blob: 6edd111232def5928f34a0b51a6a24e10ae70209 [file] [log] [blame]
/* Copyright (c) 2019, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#ifndef OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H
#define OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H
#include <openssl/base.h>
#include <openssl/ec.h>
#include <openssl/ec_key.h>
#include <openssl/nid.h>
#include "../fipsmodule/ec/internal.h"
#include <openssl/trust_token.h>
// PMBTokens is described in https://eprint.iacr.org/2020/072/20200324:214215
// and provides anonymous tokens with private metadata. We implement the
// construction with validity verification, described in appendix H,
// construction 6, using P-521 as the group.
// PMBTOKEN_NONCE_SIZE is the size of nonces used as part of the PMBToken
// protocol.
#define PMBTOKEN_NONCE_SIZE 64
// Structure representing a single Trust Token public key with the specified ID.
struct trust_token_client_key_st {
uint32_t id;
EC_RAW_POINT pub0;
EC_RAW_POINT pub1;
EC_RAW_POINT pubs;
};
// Structure representing a single Trust Token private key with the specified
// ID.
struct trust_token_issuer_key_st {
uint32_t id;
EC_SCALAR x0;
EC_SCALAR y0;
EC_SCALAR x1;
EC_SCALAR y1;
EC_SCALAR xs;
EC_SCALAR ys;
EC_RAW_POINT pub0;
EC_RAW_POINT pub1;
EC_RAW_POINT pubs;
};
// PMBTOKEN_PRETOKEN represents the intermediate state a client keeps during a
// PMBToken issuance operation.
typedef struct pmb_pretoken_st {
uint8_t t[PMBTOKEN_NONCE_SIZE];
EC_SCALAR r;
EC_RAW_POINT T;
EC_RAW_POINT Tp;
} PMBTOKEN_PRETOKEN;
// PMBTOKEN_PRETOKEN_free releases the memory associated with |token|.
void PMBTOKEN_PRETOKEN_free(PMBTOKEN_PRETOKEN *token);
DEFINE_STACK_OF(PMBTOKEN_PRETOKEN)
// PMBTOKEN_TOKEN represents the final token generated as part of a PMBToken
// issuance operation.
typedef struct pmb_token_st {
uint8_t t[PMBTOKEN_NONCE_SIZE];
EC_RAW_POINT S;
EC_RAW_POINT W;
EC_RAW_POINT Ws;
} PMBTOKEN_TOKEN;
// PMBTOKEN_TOKEN_free releases the memory associated with |token|.
void PMBTOKEN_TOKEN_free(PMBTOKEN_TOKEN *token);
// pmbtoken_compute_public computes the public keypairs from the private
// keypairs in |key|. It returns one on success and zero on failure.
int pmbtoken_compute_public(struct trust_token_issuer_key_st *key);
// pmbtoken_blind generates a new blinded pretoken based on the configuration of
// |ctx| as per the first stage of the AT.Usr operation and returns the
// resulting pretoken.
PMBTOKEN_PRETOKEN *pmbtoken_blind(void);
// pmbtoken_sign signs a blinded point based on the configuration of |ctx|
// and the key specified by |key_id| with a private metadata value of
// |private_metadata| as per the AT.Sig operation and stores the resulting nonce
// and points in |*out_s|, |*out_Wp|, and |*out_Wsp| and the resulting DLEQ
// proof in |*out_proof|. The caller takes ownership of |*out_proof| and is
// responsible for freeing it using |OPENSSL_free|. It returns one on success
// and zero on failure.
int pmbtoken_sign(const TRUST_TOKEN_ISSUER *ctx,
uint8_t out_s[PMBTOKEN_NONCE_SIZE], EC_RAW_POINT *out_Wp,
EC_RAW_POINT *out_Wsp, uint8_t **out_proof,
size_t *out_proof_len, const EC_RAW_POINT *Tp,
uint32_t key_id, uint8_t private_metadata);
// pmbtoken_unblind unblinds the result of an AT.Sig operation as per the final
// stage of the AT.Usr operation and sets |*out_token| to the resulting token.
// It returns one on success and zero on failure.
int pmbtoken_unblind(PMBTOKEN_TOKEN *out_token,
const struct trust_token_client_key_st *key,
const uint8_t s[PMBTOKEN_NONCE_SIZE],
const EC_RAW_POINT *Wp, const EC_RAW_POINT *Wsp,
const uint8_t *proof, size_t proof_len,
const PMBTOKEN_PRETOKEN *pretoken);
// pmbtoken_read verifies the validity of a PMBToken |token| using the key
// specified by |key_id| and stores the value of the private metadata
// bit in |*out_private_metadata|. It returns one if the token is valid and zero
// otherwise.
int pmbtoken_read(const TRUST_TOKEN_ISSUER *ctx, uint8_t *out_private_metadata,
const PMBTOKEN_TOKEN *token, uint32_t key_id);
struct trust_token_client_st {
// max_batchsize is the maximum supported batchsize.
uint16_t max_batchsize;
// keys is the set of public keys that are supported by the client for
// issuance/redemptions.
struct trust_token_client_key_st keys[3];
// num_keys is the number of keys currently configured.
size_t num_keys;
// pretokens is the intermediate state during an active issuance.
STACK_OF(PMBTOKEN_PRETOKEN)* pretokens;
// srr_key is the public key used to verify the signature of the SRR.
EVP_PKEY *srr_key;
};
struct trust_token_issuer_st {
// max_batchsize is the maximum supported batchsize.
uint16_t max_batchsize;
// keys is the set of private keys that are supported by the issuer for
// issuance/redemptions. The public metadata is an index into this list of
// keys.
struct trust_token_issuer_key_st keys[3];
// num_keys is the number of keys currently configured.
size_t num_keys;
// srr_key is the private key used to sign the SRR.
EVP_PKEY *srr_key;
// metadata_key is the secret material used to encode the private metadata bit
// in the SRR.
uint8_t *metadata_key;
size_t metadata_key_len;
};
#endif // OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H