PUBLIC_KEY: add support for Elliptic Curves to public_key app

author: Andreas Schultz <[email protected]> 2012-08-14 16:53:00 +0200
committer: Ingela Anderton Andin <[email protected]> 2013-05-08 10:39:16 +0200
commit: 709d0482af92ca52d26296f008b495a36161ca00 (patch)
tree: 9d5980b024fac542d22dd957dcc3fd0562ff1c5d /lib/public_key/src
parent: c6c2e82f8b94010e78bfa5fedce7629e7fd32d58 (diff)
download: otp-709d0482af92ca52d26296f008b495a36161ca00.tar.gz
otp-709d0482af92ca52d26296f008b495a36161ca00.tar.bz2
otp-709d0482af92ca52d26296f008b495a36161ca00.zip
3 files changed, 186 insertions, 8 deletions
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index 98004c71a3..0449129809 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -23,7 +23,8 @@
 
 -include("public_key.hrl").
 
--export([decode_cert/1, transform/2, supportedPublicKeyAlgorithms/1]).
+-export([decode_cert/1, transform/2, supportedPublicKeyAlgorithms/1,
+	 supportedCurvesTypes/1, namedCurves/1]).
 
 %%====================================================================
 %% Internal application API
@@ -101,6 +102,77 @@ supportedPublicKeyAlgorithms(?'dhpublicnumber') -> 'DHPublicKey';
 supportedPublicKeyAlgorithms(?'id-keyExchangeAlgorithm') -> 'KEA-PublicKey';
 supportedPublicKeyAlgorithms(?'id-ecPublicKey') -> 'ECPoint'.
 
+supportedCurvesTypes(?'characteristic-two-field') -> characteristic_two_field;
+supportedCurvesTypes(?'prime-field') -> prime_field.
+
+namedCurves(?'sect571r1') -> sect571r1;
+namedCurves(?'sect571k1') -> sect571k1;
+namedCurves(?'sect409r1') -> sect409r1;
+namedCurves(?'sect409k1') -> sect409k1;
+namedCurves(?'secp521r1') -> secp521r1;
+namedCurves(?'secp384r1') -> secp384r1;
+namedCurves(?'secp224r1') -> secp224r1;
+namedCurves(?'secp224k1') -> secp224k1;
+namedCurves(?'secp192k1') -> secp192k1;
+namedCurves(?'secp160r2') -> secp160r2;
+namedCurves(?'secp128r2') -> secp128r2;
+namedCurves(?'secp128r1') -> secp128r1;
+namedCurves(?'sect233r1') -> sect233r1;
+namedCurves(?'sect233k1') -> sect233k1;
+namedCurves(?'sect193r2') -> sect193r2;
+namedCurves(?'sect193r1') -> sect193r1;
+namedCurves(?'sect131r2') -> sect131r2;
+namedCurves(?'sect131r1') -> sect131r1;
+namedCurves(?'sect283r1') -> sect283r1;
+namedCurves(?'sect283k1') -> sect283k1;
+namedCurves(?'sect163r2') -> sect163r2;
+namedCurves(?'secp256k1') -> secp256k1;
+namedCurves(?'secp160k1') -> secp160k1;
+namedCurves(?'secp160r1') -> secp160r1;
+namedCurves(?'secp112r2') -> secp112r2;
+namedCurves(?'secp112r1') -> secp112r1;
+namedCurves(?'sect113r2') -> sect113r2;
+namedCurves(?'sect113r1') -> sect113r1;
+namedCurves(?'sect239k1') -> sect239k1;
+namedCurves(?'sect163r1') -> sect163r1;
+namedCurves(?'sect163k1') -> sect163k1;
+namedCurves(?'secp256r1') -> secp256r1;
+namedCurves(?'secp192r1') -> secp192r1;
+
+namedCurves(sect571r1) -> ?'sect571r1';
+namedCurves(sect571k1) -> ?'sect571k1';
+namedCurves(sect409r1) -> ?'sect409r1';
+namedCurves(sect409k1) -> ?'sect409k1';
+namedCurves(secp521r1) -> ?'secp521r1';
+namedCurves(secp384r1) -> ?'secp384r1';
+namedCurves(secp224r1) -> ?'secp224r1';
+namedCurves(secp224k1) -> ?'secp224k1';
+namedCurves(secp192k1) -> ?'secp192k1';
+namedCurves(secp160r2) -> ?'secp160r2';
+namedCurves(secp128r2) -> ?'secp128r2';
+namedCurves(secp128r1) -> ?'secp128r1';
+namedCurves(sect233r1) -> ?'sect233r1';
+namedCurves(sect233k1) -> ?'sect233k1';
+namedCurves(sect193r2) -> ?'sect193r2';
+namedCurves(sect193r1) -> ?'sect193r1';
+namedCurves(sect131r2) -> ?'sect131r2';
+namedCurves(sect131r1) -> ?'sect131r1';
+namedCurves(sect283r1) -> ?'sect283r1';
+namedCurves(sect283k1) -> ?'sect283k1';
+namedCurves(sect163r2) -> ?'sect163r2';
+namedCurves(secp256k1) -> ?'secp256k1';
+namedCurves(secp160k1) -> ?'secp160k1';
+namedCurves(secp160r1) -> ?'secp160r1';
+namedCurves(secp112r2) -> ?'secp112r2';
+namedCurves(secp112r1) -> ?'secp112r1';
+namedCurves(sect113r2) -> ?'sect113r2';
+namedCurves(sect113r1) -> ?'sect113r1';
+namedCurves(sect239k1) -> ?'sect239k1';
+namedCurves(sect163r1) -> ?'sect163r1';
+namedCurves(sect163k1) -> ?'sect163k1';
+namedCurves(secp256r1) -> ?'secp256r1';
+namedCurves(secp192r1) -> ?'secp192r1'.
+
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
@@ -111,14 +183,24 @@ decode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA =
 						  #'PublicKeyAlgorithm'{algorithm=Algo},
 						  subjectPublicKey = {0,SPK0}}) ->
     Type = supportedPublicKeyAlgorithms(Algo),
-    {ok, SPK} = 'OTP-PUB-KEY':decode(Type, SPK0),
+    SPK = case Type of
+              'ECPoint' -> #'ECPoint'{point = SPK0};
+              _ -> {ok, SPK1} = 'OTP-PUB-KEY':decode(Type, SPK0),
+                   SPK1
+          end,
     #'OTPSubjectPublicKeyInfo'{subjectPublicKey = SPK, algorithm=PA}.
 
