[Cryptech-Commits] [sw/libhal] branch hashsig updated: Update to draft-10: clarifications and Test Case 2; add ability to export public key to xdr for interop testing

git at cryptech.is git at cryptech.is
Thu Mar 15 21:52:34 UTC 2018


This is an automated email from the git hooks/post-receive script.

paul at psgd.org pushed a commit to branch hashsig
in repository sw/libhal.

The following commit(s) were added to refs/heads/hashsig by this push:
     new 9995603  Update to draft-10: clarifications and Test Case 2; add ability to export public key to xdr for interop testing
9995603 is described below

commit 99956039e4e93bf075d4f75f3b8adba9f2ddffec
Author: Paul Selkirk <paul at psgd.org>
AuthorDate: Thu Mar 15 17:41:35 2018 -0400

    Update to draft-10: clarifications and Test Case 2;
    add ability to export public key to xdr for interop testing
---
 hashsig.c                |  93 ++++++++++++++++++++++++--------
 hashsig.h                |   3 ++
 tests/test-hashsig.h     |   2 +
 tests/test-rpc_hashsig.c | 134 ++++++++++++++++++++++++++++++++++-------------
 4 files changed, 173 insertions(+), 59 deletions(-)

diff --git a/hashsig.c b/hashsig.c
index 0825463..5ffbb12 100644
--- a/hashsig.c
+++ b/hashsig.c
@@ -1,7 +1,7 @@
 /*
  * hashsig.c
  * ---------
- * Implementation of draft-mcgrew-hash-sigs-08.txt
+ * Implementation of draft-mcgrew-hash-sigs-10.txt
  *
  * Copyright (c) 2018, NORDUnet A/S All rights reserved.
  *
@@ -706,13 +706,12 @@ static hal_error_t lms_generate(lms_key_t *key)
         /* record the lmots keystore name */
         memcpy(&key->lmots_keys[q], &slot.name, sizeof(slot.name));
 
-        /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB[r-2^h]) */
+        /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[r-2^h]) */
         size_t r = h2 + q;
         check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
         check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
         l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
         s = u16str(D_LEAF); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
-        /* they say "OTS_PUB", but they really just mean K */
         check(hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K)));
         check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r])));
     }
@@ -851,36 +850,32 @@ static hal_error_t lms_verify(const lms_key_t * const key,
         return HAL_ERROR_INVALID_SIGNATURE;
 
 //   Algorithm 6: LMS Signature Verification
-
-//     1. if the public key is not at least four bytes long, return
-//        INVALID
 //
-//     2. parse pubtype, I, and T[1] from the public key as follows:
+//    1. if the public key is not at least eight bytes long, return
+//       INVALID
 //
-//        a. pubtype = strTou32(first 4 bytes of public key)
+//    2. parse pubtype, I, and T[1] from the public key as follows:
 //
-//        b. set m according to pubtype, based on Table 2
+//       a. pubtype = strTou32(first 4 bytes of public key)
 //
-//        c. if the public key is not exactly 20 + m bytes
-//           long, return INVALID
-
-    /* XXX THIS IS WRONG, should be 24 + m */
-
-    /* XXX missing from draft: pubotstype = strTou32(next 4 bytes of public key) */
-
+//       b. ots_typecode = strTou32(next 4 bytes of public key)
 //
-//        d. I = next 16 bytes of the public key
+//       c. set m according to pubtype, based on Table 2
 //
-//        e. T[1] = next m bytes of the public key
+//       d. if the public key is not exactly 24 + m bytes
+//          long, return INVALID
 //
-//     3. compute the candidate LMS root value Tc from the signature,
-//        message, identifier and pubtype using Algorithm 6b.
-    /* XXX and pubotstype */
+//       e. I = next 16 bytes of the public key
+//
+//       f. T[1] = next m bytes of the public key
+//
+//    3. compute the candidate LMS root value Tc from the signature,
+//       message, identifier and pubtype using Algorithm 6b.
 
