2 * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * ECDSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
18 #include <openssl/err.h>
19 #include <openssl/asn1t.h>
20 #include <openssl/objects.h>
21 #include "internal/nelem.h"
22 #include "crypto/asn1_dsa.h"
26 int EC_GROUP_get_basis_type(const EC_GROUP *group)
30 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
31 NID_X9_62_characteristic_two_field)
32 /* everything else is currently not supported */
35 /* Find the last non-zero element of group->poly[] */
37 i < (int)OSSL_NELEM(group->poly) && group->poly[i] != 0;
42 return NID_X9_62_ppBasis;
44 return NID_X9_62_tpBasis;
46 /* everything else is currently not supported */
50 #ifndef OPENSSL_NO_EC2M
51 int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
56 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
57 NID_X9_62_characteristic_two_field
58 || !((group->poly[0] != 0) && (group->poly[1] != 0)
59 && (group->poly[2] == 0))) {
60 ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS,
61 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
71 int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
72 unsigned int *k2, unsigned int *k3)
77 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
78 NID_X9_62_characteristic_two_field
79 || !((group->poly[0] != 0) && (group->poly[1] != 0)
80 && (group->poly[2] != 0) && (group->poly[3] != 0)
81 && (group->poly[4] == 0))) {
82 ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS,
83 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
98 /* some structures needed for the asn1 encoding */
99 typedef struct x9_62_pentanomial_st {
105 typedef struct x9_62_characteristic_two_st {
110 /* NID_X9_62_onBasis */
112 /* NID_X9_62_tpBasis */
113 ASN1_INTEGER *tpBasis;
114 /* NID_X9_62_ppBasis */
115 X9_62_PENTANOMIAL *ppBasis;
119 } X9_62_CHARACTERISTIC_TWO;
121 typedef struct x9_62_fieldid_st {
122 ASN1_OBJECT *fieldType;
125 /* NID_X9_62_prime_field */
127 /* NID_X9_62_characteristic_two_field */
128 X9_62_CHARACTERISTIC_TWO *char_two;
134 typedef struct x9_62_curve_st {
135 ASN1_OCTET_STRING *a;
136 ASN1_OCTET_STRING *b;
137 ASN1_BIT_STRING *seed;
140 struct ec_parameters_st {
142 X9_62_FIELDID *fieldID;
144 ASN1_OCTET_STRING *base;
146 ASN1_INTEGER *cofactor;
147 } /* ECPARAMETERS */ ;
149 struct ecpk_parameters_st {
152 ASN1_OBJECT *named_curve;
153 ECPARAMETERS *parameters;
154 ASN1_NULL *implicitlyCA;
156 } /* ECPKPARAMETERS */ ;
158 /* SEC1 ECPrivateKey */
159 typedef struct ec_privatekey_st {
161 ASN1_OCTET_STRING *privateKey;
162 ECPKPARAMETERS *parameters;
163 ASN1_BIT_STRING *publicKey;
166 /* the OpenSSL ASN.1 definitions */
167 ASN1_SEQUENCE(X9_62_PENTANOMIAL) = {
168 ASN1_EMBED(X9_62_PENTANOMIAL, k1, INT32),
169 ASN1_EMBED(X9_62_PENTANOMIAL, k2, INT32),
170 ASN1_EMBED(X9_62_PENTANOMIAL, k3, INT32)
171 } static_ASN1_SEQUENCE_END(X9_62_PENTANOMIAL)
173 DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL)
174 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL)
176 ASN1_ADB_TEMPLATE(char_two_def) = ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.other, ASN1_ANY);
178 ASN1_ADB(X9_62_CHARACTERISTIC_TWO) = {
179 ADB_ENTRY(NID_X9_62_onBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.onBasis, ASN1_NULL)),
180 ADB_ENTRY(NID_X9_62_tpBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.tpBasis, ASN1_INTEGER)),
