1 /* $OpenBSD: ec_asn1.c,v 1.31 2018/09/01 16:23:15 tb Exp $ */
3 * Written by Nils Larsch for the OpenSSL project.
5 /* ====================================================================
6 * Copyright (c) 2000-2003 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
61 #include <openssl/opensslconf.h>
64 #include <openssl/err.h>
65 #include <openssl/asn1t.h>
66 #include <openssl/objects.h>
69 EC_GROUP_get_basis_type(const EC_GROUP * group)
73 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
74 NID_X9_62_characteristic_two_field)
75 /* everything else is currently not supported */
78 while (group->poly[i] != 0)
82 return NID_X9_62_ppBasis;
84 return NID_X9_62_tpBasis;
86 /* everything else is currently not supported */
90 #ifndef OPENSSL_NO_EC2M
92 EC_GROUP_get_trinomial_basis(const EC_GROUP * group, unsigned int *k)
97 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
98 NID_X9_62_characteristic_two_field
99 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0))) {
100 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
110 EC_GROUP_get_pentanomial_basis(const EC_GROUP * group, unsigned int *k1,
111 unsigned int *k2, unsigned int *k3)
116 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
117 NID_X9_62_characteristic_two_field
118 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0))) {
119 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
123 *k1 = group->poly[3];
125 *k2 = group->poly[2];
127 *k3 = group->poly[1];
133 /* some structures needed for the asn1 encoding */
134 typedef struct x9_62_pentanomial_st {
140 typedef struct x9_62_characteristic_two_st {
145 /* NID_X9_62_onBasis */
147 /* NID_X9_62_tpBasis */
148 ASN1_INTEGER *tpBasis;
149 /* NID_X9_62_ppBasis */
150 X9_62_PENTANOMIAL *ppBasis;
154 } X9_62_CHARACTERISTIC_TWO;
156 typedef struct x9_62_fieldid_st {
157 ASN1_OBJECT *fieldType;
160 /* NID_X9_62_prime_field */
162 /* NID_X9_62_characteristic_two_field */
163 X9_62_CHARACTERISTIC_TWO *char_two;
169 typedef struct x9_62_curve_st {
170 ASN1_OCTET_STRING *a;
171 ASN1_OCTET_STRING *b;
172 ASN1_BIT_STRING *seed;
175 typedef struct ec_parameters_st {
177 X9_62_FIELDID *fieldID;
179 ASN1_OCTET_STRING *base;
181 ASN1_INTEGER *cofactor;
184 struct ecpk_parameters_st {
187 ASN1_OBJECT *named_curve;
188 ECPARAMETERS *parameters;
189 ASN1_NULL *implicitlyCA;
191 } /* ECPKPARAMETERS */ ;
193 /* SEC1 ECPrivateKey */
194 typedef struct ec_privatekey_st {
196 ASN1_OCTET_STRING *privateKey;
197 ECPKPARAMETERS *parameters;
198 ASN1_BIT_STRING *publicKey;
201 /* the OpenSSL ASN.1 definitions */
202 static const ASN1_TEMPLATE X9_62_PENTANOMIAL_seq_tt[] = {
206 .offset = offsetof(X9_62_PENTANOMIAL, k1),
213 .offset = offsetof(X9_62_PENTANOMIAL, k2),
220 .offset = offsetof(X9_62_PENTANOMIAL, k3),
226 const ASN1_ITEM X9_62_PENTANOMIAL_it = {
227 .itype = ASN1_ITYPE_SEQUENCE,
228 .utype = V_ASN1_SEQUENCE,
229 .templates = X9_62_PENTANOMIAL_seq_tt,
230 .tcount = sizeof(X9_62_PENTANOMIAL_seq_tt) / sizeof(ASN1_TEMPLATE),
232 .size = sizeof(X9_62_PENTANOMIAL),
233 .sname = "X9_62_PENTANOMIAL",
236 X9_62_PENTANOMIAL *X9_62_PENTANOMIAL_new(void);
237 void X9_62_PENTANOMIAL_free(X9_62_PENTANOMIAL *a);
240 X9_62_PENTANOMIAL_new(void)
242 return (X9_62_PENTANOMIAL*)ASN1_item_new(&X9_62_PENTANOMIAL_it);
246 X9_62_PENTANOMIAL_free(X9_62_PENTANOMIAL *a)
248 ASN1_item_free((ASN1_VALUE *)a, &X9_62_PENTANOMIAL_it);
251 static const ASN1_TEMPLATE char_two_def_tt = {
254 .offset = offsetof(X9_62_CHARACTERISTIC_TWO, p.other),
255 .field_name = "p.other",
256 .item = &ASN1_ANY_it,
259 static const ASN1_ADB_TABLE X9_62_CHARACTERISTIC_TWO_adbtbl[] = {
261 .value = NID_X9_62_onBasis,
265 .offset = offsetof(X9_62_CHARACTERISTIC_TWO, p.onBasis),
266 .field_name = "p.onBasis",
267 .item = &ASN1_NULL_it,
272 .value = NID_X9_62_tpBasis,
276 .offset = offsetof(X9_62_CHARACTERISTIC_TWO, p.tpBasis),
