commit | e8bbd0e0e6bdf267b3977bb8e3145f7a71a2354c | |
---|---|---|
author | Jorge Ramirez-Ortiz <jorge@foundries.io> | Mon Jan 30 23:20:49 2023 +0100 |
committer | Jérôme Forissier <jerome@forissier.org> | Thu Feb 02 09:34:08 2023 +0100 |
tree | 7619fc59c07d650ec5fb939a68b031843ebfc81f | |
parent | 450963c289fe2b6c425fd98401c9fcee1fdb3e35 | |
crypto: versal: ecc: sign/verify fix

Both the message (hash) and the generated signatures must be swapped.

The following custom tests were executed for P384 (prime384v1) and P521 (nistp521) curves.

Signing and verifying using pkcs#11 alone (i.e. like done in xtest) was not sufficient to capture this bug.

    PTOOL='pkcs11-tool --module /usr/lib/libckteec.so.0.1.0'
    SO_PIN=55555555
    PIN=44444444
    FILE=hello

    printf "OP-TEE: create key pair"
    $PTOOL --id 01 --label ldts --token-label fio --pin $PIN \
        --keypairgen \
        --key-type EC:prime384v1

    printf "OP-TEE: read the public key"
    $PTOOL -l --pin $PIN --id 01 \
        --read-object --type pubkey --output-file pubkey.spki

    printf "Openssl: export key to PEM"
    openssl ec -inform DER -outform PEM -in pubkey.spki -pubin > pubkey.pub

    printf "Create file to sign"
    echo "hello world" > $FILE

    printf "OpenSSL: create the file sha384"
    openssl dgst -binary -sha384 $FILE > $FILE.hash

    printf "OP-TEE: generate signature "
    $PTOOL --pin $PIN --id 01 --label ldts --token-label fio \
        --sign --input-file $FILE.hash --output-file $FILE.sig --mechanism ECDSA -f openssl

    printf "OpenSSL: verify signature"
    openssl dgst -sha384 -verify pubkey.pub -signature "$FILE".sig "$FILE"

    printf "OP-TEE: verify signature"
    $PTOOL --pin $PIN --id 01 --label ldts --token-label fio \
        --verify \
        --input-file $FILE.hash \
        --signature-format openssl \
        --signature-file $FILE.sig \
        --mechanism ECDSA

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
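Why a PKCS#11-only sign/verify round trip could not expose the bug while the OpenSSL cross-check did, as an added example that is not code from this commit or from OP-TEE. It assumes "swapped" means byte-order reversal and models a hypothetical engine that reads and writes little-endian buffers. It uses pure-Python ECDSA over P-256 with a constructed key and a fixed nonce in place of the P-384/P-521 hardware path.

```python
import hashlib

P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # NIST P-256, stand-in curve (assumption)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):  # affine addition on y^2 = x^3 - 3x + b; None is infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant time, demo only
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def engine_sign(d, h, k):  # hypothetical engine: every buffer is little-endian
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (int.from_bytes(h, "little") + r * d) % N
    return r.to_bytes(32, "little") + s.to_bytes(32, "little")

def verify(q, h, sig, order):  # textbook ECDSA verify, buffers read in `order`
    z, r, s = (int.from_bytes(b, order) for b in (h, sig[:32], sig[32:]))
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def swap(h, sig=b""):  # reverse the hash and each half (r, s) of the signature
    return h[::-1], sig[:32][::-1] + sig[32:][::-1]

def run(fixed):  # -> (token verifies own signature, big-endian verifier agrees)
    d, k = 2**200 + 12345, 2**180 + 6789  # constructed key; fixed nonce, demo only
    q, h = mul(d, G), hashlib.sha256(b"hello world\n").digest()
    raw = engine_sign(d, swap(h)[0] if fixed else h, k)
    sig = swap(b"", raw)[1] if fixed else raw      # what the caller receives
    eng_h, eng_sig = swap(h, sig) if fixed else (h, sig)  # what the engine sees
    return verify(q, eng_h, eng_sig, "little"), verify(q, h, sig, "big")

print("unswapped:", run(False), "swapped:", run(True))
```

The unswapped path is self-consistent, so the token accepts its own signature, yet the independent big-endian verifier (the role OpenSSL plays in the test above) rejects it.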
This git contains source code for the secure side implementation of the OP-TEE project.
All official OP-TEE documentation has moved to http://optee.readthedocs.io.
// OP-TEE core maintainers