//! # Signatures
//!
//! * ECDSA P-256 with SHA-256, SHA-384, and SHA-512
//! * EdDSA over Curve25519 (Ed25519)
//! * RSA-PSS, available only through the [`rsa_pss`] module: the generic
//!   [`sign`], [`verify`] and [`key_gen`] entry points do not handle it.

use rand::{CryptoRng, Rng, RngCore};

use crate::{
    ecdh,
    hacl::{self, ed25519, p256},
};

use self::rsa_pss::RsaPssSignature;

/// Signature Errors
///
/// The variants are coarse on purpose (it appears): they report which
/// operation failed, not the underlying cause, so callers learn nothing
/// about key or signature internals from the error value.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    /// Signing failed: the private key was rejected, the RNG failed, or the
    /// backend reported an error.
    SigningError,
    /// The signature did not verify, or the signature/public key bytes could
    /// not even be parsed.
    InvalidSignature,
    /// Key generation failed (RNG error or backend error).
    KeyGenError,
    /// A key has the wrong length for the requested scheme.
    InvalidKey,
    /// An input is longer than the backend API can represent (`u32` lengths).
    InputTooLarge,
}

/// The digest algorithm used for the signature scheme (when required).
///
/// Applies to ECDSA P-256 and RSA-PSS; Ed25519 has its hash fixed by the
/// scheme and takes no digest parameter.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DigestAlgorithm {
    /// SHA-256
    Sha256,
    /// SHA-384
    Sha384,
    /// SHA-512
    Sha512,
}

/// The Signature Algorithm
///
/// For the parameterised variants the digest is part of the algorithm
/// identity: an ECDSA signature records it and `verify` uses the recorded
/// digest rather than one chosen by the verifier.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Algorithm {
    /// ECDSA on NIST P-256 with the given digest.
    EcDsaP256(DigestAlgorithm),
    /// Ed25519 (pure EdDSA, hash fixed by the scheme).
    Ed25519,
    /// RSA-PSS with the given digest; see the `rsa_pss` module.
    RsaPss(DigestAlgorithm),
}

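/// The signature
///
/// A tagged union over the per-scheme signature types. Signatures are public
/// data, so it is safe to derive `Clone`/`PartialEq`; every inner type already
/// implements them, which lets callers compare and duplicate signatures
/// without unwrapping the variant first.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Signature {
    /// An ECDSA P-256 signature `(r, s)` plus the digest it was made with.
    EcDsaP256(EcDsaP256Signature),
    /// A 64-byte Ed25519 signature.
    Ed25519(Ed25519Signature),
    /// An RSA-PSS signature of modulus length.
    RsaPss(RsaPssSignature),
}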

impl Signature {
    /// Consume the signature and return its raw encoding.
    ///
    /// * ECDSA P-256: the 64 bytes `r || s` (32 bytes each).
    /// * Ed25519: the 64 signature bytes.
    /// * RSA-PSS: the stored bytes, unchanged.
    pub fn into_vec(self) -> Vec<u8> {
        match self {
            Signature::EcDsaP256(sig) => [sig.r.as_slice(), sig.s.as_slice()].concat(),
            Signature::Ed25519(sig) => Vec::from(sig.signature),
            Signature::RsaPss(sig) => sig.value,
        }
    }
}

/// A [`Algorithm::EcDsaP256`] Signature
///
/// Stores the two scalar components separately together with the algorithm
/// (and thus the digest) the signature was produced under. The `alg` field
/// is what `verify` dispatches on, so it travels with the signature rather
/// than being supplied by the verifier.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct EcDsaP256Signature {
    /// The `r` component, 32 bytes.
    r: [u8; 32],
    /// The `s` component, 32 bytes.
    s: [u8; 32],
    /// The algorithm this signature was created with; expected to be an
    /// `Algorithm::EcDsaP256(_)` variant (not enforced on construction).
    alg: Algorithm,
}

/// A [`Algorithm::Ed25519`] Signature
///
/// Ed25519 fixes the hash, so no algorithm tag is needed; the value is the
/// plain 64-byte signature.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Ed25519Signature {
    /// The raw 64 signature bytes.
    signature: [u8; 64],
}

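pub mod rsa_pss {
    use libcrux_hacl::{
        hacl_free, Hacl_RSAPSS_new_rsapss_load_pkey, Hacl_RSAPSS_new_rsapss_load_skey,
        Hacl_RSAPSS_rsapss_sign, Hacl_RSAPSS_rsapss_verify,
    };

    use super::{DigestAlgorithm, Error};

    /// A [`super::Algorithm::RsaPss`] signature.
    ///
    /// Plain signature bytes, stored as given. Nothing is validated on
    /// construction; length and encoding are only checked when the value is
    /// handed to [`RsaPssPublicKey::verify`].
    #[derive(Debug, Clone, PartialEq, Eq)]
    pub struct RsaPssSignature {
        pub(super) value: Vec<u8>,
    }

    impl RsaPssSignature {
        /// Get the signature as the raw byte slice.
        pub fn as_bytes(&self) -> &[u8] {
            &self.value
        }
    }

    impl From<&[u8]> for RsaPssSignature {
        fn from(value: &[u8]) -> Self {
            Self {
                value: value.to_vec(),
            }
        }
    }

    impl<const L: usize> From<[u8; L]> for RsaPssSignature {
        fn from(value: [u8; L]) -> Self {
            Self {
                value: value.to_vec(),
            }
        }
    }

    impl From<Vec<u8>> for RsaPssSignature {
        fn from(value: Vec<u8>) -> Self {
            Self { value }
        }
    }

    /// A [`super::Algorithm::RsaPss`] public key: the modulus `N`.
    ///
    /// The public exponent is fixed to 65537 (`0x010001`); keys with any other
    /// exponent cannot be represented by this type.
    #[derive(Debug, Clone, PartialEq, Eq)]
    pub struct RsaPssPublicKey {
        /// The modulus, exactly `RsaPssKeySize` bytes long, in the byte order
        /// the HACL* key loader expects (presumably big-endian — confirm).
        n: Vec<u8>,
    }

    /// Map a [`DigestAlgorithm`] to the HACL* `Spec_Hash_Definitions` tag.
    fn rsa_pss_digest(hash_algorithm: DigestAlgorithm) -> u8 {
        match hash_algorithm {
            DigestAlgorithm::Sha256 => libcrux_hacl::Spec_Hash_Definitions_SHA2_256 as u8,
            DigestAlgorithm::Sha384 => libcrux_hacl::Spec_Hash_Definitions_SHA2_384 as u8,
            DigestAlgorithm::Sha512 => libcrux_hacl::Spec_Hash_Definitions_SHA2_512 as u8,
        }
    }

    /// The key size is the bit/byte-size of the modulus N.
    /// Note that the values are bytes but the names are in bits.
    #[derive(Debug, Clone, Copy, PartialEq, Eq)]
    #[repr(usize)]
    pub enum RsaPssKeySize {
        /// N = 2048 bits | 256 bytes
        N2048 = 256,

        /// N = 3072 bits | 384 bytes
        N3072 = 384,

        /// N = 4096 bits | 512 bytes
        N4096 = 512,

        /// N = 6144 bits | 768 bytes
        N6144 = 768,

        /// N = 8192 bits | 1024 bytes
        N8192 = 1024,
    }

    /// Bit-width handed to HACL* for the public exponent. It is the width of
    /// the 3-byte encoding of `E` (3 * 8), not the exact bit-length (17) of
    /// 65537.
    const E_BITS: u32 = 24;

    /// The only supported public exponent, 65537, as 3 big-endian bytes.
    const E: [u8; 3] = [0x01, 0x00, 0x01];

    impl RsaPssPublicKey {
        /// Build a public key from the raw modulus bytes.
        ///
        /// Returns [`Error::InvalidKey`] unless `n` is exactly `key_size`
        /// bytes long. No structural checks happen here; HACL* applies its own
        /// modulus checks when the key is loaded in [`Self::verify`], and a key
        /// that fails them is reported there as [`Error::InvalidKey`].
        pub fn new(key_size: RsaPssKeySize, n: &[u8]) -> Result<Self, Error> {
            if n.len() != key_size as usize {
                return Err(Error::InvalidKey);
            }
            Ok(Self { n: n.into() })
        }

        /// Verify the `signature` on the `msg` with this public key using the
        /// `hash_algorithm` and `salt_len`.
        ///
        /// `salt_len` must equal the length of the salt the signer used.
        ///
        /// Returns [`Error::InvalidSignature`] if the signature has the wrong
        /// length or does not verify, [`Error::InvalidKey`] if HACL* rejects the
        /// modulus, and [`Error::InputTooLarge`] if a length does not fit the
        /// backend's `u32` parameters.
        #[must_use = "The result of the signature verification must be used."]
        pub fn verify(
            &self,
            hash_algorithm: DigestAlgorithm,
            signature: &RsaPssSignature,
            msg: &[u8],
            salt_len: usize,
        ) -> Result<(), Error> {
            // RFC 8017 §8.1.2 step 1: an RSASSA-PSS signature is exactly
            // k = |N| bytes. Reject anything else before touching the FFI.
            if signature.value.len() != self.n.len() {
                return Err(Error::InvalidSignature);
            }
            // The HACL* API takes `u32` lengths. Refuse what a plain `as` cast
            // would silently truncate — the same guard `sign` applies.
            let salt_len = u32::try_from(salt_len).map_err(|_| Error::InputTooLarge)?;
            let msg_len = u32::try_from(msg.len()).map_err(|_| Error::InputTooLarge)?;
            // Equal to `self.n.len()` (checked above), which `new` bounds by
            // `RsaPssKeySize`, so neither cast below can truncate.
            let sig_len = signature.value.len() as u32;
            let key_size_bits = (self.n.len() as u32) * 8;

            // SAFETY: `self.n`, `E`, `signature.value` and `msg` are live for the
            // whole call and their real lengths are the ones passed alongside;
            // `pkey` is allocated by HACL* and released on every path below.
            let valid = unsafe {
                let pkey = Hacl_RSAPSS_new_rsapss_load_pkey(
                    key_size_bits,
                    E_BITS,
                    self.n.as_ptr() as _,
                    E.as_ptr() as _,
                );
                // HACL* reports a modulus/exponent that fails its checks by
                // returning a null pointer; it must never reach the verifier.
                if pkey.is_null() {
                    return Err(Error::InvalidKey);
                }
                let ok = Hacl_RSAPSS_rsapss_verify(
                    rsa_pss_digest(hash_algorithm),
                    key_size_bits,
                    E_BITS,
                    pkey,
                    salt_len,
                    sig_len,
                    signature.value.as_ptr() as _,
                    msg_len,
                    msg.as_ptr() as _,
                );
                // The loaded key is heap memory owned by us (cf. `sign`); it
                // used to leak here on every call.
                hacl_free(pkey as _);
                ok
            };

            if valid {
                Ok(())
            } else {
                Err(Error::InvalidSignature)
            }
        }
    }

    /// A [`super::Algorithm::RsaPss`] private key.
    ///
    /// Holds a borrow of the [`RsaPssPublicKey`] (the modulus) plus the
    /// private exponent `d`. It carries no `Debug`/`Clone` derive, which keeps
    /// `d` out of logs and stray copies — keep it that way.
    ///
    /// NOTE(review): `d` is not zeroized when the key is dropped, and the
    /// HACL* copy made during [`Self::sign`] is released with a plain free.
    /// A zeroizing wrapper would be the usual fix.
    pub struct RsaPssPrivateKey<'a> {
        pk: &'a RsaPssPublicKey,
        d: Vec<u8>,
    }

    impl<'a> RsaPssPrivateKey<'a> {
        /// Create a new [`RsaPssPrivateKey`] from the private exponent bytes
        /// and the matching public key.
        ///
        /// `d` must be given at full modulus width, i.e. padded to the same
        /// length as `N`; returns [`Error::InvalidKey`] otherwise.
        pub fn new(pk: &'a RsaPssPublicKey, d: &[u8]) -> Result<Self, Error> {
            if pk.n.len() != d.len() {
                return Err(Error::InvalidKey);
            }
            Ok(Self { pk, d: d.into() })
        }

        /// Sign the provided `msg` with this private key using the
        /// `hash_algorithm` and `salt`.
        ///
        /// `salt` is used as the PSS salt exactly as given; it should be fresh
        /// random bytes per signature, and its length must be passed to
        /// [`RsaPssPublicKey::verify`] as `salt_len`.
        ///
        /// Returns the signature (one modulus length of bytes) on success,
        /// [`Error::InputTooLarge`] if `salt` or `msg` exceed `u32` lengths,
        /// [`Error::InvalidKey`] if HACL* rejects the key material, and
        /// [`Error::SigningError`] if the backend fails (e.g. the salt does
        /// not fit the encoding).
        pub fn sign(
            &self,
            hash_algorithm: DigestAlgorithm,
            salt: &[u8],
            msg: &[u8],
        ) -> Result<RsaPssSignature, Error> {
            let salt_len = u32::try_from(salt.len()).map_err(|_| Error::InputTooLarge)?;
            let msg_len = u32::try_from(msg.len()).map_err(|_| Error::InputTooLarge)?;

            // `d.len() == n.len()` is enforced by `new`, and `new` on the public
            // key bounds it by `RsaPssKeySize`, so the cast cannot truncate.
            let key_len = self.d.len();
            let mut signature = vec![0u8; key_len];
            let key_size_bits = (key_len as u32) * 8;

            // SAFETY: all input buffers outlive the call and have the lengths
            // passed alongside; `signature` has `key_len` bytes, the size the
            // backend writes for a `key_size_bits` key; `s_key` is released on
            // every path below.
            let ok = unsafe {
                let s_key = Hacl_RSAPSS_new_rsapss_load_skey(
                    key_size_bits,
                    E_BITS,
                    key_size_bits,
                    self.pk.n.as_ptr() as _,
                    E.as_ptr() as _,
                    self.d.as_ptr() as _,
                );
                // Null means HACL* rejected the key; it must not be dereferenced
                // by the signer.
                if s_key.is_null() {
                    return Err(Error::InvalidKey);
                }
                let ok = Hacl_RSAPSS_rsapss_sign(
                    rsa_pss_digest(hash_algorithm),
                    key_size_bits,
                    E_BITS,
                    key_size_bits,
                    s_key,
                    salt_len,
                    salt.as_ptr() as _,
                    msg_len,
                    msg.as_ptr() as _,
                    signature.as_mut_ptr(),
                );
                hacl_free(s_key as _);
                ok
            };

            if ok {
                Ok(RsaPssSignature { value: signature })
            } else {
                Err(Error::SigningError)
            }
        }
    }
}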

impl Ed25519Signature {
    /// Wrap the raw 64 signature bytes.
    ///
    /// Nothing is checked here; a malformed value only surfaces as an error
    /// from [`verify`].
    pub fn from_bytes(signature: [u8; 64]) -> Self {
        Self { signature }
    }

    /// Build a signature from a byte slice.
    ///
    /// Returns [`Error::InvalidSignature`] when `bytes` is not exactly 64
    /// bytes long.
    pub fn from_slice(bytes: &[u8]) -> Result<Self, Error> {
        let signature: [u8; 64] = bytes.try_into().map_err(|_| Error::InvalidSignature)?;
        Ok(Self::from_bytes(signature))
    }

    /// Borrow the raw 64 signature bytes.
    pub fn as_bytes(&self) -> &[u8; 64] {
        &self.signature
    }
}

impl EcDsaP256Signature {
    /// Build a signature from its two 32-byte components and the algorithm it
    /// was produced under.
    ///
    /// `alg` is stored as given; [`verify`] dispatches on it and rejects the
    /// signature if it is not an [`Algorithm::EcDsaP256`] variant.
    pub fn from_raw(r: [u8; 32], s: [u8; 32], alg: Algorithm) -> Self {
        Self { r, s, alg }
    }

    /// Build a signature from the 64-byte concatenation `r || s`.
    pub fn from_bytes(signature_bytes: [u8; 64], alg: Algorithm) -> Self {
        let mut r = [0u8; 32];
        let mut s = [0u8; 32];
        // Both halves are exactly 32 bytes by construction of the input type.
        r.copy_from_slice(&signature_bytes[..32]);
        s.copy_from_slice(&signature_bytes[32..]);
        Self::from_raw(r, s, alg)
    }

    /// Borrow the two raw components as `(r, s)`.
    pub fn as_bytes(&self) -> (&[u8; 32], &[u8; 32]) {
        (&self.r, &self.s)
    }
}

/// Validate the raw `private_key` scalar and draw a fresh ECDSA nonce from
/// `rng`.
///
/// The nonce is rejection-sampled: 32 random bytes are drawn until
/// `p256::validate_scalar_slice` accepts them. Returns
/// [`Error::SigningError`] if the private key is rejected or the RNG fails.
///
/// NOTE(review): the nonce comes solely from `rng` (no RFC 6979 style
/// derivation), so the secrecy of the private key rests entirely on `rng`
/// being a CSPRNG — a repeated or biased nonce reveals the key.
fn ecdsa_p256_sign_prep(
    private_key: &[u8],
    rng: &mut (impl CryptoRng + RngCore),
) -> Result<(ecdh::p256::PrivateKey, [u8; 32]), Error> {
    let scalar = p256::validate_scalar_slice(private_key).map_err(|_| Error::SigningError)?;

    let nonce = loop {
        let mut candidate = [0u8; 32];
        rng.try_fill_bytes(&mut candidate)
            .map_err(|_| Error::SigningError)?;
        // Only an in-range, non-zero scalar may be used as the nonce.
        if p256::validate_scalar_slice(&candidate).is_ok() {
            break candidate;
        }
    };

    Ok((scalar, nonce))
}

/// Split a raw 64-byte ECDSA output `r || s` into a [`Signature::EcDsaP256`]
/// tagged with `alg`.
///
/// The slice-to-array conversions cannot fail for a 64-byte input; the error
/// mapping to [`Error::SigningError`] is kept purely to avoid a panic path.
fn ecdsa_p256_sign_post(signature: [u8; 64], alg: Algorithm) -> Result<Signature, Error> {
    let (r_bytes, s_bytes) = signature.split_at(32);
    let r: [u8; 32] = r_bytes.try_into().map_err(|_| Error::SigningError)?;
    let s: [u8; 32] = s_bytes.try_into().map_err(|_| Error::SigningError)?;
    Ok(Signature::EcDsaP256(EcDsaP256Signature { r, s, alg }))
}

/// Collapse any HACL*-layer error into the opaque [`Error::SigningError`].
///
/// The concrete cause is discarded on purpose; the caller only learns that
/// signing failed.
fn into_signing_error(_: impl Into<hacl::Error>) -> Error {
    Error::SigningError
}

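/// Sign the `payload` with the given [`Algorithm`] and `private_key`.
///
/// `private_key` is the raw private key material for the scheme (validated
/// by `p256::validate_scalar_slice` for ECDSA; converted to the fixed-size
/// key array for Ed25519). For ECDSA the per-signature nonce is drawn from
/// `rng`, so `rng` MUST be cryptographically secure: a repeated or biased
/// nonce leaks the private key.
///
/// Returns the [`Signature`] or an [`Error::SigningError`].
///
/// RSA-PSS cannot be signed through this entry point — a bare byte slice
/// does not carry the modulus — so use
/// [`rsa_pss::RsaPssPrivateKey::sign`] instead. Requesting it here returns
/// [`Error::SigningError`] rather than panicking (it used to hit `todo!()`).
pub fn sign(
    alg: Algorithm,
    payload: &[u8],
    private_key: &[u8],
    rng: &mut (impl CryptoRng + RngCore),
) -> Result<Signature, Error> {
    match alg {
        Algorithm::EcDsaP256(DigestAlgorithm::Sha256) => {
            let (private_key, nonce) = ecdsa_p256_sign_prep(private_key, rng)?;
            let raw = p256::ecdsa::sign_sha256(payload, private_key.as_ref(), &nonce)
                .map_err(into_signing_error)?;
            ecdsa_p256_sign_post(raw, alg)
        }
        Algorithm::EcDsaP256(DigestAlgorithm::Sha384) => {
            let (private_key, nonce) = ecdsa_p256_sign_prep(private_key, rng)?;
            let raw = p256::ecdsa::sign_sha384(payload, private_key.as_ref(), &nonce)
                .map_err(into_signing_error)?;
            ecdsa_p256_sign_post(raw, alg)
        }
        Algorithm::EcDsaP256(DigestAlgorithm::Sha512) => {
            let (private_key, nonce) = ecdsa_p256_sign_prep(private_key, rng)?;
            let raw = p256::ecdsa::sign_sha512(payload, private_key.as_ref(), &nonce)
                .map_err(into_signing_error)?;
            ecdsa_p256_sign_post(raw, alg)
        }
        Algorithm::Ed25519 => {
            // A key of the wrong length is a signing error, not a panic.
            let key = private_key.try_into().map_err(|_| Error::SigningError)?;
            let signature = ed25519::sign(payload, key).map_err(into_signing_error)?;
            Ok(Signature::Ed25519(Ed25519Signature { signature }))
        }
        // Not supported via this API (see doc comment); never panic in a
        // library entry point on a valid enum value.
        Algorithm::RsaPss(_) => Err(Error::SigningError),
    }
}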

/// Collapse any HACL*-layer error into the opaque [`Error::InvalidSignature`].
///
/// Parse failures and genuine verification failures are deliberately
/// indistinguishable to the caller.
fn into_verify_error(_: impl Into<hacl::Error>) -> Error {
    Error::InvalidSignature
}

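/// Parse and validate a P-256 public key for ECDSA verification.
///
/// Accepts, in this order of attempts: SEC1 uncompressed, SEC1 compressed,
/// or the bare 64-byte concatenation `x || y`. The resulting point is passed
/// through `p256::validate_point` before it is returned, so a point that is
/// not on the curve (or otherwise rejected by the backend) never reaches the
/// verifier.
///
/// Every failure maps to [`Error::InvalidSignature`], matching the contract
/// documented on [`verify`]. (The empty-input case previously returned
/// [`Error::SigningError`], which is the wrong error family for a verify
/// path and disagreed with the fallback branch below.)
fn ecdsa_p256_verify_prep(public_key: &[u8]) -> Result<[u8; 64], Error> {
    if public_key.is_empty() {
        return Err(Error::InvalidSignature);
    }

    // Parse the public key, trying the encodings from most to least explicit.
    let pk: [u8; 64] = match p256::uncompressed_to_coordinates(public_key) {
        Ok(pk) => pk,
        // Might be compressed.
        Err(_) => match p256::compressed_to_coordinates(public_key) {
            Ok(pk) => pk,
            // Might be a simple concatenation of the coordinates.
            Err(_) => public_key
                .try_into()
                .map_err(|_| Error::InvalidSignature)?,
        },
    };

    // Reject anything the backend does not consider a valid curve point.
    p256::validate_point(ecdh::p256::PublicKey(pk)).map_err(into_verify_error)?;
    Ok(pk)
}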

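/// Verify the `payload` and `signature` with the `public_key`.
///
/// The algorithm (and for ECDSA the digest) is taken from the signature
/// value itself, never from the caller, so a signature cannot be verified
/// under a different hash than it was made with. For ECDSA P-256 the public
/// key may be SEC1 uncompressed, SEC1 compressed, or bare `x || y`; for
/// Ed25519 it is the raw public key bytes.
///
/// Return `()` or [`Error::InvalidSignature`].
///
/// RSA-PSS signatures carry neither the digest nor the salt length needed to
/// verify them, so they are not supported here; use
/// [`rsa_pss::RsaPssPublicKey::verify`]. Passing one returns
/// [`Error::InvalidSignature`] rather than panicking (it used to hit
/// `todo!()`).
pub fn verify(payload: &[u8], signature: &Signature, public_key: &[u8]) -> Result<(), Error> {
    match signature {
        Signature::EcDsaP256(signature) => {
            // `from_raw`/`from_bytes` accept any `Algorithm`; only ECDSA P-256
            // tags are meaningful here.
            let digest = match signature.alg {
                Algorithm::EcDsaP256(digest) => digest,
                _ => return Err(Error::InvalidSignature),
            };
            let pk = ecdsa_p256_verify_prep(public_key)?;
            let result = match digest {
                DigestAlgorithm::Sha256 => {
                    p256::ecdsa::verify_sha256(payload, &pk, &signature.r, &signature.s)
                }
                DigestAlgorithm::Sha384 => {
                    p256::ecdsa::verify_sha384(payload, &pk, &signature.r, &signature.s)
                }
                DigestAlgorithm::Sha512 => {
                    p256::ecdsa::verify_sha512(payload, &pk, &signature.r, &signature.s)
                }
            };
            result.map_err(into_verify_error)
        }
        Signature::Ed25519(signature) => {
            let public_key = public_key.try_into().map_err(|_| Error::InvalidSignature)?;
            ed25519::verify(payload, public_key, &signature.signature).map_err(into_verify_error)
        }
        // Not supported via this API (see doc comment); a verify routine
        // must fail closed, never panic.
        Signature::RsaPss(_) => Err(Error::InvalidSignature),
    }
}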

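/// Generate a fresh key pair.
///
/// The function returns the (secret key, public key) tuple, or an [`Error`].
///
/// * ECDSA P-256: delegates to `ecdh::key_gen` for P-256; the digest in the
///   algorithm does not affect the key and is ignored.
/// * Ed25519: draws 32 random bytes from `rng`, retrying (up to 100 times)
///   if they are all zero, and derives the public key with
///   `ed25519::secret_to_public`. If every attempt fails this now returns
///   [`Error::KeyGenError`] instead of silently using the all-zero buffer.
/// * RSA-PSS: no key generation is available; returns
///   [`Error::KeyGenError`] rather than panicking (it used to hit `todo!()`).
///
/// `rng` MUST be a CSPRNG — the secret key is taken directly from its output.
pub fn key_gen(
    alg: Algorithm,
    rng: &mut (impl CryptoRng + Rng),
) -> Result<(Vec<u8>, Vec<u8>), Error> {
    match alg {
        Algorithm::EcDsaP256(_) => {
            ecdh::key_gen(ecdh::Algorithm::P256, rng).map_err(|_| Error::KeyGenError)
        }
        Algorithm::Ed25519 => {
            const LIMIT: usize = 100;
            let mut sk = [0u8; 32];
            let mut generated = false;
            for _ in 0..LIMIT {
                rng.try_fill_bytes(&mut sk)
                    .map_err(|_| Error::KeyGenError)?;

                // We don't want a 0 key. (The buffer is already all zero in
                // this case, so nothing needs resetting before the retry.)
                if sk.iter().all(|&b| b == 0) {
                    continue;
                }

                // Clamp the key as the original did.
                // NOTE(review): Ed25519 derives its scalar by hashing this
                // 32-byte seed with SHA-512 and clamping *that*, so clamping
                // the seed here presumably has no effect on the derived
                // scalar — confirm against `ed25519::sign`/`secret_to_public`.
                sk[0] &= 248u8;
                sk[31] &= 127u8;
                sk[31] |= 64u8;

                generated = true;
                break;
            }
            // Exhausting the retry budget is astronomically unlikely with a
            // working RNG, but the all-zero buffer must never become a key.
            if !generated {
                return Err(Error::KeyGenError);
            }
            let pk = ed25519::secret_to_public(&sk);

            Ok((sk.to_vec(), pk.to_vec()))
        }
        // No RSA key generation is wired up; fail instead of panicking in a
        // library entry point.
        Algorithm::RsaPss(_) => Err(Error::KeyGenError),
    }
}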