13939744936

Committed 19 Mar 2025 05:44AM UTC coverage: 93.89% (+0.3%) from 93.585%

Build # 13939744936

Build Type

push

github

Committed by

z4yx

Commit Message

adjust ckman tests

Run Details

8 of 8 new or added lines in 1 file covered. (100.0%)

106 existing lines in 3 files now uncovered.

6515 of 6939 relevant lines covered (93.89%)

308229.16 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

85.46

/src/key.c

// SPDX-License-Identifier: Apache-2.0
#include "ecc.h"
#include "memzero.h"
#include <common.h>
#include <key.h>

#define KEY_META_ATTR 0xFF
#define CEIL_DIV_SQRT2 0xB504F334
#define MAX_KEY_TEMPLATE_LENGTH 0x16

// TODO: include_length is always TRUE
int ck_encode_public_key(ck_key_t *key, uint8_t *buf, bool include_length) {
  int off = 0;

  switch (key->meta.type) {
  case SECP256R1:
  case SECP256K1:
  case SECP384R1:
  case SM2:
    if (include_length) {
      buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 3; // tag, length, and 0x04
    }
    buf[off++] = 0x86;
    buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 1; // 0x04
    buf[off++] = 0x04;
    memcpy(&buf[off], key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);
    off += PUBLIC_KEY_LENGTH[key->meta.type];
    break;

  case SECP521R1:
    if (include_length) {
      buf[off++] = 0x81; // Two-byte length
      buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 4; // tag, length (two bytes), and 0x04
    }
    buf[off++] = 0x86;
    buf[off++] = 0x81; // Two-byte length
    buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 1; // 0x04
    buf[off++] = 0x04;
    memcpy(&buf[off], key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);
    off += PUBLIC_KEY_LENGTH[key->meta.type];
    break;

  case ED25519:
  case X25519:
    if (include_length) {
      buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 2; // tag, length
    }
    buf[off++] = 0x86;
    buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type];
    memcpy(&buf[off], key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);
    if (key->meta.type == X25519) {
      swap_big_number_endian(&buf[off]); // Public key of x25519 is encoded in little endian
    }
    off += PUBLIC_KEY_LENGTH[key->meta.type];
    break;

  case RSA2048:
  case RSA3072:
  case RSA4096:
    if (include_length) { // 3-byte length
      buf[off++] = 0x82;
      // 6 = modulus: tag (1), length (3); exponent: tag (1), length (1)
      buf[off++] = HI(6 + PUBLIC_KEY_LENGTH[key->meta.type] + E_LENGTH);
      buf[off++] = LO(6 + PUBLIC_KEY_LENGTH[key->meta.type] + E_LENGTH);
    }
    buf[off++] = 0x81; // modulus
    buf[off++] = 0x82;
    buf[off++] = HI(PUBLIC_KEY_LENGTH[key->meta.type]);
    buf[off++] = LO(PUBLIC_KEY_LENGTH[key->meta.type]);
    rsa_get_public_key(&key->rsa, &buf[off]);
    off += PUBLIC_KEY_LENGTH[key->meta.type];
    buf[off++] = 0x82; // exponent
    buf[off++] = E_LENGTH;
    memcpy(&buf[off], key->rsa.e, E_LENGTH);
    off += E_LENGTH;
    break;

  default:
    return -1;
  }

  return off;
}

int ck_parse_piv_policies(ck_key_t *key, const uint8_t *buf, size_t buf_len) {
  const uint8_t *end = buf + buf_len;

  while (buf < end) {
    switch (*buf++) {
    case 0xAA:
      DBG_MSG("May have pin policy\n");
      if (buf < end && *buf++ != 0x01) {
        DBG_MSG("Wrong length for pin policy\n");
        return KEY_ERR_LENGTH;
      }
      if (buf < end && (*buf > PIN_POLICY_ALWAYS || *buf < PIN_POLICY_NEVER)) {
        DBG_MSG("Wrong data for pin policy\n");
        return KEY_ERR_DATA;
      }
      key->meta.pin_policy = *buf++;
      break;

    case 0xAB:
      DBG_MSG("May have touch policy\n");
      if (buf < end && *buf++ != 0x01) {
        DBG_MSG("Wrong length for touch policy\n");
        return KEY_ERR_LENGTH;
      }
      if (buf < end && (*buf > TOUCH_POLICY_CACHED || *buf < TOUCH_POLICY_NEVER)) {
        DBG_MSG("Wrong data for touch policy\n");
        return KEY_ERR_DATA;
      }
      key->meta.touch_policy = *buf++;
      break;
    
    default:
      buf = end;
      break;
    }
  }

  return 0;
}

int ck_parse_piv(ck_key_t *key, const uint8_t *buf, size_t buf_len) {
  memzero(key->data, sizeof(rsa_key_t));
  key->meta.origin = KEY_ORIGIN_IMPORTED;

