tls13_sign_verify.c
1 /**
2  * @file tls13_sign_verify.c
3  * @brief RSA/DSA/ECDSA/SM2/EdDSA signature verification (TLS 1.3)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2026 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.6.4
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include "tls/tls.h"
36 #include "tls/tls_sign_verify.h"
37 #include "tls/tls_sign_misc.h"
39 #include "tls/tls_misc.h"
41 #include "debug.h"
42 
43 //Check TLS library configuration
44 #if (TLS_SUPPORT == ENABLED && TLS_MAX_VERSION >= TLS_VERSION_1_3)
45 
46 
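/**
 * @brief Digital signature verification (TLS 1.3)
 *
 * Checks the framing of the digitally-signed element, rebuilds the content
 * covered by the signature (64 octets of 0x20, the context string, a single
 * 0x00 separator and the transcript hash) and dispatches to the verification
 * routine that matches the signature scheme.
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] p Pointer to the digitally-signed element to be verified
 * @param[in] length Length of the digitally-signed element
 * @return Error code. ERROR_DECODING_FAILED is returned when the element is
 *   truncated or when its length field disagrees with @p length.
 *   ERROR_ILLEGAL_PARAMETER is returned when the signature scheme was not
 *   offered or is not handled by this build
 **/

error_t tls13VerifySignature(TlsContext *context, const uint8_t *p,
   size_t length)
{
   error_t error;
   size_t n;
   uint8_t *buffer;
   TlsSignatureScheme signScheme;
   const Tls13DigitalSignature *signature;
   const HashAlgo *hashAlgo;

   //Point to the digitally-signed element. The header fields are not read
   //before the first length check below has passed
   signature = (const Tls13DigitalSignature *) p;

   //Malformed CertificateVerify message?
   if(length < sizeof(Tls13DigitalSignature))
      return ERROR_DECODING_FAILED;
   //The length field must account for every remaining byte, so that the
   //scheme-specific routines can trust signature->length
   if(length != (sizeof(Tls13DigitalSignature) + ntohs(signature->length)))
      return ERROR_DECODING_FAILED;

   //The signature algorithm must be one of those offered in the
   //SignatureAlgorithms extension (refer to RFC 8446, section 4.4.3)
   if(!tlsIsSignAlgoSupported(context, ntohs(signature->algorithm)))
      return ERROR_ILLEGAL_PARAMETER;

   //The hash function used by HKDF is the cipher suite hash algorithm
   hashAlgo = context->cipherSuite.prfHashAlgo;
   //Make sure the hash algorithm is valid
   if(hashAlgo == NULL)
      return ERROR_FAILURE;

   //Calculate the length of the content covered by the digital signature
   //(64 padding octets + 33 octets of context string + 1 separator = 98,
   //followed by the transcript hash)
   n = hashAlgo->digestSize + 98;

   //Allocate a memory buffer
   buffer = tlsAllocMem(n);

   //Successful memory allocation?
   if(buffer != NULL)
   {
      //Form a string that consists of octet 32 (0x20) repeated 64 times
      osMemset(buffer, ' ', 64);

      //Append the context string. It is used to provide separation between
      //signatures made in different contexts, helping against potential
      //cross-protocol attacks. The string names the peer that produced the
      //signature, so a client checks the server string and vice versa
      if(context->entity == TLS_CONNECTION_END_CLIENT)
      {
         osMemcpy(buffer + 64, "TLS 1.3, server CertificateVerify", 33);
      }
      else
      {
         osMemcpy(buffer + 64, "TLS 1.3, client CertificateVerify", 33);
      }

      //Append a single 0 byte which serves as the separator
      buffer[97] = 0x00;

      //Compute the transcript hash
      //NOTE(review): the buffer leaves exactly hashAlgo->digestSize bytes
      //after offset 98; this assumes tlsFinalizeTranscriptHash writes no more
      //than that - confirm against its implementation
      error = tlsFinalizeTranscriptHash(context, hashAlgo,
         context->transcriptHashContext, buffer + 98);

      //Check status code
      if(!error)
      {
         //The algorithm field specifies the signature scheme
         signScheme = (TlsSignatureScheme) ntohs(signature->algorithm);

#if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
         //RSASSA-PSS signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256 ||
            signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384 ||
            signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512 ||
            signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256 ||
            signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384 ||
            signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512)
         {
            //Verify RSA-PSS signature
            error = tls13VerifyRsaPssSignature(context, buffer, n, signature);
         }
         else
#endif
#if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
         //ECDSA signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_ECDSA_SECP256R1_SHA256 ||
            signScheme == TLS_SIGN_SCHEME_ECDSA_SECP384R1_SHA384 ||
            signScheme == TLS_SIGN_SCHEME_ECDSA_SECP521R1_SHA512 ||
            signScheme == TLS_SIGN_SCHEME_ECDSA_BP256R1_TLS13_SHA256 ||
            signScheme == TLS_SIGN_SCHEME_ECDSA_BP384R1_TLS13_SHA384 ||
            signScheme == TLS_SIGN_SCHEME_ECDSA_BP512R1_TLS13_SHA512)
         {
            //Verify ECDSA signature
            error = tls13VerifyEcdsaSignature(context, buffer, n, signature);
         }
         else
#endif
#if (TLS_SM2_SIGN_SUPPORT == ENABLED)
         //SM2 signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_SM2SIG_SM3)
         {
            //Verify SM2 signature
            error = tls13VerifySm2Signature(context, buffer, n, signature);
         }
         else
#endif
#if (TLS_ED25519_SIGN_SUPPORT == ENABLED)
         //Ed25519 signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_ED25519)
         {
            //Verify Ed25519 signature
            error = tls13VerifyEd25519Signature(context, buffer, n, signature);
         }
         else
#endif
#if (TLS_ED448_SIGN_SUPPORT == ENABLED)
         //Ed448 signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_ED448)
         {
            //Verify Ed448 signature
            error = tls13VerifyEd448Signature(context, buffer, n, signature);
         }
         else
#endif
#if (TLS_MLDSA44_SIGN_SUPPORT == ENABLED)
         //ML-DSA-44 signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_MLDSA44)
         {
            //Verify ML-DSA-44 signature
            error = tls13VerifyMldsa44Signature(context, buffer, n, signature);
         }
         else
#endif
#if (TLS_MLDSA65_SIGN_SUPPORT == ENABLED)
         //ML-DSA-65 signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_MLDSA65)
         {
            //Verify ML-DSA-65 signature
            error = tls13VerifyMldsa65Signature(context, buffer, n, signature);
         }
         else
#endif
#if (TLS_MLDSA87_SIGN_SUPPORT == ENABLED)
         //ML-DSA-87 signature scheme?
         if(signScheme == TLS_SIGN_SCHEME_MLDSA87)
         {
            //Verify ML-DSA-87 signature
            error = tls13VerifyMldsa87Signature(context, buffer, n, signature);
         }
         else
#endif
         //Unknown signature scheme?
         {
            //Report an error. A scheme that is offered but not compiled in
            //must fail closed rather than leave the status code untouched
            error = ERROR_ILLEGAL_PARAMETER;
         }
      }

      //Release memory buffer
      tlsFreeMem(buffer);
   }
   else
   {
      //Failed to allocate memory
      error = ERROR_OUT_OF_MEMORY;
   }

   //Return status code
   return error;
}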
223 
224 
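/**
 * @brief RSA-PSS signature verification (TLS 1.3)
 *
 * The rsa_pss_rsae_* schemes are accepted only with an RSA certificate and
 * the rsa_pss_pss_* schemes only with an RSA-PSS certificate. Any other
 * combination is rejected before any hashing takes place. The message is
 * pre-hashed with the hash algorithm selected by the scheme, and the salt
 * length passed to the verifier equals the digest size of that algorithm.
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned when the scheme
 *   does not match the type of the peer's certificate, and
 *   ERROR_NOT_IMPLEMENTED when RSA-PSS support is compiled out
 **/

error_t tls13VerifyRsaPssSignature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
   error_t error;
   TlsSignatureScheme signScheme;
   const HashAlgo *hashAlgo;

   //The algorithm field specifies the signature scheme
   signScheme = (TlsSignatureScheme) ntohs(signature->algorithm);

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_RSA_SIGN)
   {
      //Retrieve the hash algorithm used for signing
      if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256)
      {
         //Select SHA-256 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA256);
      }
      else if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384)
      {
         //Select SHA-384 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA384);
      }
      else if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512)
      {
         //Select SHA-512 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA512);
      }
      else
      {
         //Invalid signature scheme
         hashAlgo = NULL;
      }
   }
   else if(context->peerCertType == TLS_CERT_RSA_PSS_SIGN)
   {
      //Retrieve the hash algorithm used for signing
      if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256)
      {
         //Select SHA-256 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA256);
      }
      else if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384)
      {
         //Select SHA-384 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA384);
      }
      else if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512)
      {
         //Select SHA-512 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA512);
      }
      else
      {
         //Invalid signature scheme
         hashAlgo = NULL;
      }
   }
   else
   {
      //Invalid certificate
      hashAlgo = NULL;
   }

   //Pre-hash the content covered by the digital signature. A NULL hash
   //algorithm covers both a scheme/certificate mismatch and a hash function
   //that tlsGetHashAlgo could not provide
   //NOTE(review): context->clientVerifyData is reused as scratch storage for
   //the digest; it must be able to hold the largest digest selected above
   //(SHA-512) - confirm against the TlsContext definition
   if(hashAlgo != NULL)
   {
      error = hashAlgo->compute(message, length, context->clientVerifyData);
   }
   else
   {
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Check status code
   if(!error)
   {
      //Verify RSASSA-PSS signature. The length of the salt is equal to the
      //length of the digest output (refer to RFC 8446, section 4.2.3)
      error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,
         hashAlgo->digestSize, context->clientVerifyData, signature->value,
         ntohs(signature->length));
   }

   //Return status code
   return error;
#else
   //RSA-PSS signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}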
327 
328 
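/**
 * @brief ECDSA signature verification (TLS 1.3)
 *
 * Each ECDSA signature scheme is accepted only when the curve of the peer's
 * public key is the one named by the scheme. A missing curve, a curve that
 * does not match the scheme or a non-ECDSA certificate is rejected before
 * any hashing takes place.
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned when the scheme
 *   does not match the peer's certificate or curve, and
 *   ERROR_NOT_IMPLEMENTED when ECDSA support is compiled out
 **/

error_t tls13VerifyEcdsaSignature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
   error_t error;
   TlsSignatureScheme signScheme;
   const HashAlgo *hashAlgo;
   const EcCurve *curve;

   //The algorithm field specifies the signature scheme
   signScheme = (TlsSignatureScheme) ntohs(signature->algorithm);

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_ECDSA_SIGN)
   {
      //Get elliptic curve parameters
      curve = context->peerEcPublicKey.curve;

      //Retrieve the hash algorithm used for signing. The curve is checked
      //for NULL first because every following branch reads curve->name
      if(curve == NULL)
      {
         //Invalid signature scheme
         hashAlgo = NULL;
      }
      else if(signScheme == TLS_SIGN_SCHEME_ECDSA_SECP256R1_SHA256 &&
         osStrcmp(curve->name, "secp256r1") == 0)
      {
         //Select SHA-256 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA256);
      }
      else if(signScheme == TLS_SIGN_SCHEME_ECDSA_SECP384R1_SHA384 &&
         osStrcmp(curve->name, "secp384r1") == 0)
      {
         //Select SHA-384 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA384);
      }
      else if(signScheme == TLS_SIGN_SCHEME_ECDSA_SECP521R1_SHA512 &&
         osStrcmp(curve->name, "secp521r1") == 0)
      {
         //Select SHA-512 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA512);
      }
      else if(signScheme == TLS_SIGN_SCHEME_ECDSA_BP256R1_TLS13_SHA256 &&
         osStrcmp(curve->name, "brainpoolP256r1") == 0)
      {
         //Select SHA-256 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA256);
      }
      else if(signScheme == TLS_SIGN_SCHEME_ECDSA_BP384R1_TLS13_SHA384 &&
         osStrcmp(curve->name, "brainpoolP384r1") == 0)
      {
         //Select SHA-384 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA384);
      }
      else if(signScheme == TLS_SIGN_SCHEME_ECDSA_BP512R1_TLS13_SHA512 &&
         osStrcmp(curve->name, "brainpoolP512r1") == 0)
      {
         //Select SHA-512 hash algorithm
         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA512);
      }
      else
      {
         //Invalid signature scheme
         hashAlgo = NULL;
      }
   }
   else
   {
      //Invalid certificate
      hashAlgo = NULL;
   }

   //Pre-hash the content covered by the digital signature
   //NOTE(review): context->clientVerifyData is reused as scratch storage for
   //the digest; it must be able to hold the largest digest selected above
   //(SHA-512) - confirm against the TlsContext definition
   if(hashAlgo != NULL)
   {
      error = hashAlgo->compute(message, length, context->clientVerifyData);
   }
   else
   {
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Check status code
   if(!error)
   {
      //Verify ECDSA signature
      error = tlsVerifyEcdsaSignature(context, context->clientVerifyData,
         hashAlgo->digestSize, signature->value, ntohs(signature->length));
   }

   //Return status code
   return error;
#else
   //ECDSA signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}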
436 
437 
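/**
 * @brief SM2 signature verification (TLS 1.3)
 *
 * The signature is accepted only with an SM2 certificate. It is decoded from
 * its ASN.1 form and verified over the message using SM3 and the TLS 1.3
 * SM2 identifier. The decoded signature is released on every path that
 * initialized it.
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned when the peer's
 *   certificate is not an SM2 certificate, and ERROR_NOT_IMPLEMENTED when
 *   SM2 support is compiled out
 **/

error_t tls13VerifySm2Signature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_SM2_SIGN_SUPPORT == ENABLED)
   error_t error;
   EcdsaSignature sm2Signature;

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_SM2_SIGN)
   {
      //Initialize SM2 signature
      ecdsaInitSignature(&sm2Signature);

      //Read the ASN.1 encoded SM2 signature
      //NOTE(review): unlike the ECDSA path, the curve pointer is not checked
      //for NULL here; presumably ecdsaImportSignature rejects a NULL curve -
      //confirm against its implementation
      error = ecdsaImportSignature(&sm2Signature,
         context->peerEcPublicKey.curve, signature->value,
         ntohs(signature->length), ECDSA_SIGNATURE_FORMAT_ASN1);

      //Check status code
      if(!error)
      {
         //Verify SM2 signature
         error = sm2VerifySignature(&context->peerEcPublicKey, SM3_HASH_ALGO,
            SM2_TLS13_ID, osStrlen(SM2_TLS13_ID), message, length,
            &sm2Signature);
      }

      //Free previously allocated resources
      ecdsaFreeSignature(&sm2Signature);
   }
   else
   {
      //Invalid certificate
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Return status code
   return error;
#else
   //SM2 signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}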
491 
492 
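/**
 * @brief Ed25519 signature verification (TLS 1.3)
 *
 * The signature is accepted only with an Ed25519 certificate. The message is
 * handed to the verifier as a single data chunk, without pre-hashing
 * (PureEdDSA mode).
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned when the peer's
 *   certificate is not an Ed25519 certificate, and ERROR_NOT_IMPLEMENTED
 *   when Ed25519 support is compiled out
 **/

error_t tls13VerifyEd25519Signature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_ED25519_SIGN_SUPPORT == ENABLED)
   error_t error;
   DataChunk messageChunks[1];

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_ED25519_SIGN)
   {
      //Data to be verified is run through the EdDSA algorithm without pre-hashing
      messageChunks[0].buffer = message;
      messageChunks[0].length = length;

      //Verify Ed25519 signature (PureEdDSA mode)
      //NOTE(review): the signature length is forwarded unchecked; presumably
      //tlsVerifyEd25519Signature rejects any length other than the fixed
      //Ed25519 signature size - confirm against its implementation
      error = tlsVerifyEd25519Signature(context, messageChunks,
         arraysize(messageChunks), signature->value, ntohs(signature->length));
   }
   else
   {
      //Invalid certificate
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Return status code
   return error;
#else
   //Ed25519 signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}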
534 
535 
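/**
 * @brief Ed448 signature verification (TLS 1.3)
 *
 * The signature is accepted only with an Ed448 certificate. The message is
 * handed to the verifier as a single data chunk, without pre-hashing
 * (PureEdDSA mode).
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned when the peer's
 *   certificate is not an Ed448 certificate, and ERROR_NOT_IMPLEMENTED when
 *   Ed448 support is compiled out
 **/

error_t tls13VerifyEd448Signature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_ED448_SIGN_SUPPORT == ENABLED)
   error_t error;
   DataChunk messageChunks[1];

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_ED448_SIGN)
   {
      //Data to be verified is run through the EdDSA algorithm without pre-hashing
      messageChunks[0].buffer = message;
      messageChunks[0].length = length;

      //Verify Ed448 signature (PureEdDSA mode)
      //NOTE(review): the signature length is forwarded unchecked; presumably
      //tlsVerifyEd448Signature rejects any length other than the fixed
      //Ed448 signature size - confirm against its implementation
      error = tlsVerifyEd448Signature(context, messageChunks,
         arraysize(messageChunks), signature->value, ntohs(signature->length));
   }
   else
   {
      //Invalid certificate
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Return status code
   return error;
#else
   //Ed448 signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}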
577 
578 
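/**
 * @brief ML-DSA-44 signature verification (TLS 1.3)
 *
 * Three checks gate the verification: the peer's certificate must be an
 * ML-DSA-44 certificate, the stored public key must carry the ML-DSA-44
 * security level and public key length, and the signature must have the
 * fixed ML-DSA-44 length. The verifier takes no signature length argument,
 * so the length check is what bounds the read of signature->value. An empty
 * ML-DSA context string is used.
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned for a certificate
 *   of another type, ERROR_INVALID_KEY for a public key that does not match
 *   ML-DSA-44, ERROR_INVALID_SIGNATURE for a signature of the wrong length,
 *   and ERROR_NOT_IMPLEMENTED when ML-DSA-44 support is compiled out
 **/

error_t tls13VerifyMldsa44Signature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_MLDSA44_SIGN_SUPPORT == ENABLED)
   error_t error;

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_MLDSA44_SIGN)
   {
      //Check security level
      if(context->peerMldsaPublicKey.level == MLDSA44_SECURITY_LEVEL &&
         context->peerMldsaPublicKey.pkLen == MLDSA44_PUBLIC_KEY_LEN)
      {
         //The ML-DSA-44 signature shall consist of 2420 octets
         //NOTE(review): relies on the caller having checked that the element
         //really holds ntohs(signature->length) bytes of signature data
         if(ntohs(signature->length) == MLDSA44_SIGNATURE_LEN)
         {
            //Verify ML-DSA-44 signature (empty context string)
            error = mldsa44VerifySignature(context->peerMldsaPublicKey.pk,
               message, length, NULL, 0, signature->value);
         }
         else
         {
            //The length of the ML-DSA-44 signature is not valid
            error = ERROR_INVALID_SIGNATURE;
         }
      }
      else
      {
         //The public key is not valid
         error = ERROR_INVALID_KEY;
      }
   }
   else
   {
      //Invalid certificate
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Return status code
   return error;
#else
   //ML-DSA-44 signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}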
634 
635 
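/**
 * @brief ML-DSA-65 signature verification (TLS 1.3)
 *
 * Three checks gate the verification: the peer's certificate must be an
 * ML-DSA-65 certificate, the stored public key must carry the ML-DSA-65
 * security level and public key length, and the signature must have the
 * fixed ML-DSA-65 length. The verifier takes no signature length argument,
 * so the length check is what bounds the read of signature->value. An empty
 * ML-DSA context string is used.
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned for a certificate
 *   of another type, ERROR_INVALID_KEY for a public key that does not match
 *   ML-DSA-65, ERROR_INVALID_SIGNATURE for a signature of the wrong length,
 *   and ERROR_NOT_IMPLEMENTED when ML-DSA-65 support is compiled out
 **/

error_t tls13VerifyMldsa65Signature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_MLDSA65_SIGN_SUPPORT == ENABLED)
   error_t error;

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_MLDSA65_SIGN)
   {
      //Check security level
      if(context->peerMldsaPublicKey.level == MLDSA65_SECURITY_LEVEL &&
         context->peerMldsaPublicKey.pkLen == MLDSA65_PUBLIC_KEY_LEN)
      {
         //The ML-DSA-65 signature shall consist of 3309 octets
         //NOTE(review): relies on the caller having checked that the element
         //really holds ntohs(signature->length) bytes of signature data
         if(ntohs(signature->length) == MLDSA65_SIGNATURE_LEN)
         {
            //Verify ML-DSA-65 signature (empty context string)
            error = mldsa65VerifySignature(context->peerMldsaPublicKey.pk,
               message, length, NULL, 0, signature->value);
         }
         else
         {
            //The length of the ML-DSA-65 signature is not valid
            error = ERROR_INVALID_SIGNATURE;
         }
      }
      else
      {
         //The public key is not valid
         error = ERROR_INVALID_KEY;
      }
   }
   else
   {
      //Invalid certificate
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Return status code
   return error;
#else
   //ML-DSA-65 signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}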
691 
692 
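/**
 * @brief ML-DSA-87 signature verification (TLS 1.3)
 *
 * Three checks gate the verification: the peer's certificate must be an
 * ML-DSA-87 certificate, the stored public key must carry the ML-DSA-87
 * security level and public key length, and the signature must have the
 * fixed ML-DSA-87 length. The verifier takes no signature length argument,
 * so the length check is what bounds the read of signature->value. An empty
 * ML-DSA context string is used.
 *
 * @param[in] context Pointer to the TLS context
 * @param[in] message Message whose signature is to be verified
 * @param[in] length Length of the message, in bytes
 * @param[in] signature Pointer to the digital signature to be verified
 * @return Error code. ERROR_ILLEGAL_PARAMETER is returned for a certificate
 *   of another type, ERROR_INVALID_KEY for a public key that does not match
 *   ML-DSA-87, ERROR_INVALID_SIGNATURE for a signature of the wrong length,
 *   and ERROR_NOT_IMPLEMENTED when ML-DSA-87 support is compiled out
 **/

error_t tls13VerifyMldsa87Signature(TlsContext *context, const uint8_t *message,
   size_t length, const Tls13DigitalSignature *signature)
{
#if (TLS_MLDSA87_SIGN_SUPPORT == ENABLED)
   error_t error;

   //The signature algorithm must be compatible with the key in the sender's
   //end-entity certificate (refer to RFC 8446, section 4.4.3)
   if(context->peerCertType == TLS_CERT_MLDSA87_SIGN)
   {
      //Check security level
      if(context->peerMldsaPublicKey.level == MLDSA87_SECURITY_LEVEL &&
         context->peerMldsaPublicKey.pkLen == MLDSA87_PUBLIC_KEY_LEN)
      {
         //The ML-DSA-87 signature shall consist of 4627 octets
         //NOTE(review): relies on the caller having checked that the element
         //really holds ntohs(signature->length) bytes of signature data
         if(ntohs(signature->length) == MLDSA87_SIGNATURE_LEN)
         {
            //Verify ML-DSA-87 signature (empty context string)
            error = mldsa87VerifySignature(context->peerMldsaPublicKey.pk,
               message, length, NULL, 0, signature->value);
         }
         else
         {
            //The length of the ML-DSA-87 signature is not valid
            error = ERROR_INVALID_SIGNATURE;
         }
      }
      else
      {
         //The public key is not valid
         error = ERROR_INVALID_KEY;
      }
   }
   else
   {
      //Invalid certificate
      error = ERROR_ILLEGAL_PARAMETER;
   }

   //Return status code
   return error;
#else
   //ML-DSA-87 signature algorithm not implemented
   return ERROR_NOT_IMPLEMENTED;
#endif
}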
748 
749 #endif