277 .field_name = "p.tpBasis",
278 .item = &ASN1_INTEGER_it,
283 .value = NID_X9_62_ppBasis,
287 .offset = offsetof(X9_62_CHARACTERISTIC_TWO, p.ppBasis),
288 .field_name = "p.ppBasis",
289 .item = &X9_62_PENTANOMIAL_it,
295 static const ASN1_ADB X9_62_CHARACTERISTIC_TWO_adb = {
297 .offset = offsetof(X9_62_CHARACTERISTIC_TWO, type),
299 .tbl = X9_62_CHARACTERISTIC_TWO_adbtbl,
300 .tblcount = sizeof(X9_62_CHARACTERISTIC_TWO_adbtbl) / sizeof(ASN1_ADB_TABLE),
301 .default_tt = &char_two_def_tt,
305 static const ASN1_TEMPLATE X9_62_CHARACTERISTIC_TWO_seq_tt[] = {
309 .offset = offsetof(X9_62_CHARACTERISTIC_TWO, m),
316 .offset = offsetof(X9_62_CHARACTERISTIC_TWO, type),
317 .field_name = "type",
318 .item = &ASN1_OBJECT_it,
321 .flags = ASN1_TFLG_ADB_OID,
324 .field_name = "X9_62_CHARACTERISTIC_TWO",
325 .item = (const ASN1_ITEM *)&X9_62_CHARACTERISTIC_TWO_adb,
329 const ASN1_ITEM X9_62_CHARACTERISTIC_TWO_it = {
330 .itype = ASN1_ITYPE_SEQUENCE,
331 .utype = V_ASN1_SEQUENCE,
332 .templates = X9_62_CHARACTERISTIC_TWO_seq_tt,
333 .tcount = sizeof(X9_62_CHARACTERISTIC_TWO_seq_tt) / sizeof(ASN1_TEMPLATE),
335 .size = sizeof(X9_62_CHARACTERISTIC_TWO),
336 .sname = "X9_62_CHARACTERISTIC_TWO",
339 X9_62_CHARACTERISTIC_TWO *X9_62_CHARACTERISTIC_TWO_new(void);
340 void X9_62_CHARACTERISTIC_TWO_free(X9_62_CHARACTERISTIC_TWO *a);
342 X9_62_CHARACTERISTIC_TWO *
343 X9_62_CHARACTERISTIC_TWO_new(void)
345 return (X9_62_CHARACTERISTIC_TWO*)ASN1_item_new(&X9_62_CHARACTERISTIC_TWO_it);
349 X9_62_CHARACTERISTIC_TWO_free(X9_62_CHARACTERISTIC_TWO *a)
351 ASN1_item_free((ASN1_VALUE *)a, &X9_62_CHARACTERISTIC_TWO_it);
354 static const ASN1_TEMPLATE fieldID_def_tt = {
357 .offset = offsetof(X9_62_FIELDID, p.other),
358 .field_name = "p.other",
359 .item = &ASN1_ANY_it,
362 static const ASN1_ADB_TABLE X9_62_FIELDID_adbtbl[] = {
364 .value = NID_X9_62_prime_field,
368 .offset = offsetof(X9_62_FIELDID, p.prime),
369 .field_name = "p.prime",
370 .item = &ASN1_INTEGER_it,
375 .value = NID_X9_62_characteristic_two_field,
379 .offset = offsetof(X9_62_FIELDID, p.char_two),
380 .field_name = "p.char_two",
381 .item = &X9_62_CHARACTERISTIC_TWO_it,
387 static const ASN1_ADB X9_62_FIELDID_adb = {
389 .offset = offsetof(X9_62_FIELDID, fieldType),
391 .tbl = X9_62_FIELDID_adbtbl,
392 .tblcount = sizeof(X9_62_FIELDID_adbtbl) / sizeof(ASN1_ADB_TABLE),
393 .default_tt = &fieldID_def_tt,
397 static const ASN1_TEMPLATE X9_62_FIELDID_seq_tt[] = {
401 .offset = offsetof(X9_62_FIELDID, fieldType),
402 .field_name = "fieldType",
403 .item = &ASN1_OBJECT_it,
406 .flags = ASN1_TFLG_ADB_OID,
409 .field_name = "X9_62_FIELDID",
410 .item = (const ASN1_ITEM *)&X9_62_FIELDID_adb,
414 const ASN1_ITEM X9_62_FIELDID_it = {
415 .itype = ASN1_ITYPE_SEQUENCE,
416 .utype = V_ASN1_SEQUENCE,
417 .templates = X9_62_FIELDID_seq_tt,
418 .tcount = sizeof(X9_62_FIELDID_seq_tt) / sizeof(ASN1_TEMPLATE),
420 .size = sizeof(X9_62_FIELDID),
421 .sname = "X9_62_FIELDID",
424 static const ASN1_TEMPLATE X9_62_CURVE_seq_tt[] = {
428 .offset = offsetof(X9_62_CURVE, a),
430 .item = &ASN1_OCTET_STRING_it,
435 .offset = offsetof(X9_62_CURVE, b),
437 .item = &ASN1_OCTET_STRING_it,
440 .flags = ASN1_TFLG_OPTIONAL,
442 .offset = offsetof(X9_62_CURVE, seed),
443 .field_name = "seed",
444 .item = &ASN1_BIT_STRING_it,
448 const ASN1_ITEM X9_62_CURVE_it = {
449 .itype = ASN1_ITYPE_SEQUENCE,
450 .utype = V_ASN1_SEQUENCE,
451 .templates = X9_62_CURVE_seq_tt,
452 .tcount = sizeof(X9_62_CURVE_seq_tt) / sizeof(ASN1_TEMPLATE),
454 .size = sizeof(X9_62_CURVE),
455 .sname = "X9_62_CURVE",
458 static const ASN1_TEMPLATE ECPARAMETERS_seq_tt[] = {
462 .offset = offsetof(ECPARAMETERS, version),
463 .field_name = "version",
469 .offset = offsetof(ECPARAMETERS, fieldID),
470 .field_name = "fieldID",
471 .item = &X9_62_FIELDID_it,
476 .offset = offsetof(ECPARAMETERS, curve),