 encode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA =
 						     #'PublicKeyAlgorithm'{algorithm=Algo},
 						     subjectPublicKey = SPK0}) ->
     Type = supportedPublicKeyAlgorithms(Algo),
-    {ok, SPK} = 'OTP-PUB-KEY':encode(Type, SPK0),
+    SPK = case Type of
+              'ECPoint' ->
+                  SPK0#'ECPoint'.point;
+              _ ->
+                  {ok, SPK1} = 'OTP-PUB-KEY':encode(Type, SPK0),
+                  SPK1
+          end,
     #'OTPSubjectPublicKeyInfo'{subjectPublicKey = {0,SPK}, algorithm=PA}.
 
 %%% Extensions
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
index 6bdc35fb79..746d142ec3 100644
--- a/lib/public_key/src/pubkey_pem.erl
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -202,7 +202,11 @@ pem_start('CertificationRequest') ->
 pem_start('ContentInfo') ->
     <<"-----BEGIN PKCS7-----">>;
 pem_start('CertificateList') ->
-     <<"-----BEGIN X509 CRL-----">>.
+     <<"-----BEGIN X509 CRL-----">>;
+pem_start('OTPEcpkParameters') ->
+    <<"-----BEGIN EC PARAMETERS-----">>;
+pem_start('ECPrivateKey') ->
+    <<"-----BEGIN EC PRIVATE KEY-----">>.
 
 pem_end(<<"-----BEGIN CERTIFICATE-----">>) ->
     <<"-----END CERTIFICATE-----">>;
@@ -226,6 +230,10 @@ pem_end(<<"-----BEGIN PKCS7-----">>) ->
     <<"-----END PKCS7-----">>;
 pem_end(<<"-----BEGIN X509 CRL-----">>) ->
     <<"-----END X509 CRL-----">>;
+pem_end(<<"-----BEGIN EC PARAMETERS-----">>) ->
+    <<"-----END EC PARAMETERS-----">>;
+pem_end(<<"-----BEGIN EC PRIVATE KEY-----">>) ->
+    <<"-----END EC PRIVATE KEY-----">>;
 pem_end(_) ->
     undefined.
 
