Strona główna Odkrywaj Pomoc
Zaloguj się
torambo.com
/
Momentum-Apps
2
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Drzewo: b3236278d9
Gałęzie Tagi
Momentum-Apps
/
crypto
/
tests
/
test_curves.py

test_curves.py 9.9 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381 
  1. #!/usr/bin/py.test
    2. 

  2. import binascii
    3. 

  3. import ctypes as c
    4. 

  4. import hashlib
    5. 

  5. import os
    6. 

  6. import random
    7. 

  7. 

  8. import curve25519
    9. 

  9. import ecdsa
    10. 

  10. import pytest
    11. 

  11. 

  12. 

  13. def bytes2num(s):
    14. 

  14.     res = 0
    15. 

  15.     for i, b in enumerate(reversed(bytearray(s))):
    16. 

  16.         res += b << (i * 8)
    17. 

  17.     return res
    18. 

  18. 

  19. 

  20. curves = {"nist256p1": ecdsa.curves.NIST256p, "secp256k1": ecdsa.curves.SECP256k1}
    21. 

  21. 

  22. 

  23. class Point:
    24. 

  24.     def __init__(self, name, x, y):
    25. 

  25.         self.curve = name
    26. 

  26.         self.x = x
    27. 

  27.         self.y = y
    28. 

  28. 

  29. 

  30. points = [
    31. 

  31.     Point(
    32. 

  32.         "secp256k1",
    33. 

  33.         0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    34. 

  34.         0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
    35. 

  35.     ),
    36. 

  36.     Point(
    37. 

  37.         "secp256k1",
    38. 

  38.         0x1,
    39. 

  39.         0x4218F20AE6C646B363DB68605822FB14264CA8D2587FDD6FBC750D587E76A7EE,
    40. 

  40.     ),
    41. 

  41.     Point(
    42. 

  42.         "secp256k1",
    43. 

  43.         0x2,
    44. 

  44.         0x66FBE727B2BA09E09F5A98D70A5EFCE8424C5FA425BBDA1C511F860657B8535E,
    45. 

  45.     ),
    46. 

  46.     Point(
    47. 

  47.         "secp256k1",
    48. 

  48.         0x1B,
    49. 

  49.         0x1ADCEA1CF831B0AD1653E769D1A229091D0CC68D4B0328691B9CAACC76E37C90,
    50. 

  50.     ),
    51. 

  51.     Point(
    52. 

  52.         "nist256p1",
    53. 

  53.         0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    54. 

  54.         0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    55. 

  55.     ),
    56. 

  56.     Point(
    57. 

  57.         "nist256p1",
    58. 

  58.         0x0,
    59. 

  59.         0x66485C780E2F83D72433BD5D84A06BB6541C2AF31DAE871728BF856A174F93F4,
    60. 

  60.     ),
    61. 

  61.     Point(
    62. 

  62.         "nist256p1",
    63. 

  63.         0x0,
    64. 

  64.         0x99B7A386F1D07C29DBCC42A27B5F9449ABE3D50DE25178E8D7407A95E8B06C0B,
    65. 

  65.     ),
    66. 

  66.     Point(
    67. 

  67.         "nist256p1",
    68. 

  68.         0xAF8BBDFE8CDD5577ACBF345B543D28CF402F4E94D3865B97EA0787F2D3AA5D22,
    69. 

  69.         0x35802B8B376B995265918B078BC109C21A535176585C40F519ACA52D6AFC147C,
    70. 

  70.     ),
    71. 

  71.     Point(
    72. 

  72.         "nist256p1",
    73. 

  73.         0x80000,
    74. 

  74.         0x580610071F440F0DCC14A22E2D5D5AFC1224C0CD11A3B4B51B8ECD2224EE1CE2,
    75. 

  75.     ),
    76. 

  76. ]
    77. 

  77. 

  78. random_iters = int(os.environ.get("ITERS", 1))
    79. 

  79. 

  80. DIR = os.path.abspath(os.path.dirname(__file__))
    81. 

  81. lib = c.cdll.LoadLibrary(os.path.join(DIR, "libtrezor-crypto.so"))
    82. 

