diff options
Diffstat (limited to 'src/cz/crcs/ectester/applet')
| -rw-r--r-- | src/cz/crcs/ectester/applet/ECKeyGenerator.java | 381 | ||||
| -rw-r--r-- | src/cz/crcs/ectester/applet/ECKeyTester.java | 184 | ||||
| -rw-r--r-- | src/cz/crcs/ectester/applet/ECTesterApplet.java | 427 | ||||
| -rw-r--r-- | src/cz/crcs/ectester/applet/EC_Consts.java | 1298 |
4 files changed, 2290 insertions, 0 deletions
diff --git a/src/cz/crcs/ectester/applet/ECKeyGenerator.java b/src/cz/crcs/ectester/applet/ECKeyGenerator.java new file mode 100644 index 0000000..47f9c94 --- /dev/null +++ b/src/cz/crcs/ectester/applet/ECKeyGenerator.java @@ -0,0 +1,381 @@ +package cz.crcs.ectester.applet; + +import javacard.framework.ISO7816; +import javacard.framework.ISOException; +import javacard.framework.Util; +import javacard.security.CryptoException; +import javacard.security.ECPrivateKey; +import javacard.security.ECPublicKey; +import javacard.security.KeyPair; + +/** + * @author Jan Jancar johny@neuromancer.sk + */ +public class ECKeyGenerator { + + public static final byte KEY_PUBLIC = 0x01; + public static final byte KEY_PRIVATE = 0x02; + public static final byte KEY_BOTH = KEY_PUBLIC | KEY_PRIVATE; + + private short sw = ISO7816.SW_NO_ERROR; + + /** + * @param keyClass + * @param keyLength + * @return + */ + public KeyPair allocatePair(byte keyClass, short keyLength) { + sw = ISO7816.SW_NO_ERROR; + KeyPair ecKeyPair = null; + try { + ecKeyPair = new KeyPair(keyClass, keyLength); + + if (ecKeyPair.getPublic() == null || ecKeyPair.getPrivate() == null) { + try { + ecKeyPair.genKeyPair(); + } catch (Exception ignored) { + } + } + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return ecKeyPair; + } + + /** + * @param keypair + * @return + */ + public short generatePair(KeyPair keypair) { + sw = ISO7816.SW_NO_ERROR; + try { + keypair.genKeyPair(); + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return sw; + } + + public short setCurve(KeyPair keypair, byte curve, byte[] buffer, short offset) { + return setCurve(keypair, curve, EC_Consts.PARAMETERS_ALL, buffer, offset); + } + + public short setCurve(KeyPair keypair, byte curve, short params, byte[] buffer, short offset) { + return setCurve(keypair, KEY_BOTH, curve, params, buffer, offset); + } + + public short setCurve(KeyPair keypair, byte key, byte curve, short params, byte[] buffer, short offset) { + byte alg = EC_Consts.getCurveType(curve); + sw = ISO7816.SW_NO_ERROR; + + short length; + if (alg == KeyPair.ALG_EC_FP && (params & EC_Consts.PARAMETER_FP) != 0) { + length = EC_Consts.getCurveParameter(curve, EC_Consts.PARAMETER_FP, buffer, offset); + sw = setParameter(keypair, key, EC_Consts.PARAMETER_FP, buffer, offset, length); + } else if (alg == KeyPair.ALG_EC_F2M && (params & EC_Consts.PARAMETER_F2M) != 0) { + length = EC_Consts.getCurveParameter(curve, EC_Consts.PARAMETER_F2M, buffer, offset); + sw = setParameter(keypair, key, EC_Consts.PARAMETER_F2M, buffer, offset, length); + } + if (sw != ISO7816.SW_NO_ERROR) return sw; + + //go through all params + short paramMask = EC_Consts.PARAMETER_A; + while (paramMask <= EC_Consts.PARAMETER_S) { + short masked = (short) (paramMask & params); + if (masked != 0) { + length = EC_Consts.getCurveParameter(curve, masked, buffer, offset); + sw = setParameter(keypair, key, masked, buffer, offset, length); + if (sw != ISO7816.SW_NO_ERROR) break; + } + paramMask = (short) (paramMask << 1); + } + return sw; + } + + /** + * @param keypair + * @param corruptParams + * @param corruption + * @param buffer + * @param offset + * @return + */ + public short corruptCurve(KeyPair keypair, short corruptParams, byte corruption, byte[] buffer, short offset) { + return corruptCurve(keypair, KEY_BOTH, corruptParams, corruption, buffer, offset); + } + + /** + * @param keypair + * @param key + * @param corruptParams + * @param corruption + * @param buffer + * @param offset + * @return + */ + public short corruptCurve(KeyPair keypair, byte key, short corruptParams, byte corruption, byte[] buffer, short offset) { + sw = ISO7816.SW_NO_ERROR; + + //go through param bit by bit, and invalidate all selected params + short paramMask = EC_Consts.PARAMETER_FP; + while (paramMask <= EC_Consts.PARAMETER_S) { + short masked = (short) (paramMask & corruptParams); + if (masked != 0) { + short length = exportParameter(keypair, key, masked, buffer, offset); + EC_Consts.corruptParameter(corruption, buffer, offset, length); + sw = setParameter(keypair, key, masked, buffer, offset, length); + if (sw != ISO7816.SW_NO_ERROR) break; + } + paramMask = (short) (paramMask << 1); + } + return sw; + } + + /** + * @param key + * @param param + * @param data + * @param offset + * @param length + * @return + */ + public short setParameter(KeyPair keypair, byte key, short param, byte[] data, short offset, short length) { + sw = ISO7816.SW_NO_ERROR; + ECPublicKey ecPublicKey = (ECPublicKey) keypair.getPublic(); + ECPrivateKey ecPrivateKey = (ECPrivateKey) keypair.getPrivate(); + + try { + switch (param) { + case EC_Consts.PARAMETER_FP: { + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setFieldFP(data, offset, length); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setFieldFP(data, offset, length); + break; + } + case EC_Consts.PARAMETER_F2M: { + if (length == 2) { + short i = Util.makeShort(data[offset], data[(short) (offset + 1)]); + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setFieldF2M(i); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setFieldF2M(i); + } else if (length == 6) { + short i1 = Util.makeShort(data[offset], data[(short) (offset + 1)]); + short i2 = Util.makeShort(data[(short) (offset + 2)], data[(short) (offset + 3)]); + short i3 = Util.makeShort(data[(short) (offset + 4)], data[(short) (offset + 5)]); + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setFieldF2M(i1, i2, i3); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setFieldF2M(i1, i2, i3); + } else { + sw = ISO7816.SW_UNKNOWN; + } + break; + } + case EC_Consts.PARAMETER_A: { + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setA(data, offset, length); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setA(data, offset, length); + break; + } + case EC_Consts.PARAMETER_B: { + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setB(data, offset, length); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setB(data, offset, length); + break; + } + case EC_Consts.PARAMETER_G: { + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setG(data, offset, length); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setG(data, offset, length); + break; + } + case EC_Consts.PARAMETER_R: { + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setR(data, offset, length); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setR(data, offset, length); + break; + } + case EC_Consts.PARAMETER_K: { + short k = 0; + if (length > 2 || length <= 0) { + sw = ISO7816.SW_UNKNOWN; + break; + } else if (length == 2) { + k = Util.getShort(data, offset); + } else if (length == 1) { + k = data[offset]; + } + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setK(k); + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setK(k); + break; + } + case EC_Consts.PARAMETER_S: + if ((key & KEY_PRIVATE) != 0) ecPrivateKey.setS(data, offset, length); + break; + case EC_Consts.PARAMETER_W: + if ((key & KEY_PUBLIC) != 0) ecPublicKey.setW(data, offset, length); + break; + default: { + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + } + } + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return sw; + } + + /** + * @param keypair + * @param params + * @param inBuffer + * @param inOffset + * @return + */ + public short setExternalCurve(KeyPair keypair, short params, byte[] inBuffer, short inOffset) { + return setExternalCurve(keypair, KEY_BOTH, params, inBuffer, inOffset); + } + + /** + * @param keypair + * @param key + * @param params + * @param inBuffer + * @param inOffset + * @return + */ + public short setExternalCurve(KeyPair keypair, byte key, short params, byte[] inBuffer, short inOffset) { + sw = ISO7816.SW_NO_ERROR; + + short paramMask = EC_Consts.PARAMETER_FP; + while (paramMask <= EC_Consts.PARAMETER_S) { + short masked = (short) (paramMask & params); + if (masked != 0) { + short paramLength = Util.getShort(inBuffer, inOffset); + inOffset += 2; + sw = setParameter(keypair, key, masked, inBuffer, inOffset, paramLength); + inOffset += paramLength; + if (sw != ISO7816.SW_NO_ERROR) break; + } + paramMask = (short) (paramMask << 1); + } + return sw; + } + + /** + * @param key + * @param param + * @param outputBuffer + * @param outputOffset + * @return + */ + public short exportParameter(KeyPair keypair, byte key, short param, byte[] outputBuffer, short outputOffset) { + sw = ISO7816.SW_NO_ERROR; + ECPublicKey ecPublicKey = (ECPublicKey) keypair.getPublic(); + ECPrivateKey ecPrivateKey = (ECPrivateKey) keypair.getPrivate(); + + short