     bytestring32 Tc;
     check(lms_public_key_candidate(key, msg, msg_len, sig, sig_len, &Tc));
 
-//     4. if Tc is equal to T[1], return VALID; otherwise, return INVALID
+//    4. if Tc is equal to T[1], return VALID; otherwise, return INVALID
 
     return (memcmp(&Tc, &key->T1, sizeof(Tc)) ? HAL_ERROR_INVALID_SIGNATURE : HAL_OK);
 }
@@ -1789,3 +1784,57 @@ hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_,
                                        (const uint8_t * const)I, sizeof(bytestring16),
                                        (const uint8_t * const)T1, sizeof(bytestring32));
 }
+
+hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len,
+                                              uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max)
+{
+    if (der == NULL || xdr == NULL)
+        return HAL_ERROR_BAD_ARGUMENTS;
+
+    const uint8_t *alg_oid = NULL, *null = NULL, *pubkey = NULL;
+    size_t         alg_oid_len,     null_len,     pubkey_len;
+
+    check(hal_asn1_decode_spki(&alg_oid, &alg_oid_len, &null, &null_len, &pubkey, &pubkey_len, der, der_len));
+
+    if (null != NULL || null_len != 0 || alg_oid == NULL ||
+        alg_oid_len != hal_asn1_oid_mts_hashsig_len || memcmp(alg_oid, hal_asn1_oid_mts_hashsig, alg_oid_len) != 0)
+        return HAL_ERROR_ASN1_PARSE_FAILED;
+
+    size_t len, hlen, vlen;
+
+    check(hal_asn1_decode_header(ASN1_SEQUENCE, pubkey, pubkey_len, &hlen, &vlen));
+
+    const uint8_t * const pubkey_end = pubkey + hlen + vlen;
+    const uint8_t *d = pubkey + hlen;
+
+    // L || u32str(lms_type) || u32str(lmots_type) || I || T[1]
+
+    size_t L;
+    lms_algorithm_t lms_type;
+    lmots_algorithm_t lmots_type;
+    bytestring16 I;
+    bytestring32 T1;
+
+    check(hal_asn1_decode_size_t(&L, d, &len, pubkey_end - d));                   d += len;
+    check(hal_asn1_decode_lms_algorithm(&lms_type, d, &len, pubkey_end - d));     d += len;
+    check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, pubkey_end - d)); d += len;
+    check(hal_asn1_decode_bytestring16(&I, d, &len, pubkey_end - d));             d += len;
+    check(hal_asn1_decode_bytestring32(&T1, d, &len, pubkey_end - d));            d += len;
+
+    if (d != pubkey_end)
+        return HAL_ERROR_ASN1_PARSE_FAILED;
+
+    uint8_t * xdrptr = xdr;
+    const uint8_t * const xdrlim = xdr + xdr_max;
+
+    check(hal_xdr_encode_int(&xdrptr, xdrlim, L));
+    check(hal_xdr_encode_int(&xdrptr, xdrlim, lms_type));
+    check(hal_xdr_encode_int(&xdrptr, xdrlim, lmots_type));
+    check(hal_xdr_encode_bytestring16(&xdrptr, xdrlim, &I));
+    check(hal_xdr_encode_bytestring32(&xdrptr, xdrlim, &T1));
+
+    if (xdr_len != NULL)
+        *xdr_len = xdrptr - xdr;
+
+    return HAL_OK;
+}
diff --git a/hashsig.h b/hashsig.h
index aeb2828..7bae86e 100644
--- a/hashsig.h
+++ b/hashsig.h
@@ -110,6 +110,9 @@ extern size_t hal_hashsig_signature_len(const size_t L,
 
 extern size_t hal_hashsig_lmots_private_key_len(const lmots_algorithm_t lmots_type);
 
+extern hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len,
+                                                     uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max);
+
 //extern hal_error_t hal_hashsig_restart(...);
 
