1 /* Copyright (c) 2014, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <stdio.h>
16 #include <string.h>
17 
18 #include <vector>
19 
20 #include <openssl/crypto.h>
21 #include <openssl/ec_key.h>
22 #include <openssl/err.h>
23 #include <openssl/mem.h>
24 
25 #include "../test/scoped_types.h"
26 #include "../test/stl_compat.h"
27 
28 
29 // kECKeyWithoutPublic is an ECPrivateKey with the optional publicKey field
30 // omitted.
31 static const uint8_t kECKeyWithoutPublic[] = {
32   0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,
33   0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,
34   0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
35   0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
36 };
37 
38 // kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
39 // the private key is one. The private key is incorrectly encoded without zero
40 // padding.
41 static const uint8_t kECKeyMissingZeros[] = {
42   0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
43   0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04,
44   0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63,
45   0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1,
46   0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f,
47   0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
48   0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
49 };
50 
51 // kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
52 // the private key is one. The private key is encoded with the required zero
53 // padding.
54 static const uint8_t kECKeyWithZeros[] = {
55   0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
56   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
57   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
58   0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1,
59   0x44, 0x03, 0x42, 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,
60   0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d,
61   0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3,
62   0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e,
63   0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68,
64   0x37, 0xbf, 0x51, 0xf5,
65 };
66 
67 // DecodeECPrivateKey decodes |in| as an ECPrivateKey structure and returns the
68 // result or nullptr on error.
DecodeECPrivateKey(const uint8_t * in,size_t in_len)69 static ScopedEC_KEY DecodeECPrivateKey(const uint8_t *in, size_t in_len) {
70   const uint8_t *inp = in;
71   ScopedEC_KEY ret(d2i_ECPrivateKey(NULL, &inp, in_len));
72   if (!ret || inp != in + in_len) {
73     return nullptr;
74   }
75   return ret;
76 }
77 
78 // EncodeECPrivateKey encodes |key| as an ECPrivateKey structure into |*out|. It
79 // returns true on success or false on error.
EncodeECPrivateKey(std::vector<uint8_t> * out,EC_KEY * key)80 static bool EncodeECPrivateKey(std::vector<uint8_t> *out, EC_KEY *key) {
81   int len = i2d_ECPrivateKey(key, NULL);
82   out->resize(len);
83   uint8_t *outp = bssl::vector_data(out);
84   return i2d_ECPrivateKey(key, &outp) == len;
85 }
86 
Testd2i_ECPrivateKey()87 bool Testd2i_ECPrivateKey() {
88   ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithoutPublic,
89                                         sizeof(kECKeyWithoutPublic));
90   if (!key) {
91     fprintf(stderr, "Failed to parse private key.\n");
92     ERR_print_errors_fp(stderr);
93     return false;
94   }
95 
96   std::vector<uint8_t> out;
97   if (!EncodeECPrivateKey(&out, key.get())) {
98     fprintf(stderr, "Failed to serialize private key.\n");
99     ERR_print_errors_fp(stderr);
100     return false;
101   }
102 
103   if (std::vector<uint8_t>(kECKeyWithoutPublic,
104                            kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) !=
105       out) {
106     fprintf(stderr, "Serialisation of key doesn't match original.\n");
107     return false;
108   }
109 
110   const EC_POINT *pub_key = EC_KEY_get0_public_key(key.get());
111   if (pub_key == NULL) {
112     fprintf(stderr, "Public key missing.\n");
113     return false;
114   }
115 
116   ScopedBIGNUM x(BN_new());
117   ScopedBIGNUM y(BN_new());
118   if (!x || !y) {
119     return false;
120   }
121   if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key.get()),
122                                            pub_key, x.get(), y.get(), NULL)) {
123     fprintf(stderr, "Failed to get public key in affine coordinates.\n");
124     return false;
125   }
126   ScopedOpenSSLString x_hex(BN_bn2hex(x.get()));
127   ScopedOpenSSLString y_hex(BN_bn2hex(y.get()));
128   if (!x_hex || !y_hex) {
129     return false;
130   }
131   if (0 != strcmp(
132           x_hex.get(),
133           "c81561ecf2e54edefe6617db1c7a34a70744ddb261f269b83dacfcd2ade5a681") ||
134       0 != strcmp(
135           y_hex.get(),
136           "e0e2afa3f9b6abe4c698ef6495f1be49a3196c5056acb3763fe4507eec596e88")) {
137     fprintf(stderr, "Incorrect public key: %s %s\n", x_hex.get(), y_hex.get());
138     return false;
139   }
140 
141   return true;
142 }
143 
TestZeroPadding()144 static bool TestZeroPadding() {
145   // Check that the correct encoding round-trips.
146   ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithZeros,
147                                         sizeof(kECKeyWithZeros));
148   std::vector<uint8_t> out;
149   if (!key || !EncodeECPrivateKey(&out, key.get())) {
150     ERR_print_errors_fp(stderr);
151     return false;
152   }
153 
154   if (std::vector<uint8_t>(kECKeyWithZeros,
155                            kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
156     fprintf(stderr, "Serialisation of key was incorrect.\n");
157     return false;
158   }
159 
160   // Keys without leading zeros also parse, but they encode correctly.
161   key = DecodeECPrivateKey(kECKeyMissingZeros, sizeof(kECKeyMissingZeros));
162   if (!key || !EncodeECPrivateKey(&out, key.get())) {
163     ERR_print_errors_fp(stderr);
164     return false;
165   }
166 
167   if (std::vector<uint8_t>(kECKeyWithZeros,
168                            kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
169     fprintf(stderr, "Serialisation of key was incorrect.\n");
170     return false;
171   }
172 
173   return true;
174 }
175 
main(void)176 int main(void) {
177   CRYPTO_library_init();
178   ERR_load_crypto_strings();
179 
180   if (!Testd2i_ECPrivateKey() ||
181       !TestZeroPadding()) {
182     fprintf(stderr, "failed\n");
183     return 1;
184   }
185 
186   printf("PASS\n");
187   return 0;
188 }
189