  const uint8_t *p = buf;

  switch (key->meta.type) {
  case SECP256R1:
  case SECP256K1:
  case SECP384R1:
  case SM2:
  case ED25519:
  case X25519: {

    if (buf_len < PRIVATE_KEY_LENGTH[key->meta.type] + 2) {
      DBG_MSG("too short\n");
      return KEY_ERR_LENGTH;
    }
    if (*p != 0x06 && !(key->meta.type == ED25519 && *p == 0x07) && !(key->meta.type == X25519 && *p == 0x08)) {
      DBG_MSG("invalid tag\n");
      return KEY_ERR_DATA;
    }
    p++;
    if (*p++ != PRIVATE_KEY_LENGTH[key->meta.type]) {
      DBG_MSG("invalid private key length\n");
      return KEY_ERR_LENGTH;
    }
    memcpy(key->ecc.pri, p, PRIVATE_KEY_LENGTH[key->meta.type]);
    if (key->meta.type == X25519) {
      swap_big_number_endian(key->ecc.pri); // Private key of x25519 is encoded in little endian
    }
    if (!ecc_verify_private_key(key->meta.type, &key->ecc)) {
      memzero(key, sizeof(ck_key_t));
      return KEY_ERR_DATA;
    }
    if (ecc_complete_key(key->meta.type, &key->ecc) < 0) {
      memzero(key, sizeof(ck_key_t));
      return KEY_ERR_PROC;
    }
    p += PRIVATE_KEY_LENGTH[key->meta.type];
    break;
  }

  case RSA2048:
  case RSA3072:
  case RSA4096: {
    int fail;
    size_t length_size;

    key->rsa.nbits = PRIVATE_KEY_LENGTH[key->meta.type] * 16;
    *(uint32_t *)key->rsa.e = htobe32(65537);

    uint8_t *data_ptr[] = {key->rsa.p, key->rsa.q, key->rsa.dp, key->rsa.dq, key->rsa.qinv};

    for (int i = 1; i <= 5; ++i) {
      if ((size_t)(p - buf) >= buf_len) return KEY_ERR_LENGTH;
      if (*p++ != i) return KEY_ERR_DATA;
      const size_t len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
      if (fail) return KEY_ERR_LENGTH;
      if (len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;
      p += length_size;
      memcpy(data_ptr[i - 1] + (PRIVATE_KEY_LENGTH[key->meta.type] - len), p, len);
      p += len;
    }

    if (be32toh(*(uint32_t *)key->rsa.p) < CEIL_DIV_SQRT2 || be32toh(*(uint32_t *)key->rsa.q) < CEIL_DIV_SQRT2) {
      memzero(key, sizeof(ck_key_t));
      return KEY_ERR_DATA;
    }

    break;
  }

  default:
    return -1;
  }

  return ck_parse_piv_policies(key, p, buf + buf_len - p);
}

/*
 * RSA:
 * 7F48 xx Cardholder private key template
 *         91 xx e
 *         92 xx p
 *         93 xx q
 *         94 xx qinv
 *         95 xx dp
 *         96 xx dq
 * 5F48 xx Concatenation of key data as defined in DO 7F48
 *
 * ECC:
 * 7F48 xx Cardholder private key template
 *         92 xx private key
 *         99 xx public key (optional)
 * 5F48 xx Concatenation of key data as defined in DO 7F48
 */
int ck_parse_openpgp(ck_key_t *key, const uint8_t *buf, size_t buf_len) {
  memzero(key->data, sizeof(rsa_key_t));
  key->meta.origin = KEY_ORIGIN_IMPORTED;

  const uint8_t *p = buf;
  int fail;
  size_t length_size;

  // Cardholder private key template
  if ((size_t)(p + 2 - buf) >= buf_len) return KEY_ERR_LENGTH;
  if (*p++ != 0x7F || *p++ != 0x48) return KEY_ERR_DATA;
  DBG_MSG("first\n");
  size_t len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
  if (fail) return KEY_ERR_LENGTH;
  if (len > MAX_KEY_TEMPLATE_LENGTH) return KEY_ERR_DATA;
  DBG_MSG("2nd\n");
  p += length_size;
  const uint8_t *data_tag = p + len; // saved for tag 5F48

  switch (key->meta.type) {
  case SECP256R1:
  case SECP256K1:
  case SECP384R1:
  case SECP521R1:
  case SM2:
  case ED25519:
  case X25519: {
    if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x92) return KEY_ERR_DATA;
    const size_t data_pri_key_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (data_pri_key_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;
    p += length_size;

    size_t data_pub_key_len = 0; // this is optional
    if (p < data_tag) {
      if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
      if (*p++ == 0x99) {
        data_pub_key_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
        if (fail) return KEY_ERR_LENGTH;
        if (data_pub_key_len > PUBLIC_KEY_LENGTH[key->meta.type] + 1) return KEY_ERR_DATA;
      }
    }