length = 0; + try { + switch (param) { + case EC_Consts.PARAMETER_FP: + case EC_Consts.PARAMETER_F2M: + if ((key & KEY_PUBLIC) != 0) length = ecPublicKey.getField(outputBuffer, outputOffset); + if ((key & KEY_PRIVATE) != 0) length = ecPrivateKey.getField(outputBuffer, outputOffset); + break; + case EC_Consts.PARAMETER_A: + if ((key & KEY_PUBLIC) != 0) length = ecPublicKey.getA(outputBuffer, outputOffset); + if ((key & KEY_PRIVATE) != 0) length = ecPrivateKey.getA(outputBuffer, outputOffset); + break; + case EC_Consts.PARAMETER_B: + if ((key & KEY_PUBLIC) != 0) length = ecPublicKey.getB(outputBuffer, outputOffset); + if ((key & KEY_PRIVATE) != 0) length = ecPrivateKey.getB(outputBuffer, outputOffset); + break; + case EC_Consts.PARAMETER_G: + if ((key & KEY_PUBLIC) != 0) length = ecPublicKey.getG(outputBuffer, outputOffset); + if ((key & KEY_PRIVATE) != 0) length = ecPrivateKey.getG(outputBuffer, outputOffset); + break; + case EC_Consts.PARAMETER_R: + if ((key & KEY_PUBLIC) != 0) length = ecPublicKey.getR(outputBuffer, outputOffset); + if ((key & KEY_PRIVATE) != 0) length = ecPrivateKey.getR(outputBuffer, outputOffset); + break; + case EC_Consts.PARAMETER_K: + if ((key & KEY_PUBLIC) != 0) Util.setShort(outputBuffer, outputOffset, ecPublicKey.getK()); + if ((key & KEY_PRIVATE) != 0) Util.setShort(outputBuffer, outputOffset, ecPrivateKey.getK()); + length = 2; + break; + case EC_Consts.PARAMETER_W: + if ((key & KEY_PUBLIC) != 0) length = ecPublicKey.getW(outputBuffer, outputOffset); + break; + case EC_Consts.PARAMETER_S: + if ((key & KEY_PRIVATE) != 0) length = ecPrivateKey.getS(outputBuffer, outputOffset); + break; + default: + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + } + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return length; + } + + /** + * @param keypair + * @param key + * @param params + * @param buffer + * @param offset + * @return + */ + public short exportParameters(KeyPair keypair, byte key, short params, byte[] buffer, short offset) { + sw = ISO7816.SW_NO_ERROR; + + short length = 0; + + short paramMask = EC_Consts.PARAMETER_FP; + while (paramMask <= EC_Consts.PARAMETER_S) { + short masked = (short) (paramMask & params); + if (masked != 0) { + short len = exportParameter(keypair, key, masked, buffer, (short) (offset + 2)); + if (len == 0) { + paramMask = (short) (paramMask << 1); + continue; + } + Util.setShort(buffer, offset, len); + offset += len + 2; + length += len + 2; + } + paramMask = (short) (paramMask << 1); + } + return length; + } + + /** + * Copies this KeyPairs curve parameters to another ECKeyGenerator. + * + * @param from + * @param to + * @param buffer + * @param offset + * @return + */ + public short copyCurve(KeyPair from, KeyPair to, byte[] buffer, short offset) { + sw = ISO7816.SW_NO_ERROR; + try { + short param = EC_Consts.PARAMETER_FP; + while (param <= EC_Consts.PARAMETER_K) { + short paramLength = exportParameter(from, KEY_PUBLIC, param, buffer, offset); + setParameter(to, KEY_BOTH, param, buffer, offset, paramLength); + param = (short) (param << 1); + } + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return sw; + } + + public short getSW() { + return sw; + } +} diff --git a/src/cz/crcs/ectester/applet/ECKeyTester.java b/src/cz/crcs/ectester/applet/ECKeyTester.java new file mode 100644 index 0000000..72fa165 --- /dev/null +++ b/src/cz/crcs/ectester/applet/ECKeyTester.java @@ -0,0 +1,184 @@ +package cz.crcs.ectester.applet; + + +import javacard.framework.ISO7816; +import javacard.security.*; + +/** + * Class capable of testing ECDH/C and ECDSA. + * Note that ECDH and ECDHC output should equal, only the algorithm is different. + * + * @author Jan Jancar johny@neuromancer.sk + */ +public class ECKeyTester { + + private KeyAgreement ecdhKeyAgreement = null; + private KeyAgreement ecdhcKeyAgreement = null; + private Signature ecdsaSignature = null; + + private short sw = ISO7816.SW_NO_ERROR; + + public short allocateECDH() { + sw = ISO7816.SW_NO_ERROR; + try { + ecdhKeyAgreement = KeyAgreement.getInstance(KeyAgreement.ALG_EC_SVDP_DH, false); + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return sw; + } + + public short allocateECDHC() { + sw = ISO7816.SW_NO_ERROR; + try { + ecdhcKeyAgreement = KeyAgreement.getInstance(KeyAgreement.ALG_EC_SVDP_DHC, false); + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return sw; + } + + public short allocateECDSA() { + sw = ISO7816.SW_NO_ERROR; + try { + ecdsaSignature = Signature.getInstance(Signature.ALG_ECDSA_SHA, false); + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return sw; + } + + private short testKA(KeyAgreement ka, ECPrivateKey privateKey, byte[] pubkeyBuffer, short pubkeyOffset, short pubkeyLength, byte[] outputBuffer, short outputOffset) { + sw = ISO7816.SW_NO_ERROR; + short length = 0; + try { + ka.init(privateKey); + length = ka.generateSecret(pubkeyBuffer, pubkeyOffset, pubkeyLength, outputBuffer, outputOffset); + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return length; + } + + private short testKA_validPoint(KeyAgreement ka, ECPrivateKey privateKey, byte[] pubkeyBuffer, short pubkeyOffset, short pubkeyLength, byte[] outputBuffer, short outputOffset) { + return testKA(ka, privateKey, pubkeyBuffer, pubkeyOffset, pubkeyLength, outputBuffer, outputOffset); + } + + private short testKA_invalidPoint(KeyAgreement ka, ECPrivateKey privateKey, byte[] pubkeyBuffer, short pubkeyOffset, short pubkeyLength, byte[] outputBuffer, short outputOffset) { + pubkeyBuffer[(short)(pubkeyLength - 2)] += 0xcc; + pubkeyBuffer[(short)(pubkeyLength - 3)] += 0xcc; + short result = testKA(ka, privateKey, pubkeyBuffer, pubkeyOffset, pubkeyLength, outputBuffer, outputOffset); + pubkeyBuffer[(short)(pubkeyLength - 2)] -= 0xcc; + pubkeyBuffer[(short)(pubkeyLength - 3)] -= 0xcc; + return result; + } + + public short testECDH(ECPrivateKey privateKey, byte[] pubkeyBuffer, short pubkeyOffset, short pubkeyLength, byte[] outputBuffer, short outputOffset) { + return testKA(ecdhKeyAgreement, privateKey, pubkeyBuffer, pubkeyOffset, pubkeyLength, outputBuffer, outputOffset); + } + + /** + * Tests ECDH secret generation with given {@code privateKey} and {@code publicKey}. + * Uses {@code pubkeyBuffer} at {@code pubkeyOffset} for computations. + * Output should equal with ECDHC output. + * @param privateKey + * @param publicKey + * @param pubkeyBuffer + * @param pubkeyOffset + * @param outputBuffer + * @param outputOffset + * @return derived secret length + * + **/ + public short testECDH_validPoint(ECPrivateKey privateKey, ECPublicKey publicKey, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset) { + short length = publicKey.getW(pubkeyBuffer, pubkeyOffset); + return testKA_validPoint(ecdhKeyAgreement, privateKey, pubkeyBuffer, pubkeyOffset, length, outputBuffer, outputOffset); + } + + public short testECDH_invalidPoint(ECPrivateKey privateKey, ECPublicKey publicKey, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset) { + short length = publicKey.getW(pubkeyBuffer, pubkeyOffset); + return testKA_invalidPoint(ecdhKeyAgreement, privateKey, pubkeyBuffer, pubkeyOffset, length, outputBuffer, outputOffset); + } + + + /** + * Tests ECDHC secret generation with given {@code privateKey} and {@code publicKey}. + * Uses {@code pubkeyBuffer} at {@code pubkeyOffset} for computations. + * Output should equal to ECDH output. + * @param privateKey + * @param publicKey + * @param pubkeyBuffer + * @param pubkeyOffset + * @param outputBuffer + * @param outputOffset + * @return ISO7816.SW_NO_ERROR on correct operation, + * exception reason otherwise + */ + public short testECDHC_validPoint(ECPrivateKey privateKey, ECPublicKey publicKey, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset) { + short length = publicKey.getW(pubkeyBuffer, pubkeyOffset); + return testKA_validPoint(ecdhcKeyAgreement, privateKey, pubkeyBuffer, pubkeyOffset, length, outputBuffer, outputOffset); + } + + public short testECDHC_invalidPoint(ECPrivateKey privateKey, ECPublicKey publicKey, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset) { + short length = publicKey.getW(pubkeyBuffer, pubkeyOffset); + return testKA_invalidPoint(ecdhcKeyAgreement, privateKey, pubkeyBuffer, pubkeyOffset, length, outputBuffer, outputOffset); + } + + /** + * Uses {@code signKey} to sign data from {@code inputBuffer} at {@code inputOffset} with {@code inputOffset}. + * Then checks for correct signature length. + * Then tries verifying the data with {@code verifyKey}. + * @param signKey + * @param verifyKey + * @param inputBuffer + * @param inputOffset + * @param inputLength + * @param sigBuffer + * @param sigOffset + * @return signature length + */ + public short testECDSA(ECPrivateKey signKey, ECPublicKey verifyKey, byte[] inputBuffer, short inputOffset, short inputLength, byte[] sigBuffer, short sigOffset) { + sw = ISO7816.SW_NO_ERROR; + short length = 0; + try { + ecdsaSignature.init(signKey, Signature.MODE_SIGN); + length = ecdsaSignature.sign(inputBuffer, inputOffset, inputLength, sigBuffer, sigOffset); + + ecdsaSignature.init(verifyKey, Signature.MODE_VERIFY); + boolean correct = ecdsaSignature.verify(inputBuffer, inputOffset, inputLength, sigBuffer, sigOffset, length); + if (!correct) { + sw = ECTesterApplet.SW_SIG_VERIFY_FAIL; + } + } catch (CryptoException ce) { + sw = ce.getReason(); + } catch (Exception e) { + sw = ISO7816.SW_UNKNOWN; + } + return length; + } + + public KeyAgreement getECDH() { + return ecdhKeyAgreement; + } + + public KeyAgreement getECDHC() { + return ecdhcKeyAgreement; + } + + public Signature getECDSA() { + return ecdsaSignature; + } + + public short getSW() { + return sw; + } + +} diff --git a/src/cz/crcs/ectester/applet/ECTesterApplet.java b/src/cz/crcs/ectester/applet/ECTesterApplet.java new file mode 100644 index 0000000..b461688 --- /dev/null +++ b/src/cz/crcs/ectester/applet/ECTesterApplet.java @@ -0,0 +1,427 @@ +/* + * PACKAGEID: 4C6162616B417070 + * APPLETID: 4C6162616B4170706C6574 + */ +package cz.crcs.ectester.applet; + +import javacard.framework.