Merge pull request #39 from dgarske/ecc_verify

Fixes for ECC public key handling

examples/wrap/wrap_test.c

@@ -102,6 +102,7 @@ int TPM2_Wrapper_Test(void* userCtx)
     WOLFTPM2_KEY storageKey;
     WOLFTPM2_KEY rsaKey;
     WOLFTPM2_KEY eccKey;
+    WOLFTPM2_KEY publicKey;
     WOLFTPM2_BUFFER message;
     WOLFTPM2_BUFFER cipher;
     WOLFTPM2_BUFFER plain;
@@ -113,7 +114,6 @@ int TPM2_Wrapper_Test(void* userCtx)
 #endif
 
 #ifndef WOLFTPM2_NO_WOLFCRYPT
-    WOLFTPM2_KEY publicKey;
     int tpmDevId = INVALID_DEVID;
 #ifndef NO_RSA
     word32 idx = 0;
@@ -356,6 +356,48 @@ int TPM2_Wrapper_Test(void* userCtx)
     rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
     if (rc != 0) goto exit;
 
+    /* ECC Public Key Signature Verify Test/Example */
+    {
+        /* [P-256,SHA-1] vector from FIPS 186-3 NIST vectors */
+        const byte msg[] =   {
+            /* Test messsage */
+            0xa3, 0xf9, 0x1a, 0xe2, 0x1b, 0xa6, 0xb3, 0x03, 0x98, 0x64, 0x47,
+            0x2f, 0x18, 0x41, 0x44, 0xc6, 0xaf, 0x62, 0xcd, 0x0e
+        };
+        const byte pubQX[] = {
+            /* Public ECC Key X */
+            0xFA, 0x27, 0x37, 0xFB, 0x93, 0x48, 0x8D, 0x19, 0xCA, 0xEF, 0x11,
+            0xAE, 0x7F, 0xAF, 0x6B, 0x7F, 0x4B, 0xCD, 0x67, 0xB2, 0x86, 0xE3,
+            0xFC, 0x54, 0xE8, 0xA6, 0x5C, 0x2B, 0x74, 0xAE, 0xCC, 0xB0
+        };
+        const byte pubQY[] = {
+            /* Public ECC Key Y */
+            0xD4, 0xCC, 0xD6, 0xDA, 0xE6, 0x98, 0x20, 0x8A, 0xA8, 0xC3, 0xA6,
+            0xF3, 0x9E, 0x45, 0x51, 0x0D, 0x03, 0xBE, 0x09, 0xB2, 0xF1, 0x24,
+            0xBF, 0xC0, 0x67, 0x85, 0x6C, 0x32, 0x4F, 0x9B, 0x4D, 0x09
+        };
+        const byte sigRS[] = {
+            /* Signature R */
+            0x2B, 0x82, 0x6F, 0x5D, 0x44, 0xE2, 0xD0, 0xB6, 0xDE, 0x53, 0x1A,
+            0xD9, 0x6B, 0x51, 0xE8, 0xF0, 0xC5, 0x6F, 0xDF, 0xEA, 0xD3, 0xC2,
+            0x36, 0x89, 0x2E, 0x4D, 0x84, 0xEA, 0xCF, 0xC3, 0xB7, 0x5C,
+            /* Signature S */
+            0xA2, 0x24, 0x8B, 0x62, 0xC0, 0x3D, 0xB3, 0x5A, 0x7C, 0xD6, 0x3E,
+            0x8A, 0x12, 0x0A, 0x35, 0x21, 0xA8, 0x9D, 0x3D, 0x2F, 0x61, 0xFF,
+            0x99, 0x03, 0x5A, 0x21, 0x48, 0xAE, 0x32, 0xE3, 0xA2, 0x48
+        };
+
+        rc = wolfTPM2_LoadEccPublicKey(&dev, &publicKey, TPM_ECC_NIST_P256,
+            pubQX, sizeof(pubQX), pubQY, sizeof(pubQY));
+        if (rc != 0) goto exit;
+
+        rc = wolfTPM2_VerifyHash(&dev, &publicKey, sigRS, sizeof(sigRS),
+            msg, sizeof(msg));
+        if (rc != 0) goto exit;
+
+        rc = wolfTPM2_UnloadHandle(&dev, &publicKey.handle);
+        if (rc != 0) goto exit;
+    }
 