    // Concatenation of key data
    p = data_tag;
    if ((size_t)(p + 2 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x5F || *p++ != 0x48) return KEY_ERR_DATA;
    len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail || len != data_pri_key_len + data_pub_key_len) return KEY_ERR_DATA;
    p += length_size;
    const int n_leading_zeros = PRIVATE_KEY_LENGTH[key->meta.type] - data_pri_key_len;
    if ((size_t)(p + data_pri_key_len - buf) > buf_len) return KEY_ERR_LENGTH;
    memcpy(key->ecc.pri + n_leading_zeros, p, data_pri_key_len);

    if (!ecc_verify_private_key(key->meta.type, &key->ecc)) {
      memzero(key, sizeof(ck_key_t));
      return KEY_ERR_DATA;
    }
    if (ecc_complete_key(key->meta.type, &key->ecc) < 0) {
      memzero(key, sizeof(ck_key_t));
      return KEY_ERR_PROC;
    }

    return 0;
  }

  case RSA2048:
  case RSA3072:
  case RSA4096: {
    // 0x91: e
  DBG_MSG("3rd\n");
    if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x91) return KEY_ERR_DATA;
    len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (len != E_LENGTH) return KEY_ERR_DATA;
    p += length_size;

  DBG_MSG("4\n");
    // 0x92: p
    if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x92) return KEY_ERR_DATA;
    len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (len != PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;
    p += length_size;

  DBG_MSG("5\n");
    // 0x93: q
    if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x93) return KEY_ERR_DATA;
    len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (len != PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;
    p += length_size;

  DBG_MSG("6\n");
    // 0x94: qinv, may be less than p/q's length
    if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x94) return KEY_ERR_DATA;
    const size_t qinv_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (qinv_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;
    p += length_size;

    // 0x94: dp, may be less than p/q's length
    if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x95) return KEY_ERR_DATA;
    const size_t dp_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (dp_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;
    p += length_size;

    // 0x94: dq, may be less than p/q's length
    if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x96) return KEY_ERR_DATA;
    const size_t dq_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (dq_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;

  DBG_MSG("7\n");
    // Concatenation of key data
    p = data_tag;
    if ((size_t)(p + 2 - buf) >= buf_len) return KEY_ERR_LENGTH;
    if (*p++ != 0x5F || *p++ != 0x48) return KEY_ERR_DATA;
    len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);
    if (fail) return KEY_ERR_LENGTH;
    if (len != PRIVATE_KEY_LENGTH[key->meta.type] * 2 + qinv_len + dp_len + dq_len + E_LENGTH) return KEY_ERR_DATA;
    p += length_size;

  DBG_MSG("8\n");
    if ((size_t)(p + len - buf) > buf_len) return KEY_ERR_LENGTH;
    key->rsa.nbits = PRIVATE_KEY_LENGTH[key->meta.type] * 16;
    memcpy(key->rsa.e, p, E_LENGTH);
    p += E_LENGTH;
    memcpy(key->rsa.p, p, PRIVATE_KEY_LENGTH[key->meta.type]);
    p += PRIVATE_KEY_LENGTH[key->meta.type];
    memcpy(key->rsa.q, p, PRIVATE_KEY_LENGTH[key->meta.type]);
    p += PRIVATE_KEY_LENGTH[key->meta.type];
    memcpy(key->rsa.qinv + PRIVATE_KEY_LENGTH[key->meta.type] - qinv_len, p, qinv_len);
    p += qinv_len;
    memcpy(key->rsa.dp + PRIVATE_KEY_LENGTH[key->meta.type] - dp_len, p, dp_len);
    p += dp_len;
    memcpy(key->rsa.dq + PRIVATE_KEY_LENGTH[key->meta.type] - dq_len, p, dq_len);
    if (be32toh(*(uint32_t *)key->rsa.p) < CEIL_DIV_SQRT2 || be32toh(*(uint32_t *)key->rsa.q) < CEIL_DIV_SQRT2) {
      memzero(key, sizeof(ck_key_t));
      return KEY_ERR_DATA;
    }

    return 0;
  }

  default:
    return -1;
  }
}

int ck_read_key_metadata(const char *path, key_meta_t *meta) {
  return read_attr(path, KEY_META_ATTR, meta, sizeof(key_meta_t));
}

int ck_write_key_metadata(const char *path, const key_meta_t *meta) {
  return write_attr(path, KEY_META_ATTR, meta, sizeof(key_meta_t));
}

int ck_read_key(const char *path, ck_key_t *key) {
  const int err = ck_read_key_metadata(path, &key->meta);
  if (err < 0) return err;
  return read_file(path, key->data, 0, sizeof(rsa_key_t));
}