181 ADB_ENTRY(NID_X9_62_ppBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.ppBasis, X9_62_PENTANOMIAL))
182 } ASN1_ADB_END(X9_62_CHARACTERISTIC_TWO, 0, type, 0, &char_two_def_tt, NULL);
184 ASN1_SEQUENCE(X9_62_CHARACTERISTIC_TWO) = {
185 ASN1_EMBED(X9_62_CHARACTERISTIC_TWO, m, INT32),
186 ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, type, ASN1_OBJECT),
187 ASN1_ADB_OBJECT(X9_62_CHARACTERISTIC_TWO)
188 } static_ASN1_SEQUENCE_END(X9_62_CHARACTERISTIC_TWO)
190 DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
191 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
193 ASN1_ADB_TEMPLATE(fieldID_def) = ASN1_SIMPLE(X9_62_FIELDID, p.other, ASN1_ANY);
195 ASN1_ADB(X9_62_FIELDID) = {
196 ADB_ENTRY(NID_X9_62_prime_field, ASN1_SIMPLE(X9_62_FIELDID, p.prime, ASN1_INTEGER)),
197 ADB_ENTRY(NID_X9_62_characteristic_two_field, ASN1_SIMPLE(X9_62_FIELDID, p.char_two, X9_62_CHARACTERISTIC_TWO))
198 } ASN1_ADB_END(X9_62_FIELDID, 0, fieldType, 0, &fieldID_def_tt, NULL);
200 ASN1_SEQUENCE(X9_62_FIELDID) = {
201 ASN1_SIMPLE(X9_62_FIELDID, fieldType, ASN1_OBJECT),
202 ASN1_ADB_OBJECT(X9_62_FIELDID)
203 } static_ASN1_SEQUENCE_END(X9_62_FIELDID)
205 ASN1_SEQUENCE(X9_62_CURVE) = {
206 ASN1_SIMPLE(X9_62_CURVE, a, ASN1_OCTET_STRING),
207 ASN1_SIMPLE(X9_62_CURVE, b, ASN1_OCTET_STRING),
208 ASN1_OPT(X9_62_CURVE, seed, ASN1_BIT_STRING)
209 } static_ASN1_SEQUENCE_END(X9_62_CURVE)
211 ASN1_SEQUENCE(ECPARAMETERS) = {
212 ASN1_EMBED(ECPARAMETERS, version, INT32),
213 ASN1_SIMPLE(ECPARAMETERS, fieldID, X9_62_FIELDID),
214 ASN1_SIMPLE(ECPARAMETERS, curve, X9_62_CURVE),
215 ASN1_SIMPLE(ECPARAMETERS, base, ASN1_OCTET_STRING),
216 ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER),
217 ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER)
218 } ASN1_SEQUENCE_END(ECPARAMETERS)
220 DECLARE_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
221 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
223 ASN1_CHOICE(ECPKPARAMETERS) = {
224 ASN1_SIMPLE(ECPKPARAMETERS, value.named_curve, ASN1_OBJECT),
225 ASN1_SIMPLE(ECPKPARAMETERS, value.parameters, ECPARAMETERS),
226 ASN1_SIMPLE(ECPKPARAMETERS, value.implicitlyCA, ASN1_NULL)
227 } ASN1_CHOICE_END(ECPKPARAMETERS)
229 DECLARE_ASN1_FUNCTIONS(ECPKPARAMETERS)
230 DECLARE_ASN1_ENCODE_FUNCTIONS_name(ECPKPARAMETERS, ECPKPARAMETERS)
231 IMPLEMENT_ASN1_FUNCTIONS(ECPKPARAMETERS)
233 ASN1_SEQUENCE(EC_PRIVATEKEY) = {
234 ASN1_EMBED(EC_PRIVATEKEY, version, INT32),
235 ASN1_SIMPLE(EC_PRIVATEKEY, privateKey, ASN1_OCTET_STRING),
236 ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0),
237 ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1)
238 } static_ASN1_SEQUENCE_END(EC_PRIVATEKEY)
240 DECLARE_ASN1_FUNCTIONS(EC_PRIVATEKEY)
241 DECLARE_ASN1_ENCODE_FUNCTIONS_name(EC_PRIVATEKEY, EC_PRIVATEKEY)
242 IMPLEMENT_ASN1_FUNCTIONS(EC_PRIVATEKEY)
244 /* some declarations of internal function */
246 /* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */
247 static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *);
248 /* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */
249 static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *);
251 /* the function definitions */
253 static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
258 if (group == NULL || field == NULL)