  82. if not lib.zkp_context_is_initialized():
    83. 

  83.     assert lib.zkp_context_init() == 0
    84. 

  84. 

  85. BIGNUM = c.c_uint32 * 9
    86. 

  86. 

  87. 

  88. class curve_info(c.Structure):
    89. 

  89.     _fields_ = [("bip32_name", c.c_char_p), ("params", c.c_void_p)]
    90. 

  90. 

  91. 

  92. class curve_point(c.Structure):
    93. 

  93.     _fields_ = [("x", BIGNUM), ("y", BIGNUM)]
    94. 

  94. 

  95. 

  96. class ecdsa_curve(c.Structure):
    97. 

  97.     _fields_ = [
    98. 

  98.         ("prime", BIGNUM),
    99. 

  99.         ("G", curve_point),
    100. 

  100.         ("order", BIGNUM),
    101. 

  101.         ("order_half", BIGNUM),
    102. 

  102.         ("a", c.c_int),
    103. 

  103.         ("b", BIGNUM),
    104. 

  104.     ]
    105. 

  105. 

  106. 

  107. lib.get_curve_by_name.restype = c.POINTER(curve_info)
    108. 

  108. 

  109. 

  110. class Random(random.Random):
    111. 

  111.     def randbytes(self, n):
    112. 

  112.         buf = (c.c_uint8 * n)()
    113. 

  113.         for i in range(n):
    114. 

  114.             buf[i] = self.randrange(0, 256)
    115. 

  115.         return buf
    116. 

  116. 

  117.     def randpoint(self, curve):
    118. 

  118.         k = self.randrange(0, curve.order)
    119. 

  119.         return k * curve.generator
    120. 

  120. 

  121. 

  122. def int2bn(x, bn_type=BIGNUM):
    123. 

  123.     b = bn_type()
    124. 

  124.     b._int = x
    125. 

  125.     for i in range(len(b)):
    126. 

  126.         b[i] = x % (1 << 29)
    127. 

  127.         x = x >> 29
    128. 

  128.     return b
    129. 

  129. 

  130. 

  131. def bn2int(b):
    132. 

  132.     x = 0
    133. 

  133.     for i in range(len(b)):
    134. 

  134.         x += b[i] << (29 * i)
    135. 

  135.     return x
    136. 

  136. 

  137. 

  138. @pytest.fixture(params=range(random_iters))
    139. 

  139. def r(request):
    140. 

  140.     seed = request.param
    141. 

  141.     return Random(seed + int(os.environ.get("SEED", 0)))
    142. 

  142. 

  143. 

  144. def get_curve_obj(name):
    145. 

  145.     curve_ptr = lib.get_curve_by_name(bytes(name, "ascii")).contents.params
    146. 

  146.     assert curve_ptr, "curve {} not found".format(name)
    147. 

  147.     curve_obj = curves[name]
    148. 

  148.     curve_obj.ptr = c.cast(curve_ptr, c.POINTER(ecdsa_curve))
    149. 

  149.     curve_obj.p = curve_obj.curve.p()  # shorthand
    150. 

  150.     return curve_obj
    151. 

  151. 

  152. 

  153. @pytest.fixture(params=list(sorted(curves)))
    154. 

  154. def curve(request):
    155. 

  155.     return get_curve_obj(request.param)
    156. 

  156. 

  157. 

  158. @pytest.fixture(params=points)
    159. 

  159. def point(request):
    160. 

  160.     name = request.param.curve
    161. 

  161.     curve_ptr = lib.get_curve_by_name(bytes(name, "ascii")).contents.params
    162. 

  162.     assert curve_ptr, "curve {} not found".format(name)
    163. 

  163.     curve_obj = curves[name]
    164. 

  164.     curve_obj.ptr = c.c_void_p(curve_ptr)
    165. 

  165.     curve_obj.p = ecdsa.ellipticcurve.Point(
    166. 

  166.         curve_obj.curve, request.param.x, request.param.y
    167. 

