From e9a007d0e10342c78178e23e216ff00dfe44938d Mon Sep 17 00:00:00 2001
From: Vincent Palatin
Date: Fri, 30 Jun 2017 14:33:42 +0200
Subject: g: use deterministic k for individual attestation certificate ECDSA
Implement the RFC 6979 to get a deterministic integer k when doing the ECDSA signing of the x.509 certificates used by U2F and particularly individual attestation mechanism, rather than using the random generator as per the original ECDSA algorithm. So the generated certs have bit-for-bit identical signatures when the content is identical.
Signed-off-by: Vincent Palatin
BRANCH=cr50
BUG=b:35545754
TEST=pass U2FTest and manually dump several individual attestation certs, run the "rfc6779" console command when enabled.
Change-Id: I7b73eee6d5a863aae9a7eec49db884151bad5ab4
Reviewed-on: https://chromium-review.googlesource.com/558073
Commit-Ready: Vadim Bendebury
Tested-by: Vadim Bendebury
Reviewed-by: Marius Schilder
Reviewed-by: Vadim Bendebury
---
common/u2f.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'common/u2f.c')
diff --git a/common/u2f.c b/common/u2f.c
index 9eda16c4f9..e5b73efc8e 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -104,6 +104,7 @@ static unsigned u2f_register(struct apdu apdu, void *buf,
 int l, m_off; /* msg length and interior offset */
 p256_int r, s; /* ecdsa signature */
+ struct drbg_ctx ctx;
 /* Origin keypair */
 uint8_t od_seed[SHA256_DIGEST_SIZE];
 p256_int od, opk_x, opk_y;
@@ -197,7 +198,8 @@ static unsigned u2f_register(struct apdu apdu, void *buf,
 m_off += cert_len;
 /* Sign over the response w/ the attestation key */
- if (!dcrypto_p256_ecdsa_sign(&att_d, &h, &r, &s)) {
+ drbg_rfc6979_init(&ctx, &att_d, &h);
+ if (!dcrypto_p256_ecdsa_sign(&ctx, &att_d, &h, &r, &s)) {
 p256_clear(&att_d);
 p256_clear(&od);
 CPRINTF("#ERR signing error");
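Review bot: In the second hunk (the signing call in u2f_register) the failure branch wipes `att_d` and `od` with p256_clear() but leaves the new `ctx` on the stack, although `drbg_rfc6979_init(&ctx, &att_d, &h)` has just seeded it from the attestation private key. The layout of struct drbg_ctx is not visible here, but state derived from the key presumably deserves the same handling as the key, so I would zeroise `ctx` next to the existing clears and on the success path as well, using a wipe the compiler cannot elide; until then a marker such as `/* TODO: wipe ctx, it holds DRBG state seeded from att_d */` at the call would record the gap. The same applies to the u2f_authenticate hunk, where only `origin_d` is cleared on failure. Both function bodies continue outside the hunks, so a later cleanup may already exist.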
@@ -221,6 +223,7 @@ static unsigned u2f_authenticate(struct apdu apdu, void *buf,
 U2F_AUTHENTICATE_RESP *resp;
 uint8_t unwrapped_kh[KH_LEN];
 uint8_t od_seed[SHA256_DIGEST_SIZE];
+ struct drbg_ctx ctx;
 p256_int origin_d;
 uint8_t origin[U2F_APPID_SIZE];
@@ -280,7 +283,8 @@ static unsigned u2f_authenticate(struct apdu apdu, void *buf,
 if (u2f_origin_key(od_seed, &origin_d)) return U2F_SW_WTF + 2;
- if (!dcrypto_p256_ecdsa_sign(&origin_d, &h, &r, &s)) {
+ drbg_rfc6979_init(&ctx, &origin_d, &h);
+ if (!dcrypto_p256_ecdsa_sign(&ctx, &origin_d, &h, &r, &s)) {
 p256_clear(&origin_d);
 return U2F_SW_WTF + 3;
 }
--
cgit v1.2.1
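Review bot: Nothing at the signing call in the last hunk says that k is now deterministic, and this hunk moves the per-origin authentication signature in u2f_authenticate to the RFC 6979 nonce even though the subject line and description speak only of the attestation certificate signatures. I would add a comment above the call, for example `/* k per RFC 6979: derived from origin_d and h */`, and extend the description to mention this path. Because identical (key, hash) inputs now yield an identical k, it may also be worth recording whether the fault-detection assumptions of the signing path were revisited; that is a design question and not something this diff shows. The function body starts and ends outside the hunk.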