDSA Sign/Verify PWCT failed.\n");
    goto err;
  }

+  ECDSA_SIG_free(sig);
  EC_KEY_free(ec_key);

  /* DBRG KAT */