TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / 351a0b231b845b76e8b70be3a3f929d3f9c0889d / . / boot / bootutil / src / image_ec.c
blob: f0c5d359494de888fb6b877b1a53622b035674b5 [file] [log] [blame]
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]1/*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19
20#include "syscfg/syscfg.h"
21
22#if MYNEWT_VAL(BOOTUTIL_SIGN_EC)
23#include "bootutil/sign_key.h"
24
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]25#include "mbedtls/ecdsa.h"
26#include "mbedtls/oid.h"
27#include "mbedtls/asn1.h"
28
29#include "bootutil_priv.h"
30
31/*
32 * Declaring these like this adds NULL termination.
33 */
34static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED;
35static const uint8_t ec_secp224r1_oid[] = MBEDTLS_OID_EC_GRP_SECP224R1;
36
37/*
Marko Kiiskila351a0b22016-12-29 17:31:00 -0800[diff] [blame^]38 * Parse the public key used for signing.
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]39 */
40static int
41bootutil_parse_eckey(mbedtls_ecdsa_context *ctx, uint8_t **p, uint8_t *end)
42{
43 size_t len;
44 mbedtls_asn1_buf alg;
45 mbedtls_asn1_buf param;
46
47 if (mbedtls_asn1_get_tag(p, end, &len,
48 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
49 return -1;
50 }
51 end = *p + len;
52
53 if (mbedtls_asn1_get_alg(p, end, &alg, &param)) {
54 return -2;
55 }
56 if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
57 memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
58 return -3;
59 }
60 if (param.len != sizeof(ec_secp224r1_oid) - 1||
61 memcmp(param.p, ec_secp224r1_oid, sizeof(ec_secp224r1_oid) - 1)) {
62 return -4;
63 }
64
65 if (mbedtls_ecp_group_load_secp224r1(&ctx->grp)) {
66 return -5;
67 }
68
69 if (mbedtls_asn1_get_bitstring_null(p, end, &len)) {
70 return -6;
71 }
72 if (*p + len != end) {
73 return -7;
74 }
75
76 if (mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, *p, end - *p)) {
77 return -8;
78 }
79
80 if (mbedtls_ecp_check_pubkey(&ctx->grp, &ctx->Q)) {
81 return -9;
82 }
83 return 0;
84}
85
86static int
87bootutil_cmp_sig(mbedtls_ecdsa_context *ctx, uint8_t *hash, uint32_t hlen,
88 uint8_t *sig, int slen)
89{
90 return mbedtls_ecdsa_read_signature(ctx, hash, hlen, sig, slen);
91}
92
93int
94bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, int slen,
95 uint8_t key_id)
96{
97 int rc;
98 uint8_t *cp;
99 uint8_t *end;
100 mbedtls_ecdsa_context ctx;
101
102 mbedtls_ecdsa_init(&ctx);
103
104 cp = (uint8_t *)bootutil_keys[key_id].key;
105 end = cp + *bootutil_keys[key_id].len;
106
107 rc = bootutil_parse_eckey(&ctx, &cp, end);
108 if (rc) {
109 return -1;
110 }
111
112 while (sig[slen - 1] == '\0') {
113 slen--;
114 }
115 rc = bootutil_cmp_sig(&ctx, hash, hlen, sig, slen);
116 mbedtls_ecdsa_free(&ctx);
117
118 return rc;
119}
120#endif /* MYNEWT_VAL(BOOTUTIL_SIGN_EC) */