477 .field_name = "curve",
478 .item = &X9_62_CURVE_it,
483 .offset = offsetof(ECPARAMETERS, base),
484 .field_name = "base",
485 .item = &ASN1_OCTET_STRING_it,
490 .offset = offsetof(ECPARAMETERS, order),
491 .field_name = "order",
492 .item = &ASN1_INTEGER_it,
495 .flags = ASN1_TFLG_OPTIONAL,
497 .offset = offsetof(ECPARAMETERS, cofactor),
498 .field_name = "cofactor",
499 .item = &ASN1_INTEGER_it,
503 const ASN1_ITEM ECPARAMETERS_it = {
504 .itype = ASN1_ITYPE_SEQUENCE,
505 .utype = V_ASN1_SEQUENCE,
506 .templates = ECPARAMETERS_seq_tt,
507 .tcount = sizeof(ECPARAMETERS_seq_tt) / sizeof(ASN1_TEMPLATE),
509 .size = sizeof(ECPARAMETERS),
510 .sname = "ECPARAMETERS",
513 ECPARAMETERS *ECPARAMETERS_new(void);
514 void ECPARAMETERS_free(ECPARAMETERS *a);
517 ECPARAMETERS_new(void)
519 return (ECPARAMETERS*)ASN1_item_new(&ECPARAMETERS_it);
523 ECPARAMETERS_free(ECPARAMETERS *a)
525 ASN1_item_free((ASN1_VALUE *)a, &ECPARAMETERS_it);
528 static const ASN1_TEMPLATE ECPKPARAMETERS_ch_tt[] = {
532 .offset = offsetof(ECPKPARAMETERS, value.named_curve),
533 .field_name = "value.named_curve",
534 .item = &ASN1_OBJECT_it,
539 .offset = offsetof(ECPKPARAMETERS, value.parameters),
540 .field_name = "value.parameters",
541 .item = &ECPARAMETERS_it,
546 .offset = offsetof(ECPKPARAMETERS, value.implicitlyCA),
547 .field_name = "value.implicitlyCA",
548 .item = &ASN1_NULL_it,
552 const ASN1_ITEM ECPKPARAMETERS_it = {
553 .itype = ASN1_ITYPE_CHOICE,
554 .utype = offsetof(ECPKPARAMETERS, type),
555 .templates = ECPKPARAMETERS_ch_tt,
556 .tcount = sizeof(ECPKPARAMETERS_ch_tt) / sizeof(ASN1_TEMPLATE),
558 .size = sizeof(ECPKPARAMETERS),
559 .sname = "ECPKPARAMETERS",
562 ECPKPARAMETERS *ECPKPARAMETERS_new(void);
563 void ECPKPARAMETERS_free(ECPKPARAMETERS *a);
564 ECPKPARAMETERS *d2i_ECPKPARAMETERS(ECPKPARAMETERS **a, const unsigned char **in, long len);
565 int i2d_ECPKPARAMETERS(const ECPKPARAMETERS *a, unsigned char **out);
568 d2i_ECPKPARAMETERS(ECPKPARAMETERS **a, const unsigned char **in, long len)
570 return (ECPKPARAMETERS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
575 i2d_ECPKPARAMETERS(const ECPKPARAMETERS *a, unsigned char **out)
577 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ECPKPARAMETERS_it);
581 ECPKPARAMETERS_new(void)
583 return (ECPKPARAMETERS *)ASN1_item_new(&ECPKPARAMETERS_it);
587 ECPKPARAMETERS_free(ECPKPARAMETERS *a)
589 ASN1_item_free((ASN1_VALUE *)a, &ECPKPARAMETERS_it);
592 static const ASN1_TEMPLATE EC_PRIVATEKEY_seq_tt[] = {
596 .offset = offsetof(EC_PRIVATEKEY, version),
597 .field_name = "version",
603 .offset = offsetof(EC_PRIVATEKEY, privateKey),
604 .field_name = "privateKey",
605 .item = &ASN1_OCTET_STRING_it,
608 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
610 .offset = offsetof(EC_PRIVATEKEY, parameters),
611 .field_name = "parameters",
612 .item = &ECPKPARAMETERS_it,
615 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
617 .offset = offsetof(EC_PRIVATEKEY, publicKey),
618 .field_name = "publicKey",
619 .item = &ASN1_BIT_STRING_it,
623 const ASN1_ITEM EC_PRIVATEKEY_it = {
624 .itype = ASN1_ITYPE_SEQUENCE,
625 .utype = V_ASN1_SEQUENCE,
626 .templates = EC_PRIVATEKEY_seq_tt,
627 .tcount = sizeof(EC_PRIVATEKEY_seq_tt) / sizeof(ASN1_TEMPLATE),
629 .size = sizeof(EC_PRIVATEKEY),
630 .sname = "EC_PRIVATEKEY",
633 EC_PRIVATEKEY *EC_PRIVATEKEY_new(void);
634 void EC_PRIVATEKEY_free(EC_PRIVATEKEY *a);
635 EC_PRIVATEKEY *d2i_EC_PRIVATEKEY(EC_PRIVATEKEY **a, const unsigned char **in, long len);
636 int i2d_EC_PRIVATEKEY(const EC_PRIVATEKEY *a, unsigned char **out);
639 d2i_EC_PRIVATEKEY(EC_PRIVATEKEY **a, const unsigned char **in, long len)
641 return (EC_PRIVATEKEY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
646 i2d_EC_PRIVATEKEY(const EC_PRIVATEKEY *a, unsigned char **out)
648 return ASN1_item_i2d((ASN1_VALUE *)a, out, &EC_PRIVATEKEY_it);