int ck_write_key(const char *path, const ck_key_t *key) {
  const int err = write_file(path, key->data, 0, sizeof(rsa_key_t), 1);
  if (err < 0) return err;
  return ck_write_key_metadata(path, &key->meta);
}

int ck_generate_key(ck_key_t *key) {
  key->meta.origin = KEY_ORIGIN_GENERATED;

  if (IS_ECC(key->meta.type)) {
    if (ecc_generate(key->meta.type, &key->ecc) < 0) {
      memzero(key, sizeof(ck_key_t));
      return -1;
    }
    return 0;
  } else if (IS_RSA(key->meta.type)) {
    if (rsa_generate_key(&key->rsa, PUBLIC_KEY_LENGTH[key->meta.type] * 8) < 0) {
      memzero(key, sizeof(ck_key_t));
      return -1;
    }
    return 0;
  } else {
    return -1;
  }
}

int ck_sign(const ck_key_t *key, const uint8_t *input, size_t input_len, uint8_t *sig) {
  DBG_MSG("Data: ");
  PRINT_HEX(input, input_len);
  if (IS_ECC(key->meta.type)) {
    DBG_MSG("Private Key: ");
    PRINT_HEX(key->ecc.pri, PRIVATE_KEY_LENGTH[key->meta.type]);
    DBG_MSG("Public Key: ");
    PRINT_HEX(key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);
    if (ecc_sign(key->meta.type, &key->ecc, input, input_len, sig) < 0) {
      ERR_MSG("ECC signing failed\n");
      DBG_KEY_META(&key->meta);
      return -1;
    }
  } else if (IS_RSA(key->meta.type)) {
    DBG_MSG("Key: ");
    PRINT_HEX(key->rsa.p, PRIVATE_KEY_LENGTH[key->meta.type]);
    PRINT_HEX(key->rsa.q, PRIVATE_KEY_LENGTH[key->meta.type]);
    if (rsa_sign_pkcs_v15(&key->rsa, input, input_len, sig) < 0) {
      ERR_MSG("RSA signing failed\n");
      DBG_KEY_META(&key->meta);
      return -1;
    }
  } else {
    return -1;
  }
  DBG_MSG("Sig: ");
  PRINT_HEX(sig, SIGNATURE_LENGTH[key->meta.type]);
  return SIGNATURE_LENGTH[key->meta.type];
}