 #endif /* _HAL_HASHSIG_H_ */
diff --git a/tests/test-hashsig.h b/tests/test-hashsig.h
index 7d18295..4b8333f 100644
--- a/tests/test-hashsig.h
+++ b/tests/test-hashsig.h
@@ -43,6 +43,7 @@ static uint8_t tc1_msg[] = {
 };
 
 /* Test Case 1 Signature */
+/* 2 levels, both h=5, w=8 */
 
 static uint8_t tc1_sig[] = {
     0x00, 0x00, 0x00, 0x01,
@@ -419,6 +420,7 @@ static uint8_t tc2_msg[] = {
 };
 
 /* Test Case 2 Signature */
+/* 2 levels: h=10, w=4; h=5, w=8 */
 
 static uint8_t tc2_sig[] = {
     0x00, 0x00, 0x00, 0x01, 
diff --git a/tests/test-rpc_hashsig.c b/tests/test-rpc_hashsig.c
index d9dd0e7..b93f11e 100644
--- a/tests/test-rpc_hashsig.c
+++ b/tests/test-rpc_hashsig.c
@@ -3,8 +3,7 @@
  * ------------------
  * Test code for RPC interface to Cryptech public key operations.
  *
- * Authors: Rob Austein, Paul Selkirk
- * Copyright (c) 2015-2018, NORDUnet A/S
+ * Copyright (c) 2018, NORDUnet A/S
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42,6 +41,11 @@
 #include <stdlib.h>
 #include <getopt.h>
 #include <assert.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
 
 #include <hal.h>
 #include <hashsig.h>
@@ -151,14 +155,14 @@ fail:
 
 static void hexdump(const char * const label, const uint8_t * const buf, const size_t len)
 {
-    printf("%-15s ", label);
+    printf("%-11s ", label);
 
     for (size_t i = 0; i < len; ++i) {
         printf("%02x", buf[i]);
         if ((i & 0x0f) == 0x0f) {
             printf("\n");
             if (i < len - 1)
-                printf("                ");
+                printf("            ");
         }
     }
     if ((len & 0x0f) != 0)
@@ -177,30 +181,6 @@ static inline size_t lms_type_to_h(const lms_algorithm_t lms_type)
     }
 }
 
-static inline size_t two_to_the(const size_t n)
-{
-    if (n % 5 != 0)
-        return 0;
-
-    size_t result, i;
-    for (result = 1, i = 0; i < n; i += 5)
-        result *= 32;
-
-    return result;
-}
-
-static inline size_t lms_type_to_h2(const lms_algorithm_t lms_type)
-{
-    switch (lms_type) {
-    case lms_sha256_n32_h5:  return two_to_the(5);
-    case lms_sha256_n32_h10: return two_to_the(10);
-    case lms_sha256_n32_h15: return two_to_the(15);
-    case lms_sha256_n32_h20: return two_to_the(20);
-    case lms_sha256_n32_h25: return two_to_the(25);
-    default:                 return 0;
-    }
-}
-
 static inline size_t lmots_type_to_w(const lmots_algorithm_t lmots_type)
 {
     switch (lmots_type) {
@@ -283,7 +263,8 @@ static hal_error_t dump_hss_signature(const uint8_t * const sig, const size_t le
 static int test_hashsig_sign(const size_t L,
                              const lms_algorithm_t lms_type,
                              const lmots_algorithm_t lmots_type,
-                             size_t iterations)
+                             size_t iterations,
+                             int save)
 {
     const hal_client_handle_t client = {HAL_HANDLE_NONE};
     const hal_session_handle_t session = {HAL_HANDLE_NONE};
@@ -293,6 +274,19 @@ static int test_hashsig_sign(const size_t L,
     size_t len;
 
