1 /*
2  *  Copyright (c) 2020, The OpenThread Authors.
3  *  All rights reserved.
4  *
5  *  Redistribution and use in source and binary forms, with or without
6  *  modification, are permitted provided that the following conditions are met:
7  *  1. Redistributions of source code must retain the above copyright
8  *     notice, this list of conditions and the following disclaimer.
9  *  2. Redistributions in binary form must reproduce the above copyright
10  *     notice, this list of conditions and the following disclaimer in the
11  *     documentation and/or other materials provided with the distribution.
12  *  3. Neither the name of the copyright holder nor the
13  *     names of its contributors may be used to endorse or promote products
14  *     derived from this software without specific prior written permission.
15  *
16  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26  *  POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #include <openthread/config.h>
30 
31 #include "test_platform.h"
32 #include "test_util.hpp"
33 
34 #include "common/debug.hpp"
35 #include "common/random.hpp"
36 #include "crypto/ecdsa.hpp"
37 
38 #include <mbedtls/ctr_drbg.h>
39 #include <mbedtls/ecdsa.h>
40 #include <mbedtls/pk.h>
41 
42 #if OPENTHREAD_CONFIG_ECDSA_ENABLE
43 
44 namespace ot {
45 namespace Crypto {
46 
TestEcdsaVector(void)47 void TestEcdsaVector(void)
48 {
49     // This case is derived from the test vector from RFC 6979 - section A.2.5 (for NIST P-256 and SHA-256 hash).
50 
51     const uint8_t kKeyPairInfo[] = {
52         0x30, 0x78, 0x02, 0x01, 0x01, 0x04, 0x21, 0x00, 0xC9, 0xAF, 0xA9, 0xD8, 0x45, 0xBA, 0x75, 0x16, 0x6B, 0x5C,
53         0x21, 0x57, 0x67, 0xB1, 0xD6, 0x93, 0x4E, 0x50, 0xC3, 0xDB, 0x36, 0xE8, 0x9B, 0x12, 0x7B, 0x8A, 0x62, 0x2B,
54         0x12, 0x0F, 0x67, 0x21, 0xA0, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0xA1, 0x44,
55         0x03, 0x42, 0x00, 0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D, 0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35,
56         0x6D, 0x68, 0xC0, 0x49, 0xB8, 0x92, 0x3B, 0x61, 0xFA, 0x6C, 0xE6, 0x69, 0x62, 0x2E, 0x60, 0xF2, 0x9F, 0xB6,
57         0x79, 0x03, 0xFE, 0x10, 0x08, 0xB8, 0xBC, 0x99, 0xA4, 0x1A, 0xE9, 0xE9, 0x56, 0x28, 0xBC, 0x64, 0xF2, 0xF1,
58         0xB2, 0x0C, 0x2D, 0x7E, 0x9F, 0x51, 0x77, 0xA3, 0xC2, 0x94, 0xD4, 0x46, 0x22, 0x99};
59 
60     const uint8_t kPublicKey[] = {
61         0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D, 0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D, 0x68,
62         0xC0, 0x49, 0xB8, 0x92, 0x3B, 0x61, 0xFA, 0x6C, 0xE6, 0x69, 0x62, 0x2E, 0x60, 0xF2, 0x9F, 0xB6,
63         0x79, 0x03, 0xFE, 0x10, 0x08, 0xB8, 0xBC, 0x99, 0xA4, 0x1A, 0xE9, 0xE9, 0x56, 0x28, 0xBC, 0x64,
64         0xF2, 0xF1, 0xB2, 0x0C, 0x2D, 0x7E, 0x9F, 0x51, 0x77, 0xA3, 0xC2, 0x94, 0xD4, 0x46, 0x22, 0x99,
65     };
66 
67     const uint8_t kMessage[] = {'s', 'a', 'm', 'p', 'l', 'e'};
68 
69 #if OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE
70     const uint8_t kExpectedSignature[] = {
71         0xEF, 0xD4, 0x8B, 0x2A, 0xAC, 0xB6, 0xA8, 0xFD, 0x11, 0x40, 0xDD, 0x9C, 0xD4, 0x5E, 0x81, 0xD6,
72         0x9D, 0x2C, 0x87, 0x7B, 0x56, 0xAA, 0xF9, 0x91, 0xC3, 0x4D, 0x0E, 0xA8, 0x4E, 0xAF, 0x37, 0x16,
73         0xF7, 0xCB, 0x1C, 0x94, 0x2D, 0x65, 0x7C, 0x41, 0xD4, 0x36, 0xC7, 0xA1, 0xB6, 0xE2, 0x9F, 0x65,
74         0xF3, 0xE9, 0x00, 0xDB, 0xB9, 0xAF, 0xF4, 0x06, 0x4D, 0xC4, 0xAB, 0x2F, 0x84, 0x3A, 0xCD, 0xA8,
75     };
76 #endif
77 
78     Instance *instance = testInitInstance();
79 
80     Ecdsa::P256::KeyPair   keyPair;
81     Ecdsa::P256::PublicKey publicKey;
82     Ecdsa::P256::Signature signature;
83     Sha256                 sha256;
84     Sha256::Hash           hash;
85 
86     VerifyOrQuit(instance != nullptr, "Null OpenThread instance");
87 
88     printf("\n===========================================================================\n");
89     printf("Test ECDA with test vector from RFC 6979 (A.2.5)\n");
90 
91     printf("\nLoading key-pair ----------------------------------------------------------\n");
92     memcpy(keyPair.GetDerBytes(), kKeyPairInfo, sizeof(kKeyPairInfo));
93     keyPair.SetDerLength(sizeof(kKeyPairInfo));
94 
95     DumpBuffer("KeyPair", keyPair.GetDerBytes(), keyPair.GetDerLength());
96 
