ecdsa.h File Reference

The ECDSA context structure.

Warning:

Performing multiple operations concurrently on the same ECDSA context is not supported; objects of this type should not be shared between multiple threads.

Definition at line 80 of file ecdsa.h.

Internal restart context for ecdsa_sign_det()

Note:

Opaque struct, defined in ecdsa.c

Definition at line 104 of file ecdsa.h.

Internal restart context for ecdsa_sign()

Note:

Opaque struct, defined in ecdsa.c

Definition at line 96 of file ecdsa.h.

Internal restart context for ecdsa_verify()

Note:

Opaque struct, defined in ecdsa.c

Definition at line 89 of file ecdsa.h.

This function checks whether a given group can be used for ECDSA.

Parameters:

gid	The ECP group ID to check.

Returns:

1 if the group can be used, 0 otherwise

Definition at line 386 of file ecdsa.c.

This function frees an ECDSA context.

Parameters:

ctx	The ECDSA context to free. This may be NULL, in which case this function does nothing. If it is not NULL, it must be initialized.

Definition at line 955 of file ecdsa.c.

This function sets up an ECDSA context from an EC key pair.

See also:

ecp.h

Parameters:

ctx	The ECDSA context to setup. This must be initialized.
key	The EC key to use. This must be initialized and hold a private-public key pair or a public key. In the former case, the ECDSA context may be used for signature creation and verification after this call. In the latter case, it may be used for signature verification.

Returns:

0 on success.

An MBEDTLS_ERR_ECP_XXX code on failure.

Definition at line 926 of file ecdsa.c.

This function generates an ECDSA keypair on the given curve.

See also:

ecp.h

Parameters:

ctx	The ECDSA context to store the keypair in. This must be initialized.
gid	The elliptic curve to use. One of the various MBEDTLS_ECP_DP_XXX macros depending on configuration.
f_rng	The RNG function to use. This must not be NULL.
p_rng	The RNG context to be passed to f_rng. This may be NULL if f_rng doesn't need a context argument.

Returns:

0 on success.

An MBEDTLS_ERR_ECP_XXX code on failure.

Definition at line 246 of file ecdsa_alt.c.

This function initializes an ECDSA context.

Parameters:

ctx	The ECDSA context to initialize. This must not be NULL.

Definition at line 945 of file ecdsa.c.

This function reads and verifies an ECDSA signature.

Note:

If the bitlength of the message hash is larger than the bitlength of the group order, then the hash is truncated as defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography, section 4.1.4, step 3.

See also:

ecp.h

Parameters:

ctx	The ECDSA context to use. This must be initialized and have a group and public key bound to it.
hash	The message hash that was signed. This must be a readable buffer of length size Bytes.
hlen	The size of the hash hash.
sig	The signature to read and verify. This must be a readable buffer of length slen Bytes.
slen	The size of sig in Bytes.

Returns:

0 on success.

MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.

MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid signature in sig, but its length is less than siglen.

An MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX error code on failure for any other reason.

Definition at line 829 of file ecdsa.c.

This function reads and verifies an ECDSA signature, in a restartable way.

See also:

mbedtls_ecdsa_read_signature()

Note:

This function is like mbedtls_ecdsa_read_signature() but it can return early and restart according to the limit set with mbedtls_ecp_set_max_ops() to reduce blocking.

Parameters:

ctx	The ECDSA context to use. This must be initialized and have a group and public key bound to it.
hash	The message hash that was signed. This must be a readable buffer of length size Bytes.
hlen	The size of the hash hash.
sig	The signature to read and verify. This must be a readable buffer of length slen Bytes.
slen	The size of sig in Bytes.
rs_ctx	The restart context to use. This may be NULL to disable restarting. If it is not NULL, it must point to an initialized restart context.

Returns:

0 on success.

MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.

MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid signature in sig, but its length is less than siglen.

MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of operations was reached: see mbedtls_ecp_set_max_ops().

Another MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX error code on failure for any other reason.

Definition at line 843 of file ecdsa.c.

Free the components of a restart context.

Parameters:

ctx	The restart context to free. This may be NULL, in which case this function does nothing. If it is not NULL, it must be initialized.

Definition at line 983 of file ecdsa.c.

Initialize a restart context.

