/*
 * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
 * Use is subject to license terms.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this library; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 */

/* *********************************************************************
 *
 * The Original Code is the Elliptic Curve Cryptography library.
 *
 * The Initial Developer of the Original Code is
 * Portions created by the Initial Developer are Copyright (C) 2003
 * the Initial Developer. All Rights Reserved.
 *
 * Dr Vipul Gupta <vipul.gupta@sun.com> and
 * Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
 *
 *********************************************************************** */

/*
 * Returns true if pointP is the point at infinity, false otherwise
 */

/*
 * Computes scalar point multiplication pointQ = k1 * G + k2 * pointP for
 * the curve whose parameters are encoded in params with base point G.
 */

#if 0
/* currently don't support non-named curves */

/* NOTE: We only support uncompressed points for now */

/* construct from named params, if possible */

#if 0
/* currently don't support non-named curves */

/* Set up mp_ints containing the curve coefficients */

/* Construct the SECItem representation of point Q */

/* Generates a new EC key pair. The private key is a supplied
 * value and the public key is the result of performing a scalar
 * point multiplication of that value with the curve's base point.
 */

/* Initialize an arena for the EC key. */

/* Set the version number (SEC 1 section C.4 says it should be 1) */

/* Copy all of the fields from the ECParams argument to the
 * ECParams structure within the private key.
 */

/* Compute corresponding public key */

/* Generates a new EC key pair. The private key is a supplied
 * random value (in seed) and the public key is the result of
 * performing a scalar point multiplication of that value with
 */

/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
 * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
 * - order: a buffer that holds the curve's group order
 * - len: the length in octets of the order buffer
 * - random: a buffer of 2 * len random bytes
 * - randomlen: the length in octets of the random buffer
 * Returns a buffer of len octets that holds the private key. The caller
 * is responsible for freeing the buffer with PORT_ZFree.
 */

/*
 * Reduces the 2*len buffer of random bytes modulo the group order.
 */

/* No need to generate - random bytes are now supplied */
/* CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );*/

/* Generates a new EC key pair. The private key is a random value and
 * the public key is the result of performing a scalar point multiplication
 * of that value with the curve's base point.
 */

/* Validates an EC public key as described in Section 5.2.2 of
 * X9.62. The ECDH primitive when used without the cofactor does
 * not address small subgroup attacks, which may occur when the
 * public key is not valid. These attacks can be prevented by
 * validating the public key before using ECDH.
 */

/* NOTE: We only support uncompressed points for now */

/* construct from named params */

/*
 * ECGroup_fromName fails if ecParams->name is not a valid
 * ECCurveName value, or if we run out of memory, or perhaps
 * for other reasons. Unfortunately if ecParams->name is a
 * valid ECCurveName value, we don't know what the right error
 * code should be because ECGroup_fromName doesn't return an
 * error code to the caller. Set err to MP_UNDEF because
 * that's what ECGroup_fromName uses internally.
 */

/* validate public point */

/*
** Performs an ECDH key derivation by computing the scalar point
** multiplication of privateValue and publicValue (with or without the
** cofactor) and returns the x-coordinate of the resulting elliptic
** curve point in derived secret. If successful, derivedSecret->data
** is set to the address of the newly allocated buffer containing the
** derived secret, and derivedSecret->len is the size of the secret
** produced. It is the caller's responsibility to free the allocated
** buffer containing the derived secret.
*/

/* multiply k with the cofactor */

/* Multiply our private key and peer's public point */

/* Allocate memory for the derived secret and copy
 * the x co-ordinate of pointQ into it.
 */

/* Computes the ECDSA signature (a concatenation of two values r and s)
 * on the digest using the given key and the random value kb (used in
 */

int flen = 0;   /* length in bytes of the field size */
unsigned olen;  /* length in bytes of the base point order */

/* Initialize MPI integers. */
/* must happen before the first potential call to cleanup */

/* a call to get the signature length only */

/* Make sure k is in the interval [1, n-1] */

/*
** ANSI X9.62, Section 5.3.2, Step 2
*/

/*
** ANSI X9.62, Section 5.3.3, Step 1
** Extract the x co-ordinate of kG into x1
*/

/*
** ANSI X9.62, Section 5.3.3, Step 2
** r = x1 mod n NOTE: n is the order of the curve
*/

/*
** ANSI X9.62, Section 5.3.3, Step 3
*/

/*
** ANSI X9.62, Section 5.3.3, Step 4
** s = (k**-1 * (HASH(M) + d*r)) mod n
*/

/* In the definition of EC signing, digests are truncated
 * to the length of n in bits.
 * (see SEC 1 "Elliptic Curve Digital Signature Algorithm" section 4.1.) */

/*
** ANSI X9.62, Section 5.3.3, Step 5
** Signature is tuple (r, s)
*/

/*
** Computes the ECDSA signature on the digest using the given key
*/

/* Generate random value k */

/* Generate ECDSA signature with the specified k value */

/*
** Checks the signature on the given digest using the key provided.
*/

int slen;       /* length in bytes of a half signature (r or s) */
int flen;       /* length in bytes of the field size */
unsigned olen;  /* length in bytes of the base point order */

/* Initialize MPI integers. */
/* must happen before the first potential call to cleanup */

/*
** Convert received signature (r', s') into MPI integers.
*/

/*
** ANSI X9.62, Section 5.4.2, Steps 1 and 2
** Verify that 0 < r' < n and 0 < s' < n
*/

/*
** ANSI X9.62, Section 5.4.2, Step 3
*/

/*
** ANSI X9.62, Section 5.4.2, Step 4
** u1 = ((HASH(M')) * c) mod n
*/

/* In the definition of EC signing, digests are truncated
 * to the length of n in bits.
 * (see SEC 1 "Elliptic Curve Digital Signature Algorithm" section 4.1.) */

/*
** ANSI X9.62, Section 5.4.2, Step 4
*/

/*
** ANSI X9.62, Section 5.4.3, Step 1
** Here, A = u1.G, B = u2.Q and C = A + B
** If the result, C, is the point at infinity, reject the signature
*/

/*
** ANSI X9.62, Section 5.4.4, Step 2
*/

/*
** ANSI X9.62, Section 5.4.4, Step 3
*/
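
The public key validation comment above states that ECDH without the cofactor is exposed to small subgroup attacks unless the peer's point is validated first. The following added example (not code from this library) runs the X9.62 Section 5.2.2 checks on a constructed toy curve y^2 = x^3 + x over F_19, which has 20 points, prime subgroup order 5 and cofactor 4; the names `pt`, `validate_public_point` and the curve parameters are assumptions chosen for illustration.

```c
#include <stdio.h>
/* Constructed toy curve y^2 = x^3 + x over F_19 (illustration only).
 * It has 20 points: prime subgroup order N = 5, cofactor 4. */
enum { P = 19, A = 1, B = 0, N = 5 };
typedef struct { int x, y, inf; } pt;
static int md(int v) { v %= P; return v < 0 ? v + P : v; }

static int inv(int v) {              /* v^(P-2) mod P (Fermat) */
    int r = 1, e = P - 2;
    for (v = md(v); e; e >>= 1, v = md(v * v))
        if (e & 1) r = md(r * v);
    return r;
}

static pt add(pt a, pt b) {          /* affine point addition */
    pt r = {0, 0, 1};                /* point at infinity */
    int l;
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x && md(a.y + b.y) == 0) return r;   /* a == -b */
    if (a.x == b.x) l = md((3 * a.x * a.x + A) * inv(2 * a.y));
    else            l = md((b.y - a.y) * inv(b.x - a.x));
    r.x = md(l * l - a.x - b.x);
    r.y = md(l * (a.x - r.x) - a.y);
    r.inf = 0;
    return r;
}

static pt mul(int k, pt q) {         /* double-and-add, k >= 0 */
    pt r = {0, 0, 1};
    for (; k; k >>= 1, q = add(q, q))
        if (k & 1) r = add(r, q);
    return r;
}

/* Returns 1 if q passes all four checks, 0 otherwise. */
int validate_public_point(pt q) {
    if (q.inf) return 0;                                       /* Q != O */
    if (q.x < 0 || q.x >= P || q.y < 0 || q.y >= P) return 0;  /* in F_p */
    if (md(q.y * q.y) != md(q.x * q.x * q.x + A * q.x + B)) return 0;
    return mul(N, q).inf;                                      /* N*Q == O */
}

int main(void) {
    pt g = {5, 4, 0}, two = {0, 0, 0}, big = {3, 7, 0};
    printf("G:%d order-2:%d order-20:%d\n", validate_public_point(g),
           validate_public_point(two), validate_public_point(big));
    return 0;
}
```

The points (0,0) and (3,7) both satisfy the curve equation, so an on-curve test alone accepts them; only the final N*Q == O check rejects points outside the prime-order subgroup.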