1	// SPDX-License-Identifier: Apache-2.0
2	#include "ecc.h"
3	#include "memzero.h"
4	#include <common.h>
5	#include <key.h>
6
7	#define KEY_META_ATTR 0xFF
8	#define CEIL_DIV_SQRT2 0xB504F334
9	#define MAX_KEY_TEMPLATE_LENGTH 0x16
10
11	// TODO: include_length is always TRUE
12	int ck_encode_public_key(ck_key_t key, uint8_t buf, bool include_length) {
13	int off = 0;	186✔
14
15	switch (key->meta.type) {	186✔
16	case SECP256R1:	91✔
17	case SECP256K1:
18	case SECP384R1:
19	case SM2:
20	if (include_length) {	91✔
21	buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 3; // tag, length, and 0x04	91✔
22	}
23	buf[off++] = 0x86;	91✔
24	buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 1; // 0x04	91✔
25	buf[off++] = 0x04;	91✔
26	memcpy(&buf[off], key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);	91✔
27	off += PUBLIC_KEY_LENGTH[key->meta.type];	91✔
28	break;	91✔
29
30	case SECP521R1:	10✔
31	if (include_length) {	10✔
32	buf[off++] = 0x81; // Two-byte length	10✔
33	buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 4; // tag, length (two bytes), and 0x04	10✔
34	}
35	buf[off++] = 0x86;	10✔
36	buf[off++] = 0x81; // Two-byte length	10✔
37	buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 1; // 0x04	10✔
38	buf[off++] = 0x04;	10✔
39	memcpy(&buf[off], key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);	10✔
40	off += PUBLIC_KEY_LENGTH[key->meta.type];	10✔
41	break;	10✔
42
43	case ED25519:	34✔
44	case X25519:
45	if (include_length) {	34✔
46	buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type] + 2; // tag, length	34✔
47	}
48	buf[off++] = 0x86;	34✔
49	buf[off++] = PUBLIC_KEY_LENGTH[key->meta.type];	34✔
50	memcpy(&buf[off], key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);	34✔
51	if (key->meta.type == X25519) {	34✔
52	swap_big_number_endian(&buf[off]); // Public key of x25519 is encoded in little endian	13✔
53	}
54	off += PUBLIC_KEY_LENGTH[key->meta.type];	34✔
55	break;	34✔
56
57	case RSA2048:	51✔
58	case RSA3072:
59	case RSA4096:
60	if (include_length) { // 3-byte length	51✔
61	buf[off++] = 0x82;	51✔
62	// 6 = modulus: tag (1), length (3); exponent: tag (1), length (1)
63	buf[off++] = HI(6 + PUBLIC_KEY_LENGTH[key->meta.type] + E_LENGTH);	51✔
64	buf[off++] = LO(6 + PUBLIC_KEY_LENGTH[key->meta.type] + E_LENGTH);	51✔
65	}
66	buf[off++] = 0x81; // modulus	51✔
67	buf[off++] = 0x82;	51✔
68	buf[off++] = HI(PUBLIC_KEY_LENGTH[key->meta.type]);	51✔
69	buf[off++] = LO(PUBLIC_KEY_LENGTH[key->meta.type]);	51✔
70	rsa_get_public_key(&key->rsa, &buf[off]);	51✔
71	off += PUBLIC_KEY_LENGTH[key->meta.type];	51✔
72	buf[off++] = 0x82; // exponent	51✔
73	buf[off++] = E_LENGTH;	51✔
74	memcpy(&buf[off], key->rsa.e, E_LENGTH);	51✔
75	off += E_LENGTH;	51✔
76	break;	51✔
77
UNCOV 78	default:	×
UNCOV 79	return -1;	×
80	}
81
82	return off;	186✔
83	}
84
85	int ck_parse_piv_policies(ck_key_t key, const uint8_t buf, size_t buf_len) {
86	const uint8_t *end = buf + buf_len;	105✔
87
88	while (buf < end) {	183✔
89	switch (*buf++) {	79✔
90	case 0xAA:	40✔
91	DBG_MSG("May have pin policy\n");	40✔
92	if (buf < end && *buf++ != 0x01) {	40✔
93	DBG_MSG("Wrong length for pin policy\n");	1✔
94	return KEY_ERR_LENGTH;	1✔
95	}
96	if (buf < end && (buf > PIN_POLICY_ALWAYS \|\| buf < PIN_POLICY_NEVER)) {	39✔
97	DBG_MSG("Wrong data for pin policy\n");	×
UNCOV 98	return KEY_ERR_DATA;	×
99	}
100	key->meta.pin_policy = *buf++;	39✔
101	break;	39✔
102
103	case 0xAB:	39✔
104	DBG_MSG("May have touch policy\n");	39✔
105	if (buf < end && *buf++ != 0x01) {	39✔
UNCOV 106	DBG_MSG("Wrong length for touch policy\n");	×
UNCOV 107	return KEY_ERR_LENGTH;	×
108	}
109	if (buf < end && (buf > TOUCH_POLICY_CACHED \|\| buf < TOUCH_POLICY_NEVER)) {	39✔
UNCOV 110	DBG_MSG("Wrong data for touch policy\n");	×
UNCOV 111	return KEY_ERR_DATA;	×
112	}
113	key->meta.touch_policy = *buf++;	39✔
114	break;	39✔
115
UNCOV 116	default:	×
UNCOV 117	buf = end;	×
UNCOV 118	break;	×
119	}
120	}
121
122	return 0;	104✔
123	}
124
125	int ck_parse_piv(ck_key_t key, const uint8_t buf, size_t buf_len) {