  167.     )
    168. 

  168.     return curve_obj
    169. 

  169. 

  170. 

  171. POINT = BIGNUM * 2
    172. 

  172. 

  173. 

  174. def to_POINT(p):
    175. 

  175.     return POINT(int2bn(p.x()), int2bn(p.y()))
    176. 

  176. 

  177. 

  178. def from_POINT(p):
    179. 

  179.     return (bn2int(p[0]), bn2int(p[1]))
    180. 

  180. 

  181. 

  182. JACOBIAN = BIGNUM * 3
    183. 

  183. 

  184. 

  185. def to_JACOBIAN(jp):
    186. 

  186.     return JACOBIAN(int2bn(jp[0]), int2bn(jp[1]), int2bn(jp[2]))
    187. 

  187. 

  188. 

  189. def from_JACOBIAN(p):
    190. 

  190.     return (bn2int(p[0]), bn2int(p[1]), bn2int(p[2]))
    191. 

  191. 

  192. 

  193. def test_curve_parameters(curve):
    194. 

  194.     assert curve.curve.p() == bn2int(curve.ptr.contents.prime)
    195. 

  195.     assert curve.generator.x() == bn2int(curve.ptr.contents.G.x)
    196. 

  196.     assert curve.generator.y() == bn2int(curve.ptr.contents.G.y)
    197. 

  197.     assert curve.order == bn2int(curve.ptr.contents.order)
    198. 

  198.     assert curve.order // 2 == bn2int(curve.ptr.contents.order_half)
    199. 

  199.     assert curve.curve.a() == curve.ptr.contents.a
    200. 

  200.     assert curve.curve.b() == bn2int(curve.ptr.contents.b)
    201. 

  201. 

  202. 

  203. def test_point_multiply(curve, r):
    204. 

  204.     p = r.randpoint(curve)
    205. 

  205.     k = r.randrange(0, 2**256)
    206. 

  206.     kp = k * p
    207. 

  207.     res = POINT(int2bn(0), int2bn(0))
    208. 

  208.     lib.point_multiply(curve.ptr, int2bn(k), to_POINT(p), res)
    209. 

  209.     res = from_POINT(res)
    210. 

  210.     assert res == (kp.x(), kp.y())
    211. 

  211. 

  212. 

  213. def test_point_add(curve, r):
    214. 

  214.     p1 = r.randpoint(curve)
    215. 

  215.     p2 = r.randpoint(curve)
    216. 

  216.     # print '-' * 80
    217. 

  217.     q = p1 + p2
    218. 

  218.     q1 = to_POINT(p1)
    219. 

  219.     q2 = to_POINT(p2)
    220. 

  220.     lib.point_add(curve.ptr, q1, q2)
    221. 

  221.     q_ = from_POINT(q2)
    222. 

  222.     assert q_ == (q.x(), q.y())
    223. 

  223. 

  224. 

  225. def test_point_double(curve, r):
    226. 

  226.     p = r.randpoint(curve)
    227. 

  227.     q = p.double()
    228. 

  228.     q_ = to_POINT(p)
    229. 

  229.     lib.point_double(curve.ptr, q_)
    230. 

  230.     q_ = from_POINT(q_)
    231. 

  231.     assert q_ == (q.x(), q.y())
    232. 

  232. 

  233. 

  234. def test_point_to_jacobian(curve, r):
    235. 

  235.     p = r.randpoint(curve)
    236. 

  236.     jp = JACOBIAN()
    237. 

  237.     lib.curve_to_jacobian(to_POINT(p), jp, int2bn(curve.p))
    238. 

  238.     jx, jy, jz = from_JACOBIAN(jp)
    239. 

  239.     assert jx % curve.p == (p.x() * jz**2) % curve.p
    240. 

  240.     assert jy % curve.p == (p.y() * jz**3) % curve.p
    241. 

  241. 

  242.     q = POINT()
    243. 

  243.     lib.jacobian_to_curve(jp, q, int2bn(curve.p))
    244. 

