1 /* Copyright (c) 2019, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #ifndef OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H
16 #define OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H
17 
18 #include <openssl/base.h>
19 #include <openssl/ec.h>
20 #include <openssl/ec_key.h>
21 #include <openssl/nid.h>
22 
23 #include "../fipsmodule/ec/internal.h"
24 
25 #include <openssl/trust_token.h>
26 
27 
28 #if defined(__cplusplus)
29 extern "C" {
30 #endif
31 
32 
33 // For the following cryptographic schemes, we use P-384 instead of our usual
34 // choice of P-256. See Appendix I of
35 // https://eprint.iacr.org/2020/072/20200324:214215 which describes two attacks
36 // which may affect smaller curves. In particular, p-1 for P-256 is smooth,
37 // giving a low complexity for the p-1 attack. P-384's p-1 has a 281-bit prime
38 // factor,
39 // 3055465788140352002733946906144561090641249606160407884365391979704929268480326390471.
40 // This lower-bounds the p-1 attack at O(2^140). The p+1 attack is lower-bounded
41 // by O(p^(1/3)) or O(2^128), so we do not need to check the smoothness of p+1.
42 
43 
44 // TRUST_TOKEN_NONCE_SIZE is the size of nonces used as part of the Trust_Token
45 // protocol.
46 #define TRUST_TOKEN_NONCE_SIZE 64
47 
48 typedef struct {
49   // TODO(https://crbug.com/boringssl/334): These should store |EC_PRECOMP| so
50   // that |TRUST_TOKEN_finish_issuance| can use |ec_point_mul_scalar_precomp|.
51   EC_AFFINE pub0;
52   EC_AFFINE pub1;
53   EC_AFFINE pubs;
54 } TRUST_TOKEN_CLIENT_KEY;
55 
56 typedef struct {
57   EC_SCALAR x0;
58   EC_SCALAR y0;
59   EC_SCALAR x1;
60   EC_SCALAR y1;
61   EC_SCALAR xs;
62   EC_SCALAR ys;
63   EC_AFFINE pub0;
64   EC_PRECOMP pub0_precomp;
65   EC_AFFINE pub1;
66   EC_PRECOMP pub1_precomp;
67   EC_AFFINE pubs;
68   EC_PRECOMP pubs_precomp;
69 } TRUST_TOKEN_ISSUER_KEY;
70 
71 // TRUST_TOKEN_PRETOKEN represents the intermediate state a client keeps during
72 // a Trust_Token issuance operation.
73 typedef struct pmb_pretoken_st {
74   uint8_t t[TRUST_TOKEN_NONCE_SIZE];
75   EC_SCALAR r;
76   EC_AFFINE Tp;
77 } TRUST_TOKEN_PRETOKEN;
78 
79 // TRUST_TOKEN_PRETOKEN_free releases the memory associated with |token|.
80 OPENSSL_EXPORT void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *token);
81 
82 DEFINE_STACK_OF(TRUST_TOKEN_PRETOKEN)
83 
84 
85 // PMBTokens.
86 //
87 // PMBTokens is described in https://eprint.iacr.org/2020/072/20200324:214215
88 // and provides anonymous tokens with private metadata. We implement the
89 // construction with validity verification, described in appendix H,
90 // construction 6.
91 
92 // The following functions implement the corresponding |TRUST_TOKENS_METHOD|
93 // functions for |TRUST_TOKENS_experiment_v1|'s PMBTokens construction which
94 // uses P-384.
95 int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public);
96 int pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
97                                         const uint8_t *in, size_t len);
98 int pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
99                                         const uint8_t *in, size_t len);
100 STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count);
101 int pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
102                        size_t num_requested, size_t num_to_issue,
103                        uint8_t private_metadata);
104 STACK_OF(TRUST_TOKEN) *
105     pmbtoken_exp1_unblind(const TRUST_TOKEN_CLIENT_KEY *key,
106                           const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens,
107                           CBS *cbs, size_t count, uint32_t key_id);
108 int pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key,
109                        uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
110                        uint8_t *out_private_metadata, const uint8_t *token,
111                        size_t token_len);
112 
113 // pmbtoken_exp1_get_h_for_testing returns H in uncompressed coordinates. This
114 // function is used to confirm H was computed as expected.