126	memzero(key->data, sizeof(rsa_key_t));	24✔
127	key->meta.origin = KEY_ORIGIN_IMPORTED;	24✔
128
129	const uint8_t *p = buf;	24✔
130
131	switch (key->meta.type) {	24✔
132	case SECP256R1:	15✔
133	case SECP256K1:
134	case SECP384R1:
135	case SM2:
136	case ED25519:
137	case X25519: {
138
139	if (buf_len < PRIVATE_KEY_LENGTH[key->meta.type] + 2) {	15✔
UNCOV 140	DBG_MSG("too short\n");	×
UNCOV 141	return KEY_ERR_LENGTH;	×
142	}
143	if (p != 0x06 && !(key->meta.type == ED25519 && p == 0x07) && !(key->meta.type == X25519 && *p == 0x08)) {	15✔
144	DBG_MSG("invalid tag\n");	×
UNCOV 145	return KEY_ERR_DATA;	×
146	}
147	p++;	15✔
148	if (*p++ != PRIVATE_KEY_LENGTH[key->meta.type]) {	15✔
149	DBG_MSG("invalid private key length\n");	1✔
150	return KEY_ERR_LENGTH;	1✔
151	}
152	memcpy(key->ecc.pri, p, PRIVATE_KEY_LENGTH[key->meta.type]);	14✔
153	if (key->meta.type == X25519) {	14✔
154	swap_big_number_endian(key->ecc.pri); // Private key of x25519 is encoded in little endian	2✔
155	}
156	if (!ecc_verify_private_key(key->meta.type, &key->ecc)) {	14✔
UNCOV 157	memzero(key, sizeof(ck_key_t));	×
UNCOV 158	return KEY_ERR_DATA;	×
159	}
160	if (ecc_complete_key(key->meta.type, &key->ecc) < 0) {	14✔
UNCOV 161	memzero(key, sizeof(ck_key_t));	×
UNCOV 162	return KEY_ERR_PROC;	×
163	}
164	p += PRIVATE_KEY_LENGTH[key->meta.type];	14✔
165	break;	14✔
166	}
167
168	case RSA2048:	8✔
169	case RSA3072:
170	case RSA4096: {
171	int fail;	8✔
172	size_t length_size;	8✔
173
174	key->rsa.nbits = PRIVATE_KEY_LENGTH[key->meta.type] * 16;	8✔
175	(uint32_t )key->rsa.e = htobe32(65537);	8✔
176
177	uint8_t *data_ptr[] = {key->rsa.p, key->rsa.q, key->rsa.dp, key->rsa.dq, key->rsa.qinv};	8✔
178
179	for (int i = 1; i <= 5; ++i) {	38✔
180	if ((size_t)(p - buf) >= buf_len) return KEY_ERR_LENGTH;	32✔
181	if (*p++ != i) return KEY_ERR_DATA;	32✔
182	const size_t len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	31✔
183	if (fail) return KEY_ERR_LENGTH;	31✔
184	if (len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;	30✔
185	p += length_size;	30✔
186	memcpy(data_ptr[i - 1] + (PRIVATE_KEY_LENGTH[key->meta.type] - len), p, len);	30✔
187	p += len;	30✔
188	}
189
190	if (be32toh((uint32_t )key->rsa.p) < CEIL_DIV_SQRT2 \|\| be32toh((uint32_t )key->rsa.q) < CEIL_DIV_SQRT2) {	6✔
UNCOV 191	memzero(key, sizeof(ck_key_t));	×
UNCOV 192	return KEY_ERR_DATA;	×
193	}
194
195	break;	6✔
196	}
197
198	default:	1✔
199	return -1;	1✔
200	}
201
202	return ck_parse_piv_policies(key, p, buf + buf_len - p);	20✔
203	}
204
205	/*
206	* RSA:
207	* 7F48 xx Cardholder private key template
208	* 91 xx e
209	* 92 xx p
210	* 93 xx q
211	* 94 xx qinv
212	* 95 xx dp
213	* 96 xx dq
214	* 5F48 xx Concatenation of key data as defined in DO 7F48
215	*
216	* ECC:
217	* 7F48 xx Cardholder private key template
218	* 92 xx private key
219	* 99 xx public key (optional)
220	* 5F48 xx Concatenation of key data as defined in DO 7F48
221	*/
222	int ck_parse_openpgp(ck_key_t key, const uint8_t buf, size_t buf_len) {
223	memzero(key->data, sizeof(rsa_key_t));	30✔
224	key->meta.origin = KEY_ORIGIN_IMPORTED;	30✔
225
226	const uint8_t *p = buf;	30✔
227	int fail;	30✔
228	size_t length_size;	30✔
229
230	// Cardholder private key template
231	if ((size_t)(p + 2 - buf) >= buf_len) return KEY_ERR_LENGTH;	30✔
232	if (p++ != 0x7F \|\| p++ != 0x48) return KEY_ERR_DATA;	30✔
233	DBG_MSG("first\n");	30✔
234	size_t len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	30✔
235	if (fail) return KEY_ERR_LENGTH;	30✔
236	if (len > MAX_KEY_TEMPLATE_LENGTH) return KEY_ERR_DATA;	30✔
237	DBG_MSG("2nd\n");	30✔
238	p += length_size;	30✔
239	const uint8_t *data_tag = p + len; // saved for tag 5F48	30✔
240
241	switch (key->meta.type) {	30✔
242	case SECP256R1:	18✔
243	case SECP256K1:
244	case SECP384R1:
245	case SECP521R1:
246	case SM2:
247	case ED25519:
248	case X25519: {
249	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	18✔
250	if (*p++ != 0x92) return KEY_ERR_DATA;	18✔