*; +import javacard.security.ECPrivateKey; +import javacard.security.ECPublicKey; +import javacard.security.KeyPair; +import javacard.security.RandomData; + +/** + * @author Petr Svenda petr@svenda.com + * @author Jan Jancar johny@neuromancer.sk + */ +public class ECTesterApplet extends Applet { + + // MAIN INSTRUCTION CLASS + public static final byte CLA_ECTESTERAPPLET = (byte) 0xB0; + + //INSTRUCTIONS + public static final byte INS_ALLOCATE = (byte) 0x5a; + public static final byte INS_SET = (byte) 0x5b; + public static final byte INS_GENERATE = (byte) 0x5c; + public static final byte INS_ECDH = (byte) 0x5d; + public static final byte INS_ECDSA = (byte) 0x5e; + + //PARAMETERS for P1 and P2 + public static final byte KEYPAIR_LOCAL = (byte) 0x01; + public static final byte KEYPAIR_REMOTE = (byte) 0x02; + public static final byte KEYPAIR_BOTH = KEYPAIR_LOCAL | KEYPAIR_REMOTE; + public static final byte EXPORT_PUBLIC = (byte) 0x04; + public static final byte EXPORT_PRIVATE = (byte) 0x08; + public static final byte EXPORT_BOTH = EXPORT_PUBLIC | EXPORT_PRIVATE; + public static final byte EXPORT_ECDH = (byte) 0x10; + public static final byte EXPORT_SIG = (byte) 0x20; + + //STATUS WORDS + public static final short SW_SIG_VERIFY_FAIL = (short) 0x0ee1; + + + private static final short ARRAY_LENGTH = (short) 0xff; + // TEMPORARRY ARRAY IN RAM + private byte ramArray[] = null; + private byte ramArray2[] = null; + // PERSISTENT ARRAY IN EEPROM + private byte dataArray[] = null; // unused + + + private RandomData randomData = null; + + private KeyPair localKeypair = null; + private KeyPair remoteKeypair = null; + private ECKeyTester keyTester = null; + private ECKeyGenerator keyGenerator = null; + + protected ECTesterApplet(byte[] buffer, short offset, byte length) { + if (length > 9) { + /* + short dataOffset = offset; + // shift to privilege offset + dataOffset += (short) (1 + buffer[offset]); + // finally shift to Application specific offset + dataOffset += (short) (1 + buffer[dataOffset]); + // go to proprietary data + dataOffset++; + */ + + ramArray = JCSystem.makeTransientByteArray(ARRAY_LENGTH, JCSystem.CLEAR_ON_RESET); + ramArray2 = JCSystem.makeTransientByteArray(ARRAY_LENGTH, JCSystem.CLEAR_ON_RESET); + + dataArray = new byte[ARRAY_LENGTH]; + Util.arrayFillNonAtomic(dataArray, (short) 0, ARRAY_LENGTH, (byte) 0); + + randomData = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM); + EC_Consts.randomData = randomData; + + keyGenerator = new ECKeyGenerator(); + keyTester = new ECKeyTester(); + keyTester.allocateECDH(); + keyTester.allocateECDHC(); + keyTester.allocateECDSA(); + } + register(); + } + + public static void install(byte[] bArray, short bOffset, byte bLength) throws ISOException { + // applet instance creation + new ECTesterApplet(bArray, bOffset, bLength); + } + + public void process(APDU apdu) throws ISOException { + // get the APDU buffer + byte[] apduBuffer = apdu.getBuffer(); + + // ignore the applet select command dispached to the process + if (selectingApplet()) + return; + + if (apduBuffer[ISO7816.OFFSET_CLA] == CLA_ECTESTERAPPLET) { + switch (apduBuffer[ISO7816.OFFSET_INS]) { + case INS_ALLOCATE: + insAllocate(apdu); + break; + case INS_SET: + insSet(apdu); + break; + case INS_GENERATE: + insGenerate(apdu); + break; + case INS_ECDH: + insECDH(apdu); + break; + case INS_ECDSA: + insECDSA(apdu); + break; + default: + // The INS code is not supported by the dispatcher + ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED); + break; + } + } else ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED); + } + + /** + * Allocate local and remote keypairs. + * returns allocate SWs + * + * @param apdu P1 = byte keypair (KEYPAIR_* | ...) + * P2 = + * DATA = short keyLength + * byte keyClass + */ + private void insAllocate(APDU apdu) { + apdu.setIncomingAndReceive(); + byte[] apdubuf = apdu.getBuffer(); + + byte keypair = apdubuf[ISO7816.OFFSET_P1]; + short keyLength = Util.getShort(apdubuf, ISO7816.OFFSET_CDATA); + byte keyClass = apdubuf[ISO7816.OFFSET_CDATA + 2]; + + short len = allocate(keypair, keyLength, keyClass, apdubuf, (short) 0); + + apdu.setOutgoingAndSend((short) 0, len); + } + + /** + * @param keypair which keypair to use, local/remote (KEYPAIR_* | ...) + * @param keyLength key length to set + * @param keyClass key class to allocate + * @param buffer apdu buffer + * @param offset offset into apdu buffer + * @return length of data written to the buffer + */ + private short allocate(byte keypair, short keyLength, byte keyClass, byte[] buffer, short offset) { + short length = 0; + if ((keypair & KEYPAIR_LOCAL) != 0) { + localKeypair = keyGenerator.allocatePair(keyClass, keyLength); + Util.setShort(buffer, offset, keyGenerator.getSW()); + length += 2; + } + + if ((keypair & KEYPAIR_REMOTE) != 0) { + remoteKeypair = keyGenerator.allocatePair(keyClass, keyLength); + Util.setShort(buffer, (short) (offset + length), keyGenerator.getSW()); + length += 2; + } + + return length; + } + + /** + * Sets curve parameters on local and remote keypairs. + * returns setCurve SWs, set params if export + * + * @param apdu P1 = byte keypair (KEYPAIR_* | ...) + * P2 = byte export (EXPORT_* | KEYPAIR_*) + * DATA = byte curve (EC_Consts.CURVE_*) + * short params (EC_Consts.PARAMETER_* | ...) + * short corruptedParams (EC_Consts.PARAMETER_* | ...) + * byte corruptionType (EC_Consts.CORRUPTION_*) + * <p> + * if curveID = CURVE_EXTERNAL: + * [short param_length, byte[] param], + * for all params in params, + * in order: field,a,b,g,r,k,w,s + */ + private void insSet(APDU apdu) { + apdu.setIncomingAndReceive(); + byte[] apdubuf = apdu.getBuffer(); + + byte keypair = apdubuf[ISO7816.OFFSET_P1]; + byte export = apdubuf[ISO7816.OFFSET_P2]; + byte curve = apdubuf[ISO7816.OFFSET_CDATA]; + short params = Util.getShort(apdubuf, (short) (ISO7816.OFFSET_CDATA + 1)); + short corruptedParams = Util.getShort(apdubuf, (short) (ISO7816.OFFSET_CDATA + 3)); + byte corruptionType = apdubuf[(short) (ISO7816.OFFSET_CDATA + 5)]; + + short len = 0; + + if ((keypair & KEYPAIR_LOCAL) != 0) + len += set(localKeypair, curve, params, corruptedParams, corruptionType, apdubuf, (short) (ISO7816.OFFSET_CDATA + 6), (short) 0); + if ((keypair & KEYPAIR_REMOTE) != 0) + len += set(remoteKeypair, curve, params, corruptedParams, corruptionType, apdubuf, (short) (ISO7816.OFFSET_CDATA + 6), len); + if ((export & KEYPAIR_LOCAL) != 0) + len += export(localKeypair, export, params, apdubuf, len); + if ((export & KEYPAIR_REMOTE) != 0) + len += export(remoteKeypair, export, params, apdubuf, len); + + apdu.setOutgoingAndSend((short) 0, len); + } + + /** + * @param keypair KeyPair to set params on + * @param curve curve to set (EC_Consts.CURVE_*) + * @param params parameters to set (EC_Consts.PARAMETER_* | ...) + * @param corrupted parameters to corrupt (EC_Consts.PARAMETER_* | ...) + * @param corruption corruption type (EC_Consts.CORRUPTION_*) + * @param buffer buffer to read params from and write sw to + * @param inOffset input offset in buffer + * @param outOffset output offset in buffer + * @return length of data written to the buffer + */ + private short set(KeyPair keypair, byte curve, short params, short corrupted, byte corruption, byte[] buffer, short inOffset, short outOffset) { + short sw = ISO7816.SW_NO_ERROR; + + switch (curve) { + case EC_Consts.CURVE_default: + //default, dont set anything + break; + case EC_Consts.CURVE_external: + //external + sw = keyGenerator.setExternalCurve(keypair, params, buffer, inOffset); + break; + default: + //custom + sw = keyGenerator.setCurve(keypair, curve, params, ramArray, (short) 0); + break; + } + + if (sw == ISO7816.SW_NO_ERROR) + sw = keyGenerator.corruptCurve(keypair, corrupted, corruption, ramArray, (short) 