     {
+        char save_name[16];
+        if (save) {
+            sprintf(save_name, "L%d.lms%d.ots%d", (int)L, (int)lms_type, (int)lmots_type);
+            FILE *fp;
+            if ((fp = fopen(save_name, "wb")) == NULL)
+                lose("Error opening %s: %s\n", save_name, strerror(errno));
+            size_t len1;
+            if ((len1 = fwrite(tc1_msg, 1, sizeof(tc1_msg), fp)) != sizeof(tc1_msg))
+                lose("Wrote %lu bytes to %s, expected %lu\n", len1, save_name, sizeof(tc1_msg));
+            if (fclose(fp) != 0)
+                lose("Error closing %s: %s\n", save_name, strerror(errno));
+        }
+
         hal_key_flags_t flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE;
 
         printf("Starting hashsig key test: L %lu, lms type %u (h=%lu), lmots type %u (w=%lu)\n",
@@ -306,8 +300,7 @@ static int test_hashsig_sign(const size_t L,
         hal_uuid_t private_name, public_name;
         struct timeval tv_start, tv_end, tv_diff;
 
-        size_t Lh2 = two_to_the(L * lms_type_to_h(lms_type));
-        size_t h2 = lms_type_to_h2(lms_type);
+        size_t h = lms_type_to_h(lms_type);
 
         if (info)
             gettimeofday(&tv_start, NULL);
@@ -317,7 +310,7 @@ static int test_hashsig_sign(const size_t L,
         if (info) {
             gettimeofday(&tv_end, NULL);
             timersub(&tv_end, &tv_start, &tv_diff);
-            long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * h2);
+            long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * (1 << h));
             printf("Info: %ldm%ld.%03lds to generate key (%ld.%03lds per lmots key)\n",
                    tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000,
                    per_key / 1000000, (per_key % 1000000) / 1000);
@@ -326,7 +319,7 @@ static int test_hashsig_sign(const size_t L,
         uint8_t public_der[hal_rpc_pkey_get_public_key_len(private_key)];
 
         if ((err = hal_rpc_pkey_get_public_key(private_key, public_der, &len, sizeof(public_der))) != HAL_OK)
-            lose("Could not DER encode RPC hashsig public key from RPC hashsig private key: %s\n", hal_error_string(err));
+            lose("Could not DER encode public key from private key: %s\n", hal_error_string(err));
 
         assert(len == sizeof(public_der));
 
@@ -334,6 +327,22 @@ static int test_hashsig_sign(const size_t L,
                                      public_der, sizeof(public_der), flags)) != HAL_OK)
             lose("Could not load public key into RPC: %s\n", hal_error_string(err));
 
+        if (save) {
+            char fn[strlen(save_name) + 5];
+            sprintf(fn, "%s.pub", save_name);
+            FILE *fp;
+            if ((fp = fopen(fn, "wb")) == NULL)
+                lose("Error opening %s: %s\n", fn, strerror(errno));
+            uint8_t pub[60];
+            if ((err = hal_hashsig_public_key_der_to_xdr(public_der, sizeof(public_der), pub, &len, sizeof(pub))) != HAL_OK)
+                lose("Could not XDR encode public key: %s\n", hal_error_string(err));
+            size_t len1;
+            if ((len1 = fwrite(pub, 1, len, fp)) != len)
+                lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len);
+            if (fclose(fp) != 0)
+                lose("Error closing %s: %s\n", fn, strerror(errno));
+        }
+
         if (iterations > 0) {
             uint8_t sig[hal_hashsig_signature_len(L, lms_type, lmots_type)];
 
@@ -350,11 +359,23 @@ static int test_hashsig_sign(const size_t L,
                     }
                 }
                 else {
-                    if (i == Lh2 && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED)
+                    if (i == (1 << (L * h)) && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED)
                         break;
                     else
                         lose("Could not sign (%d): %s\n", i, hal_error_string(err));
                 }
+                if (save) {
+                    char fn[strlen(save_name) + 16];
+                    sprintf(fn, "%s.%d.sig", save_name, i);
+                    FILE *fp;
+                    if ((fp = fopen(fn, "wb")) == NULL)
+                        lose("Error opening %s: %s\n", fn, strerror(errno));
+                    size_t len1;
+                    if ((len1 = fwrite(sig, 1, len, fp)) != len)
+                        lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len);
+                    if (fclose(fp) != 0)
+                        lose("Error closing %s: %s\n", fn, strerror(errno));
+                }
             }
             if (info) {
                 gettimeofday(&tv_end, NULL);
@@ -400,6 +421,35 @@ fail:
     return 0;
 }
 