652 EC_PRIVATEKEY_new(void)
654 return (EC_PRIVATEKEY *)ASN1_item_new(&EC_PRIVATEKEY_it);
658 EC_PRIVATEKEY_free(EC_PRIVATEKEY *a)
660 ASN1_item_free((ASN1_VALUE *)a, &EC_PRIVATEKEY_it);
663 /* some declarations of internal function */
665 /* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */
666 static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *);
667 /* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */
668 static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *);
669 /* ec_asn1_parameters2group() creates a EC_GROUP object from a
670 * ECPARAMETERS object */
671 static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *);
672 /* ec_asn1_group2parameters() creates a ECPARAMETERS object from a
674 static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *, ECPARAMETERS *);
675 /* ec_asn1_pkparameters2group() creates a EC_GROUP object from a
676 * ECPKPARAMETERS object */
677 static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *);
678 /* ec_asn1_group2pkparameters() creates a ECPKPARAMETERS object from a
680 static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *,
683 /* the function definitions */
686 ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field)
691 if (group == NULL || field == NULL)
694 /* clear the old values (if necessary) */
695 if (field->fieldType != NULL)
696 ASN1_OBJECT_free(field->fieldType);
697 if (field->p.other != NULL)
698 ASN1_TYPE_free(field->p.other);
700 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
701 /* set OID for the field */
702 if ((field->fieldType = OBJ_nid2obj(nid)) == NULL) {
703 ECerror(ERR_R_OBJ_LIB);
706 if (nid == NID_X9_62_prime_field) {
707 if ((tmp = BN_new()) == NULL) {
708 ECerror(ERR_R_MALLOC_FAILURE);
711 /* the parameters are specified by the prime number p */
712 if (!EC_GROUP_get_curve_GFp(group, tmp, NULL, NULL, NULL)) {
713 ECerror(ERR_R_EC_LIB);
716 /* set the prime number */
717 field->p.prime = BN_to_ASN1_INTEGER(tmp, NULL);
718 if (field->p.prime == NULL) {
719 ECerror(ERR_R_ASN1_LIB);
722 } else /* nid == NID_X9_62_characteristic_two_field */
723 #ifdef OPENSSL_NO_EC2M
725 ECerror(EC_R_GF2M_NOT_SUPPORTED);
731 X9_62_CHARACTERISTIC_TWO *char_two;
733 field->p.char_two = X9_62_CHARACTERISTIC_TWO_new();
734 char_two = field->p.char_two;
736 if (char_two == NULL) {
737 ECerror(ERR_R_MALLOC_FAILURE);
740 char_two->m = (long) EC_GROUP_get_degree(group);
742 field_type = EC_GROUP_get_basis_type(group);
744 if (field_type == 0) {
745 ECerror(ERR_R_EC_LIB);
748 /* set base type OID */
749 if ((char_two->type = OBJ_nid2obj(field_type)) == NULL) {
750 ECerror(ERR_R_OBJ_LIB);
753 if (field_type == NID_X9_62_tpBasis) {
756 if (!EC_GROUP_get_trinomial_basis(group, &k))
759 char_two->p.tpBasis = ASN1_INTEGER_new();
760 if (!char_two->p.tpBasis) {
761 ECerror(ERR_R_MALLOC_FAILURE);
764 if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long) k)) {
765 ECerror(ERR_R_ASN1_LIB);
768 } else if (field_type == NID_X9_62_ppBasis) {
769 unsigned int k1, k2, k3;
771 if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))
774 char_two->p.ppBasis = X9_62_PENTANOMIAL_new();
775 if (!char_two->p.ppBasis) {
776 ECerror(ERR_R_MALLOC_FAILURE);
780 char_two->p.ppBasis->k1 = (long) k1;
781 char_two->p.ppBasis->k2 = (long) k2;
782 char_two->p.ppBasis->k3 = (long) k3;
783 } else { /* field_type == NID_X9_62_onBasis */
784 /* for ONB the parameters are (asn1) NULL */
785 char_two->p.onBasis = ASN1_NULL_new();
786 if (!char_two->p.onBasis) {
787 ECerror(ERR_R_MALLOC_FAILURE);
802 ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve)
805 BIGNUM *tmp_1 = NULL, *tmp_2 = NULL;
806 unsigned char *buffer_1 = NULL, *buffer_2 = NULL, *a_buf = NULL,
809 unsigned char char_zero = 0;
811 if (!group || !curve || !curve->a || !curve->b)
814 if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL) {
815 ECerror(ERR_R_MALLOC_FAILURE);