261 /* clear the old values (if necessary) */
262 ASN1_OBJECT_free(field->fieldType);
263 ASN1_TYPE_free(field->p.other);
265 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
266 /* set OID for the field */
267 if ((field->fieldType = OBJ_nid2obj(nid)) == NULL) {
268 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
272 if (nid == NID_X9_62_prime_field) {
273 if ((tmp = BN_new()) == NULL) {
274 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
277 /* the parameters are specified by the prime number p */
278 if (!EC_GROUP_get_curve(group, tmp, NULL, NULL, NULL)) {
279 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
282 /* set the prime number */
283 field->p.prime = BN_to_ASN1_INTEGER(tmp, NULL);
284 if (field->p.prime == NULL) {
285 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_ASN1_LIB);
288 } else if (nid == NID_X9_62_characteristic_two_field)
289 #ifdef OPENSSL_NO_EC2M
291 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, EC_R_GF2M_NOT_SUPPORTED);
297 X9_62_CHARACTERISTIC_TWO *char_two;
299 field->p.char_two = X9_62_CHARACTERISTIC_TWO_new();
300 char_two = field->p.char_two;
302 if (char_two == NULL) {
303 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
307 char_two->m = (long)EC_GROUP_get_degree(group);
309 field_type = EC_GROUP_get_basis_type(group);
311 if (field_type == 0) {
312 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
315 /* set base type OID */
316 if ((char_two->type = OBJ_nid2obj(field_type)) == NULL) {
317 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
321 if (field_type == NID_X9_62_tpBasis) {
324 if (!EC_GROUP_get_trinomial_basis(group, &k))
327 char_two->p.tpBasis = ASN1_INTEGER_new();
328 if (char_two->p.tpBasis == NULL) {
329 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
332 if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long)k)) {
333 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_ASN1_LIB);
336 } else if (field_type == NID_X9_62_ppBasis) {
337 unsigned int k1, k2, k3;
339 if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))
342 char_two->p.ppBasis = X9_62_PENTANOMIAL_new();
343 if (char_two->p.ppBasis == NULL) {
344 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
349 char_two->p.ppBasis->k1 = (long)k1;
350 char_two->p.ppBasis->k2 = (long)k2;
351 char_two->p.ppBasis->k3 = (long)k3;
352 } else { /* field_type == NID_X9_62_onBasis */
354 /* for ONB the parameters are (asn1) NULL */
355 char_two->p.onBasis = ASN1_NULL_new();
356 if (char_two->p.onBasis == NULL) {
357 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
364 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, EC_R_UNSUPPORTED_FIELD);
375 static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
378 BIGNUM *tmp_1 = NULL, *tmp_2 = NULL;
379 unsigned char *a_buf = NULL, *b_buf = NULL;
382 if (!group || !curve || !curve->a || !curve->b)
385 if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL) {
386 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
391 if (!EC_GROUP_get_curve(group, NULL, tmp_1, tmp_2, NULL)) {
392 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB);
397 * Per SEC 1, the curve coefficients must be padded up to size. See C.2's
398 * definition of Curve, C.1's definition of FieldElement, and 2.3.5's
399 * definition of how to encode the field elements.