Parameters:

ctx	The restart context to initialize. This must not be NULL.

Definition at line 967 of file ecdsa.c.

This function computes the ECDSA signature of a previously-hashed message.

Note:

The deterministic version implemented in mbedtls_ecdsa_sign_det() is usually preferred.

If the bitlength of the message hash is larger than the bitlength of the group order, then the hash is truncated as defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography, section 4.1.3, step 5.

See also:

ecp.h

Parameters:

grp	The context for the elliptic curve to use. This must be initialized and have group parameters set, for example through mbedtls_ecp_group_load().
r	The MPI context in which to store the first part the signature. This must be initialized.
s	The MPI context in which to store the second part the signature. This must be initialized.
d	The private signing key. This must be initialized.
buf	The content to be signed. This is usually the hash of the original data to be signed. This must be a readable buffer of length blen Bytes. It may be NULL if blen is zero.
blen	The length of buf in Bytes.
f_rng	The RNG function. This must not be NULL.
p_rng	The RNG context to be passed to f_rng. This may be NULL if f_rng doesn't need a context parameter.

Returns:

0 on success.

An MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code on failure.

Definition at line 61 of file ecdsa_alt.c.

This function computes the ECDSA signature of a previously-hashed message, deterministic version.

For more information, see RFC-6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).

Note:

If the bitlength of the message hash is larger than the bitlength of the group order, then the hash is truncated as defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography, section 4.1.3, step 5.

Warning:

Since the output of the internal RNG is always the same for the same key and message, this limits the efficiency of blinding and leaks information through side channels. For secure behavior use mbedtls_ecdsa_sign_det_ext() instead.

(Optimally the blinding is a random value that is different on every execution. In this case the blinding is still random from the attackers perspective, but is the same on each execution. This means that this blinding does not prevent attackers from recovering secrets by combining several measurement traces, but may prevent some attacks that exploit relationships between secret data.)

See also:

ecp.h

Parameters:

grp	The context for the elliptic curve to use. This must be initialized and have group parameters set, for example through mbedtls_ecp_group_load().
r	The MPI context in which to store the first part the signature. This must be initialized.
s	The MPI context in which to store the second part the signature. This must be initialized.
d	The private signing key. This must be initialized and setup, for example through mbedtls_ecp_gen_privkey().
buf	The hashed content to be signed. This must be a readable buffer of length blen Bytes. It may be NULL if blen is zero.
blen	The length of buf in Bytes.
md_alg	The hash algorithm used to hash the original data.

Returns:

0 on success.

An MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code on failure.

Definition at line 555 of file ecdsa.c.

This function computes the ECDSA signature of a previously-hashed message, deterministic version.

For more information, see RFC-6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).

Note:

If the bitlength of the message hash is larger than the bitlength of the group order, then the hash is truncated as defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography, section 4.1.3, step 5.

See also:

ecp.h

Parameters:

grp	The context for the elliptic curve to use. This must be initialized and have group parameters set, for example through mbedtls_ecp_group_load().
r	The MPI context in which to store the first part the signature. This must be initialized.
s	The MPI context in which to store the second part the signature. This must be initialized.
d	The private signing key. This must be initialized and setup, for example through mbedtls_ecp_gen_privkey().
buf	The hashed content to be signed. This must be a readable buffer of length blen Bytes. It may be NULL if blen is zero.
blen	The length of buf in Bytes.
md_alg	The hash algorithm used to hash the original data.
f_rng_blind	The RNG function used for blinding. This must not be NULL.
p_rng_blind	The RNG context to be passed to f_rng. This may be NULL if f_rng doesn't need a context parameter.

Returns:

0 on success.

An MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code on failure.

Definition at line 571 of file ecdsa.c.

This function verifies the ECDSA signature of a previously-hashed message.

Note:

If the bitlength of the message hash is larger than the bitlength of the group order, then the hash is truncated as defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography, section 4.1.4, step 3.

See also:

ecp.h

Parameters:

grp	The ECP group to use. This must be initialized and have group parameters set, for example through mbedtls_ecp_group_load().
buf	The hashed content that was signed. This must be a readable buffer of length blen Bytes. It may be NULL if blen is zero.
blen	The length of buf in Bytes.
Q	The public key to use for verification. This must be initialized and setup.
r	The first integer of the signature. This must be initialized.
s	The second integer of the signature. This must be initialized.