0); + Util.setShort(buffer, outOffset, sw); + return 2; + } + + /** + * Generates the local and remote keypairs. + * returns generate SWs, pubkey and privkey if export + * + * @param apdu P1 = byte keypair (KEYPAIR_* | ...) + * P2 = byte export (EXPORT_* | KEYPAIR_*) + */ + private void insGenerate(APDU apdu) { + apdu.setIncomingAndReceive(); + byte[] apdubuf = apdu.getBuffer(); + + byte keypair = apdubuf[ISO7816.OFFSET_P1]; + byte export = apdubuf[ISO7816.OFFSET_P2]; + + short len = 0; + if ((keypair & KEYPAIR_LOCAL) != 0) + len += generate(localKeypair, apdubuf, (short) 0); + if ((keypair & KEYPAIR_REMOTE) != 0) + len += generate(remoteKeypair, apdubuf, len); + if ((export & KEYPAIR_LOCAL) != 0) + len += export(localKeypair, export, (short) (EC_Consts.PARAMETER_W | EC_Consts.PARAMETER_S), apdubuf, len); + if ((export & KEYPAIR_REMOTE) != 0) + len += export(remoteKeypair, export, (short) (EC_Consts.PARAMETER_W | EC_Consts.PARAMETER_S), apdubuf, len); + + apdu.setOutgoingAndSend((short) 0, len); + } + + /** + * @param keypair KeyPair to generate + * @param buffer buffer to write sw to + * @param offset output offset in buffer + * @return length of data written to the buffer + */ + private short generate(KeyPair keypair, byte[] buffer, short offset) { + short sw = keyGenerator.generatePair(keypair); + Util.setShort(buffer, offset, sw); + + return 2; + } + + /** + * @param keypair KeyPair to export from + * @param export which key to export from (EXPORT_PUBLIC | EXPORT_PRIVATE) + * @param params which params to export (EC_Consts.PARAMETER_* | ...) + * @param buffer buffer to export params to + * @param offset output offset in buffer + * @return length of data written to the buffer + */ + private short export(KeyPair keypair, byte export, short params, byte[] buffer, short offset) { + short length = 0; + + if ((export & EXPORT_PUBLIC) != 0) { + //export params from public + length += keyGenerator.exportParameters(keypair, ECKeyGenerator.KEY_PUBLIC, params, buffer, offset); + } + + if ((export & EXPORT_PRIVATE) != 0) { + //export params from private + length += keyGenerator.exportParameters(keypair, ECKeyGenerator.KEY_PRIVATE, params, buffer, (short) (offset + length)); + + } + return length; + } + + /** + * Does ECDH, between the pubkey specified in P1(local/remote) and the privkey specified in P2(local/remote). + * returns deriveSecret SW, if export != 0 => short secretlen, byte[] secret + * + * @param apdu P1 = byte pubkey (KEYPAIR_*) + * P2 = byte privkey (KEYPAIR_*) + * DATA = byte export (EXPORT_ECDH || 0) + * byte invalid (00 = valid, !00 = invalid) + */ + private void insECDH(APDU apdu) { + apdu.setIncomingAndReceive(); + byte[] apdubuf = apdu.getBuffer(); + + byte pubkey = apdubuf[ISO7816.OFFSET_P1]; + byte privkey = apdubuf[ISO7816.OFFSET_P2]; + byte export = apdubuf[ISO7816.OFFSET_CDATA]; + byte invalid = apdubuf[(short) (ISO7816.OFFSET_CDATA + 1)]; + + short len = ecdh(pubkey, privkey, export, invalid, apdubuf, (short) 0); + + apdu.setOutgoingAndSend((short) 0, len); + } + + /** + * @param pubkey keypair to use for public key, (KEYPAIR_LOCAL || KEYPAIR_REMOTE) + * @param privkey keypair to use for private key, (KEYPAIR_LOCAL || KEYPAIR_REMOTE) + * @param export whether to export ECDH secret + * @param invalid whether to invalidate the pubkey before ECDH + * @param buffer buffer to write sw to, and export ECDH secret if (export & EXPORT_ECDH) != 0 + * @param offset output offset in buffer + * @return length of data written to the buffer + */ + private short ecdh(byte pubkey, byte privkey, byte export, byte invalid, byte[] buffer, short offset) { + short length = 0; + + KeyPair pub = ((pubkey & KEYPAIR_LOCAL) != 0) ? localKeypair : remoteKeypair; + KeyPair priv = ((privkey & KEYPAIR_LOCAL) != 0) ? localKeypair : remoteKeypair; + + short secretLength; + if (invalid != 0) { + secretLength = keyTester.testECDH_invalidPoint((ECPrivateKey) priv.getPrivate(), (ECPublicKey) pub.getPublic(), ramArray, (short) 0, ramArray2, (short) 0); + } else { + secretLength = keyTester.testECDH_validPoint((ECPrivateKey) priv.getPrivate(), (ECPublicKey) pub.getPublic(), ramArray, (short) 0, ramArray2, (short) 0); + } + + Util.setShort(buffer, offset, keyTester.getSW()); + length += 2; + + if ((export & EXPORT_ECDH) != 0) { + Util.setShort(buffer, (short) (offset + length), secretLength); + length += 2; + Util.arrayCopyNonAtomic(ramArray2, (short) 0, buffer, (short) (offset + length), secretLength); + length += secretLength; + } + + return length; + } + + /** + * Does and ECDSA signature and verification on data provided, using the keypair in P1(local/remote). + * returns ecdsa SW, if export != 0 => short signature_length, byte[] signature + * + * @param apdu P1 = byte keypair (KEYPAIR_*) + * P2 = byte export (EXPORT_SIG || 0) + * DATA = short data_length (00 = random data generated, !00 = data length) + * byte[] data + */ + private void insECDSA(APDU apdu) { + apdu.setIncomingAndReceive(); + byte[] apdubuf = apdu.getBuffer(); + + byte keypair = apdubuf[ISO7816.OFFSET_P1]; + byte export = apdubuf[ISO7816.OFFSET_P2]; + + short len = ecdsa(keypair, export, apdubuf, ISO7816.OFFSET_CDATA, (short) 0); + + apdu.setOutgoingAndSend((short) 0, len); + } + + /** + * @param keypair keypair to use for signing and verification (KEYPAIR_LOCAL || KEYPAIR_REMOTE) + * @param export whether to export ECDSA signature + * @param buffer buffer to write sw to, and export ECDSA signature if (export & EXPORT_SIG) != 0 + * @param inOffset input offset in buffer + * @param outOffset output offset in buffer + * @return length of data written to the buffer + */ + private short ecdsa(byte keypair, byte export, byte[] buffer, short inOffset, short outOffset) { + short length = 0; + + short dataLength = Util.getShort(buffer, inOffset); + if (dataLength == 0) { //no data to sign + //generate random + dataLength = 32; + randomData.generateData(ramArray, (short) 0, dataLength); + } else { + Util.arrayCopyNonAtomic(buffer, (short) (inOffset + 2), ramArray, (short) 0, dataLength); + } + + KeyPair sign = ((keypair & KEYPAIR_LOCAL) != 0) ? localKeypair : remoteKeypair; + + short signatureLength = keyTester.testECDSA((ECPrivateKey) sign.getPrivate(), (ECPublicKey) sign.getPublic(), ramArray, (short) 0, dataLength, ramArray2, (short) 0); + Util.setShort(buffer, outOffset, keyTester.getSW()); + length += 2; + + if ((export & EXPORT_SIG) != 0) { + Util.setShort(buffer, (short) (outOffset + length), signatureLength); + length += 2; + + Util.arrayCopyNonAtomic(ramArray2, (short) 0, buffer, (short) (outOffset + length), signatureLength); + length += signatureLength; + } + + return length; + } +} diff --git a/src/cz/crcs/ectester/applet/EC_Consts.java b/src/cz/crcs/ectester/applet/EC_Consts.java new file mode 100644 index 0000000..c70919c --- /dev/null +++ b/src/cz/crcs/ectester/applet/EC_Consts.java @@ -0,0 +1,1298 @@ +package cz.crcs.ectester.applet; + +import javacard.framework.ISO7816; +import javacard.framework.ISOException; +import javacard.framework.Util; +import javacard.security.KeyPair; +import javacard.security.RandomData; + +/** + * @author Petr Svenda petr@svenda.com + * @author Jan Jancar johny@neuromancer.sk + */ +public class EC_Consts { + + private static byte[] EC_FP_P = null; //p + private static byte[] EC_A = null; //a + private static byte[] EC_B = null; //b + private static byte[] EC_G_X = null; //G[x,y] + private static byte[] EC_G_Y = null; // + private static byte[] EC_R = null; //n + private static short EC_K = 1; //h + + private static byte[] EC_W_X = null; //Pubkey[x,y] + private static byte[] EC_W_Y = null; + private static byte[] EC_S = null; //Private + + private static byte[] EC_F2M_F2M = null; //[short i1, short i2, short i3], f = x^m + x^i1 + x^i2 + x^i3 + 1 + + + public static final short PARAMETER_FP = 0x0001; + public static final short PARAMETER_F2M = 0x0002; + + public static final short PARAMETER_A = 0x0004; + public static final short PARAMETER_B = 0x0008; + public static final short PARAMETER_G = 0x0010; + public static final short PARAMETER_R = 0x0020; + public static final short PARAMETER_K = 0x0040; + public static final short PARAMETER_W = 0x0080; + public static final short PARAMETER_S = 0x0100; + + public static final short PARAMETERS_NONE = 0x0000; + public static final short PARAMETERS_DOMAIN_FP = 0x007d; + /** + * FP,A,B,G,R,K + */ + public static final short PARAMETERS_DOMAIN_F2M = 0x007e; + /** + * F2M,A,B,G,R,K + */ + public static final short PARAMETERS_KEYPAIR = 0x0180; + public static final short PARAMETERS_ALL = 0x01ff; + + public static RandomData randomData = null; + + + // secp128r1 + public static final byte[] EC128_FP_P = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFD, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}; + + public static final byte[] EC128_FP_A = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFD, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC}; + + public static final byte[] EC128_FP_B = new byte[]{ + (byte) 0xE8, (byte) 0x75, (byte) 0x79, (byte) 0xC1, + (byte) 0x10, (byte) 0x79, (byte) 0xF4, (byte) 0x3D, + (byte) 0xD8, (byte) 0x24, (byte) 0x99, (byte) 0x3C, + (byte) 0x2C, (byte) 0xEE, (byte) 0x5E, (byte) 0xD3}; + + // G in compressed form / first part of ucompressed + public static final byte[] EC128_FP_G_X = new byte[]{ + (byte) 0x16, (byte) 0x1F, (byte) 0xF7, (byte) 0x52, + (byte) 0x8B, (byte) 0x89, (byte) 0x9B, (byte) 0x2D, + (byte) 0x0C, (byte) 0x28, (byte) 0x60, (byte) 0x7C, + (byte) 0xA5, (byte) 0x2C, (byte) 0x5B, (byte) 0x86}; + + // second part of G uncompressed + public static final byte[] EC128_FP_G_Y = new byte[]{ + (byte) 0xCF, (byte) 0x5A, (byte) 0xC8, (byte) 0x39, + (byte) 0x5B, (byte) 0xAF, (byte) 0xEB, (byte) 0x13, + (byte) 0xC0, (byte) 0x2D, (byte) 0xA2, (byte) 0x92, + (byte) 0xDD, (byte) 0xED, (byte) 0x7A, (byte) 0x83}; + // Order of G + public static final byte[] EC128_FP_R = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x75, (byte) 0xA3, (byte) 0x0D, (byte) 0x1B, + (byte) 0x90, (byte) 0x38, (byte) 0xA1, (byte) 0x15}; + // cofactor of G + public static final short EC128_FP_K = 1; + + // secp160r1 + public static final byte[] EC160_FP_P = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}; + + public static final byte[] EC160_FP_A = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC}; + + public static final byte[] EC160_FP_B = new byte[]{ + (byte) 0x1C, (byte) 0x97, (byte) 0xBE, (byte) 0xFC, + (byte) 0x54, (byte) 0xBD, (byte) 0x7A, (byte) 0x8B, + (byte) 0x65, (byte) 0xAC, (byte) 0xF8, (byte) 0x9F, + (byte) 0x81, (byte) 0xD4, (byte) 0xD4, (byte) 0xAD, + (byte) 0xC5, (byte) 0x65, (byte) 0xFA, (byte) 0x45}; + + // G in compressed form / first part of ucompressed + public static final byte[] EC160_FP_G_X = new byte[]{ + (byte) 0x4A, (byte) 0x96, (byte) 0xB5, (byte) 0x68, + (byte) 0x8E, (byte) 0xF5, (byte) 0x73, (byte) 0x28, + (byte) 0x46, (byte) 0x64, (byte) 0x69, (byte) 0x89, + (byte) 0x68, (byte) 0xC3, (byte) 0x8B, (byte) 0xB9, + (byte) 0x13, (byte) 0xCB, (byte) 0xFC, (byte) 0x82}; + + // second part of G uncompressed + public static final byte[] EC160_FP_G_Y = new byte[]{ + (byte) 0x23, (byte) 0xA6, (byte) 0x28, (byte) 0x55, + (byte) 0x31, (byte) 0x68, (byte) 0x94, (byte) 0x7D, + (byte) 0x59, (byte) 0xDC, (byte) 0xC9, (byte) 0x12, + (byte) 0x04, (byte) 0x23, (byte) 0x51, (byte) 0x37, + (byte) 0x7A, (byte) 0xC5, (byte) 0xFB, (byte) 0x32}; + // Order of G + public static final byte[] EC160_FP_R = new byte[]{ + (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x01, (byte) 0xF4, (byte) 0xC8, + (byte) 0xF9, (byte) 0x27, (byte) 0xAE, (byte) 0xD3, + (byte) 0xCA, (byte) 0x75, (byte) 0x22, (byte) 0x57}; + // cofactor of G + public static final short EC160_FP_K = 1; + + + // secp192r1 from http://www.secg.org/sec2-v2.pdf + public static final byte[] EC192_FP_P = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}; + public static final byte[] EC192_FP_A = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC}; + public static final byte[] EC192_FP_B = new byte[]{ + (byte) 0x64, (byte) 0x21, (byte) 0x05, (byte) 0x19, + (byte) 0xE5, (byte) 0x9C, (byte) 0x80, (byte) 0xE7, + (byte) 0x0F, (byte) 0xA7, (byte) 0xE9, (byte) 0xAB, + (byte) 0x72, (byte) 0x24, (byte) 0x30, (byte) 0x49, + (byte) 0xFE, (byte) 0xB8, (byte) 0xDE, (byte) 0xEC, + (byte) 0xC1, (byte) 0x46, (byte) 0xB9, (byte) 0xB1}; + // G in compressed form / first part of ucompressed + public static final byte[] EC192_FP_G_X = new byte[]{ + (byte) 0x18, (byte) 0x8D, (byte) 0xA8, (byte) 0x0E, + (byte) 0xB0, (byte) 0x30, (byte) 0x90, (byte) 0xF6, + (byte) 0x7C, (byte) 0xBF, (byte) 0x20, (byte) 0xEB, + (byte) 0x43, (byte) 0xA1, (byte) 0x88, (byte) 0x00, + (byte) 0xF4, (byte) 0xFF, (byte) 0x0A, (byte) 0xFD, + (byte) 0x82, (byte) 0xFF, (byte) 0x10, (byte) 0x12}; + // second part of G uncompressed + public static final byte[] EC192_FP_G_Y = new byte[]{ + (byte) 0x07, (byte) 0x19, (byte) 0x2B, (byte) 0x95, + (byte) 0xFF, (byte) 0xC8, (byte) 0xDA, (byte) 0x78, + (byte) 0x63, (byte) 0x10, (byte) 0x11, (byte) 0xED, + (byte) 0x6B, (byte) 0x24, (byte) 0xCD, (byte) 0xD5, + (byte) 0x73, (byte) 0xF9, (byte) 0x77, (byte) 0xA1, + (byte) 0x1E, (byte) 0x79, (byte) 0x48, (byte) 0x11}; + // Order of G + public static final byte[] EC192_FP_R = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x99, (byte) 0xDE, (byte) 0xF8, (byte) 0x36, + (byte) 0x14, (byte) 0x6B, (byte) 0xC9, (byte) 0xB1, + (byte) 0xB4, (byte) 0xD2, (byte) 0x28, (byte) 0x31}; + // cofactor of G + public static final short EC192_FP_K = 1; + + // secp224r1 from http://www.secg.org/sec2-v2.pdf + public static final byte[] EC224_FP_P = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01}; + + public static final byte[] EC224_FP_A = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE}; + + public static final byte[] EC224_FP_B = new byte[]{ + (byte) 0xB4, (byte) 0x05, (byte) 0x0A, (byte) 0x85, + (byte) 0x0C, (byte) 0x04, (byte) 0xB3, (byte) 0xAB, + (byte) 0xF5, (byte) 0x41, (byte) 0x32, (byte) 0x56, + (byte) 0x50, (byte) 0x44, (byte) 0xB0, (byte) 0xB7, + (byte) 0xD7, (byte) 0xBF, (byte) 0xD8, (byte) 0xBA, + (byte) 0x27, (byte) 0x0B, (byte) 0x39, (byte) 0x43, + (byte) 0x23, (byte) 0x55, (byte) 0xFF, (byte) 0xB4}; + + // G in compressed form / first part of ucompressed + public static final byte[] EC224_FP_G_X = new byte[]{ + (byte) 0xB7, (byte) 0x0E, (byte) 0x0C, (byte) 0xBD, + (byte) 0x6B, (byte) 0xB4, (byte) 0xBF, (byte) 0x7F, + (byte) 0x32, (byte) 0x13, (byte) 0x90, (byte) 0xB9, + (byte) 0x4A, (byte) 0x03, (byte) 0xC1, (byte) 0xD3, + (byte) 0x56, (byte) 0xC2, (byte) 0x11, (byte) 0x22, + (byte) 0x34, (byte) 0x32, (byte) 0x80, (byte) 0xD6, + (byte) 0x11, (byte) 0x5C, (byte) 0x1D, (byte) 0x21}; + // second part of G uncompressed + public static final byte[] EC224_FP_G_Y = new byte[]{ + (byte) 0xBD, (byte) 0x37, (byte) 0x63, (byte) 0x88, + (byte) 0xB5, (byte) 0xF7, (byte) 0x23, (byte) 0xFB, + (byte) 0x4C, (byte) 0x22, (byte) 0xDF, (byte) 0xE6, + (byte) 0xCD, (byte) 0x43, (byte) 0x75, (byte) 0xA0, + (byte) 0x5A, (byte) 0x07, (byte) 0x47, (byte) 0x64, + (byte) 0x44, (byte) 0xD5, (byte) 0x81, (byte) 0x99, + (byte) 0x85, (byte) 0x00, (byte) 0x7E, (byte) 0x34}; + // Order of G + public static final byte[] EC224_FP_R = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0x16, (byte) 0xA2, + (byte) 0xE0, (byte) 0xB8, (byte) 0xF0, (byte) 0x3E, + (byte) 0x13, (byte) 0xDD, (byte) 0x29, (byte) 0x45, + (byte) 0x5C, (byte) 0x5C, (byte) 0x2A, (byte) 0x3D}; + // cofactor of G + public static final short EC224_FP_K = 1; + + // secp256r1 from http://www.secg.org/sec2-v2.pdf + public static final byte[] EC256_FP_P = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}; + public static final byte[] EC256_FP_A = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC}; + public static final byte[] EC256_FP_B = new byte[]{ + (byte) 0x5A, (byte) 0xC6, (byte) 0x35, (byte) 0xD8, + (byte) 0xAA, (byte) 0x3A, (byte) 0x93, (byte) 0xE7, + (byte) 0xB3, (byte) 0xEB, (byte) 0xBD, (byte) 0x55, + (byte) 0x76, (byte) 0x98, (byte) 0x86, (byte) 0xBC, + (byte) 0x65, (byte) 0x1D, (byte) 0x06, (byte) 0xB0, + (byte) 0xCC, (byte) 0x53, (byte) 0xB0, (byte) 0xF6, + (byte) 0x3B, (byte) 0xCE, (byte) 0x3C, (byte) 0x3E, + (byte) 0x27, (byte) 0xD2, (byte) 0x60, (byte) 0x4B}; + // G in compressed form / first part of ucompressed + public static final byte[] EC256_FP_G_X = new byte[]{ + (byte) 0x6B, (byte) 0x17, (byte) 0xD1, (byte) 0xF2, + (byte) 0xE1, (byte) 0x2C, (byte) 0x42, (byte) 0x47, + (byte) 0xF8, (byte) 0xBC, (byte) 0xE6, (byte) 0xE5, + (byte) 0x63, (byte) 0xA4, (byte) 0x40, (byte) 0xF2, + (byte) 0x77, (byte) 0x03, (byte) 0x7D, (byte) 0x81, + (byte) 0x2D, (byte) 0xEB, (byte) 0x33, (byte) 0xA0, + (byte) 0xF4, (byte) 0xA1, (byte) 0x39, (byte) 0x45, + (byte) 0xD8, (byte) 0x98, (byte) 0xC2, (byte) 0x96}; + // second part of G uncompressed + public static final byte[] EC256_FP_G_Y = new byte[]{ + (byte) 0x4F, (byte) 0xE3, (byte) 0x42, (byte) 0xE2, + (byte) 0xFE, (byte) 0x1A, (byte) 0x7F, (byte) 0x9B, + (byte) 0x8E, (byte) 0xE7, (byte) 0xEB, (byte) 0x4A, + (byte) 0x7C, (byte) 0x0F, (byte) 0x9E, (byte) 0x16, + (byte) 0x2B, (byte) 0xCE, (byte) 0x33, (byte) 0x57, + (byte) 0x6B, (byte) 0x31, (byte) 0x5E, (byte) 0xCE, + (byte) 0xCB, (byte) 0xB6, (byte) 0x40, (byte) 0x68, + (byte) 0x37, (byte) 0xBF, (byte) 0x51, (byte) 0xF5}; + // Order of G + public static final byte[] EC256_FP_R = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xBC, (byte) 0xE6, (byte) 0xFA, (byte) 0xAD, + (byte) 0xA7, (byte) 0x17, (byte) 0x9E, (byte) 0x84, + (byte) 0xF3, (byte) 0xB9, (byte) 0xCA, (byte) 0xC2, + (byte) 0xFC, (byte) 0x63, (byte) 0x25, (byte) 0x51}; + // cofactor of G + public static final short EC256_FP_K = 1; + + // secp384r1 from http://www.secg.org/sec2-v2.pdf + public static final byte[] EC384_FP_P = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}; + + public static final byte[] EC384_FP_A = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC}; + + public static final byte[] EC384_FP_B = new byte[]{ + (byte) 0xB3, (byte) 0x31, (byte) 0x2F, (byte) 0xA7, + (byte) 0xE2, (byte) 0x3E, (byte) 0xE7, (byte) 0xE4, + (byte) 0x98, (byte) 0x8E, (byte) 0x05, (byte) 0x6B, + (byte) 0xE3, (byte) 0xF8, (byte) 0x2D, (byte) 0x19, + (byte) 0x18, (byte) 0x1D, (byte) 0x9C, (byte) 0x6E, + (byte) 0xFE, (byte) 0x81, (byte) 0x41, (byte) 0x12, + (byte) 0x03, (byte) 0x14, (byte) 0x08, (byte) 0x8F, + (byte) 0x50, (byte) 0x13, (byte) 0x87, (byte) 0x5A, + (byte) 0xC6, (byte) 0x56, (byte) 0x39, (byte) 0x8D, + (byte) 0x8A, (byte) 0x2E, (byte) 0xD1, (byte) 0x9D, + (byte) 0x2A, (byte) 0x85, (byte) 0xC8, (byte) 0xED, + (byte) 0xD3, (byte) 0xEC, (byte) 0x2A, (byte) 0xEF}; + + // G in compressed form / first part of ucompressed + public static final byte[] EC384_FP_G_X = new byte[]{ + (byte) 0xAA, (byte) 0x87, (byte) 0xCA, (byte) 0x22, + (byte) 0xBE, (byte) 0x8B, (byte) 0x05, (byte) 0x37, + (byte) 0x8E, (byte) 0xB1, (byte) 0xC7, (byte) 0x1E, + (byte) 0xF3, (byte) 0x20, (byte) 0xAD, (byte) 0x74, + (byte) 0x6E, (byte) 0x1D, (byte) 0x3B, (byte) 0x62, + (byte) 0x8B, (byte) 0xA7, (byte) 0x9B, (byte) 0x98, + (byte) 0x59, (byte) 0xF7, (byte) 0x41, (byte) 0xE0, + (byte) 0x82, (byte) 0x54, (byte) 0x2A, (byte) 0x38, + (byte) 0x55, (byte) 0x02, (byte) 0xF2, (byte) 0x5D, + (byte) 0xBF, (byte) 0x55, (byte) 0x29, (byte) 0x6C, + (byte) 0x3A, (byte) 0x54, (byte) 0x5E, (byte) 0x38, + (byte) 0x72, (byte) 0x76, (byte) 0x0A, (byte) 0xB7}; + // second part of G uncompressed + public static final byte[] EC384_FP_G_Y = new byte[]{ + (byte) 0x36, (byte) 0x17, (byte) 0xDE, (byte) 0x4A, + (byte) 0x96, (byte) 0x26, (byte) 0x2C, (byte) 0x6F, + (byte) 0x5D, (byte) 0x9E, (byte) 0x98, (byte) 0xBF, + (byte) 0x92, (byte) 0x92, (byte) 0xDC, (byte) 0x29, + (byte) 0xF8, (byte) 0xF4, (byte) 0x1D, (byte) 0xBD, + (byte) 0x28, (byte) 0x9A, (byte) 0x14, (byte) 0x7C, + (byte) 0xE9, (byte) 0xDA, (byte) 0x31, (byte) 0x13, + (byte) 0xB5, (byte) 0xF0, (byte) 0xB8, (byte) 0xC0, + (byte) 0x0A, (byte) 0x60, (byte) 0xB1, (byte) 0xCE, + (byte) 0x1D, (byte) 0x7E, (byte) 0x81, (byte) 0x9D, + (byte) 0x7A, (byte) 0x43, (byte) 0x1D, (byte) 0x7C, + (byte) 0x90, (byte) 0xEA, (byte) 0x0E, (byte) 0x5F}; + + // Order of G + public static final byte[] EC384_FP_R = new byte[]{ + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xC7, (byte) 0x63, (byte) 0x4D, (byte) 0x81, + (byte) 0xF4, (byte) 0x37, (byte) 0x2D, (byte) 0xDF, + (byte) 0x58, (byte) 0x1A, (byte) 0x0D, (byte) 0xB2, + (byte) 0x48, (byte) 0xB0, (byte) 0xA7, (byte) 0x7A, + (byte) 0xEC, (byte) 0xEC, (byte) 0x19, (byte) 0x6A, + (byte) 0xCC, (byte) 0xC5, (byte) 0x29, (byte) 0x73}; + // cofactor of G + public static final short EC384_FP_K = 1; + + + // secp521r1 from http://www.secg.org/sec2-v2.pdf + public static final byte[] EC521_FP_P = new byte[]{ + (byte) 0x01, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}; + + public static final byte[] EC521_FP_A = new byte[]{ + (byte) 0x01, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC}; + + public static final byte[] EC521_FP_B = new byte[]{ + (byte) 0x00, (byte) 0x51, (byte) 0x95, (byte) 0x3E, + (byte) 0xB9, (byte) 0x61, (byte) 0x8E, (byte) 0x1C, + (byte) 0x9A, (byte) 0x1F, (byte) 0x92, (byte) 0x9A, + (byte) 0x21, (byte) 0xA0, (byte) 0xB6, (byte) 0x85, + (byte) 0x40, (byte) 0xEE, (byte) 0xA2, (byte) 0xDA, + (byte) 0x72, (byte) 0x5B, (byte) 0x99, (byte) 0xB3, + (byte) 0x15, (byte) 0xF3, (byte) 0xB8, (byte) 0xB4, + (byte) 0x89, (byte) 0x91, (byte) 0x8E, (byte) 0xF1, + (byte) 0x09, (byte) 0xE1, (byte) 0x56, (byte) 0x19, + (byte) 0x39, (byte) 0x51, (byte) 0xEC, (byte) 0x7E, + (byte) 0x93, (byte) 0x7B, (byte) 0x16, (byte) 0x52, + (byte) 0xC0, (byte) 0xBD, (byte) 0x3B, (byte) 0xB1, + (byte) 0xBF, (byte) 0x07, (byte) 0x35, (byte) 0x73, + (byte) 0xDF, (byte) 0x88, (byte) 0x3D, (byte) 0x2C, + (byte) 0x34, (byte) 0xF1, (byte) 0xEF, (byte) 0x45, + (byte) 0x1F, (byte) 0xD4, (byte) 0x6B, (byte) 0x50, + (byte) 0x3F, (byte) 0x00}; + + // G in compressed form / first part of ucompressed + public static final byte[] EC521_FP_G_X = new byte[]{ + (byte) 0x00, (byte) 0xC6, (byte) 0x85, (byte) 0x8E, + (byte) 0x06, (byte) 0xB7, (byte) 0x04, (byte) 0x04, + (byte) 0xE9, (byte) 0xCD, (byte) 0x9E, (byte) 0x3E, + (byte) 0xCB, (byte) 0x66, (byte) 0x23, (byte) 0x95, + (byte) 0xB4, (byte) 0x42, (byte) 0x9C, (byte) 0x64, + (byte) 0x81, (byte) 0x39, (byte) 0x05, (byte) 0x3F, + (byte) 0xB5, (byte) 0x21, (byte) 0xF8, (byte) 0x28, + (byte) 0xAF, (byte) 0x60, (byte) 0x6B, (byte) 0x4D, + (byte) 0x3D, (byte) 0xBA, (byte) 0xA1, (byte) 0x4B, + (byte) 0x5E, (byte) 0x77, (byte) 0xEF, (byte) 0xE7, + (byte) 0x59, (byte) 0x28, (byte) 0xFE, (byte) 0x1D, + (byte) 0xC1, (byte) 0x27, (byte) 0xA2, (byte) 0xFF, + (byte) 0xA8, (byte) 0xDE, (byte) 0x33, (byte) 0x48, + (byte) 0xB3, (byte) 0xC1, (byte) 0x85, (byte) 0x6A, + (byte) 0x42, (byte) 0x9B, (byte) 0xF9, (byte) 0x7E, + (byte) 0x7E, (byte) 0x31, (byte) 0xC2, (byte) 0xE5, + (byte) 0xBD, (byte) 0x66}; + + // second part of G uncompressed + public static final byte[] EC521_FP_G_Y = new byte[]{ + (byte) 0x01, (byte) 0x18, (byte) 0x39, (byte) 0x29, + (byte) 0x6A, (byte) 0x78, (byte) 0x9A, (byte) 0x3B, + (byte) 0xC0, (byte) 0x04, (byte) 0x5C, (byte) 0x8A, + (byte) 0x5F, (byte) 0xB4, (byte) 0x2C, (byte) 0x7D, + (byte) 0x1B, (byte) 0xD9, (byte) 0x98, (byte) 0xF5, + (byte) 0x44, (byte) 0x49, (byte) 0x57, (byte) 0x9B, + (byte) 0x44, (byte) 0x68, (byte) 0x17, (byte) 0xAF, + (byte) 0xBD, (byte) 0x17, (byte) 0x27, (byte) 0x3E, + (byte) 0x66, (byte) 0x2C, (byte) 0x97, (byte) 0xEE, + (byte) 0x72, (byte) 0x99, (byte) 0x5E, (byte) 0xF4, + (byte) 0x26, (byte) 0x40, (byte) 0xC5, (byte) 0x50, + (byte) 0xB9, (byte) 0x01, (byte) 0x3F, (byte) 0xAD, + (byte) 0x07, (byte) 0x61, (byte) 0x35, (byte) 0x3C, + (byte) 0x70, (byte) 0x86, (byte) 0xA2, (byte) 0x72, + (byte) 0xC2, (byte) 0x40, (byte) 0x88, (byte) 0xBE, + (byte) 0x94, (byte) 0x76, (byte) 0x9F, (byte) 0xD1, + (byte) 0x66, (byte) 0x50}; + + // Order of G + public static final byte[] EC521_FP_R = new byte[]{ + (byte) 0x01, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFA, + (byte) 0x51, (byte) 0x86, (byte) 0x87, (byte) 0x83, + (byte) 0xBF, (byte) 0x2F, (byte) 0x96, (byte) 0x6B, + (byte) 0x7F, (byte) 0xCC, (byte) 0x01, (byte) 0x48, + (byte) 0xF7, (byte) 0x09, (byte) 0xA5, (byte) 0xD0, + (byte) 0x3B, (byte) 0xB5, (byte) 0xC9, (byte) 0xB8, + (byte) 0x89, (byte) 0x9C, (byte) 0x47, (byte) 0xAE, + (byte) 0xBB, (byte) 0x6F, (byte) 0xB7, (byte) 0x1E, + (byte) 0x91, (byte) 0x38, (byte) 0x64, (byte) 0x09}; + + // cofactor of G + public static final short EC521_FP_K = 1; + + //sect163r1 from http://www.secg.org/sec2-v2.pdf + // [short i1, short i2, short i3] f = x^163 + x^i1 + x^i2 + x^i3 + 1 + public static final byte[] EC163_F2M_F = new byte[]{ + (byte) 0x00, (byte) 0x07, + (byte) 0x00, (byte) 0x06, + (byte) 0x00, (byte) 0x03 + }; + + public static final byte[] EC163_F2M_A = new byte[]{ + (byte) 0x07, (byte) 0xB6, (byte) 0x88, (byte) 0x2C, + (byte) 0xAA, (byte) 0xEF, (byte) 0xA8, (byte) 0x4F, + (byte) 0x95, (byte) 0x54, (byte) 0xFF, (byte) 0x84, + (byte) 0x28, (byte) 0xBD, (byte) 0x88, (byte) 0xE2, + (byte) 0x46, (byte) 0xD2, (byte) 0x78, (byte) 0x2A, + (byte) 0xE2 + }; + + public static final byte[] EC163_F2M_B = new byte[]{ + (byte) 0x07, (byte) 0x13, (byte) 0x61, (byte) 0x2D, + (byte) 0xCD, (byte) 0xDC, (byte) 0xB4, (byte) 0x0A, + (byte) 0xAB, (byte) 0x94, (byte) 0x6B, (byte) 0xDA, + (byte) 0x29, (byte) 0xCA, (byte) 0x91, (byte) 0xF7, + (byte) 0x3A, (byte) 0xF9, (byte) 0x58, (byte) 0xAF, + (byte) 0xD9 + }; + + // G in compressed form / first part of ucompressed + public static final byte[] EC163_F2M_G_X = new byte[]{ + (byte) 0x03, (byte) 0x69, (byte) 0x97, (byte) 0x96, + (byte) 0x97, (byte) 0xAB, (byte) 0x43, (byte) 0x89, + (byte) 0x77, (byte) 0x89, (byte) 0x56, (byte) 0x67, + (byte) 0x89, (byte) 0x56, (byte) 0x7F, (byte) 0x78, + (byte) 0x7A, (byte) 0x78, (byte) 0x76, (byte) 0xA6, + (byte) 0x54 + }; + + // second part of G uncompressed + public static final byte[] EC163_F2M_G_Y = new byte[]{ + (byte) 0x00, (byte) 0x43, (byte) 0x5E, (byte) 0xDB, + (byte) 0x42, (byte) 0xEF, (byte) 0xAF, (byte) 0xB2, + (byte) 0x98, (byte) 0x9D, (byte) 0x51, (byte) 0xFE, + (byte) 0xFC, (byte) 0xE3, (byte) 0xC8, (byte) 0x09, + (byte) 0x88, (byte) 0xF4, (byte) 0x1F, (byte) 0xF8, + (byte) 0x83 + }; + + // order of G + public static final byte[] EC163_F2M_R = new byte[]{ + (byte) 0x03, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x48, + (byte) 0xAA, (byte) 0xB6, (byte) 0x89, (byte) 0xC2, + (byte) 0x9C, (byte) 0xA7, (byte) 0x10, (byte) 0x27, + (byte) 0x9B + }; + + // cofactor of G + public static final short EC163_F2M_K = 2; + + //sect233r1 