401 len = ((size_t)EC_GROUP_get_degree(group) + 7) / 8;
402 if ((a_buf = OPENSSL_malloc(len)) == NULL
403 || (b_buf = OPENSSL_malloc(len)) == NULL) {
404 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
407 if (BN_bn2binpad(tmp_1, a_buf, len) < 0
408 || BN_bn2binpad(tmp_2, b_buf, len) < 0) {
409 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB);
414 if (!ASN1_OCTET_STRING_set(curve->a, a_buf, len)
415 || !ASN1_OCTET_STRING_set(curve->b, b_buf, len)) {
416 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
420 /* set the seed (optional) */
423 if ((curve->seed = ASN1_BIT_STRING_new()) == NULL) {
424 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
427 curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
428 curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT;
429 if (!ASN1_BIT_STRING_set(curve->seed, group->seed,
430 (int)group->seed_len)) {
431 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
435 ASN1_BIT_STRING_free(curve->seed);
449 ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
450 ECPARAMETERS *params)
453 ECPARAMETERS *ret = NULL;
455 unsigned char *buffer = NULL;
456 const EC_POINT *point = NULL;
457 point_conversion_form_t form;
460 if (params == NULL) {
461 if ((ret = ECPARAMETERS_new()) == NULL) {
462 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
468 /* set the version (always one) */
469 ret->version = (long)0x1;
471 /* set the fieldID */
472 if (!ec_asn1_group2fieldid(group, ret->fieldID)) {
473 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
478 if (!ec_asn1_group2curve(group, ret->curve)) {
479 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
483 /* set the base point */
484 if ((point = EC_GROUP_get0_generator(group)) == NULL) {
485 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, EC_R_UNDEFINED_GENERATOR);
489 form = EC_GROUP_get_point_conversion_form(group);
491 len = EC_POINT_point2buf(group, point, form, &buffer, NULL);
493 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
496 if (ret->base == NULL && (ret->base = ASN1_OCTET_STRING_new()) == NULL) {
497 OPENSSL_free(buffer);
498 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
501 ASN1_STRING_set0(ret->base, buffer, len);
504 tmp = EC_GROUP_get0_order(group);
506 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
509 ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
510 if (ret->order == NULL) {
512 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
516 /* set the cofactor (optional) */
517 tmp = EC_GROUP_get0_cofactor(group);
519 ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
520 if (ret->cofactor == NULL) {
521 ret->cofactor = orig;
522 ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
531 ECPARAMETERS_free(ret);
535 ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
536 ECPKPARAMETERS *params)
539 ECPKPARAMETERS *ret = params;
542 if ((ret = ECPKPARAMETERS_new()) == NULL) {
543 ECerr(EC_F_EC_GROUP_GET_ECPKPARAMETERS, ERR_R_MALLOC_FAILURE);
548 ASN1_OBJECT_free(ret->value.named_curve);
549 else if (ret->type == 1 && ret->value.parameters)
550 ECPARAMETERS_free(ret->value.parameters);
553 if (EC_GROUP_get_asn1_flag(group)) {
555 * use the asn1 OID to describe the elliptic curve parameters
557 tmp = EC_GROUP_get_curve_name(group);
560 if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
563 /* we don't know the nid => ERROR */
566 /* use the ECPARAMETERS structure */
568 if ((ret->value.parameters =
569 EC_GROUP_get_ecparameters(group, NULL)) == NULL)
574 ECPKPARAMETERS_free(ret);
580 EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
583 EC_GROUP *ret = NULL, *dup = NULL;
584 BIGNUM *p = NULL, *a = NULL, *b = NULL;
585 EC_POINT *point = NULL;
587 int curve_name = NID_undef;
590 if (params->fieldID == NULL
591 || params->fieldID->fieldType == NULL
592 || params->fieldID->p.ptr == NULL) {
593 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
598 * Now extract the curve parameters a and b. Note that, although SEC 1
599 * specifies the length of their encodings, historical versions of OpenSSL
600 * encoded them incorrectly, so we must accept any length for backwards
603 if (params->curve == NULL
604 || params->curve->a == NULL || params->curve->a->data == NULL
605 || params->curve->b == NULL || params->curve->b->data == NULL) {
606 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
609 a = BN_bin2bn(params->curve->a->data, params->curve->a->length, NULL);
611 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
614 b = BN_bin2bn(params->curve->b->data, params->curve->b->length, NULL);
616 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
620 /* get the field parameters */
621 tmp = OBJ_obj2nid(params->fieldID->fieldType);
622 if (tmp == NID_X9_62_characteristic_two_field)