     /* NV Tests */
     rc = wolfTPM2_GetNvAttributesTemplate(TPM_RH_OWNER, &nvAttributes);
@@ -411,6 +453,7 @@ int TPM2_Wrapper_Test(void* userCtx)
 #endif
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */
 
+    wolfTPM2_UnloadHandle(&dev, &publicKey.handle);
     wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
     wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
     wolfTPM2_UnloadHandle(&dev, &ekKey.handle);

src/tpm2.c

@@ -4554,8 +4554,9 @@ int TPM2_GetHashDigestSize(TPMI_ALG_HASH hashAlg)
         case TPM_ALG_SHA512:
             return TPM_SHA512_DIGEST_SIZE;
         default:
-            return 0;
+            break;
     }
+    return 0;
 }
 
 int TPM2_GetNonce(byte* nonceBuf, int nonceSz)

src/tpm2_wrap.c

@@ -400,9 +400,9 @@ int wolfTPM2_LoadEccPublicKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int curveId,
     XMEMSET(&pub, 0, sizeof(pub));
     pub.publicArea.type = TPM_ALG_ECC;
     pub.publicArea.nameAlg = TPM_ALG_NULL;
-    pub.publicArea.objectAttributes = 0;
+    pub.publicArea.objectAttributes = TPMA_OBJECT_sign;
     pub.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
-    pub.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+    pub.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_ECDSA;
     pub.publicArea.parameters.eccDetail.scheme.details.ecdsa.hashAlg =
         WOLFTPM2_WRAP_DIGEST;
     pub.publicArea.parameters.eccDetail.curveID = curveId;
@@ -774,6 +774,23 @@ int wolfTPM2_SignHash(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     return rc;
 }
 
+static TPMI_ALG_HASH wolfTPM2_GetHashType(int digestSz)
+{
+    switch (digestSz) {
+        case TPM_SHA_DIGEST_SIZE:
+            return TPM_ALG_SHA1;
+        case TPM_SHA256_DIGEST_SIZE:
+            return TPM_ALG_SHA256;
+        case TPM_SHA384_DIGEST_SIZE:
+            return TPM_ALG_SHA384;
+        case TPM_SHA512_DIGEST_SIZE:
+            return TPM_ALG_SHA512;
+        default:
+            break;
+    }
+    return TPM_ALG_NULL;
+}
+
 int wolfTPM2_VerifyHash(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     const byte* sig, int sigSz, const byte* digest, int digestSz)
 {
@@ -804,7 +821,9 @@ int wolfTPM2_VerifyHash(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     XMEMCPY(verifySigIn.digest.buffer, digest, digestSz);
     verifySigIn.signature.sigAlgo =
         key->pub.publicArea.parameters.eccDetail.scheme.scheme;
-    verifySigIn.signature.signature.ecdsa.hash = WOLFTPM2_WRAP_DIGEST;
+    verifySigIn.signature.signature.ecdsa.hash = wolfTPM2_GetHashType(digestSz);
+    if (verifySigIn.signature.signature.ecdsa.hash == TPM_ALG_NULL)
+        verifySigIn.signature.signature.ecdsa.hash = WOLFTPM2_WRAP_DIGEST;
 
     /* Signature is R then S */
     verifySigIn.signature.signature.ecdsa.signatureR.size = curveSize;
@@ -1620,7 +1639,7 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
                     info->pk.eccverify.key, &eccPub);
                 if (rc == 0) {
                     rc = wolfTPM2_VerifyHash(tlsCtx->dev, &eccPub,
-                        info->pk.eccverify.sig, info->pk.eccverify.siglen,
+                        sigRS, rLen + sLen,
                         info->pk.eccverify.hash, info->pk.eccverify.hashlen);
 
                     wolfTPM2_UnloadHandle(tlsCtx->dev, &eccPub.handle);