818 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
821 if (nid == NID_X9_62_prime_field) {
822 if (!EC_GROUP_get_curve_GFp(group, NULL, tmp_1, tmp_2, NULL)) {
823 ECerror(ERR_R_EC_LIB);
827 #ifndef OPENSSL_NO_EC2M
828 else { /* nid == NID_X9_62_characteristic_two_field */
829 if (!EC_GROUP_get_curve_GF2m(group, NULL, tmp_1, tmp_2, NULL)) {
830 ECerror(ERR_R_EC_LIB);
835 len_1 = (size_t) BN_num_bytes(tmp_1);
836 len_2 = (size_t) BN_num_bytes(tmp_2);
839 /* len_1 == 0 => a == 0 */
843 if ((buffer_1 = malloc(len_1)) == NULL) {
844 ECerror(ERR_R_MALLOC_FAILURE);
847 if ((len_1 = BN_bn2bin(tmp_1, buffer_1)) == 0) {
848 ECerror(ERR_R_BN_LIB);
855 /* len_2 == 0 => b == 0 */
859 if ((buffer_2 = malloc(len_2)) == NULL) {
860 ECerror(ERR_R_MALLOC_FAILURE);
863 if ((len_2 = BN_bn2bin(tmp_2, buffer_2)) == 0) {
864 ECerror(ERR_R_BN_LIB);
871 if (!ASN1_STRING_set(curve->a, a_buf, len_1) ||
872 !ASN1_STRING_set(curve->b, b_buf, len_2)) {
873 ECerror(ERR_R_ASN1_LIB);
876 /* set the seed (optional) */
879 if ((curve->seed = ASN1_BIT_STRING_new()) == NULL) {
880 ECerror(ERR_R_MALLOC_FAILURE);
883 curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
884 curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT;
885 if (!ASN1_BIT_STRING_set(curve->seed, group->seed,
886 (int) group->seed_len)) {
887 ECerror(ERR_R_ASN1_LIB);
892 ASN1_BIT_STRING_free(curve->seed);
907 static ECPARAMETERS *
908 ec_asn1_group2parameters(const EC_GROUP * group, ECPARAMETERS * param)
912 ECPARAMETERS *ret = NULL;
914 unsigned char *buffer = NULL;
915 const EC_POINT *point = NULL;
916 point_conversion_form_t form;
918 if ((tmp = BN_new()) == NULL) {
919 ECerror(ERR_R_MALLOC_FAILURE);
923 if ((ret = ECPARAMETERS_new()) == NULL) {
924 ECerror(ERR_R_MALLOC_FAILURE);
930 /* set the version (always one) */
931 ret->version = (long) 0x1;
933 /* set the fieldID */
934 if (!ec_asn1_group2fieldid(group, ret->fieldID)) {
935 ECerror(ERR_R_EC_LIB);
939 if (!ec_asn1_group2curve(group, ret->curve)) {
940 ECerror(ERR_R_EC_LIB);
943 /* set the base point */
944 if ((point = EC_GROUP_get0_generator(group)) == NULL) {
945 ECerror(EC_R_UNDEFINED_GENERATOR);
948 form = EC_GROUP_get_point_conversion_form(group);
950 len = EC_POINT_point2oct(group, point, form, NULL, len, NULL);
952 ECerror(ERR_R_EC_LIB);
955 if ((buffer = malloc(len)) == NULL) {
956 ECerror(ERR_R_MALLOC_FAILURE);
959 if (!EC_POINT_point2oct(group, point, form, buffer, len, NULL)) {
960 ECerror(ERR_R_EC_LIB);
963 if (ret->base == NULL && (ret->base = ASN1_OCTET_STRING_new()) == NULL) {
964 ECerror(ERR_R_MALLOC_FAILURE);
967 if (!ASN1_OCTET_STRING_set(ret->base, buffer, len)) {
968 ECerror(ERR_R_ASN1_LIB);
972 if (!EC_GROUP_get_order(group, tmp, NULL)) {
973 ECerror(ERR_R_EC_LIB);
976 ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
977 if (ret->order == NULL) {
978 ECerror(ERR_R_ASN1_LIB);
981 /* set the cofactor (optional) */
982 if (EC_GROUP_get_cofactor(group, tmp, NULL)) {
983 ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
984 if (ret->cofactor == NULL) {
985 ECerror(ERR_R_ASN1_LIB);
994 ECPARAMETERS_free(ret);
1003 ec_asn1_group2pkparameters(const EC_GROUP * group, ECPKPARAMETERS * params)
1006 ECPKPARAMETERS *ret = params;
1009 if ((ret = ECPKPARAMETERS_new()) == NULL) {
1010 ECerror(ERR_R_MALLOC_FAILURE);
1014 if (ret->type == 0 && ret->value.named_curve)
1015 ASN1_OBJECT_free(ret->value.named_curve);
1016 else if (ret->type == 1 && ret->value.parameters)
1017 ECPARAMETERS_free(ret->value.parameters);
1020 if (EC_GROUP_get_asn1_flag(group)) {
1022 * use the asn1 OID to describe the elliptic curve
1025 tmp = EC_GROUP_get_curve_name(group);
1028 if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
1031 /* we don't kmow the nid => ERROR */
1034 /* use the ECPARAMETERS structure */
1036 if ((ret->value.parameters = ec_asn1_group2parameters(