623 #ifdef OPENSSL_NO_EC2M
625 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_GF2M_NOT_SUPPORTED);
630 X9_62_CHARACTERISTIC_TWO *char_two;
632 char_two = params->fieldID->p.char_two;
634 field_bits = char_two->m;
635 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
636 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_FIELD_TOO_LARGE);
640 if ((p = BN_new()) == NULL) {
641 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
645 /* get the base type */
646 tmp = OBJ_obj2nid(char_two->type);
648 if (tmp == NID_X9_62_tpBasis) {
651 if (!char_two->p.tpBasis) {
652 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
656 tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
658 if (!(char_two->m > tmp_long && tmp_long > 0)) {
659 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS,
660 EC_R_INVALID_TRINOMIAL_BASIS);
664 /* create the polynomial */
665 if (!BN_set_bit(p, (int)char_two->m))
667 if (!BN_set_bit(p, (int)tmp_long))
669 if (!BN_set_bit(p, 0))
671 } else if (tmp == NID_X9_62_ppBasis) {
672 X9_62_PENTANOMIAL *penta;
674 penta = char_two->p.ppBasis;
676 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
681 (char_two->m > penta->k3 && penta->k3 > penta->k2
682 && penta->k2 > penta->k1 && penta->k1 > 0)) {
683 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS,
684 EC_R_INVALID_PENTANOMIAL_BASIS);
688 /* create the polynomial */
689 if (!BN_set_bit(p, (int)char_two->m))
691 if (!BN_set_bit(p, (int)penta->k1))
693 if (!BN_set_bit(p, (int)penta->k2))
695 if (!BN_set_bit(p, (int)penta->k3))
697 if (!BN_set_bit(p, 0))
699 } else if (tmp == NID_X9_62_onBasis) {
700 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_NOT_IMPLEMENTED);
704 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
708 /* create the EC_GROUP structure */
709 ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
712 else if (tmp == NID_X9_62_prime_field) {
713 /* we have a curve over a prime field */
714 /* extract the prime number */
715 if (params->fieldID->p.prime == NULL) {
716 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
719 p = ASN1_INTEGER_to_BN(params->fieldID->p.prime, NULL);
721 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
725 if (BN_is_negative(p) || BN_is_zero(p)) {
726 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_INVALID_FIELD);
730 field_bits = BN_num_bits(p);
731 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
732 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_FIELD_TOO_LARGE);
736 /* create the EC_GROUP structure */
737 ret = EC_GROUP_new_curve_GFp(p, a, b, NULL);
739 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_INVALID_FIELD);
744 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
748 /* extract seed (optional) */
749 if (params->curve->seed != NULL) {
750 OPENSSL_free(ret->seed);
751 if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) {
752 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
755 memcpy(ret->seed, params->curve->seed->data,
756 params->curve->seed->length);
757 ret->seed_len = params->curve->seed->length;
760 if (params->order == NULL
761 || params->base == NULL
762 || params->base->data == NULL) {
763 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
767 if ((point = EC_POINT_new(ret)) == NULL)
770 /* set the point conversion form */
771 EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t)
772 (params->base->data[0] & ~0x01));
774 /* extract the ec point */
775 if (!EC_POINT_oct2point(ret, point, params->base->data,
776 params->base->length, NULL)) {
777 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
781 /* extract the order */
782 if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) {
783 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
786 if (BN_is_negative(a) || BN_is_zero(a)) {
787 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_INVALID_GROUP_ORDER);
790 if (BN_num_bits(a) > (int)field_bits + 1) { /* Hasse bound */
791 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_INVALID_GROUP_ORDER);
795 /* extract the cofactor (optional) */
796 if (params->cofactor == NULL) {
799 } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) {
800 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
803 /* set the generator, order and cofactor (if present) */
804 if (!EC_GROUP_set_generator(ret, point, a, b)) {
805 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
810 * Check if the explicit parameters group just created matches one of the
813 * We create a copy of the group just built, so that we can remove optional
814 * fields for the lookup: we do this to avoid the possibility that one of
815 * the optional parameters is used to force the library into using a less
816 * performant and less secure EC_METHOD instead of the specialized one.