@@ -250,7 +258,11 @@ asn1_type(<<"-----BEGIN CERTIFICATE REQUEST-----">>) ->
 asn1_type(<<"-----BEGIN PKCS7-----">>) ->
     'ContentInfo';
 asn1_type(<<"-----BEGIN X509 CRL-----">>) ->
-    'CertificateList'.
+    'CertificateList';
+asn1_type(<<"-----BEGIN EC PARAMETERS-----">>) ->
+    'OTPEcpkParameters';
+asn1_type(<<"-----BEGIN EC PRIVATE KEY-----">>) ->
+    'ECPrivateKey'.
 
 pem_decrypt() ->
     <<"Proc-Type: 4,ENCRYPTED">>.
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 736c18cdd4..6c25428ea4 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -94,7 +94,9 @@ pem_entry_decode({'SubjectPublicKeyInfo', Der, _}) ->
             der_decode(KeyType, Key0);
         'DSAPublicKey' ->
             {params, DssParams} = der_decode('DSAParams', Params),
-            {der_decode(KeyType, Key0), DssParams}
+            {der_decode(KeyType, Key0), DssParams};
+        'ECPrivateKey' ->
+            der_decode(KeyType, Key0)
     end;
 pem_entry_decode({Asn1Type, Der, not_encrypted}) when is_atom(Asn1Type),
 						      is_binary(Der) ->
@@ -336,6 +338,40 @@ format_rsa_private_key(#'RSAPrivateKey'{modulus = N, publicExponent = E,
 					privateExponent = D}) ->
    [crypto:mpint(K) || K <- [E, N, D]].
 
+%%
+%% Description: convert a ECPrivate key into resource Key
+%%--------------------------------------------------------------------
+list2int(L) ->
+    S = length(L) * 8,
+    <<R:S/integer>> = erlang:iolist_to_binary(L),
+    R.
+
+ec_private_key_to_eckey(#'ECPrivateKey'{privateKey = PrivKey,
+					parameters = Param,
+					publicKey = _PubKey}) ->
+    ECCurve = case Param of
+                  #'OTPECParameters'{ fieldID = FieldId, curve = PCurve, base = Base, order = Order, cofactor = CoFactor } ->
+                      Field = {pubkey_cert_records:supportedCurvesTypes(FieldId#'OTPFieldID'.fieldType), FieldId#'OTPFieldID'.parameters},
+                      Curve = {list2int(PCurve#'Curve'.a), list2int(PCurve#'Curve'.b), none},
+                      {Field, Curve, erlang:list_to_binary(Base), Order, CoFactor};
+                  {namedCurve, OID} ->
+                      pubkey_cert_records:namedCurves(OID)
+              end,
+    Key = {ECCurve, list2int(PrivKey), undefined},
+    {'ECKey', crypto:term_to_ec_key(Key)}.
+
+ec_public_key_to_eckey({#'ECPoint'{point = ECPoint}, Param}) ->
+    ECCurve = case Param of
+                  #'OTPECParameters'{ fieldID = FieldId, curve = PCurve, base = Base, order = Order, cofactor = CoFactor } ->
+                      Field = {pubkey_cert_records:supportedCurvesTypes(FieldId#'OTPFieldID'.fieldType), FieldId#'OTPFieldID'.parameters},
+                      Curve = {list2int(PCurve#'Curve'.a), list2int(PCurve#'Curve'.b), none},
+                      {Field, Curve, erlang:list_to_binary(Base), Order, CoFactor};
+                  {namedCurve, OID} ->
+                      pubkey_cert_records:namedCurves(OID)
+              end,
+    Key = {ECCurve, undefined, ECPoint},
+    {'ECKey', crypto:term_to_ec_key(Key)}.
+
 %%--------------------------------------------------------------------
 
 -spec pkix_sign_types(SignatureAlg::oid()) ->
@@ -362,7 +398,15 @@ pkix_sign_types(?md5WithRSAEncryption) ->
 pkix_sign_types(?'id-dsa-with-sha1') ->
     {sha, dsa};
 pkix_sign_types(?'id-dsaWithSHA1') ->
-    {sha, dsa}.
+    {sha, dsa};
+pkix_sign_types(?'ecdsa-with-SHA1') ->
+    {sha, ecdsa};
+pkix_sign_types(?'ecdsa-with-SHA256') ->
+    {sha256, ecdsa};
+pkix_sign_types(?'ecdsa-with-SHA384') ->
+    {sha384, ecdsa};
+pkix_sign_types(?'ecdsa-with-SHA512') ->
+    {sha512, ecdsa}.
 