+static int read_sig(char *fn)
+{
+    {
+        FILE *fp;
+        if ((fp = fopen(fn, "rb")) == NULL)
+            lose("Error opening %s: %s\n", fn, strerror(errno));
+
+        struct stat statbuf;
+        if (stat(fn, &statbuf) != 0)
+            lose("Error statting %s: %s\n", fn, strerror(errno));
+
+        uint8_t sig[statbuf.st_size];
+        size_t len;
+        if ((len = fread(sig, 1, sizeof(sig), fp)) != sizeof(sig))
+            lose("Read %lu bytes from %s, expected %lu\n", len, fn, sizeof(sig));
+
+        if (fclose(fp) != 0)
+            lose("Error closing %s: %s\n", fn, strerror(errno));
+
+        hal_error_t err;
+        if ((err = dump_hss_signature(sig, len)) != HAL_OK)
+            lose("Error parsing signature: %s\n", hal_error_string(err));
+    }
+
+    return 1;
+fail:
+    return 0;        
+}
+
 int main(int argc, char *argv[])
 {
     const hal_client_handle_t client = {HAL_HANDLE_NONE};
@@ -410,12 +460,13 @@ int main(int argc, char *argv[])
     size_t L_lo = 0, L_hi = 0;
     size_t lms_lo = 5, lms_hi = 0;
     size_t lmots_lo = 3, lmots_hi = 0;
+    int save = 0;
     char *p;
     hal_error_t err;
     int ok = 1;
 
 char usage[] = "\
-Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n]\n\
+Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n] [-s] [-r file]\n\
        -d: enable debugging - hexdump signatures\n\
        -i: enable informational messages - runtimes and signature lengths\n\
        -p: user PIN\n\
@@ -424,10 +475,12 @@ Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n]\n\
        -l: LMS type (5..9)\n\
        -o: LM-OTS type (1..4)\n\
        -n: number of signatures to generate (0..'max')\n\
+       -s: save generated public key and signatures\n\
+       -r: read and pretty-print a saved signature file\n\
 Numeric arguments can be a single number or a range, e.g. '1..4'\n";
 
     int opt;
-    while ((opt = getopt(argc, argv, "ditp:L:l:o:n:h?")) != -1) {
+    while ((opt = getopt(argc, argv, "ditp:L:l:o:n:sr:h?")) != -1) {
         switch (opt) {
         case 'd':
             debug = 1;
@@ -470,6 +523,13 @@ Numeric arguments can be a single number or a range, e.g. '1..4'\n";
                 lmots_hi = (size_t)atoi(p);
             do_default = 0;
             break;
+        case's':
+            save = 1;
+            break;
+        case 'r':
+            ok &= read_sig(optarg);
+            do_default = 0;
+            break;
         case 'h':
         case '?':
             fprintf(stdout, usage, argv[0]);
@@ -512,7 +572,7 @@ Numeric arguments can be a single number or a range, e.g. '1..4'\n";
         for (size_t L = L_lo; L <= L_hi; ++L) {
             for (lms_algorithm_t lms_type = lms_lo; lms_type <= lms_hi; ++lms_type) {
                 for (lmots_algorithm_t lmots_type = lmots_lo; lmots_type <= lmots_hi; ++lmots_type) {
-                    ok &= test_hashsig_sign(L, lms_type, lmots_type, iterations);
+                    ok &= test_hashsig_sign(L, lms_type, lmots_type, iterations, save);
                 }
             }
         }

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the Commits mailing list