1037 group, NULL)) == NULL)
1042 ECPKPARAMETERS_free(ret);
1049 ec_asn1_parameters2group(const ECPARAMETERS * params)
1052 EC_GROUP *ret = NULL;
1053 BIGNUM *p = NULL, *a = NULL, *b = NULL;
1054 EC_POINT *point = NULL;
1057 if (!params->fieldID || !params->fieldID->fieldType ||
1058 !params->fieldID->p.ptr) {
1059 ECerror(EC_R_ASN1_ERROR);
1062 /* now extract the curve parameters a and b */
1063 if (!params->curve || !params->curve->a ||
1064 !params->curve->a->data || !params->curve->b ||
1065 !params->curve->b->data) {
1066 ECerror(EC_R_ASN1_ERROR);
1069 a = BN_bin2bn(params->curve->a->data, params->curve->a->length, NULL);
1071 ECerror(ERR_R_BN_LIB);
1074 b = BN_bin2bn(params->curve->b->data, params->curve->b->length, NULL);
1076 ECerror(ERR_R_BN_LIB);
1079 /* get the field parameters */
1080 tmp = OBJ_obj2nid(params->fieldID->fieldType);
1081 if (tmp == NID_X9_62_characteristic_two_field)
1082 #ifdef OPENSSL_NO_EC2M
1084 ECerror(EC_R_GF2M_NOT_SUPPORTED);
1089 X9_62_CHARACTERISTIC_TWO *char_two;
1091 char_two = params->fieldID->p.char_two;
1093 field_bits = char_two->m;
1094 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
1095 ECerror(EC_R_FIELD_TOO_LARGE);
1098 if ((p = BN_new()) == NULL) {
1099 ECerror(ERR_R_MALLOC_FAILURE);
1102 /* get the base type */
1103 tmp = OBJ_obj2nid(char_two->type);
1105 if (tmp == NID_X9_62_tpBasis) {
1108 if (!char_two->p.tpBasis) {
1109 ECerror(EC_R_ASN1_ERROR);
1112 tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
1114 if (!(char_two->m > tmp_long && tmp_long > 0)) {
1115 ECerror(EC_R_INVALID_TRINOMIAL_BASIS);
1118 /* create the polynomial */
1119 if (!BN_set_bit(p, (int) char_two->m))
1121 if (!BN_set_bit(p, (int) tmp_long))
1123 if (!BN_set_bit(p, 0))
1125 } else if (tmp == NID_X9_62_ppBasis) {
1126 X9_62_PENTANOMIAL *penta;
1128 penta = char_two->p.ppBasis;
1130 ECerror(EC_R_ASN1_ERROR);
1133 if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0)) {
1134 ECerror(EC_R_INVALID_PENTANOMIAL_BASIS);
1137 /* create the polynomial */
1138 if (!BN_set_bit(p, (int) char_two->m))
1140 if (!BN_set_bit(p, (int) penta->k1))
1142 if (!BN_set_bit(p, (int) penta->k2))
1144 if (!BN_set_bit(p, (int) penta->k3))
1146 if (!BN_set_bit(p, 0))
1148 } else if (tmp == NID_X9_62_onBasis) {
1149 ECerror(EC_R_NOT_IMPLEMENTED);
1151 } else { /* error */
1152 ECerror(EC_R_ASN1_ERROR);
1156 /* create the EC_GROUP structure */
1157 ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
1160 else if (tmp == NID_X9_62_prime_field) {
1161 /* we have a curve over a prime field */
1162 /* extract the prime number */
1163 if (!params->fieldID->p.prime) {
1164 ECerror(EC_R_ASN1_ERROR);
1167 p = ASN1_INTEGER_to_BN(params->fieldID->p.prime, NULL);
1169 ECerror(ERR_R_ASN1_LIB);
1172 if (BN_is_negative(p) || BN_is_zero(p)) {
1173 ECerror(EC_R_INVALID_FIELD);
1176 field_bits = BN_num_bits(p);
1177 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
1178 ECerror(EC_R_FIELD_TOO_LARGE);
1181 /* create the EC_GROUP structure */
1182 ret = EC_GROUP_new_curve_GFp(p, a, b, NULL);
1184 ECerror(EC_R_INVALID_FIELD);
1189 ECerror(ERR_R_EC_LIB);
1192 /* extract seed (optional) */
1193 if (params->curve->seed != NULL) {
1195 if (!(ret->seed = malloc(params->curve->seed->length))) {
1196 ECerror(ERR_R_MALLOC_FAILURE);
1199 memcpy(ret->seed, params->curve->seed->data,
1200 params->curve->seed->length);
1201 ret->seed_len = params->curve->seed->length;
1203 if (!params->order || !params->base || !params->base->data) {
1204 ECerror(EC_R_ASN1_ERROR);
1207 if ((point = EC_POINT_new(ret)) == NULL)
1210 /* set the point conversion form */
1211 EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t)
1212 (params->base->data[0] & ~0x01));
1214 /* extract the ec point */
1215 if (!EC_POINT_oct2point(ret, point, params->base->data,
1216 params->base->length, NULL)) {
1217 ECerror(ERR_R_EC_LIB);
1220 /* extract the order */