817 * In any case, `seed` is not really used in any computation, while a
818 * cofactor different from the one in the built-in table is just
819 * mathematically wrong anyway and should not be used.
821 if ((ctx = BN_CTX_new()) == NULL) {
822 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
825 if ((dup = EC_GROUP_dup(ret)) == NULL
826 || EC_GROUP_set_seed(dup, NULL, 0) != 1
827 || !EC_GROUP_set_generator(dup, point, a, NULL)) {
828 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
831 if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) {
833 * The input explicit parameters successfully matched one of the
834 * built-in curves: often for built-in curves we have specialized
835 * methods with better performance and hardening.
837 * In this case we replace the `EC_GROUP` created through explicit
838 * parameters with one created from a named group.
840 EC_GROUP *named_group = NULL;
842 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
844 * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
845 * the same curve, we prefer the SECP nid when matching explicit
846 * parameters as that is associated with a specialized EC_METHOD.
848 if (curve_name == NID_wap_wsg_idm_ecid_wtls12)
849 curve_name = NID_secp224r1;
850 #endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
852 if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) {
853 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
860 * Set the flag so that EC_GROUPs created from explicit parameters are
861 * serialized using explicit parameters by default.
863 EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
866 * If the input params do not contain the optional seed field we make
867 * sure it is not added to the returned group.
869 * The seed field is not really used inside libcrypto anyway, and
870 * adding it to parsed explicit parameter keys would alter their DER
871 * encoding output (because of the extra field) which could impact
872 * applications fingerprinting keys by their DER encoding.
874 if (params->curve->seed == NULL) {
875 if (EC_GROUP_set_seed(ret, NULL, 0) != 1)
892 EC_POINT_free(point);
899 EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params)
901 EC_GROUP *ret = NULL;
904 if (params == NULL) {
905 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS, EC_R_MISSING_PARAMETERS);
909 if (params->type == 0) { /* the curve is given by an OID */
910 tmp = OBJ_obj2nid(params->value.named_curve);
911 if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL) {
912 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS,
913 EC_R_EC_GROUP_NEW_BY_NAME_FAILURE);
916 EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
917 } else if (params->type == 1) { /* the parameters are given by a
918 * ECPARAMETERS structure */
919 ret = EC_GROUP_new_from_ecparameters(params->value.parameters);
921 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS, ERR_R_EC_LIB);
924 EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
925 } else if (params->type == 2) { /* implicitlyCA */
928 ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS, EC_R_ASN1_ERROR);
935 /* EC_GROUP <-> DER encoding of ECPKPARAMETERS */
937 EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
939 EC_GROUP *group = NULL;
940 ECPKPARAMETERS *params = NULL;
941 const unsigned char *p = *in;
943 if ((params = d2i_ECPKPARAMETERS(NULL, &p, len)) == NULL) {
944 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
945 ECPKPARAMETERS_free(params);
949 if ((group = EC_GROUP_new_from_ecpkparameters(params)) == NULL) {
950 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE);
951 ECPKPARAMETERS_free(params);
960 ECPKPARAMETERS_free(params);
