dsa_sig.c revision f03f8485e7d1a5258e16e0e376229f431d2c53ac
1/* 2 * Copyright 2013 The Android Open Source Project 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * * Redistributions of source code must retain the above copyright 7 * notice, this list of conditions and the following disclaimer. 8 * * Redistributions in binary form must reproduce the above copyright 9 * notice, this list of conditions and the following disclaimer in the 10 * documentation and/or other materials provided with the distribution. 11 * * Neither the name of Google Inc. nor the names of its contributors may 12 * be used to endorse or promote products derived from this software 13 * without specific prior written permission. 14 * 15 * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 17 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 18 * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 21 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 22 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 23 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 24 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include <string.h> 28 29#include "mincrypt/dsa_sig.h" 30#include "mincrypt/p256.h" 31 32/** 33 * Trims off the leading zero bytes and copy it to a buffer aligning it to the end. 34 */ 35static inline int trim_to_p256_bytes(unsigned char dst[P256_NBYTES], unsigned char *src, 36 int src_len) { 37 int dst_offset; 38 while (*src == '\0' && src_len > 0) { 39 src++; 40 src_len--; 41 } 42 if (src_len > P256_NBYTES || src_len < 1) { 43 return 0; 44 } 45 dst_offset = P256_NBYTES - src_len; 46 memset(dst, 0, dst_offset); 47 memcpy(dst + dst_offset, src, src_len); 48 return 1; 49} 50 51/** 52 * Unpacks the ASN.1 DSA signature sequence. 53 */ 54int dsa_sig_unpack(unsigned char* sig, int sig_len, p256_int* r_int, p256_int* s_int) { 55 /* 56 * Structure is: 57 * 0x30 0xNN SEQUENCE + s_length 58 * 0x02 0xNN INTEGER + r_length 59 * 0xAA 0xBB .. r_length bytes of "r" (offset 4) 60 * 0x02 0xNN INTEGER + s_length 61 * 0xMM 0xNN .. s_length bytes of "s" (offset 6 + r_len) 62 */ 63 int seq_len; 64 unsigned char r_bytes[P256_NBYTES]; 65 unsigned char s_bytes[P256_NBYTES]; 66 int r_len; 67 int s_len; 68 69 memset(r_bytes, 0, sizeof(r_bytes)); 70 memset(s_bytes, 0, sizeof(s_bytes)); 71 72 /* 73 * Must have at least: 74 * 2 bytes sequence header and length 75 * 2 bytes R integer header and length 76 * 1 byte of R 77 * 2 bytes S integer header and length 78 * 1 byte of S 79 * 80 * 8 bytes total 81 */ 82 if (sig_len < 8 || sig[0] != 0x30 || sig[2] != 0x02) { 83 return 0; 84 } 85 86 seq_len = sig[1]; 87 if ((seq_len <= 0) || (seq_len + 2 != sig_len)) { 88 return 0; 89 } 90 91 r_len = sig[3]; 92 /* 93 * Must have at least: 94 * 2 bytes for R header and length 95 * 2 bytes S integer header and length 96 * 1 byte of S 97 */ 98 if ((r_len < 1) || (r_len > seq_len - 5) || (sig[4 + r_len] != 0x02)) { 99 return 0; 100 } 101 s_len = sig[5 + r_len]; 102 103 /** 104 * Must have: 105 * 2 bytes for R header and length 106 * r_len bytes for R 107 * 2 bytes S integer header and length 108 */ 109 if ((s_len < 1) || (s_len != seq_len - 4 - r_len)) { 110 return 0; 111 } 112 113 /* 114 * ASN.1 encoded integers are zero-padded for positive integers. Make sure we have 115 * a correctly-sized buffer and that the resulting integer isn't too large. 116 */ 117 if (!trim_to_p256_bytes(r_bytes, &sig[4], r_len) 118 || !trim_to_p256_bytes(s_bytes, &sig[6 + r_len], s_len)) { 119 return 0; 120 } 121 122 p256_from_bin(r_bytes, r_int); 123 p256_from_bin(s_bytes, s_int); 124 125 return 1; 126} 127