97     SuccessOrQuit(keyPair.GetPublicKey(publicKey));
98     DumpBuffer("PublicKey", publicKey.GetBytes(), Ecdsa::P256::PublicKey::kSize);
99 
100     VerifyOrQuit(sizeof(kPublicKey) == Ecdsa::P256::PublicKey::kSize, "Example public key is invalid");
101     VerifyOrQuit(memcmp(publicKey.GetBytes(), kPublicKey, sizeof(kPublicKey)) == 0,
102                  "KeyPair::GetPublicKey() did not return the expected key");
103 
104     printf("\nHash the message ----------------------------------------------------------\n");
105     sha256.Start();
106     sha256.Update(kMessage);
107     sha256.Finish(hash);
108 
109     DumpBuffer("Hash", hash.GetBytes(), sizeof(hash));
110 
111     printf("\nSign the message ----------------------------------------------------------\n");
112     SuccessOrQuit(keyPair.Sign(hash, signature));
113     DumpBuffer("Signature", signature.GetBytes(), sizeof(signature));
114 
115 #if OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE
116     printf("\nCheck signature against expected sequence----------------------------------\n");
117     DumpBuffer("Expected signature", kExpectedSignature, sizeof(kExpectedSignature));
118 
119     VerifyOrQuit(sizeof(kExpectedSignature) == sizeof(signature));
120     VerifyOrQuit(memcmp(signature.GetBytes(), kExpectedSignature, sizeof(kExpectedSignature)) == 0);
121 
122     printf("Signature matches expected sequence.\n");
123 #endif
124 
125     printf("\nVerify the signature ------------------------------------------------------\n");
126     SuccessOrQuit(publicKey.Verify(hash, signature));
127     printf("\nSignature was verified successfully.\n\n");
128 
129     testFreeInstance(instance);
130 }
131 
TestEcdsaKeyGenerationSignAndVerify(void)132 void TestEcdsaKeyGenerationSignAndVerify(void)
133 {
134     Instance *instance = testInitInstance();
135 
136     const char kMessage[] = "You are not a drop in the ocean. You are the entire ocean in a drop.";
137 
138     Ecdsa::P256::KeyPair   keyPair;
139     Ecdsa::P256::PublicKey publicKey;
140     Ecdsa::P256::Signature signature;
141     Sha256                 sha256;
142     Sha256::Hash           hash;
143 
144     VerifyOrQuit(instance != nullptr, "Null OpenThread instance");
145 
146     printf("\n===========================================================================\n");
147     printf("Test ECDA key generation, signing and verification\n");
148 
149     printf("\nGenerating key-pair -------------------------------------------------------\n");
150     SuccessOrQuit(keyPair.Generate());
151 
152     DumpBuffer("KeyPair", keyPair.GetDerBytes(), keyPair.GetDerLength());
153 
154     SuccessOrQuit(keyPair.GetPublicKey(publicKey));
155     DumpBuffer("PublicKey", publicKey.GetBytes(), Ecdsa::P256::PublicKey::kSize);
156 
157     printf("\nHash the message ----------------------------------------------------------\n");
158     sha256.Start();
159     sha256.Update(kMessage, sizeof(kMessage) - 1);
160     sha256.Finish(hash);
161 
162     DumpBuffer("Hash", hash.GetBytes(), sizeof(hash));
163 
164     printf("\nSign the message ----------------------------------------------------------\n");
165     SuccessOrQuit(keyPair.Sign(hash, signature));
166     DumpBuffer("Signature", signature.GetBytes(), sizeof(signature));
167 
168     printf("\nVerify the signature ------------------------------------------------------\n");
169     SuccessOrQuit(publicKey.Verify(hash, signature));
170     printf("\nSignature was verified successfully.");
171 
172     sha256.Start();
173     sha256.Update(kMessage, sizeof(kMessage)); // include null char
174     sha256.Finish(hash);
175     VerifyOrQuit(publicKey.Verify(hash, signature) != kErrorNone, "PublicKey::Verify() passed for invalid signature");
176     printf("\nSignature verification correctly failed with incorrect hash/signature.\n\n");
177 
178     testFreeInstance(instance);
179 }
180 
181 } // namespace Crypto
182 } // namespace ot
183 
184 #endif // OPENTHREAD_CONFIG_ECDSA_ENABLE
185 
main(void)186 int main(void)
187 {
188 #if OPENTHREAD_CONFIG_ECDSA_ENABLE
189     ot::Crypto::TestEcdsaVector();
190     ot::Crypto::TestEcdsaKeyGenerationSignAndVerify();
191     printf("All tests passed\n");
192 #else
193     printf("ECDSA feature is not enabled\n");
194 #endif
195 
196     return 0;
197 }
198