965 int i2d_ECPKParameters(const EC_GROUP *a, unsigned char **out)
968 ECPKPARAMETERS *tmp = EC_GROUP_get_ecpkparameters(a, NULL);
970 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_GROUP2PKPARAMETERS_FAILURE);
973 if ((ret = i2d_ECPKPARAMETERS(tmp, out)) == 0) {
974 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_I2D_ECPKPARAMETERS_FAILURE);
975 ECPKPARAMETERS_free(tmp);
978 ECPKPARAMETERS_free(tmp);
982 /* some EC_KEY functions */
984 EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
987 EC_PRIVATEKEY *priv_key = NULL;
988 const unsigned char *p = *in;
990 if ((priv_key = d2i_EC_PRIVATEKEY(NULL, &p, len)) == NULL) {
991 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
995 if (a == NULL || *a == NULL) {
996 if ((ret = EC_KEY_new()) == NULL) {
997 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
1003 if (priv_key->parameters) {
1004 EC_GROUP_free(ret->group);
1005 ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
1008 if (ret->group == NULL) {
1009 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1013 ret->version = priv_key->version;
1015 if (priv_key->privateKey) {
1016 ASN1_OCTET_STRING *pkey = priv_key->privateKey;
1017 if (EC_KEY_oct2priv(ret, ASN1_STRING_get0_data(pkey),
1018 ASN1_STRING_length(pkey)) == 0)
1021 ECerr(EC_F_D2I_ECPRIVATEKEY, EC_R_MISSING_PRIVATE_KEY);
1025 EC_POINT_clear_free(ret->pub_key);
1026 ret->pub_key = EC_POINT_new(ret->group);
1027 if (ret->pub_key == NULL) {
1028 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1032 if (priv_key->publicKey) {
1033 const unsigned char *pub_oct;
1036 pub_oct = ASN1_STRING_get0_data(priv_key->publicKey);
1037 pub_oct_len = ASN1_STRING_length(priv_key->publicKey);
1038 if (!EC_KEY_oct2key(ret, pub_oct, pub_oct_len, NULL)) {
1039 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1043 if (ret->group->meth->keygenpub == NULL
1044 || ret->group->meth->keygenpub(ret) == 0)
1046 /* Remember the original private-key-only encoding. */
1047 ret->enc_flag |= EC_PKEY_NO_PUBKEY;
1052 EC_PRIVATEKEY_free(priv_key);
1058 if (a == NULL || *a != ret)
1060 EC_PRIVATEKEY_free(priv_key);
1064 int i2d_ECPrivateKey(const EC_KEY *a, unsigned char **out)
1066 int ret = 0, ok = 0;
1067 unsigned char *priv= NULL, *pub= NULL;
1068 size_t privlen = 0, publen = 0;
1070 EC_PRIVATEKEY *priv_key = NULL;
1072 if (a == NULL || a->group == NULL ||
1073 (!(a->enc_flag & EC_PKEY_NO_PUBKEY) && a->pub_key == NULL)) {
1074 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
1078 if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
1079 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
1083 priv_key->version = a->version;
1085 privlen = EC_KEY_priv2buf(a, &priv);
1088 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1092 ASN1_STRING_set0(priv_key->privateKey, priv, privlen);
1095 if (!(a->enc_flag & EC_PKEY_NO_PARAMETERS)) {
1096 if ((priv_key->parameters =
1097 EC_GROUP_get_ecpkparameters(a->group,
1098 priv_key->parameters)) == NULL) {
1099 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1104 if (!(a->enc_flag & EC_PKEY_NO_PUBKEY)) {
1105 priv_key->publicKey = ASN1_BIT_STRING_new();
1106 if (priv_key->publicKey == NULL) {
1107 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
1111 publen = EC_KEY_key2buf(a, a->conv_form, &pub, NULL);
1114 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1118 priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
1119 priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1120 ASN1_STRING_set0(priv_key->publicKey, pub, publen);
1124 if ((ret = i2d_EC_PRIVATEKEY(priv_key, out)) == 0) {
1125 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1130 OPENSSL_clear_free(priv, privlen);