1221 if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) {
1222 ECerror(ERR_R_ASN1_LIB);
1225 if (BN_is_negative(a) || BN_is_zero(a)) {
1226 ECerror(EC_R_INVALID_GROUP_ORDER);
1229 if (BN_num_bits(a) > (int) field_bits + 1) { /* Hasse bound */
1230 ECerror(EC_R_INVALID_GROUP_ORDER);
1233 /* extract the cofactor (optional) */
1234 if (params->cofactor == NULL) {
1237 } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) {
1238 ECerror(ERR_R_ASN1_LIB);
1241 /* set the generator, order and cofactor (if present) */
1242 if (!EC_GROUP_set_generator(ret, point, a, b)) {
1243 ECerror(ERR_R_EC_LIB);
1250 EC_GROUP_clear_free(ret);
1256 EC_POINT_free(point);
1261 ec_asn1_pkparameters2group(const ECPKPARAMETERS * params)
1263 EC_GROUP *ret = NULL;
1266 if (params == NULL) {
1267 ECerror(EC_R_MISSING_PARAMETERS);
1270 if (params->type == 0) {/* the curve is given by an OID */
1271 tmp = OBJ_obj2nid(params->value.named_curve);
1272 if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL) {
1273 ECerror(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE);
1276 EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
1277 } else if (params->type == 1) { /* the parameters are given by a
1278 * ECPARAMETERS structure */
1279 ret = ec_asn1_parameters2group(params->value.parameters);
1281 ECerror(ERR_R_EC_LIB);
1284 EC_GROUP_set_asn1_flag(ret, 0x0);
1285 } else if (params->type == 2) { /* implicitlyCA */
1288 ECerror(EC_R_ASN1_ERROR);
1295 /* EC_GROUP <-> DER encoding of ECPKPARAMETERS */
1298 d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len)
1300 EC_GROUP *group = NULL;
1301 ECPKPARAMETERS *params = NULL;
1303 if ((params = d2i_ECPKPARAMETERS(NULL, in, len)) == NULL) {
1304 ECerror(EC_R_D2I_ECPKPARAMETERS_FAILURE);
1307 if ((group = ec_asn1_pkparameters2group(params)) == NULL) {
1308 ECerror(EC_R_PKPARAMETERS2GROUP_FAILURE);
1313 EC_GROUP_clear_free(*a);
1318 ECPKPARAMETERS_free(params);
1323 i2d_ECPKParameters(const EC_GROUP * a, unsigned char **out)
1326 ECPKPARAMETERS *tmp = ec_asn1_group2pkparameters(a, NULL);
1328 ECerror(EC_R_GROUP2PKPARAMETERS_FAILURE);
1331 if ((ret = i2d_ECPKPARAMETERS(tmp, out)) == 0) {
1332 ECerror(EC_R_I2D_ECPKPARAMETERS_FAILURE);
1333 ECPKPARAMETERS_free(tmp);
1336 ECPKPARAMETERS_free(tmp);
1340 /* some EC_KEY functions */
1343 d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
1346 EC_PRIVATEKEY *priv_key = NULL;
1348 if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
1349 ECerror(ERR_R_MALLOC_FAILURE);
1352 if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL) {
1353 ECerror(ERR_R_EC_LIB);
1354 EC_PRIVATEKEY_free(priv_key);
1357 if (a == NULL || *a == NULL) {
1358 if ((ret = EC_KEY_new()) == NULL) {
1359 ECerror(ERR_R_MALLOC_FAILURE);
1365 if (priv_key->parameters) {
1366 EC_GROUP_clear_free(ret->group);
1367 ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
1369 if (ret->group == NULL) {
1370 ECerror(ERR_R_EC_LIB);
1373 ret->version = priv_key->version;
1375 if (priv_key->privateKey) {
1376 ret->priv_key = BN_bin2bn(
1377 ASN1_STRING_data(priv_key->privateKey),
1378 ASN1_STRING_length(priv_key->privateKey),
1380 if (ret->priv_key == NULL) {
1381 ECerror(ERR_R_BN_LIB);
1385 ECerror(EC_R_MISSING_PRIVATE_KEY);
1390 EC_POINT_clear_free(ret->pub_key);
1391 ret->pub_key = EC_POINT_new(ret->group);
1392 if (ret->pub_key == NULL) {
1393 ECerror(ERR_R_EC_LIB);
1397 if (priv_key->publicKey) {
1398 const unsigned char *pub_oct;
1401 pub_oct = ASN1_STRING_data(priv_key->publicKey);
1402 pub_oct_len = ASN1_STRING_length(priv_key->publicKey);
1403 if (pub_oct == NULL || pub_oct_len <= 0) {
1404 ECerror(EC_R_BUFFER_TOO_SMALL);
1408 /* save the point conversion form */
1409 ret->conv_form = (point_conversion_form_t) (pub_oct[0] & ~0x01);
1410 if (!EC_POINT_oct2point(ret->group, ret->pub_key,
1411 pub_oct, pub_oct_len, NULL)) {
