Home | History | Annotate | Download | only in libconstrainedcrypto
      1 /*
      2  * Copyright 2013 The Android Open Source Project
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions are met:
      6  *     * Redistributions of source code must retain the above copyright
      7  *       notice, this list of conditions and the following disclaimer.
      8  *     * Redistributions in binary form must reproduce the above copyright
      9  *       notice, this list of conditions and the following disclaimer in the
     10  *       documentation and/or other materials provided with the distribution.
     11  *     * Neither the name of Google Inc. nor the names of its contributors may
     12  *       be used to endorse or promote products derived from this software
     13  *       without specific prior written permission.
     14  *
     15  * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
     16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
     17  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
     18  * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     19  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     20  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
     21  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
     22  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
     23  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
     24  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     25  */
     26 
     27 #include <string.h>
     28 
     29 #include "constrainedcrypto/dsa_sig.h"
     30 #include "constrainedcrypto/p256.h"
     31 
     32 /**
     33  * Trims off the leading zero bytes and copy it to a buffer aligning it to the end.
     34  */
     35 static inline int trim_to_p256_bytes(unsigned char dst[P256_NBYTES], unsigned char *src,
     36         int src_len) {
     37     int dst_offset;
     38     while (*src == '\0' && src_len > 0) {
     39         src++;
     40         src_len--;
     41     }
     42     if (src_len > P256_NBYTES || src_len < 1) {
     43         return 0;
     44     }
     45     dst_offset = P256_NBYTES - src_len;
     46     memset(dst, 0, dst_offset);
     47     memcpy(dst + dst_offset, src, src_len);
     48     return 1;
     49 }
     50 
     51 /**
     52  * Unpacks the ASN.1 DSA signature sequence.
     53  */
     54 int dsa_sig_unpack(unsigned char* sig, int sig_len, p256_int* r_int, p256_int* s_int) {
     55     /*
     56      * Structure is:
     57      *   0x30 0xNN  SEQUENCE + s_length
     58      *     0x02 0xNN  INTEGER + r_length
     59      *       0xAA 0xBB ..   r_length bytes of "r" (offset 4)
     60      *     0x02 0xNN  INTEGER + s_length
     61      *       0xMM 0xNN ..   s_length bytes of "s" (offset 6 + r_len)
     62      */
     63     int seq_len;
     64     unsigned char r_bytes[P256_NBYTES];
     65     unsigned char s_bytes[P256_NBYTES];
     66     int r_len;
     67     int s_len;
     68 
     69     memset(r_bytes, 0, sizeof(r_bytes));
     70     memset(s_bytes, 0, sizeof(s_bytes));
     71 
     72     /*
     73      * Must have at least:
     74      * 2 bytes sequence header and length
     75      * 2 bytes R integer header and length
     76      * 1 byte of R
     77      * 2 bytes S integer header and length
     78      * 1 byte of S
     79      *
     80      * 8 bytes total
     81      */
     82     if (sig_len < 8 || sig[0] != 0x30 || sig[2] != 0x02) {
     83         return 0;
     84     }
     85 
     86     seq_len = sig[1];
     87     if ((seq_len <= 0) || (seq_len + 2 != sig_len)) {
     88         return 0;
     89     }
     90 
     91     r_len = sig[3];
     92     /*
     93      * Must have at least:
     94      * 2 bytes for R header and length
     95      * 2 bytes S integer header and length
     96      * 1 byte of S
     97      */
     98     if ((r_len < 1) || (r_len > seq_len - 5) || (sig[4 + r_len] != 0x02)) {
     99         return 0;
    100     }
    101     s_len = sig[5 + r_len];
    102 
    103     /**
    104      * Must have:
    105      * 2 bytes for R header and length
    106      * r_len bytes for R
    107      * 2 bytes S integer header and length
    108      */
    109     if ((s_len < 1) || (s_len != seq_len - 4 - r_len)) {
    110         return 0;
    111     }
    112 
    113     /*
    114      * ASN.1 encoded integers are zero-padded for positive integers. Make sure we have
    115      * a correctly-sized buffer and that the resulting integer isn't too large.
    116      */
    117     if (!trim_to_p256_bytes(r_bytes, &sig[4], r_len)
    118             || !trim_to_p256_bytes(s_bytes, &sig[6 + r_len], s_len)) {
    119         return 0;
    120     }
    121 
    122     p256_from_bin(r_bytes, r_int);
    123     p256_from_bin(s_bytes, s_int);
    124 
    125     return 1;
    126 }
    127