Use ECC508 for ECDSA verify if present

Author: sandeepmistry

src/BearSSLClient.cpp

@@ -1,6 +1,8 @@
 #include "ArduinoBearSSL.h"
 #include "BearSSLTrustAnchors.h"
 #include "utility/ECC508.h"
+#include "utility/ecc508_asn1.h"
+
 
 #include "BearSSLClient.h"
 
@@ -159,7 +161,11 @@ int BearSSLClient::connectSSL(const char* host)
   // inject entropy in engine
   unsigned char entropy[32];
 
-  if (!ECC508.begin() || !ECC508.random(entropy, sizeof(entropy))) {
+  if (ECC508.begin() && ECC508.random(entropy, sizeof(entropy))) {
+    // ECC508 random success, add custom ECDSA vfry
+    br_ssl_engine_set_ecdsa(&_sc.eng, ecc508_vrfy_asn1);
+    br_x509_minimal_set_ecdsa(&_xc, br_ssl_engine_get_ec(&_sc.eng), br_ssl_engine_get_ecdsa(&_sc.eng));    
+  } else {
     // no ECC508 or random failed, fallback to pseudo random
     for (size_t i = 0; i < sizeof(entropy); i++) {
       entropy[i] = random(0, 255);

src/utility/ECC508.cpp

@@ -62,6 +62,15 @@ int ECC508Class::random(byte data[], size_t length)
   return 1;
 }
 
+int ECC508Class::ecdsaVerify(const byte message[], const byte signature[], const byte pubkey[])
+{
+  if (!challenge(message)) {
+    return 0;
+  }
+
+  return verify(signature, pubkey);
+}
+
 int ECC508Class::wakeup()
 {
   _wire->beginTransmission(0x00);
@@ -126,20 +135,83 @@ int ECC508Class::version()
   return version;
 }
 
-int ECC508Class::sendCommand(uint8_t opcode, uint8_t param1, uint16_t param2)
+int ECC508Class::challenge(const byte message[])
+{
+  uint8_t status;
+
+  if (!wakeup()) {
+    return 0;
+  }
+
+  // Nounce, pass through
+  if (!sendCommand(0x16, 0x03, 0x0000, message, 32)) {
+    return 0;
+  }
+
+  delay(7);
+
+  if (!receiveResponse(&status, sizeof(status))) {
+    return 0;
+  }
+
+  delay(1);
+  idle();
+
+  if (status != 0) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int ECC508Class::verify(const byte signature[], const byte pubkey[])
+{
+  uint8_t status;
+
+  if (!wakeup()) {
+    return 0;
+  }
+
+  byte data[128];
+  memcpy(&data[0], signature, 64);
+  memcpy(&data[64], pubkey, 64);
+
+  // Verify, external, P256
+  if (!sendCommand(0x45, 0x02, 0x0004, data, sizeof(data))) {
+    return 0;
+  }
+
+  delay(58);
+
+  if (!receiveResponse(&status, sizeof(status))) {
+    return 0;
+  }
+
+  delay(1);
+  idle();
+
+  if (status != 0) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int ECC508Class::sendCommand(uint8_t opcode, uint8_t param1, uint16_t param2, const byte data[], size_t dataLength)
 {
-  byte command[8]; // 1 for type, 1 for length, 1 for opcode, 1 for param1, 2 for param2, 2 for crc
+  byte command[8 + dataLength]; // 1 for type, 1 for length, 1 for opcode, 1 for param1, 2 for param2, 2 for crc
 
   command[0] = 0x03;
   command[1] = sizeof(command) - 1;
   command[2] = opcode;
   command[3] = param1;
   memcpy(&command[4], &param2, sizeof(param2));
+  memcpy(&command[6], data, dataLength);
 
-  uint16_t crc = crc16(&command[1], sizeof(command) - 3);
-  memcpy(&command[6], &crc, sizeof(crc));
+  uint16_t crc = crc16(&command[1], 8 - 3 + dataLength);
+  memcpy(&command[6 + dataLength], &crc, sizeof(crc));
 
-  if (_wire->sendTo(_address, command, sizeof(command)) != 0) {
+  if (_wire->sendTo(_address, command, 8 + dataLength) != 0) {
     return 0;
   }
 
@@ -170,7 +242,7 @@ int ECC508Class::receiveResponse(void* response, size_t length)
   return 1;
 }
 
-uint16_t ECC508Class::crc16(byte data[], size_t length)
+uint16_t ECC508Class::crc16(const byte data[], size_t length)
 {
   if (data == NULL || length == 0) {
     return 0;

src/utility/ECC508.h

@@ -1,6 +1,7 @@
 #ifndef _ECC508_H_
 #define _ECC508_H_
 
+#include <Arduino.h>
 #include <Wire.h>
 
 class ECC508Class
@@ -14,16 +15,20 @@ class ECC508Class
 
   int random(byte data[], size_t length);
 
+  int ecdsaVerify(const byte message[], const byte signature[], const byte pubkey[]);
+
 private:
   int wakeup();
   int sleep();
   int idle();
 
   int version();
+  int challenge(const byte message[]);
+  int verify(const byte signature[], const byte pubkey[]);
 
-  int sendCommand(uint8_t opcode, uint8_t param1, uint16_t param2);
+  int sendCommand(uint8_t opcode, uint8_t param1, uint16_t param2, const byte data[] = NULL, size_t dataLength = 0);
   int receiveResponse(void* response, size_t length);
-  uint16_t crc16(byte data[], size_t length);
+  uint16_t crc16(const byte data[], size_t length);
 
 private:
   TwoWire* _wire;

src/utility/ecc508_asn1.h

@@ -0,0 +1,12 @@
+#ifndef _ECC508_ASN1_H_
+#define _ECC508_ASN1_H_
+
+#include "bearssl/bearssl.h"
+
+uint32_t
+ecc508_vrfy_asn1(const br_ec_impl *impl,
+  const void *hash, size_t hash_len,
+  const br_ec_public_key *pk,
+  const void *sig, size_t sig_len);
+
+#endif

src/utility/ecc508_vrfy_asn1.cpp

@@ -0,0 +1,37 @@
+#include "ecc508_asn1.h"
+
+#include "ECC508.h"
+
+#define BR_MAX_EC_SIZE   528
+#define FIELD_LEN   ((BR_MAX_EC_SIZE + 7) >> 3)
+
+uint32_t
+ecc508_vrfy_asn1(const br_ec_impl * /*impl*/,
+  const void *hash, size_t hash_len,
+  const br_ec_public_key *pk,
+  const void *sig, size_t sig_len)
+{
+  /*
+   * We use a double-sized buffer because a malformed ASN.1 signature
+   * may trigger a size expansion when converting to "raw" format.
+   */
+  unsigned char rsig[(FIELD_LEN << 2) + 24];
+
+  if (sig_len > ((sizeof rsig) >> 1)) {
+    return 0;
+  }
+
+  memcpy(rsig, sig, sig_len);
+  sig_len = br_ecdsa_asn1_to_raw(rsig, sig_len);
+
+  if (hash_len != 32 || pk->curve != BR_EC_secp256r1 || pk->qlen != 65 || sig_len != 64) {
+    return 0;
+  }
+
+  // TODO: understand why the public key is &pk->q[1] instead of &pk->q[0] ...
+  if (!ECC508.ecdsaVerify((const uint8_t*)hash, (const uint8_t*)rsig, (const uint8_t*)&pk->q[1])) {
+    return 0;
+  }
+
+  return 1;
+}