from http://www.secg.org/sec2-v2.pdf + // [short i1, short i2, short i3] f = x^233 + x^i1 + 1 + public static final byte[] EC233_F2M_F = new byte[]{ + (byte) 0x00, (byte) 0x4a + }; + + public static final byte[] EC233_F2M_A = new byte[]{ + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x01 + }; + + public static final byte[] EC233_F2M_B = new byte[]{ + (byte) 0x00, (byte) 0x66, (byte) 0x64, (byte) 0x7E, + (byte) 0xDE, (byte) 0x6C, (byte) 0x33, (byte) 0x2C, + (byte) 0x7F, (byte) 0x8C, (byte) 0x09, (byte) 0x23, + (byte) 0xBB, (byte) 0x58, (byte) 0x21, (byte) 0x3B, + (byte) 0x33, (byte) 0x3B, (byte) 0x20, (byte) 0xE9, + (byte) 0xCE, (byte) 0x42, (byte) 0x81, (byte) 0xFE, + (byte) 0x11, (byte) 0x5F, (byte) 0x7D, (byte) 0x8F, + (byte) 0x90, (byte) 0xAD + }; + + // G in compressed form / first part of ucompressed + public static final byte[] EC233_F2M_G_X = new byte[]{ + (byte) 0x00, (byte) 0xFA, (byte) 0xC9, (byte) 0xDF, + (byte) 0xCB, (byte) 0xAC, (byte) 0x83, (byte) 0x13, + (byte) 0xBB, (byte) 0x21, (byte) 0x39, (byte) 0xF1, + (byte) 0xBB, (byte) 0x75, (byte) 0x5F, (byte) 0xEF, + (byte) 0x65, (byte) 0xBC, (byte) 0x39, (byte) 0x1F, + (byte) 0x8B, (byte) 0x36, (byte) 0xF8, (byte) 0xF8, + (byte) 0xEB, (byte) 0x73, (byte) 0x71, (byte) 0xFD, + (byte) 0x55, (byte) 0x8B + }; + + // second part of G uncompressed + public static final byte[] EC233_F2M_G_Y = new byte[]{ + (byte) 0x01, (byte) 0x00, (byte) 0x6A, (byte) 0x08, + (byte) 0xA4, (byte) 0x19, (byte) 0x03, (byte) 0x35, + (byte) 0x06, (byte) 0x78, (byte) 0xE5, (byte) 0x85, + (byte) 0x28, (byte) 0xBE, (byte) 0xBF, (byte) 0x8A, + (byte) 0x0B, (byte) 0xEF, (byte) 0xF8, (byte) 0x67, + (byte) 0xA7, (byte) 0xCA, (byte) 0x36, (byte) 0x71, + (byte) 0x6F, (byte) 0x7E, (byte) 0x01, (byte) 0xF8, + (byte) 0x10, (byte) 0x52 + }; + + // order of G + public static final byte[] EC233_F2M_R = new byte[]{ + (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x13, + (byte) 0xE9, (byte) 0x74, (byte) 0xE7, (byte) 0x2F, + (byte) 0x8A, (byte) 0x69, (byte) 0x22, (byte) 0x03, + (byte) 0x1D, (byte) 0x26, (byte) 0x03, (byte) 0xCF, + (byte) 0xE0, (byte) 0xD7 + }; + + // cofactor of G + public static final short EC233_F2M_K = 2; + + //sect283r1 from http://www.secg.org/sec2-v2.pdf + // [short i1, short i2, short i3] f = x^283 + x^i1 + x^i2 + x^i3 + 1 + public static final byte[] EC283_F2M_F = new byte[]{ + (byte) 0x00, (byte) 0x0c, + (byte) 0x00, (byte) 0x07, + (byte) 0x00, (byte) 0x05 + }; + + public static final byte[] EC283_F2M_A = new byte[]{ + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01 + }; + + public static final byte[] EC283_F2M_B = new byte[]{ + (byte) 0x02, (byte) 0x7B, (byte) 0x68, (byte) 0x0A, + (byte) 0xC8, (byte) 0xB8, (byte) 0x59, (byte) 0x6D, + (byte) 0xA5, (byte) 0xA4, (byte) 0xAF, (byte) 0x8A, + (byte) 0x19, (byte) 0xA0, (byte) 0x30, (byte) 0x3F, + (byte) 0xCA, (byte) 0x97, (byte) 0xFD, (byte) 0x76, + (byte) 0x45, (byte) 0x30, (byte) 0x9F, (byte) 0xA2, + (byte) 0xA5, (byte) 0x81, (byte) 0x48, (byte) 0x5A, + (byte) 0xF6, (byte) 0x26, (byte) 0x3E, (byte) 0x31, + (byte) 0x3B, (byte) 0x79, (byte) 0xA2, (byte) 0xF5 + }; + + // G in compressed form / first part of ucompressed + public static final byte[] EC283_F2M_G_X = new byte[]{ + (byte) 0x05, (byte) 0xF9, (byte) 0x39, (byte) 0x25, + (byte) 0x8D, (byte) 0xB7, (byte) 0xDD, (byte) 0x90, + (byte) 0xE1, (byte) 0x93, (byte) 0x4F, (byte) 0x8C, + (byte) 0x70, (byte) 0xB0, (byte) 0xDF, (byte) 0xEC, + (byte) 0x2E, (byte) 0xED, (byte) 0x25, (byte) 0xB8, + (byte) 0x55, (byte) 0x7E, (byte) 0xAC, (byte) 0x9C, + (byte) 0x80, (byte) 0xE2, (byte) 0xE1, (byte) 0x98, + (byte) 0xF8, (byte) 0xCD, (byte) 0xBE, (byte) 0xCD, + (byte) 0x86, (byte) 0xB1, (byte) 0x20, (byte) 0x53 + }; + + // second part of G uncompressed + public static final byte[] EC283_F2M_G_Y = new byte[]{ + (byte) 0x03, (byte) 0x67, (byte) 0x68, (byte) 0x54, + (byte) 0xFE, (byte) 0x24, (byte) 0x14, (byte) 0x1C, + (byte) 0xB9, (byte) 0x8F, (byte) 0xE6, (byte) 0xD4, + (byte) 0xB2, (byte) 0x0D, (byte) 0x02, (byte) 0xB4, + (byte) 0x51, (byte) 0x6F, (byte) 0xF7, (byte) 0x02, + (byte) 0x35, (byte) 0x0E, (byte) 0xDD, (byte) 0xB0, + (byte) 0x82, (byte) 0x67, (byte) 0x79, (byte) 0xC8, + (byte) 0x13, (byte) 0xF0, (byte) 0xDF, (byte) 0x45, + (byte) 0xBE, (byte) 0x81, (byte) 0x12, (byte) 0xF4 + }; + + // order of G + public static final byte[] EC283_F2M_R = new byte[]{ + (byte) 0x03, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xEF, (byte) 0x90, + (byte) 0x39, (byte) 0x96, (byte) 0x60, (byte) 0xFC, + (byte) 0x93, (byte) 0x8A, (byte) 0x90, (byte) 0x16, + (byte) 0x5B, (byte) 0x04, (byte) 0x2A, (byte) 0x7C, + (byte) 0xEF, (byte) 0xAD, (byte) 0xB3, (byte) 0x07 + }; + + // cofactor of G + public static final short EC283_F2M_K = 2; + + //sect409r1 from http://www.secg.org/sec2-v2.pdf + // [short i1, short i2, short i3] f = x^409 + x^i1 + 1 + public static final byte[] EC409_F2M_F = new byte[]{ + (byte) 0x00, (byte) 0x57 + }; + + public static final byte[] EC409_F2M_A = new byte[]{ + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01 + }; + + public static final byte[] EC409_F2M_B = new byte[]{ + (byte) 0x00, (byte) 0x21, (byte) 0xA5, (byte) 0xC2, + (byte) 0xC8, (byte) 0xEE, (byte) 0x9F, (byte) 0xEB, + (byte) 0x5C, (byte) 0x4B, (byte) 0x9A, (byte) 0x75, + (byte) 0x3B, (byte) 0x7B, (byte) 0x47, (byte) 0x6B, + (byte) 0x7F, (byte) 0xD6, (byte) 0x42, (byte) 0x2E, + (byte) 0xF1, (byte) 0xF3, (byte) 0xDD, (byte) 0x67, + (byte) 0x47, (byte) 0x61, (byte) 0xFA, (byte) 0x99, + (byte) 0xD6, (byte) 0xAC, (byte) 0x27, (byte) 0xC8, + (byte) 0xA9, (byte) 0xA1, (byte) 0x97, (byte) 0xB2, + (byte) 0x72, (byte) 0x82, (byte) 0x2F, (byte) 0x6C, + (byte) 0xD5, (byte) 0x7A, (byte) 0x55, (byte) 0xAA, + (byte) 0x4F, (byte) 0x50, (byte) 0xAE, (byte) 0x31, + (byte) 0x7B, (byte) 0x13, (byte) 0x54, (byte) 0x5F + }; + + // G in compressed form / first part of ucompressed + public static final byte[] EC409_F2M_G_X = new byte[]{ + (byte) 0x01, (byte) 0x5D, (byte) 0x48, (byte) 0x60, + (byte) 0xD0, (byte) 0x88, (byte) 0xDD, (byte) 0xB3, + (byte) 0x49, (byte) 0x6B, (byte) 0x0C, (byte) 0x60, + (byte) 0x64, (byte) 0x75, (byte) 0x62, (byte) 0x60, + (byte) 0x44, (byte) 0x1C, (byte) 0xDE, (byte) 0x4A, + (byte) 0xF1, (byte) 0x77, (byte) 0x1D, (byte) 0x4D, + (byte) 0xB0, (byte) 0x1F, (byte) 0xFE, (byte) 0x5B, + (byte) 0x34, (byte) 0xE5, (byte) 0x97, (byte) 0x03, + (byte) 0xDC, (byte) 0x25, (byte) 0x5A, (byte) 0x86, + (byte) 0x8A, (byte) 0x11, (byte) 0x80, (byte) 0x51, + (byte) 0x56, (byte) 0x03, (byte) 0xAE, (byte) 0xAB, + (byte) 0x60, (byte) 0x79, (byte) 0x4E, (byte) 0x54, + (byte) 0xBB, (byte) 0x79, (byte) 0x96, (byte) 0xA7 + }; + + // second part of G uncompressed + public static final byte[] EC409_F2M_G_Y = new byte[]{ + (byte) 0x00, (byte) 0x61, (byte) 0xB1, (byte) 0xCF, + (byte) 0xAB, (byte) 0x6B, (byte) 0xE5, (byte) 0xF3, + (byte) 0x2B, (byte) 0xBF, (byte) 0xA7, (byte) 0x83, + (byte) 0x24, (byte) 0xED, (byte) 0x10, (byte) 0x6A, + (byte) 0x76, (byte) 0x36, (byte) 0xB9, (byte) 0xC5, + (byte) 0xA7, (byte) 0xBD, (byte) 0x19, (byte) 0x8D, + (byte) 0x01, (byte) 0x58, (byte) 0xAA, (byte) 0x4F, + (byte) 0x54, (byte) 0x88, (byte) 0xD0, (byte) 0x8F, + (byte) 0x38, (byte) 0x51, (byte) 0x4F, (byte) 0x1F, + (byte) 0xDF, (byte) 0x4B, (byte) 0x4F, (byte) 0x40, + (byte) 0xD2, (byte) 0x18, (byte) 0x1B, (byte) 0x36, + (byte) 0x81, (byte) 0xC3, (byte) 0x64, (byte) 0xBA, + (byte) 0x02, (byte) 0x73, (byte) 0xC7, (byte) 0x06 + }; + + // order of G + public static final byte[] EC409_F2M_R = new byte[]{ + (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x01, (byte) 0xE2, + (byte) 0xAA, (byte) 0xD6, (byte) 0xA6, (byte) 0x12, + (byte) 0xF3, (byte) 0x33, (byte) 0x07, (byte) 0xBE, + (byte) 0x5F, (byte) 0xA4, (byte) 0x7C, (byte) 0x3C, + (byte) 0x9E, (byte) 0x05, (byte) 0x2F, (byte) 0x83, + (byte) 0x81, (byte) 0x64, (byte) 0xCD, (byte) 0x37, + (byte) 0xD9, (byte) 0xA2, (byte) 0x11, (byte) 0x73 + }; + + // cofactor of G + public static final short EC409_F2M_K = 2; + + //sect571r1 from http://www.secg.org/sec2-v2.pdf + // [short i1, short i2, short i3] f = x^571 + x^i1 + x^i2 + x^i3 + 1 + public static final byte[] EC571_F2M_F = new byte[]{ + (byte) 0x00, (byte) 0x0a, + (byte) 0x00, (byte) 0x05, + (byte) 0x00, (byte) 0x02, + }; + + public static final byte[] EC571_F2M_A = new byte[]{ + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, + (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01 + }; + + public static final byte[] EC571_F2M_B = new byte[]{ + (byte) 0x02, (byte) 0xF4, (byte) 0x0E, (byte) 0x7E, + (byte) 0x22, (byte) 0x21, (byte) 0xF2, (byte) 0x95, + (byte) 0xDE, (byte) 0x29, (byte) 0x71, (byte) 0x17, + (byte) 0xB7, (byte) 0xF3, (byte) 0xD6, (byte) 0x2F, + (byte) 0x5C, (byte) 0x6A, (byte) 0x97, (byte) 0xFF, + (byte) 0xCB, (byte) 0x8C, (byte) 0xEF, (byte) 0xF1, + (byte) 0xCD, (byte) 0x6B, (byte) 0xA8, (byte) 0xCE, + (byte) 0x4A, (byte) 