  244.     q = from_POINT(q)
    245. 

  245.     assert q == (p.x(), p.y())
    246. 

  246. 

  247. 

  248. def test_jacobian_add(curve, r):
    249. 

  249.     p1 = r.randpoint(curve)
    250. 

  250.     p2 = r.randpoint(curve)
    251. 

  251.     prime = int2bn(curve.p)
    252. 

  252.     q = POINT()
    253. 

  253.     jp2 = JACOBIAN()
    254. 

  254.     lib.curve_to_jacobian(to_POINT(p2), jp2, prime)
    255. 

  255.     lib.point_jacobian_add(to_POINT(p1), jp2, curve.ptr)
    256. 

  256.     lib.jacobian_to_curve(jp2, q, prime)
    257. 

  257.     q = from_POINT(q)
    258. 

  258.     p_ = p1 + p2
    259. 

  259.     assert (p_.x(), p_.y()) == q
    260. 

  260. 

  261. 

  262. def test_jacobian_add_double(curve, r):
    263. 

  263.     p1 = r.randpoint(curve)
    264. 

  264.     p2 = p1
    265. 

  265.     prime = int2bn(curve.p)
    266. 

  266.     q = POINT()
    267. 

  267.     jp2 = JACOBIAN()
    268. 

  268.     lib.curve_to_jacobian(to_POINT(p2), jp2, prime)
    269. 

  269.     lib.point_jacobian_add(to_POINT(p1), jp2, curve.ptr)
    270. 

  270.     lib.jacobian_to_curve(jp2, q, prime)
    271. 

  271.     q = from_POINT(q)
    272. 

  272.     p_ = p1 + p2
    273. 

  273.     assert (p_.x(), p_.y()) == q
    274. 

  274. 

  275. 

  276. def test_jacobian_double(curve, r):
    277. 

  277.     p = r.randpoint(curve)
    278. 

  278.     p2 = p.double()
    279. 

  279.     prime = int2bn(curve.p)
    280. 

  280.     q = POINT()
    281. 

  281.     jp = JACOBIAN()
    282. 

  282.     lib.curve_to_jacobian(to_POINT(p), jp, prime)
    283. 

  283.     lib.point_jacobian_double(jp, curve.ptr)
    284. 

  284.     lib.jacobian_to_curve(jp, q, prime)
    285. 

  285.     q = from_POINT(q)
    286. 

  286.     assert (p2.x(), p2.y()) == q
    287. 

  287. 

  288. 

  289. def sigdecode(sig, _):
    290. 

  290.     return map(bytes2num, [sig[:32], sig[32:]])
    291. 

  291. 

  292. 

  293. def test_sign(curve, r):
    294. 

  294.     priv = r.randbytes(32)
    295. 

  295.     digest = r.randbytes(32)
    296. 

  296.     sig = r.randbytes(64)
    297. 

  297. 

  298.     lib.ecdsa_sign_digest(curve.ptr, priv, digest, sig, c.c_void_p(0), c.c_void_p(0))
    299. 

  299. 

  300.     exp = bytes2num(priv)
    301. 

  301.     sk = ecdsa.SigningKey.from_secret_exponent(exp, curve, hashfunc=hashlib.sha256)
    302. 

  302.     vk = sk.get_verifying_key()
    303. 

  303. 

  304.     sig_ref = sk.sign_digest_deterministic(
    305. 

  305.         digest, hashfunc=hashlib.sha256, sigencode=ecdsa.util.sigencode_string_canonize
    306. 

  306.     )
    307. 

  307.     assert binascii.hexlify(sig) == binascii.hexlify(sig_ref)
    308. 

  308. 

  309.     assert vk.verify_digest(sig, digest, sigdecode)
    310. 

  310. 

  311. 

  312. def test_sign_zkp(r):
    313. 

  313.     curve = get_curve_obj("secp256k1")
    314. 

  314. 

  315.     priv = r.randbytes(32)
    316. 

  316.     digest = r.randbytes(32)
    317. 

  317.     sig = r.randbytes(64)
    318. 

