lib/t_cose/src/t_cose_util.c

/*
 *  t_cose_util.c
 *
 * Copyright 2019, Laurence Lundblade
 *
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * See BSD-3-Clause license in README.md.
 */

#include "t_cose_util.h"
#include "qcbor.h"
#include "t_cose_defines.h"
#include "t_cose_common.h"
#include "t_cose_crypto.h"


/**
 * \file t_cose_util.c
 *
 * \brief Implementation of t_cose utility functions.
 *
 * These are some functions common to signing and
 * verification.
 */


/*
 * Public function. See t_cose_util.h
 */
int32_t hash_alg_id_from_sig_alg_id(int32_t cose_sig_alg_id)
{
    /* If other hashes, particularly those that output bigger hashes
     * are added here, various other parts of this code have to be
     * changed to have larger buffers.
     */
    switch(cose_sig_alg_id) {
    case COSE_ALGORITHM_ES256:
        return COSE_ALG_SHA256_PROPRIETARY;

    default:
        return INT32_MAX;
    }
}


/*
 * Format of to-be-signed bytes used by create_tbs_hash().
 * This is defined in COSE (RFC 8152). It is the input
 * to the hash.
 *
 * Sig_structure = [
 *    context : "Signature" / "Signature1" / "CounterSignature",
 *    body_protected : empty_or_serialized_map,
 *    ? sign_protected : empty_or_serialized_map,
 *    external_aad : bstr,
 *    payload : bstr
 * ]
 *
 * body_protected refers to the protected headers from the
 * main COSE_Sign1 structure. This is a little hard to
 * to understand in the spec.
 *
 * sign_protected is not used with COSE_Sign1 since
 * there is no signer chunk.
 *
 * external_aad allows external data to be covered
 * by the hash, but is not supported by this implementation.
 */


/**
 * This is the size of the first part of the CBOR encoded TBS
 * bytes. It is around 30 bytes. See create_tbs_hash().
 */
#define T_COSE_SIZE_OF_TBS \
    1 + /* For opening the array */ \
    sizeof(COSE_SIG_CONTEXT_STRING_SIGNATURE1) + /* "Signature1" */ \
    2 + /* Overhead for encoding string */ \
    T_COSE_SIGN1_MAX_PROT_HEADER + /* entire protected headers */ \
    1 + /* Empty bstr for absent external_aad */ \
    9 /* The max CBOR length encoding for start of payload */


/*
 * Public function. See t_cose_util.h
 */
enum t_cose_err_t create_tbs_hash(int32_t cose_alg_id,
                                  struct q_useful_buf buffer_for_hash,
                                  struct q_useful_buf_c *hash,
                                  struct q_useful_buf_c protected_headers,
                                  enum t_cose_tbs_hash_mode_t payload_mode,
                                  struct q_useful_buf_c payload)
{
    /* approximate stack use on 32-bit machine:
     * local use: 210
     * total with calls: 250
     * Can be another 128 bytes or so depending on
     * t_cose_crypto_hash implementation. It sometimes
     * includes the full hashing context.
     */
    enum t_cose_err_t           return_value;
    QCBOREncodeContext          cbor_encode_ctx;
    UsefulBuf_MAKE_STACK_UB(    buffer_for_TBS_first_part, T_COSE_SIZE_OF_TBS);
    struct q_useful_buf_c       tbs_first_part;
    QCBORError                  qcbor_result;
    struct t_cose_crypto_hash   hash_ctx;
    int32_t                     hash_alg_id;
    size_t                      bytes_to_omit;

    /* This builds the CBOR-format to-be-signed bytes */
    QCBOREncode_Init(&cbor_encode_ctx, buffer_for_TBS_first_part);
    QCBOREncode_OpenArray(&cbor_encode_ctx);
    /* context */
    QCBOREncode_AddSZString(&cbor_encode_ctx,
                            COSE_SIG_CONTEXT_STRING_SIGNATURE1);
    /* body_protected */
    QCBOREncode_AddBytes(&cbor_encode_ctx,
                         protected_headers);
    /* sign_protected is not used for Sign1 */

    /* external_aad. There is none so an empty bstr */
    QCBOREncode_AddBytes(&cbor_encode_ctx, NULL_Q_USEFUL_BUF_C);