1132 EC_PRIVATEKEY_free(priv_key);
1133 return (ok ? ret : 0);
1136 int i2d_ECParameters(const EC_KEY *a, unsigned char **out)
1139 ECerr(EC_F_I2D_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
1142 return i2d_ECPKParameters(a->group, out);
1145 EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
1149 if (in == NULL || *in == NULL) {
1150 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
1154 if (a == NULL || *a == NULL) {
1155 if ((ret = EC_KEY_new()) == NULL) {
1156 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
1162 if (!d2i_ECPKParameters(&ret->group, in, len)) {
1163 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
1164 if (a == NULL || *a != ret)
1178 EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len)
1182 if (a == NULL || (*a) == NULL || (*a)->group == NULL) {
1184 * sorry, but a EC_GROUP-structure is necessary to set the public key
1186 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
1190 /* EC_KEY_opt2key updates dirty_cnt */
1191 if (!EC_KEY_oct2key(ret, *in, len, NULL)) {
1192 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_EC_LIB);
1199 int i2o_ECPublicKey(const EC_KEY *a, unsigned char **out)
1205 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
1209 buf_len = EC_POINT_point2oct(a->group, a->pub_key,
1210 a->conv_form, NULL, 0, NULL);
1212 if (out == NULL || buf_len == 0)
1213 /* out == NULL => just return the length of the octet string */
1217 if ((*out = OPENSSL_malloc(buf_len)) == NULL) {
1218 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_MALLOC_FAILURE);
1223 if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form,
1224 *out, buf_len, NULL)) {
1225 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
1237 DECLARE_ASN1_FUNCTIONS(ECDSA_SIG)
1238 DECLARE_ASN1_ENCODE_FUNCTIONS_name(ECDSA_SIG, ECDSA_SIG)
1240 #endif /* FIPS_MODULE */
1242 ECDSA_SIG *ECDSA_SIG_new(void)
1244 ECDSA_SIG *sig = OPENSSL_zalloc(sizeof(*sig));
1246 ECerr(EC_F_ECDSA_SIG_NEW, ERR_R_MALLOC_FAILURE);
1250 void ECDSA_SIG_free(ECDSA_SIG *sig)
1254 BN_clear_free(sig->r);
1255 BN_clear_free(sig->s);
1259 ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **psig, const unsigned char **ppin, long len)
1265 if (psig != NULL && *psig != NULL) {
1268 sig = ECDSA_SIG_new();
1276 if (decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) {
1277 if (psig == NULL || *psig == NULL)
1278 ECDSA_SIG_free(sig);
1281 if (psig != NULL && *psig == NULL)
1286 int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **ppout)
1288 BUF_MEM *buf = NULL;
1292 if (ppout == NULL) {
1293 if (!WPACKET_init_null(&pkt, 0))
1295 } else if (*ppout == NULL) {
1296 if ((buf = BUF_MEM_new()) == NULL
1297 || !WPACKET_init_len(&pkt, buf, 0)) {
1302 if (!WPACKET_init_static_len(&pkt, *ppout, SIZE_MAX, 0))
1306 if (!encode_der_dsa_sig(&pkt, sig->r, sig->s)
1307 || !WPACKET_get_total_written(&pkt, &encoded_len)
1308 || !WPACKET_finish(&pkt)) {
1310 WPACKET_cleanup(&pkt);
1314 if (ppout != NULL) {
1315 if (*ppout == NULL) {
1316 *ppout = (unsigned char *)buf->data;
1320 *ppout += encoded_len;
1324 return (int)encoded_len;
1327 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
1335 const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig)
1340 const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig)
1345 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
1347 if (r == NULL || s == NULL)
1349 BN_clear_free(sig->r);
1350 BN_clear_free(sig->s);
1356 int ECDSA_size(const EC_KEY *ec)
1360 const EC_GROUP *group;
1365 group = EC_KEY_get0_group(ec);
1369 bn = EC_GROUP_get0_order(group);
1373 sig.r = sig.s = (BIGNUM *)bn;
1374 ret = i2d_ECDSA_SIG(&sig, NULL);