1412 ECerror(ERR_R_EC_LIB);
1416 if (!EC_POINT_mul(ret->group, ret->pub_key, ret->priv_key,
1417 NULL, NULL, NULL)) {
1418 ECerror(ERR_R_EC_LIB);
1421 /* Remember the original private-key-only encoding. */
1422 ret->enc_flag |= EC_PKEY_NO_PUBKEY;
1425 EC_PRIVATEKEY_free(priv_key);
1431 if (a == NULL || *a != ret)
1434 EC_PRIVATEKEY_free(priv_key);
1440 i2d_ECPrivateKey(EC_KEY * a, unsigned char **out)
1442 int ret = 0, ok = 0;
1443 unsigned char *buffer = NULL;
1444 size_t buf_len = 0, tmp_len;
1445 EC_PRIVATEKEY *priv_key = NULL;
1447 if (a == NULL || a->group == NULL || a->priv_key == NULL ||
1448 (!(a->enc_flag & EC_PKEY_NO_PUBKEY) && a->pub_key == NULL)) {
1449 ECerror(ERR_R_PASSED_NULL_PARAMETER);
1452 if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
1453 ECerror(ERR_R_MALLOC_FAILURE);
1456 priv_key->version = a->version;
1458 buf_len = (size_t) BN_num_bytes(a->priv_key);
1459 buffer = malloc(buf_len);
1460 if (buffer == NULL) {
1461 ECerror(ERR_R_MALLOC_FAILURE);
1464 if (!BN_bn2bin(a->priv_key, buffer)) {
1465 ECerror(ERR_R_BN_LIB);
1468 if (!ASN1_STRING_set(priv_key->privateKey, buffer, buf_len)) {
1469 ECerror(ERR_R_ASN1_LIB);
1472 if (!(a->enc_flag & EC_PKEY_NO_PARAMETERS)) {
1473 if ((priv_key->parameters = ec_asn1_group2pkparameters(
1474 a->group, priv_key->parameters)) == NULL) {
1475 ECerror(ERR_R_EC_LIB);
1479 if (!(a->enc_flag & EC_PKEY_NO_PUBKEY) && a->pub_key != NULL) {
1480 priv_key->publicKey = ASN1_BIT_STRING_new();
1481 if (priv_key->publicKey == NULL) {
1482 ECerror(ERR_R_MALLOC_FAILURE);
1485 tmp_len = EC_POINT_point2oct(a->group, a->pub_key,
1486 a->conv_form, NULL, 0, NULL);
1488 if (tmp_len > buf_len) {
1489 unsigned char *tmp_buffer = realloc(buffer, tmp_len);
1491 ECerror(ERR_R_MALLOC_FAILURE);
1494 buffer = tmp_buffer;
1497 if (!EC_POINT_point2oct(a->group, a->pub_key,
1498 a->conv_form, buffer, buf_len, NULL)) {
1499 ECerror(ERR_R_EC_LIB);
1502 priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
1503 priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1504 if (!ASN1_STRING_set(priv_key->publicKey, buffer,
1506 ECerror(ERR_R_ASN1_LIB);
1510 if ((ret = i2d_EC_PRIVATEKEY(priv_key, out)) == 0) {
1511 ECerror(ERR_R_EC_LIB);
1518 EC_PRIVATEKEY_free(priv_key);
1519 return (ok ? ret : 0);
1523 i2d_ECParameters(EC_KEY * a, unsigned char **out)
1526 ECerror(ERR_R_PASSED_NULL_PARAMETER);
1529 return i2d_ECPKParameters(a->group, out);
1533 d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len)
1537 if (in == NULL || *in == NULL) {
1538 ECerror(ERR_R_PASSED_NULL_PARAMETER);
1541 if (a == NULL || *a == NULL) {
1542 if ((ret = EC_KEY_new()) == NULL) {
1543 ECerror(ERR_R_MALLOC_FAILURE);
1549 if (!d2i_ECPKParameters(&ret->group, in, len)) {
1550 ECerror(ERR_R_EC_LIB);
1551 if (a == NULL || *a != ret)
1562 o2i_ECPublicKey(EC_KEY ** a, const unsigned char **in, long len)
1566 if (a == NULL || (*a) == NULL || (*a)->group == NULL) {
1567 /* An EC_GROUP structure is necessary to set the public key. */
1568 ECerror(ERR_R_PASSED_NULL_PARAMETER);
1572 if (ret->pub_key == NULL &&
1573 (ret->pub_key = EC_POINT_new(ret->group)) == NULL) {
1574 ECerror(ERR_R_MALLOC_FAILURE);
1577 if (!EC_POINT_oct2point(ret->group, ret->pub_key, *in, len, NULL)) {
1578 ECerror(ERR_R_EC_LIB);
1581 /* save the point conversion form */
1582 ret->conv_form = (point_conversion_form_t) (*in[0] & ~0x01);
1588 i2o_ECPublicKey(const EC_KEY * a, unsigned char **out)
1594 ECerror(ERR_R_PASSED_NULL_PARAMETER);
1597 buf_len = EC_POINT_point2oct(a->group, a->pub_key,
1598 a->conv_form, NULL, 0, NULL);
1600 if (out == NULL || buf_len == 0)
1601 /* out == NULL => just return the length of the octet string */
1605 if ((*out = malloc(buf_len)) == NULL) {
1606 ECerror(ERR_R_MALLOC_FAILURE);
1611 if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form,
1612 *out, buf_len, NULL)) {
1613 ECerror(ERR_R_EC_LIB);