    /* The short fake payload. */
    if(payload_mode == T_COSE_TBS_PAYLOAD_IS_BSTR_WRAPPED) {
        /* Fake payload is just an empty bstr. It is here only
         * to make the array count right. It must be ommitted
         * in the actual hashing below
         */
        bytes_to_omit = 1;
        QCBOREncode_AddBytes(&cbor_encode_ctx, NULL_Q_USEFUL_BUF_C);
    } else {
        /* Fake payload is the type and length of the wrapping
         * bstr. It gets hashed with the first part, so no
         * bytes to omit.
         */
        bytes_to_omit = 0;
        QCBOREncode_AddBytesLenOnly(&cbor_encode_ctx, payload);
    }
    /* Cleverness only works because the payload is last in the array */

    /* Close of the array */
    QCBOREncode_CloseArray(&cbor_encode_ctx);

    /* get the encoded results, except for payload */
    qcbor_result = QCBOREncode_Finish(&cbor_encode_ctx, &tbs_first_part);
    if(qcbor_result) {
        /* Mainly means that the protected_headers were too big
         * (which should never happen) */
        return_value = T_COSE_ERR_SIG_STRUCT;
        goto Done;
    }

    /* Start the hashing */
    hash_alg_id = hash_alg_id_from_sig_alg_id(cose_alg_id);
    /* Don't check hash_alg_id for failure. t_cose_crypto_hash_start()
     * will handle it properly.
     */
    return_value = t_cose_crypto_hash_start(&hash_ctx, hash_alg_id);
    if(return_value) {
        goto Done;
    }

    /* This structure is hashed in two parts. The first part is
     * the CBOR-formatted array with protected headers and such.
     * The last part is the actual bytes of the payload. Doing it
     * this way avoids having to allocate a big buffer to hold
     * these two parts together.  It avoids having two copies of
     * the payload in the implementaiton as the payload as formatted
     * in the output buffer can be what is hashed. They payload
     * is the largest memory use, so this saves a lot.
     *
     * This is further complicated because the the payload
     * does have to be wrapped in a bstr. It is done one way
     * when signing and another when verifying.
     */

    /* This is hashing of the first part, all the CBOR
     * except the payload.
     */
    t_cose_crypto_hash_update(&hash_ctx,
                              q_useful_buf_head(tbs_first_part,
                                        tbs_first_part.len - bytes_to_omit));

    /* Hash the payload, the second part. This may or may not
     * have the bstr wrapping. If not, it was hashed above.
     */
    t_cose_crypto_hash_update(&hash_ctx, payload);

    /* Finish the hash and set up to return it */
    return_value = t_cose_crypto_hash_finish(&hash_ctx,
                                             buffer_for_hash,
                                             hash);
Done:
    return return_value;
}


/*
 * Public function. See t_cose_util.h
 */
enum t_cose_err_t
get_short_circuit_kid(struct q_useful_buf buffer_for_kid,
                      struct q_useful_buf_c *kid)
{
    /* This is a random hard coded key ID that is used to indicate
     * short-circuit signing. It is OK to hard code this as the
     * probability of collision with this ID is very low and the same
     * as for collision between any two key IDs of any sort.
     */
    uint8_t defined_short_circuit_kid[] = {
        0xef, 0x95, 0x4b, 0x4b, 0xd9, 0xbd, 0xf6, 0x70,
        0xd0, 0x33, 0x60, 0x82, 0xf5, 0xef, 0x15, 0x2a,
        0xf8, 0xf3, 0x5b, 0x6a, 0x6c, 0x00, 0xef, 0xa6,
        0xa9, 0xa7, 0x1f, 0x49, 0x51, 0x7e, 0x18, 0xc6};

    /* Prevent a dumb error where the size constant in the header is
     * wrong.This check will be evaluated at compile time and optimize
     * out when all is correct.
     */
    if(sizeof(defined_short_circuit_kid) != T_COSE_SHORT_CIRCUIT_KID_SIZE) {
        return T_COSE_ERR_BAD_SHORT_CIRCUIT_KID;
    }

    *kid = q_useful_buf_copy(buffer_for_kid,
                             Q_USEFUL_BUF_FROM_BYTE_ARRAY_LITERAL(
                                 defined_short_circuit_kid));

    return q_useful_buf_c_is_null(*kid) ?
              T_COSE_ERR_KEY_BUFFER_SIZE :
              T_COSE_SUCCESS;
}