  318. 

  319.     lib.zkp_ecdsa_sign_digest(
    320. 

  320.         curve.ptr, priv, digest, sig, c.c_void_p(0), c.c_void_p(0)
    321. 

  321.     )
    322. 

  322. 

  323.     exp = bytes2num(priv)
    324. 

  324.     sk = ecdsa.SigningKey.from_secret_exponent(exp, curve, hashfunc=hashlib.sha256)
    325. 

  325.     vk = sk.get_verifying_key()
    326. 

  326. 

  327.     sig_ref = sk.sign_digest_deterministic(
    328. 

  328.         digest, hashfunc=hashlib.sha256, sigencode=ecdsa.util.sigencode_string_canonize
    329. 

  329.     )
    330. 

  330.     assert binascii.hexlify(sig) == binascii.hexlify(sig_ref)
    331. 

  331. 

  332.     assert vk.verify_digest(sig, digest, sigdecode)
    333. 

  333. 

  334. 

  335. def test_validate_pubkey(curve, r):
    336. 

  336.     p = r.randpoint(curve)
    337. 

  337.     assert lib.ecdsa_validate_pubkey(curve.ptr, to_POINT(p))
    338. 

  338. 

  339. 

  340. def test_validate_pubkey_direct(point):
    341. 

  341.     assert lib.ecdsa_validate_pubkey(point.ptr, to_POINT(point.p))
    342. 

  342. 

  343. 

  344. def test_curve25519(r):
    345. 

  345.     sec1 = bytes(bytearray(r.randbytes(32)))
    346. 

  346.     sec2 = bytes(bytearray(r.randbytes(32)))
    347. 

  347.     pub1 = curve25519.Private(sec1).get_public()
    348. 

  348.     pub2 = curve25519.Private(sec2).get_public()
    349. 

  349. 

  350.     session1 = r.randbytes(32)
    351. 

  351.     lib.curve25519_scalarmult(session1, sec2, pub1.public)
    352. 

  352.     session2 = r.randbytes(32)
    353. 

  353.     lib.curve25519_scalarmult(session2, sec1, pub2.public)
    354. 

  354.     assert bytearray(session1) == bytearray(session2)
    355. 

  355. 

  356.     shared1 = curve25519.Private(sec2).get_shared_key(pub1, hashfunc=lambda x: x)
    357. 

  357.     shared2 = curve25519.Private(sec1).get_shared_key(pub2, hashfunc=lambda x: x)
    358. 

  358.     assert shared1 == shared2
    359. 

  359.     assert bytearray(session1) == shared1
    360. 

  360.     assert bytearray(session2) == shared2
    361. 

  361. 

  362. 

  363. def test_curve25519_pubkey(r):
    364. 

  364.     sec = bytes(bytearray(r.randbytes(32)))
    365. 

  365.     pub = curve25519.Private(sec).get_public()
    366. 

  366.     res = r.randbytes(32)
    367. 

  367.     lib.curve25519_scalarmult_basepoint(res, sec)
    368. 

  368.     assert bytearray(res) == pub.public
    369. 

  369. 

  370. 

  371. def test_curve25519_scalarmult_from_gpg(r):
    372. 

  372.     sec = binascii.unhexlify(
    373. 

  373.         "4a1e76f133afb29dbc7860bcbc16d0e829009cc15c2f81ed26de1179b1d9c938"
    374. 

  374.     )
    375. 

  375.     pub = binascii.unhexlify(
    376. 

  376.         "5d6fc75c016e85b17f54e0128a216d5f9229f25bac1ec85cecab8daf48621b31"
    377. 

  377.     )
    378. 

  378.     res = r.randbytes(32)
    379. 

  379.     lib.curve25519_scalarmult(res, sec[::-1], pub[::-1])
    380. 

  380.     expected = "a93dbdb23e5c99da743e203bd391af79f2b83fb8d0fd6ec813371c71f08f2d4d"
    381. 

  381.     assert binascii.hexlify(bytearray(res)) == bytes(expected, "ascii")
    382.