251	const size_t data_pri_key_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	18✔
252	if (fail) return KEY_ERR_LENGTH;	18✔
253	if (data_pri_key_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;	18✔
254	p += length_size;	18✔
255
256	size_t data_pub_key_len = 0; // this is optional	18✔
257	if (p < data_tag) {	18✔
258	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	1✔
259	if (*p++ == 0x99) {	1✔
260	data_pub_key_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	1✔
261	if (fail) return KEY_ERR_LENGTH;	1✔
262	if (data_pub_key_len > PUBLIC_KEY_LENGTH[key->meta.type] + 1) return KEY_ERR_DATA;	1✔
263	}
264	}
265
266	// Concatenation of key data
267	p = data_tag;	18✔
268	if ((size_t)(p + 2 - buf) >= buf_len) return KEY_ERR_LENGTH;	18✔
269	if (p++ != 0x5F \|\| p++ != 0x48) return KEY_ERR_DATA;	18✔
270	len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	18✔
271	if (fail \|\| len != data_pri_key_len + data_pub_key_len) return KEY_ERR_DATA;	18✔
272	p += length_size;	18✔
273	const int n_leading_zeros = PRIVATE_KEY_LENGTH[key->meta.type] - data_pri_key_len;	18✔
274	if ((size_t)(p + data_pri_key_len - buf) > buf_len) return KEY_ERR_LENGTH;	18✔
275	memcpy(key->ecc.pri + n_leading_zeros, p, data_pri_key_len);	18✔
276
277	if (!ecc_verify_private_key(key->meta.type, &key->ecc)) {	18✔
UNCOV 278	memzero(key, sizeof(ck_key_t));	×
UNCOV 279	return KEY_ERR_DATA;	×
280	}
281	if (ecc_complete_key(key->meta.type, &key->ecc) < 0) {	18✔
UNCOV 282	memzero(key, sizeof(ck_key_t));	×
UNCOV 283	return KEY_ERR_PROC;	×
284	}
285
286	return 0;	18✔
287	}
288
289	case RSA2048:	12✔
290	case RSA3072:
291	case RSA4096: {
292	// 0x91: e
293	DBG_MSG("3rd\n");	12✔
294	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	12✔
295	if (*p++ != 0x91) return KEY_ERR_DATA;	12✔
296	len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	12✔
297	if (fail) return KEY_ERR_LENGTH;	12✔
298	if (len != E_LENGTH) return KEY_ERR_DATA;	12✔
299	p += length_size;	12✔
300
301	DBG_MSG("4\n");	12✔
302	// 0x92: p
303	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	12✔
304	if (*p++ != 0x92) return KEY_ERR_DATA;	12✔
305	len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	12✔
306	if (fail) return KEY_ERR_LENGTH;	12✔
307	if (len != PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;	12✔
308	p += length_size;	12✔
309
310	DBG_MSG("5\n");	12✔
311	// 0x93: q
312	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	12✔
313	if (*p++ != 0x93) return KEY_ERR_DATA;	12✔
314	len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	12✔
315	if (fail) return KEY_ERR_LENGTH;	12✔
316	if (len != PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;	12✔
317	p += length_size;	12✔
318
319	DBG_MSG("6\n");	12✔
320	// 0x94: qinv, may be less than p/q's length
321	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	12✔
322	if (*p++ != 0x94) return KEY_ERR_DATA;	12✔
323	const size_t qinv_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	12✔
324	if (fail) return KEY_ERR_LENGTH;	12✔
325	if (qinv_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;	12✔
326	p += length_size;	12✔
327
328	// 0x94: dp, may be less than p/q's length
329	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	12✔
330	if (*p++ != 0x95) return KEY_ERR_DATA;	12✔
331	const size_t dp_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	12✔
332	if (fail) return KEY_ERR_LENGTH;	12✔
333	if (dp_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;	12✔
334	p += length_size;	12✔
335
336	// 0x94: dq, may be less than p/q's length
337	if ((size_t)(p + 1 - buf) >= buf_len) return KEY_ERR_LENGTH;	12✔
338	if (*p++ != 0x96) return KEY_ERR_DATA;	12✔
339	const size_t dq_len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	12✔
340	if (fail) return KEY_ERR_LENGTH;	12✔
341	if (dq_len > PRIVATE_KEY_LENGTH[key->meta.type]) return KEY_ERR_DATA;	12✔
342
343	DBG_MSG("7\n");	12✔
344	// Concatenation of key data
345	p = data_tag;	12✔
346	if ((size_t)(p + 2 - buf) >= buf_len) return KEY_ERR_LENGTH;	12✔
