
Commit 9bdc4ae

authored
Merge pull request #219 from embhorn/zd21558
Fix wolfCLU_sign_data_ecc and wolfCLU_verify_signature_ecc
2 parents c2ecece + 0aefd52 commit 9bdc4ae

3 files changed

Lines changed: 68 additions & 9 deletions


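--- a/src/sign-verify/clu_sign.c
+++ b/src/sign-verify/clu_sign.c
@@ -388,11 +388,41 @@ int wolfCLU_sign_data_ecc(byte* data, char* out, word32 fSz, char* privKey,
 }
 }
 if (ret == 0) {
+int keySz;
+enum wc_HashType hashType;
+int digestSz;
+byte hashBuf[WC_MAX_DIGEST_SIZE];
+
 XMEMSET(outBuf, 0, outBufSz);
 
-/* signing input with ecc priv key to produce signature */
-outLen = (word32)outBufSz;
-ret = wc_ecc_sign_hash(data, fSz, outBuf, &outLen, &rng, &key);
+/* hash the input data before signing -- ECDSA signs a digest, not raw
+* data. Select a curve-appropriate hash paired with the curve
+* strength; ECDSA will truncate the digest as needed. */
+keySz = wc_ecc_size(&key);
+if (keySz <= 32) {
+hashType = WC_HASH_TYPE_SHA256;
+}
+else if (keySz <= 48) {
+hashType = WC_HASH_TYPE_SHA384;
+}
+else {
+hashType = WC_HASH_TYPE_SHA512;
+}
+digestSz = wc_HashGetDigestSize(hashType);
+if (digestSz <= 0 || digestSz > WC_MAX_DIGEST_SIZE) {
+wolfCLU_LogError("Invalid hash digest size: %d", digestSz);
+ret = BAD_FUNC_ARG;
+}
+else {
+ret = wc_Hash(hashType, data, fSz, hashBuf, digestSz);
+}
+
+/* signing the hash with ecc priv key to produce signature */
+if (ret == 0) {
+outLen = (word32)outBufSz;
+ret = wc_ecc_sign_hash(hashBuf, digestSz, outBuf, &outLen,
+&rng, &key);
+}
 if (ret >= 0) {
 XFILE s;
 s = XFOPEN(out, "wb");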
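Review bot: The return of `wc_ecc_size(&key)` is used unchecked in the hash selection, so a size of 0 (which I believe wolfCrypt returns when the key has no curve parameters set) falls into the `keySz <= 32` branch and silently picks SHA-256; a guard such as `if (keySz <= 0) { ret = BAD_FUNC_ARG; }` ahead of the selection would fail closed. The same size-to-hash ladder is repeated in wolfCLU_verify_signature_ecc in clu_verify.c, and sign and verify only interoperate while the two copies stay identical, so a single static helper returning the `enum wc_HashType` for a key would keep them from drifting. Because the digest is now chosen implicitly from the curve, it is also worth documenting that signatures produced by earlier builds over the raw input will no longer verify, and that other tools must use the same curve-to-hash pairing. The enclosing function starts and ends outside the hunk.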

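--- a/src/sign-verify/clu_verify.c
+++ b/src/sign-verify/clu_verify.c
@@ -566,10 +566,39 @@ int wolfCLU_verify_signature_ecc(byte* sig, int sigSz, byte* hash, int hashSz,
 }
 }
 if (ret == 0) {
+int keySz;
+enum wc_HashType hashType;
+int digestSz;
+byte hashBuf[WC_MAX_DIGEST_SIZE];
+
 XMEMSET(outBuf, 0, outBufSz);
 
-/* verify data with Ecc public key */
-ret = wc_ecc_verify_hash(sig, sigSz, hash, hashSz, &stat, &key);
+/* hash the input data before verifying -- ECDSA operates on a digest,
+* not raw data. Select a curve-appropriate hash paired with the curve
+* strength; ECDSA will truncate the digest as needed. */
+keySz = wc_ecc_size(&key);
+if (keySz <= 32) {
+hashType = WC_HASH_TYPE_SHA256;
+}
+else if (keySz <= 48) {
+hashType = WC_HASH_TYPE_SHA384;
+}
+else {
+hashType = WC_HASH_TYPE_SHA512;
+}
+digestSz = wc_HashGetDigestSize(hashType);
+if (digestSz > 0 && digestSz <= WC_MAX_DIGEST_SIZE) {
+ret = wc_Hash(hashType, hash, hashSz, hashBuf, digestSz);
+}
+else {
+ret = BAD_FUNC_ARG;
+}
+
+/* verify the hash with Ecc public key */
+if (ret == 0) {
+ret = wc_ecc_verify_hash(sig, sigSz, hashBuf, digestSz,
+&stat, &key);
+}
 if (ret < 0) {
 wolfCLU_LogError("Failed to verify data with pub key.\nRET: %d", ret);
 }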
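Review bot: The `hash`/`hashSz` parameters are now treated as the raw message and digested at `wc_Hash(hashType, hash, hashSz, hashBuf, digestSz)`, so a caller that still passes a precomputed digest gets a double hash and a failed verification; the parameter names and the function's header comment should say so, e.g. `/* hash: message bytes to be digested here, not a precomputed digest */`. `hashSz` is a signed `int` passed to a length parameter that I believe is `word32`, so a negative value would convert to a very large length; `if (hashSz < 0) ret = BAD_FUNC_ARG;` before the call closes that. Unlike the sign path, the invalid-digest-size branch here sets `BAD_FUNC_ARG` without its own log line, leaving only the generic "Failed to verify data with pub key" message. The function body continues outside the hunk, including, presumably, the check of `stat`.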

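--- a/src/x509/clu_x509_sign.c
+++ b/src/x509/clu_x509_sign.c
@@ -343,7 +343,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
 
 /* open CA ecc private key */
 if (ret == WOLFCLU_SUCCESS) {
-ret = wolfSSL_BIO_get_fp(bioCaKey, &caKeyFp);
+ret = (int)wolfSSL_BIO_get_fp(bioCaKey, &caKeyFp);
 if (ret != WOLFCLU_SUCCESS) {
 wolfCLU_LogError("Error cannot get CA key fd");
 ret = WOLFCLU_FATAL_ERROR;
@@ -364,7 +364,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
 
 /* open server ecc private key */
 if (ret == WOLFCLU_SUCCESS && !isCA) {
-ret = wolfSSL_BIO_get_fp(bioSubjKey, &serverKeyFp);
+ret = (int)wolfSSL_BIO_get_fp(bioSubjKey, &serverKeyFp);
 if (ret != WOLFCLU_SUCCESS) {
 wolfCLU_LogError("Error cannot get server key fd");
 ret = WOLFCLU_FATAL_ERROR;
@@ -481,7 +481,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
 
 /* load alternative CA public key */
 if (ret == WOLFCLU_SUCCESS) {
-ret = wolfSSL_BIO_get_fp(bioAltSubjPubKey, &altCaPubKeyFp);
+ret = (int)wolfSSL_BIO_get_fp(bioAltSubjPubKey, &altCaPubKeyFp);
 if (ret != WOLFCLU_SUCCESS) {
 wolfCLU_LogError("Error get AltCAkey fd");
 ret = WOLFCLU_FATAL_ERROR;
@@ -530,7 +530,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
 }
 
 if (ret == WOLFCLU_SUCCESS) {
-ret = wolfSSL_BIO_get_fp(bioAltCaKey, &altCaKeyFp);
+ret = (int)wolfSSL_BIO_get_fp(bioAltCaKey, &altCaKeyFp);
 if (ret != WOLFCLU_SUCCESS) {
 wolfCLU_LogError("Error cannot get AltCA key fd");
 ret = WOLFCLU_FATAL_ERROR;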