Returns:

0 on success.

MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature is invalid.

An MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code on failure for any other reason.

Definition at line 160 of file ecdsa_alt.c.

This function computes the ECDSA signature and writes it to a buffer, serialized as defined in RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS).

Warning:

It is not thread-safe to use the same context in multiple threads.

Note:

The deterministic version is used if MBEDTLS_ECDSA_DETERMINISTIC is defined. For more information, see RFC-6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).

If the bitlength of the message hash is larger than the bitlength of the group order, then the hash is truncated as defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography, section 4.1.3, step 5.

See also:

ecp.h

Parameters:

ctx	The ECDSA context to use. This must be initialized and have a group and private key bound to it, for example via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
md_alg	The message digest that was used to hash the message.
hash	The message hash to be signed. This must be a readable buffer of length blen Bytes.
hlen	The length of the hash hash in Bytes.
sig	The buffer to which to write the signature. This must be a writable buffer of length at least twice as large as the size of the curve used, plus 9. For example, 73 Bytes if a 256-bit curve is used. A buffer length of MBEDTLS_ECDSA_MAX_LEN is always safe.
slen	The address at which to store the actual length of the signature written. Must not be NULL.
f_rng	The RNG function. This must not be NULL if MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, it is used only for blinding and may be set to NULL, but doing so is DEPRECATED.
p_rng	The RNG context to be passed to f_rng. This may be NULL if f_rng is NULL or doesn't use a context.

Returns:

0 on success.

An MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code on failure.

Definition at line 795 of file ecdsa.c.

This function computes an ECDSA signature and writes it to a buffer, serialized as defined in RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS).

The deterministic version is defined in RFC-6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).

Warning:

It is not thread-safe to use the same context in multiple threads.

Note:

If the bitlength of the message hash is larger than the bitlength of the group order, then the hash is truncated as defined in Standards for Efficient Cryptography Group (SECG): SEC1 Elliptic Curve Cryptography, section 4.1.3, step 5.

See also:

ecp.h

Parameters:

ctx	The ECDSA context to use. This must be initialized and have a group and private key bound to it, for example via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
hash	The message hash to be signed. This must be a readable buffer of length blen Bytes.
hlen	The length of the hash hash in Bytes.
sig	The buffer to which to write the signature. This must be a writable buffer of length at least twice as large as the size of the curve used, plus 9. For example, 73 Bytes if a 256-bit curve is used. A buffer length of MBEDTLS_ECDSA_MAX_LEN is always safe.
slen	The address at which to store the actual length of the signature written. Must not be NULL.
md_alg	The message digest that was used to hash the message.

Returns:

0 on success.

An MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code on failure.

Definition at line 812 of file ecdsa.c.

This function computes the ECDSA signature and writes it to a buffer, in a restartable way.

See also:

mbedtls_ecdsa_write_signature()

Note:

This function is like mbedtls_ecdsa_write_signature() but it can return early and restart according to the limit set with mbedtls_ecp_set_max_ops() to reduce blocking.

Parameters:

ctx	The ECDSA context to use. This must be initialized and have a group and private key bound to it, for example via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
md_alg	The message digest that was used to hash the message.
hash	The message hash to be signed. This must be a readable buffer of length blen Bytes.
hlen	The length of the hash hash in Bytes.
sig	The buffer to which to write the signature. This must be a writable buffer of length at least twice as large as the size of the curve used, plus 9. For example, 73 Bytes if a 256-bit curve is used. A buffer length of MBEDTLS_ECDSA_MAX_LEN is always safe.
slen	The address at which to store the actual length of the signature written. Must not be NULL.
f_rng	The RNG function. This must not be NULL if MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, it is unused and may be set to NULL.
p_rng	The RNG context to be passed to f_rng. This may be NULL if f_rng is NULL or doesn't use a context.
rs_ctx	The restart context to use. This may be NULL to disable restarting. If it is not NULL, it must point to an initialized restart context.

Returns:

0 on success.

MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of operations was reached: see mbedtls_ecp_set_max_ops().

Another MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code on failure.

Definition at line 747 of file ecdsa.c.