115 OPENSSL_EXPORT int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]);
116 
117 // The following functions implement the corresponding |TRUST_TOKENS_METHOD|
118 // functions for |TRUST_TOKENS_experiment_v2|'s PMBTokens construction which
119 // uses P-384.
120 int pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public);
121 int pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
122                                         const uint8_t *in, size_t len);
123 int pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
124                                         const uint8_t *in, size_t len);
125 STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp2_blind(CBB *cbb, size_t count);
126 int pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
127                        size_t num_requested, size_t num_to_issue,
128                        uint8_t private_metadata);
129 STACK_OF(TRUST_TOKEN) *
130     pmbtoken_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key,
131                           const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens,
132                           CBS *cbs, size_t count, uint32_t key_id);
133 int pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
134                        uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
135                        uint8_t *out_private_metadata, const uint8_t *token,
136                        size_t token_len);
137 
138 // pmbtoken_exp2_get_h_for_testing returns H in uncompressed coordinates. This
139 // function is used to confirm H was computed as expected.
140 OPENSSL_EXPORT int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]);
141 
142 
143 // VOPRF.
144 //
145 // VOPRFs are described in https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04
146 // and provide anonymous tokens. This implementation uses TrustToken DSTs and
147 // the DLEQ batching primitive from
148 // https://eprint.iacr.org/2020/072/20200324:214215.
149 // VOPRF only uses the |pub|' field of the TRUST_TOKEN_CLIENT_KEY and
150 // |xs|/|pubs| fields of the TRUST_TOKEN_ISSUER_KEY.
151 
152 // The following functions implement the corresponding |TRUST_TOKENS_METHOD|
153 // functions for |TRUST_TOKENS_experiment_v2|'s VOPRF construction which uses
154 // P-384.
155 int voprf_exp2_generate_key(CBB *out_private, CBB *out_public);
156 int voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
157                                      const uint8_t *in, size_t len);
158 int voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
159                                      const uint8_t *in, size_t len);
160 STACK_OF(TRUST_TOKEN_PRETOKEN) * voprf_exp2_blind(CBB *cbb, size_t count);
161 int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
162                     size_t num_requested, size_t num_to_issue,
163                     uint8_t private_metadata);
164 STACK_OF(TRUST_TOKEN) *
165     voprf_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key,
166                        const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens,
167                        CBS *cbs, size_t count, uint32_t key_id);
168 int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
169                     uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
170                     uint8_t *out_private_metadata, const uint8_t *token,
171                     size_t token_len);
172 
173 
174 // Trust Tokens internals.
175 
176 struct trust_token_method_st {
177   // generate_key generates a fresh keypair and writes their serialized
178   // forms into |out_private| and |out_public|. It returns one on success and
179   // zero on failure.
180   int (*generate_key)(CBB *out_private, CBB *out_public);
181 
182   // client_key_from_bytes decodes a client key from |in| and sets |key|
183   // to the resulting key. It returns one on success and zero
184   // on failure.
185   int (*client_key_from_bytes)(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in,
186                                size_t len);
187 
188   // issuer_key_from_bytes decodes a issuer key from |in| and sets |key|
189   // to the resulting key. It returns one on success and zero
190   // on failure.
191   int (*issuer_key_from_bytes)(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in,
192                                size_t len);
193 
194   // blind generates a new issuance request for |count| tokens. On
195   // success, it returns a newly-allocated |STACK_OF(TRUST_TOKEN_PRETOKEN)| and
196   // writes a request to the issuer to |cbb|. On failure, it returns NULL. The
197   // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind| when
198   // the server responds.
199   //
200   // This function implements the AT.Usr0 operation.
201   STACK_OF(TRUST_TOKEN_PRETOKEN) * (*blind)(CBB *cbb, size_t count);
202 
203   // sign parses a request for |num_requested| tokens from |cbs| and
204   // issues |num_to_issue| tokens with |key| and a private metadata value of
205   // |private_metadata|. It then writes the response to |cbb|. It returns one on
206   // success and zero on failure.
207   //
208   // This function implements the AT.Sig operation.
209   int (*sign)(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
210               size_t num_requested, size_t num_to_issue,
211               uint8_t private_metadata);
212 
213   // unblind processes an issuance response for |count| tokens from |cbs|
214   // and unblinds the signed tokens. |pretokens| are the pre-tokens returned
215   // from the corresponding |blind| call. On success, the function returns a
216   // newly-allocated |STACK_OF(TRUST_TOKEN)| containing the resulting tokens.
217   // Each token's serialization will have |key_id| prepended. Otherwise, it
218   // returns NULL.
219   //
220   // This function implements the AT.Usr1 operation.
221   STACK_OF(TRUST_TOKEN) *
222       (*unblind)(const TRUST_TOKEN_CLIENT_KEY *key,
223                  const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs,
224                  size_t count, uint32_t key_id);
225 
226   // read parses a PMBToken from |token| and verifies it using |key|. On
227   // success, it returns one and stores the nonce and private metadata bit in
228   // |out_nonce| and |*out_private_metadata|. Otherwise, it returns zero. Note
229   // that, unlike the output of |unblind|, |token| does not have a
230   // four-byte key ID prepended.
231   int (*read)(const TRUST_TOKEN_ISSUER_KEY *key,
232               uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
233               uint8_t *out_private_metadata, const uint8_t *token,
234               size_t token_len);
235 
236   // whether the construction supports private metadata.
237   int has_private_metadata;
238 
239   // max keys that can be configured.
240   size_t max_keys;
241 
242   // whether the SRR is part of the protocol.
243   int has_srr;
244 };
245 
246 // Structure representing a single Trust Token public key with the specified ID.
247 struct trust_token_client_key_st {
248   uint32_t id;
249   TRUST_TOKEN_CLIENT_KEY key;
250 };
251 
252 // Structure representing a single Trust Token private key with the specified
253 // ID.
254 struct trust_token_issuer_key_st {
255   uint32_t id;
256   TRUST_TOKEN_ISSUER_KEY key;
257 };
258 
259 struct trust_token_client_st {
260   const TRUST_TOKEN_METHOD *method;
261 
262   // max_batchsize is the maximum supported batchsize.
263   uint16_t max_batchsize;
264 
265   // keys is the set of public keys that are supported by the client for
266   // issuance/redemptions.
267   struct trust_token_client_key_st keys[6];
268 
269   // num_keys is the number of keys currently configured.
270   size_t num_keys;
271 
272   // pretokens is the intermediate state during an active issuance.
273   STACK_OF(TRUST_TOKEN_PRETOKEN)* pretokens;
274 
275   // srr_key is the public key used to verify the signature of the SRR.
276   EVP_PKEY *srr_key;
277 };
278 
279 
280 struct trust_token_issuer_st {
281   const TRUST_TOKEN_METHOD *method;
282 
283   // max_batchsize is the maximum supported batchsize.
284   uint16_t max_batchsize;
285 
286   // keys is the set of private keys that are supported by the issuer for
287   // issuance/redemptions. The public metadata is an index into this list of
288   // keys.
289   struct trust_token_issuer_key_st keys[6];
290 
291   // num_keys is the number of keys currently configured.
292   size_t num_keys;
293 
294   // srr_key is the private key used to sign the SRR.
295   EVP_PKEY *srr_key;
296 
297   // metadata_key is the secret material used to encode the private metadata bit
298   // in the SRR.
299   uint8_t *metadata_key;
300   size_t metadata_key_len;
301 };
302 
303 
304 #if defined(__cplusplus)
305 }  // extern C
306 
307 extern "C++" {
308 
309 BSSL_NAMESPACE_BEGIN
310 
311 BORINGSSL_MAKE_DELETER(TRUST_TOKEN_PRETOKEN, TRUST_TOKEN_PRETOKEN_free)
312 
313 BSSL_NAMESPACE_END
314 
315 }  // extern C++
316 #endif
317 
318 #endif  // OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H
319