347	if (p++ != 0x5F \|\| p++ != 0x48) return KEY_ERR_DATA;	12✔
348	len = tlv_get_length_safe(p, buf_len - (p - buf), &fail, &length_size);	12✔
349	if (fail) return KEY_ERR_LENGTH;	12✔
350	if (len != PRIVATE_KEY_LENGTH[key->meta.type] * 2 + qinv_len + dp_len + dq_len + E_LENGTH) return KEY_ERR_DATA;	12✔
351	p += length_size;	12✔
352
353	DBG_MSG("8\n");	12✔
354	if ((size_t)(p + len - buf) > buf_len) return KEY_ERR_LENGTH;	12✔
355	key->rsa.nbits = PRIVATE_KEY_LENGTH[key->meta.type] * 16;	12✔
356	memcpy(key->rsa.e, p, E_LENGTH);	12✔
357	p += E_LENGTH;	12✔
358	memcpy(key->rsa.p, p, PRIVATE_KEY_LENGTH[key->meta.type]);	12✔
359	p += PRIVATE_KEY_LENGTH[key->meta.type];	12✔
360	memcpy(key->rsa.q, p, PRIVATE_KEY_LENGTH[key->meta.type]);	12✔
361	p += PRIVATE_KEY_LENGTH[key->meta.type];	12✔
362	memcpy(key->rsa.qinv + PRIVATE_KEY_LENGTH[key->meta.type] - qinv_len, p, qinv_len);	12✔
363	p += qinv_len;	12✔
364	memcpy(key->rsa.dp + PRIVATE_KEY_LENGTH[key->meta.type] - dp_len, p, dp_len);	12✔
365	p += dp_len;	12✔
366	memcpy(key->rsa.dq + PRIVATE_KEY_LENGTH[key->meta.type] - dq_len, p, dq_len);	12✔
367	if (be32toh((uint32_t )key->rsa.p) < CEIL_DIV_SQRT2 \|\| be32toh((uint32_t )key->rsa.q) < CEIL_DIV_SQRT2) {	12✔
UNCOV 368	memzero(key, sizeof(ck_key_t));	×
UNCOV 369	return KEY_ERR_DATA;	×
370	}
371
372	return 0;	12✔
373	}
374
UNCOV 375	default:	×
UNCOV 376	return -1;	×
377	}
378	}
379
380	int ck_read_key_metadata(const char path, key_meta_t meta) {
381	return read_attr(path, KEY_META_ATTR, meta, sizeof(key_meta_t));	5,087✔
382	}
383
384	int ck_write_key_metadata(const char path, const key_meta_t meta) {
385	return write_attr(path, KEY_META_ATTR, meta, sizeof(key_meta_t));	464✔
386	}
387
388	int ck_read_key(const char path, ck_key_t key) {
389	const int err = ck_read_key_metadata(path, &key->meta);	2,025✔
390	if (err < 0) return err;	2,025✔
391	return read_file(path, key->data, 0, sizeof(rsa_key_t));	2,025✔
392	}
393
394	int ck_write_key(const char path, const ck_key_t key) {
395	const int err = write_file(path, key->data, 0, sizeof(rsa_key_t), 1);	395✔
396	if (err < 0) return err;	395✔
397	return ck_write_key_metadata(path, &key->meta);	395✔
398	}
399
400	int ck_generate_key(ck_key_t *key) {
401	key->meta.origin = KEY_ORIGIN_GENERATED;	121✔
402
403	if (IS_ECC(key->meta.type)) {	121✔
404	if (ecc_generate(key->meta.type, &key->ecc) < 0) {	80✔
UNCOV 405	memzero(key, sizeof(ck_key_t));	×
UNCOV 406	return -1;	×
407	}
408	return 0;	80✔
409	} else if (IS_RSA(key->meta.type)) {	41✔
410	if (rsa_generate_key(&key->rsa, PUBLIC_KEY_LENGTH[key->meta.type] * 8) < 0) {	41✔
UNCOV 411	memzero(key, sizeof(ck_key_t));	×
UNCOV 412	return -1;	×
413	}
414	return 0;	41✔
415	} else {
416	return -1;	×
417	}
418	}
419
420	int ck_sign(const ck_key_t key, const uint8_t input, size_t input_len, uint8_t *sig) {
421	DBG_MSG("Data: ");	110✔
422	PRINT_HEX(input, input_len);	110✔
423	if (IS_ECC(key->meta.type)) {	110✔
424	DBG_MSG("Private Key: ");	95✔
425	PRINT_HEX(key->ecc.pri, PRIVATE_KEY_LENGTH[key->meta.type]);	95✔
426	DBG_MSG("Public Key: ");	95✔
427	PRINT_HEX(key->ecc.pub, PUBLIC_KEY_LENGTH[key->meta.type]);	95✔
428	if (ecc_sign(key->meta.type, &key->ecc, input, input_len, sig) < 0) {	95✔
UNCOV 429	ERR_MSG("ECC signing failed\n");	×
UNCOV 430	DBG_KEY_META(&key->meta);	×
UNCOV 431	return -1;	×
432	}
433	} else if (IS_RSA(key->meta.type)) {	15✔
434	DBG_MSG("Key: ");	15✔
435	PRINT_HEX(key->rsa.p, PRIVATE_KEY_LENGTH[key->meta.type]);	15✔
436	PRINT_HEX(key->rsa.q, PRIVATE_KEY_LENGTH[key->meta.type]);	15✔
437	if (rsa_sign_pkcs_v15(&key->rsa, input, input_len, sig) < 0) {	15✔
UNCOV 438	ERR_MSG("RSA signing failed\n");	×
UNCOV 439	DBG_KEY_META(&key->meta);	×
UNCOV 440	return -1;	×
441	}
442	} else {
UNCOV 443	return -1;	×
444	}
445	DBG_MSG("Sig: ");	110✔
446	PRINT_HEX(sig, SIGNATURE_LENGTH[key->meta.type]);	110✔
447	return SIGNATURE_LENGTH[key->meta.type];	110✔
448	}

canokeys / canokey-core / 13939744936

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous