1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
|
/* Microsoft Reference Implementation for TPM 2.0
*
* The copyright in this software is being made available under the BSD License,
* included below. This software may be subject to other third party and
* contributor rights, including patent rights, and no such rights are granted
* under this license.
*
* Copyright (c) Microsoft Corporation
*
* All rights reserved.
*
* BSD License
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this list
* of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice, this
* list of conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ""AS IS""
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
//** Includes and Defines
#include "Tpm.h"
#ifdef TPM_ALG_ECC
// This version requires that the new format for ECC data be used
#ifndef USE_BN_ECC_DATA
#error "Need to define USE_BN_ECC_DATA in Implementaion.h"
#endif
//** Functions
#ifdef SIMULATION
void
EccSimulationEnd(
void
)
{
#ifdef SIMULATION
// put things to be printed at the end of the simulation here
#endif
}
#endif // SIMULATION
//*** CryptEccInit()
// This function is called at _TPM_Init
BOOL
CryptEccInit(
void
)
{
return TRUE;
}
//*** CryptEccStartup()
// This function is called at TPM2_Startup().
BOOL
CryptEccStartup(
void
)
{
return TRUE;
}
//*** ClearPoint2B(generic)
// Initialize the size values of a TPMS_ECC_POINT structure.
void
ClearPoint2B(
TPMS_ECC_POINT *p // IN: the point
)
{
if(p != NULL)
{
p->x.t.size = 0;
p->y.t.size = 0;
}
}
//*** CryptEccGetParametersByCurveId()
// This function returns a pointer to the curve data that is associated with
// the indicated curveId.
// If there is no curve with the indicated ID, the function returns NULL. This
// function is in this module so that it can be called by GetCurve data.
// return type: const ECC_CURVE_DATA
// NULL curve with the indicated TPM_ECC_CURVE value is not implemented
// non-NULL pointer to the curve data
LIB_EXPORT const ECC_CURVE *
CryptEccGetParametersByCurveId(
TPM_ECC_CURVE curveId // IN: the curveID
)
{
int i;
for(i = 0; i < ECC_CURVE_COUNT; i++)
{
if(eccCurves[i].curveId == curveId)
return &eccCurves[i];
}
return NULL;
}
//*** CryptEccGetKeySizeForCurve()
// This function returns the key size in bits of the indicated curve
LIB_EXPORT UINT16
CryptEccGetKeySizeForCurve(
TPM_ECC_CURVE curveId // IN: the curve
)
{
const ECC_CURVE *curve = CryptEccGetParametersByCurveId(curveId);
UINT16 keySizeInBits;
//
keySizeInBits = (curve != NULL) ? curve->keySizeBits : 0;
return keySizeInBits;
}
//*** GetCurveData()
// This function returns the a pointer for the parameter data
// associated with a curve.
const ECC_CURVE_DATA *
GetCurveData(
TPM_ECC_CURVE curveId // IN: the curveID
)
{
const ECC_CURVE *curve = CryptEccGetParametersByCurveId(curveId);
return (curve != NULL) ? curve->curveData : NULL;
}
//*** CryptEccGetCurveByIndex()
// This function returns the number of the i-th implemented curve. The normal
// use would be to call this function with 'i' starting at 0. When the i is greater
// than or equal to the number of implemented curves, TPM_ECC_NONE is returned.
LIB_EXPORT TPM_ECC_CURVE
CryptEccGetCurveByIndex(
UINT16 i
)
{
if(i >= ECC_CURVE_COUNT)
return TPM_ECC_NONE;
return eccCurves[i].curveId;
}
//*** CryptEccGetParameter()
// This function returns an ECC curve parameter. The parameter is
// selected by a single character designator from the set of {PNABXYH}.
// return type: BOOL
// TRUE curve exists and parameter returned
// FALSE curve does not exist or parameter selector
LIB_EXPORT BOOL
CryptEccGetParameter(
TPM2B_ECC_PARAMETER *out, // OUT: place to put parameter
char p, // IN: the parameter selector
TPM_ECC_CURVE curveId // IN: the curve id
)
{
const ECC_CURVE_DATA *curve = GetCurveData(curveId);
bigConst parameter = NULL;
if(curve != NULL)
{
switch(p)
{
case 'p':
parameter = CurveGetPrime(curve);
break;
case 'n':
parameter = CurveGetOrder(curve);
break;
case 'a':
parameter = CurveGet_a(curve);
break;
case 'b':
parameter = CurveGet_b(curve);
break;
case 'x':
parameter = CurveGetGx(curve);
break;
case 'y':
parameter = CurveGetGy(curve);
break;
case 'h':
parameter = CurveGetCofactor(curve);
break;
default:
FAIL(FATAL_ERROR_INTERNAL);
break;
}
}
// If not debugging and we get here with parameter still NULL, had better
// not try to convert so just return FALSE instead.
return (parameter != NULL) ? BnTo2B(parameter, &out->b, 0) : 0;
}
//*** CryptCapGetECCCurve()
// This function returns the list of implemented ECC curves.
// return type: TPMI_YES_NO
// YES if no more ECC curve is available
// NO if there are more ECC curves not reported
TPMI_YES_NO
CryptCapGetECCCurve(
TPM_ECC_CURVE curveID, // IN: the starting ECC curve
UINT32 maxCount, // IN: count of returned curves
TPML_ECC_CURVE *curveList // OUT: ECC curve list
)
{
TPMI_YES_NO more = NO;
UINT16 i;
UINT32 count = ECC_CURVE_COUNT;
TPM_ECC_CURVE curve;
// Initialize output property list
curveList->count = 0;
// The maximum count of curves we may return is MAX_ECC_CURVES
if(maxCount > MAX_ECC_CURVES) maxCount = MAX_ECC_CURVES;
// Scan the eccCurveValues array
for(i = 0; i < count; i++)
{
curve = CryptEccGetCurveByIndex(i);
// If curveID is less than the starting curveID, skip it
if(curve < curveID)
continue;
if(curveList->count < maxCount)
{
// If we have not filled up the return list, add more curves to
// it
curveList->eccCurves[curveList->count] = curve;
curveList->count++;
}
else
{
// If the return list is full but we still have curves
// available, report this and stop iterating
more = YES;
break;
}
}
return more;
}
//*** CryptGetCurveSignScheme()
// This function will return a pointer to the scheme of the curve.
const TPMT_ECC_SCHEME *
CryptGetCurveSignScheme(
TPM_ECC_CURVE curveId // IN: The curve selector
)
{
const ECC_CURVE *curve = CryptEccGetParametersByCurveId(curveId);
if(curve != NULL)
return &(curve->sign);
else
return NULL;
}
//*** CryptGenerateR()
// This function computes the commit random value for a split signing scheme.
//
// If 'c' is NULL, it indicates that 'r' is being generated
// for TPM2_Commit.
// If 'c' is not NULL, the TPM will validate that the gr.commitArray
// bit associated with the input value of 'c' is SET. If not, the TPM
// returns FALSE and no 'r' value is generated.
// return type: BOOL
// TRUE r value computed
// FALSE no r value computed
BOOL
CryptGenerateR(
TPM2B_ECC_PARAMETER *r, // OUT: the generated random value
UINT16 *c, // IN/OUT: count value.
TPMI_ECC_CURVE curveID, // IN: the curve for the value
TPM2B_NAME *name // IN: optional name of a key to
// associate with 'r'
)
{
// This holds the marshaled g_commitCounter.
TPM2B_TYPE(8B, 8);
TPM2B_8B cntr = {{8,{0}}};
UINT32 iterations;
TPM2B_ECC_PARAMETER n;
UINT64 currentCount = gr.commitCounter;
UINT16 t1;
//
if(!CryptEccGetParameter(&n, 'n', curveID))
return FALSE;
// If this is the commit phase, use the current value of the commit counter
if(c != NULL)
{
// if the array bit is not set, can't use the value.
if(!TEST_BIT((*c & COMMIT_INDEX_MASK), gr.commitArray))
return FALSE;
// If it is the sign phase, figure out what the counter value was
// when the commitment was made.
//
// When gr.commitArray has less than 64K bits, the extra
// bits of 'c' are used as a check to make sure that the
// signing operation is not using an out of range count value
t1 = (UINT16)currentCount;
// If the lower bits of c are greater or equal to the lower bits of t1
// then the upper bits of t1 must be one more than the upper bits
// of c
if((*c & COMMIT_INDEX_MASK) >= (t1 & COMMIT_INDEX_MASK))
// Since the counter is behind, reduce the current count
currentCount = currentCount - (COMMIT_INDEX_MASK + 1);
t1 = (UINT16)currentCount;
if((t1 & ~COMMIT_INDEX_MASK) != (*c & ~COMMIT_INDEX_MASK))
return FALSE;
// set the counter to the value that was
// present when the commitment was made
currentCount = (currentCount & 0xffffffffffff0000) | *c;
}
// Marshal the count value to a TPM2B buffer for the KDF
cntr.t.size = sizeof(currentCount);
UINT64_TO_BYTE_ARRAY(currentCount, cntr.t.buffer);
// Now can do the KDF to create the random value for the signing operation
// During the creation process, we may generate an r that does not meet the
// requirements of the random value.
// want to generate a new r.
r->t.size = n.t.size;
for(iterations = 1; iterations < 1000000;)
{
int i;
CryptKDFa(CONTEXT_INTEGRITY_HASH_ALG, &gr.commitNonce.b, COMMIT_STRING,
&name->b, &cntr.b, n.t.size * 8, r->t.buffer, &iterations, FALSE);
// "random" value must be less than the prime
if(UnsignedCompareB(r->b.size, r->b.buffer, n.t.size, n.t.buffer) >= 0)
continue;
// in this implementation it is required that at least bit
// in the upper half of the number be set
for(i = n.t.size / 2; i >= 0; i--)
if(r->b.buffer[i] != 0)
return TRUE;
}
return FALSE;
}
//*** CryptCommit()
// This function is called when the count value is committed. The gr.commitArray
// value associated with the current count value is SET and g_commitCounter is
// incremented. The low-order 16 bits of old value of the counter is returned.
UINT16
CryptCommit(
void
)
{
UINT16 oldCount = (UINT16)gr.commitCounter;
gr.commitCounter++;
SET_BIT(oldCount & COMMIT_INDEX_MASK, gr.commitArray);
return oldCount;
}
//*** CryptEndCommit()
// This function is called when the signing operation using the committed value
// is completed. It clears the gr.commitArray bit associated with the count
// value so that it can't be used again.
void
CryptEndCommit(
UINT16 c // IN: the counter value of the commitment
)
{
ClearBit((c & COMMIT_INDEX_MASK), gr.commitArray, sizeof(gr.commitArray));
}
//*** CryptEccGetParameters()
// This function returns the ECC parameter details of the given curve
// return type: BOOL
// TRUE Get parameters success
// FALSE Unsupported ECC curve ID
BOOL
CryptEccGetParameters(
TPM_ECC_CURVE curveId, // IN: ECC curve ID
TPMS_ALGORITHM_DETAIL_ECC *parameters // OUT: ECC parameters
)
{
const ECC_CURVE *curve = CryptEccGetParametersByCurveId(curveId);
const ECC_CURVE_DATA *data;
BOOL found = curve != NULL;
if(found)
{
data = curve->curveData;
parameters->curveID = curve->curveId;
parameters->keySize = curve->keySizeBits;
parameters->kdf = curve->kdf;
parameters->sign = curve->sign;
BnTo2B(data->prime, ¶meters->p.b, 0);
BnTo2B(data->a, ¶meters->a.b, 0);
BnTo2B(data->b, ¶meters->b.b, 0);
BnTo2B(data->base.x, ¶meters->gX.b, parameters->p.t.size);
BnTo2B(data->base.y, ¶meters->gY.b, parameters->p.t.size);
// BnTo2B(data->base.x, ¶meters->gX.b, 0);
// BnTo2B(data->base.y, ¶meters->gY.b, 0);
BnTo2B(data->order, ¶meters->n.b, 0);
BnTo2B(data->h, ¶meters->h.b, 0);
}
return found;
}
//*** BnGetCurvePrime()
// This function is used to get just the prime modulus associated with a curve
const bignum_t *
BnGetCurvePrime(
TPM_ECC_CURVE curveId
)
{
const ECC_CURVE_DATA *C = GetCurveData(curveId);
return (C != NULL) ? CurveGetPrime(C) : NULL;
}
//*** BnGetCurveOrder()
// This function is used to get just the curve order
const bignum_t *
BnGetCurveOrder(
TPM_ECC_CURVE curveId
)
{
const ECC_CURVE_DATA *C = GetCurveData(curveId);
return (C != NULL) ? CurveGetOrder(C) : NULL;
}
//*** BnIsOnCurve()
// This function checks if a point is on the curve.
BOOL
BnIsOnCurve(
pointConst Q,
const ECC_CURVE_DATA *C
)
{
BN_VAR(right, (MAX_ECC_KEY_BITS * 3));
BN_VAR(left, (MAX_ECC_KEY_BITS * 2));
bigConst prime = CurveGetPrime(C);
//
// Show that point is on the curve y^2 = x^3 + ax + b;
// Or y^2 = x(x^2 + a) + b
// y^2
BnMult(left, Q->y, Q->y);
BnMod(left, prime);
// x^2
BnMult(right, Q->x, Q->x);
// x^2 + a
BnAdd(right, right, CurveGet_a(C));
// BnMod(right, CurveGetPrime(C));
// x(x^2 + a)
BnMult(right, right, Q->x);
// x(x^2 + a) + b
BnAdd(right, right, CurveGet_b(C));
BnMod(right, prime);
if(BnUnsignedCmp(left, right) == 0)
return TRUE;
else
return FALSE;
}
//*** BnIsValidPrivateEcc()
// Checks that 0 < x < q
BOOL
BnIsValidPrivateEcc(
bigConst x, // IN: private key to check
bigCurve E // IN: the curve to check
)
{
BOOL retVal;
retVal = (!BnEqualZero(x)
&& (BnUnsignedCmp(x, CurveGetOrder(AccessCurveData(E))) < 0));
return retVal;
}
LIB_EXPORT BOOL
CryptEccIsValidPrivateKey(
TPM2B_ECC_PARAMETER *d,
TPM_ECC_CURVE curveId
)
{
BN_INITIALIZED(bnD, MAX_ECC_PARAMETER_BYTES * 8, d);
return !BnEqualZero(bnD) && (BnUnsignedCmp(bnD, BnGetCurveOrder(curveId)) < 0);
}
//*** BnPointMul()
// This function does a point multiply of the form R = [d]S + [u]Q where the
// parameters are bigNum values. If S is NULL and d is not NULL, then it computes
// R = [d]G + [u]Q or just R = [d]G if u and Q are NULL. If 'skipChecks' is TRUE,
// then the function will not verify that the inputs are correct for the domain.
// This would be the case when the values were created by the CryptoEngine code.
// It will return TPM_RC_NO_RESULTS if the resulting point is the point at infinity.
// return type: TPM_RC
// TPM_RC_NO_RESULTS result of multiplication is a point at infinity
// TPM_RC_ECC_POINT 'S' or 'Q' is not on the curve
// TPM_RC_VALUE 'd' or 'u' is not < n
TPM_RC
BnPointMult(
bigPoint R, // OUT: computed point
pointConst S, // IN: optional point to multiply by 'd'
bigConst d, // IN: scalar for [d]S or [d]G
pointConst Q, // IN: optional second point
bigConst u, // IN: optional second scalar
bigCurve E // IN: curve parameters
)
{
BOOL OK;
//
TEST(TPM_ALG_ECDH);
// Need one scalar
OK = (d != NULL || u != NULL);
// If S is present, then d has to be present. If S is not
// present, then d may or may not be present
OK = OK && (((S == NULL) == (d == NULL)) || (d != NULL));
// either both u and Q have to be provided or neither can be provided (don't
// know what to do if only one is provided.
OK = OK && ((u == NULL) == (Q == NULL));
OK = OK && (E != NULL);
if(!OK)
return TPM_RC_VALUE;
OK = (S == NULL) || BnIsOnCurve(S, AccessCurveData(E));
OK = OK && ((Q == NULL) || BnIsOnCurve(Q, AccessCurveData(E)));
if(!OK)
return TPM_RC_ECC_POINT;
if((d != NULL) && (S == NULL))
S = CurveGetG(AccessCurveData(E));
// If only one scalar, don't need Shamir's trick
if((d == NULL) || (u == NULL))
{
if(d == NULL)
OK = BnEccModMult(R, Q, u, E);
else
OK = BnEccModMult(R, S, d, E);
}
else
{
OK = BnEccModMult2(R, S, d, Q, u, E);
}
return (OK ? TPM_RC_SUCCESS : TPM_RC_NO_RESULT);
}
//***BnEccGetPrivate()
// This function gets random values with no more bits than are in 'q' (the curve
// order) until it finds a value ('d') such that 1 <= 'd' < 'q'. This is the method
// of FIPS 186-3 Section B.1.2 'Key Pair Generation by Testing Candidates' with
// minor optimizations to reduce the need for a local parameter to hold the value
// of 'q' - 2.
//
// The execution time of this function is non-deterministic. However, the
// probability that the search will take more than one iteration is very small. As
// a consequence, the weighted-average run time for this function is significantly
// less than the method of key pair generation with extra random bits.
// return type: BOOL
// TRUE value generated
// FALSE failure generating private key
BOOL
BnEccGetPrivate(
bigNum dOut, // OUT: the qualified random value
const ECC_CURVE_DATA *C, // IN: curve for which the private key
// needs to be appropriate
RAND_STATE *rand // IN: state for DRBG
)
{
bigConst order = CurveGetOrder(C);
BOOL OK;
UINT32 orderBits = BnSizeInBits(order);
#if 1 // This is the "extra bits" method of key generation
UINT32 orderBytes = BITS_TO_BYTES(orderBits);
BN_VAR(bnExtraBits, MAX_ECC_KEY_BITS + 64);
BN_VAR(nMinus1, MAX_ECC_KEY_BITS);
//
OK = BnGetRandomBits(bnExtraBits, (orderBytes * 8) + 64, rand);
OK = OK && BnSubWord(nMinus1, order, 1);
OK = OK && BnMod(bnExtraBits, nMinus1);
OK = OK && BnAddWord(dOut, bnExtraBits, 1);
#else
// This is the "testing candidates" version of key generation
do
{
OK = BnGetRandomBits(dOut, BnSizeInBits(order), rand);
OK = OK && BnAddWord(dOut, dOut, 1);
} while(OK && BnUnsignedCmp(dOut, order) >= 0);
#endif
return OK;
}
//*** BnEccGenearateKeyPair()
// This function gets a private scalar from the source of random bits and does
// the point multiply to get the public key.
BOOL
BnEccGenerateKeyPair(
bigNum bnD, // OUT: private scalar
bn_point_t *ecQ, // OUT: public point
bigCurve E, // IN: curve for the point
RAND_STATE *rand // IN: DRBG state to use
)
{
BOOL OK = FALSE;
// Get a private scalar
OK = BnEccGetPrivate(bnD, AccessCurveData(E), rand);
// Do a point multiply
OK = OK && BnEccModMult(ecQ, NULL, bnD, E);
if(!OK)
BnSetWord(ecQ->z, 0);
else
BnSetWord(ecQ->z, 1);
return OK;
}
//***CryptEccNewKeyPair(***)
// This function creates an ephemeral ECC. It is ephemeral in that
// is expected that the private part of the key will be discarded
LIB_EXPORT TPM_RC
CryptEccNewKeyPair(
TPMS_ECC_POINT *Qout, // OUT: the public point
TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar
TPM_ECC_CURVE curveId // IN: the curve for the key
)
{
CURVE_INITIALIZED(E, curveId);
POINT(ecQ);
ECC_NUM(bnD);
BOOL OK;
if(E == NULL)
return TPM_RC_CURVE;
TEST(TPM_ALG_ECDH);
OK = BnEccGenerateKeyPair(bnD, ecQ, E, NULL);
if(OK)
{
BnPointTo2B(Qout, ecQ, E);
BnTo2B(bnD, &dOut->b, Qout->x.t.size);
}
else
{
Qout->x.t.size = Qout->y.t.size = dOut->t.size = 0;
}
CURVE_FREE(E);
return OK ? TPM_RC_SUCCESS : TPM_RC_NO_RESULT;
}
//*** CryptEccPointMultiply()
// This function computes 'R := ['dIn']'G' + ['uIn']'QIn'. Where 'dIn' and
// 'uIn' are scalars, 'G' and 'QIn' are points on the specified curve and G is the
// default generator of the curve.
//
// The 'xOut' and 'yOut' parameters are optional and may be set to NULL if not
// used.
//
// It is not necessary to provide 'uIn' if 'QIn' is specified but one of 'uIn' and
// 'dIn' must be provided. If 'dIn' and 'QIn' are specified but 'uIn' is not
// provided, then 'R' = ['dIn']'QIn'.
//
// If the multiply produces the point at infinity, the TPM_RC_NO_RESULTS is returned.
//
// The sizes of 'xOut' and yOut' will be set to be the size of the degree of
// the curve
//
// It is a fatal error if 'dIn' and 'uIn' are both unspecified (NULL) or if 'Qin'
// or 'Rout' is unspecified.
//
// return type: TPM_RC
// TPM_RC_ECC_POINT the point 'Pin' or 'Qin' is not on the curve
// TPM_RC_NO_RESULT the product point is at infinity
// TPM_RC_CURVE bad curve
// TPM_RC_VALUE 'dIn' or 'uIn' out of range
//
LIB_EXPORT TPM_RC
CryptEccPointMultiply(
TPMS_ECC_POINT *Rout, // OUT: the product point R
TPM_ECC_CURVE curveId, // IN: the curve to use
TPMS_ECC_POINT *Pin, // IN: first point (can be null)
TPM2B_ECC_PARAMETER *dIn, // IN: scalar value for [dIn]Qin
// the Pin
TPMS_ECC_POINT *Qin, // IN: point Q
TPM2B_ECC_PARAMETER *uIn // IN: scalar value for the multiplier
// of Q
)
{
CURVE_INITIALIZED(E, curveId);
POINT_INITIALIZED(ecP, Pin);
ECC_INITIALIZED(bnD, dIn); // If dIn is null, then bnD is null
ECC_INITIALIZED(bnU, uIn);
POINT_INITIALIZED(ecQ, Qin);
POINT(ecR);
TPM_RC retVal;
//
retVal = BnPointMult(ecR, ecP, bnD, ecQ, bnU, E);
if(retVal == TPM_RC_SUCCESS)
BnPointTo2B(Rout, ecR, E);
else
ClearPoint2B(Rout);
CURVE_FREE(E);
return retVal;
}
//*** CryptEccIsPointOnCurve()
// This function is used to test if a point is on a defined curve. It does this
// by checking that y^2 mod p = x^3 + a*x + b mod p
//
// It is a fatal error if Q is not specified (is NULL).
// return type: BOOL
// TRUE point is on curve
// FALSE point is not on curve or curve is not supported
LIB_EXPORT BOOL
CryptEccIsPointOnCurve(
TPM_ECC_CURVE curveId, // IN: the curve selector
TPMS_ECC_POINT *Qin // IN: the point.
)
{
const ECC_CURVE_DATA *C = GetCurveData(curveId);
POINT_INITIALIZED(ecQ, Qin);
BOOL OK;
//
pAssert(Qin != NULL);
OK = (C != NULL && (BnIsOnCurve(ecQ, C)));
return OK;
}
//*** CryptEccGenerateKey()
// This function generates an ECC key pair based on the input parameters.
// This routine uses KDFa to produce candidate numbers. The method is according
// to FIPS 186-3, section B.1.2 "Key Pair Generation by Testing Candidates."
// According to the method in FIPS 186-3, the resulting private value 'd' should be
// 1 <= 'd' < 'n' where 'n' is the order of the base point.
//
// It is a fatal error if 'Qout', 'dOut', is not provided (is NULL).
//
// If the curve is not supported
// If 'seed' is not provided, then a random number will be used for the key
// return type: TPM_RC
// TPM_RC_CURVE curve is not supported
// TPM_RC_NO_RESULT could not verify key with signature (FIPS only)
LIB_EXPORT TPM_RC
CryptEccGenerateKey(
TPMT_PUBLIC *publicArea, // IN/OUT: The public area template for
// the new key. The public key
// area will be replaced computed
// ECC public key
TPMT_SENSITIVE *sensitive, // OUT: the sensitive area will be
// updated to contain the private
// ECC key and the symmetric
// encryption key
RAND_STATE *rand // IN: if not NULL, the deterministic
// RNG state
)
{
CURVE_INITIALIZED(E, publicArea->parameters.eccDetail.curveID);
ECC_NUM(bnD);
POINT(ecQ);
BOOL OK;
TPM_RC retVal;
TEST(TPM_ALG_ECDSA); // ECDSA is used to verify each key
// Validate parameters
if(E == NULL)
ERROR_RETURN(TPM_RC_CURVE);
publicArea->unique.ecc.x.t.size = 0;
publicArea->unique.ecc.y.t.size = 0;
sensitive->sensitive.ecc.t.size = 0;
OK = BnEccGenerateKeyPair(bnD, ecQ, E, rand);
if(OK)
{
BnPointTo2B(&publicArea->unique.ecc, ecQ, E);
BnTo2B(bnD, &sensitive->sensitive.ecc.b, publicArea->unique.ecc.x.t.size);
}
#if defined FIPS_COMPLIANT || 1
// See if PWCT is required
if(OK && publicArea->objectAttributes.sign)
{
ECC_NUM(bnT);
ECC_NUM(bnS);
TPM2B_DIGEST digest;
TEST(TPM_ALG_ECDSA);
digest.t.size =
(UINT16)BITS_TO_BYTES(BnSizeInBits(CurveGetPrime(
AccessCurveData(E))));
// Get a random value to sign using the built in DRBG state
DRBG_Generate(NULL, digest.t.buffer, digest.t.size);
BnSignEcdsa(bnT, bnS, E, bnD, &digest, NULL);
// and make sure that we can validate the signature
OK = BnValidateSignatureEcdsa(bnT, bnS, E, ecQ, &digest) == TPM_RC_SUCCESS;
}
#endif
retVal = (OK) ? TPM_RC_SUCCESS : TPM_RC_NO_RESULT;
Exit:
CURVE_FREE(E);
return retVal;
}
#endif // TPM_ALG_ECC
|
