From a3384dc79705f03319e2d8b480a51f9afb5cfba2 Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Thu, 3 Sep 2020 17:39:42 -0700 Subject: [PATCH] Impl ecdsa::CheckSignatureBytes-related changes (#159) Corresponding `ecdsa` crate PR is RustCrypto/signatures#151 This implements the changes which eagerly validate that ECDSA signature `r` and `s` components are in-range `NonZeroScalar` values. This eliminates the need to do these checks as part of each ECDSA verification implementation. --- Cargo.lock | 2 +- k256/src/ecdsa.rs | 3 +++ k256/src/ecdsa/sign.rs | 2 +- k256/src/ecdsa/verify.rs | 17 ++++------------- p256/src/ecdsa.rs | 30 +++++++++++------------------- p384/src/ecdsa.rs | 2 ++ 6 files changed, 22 insertions(+), 34 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bbdf5471..99fab962 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -243,7 +243,7 @@ dependencies = [ [[package]] name = "ecdsa" version = "0.7.2" -source = "git+https://github.com/RustCrypto/signatures#b724ece13a0b39e8a8cc39cb0a2adfe366d8f44e" +source = "git+https://github.com/RustCrypto/signatures#5046c9244904a8a6f0200d1c89024199c17e7582" dependencies = [ "elliptic-curve", "hmac", diff --git a/k256/src/ecdsa.rs b/k256/src/ecdsa.rs index 0e8453fa..c1a226fb 100644 --- a/k256/src/ecdsa.rs +++ b/k256/src/ecdsa.rs @@ -71,6 +71,9 @@ use core::convert::TryInto; /// ECDSA/secp256k1 signature (fixed-size) pub type Signature = ecdsa_core::Signature; +#[cfg(not(feature = "ecdsa"))] +impl ecdsa_core::CheckSignatureBytes for Secp256k1 {} + #[cfg(all(feature = "ecdsa", feature = "sha256"))] impl ecdsa_core::hazmat::DigestPrimitive for Secp256k1 { type Digest = sha2::Sha256; diff --git a/k256/src/ecdsa/sign.rs b/k256/src/ecdsa/sign.rs index b5edac7d..3dc47428 100644 --- a/k256/src/ecdsa/sign.rs +++ b/k256/src/ecdsa/sign.rs @@ -186,7 +186,7 @@ impl Scalar { return Err(Error::new()); } - let mut signature = Signature::from_scalars(&r.into(), &s.into()); + let mut signature = Signature::from_scalars(r, s)?; let is_r_odd = bool::from(R.y.normalize().is_odd()); let is_s_high = signature.normalize_s()?; let recovery_id = recoverable::Id((is_r_odd ^ is_s_high) as u8); diff --git a/k256/src/ecdsa/verify.rs b/k256/src/ecdsa/verify.rs index 52ec7f33..98b7a454 100644 --- a/k256/src/ecdsa/verify.rs +++ b/k256/src/ecdsa/verify.rs @@ -1,12 +1,10 @@ //! ECDSA verifier use super::{recoverable, Error, Signature}; -use crate::{ - AffinePoint, CompressedPoint, EncodedPoint, NonZeroScalar, ProjectivePoint, Scalar, Secp256k1, -}; +use crate::{AffinePoint, CompressedPoint, EncodedPoint, ProjectivePoint, Scalar, Secp256k1}; use core::convert::TryFrom; use ecdsa_core::{hazmat::VerifyPrimitive, signature}; -use elliptic_curve::{consts::U32, ops::Invert, sec1::ToEncodedPoint, FromBytes}; +use elliptic_curve::{consts::U32, ops::Invert, sec1::ToEncodedPoint}; use signature::{digest::Digest, DigestVerifier, PrehashSignature}; /// ECDSA/secp256k1 verification key (i.e. public key) @@ -87,15 +85,8 @@ impl TryFrom<&EncodedPoint> for VerifyKey { impl VerifyPrimitive for AffinePoint { fn verify_prehashed(&self, z: &Scalar, signature: &Signature) -> Result<(), Error> { - let maybe_r = NonZeroScalar::from_bytes(signature.r()); - let maybe_s = NonZeroScalar::from_bytes(signature.s()); - - // TODO(tarcieri): replace with into conversion when available (see subtle#73) - let (r, s) = if maybe_r.is_some().into() && maybe_s.is_some().into() { - (maybe_r.unwrap(), maybe_s.unwrap()) - } else { - return Err(Error::new()); - }; + let r = signature.r(); + let s = signature.s(); // Ensure signature is "low S" normalized ala BIP 0062 if s.is_high().into() { diff --git a/p256/src/ecdsa.rs b/p256/src/ecdsa.rs index 6b59a42c..a5419d26 100644 --- a/p256/src/ecdsa.rs +++ b/p256/src/ecdsa.rs @@ -48,7 +48,7 @@ use { crate::{AffinePoint, ProjectivePoint, Scalar}, core::borrow::Borrow, ecdsa_core::hazmat::{SignPrimitive, VerifyPrimitive}, - elliptic_curve::{ops::Invert, subtle::CtOption, FromBytes}, + elliptic_curve::ops::Invert, }; /// ECDSA/P-256 signature (fixed-size) @@ -64,6 +64,9 @@ pub type SigningKey = ecdsa_core::SigningKey; #[cfg_attr(docsrs, doc(cfg(feature = "ecdsa")))] pub type VerifyKey = ecdsa_core::VerifyKey; +#[cfg(not(feature = "ecdsa"))] +impl ecdsa_core::CheckSignatureBytes for NistP256 {} + #[cfg(all(feature = "ecdsa", feature = "sha256"))] impl ecdsa_core::hazmat::DigestPrimitive for NistP256 { type Digest = sha2::Sha256; @@ -99,36 +102,25 @@ impl SignPrimitive for Scalar { return Err(Error::new()); } - Ok(Signature::from_scalars(&r.into(), &s.into())) + Signature::from_scalars(r, s) } } #[cfg(feature = "ecdsa")] impl VerifyPrimitive for AffinePoint { fn verify_prehashed(&self, z: &Scalar, signature: &Signature) -> Result<(), Error> { - let maybe_r = - Scalar::from_bytes(signature.r()).and_then(|r| CtOption::new(r, !r.is_zero())); - - let maybe_s = - Scalar::from_bytes(signature.s()).and_then(|s| CtOption::new(s, !s.is_zero())); - - // TODO(tarcieri): replace with into conversion when available (see subtle#73) - let (r, s) = if maybe_r.is_some().into() && maybe_s.is_some().into() { - (maybe_r.unwrap(), maybe_s.unwrap()) - } else { - return Err(Error::new()); - }; - + let r = signature.r(); + let s = signature.s(); let s_inv = s.invert().unwrap(); let u1 = z * &s_inv; - let u2 = r * &s_inv; + let u2 = *r * &s_inv; let x = ((&ProjectivePoint::generator() * &u1) + &(ProjectivePoint::from(*self) * &u2)) .to_affine() .unwrap() .x; - if Scalar::from_bytes_reduced(&x.to_bytes()) == r { + if Scalar::from_bytes_reduced(&x.to_bytes()) == *r { Ok(()) } else { Err(Error::new()) @@ -177,8 +169,8 @@ mod tests { let z = Scalar::from_bytes(vector.m.try_into().unwrap()).unwrap(); let sig = d.try_sign_prehashed(&k_blinded, &z).unwrap(); - assert_eq!(vector.r, sig.r().as_slice()); - assert_eq!(vector.s, sig.s().as_slice()); + assert_eq!(vector.r, sig.r().to_bytes().as_slice()); + assert_eq!(vector.s, sig.s().to_bytes().as_slice()); } } diff --git a/p384/src/ecdsa.rs b/p384/src/ecdsa.rs index e43d9006..552f1fe6 100644 --- a/p384/src/ecdsa.rs +++ b/p384/src/ecdsa.rs @@ -5,6 +5,8 @@ pub use crate::NistP384; /// ECDSA/P-384 signature (fixed-size) pub type Signature = ecdsa::Signature; +impl ecdsa::CheckSignatureBytes for NistP384 {} + #[cfg(feature = "sha384")] #[cfg_attr(docsrs, doc(cfg(feature = "sha384")))] impl ecdsa::hazmat::DigestPrimitive for NistP384 {