 %%--------------------------------------------------------------------
 -spec sign(binary() | {digest, binary()},  rsa_digest_type() | dss_digest_type(),
@@ -386,6 +430,18 @@ sign(PlainText, sha, #'DSAPrivateKey'{p = P, q = Q, g = G, x = X}) ->
           [crypto:mpint(P), crypto:mpint(Q),
            crypto:mpint(G), crypto:mpint(X)]);
 
+sign(Digest, DigestType, Key = {?'id-ecPublicKey', _, _}) ->
+    sign(Digest, DigestType, ec_public_key_to_eckey(Key));
+
+sign(Digest, DigestType, Key = #'ECPrivateKey'{}) ->
+    sign(Digest, DigestType, ec_private_key_to_eckey(Key));
+
+sign({digest,_}=Digest, DigestType, {'ECKey', Key}) ->
+    crypto:ecdsa_sign(DigestType, Digest, Key);
+
+sign(PlainText, DigestType, {'ECKey', Key}) ->
+    crypto:ecdsa_sign(DigestType, sized_binary(PlainText), Key);
+
 %% Backwards compatible
 sign(Digest, none, #'DSAPrivateKey'{} = Key) ->
     sign({digest,Digest}, sha, Key).
@@ -414,6 +470,24 @@ verify({digest,_}=Digest, sha, Signature, {Key,  #'Dss-Parms'{p = P, q = Q, g =
     crypto:dss_verify(Digest, sized_binary(Signature),
 		      [crypto:mpint(P), crypto:mpint(Q), 
 		       crypto:mpint(G), crypto:mpint(Key)]);
+
+verify({digest,_}=Digest, DigestType, Signature, {'ECKey', Key}) ->
+    crypto:ecdsa_verify(DigestType, Digest,
+			sized_binary(Signature),
+			Key);
+
+verify(PlainText, DigestType, Signature, Key = #'ECPrivateKey'{}) ->
+    verify(PlainText, DigestType, Signature, ec_private_key_to_eckey(Key));
+
+verify(PlainText, DigestType, Signature, Key = {#'ECPoint'{}, _}) ->
+    verify(PlainText, DigestType, Signature, ec_public_key_to_eckey(Key));
+
+verify(PlainText, DigestType, Signature, {'ECKey', Key}) ->
+    crypto:ecdsa_verify(DigestType,
+			sized_binary(PlainText),
+			sized_binary(Signature),
+			Key);
+
 %% Backwards compatibility
 verify(Digest, none, Signature, {_,  #'Dss-Parms'{}} = Key ) ->
     verify({digest,Digest}, sha, Signature, Key);
@@ -458,7 +532,17 @@ pkix_verify(DerCert, {Key, #'Dss-Parms'{}} = DSAKey)
 pkix_verify(DerCert,  #'RSAPublicKey'{} = RSAKey) 
   when is_binary(DerCert) ->
     {DigestType, PlainText, Signature} = pubkey_cert:verify_data(DerCert),
-    verify(PlainText, DigestType, Signature, RSAKey).
+    verify(PlainText, DigestType, Signature, RSAKey);
+
+pkix_verify(DerCert,  #'ECPrivateKey'{} = ECKey)
+  when is_binary(DerCert) ->
+    {DigestType, PlainText, Signature} = pubkey_cert:verify_data(DerCert),
+    verify(PlainText, DigestType, Signature, ECKey);
+
+pkix_verify(DerCert, Key = {'ECKey', _})
+  when is_binary(DerCert) ->
+    {DigestType, PlainText, Signature} = pubkey_cert:verify_data(DerCert),
+    verify(PlainText, DigestType, Signature,  Key).
 
 %%--------------------------------------------------------------------
 -spec pkix_is_issuer(Cert :: der_encoded()| #'OTPCertificate'{} | #'CertificateList'{},
author	Andreas Schultz <[email protected]>	2012-08-14 16:53:00 +0200
committer	Ingela Anderton Andin <[email protected]>	2013-05-08 10:39:16 +0200
commit	709d0482af92ca52d26296f008b495a36161ca00 (patch)
tree	9d5980b024fac542d22dd957dcc3fd0562ff1c5d /lib/public_key/src
parent	c6c2e82f8b94010e78bfa5fedce7629e7fd32d58 (diff)
download	otp-709d0482af92ca52d26296f008b495a36161ca00.tar.gz otp-709d0482af92ca52d26296f008b495a36161ca00.tar.bz2 otp-709d0482af92ca52d26296f008b495a36161ca00.zip