0x9A, (byte) 0x18, (byte) 0xAD, + (byte) 0x84, (byte) 0xFF, (byte) 0xAB, (byte) 0xBD, + (byte) 0x8E, (byte) 0xFA, (byte) 0x59, (byte) 0x33, + (byte) 0x2B, (byte) 0xE7, (byte) 0xAD, (byte) 0x67, + (byte) 0x56, (byte) 0xA6, (byte) 0x6E, (byte) 0x29, + (byte) 0x4A, (byte) 0xFD, (byte) 0x18, (byte) 0x5A, + (byte) 0x78, (byte) 0xFF, (byte) 0x12, (byte) 0xAA, + (byte) 0x52, (byte) 0x0E, (byte) 0x4D, (byte) 0xE7, + (byte) 0x39, (byte) 0xBA, (byte) 0xCA, (byte) 0x0C, + (byte) 0x7F, (byte) 0xFE, (byte) 0xFF, (byte) 0x7F, + (byte) 0x29, (byte) 0x55, (byte) 0x72, (byte) 0x7A + }; + + // G in compressed form / first part of ucompressed + public static final byte[] EC571_F2M_G_X = new byte[]{ + (byte) 0x03, (byte) 0x03, (byte) 0x00, (byte) 0x1D, + (byte) 0x34, (byte) 0xB8, (byte) 0x56, (byte) 0x29, + (byte) 0x6C, (byte) 0x16, (byte) 0xC0, (byte) 0xD4, + (byte) 0x0D, (byte) 0x3C, (byte) 0xD7, (byte) 0x75, + (byte) 0x0A, (byte) 0x93, (byte) 0xD1, (byte) 0xD2, + (byte) 0x95, (byte) 0x5F, (byte) 0xA8, (byte) 0x0A, + (byte) 0xA5, (byte) 0xF4, (byte) 0x0F, (byte) 0xC8, + (byte) 0xDB, (byte) 0x7B, (byte) 0x2A, (byte) 0xBD, + (byte) 0xBD, (byte) 0xE5, (byte) 0x39, (byte) 0x50, + (byte) 0xF4, (byte) 0xC0, (byte) 0xD2, (byte) 0x93, + (byte) 0xCD, (byte) 0xD7, (byte) 0x11, (byte) 0xA3, + (byte) 0x5B, (byte) 0x67, (byte) 0xFB, (byte) 0x14, + (byte) 0x99, (byte) 0xAE, (byte) 0x60, (byte) 0x03, + (byte) 0x86, (byte) 0x14, (byte) 0xF1, (byte) 0x39, + (byte) 0x4A, (byte) 0xBF, (byte) 0xA3, (byte) 0xB4, + (byte) 0xC8, (byte) 0x50, (byte) 0xD9, (byte) 0x27, + (byte) 0xE1, (byte) 0xE7, (byte) 0x76, (byte) 0x9C, + (byte) 0x8E, (byte) 0xEC, (byte) 0x2D, (byte) 0x19 + }; + + // second part of G uncompressed + public static final byte[] EC571_F2M_G_Y = new byte[]{ + (byte) 0x03, (byte) 0x7B, (byte) 0xF2, (byte) 0x73, + (byte) 0x42, (byte) 0xDA, (byte) 0x63, (byte) 0x9B, + (byte) 0x6D, (byte) 0xCC, (byte) 0xFF, (byte) 0xFE, + (byte) 0xB7, (byte) 0x3D, (byte) 0x69, (byte) 0xD7, + (byte) 0x8C, (byte) 0x6C, (byte) 0x27, (byte) 0xA6, + (byte) 0x00, (byte) 0x9C, (byte) 0xBB, (byte) 0xCA, + (byte) 0x19, (byte) 0x80, (byte) 0xF8, (byte) 0x53, + (byte) 0x39, (byte) 0x21, (byte) 0xE8, (byte) 0xA6, + (byte) 0x84, (byte) 0x42, (byte) 0x3E, (byte) 0x43, + (byte) 0xBA, (byte) 0xB0, (byte) 0x8A, (byte) 0x57, + (byte) 0x62, (byte) 0x91, (byte) 0xAF, (byte) 0x8F, + (byte) 0x46, (byte) 0x1B, (byte) 0xB2, (byte) 0xA8, + (byte) 0xB3, (byte) 0x53, (byte) 0x1D, (byte) 0x2F, + (byte) 0x04, (byte) 0x85, (byte) 0xC1, (byte) 0x9B, + (byte) 0x16, (byte) 0xE2, (byte) 0xF1, (byte) 0x51, + (byte) 0x6E, (byte) 0x23, (byte) 0xDD, (byte) 0x3C, + (byte) 0x1A, (byte) 0x48, (byte) 0x27, (byte) 0xAF, + (byte) 0x1B, (byte) 0x8A, (byte) 0xC1, (byte) 0x5B + }; + + // order of G + public static final byte[] EC571_F2M_R = new byte[]{ + (byte) 0x03, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, + (byte) 0xE6, (byte) 0x61, (byte) 0xCE, (byte) 0x18, + (byte) 0xFF, (byte) 0x55, (byte) 0x98, (byte) 0x73, + (byte) 0x08, (byte) 0x05, (byte) 0x9B, (byte) 0x18, + (byte) 0x68, (byte) 0x23, (byte) 0x85, (byte) 0x1E, + (byte) 0xC7, (byte) 0xDD, (byte) 0x9C, (byte) 0xA1, + (byte) 0x16, (byte) 0x1D, (byte) 0xE9, (byte) 0x3D, + (byte) 0x51, (byte) 0x74, (byte) 0xD6, (byte) 0x6E, + (byte) 0x83, (byte) 0x82, (byte) 0xE9, (byte) 0xBB, + (byte) 0x2F, (byte) 0xE8, (byte) 0x4E, (byte) 0x47 + }; + + // cofactor of G + public static final short EC571_F2M_K = 2; + + + // getCorruptCurveParameter PARAMETER_CORRUPTION TYPES + public static final byte CORRUPTION_NONE = (byte) 0x00; + public static final byte CORRUPTION_FIXED = (byte) 0x01; + public static final byte CORRUPTION_FULLRANDOM = (byte) 0x02; + public static final byte CORRUPTION_ONEBYTERANDOM = (byte) 0x03; + public static final byte CORRUPTION_ZERO = (byte) 0x04; + public static final byte CORRUPTION_ONE = (byte) 0x05; + + + // Supported embedded curves, getCurveParameter + public static final byte CURVE_default = (byte) 0; + public static final byte CURVE_external = (byte) 0xff; + + // SECP recommended curves over FP + public static final byte CURVE_secp128r1 = (byte) 1; + public static final byte CURVE_secp160r1 = (byte) 2; + public static final byte CURVE_secp192r1 = (byte) 3; + public static final byte CURVE_secp224r1 = (byte) 4; + public static final byte CURVE_secp256r1 = (byte) 5; + public static final byte CURVE_secp384r1 = (byte) 6; + public static final byte CURVE_secp521r1 = (byte) 7; + + public static final byte FP_CURVES = (byte) 7; + + // SECP recommended curves over F2M + public static final byte CURVE_sect163r1 = (byte) 8; + public static final byte CURVE_sect233r1 = (byte) 9; + public static final byte CURVE_sect283r1 = (byte) 10; + public static final byte CURVE_sect409r1 = (byte) 11; + public static final byte CURVE_sect571r1 = (byte) 12; + + public static final byte F2M_CURVES = (byte) 12; + + public static final short[] FP_SIZES = new short[]{128, 160, 192, 224, 256, 384, 521}; + public static final short[] F2M_SIZES = new short[]{163, 233, 283, 409, 571}; + + public static byte getCurve(short keyLength, byte keyClass) { + if (keyClass == KeyPair.ALG_EC_FP) { + switch (keyLength) { + case (short) 128: + return CURVE_secp128r1; + case (short) 160: + return CURVE_secp160r1; + case (short) 192: + return CURVE_secp192r1; + case (short) 224: + return CURVE_secp224r1; + case (short) 256: + return CURVE_secp256r1; + case (short) 384: + return CURVE_secp384r1; + case (short) 521: + return CURVE_secp521r1; + default: + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + } + } else if (keyClass == KeyPair.ALG_EC_F2M) { + switch (keyLength) { + case (short) 163: + return CURVE_sect163r1; + case (short) 233: + return CURVE_sect233r1; + case (short) 283: + return CURVE_sect283r1; + case (short) 409: + return CURVE_sect409r1; + case (short) 571: + return CURVE_sect571r1; + default: + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + } + } else { + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + } + return 0; + } + + public static short getCurveParameter(byte curve, short param, byte[] outputBuffer, short outputOffset) { + byte alg = getCurveType(curve); + switch (curve) { + case CURVE_secp128r1: { + EC_FP_P = EC128_FP_P; + EC_A = EC128_FP_A; + EC_B = EC128_FP_B; + EC_G_X = EC128_FP_G_X; + EC_G_Y = EC128_FP_G_Y; + EC_R = EC128_FP_R; + EC_K = EC128_FP_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_secp160r1: { + EC_FP_P = EC160_FP_P; + EC_A = EC160_FP_A; + EC_B = EC160_FP_B; + EC_G_X = EC160_FP_G_X; + EC_G_Y = EC160_FP_G_Y; + EC_R = EC160_FP_R; + EC_K = EC160_FP_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_secp192r1: { + EC_FP_P = EC192_FP_P; + EC_A = EC192_FP_A; + EC_B = EC192_FP_B; + EC_G_X = EC192_FP_G_X; + EC_G_Y = EC192_FP_G_Y; + EC_R = EC192_FP_R; + EC_K = EC192_FP_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_secp224r1: { + EC_FP_P = EC224_FP_P; + EC_A = EC224_FP_A; + EC_B = EC224_FP_B; + EC_G_X = EC224_FP_G_X; + EC_G_Y = EC224_FP_G_Y; + EC_R = EC224_FP_R; + EC_K = EC224_FP_K; + EC_S = null; + break; + } + case CURVE_secp256r1: { + EC_FP_P = EC256_FP_P; + EC_A = EC256_FP_A; + EC_B = EC256_FP_B; + EC_G_X = EC256_FP_G_X; + EC_G_Y = EC256_FP_G_Y; + EC_R = EC256_FP_R; + EC_K = EC256_FP_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_secp384r1: { + EC_FP_P = EC384_FP_P; + EC_A = EC384_FP_A; + EC_B = EC384_FP_B; + EC_G_X = EC384_FP_G_X; + EC_G_Y = EC384_FP_G_Y; + EC_R = EC384_FP_R; + EC_K = EC384_FP_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_secp521r1: { + EC_FP_P = EC521_FP_P; + EC_A = EC521_FP_A; + EC_B = EC521_FP_B; + EC_G_X = EC521_FP_G_X; + EC_G_Y = EC521_FP_G_Y; + EC_R = EC521_FP_R; + EC_K = EC521_FP_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_sect163r1: { + EC_F2M_F2M = EC163_F2M_F; + EC_A = EC163_F2M_A; + EC_B = EC163_F2M_B; + EC_G_X = EC163_F2M_G_X; + EC_G_Y = EC163_F2M_G_Y; + EC_R = EC163_F2M_R; + EC_K = EC163_F2M_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_sect233r1: { + EC_F2M_F2M = EC233_F2M_F; + EC_A = EC233_F2M_A; + EC_B = EC233_F2M_B; + EC_G_X = EC233_F2M_G_X; + EC_G_Y = EC233_F2M_G_Y; + EC_R = EC233_F2M_R; + EC_K = EC233_F2M_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_sect283r1: { + EC_F2M_F2M = EC283_F2M_F; + EC_A = EC283_F2M_A; + EC_B = EC283_F2M_B; + EC_G_X = EC283_F2M_G_X; + EC_G_Y = EC283_F2M_G_Y; + EC_R = EC283_F2M_R; + EC_K = EC283_F2M_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_sect409r1: { + EC_F2M_F2M = EC409_F2M_F; + EC_A = EC409_F2M_A; + EC_B = EC409_F2M_B; + EC_G_X = EC409_F2M_G_X; + EC_G_Y = EC409_F2M_G_Y; + EC_R = EC409_F2M_R; + EC_K = EC409_F2M_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + case CURVE_sect571r1: { + EC_F2M_F2M = EC571_F2M_F; + EC_A = EC571_F2M_A; + EC_B = EC571_F2M_B; + EC_G_X = EC571_F2M_G_X; + EC_G_Y = EC571_F2M_G_Y; + EC_R = EC571_F2M_R; + EC_K = EC571_F2M_K; + EC_W_X = null; + EC_W_Y = null; + EC_S = null; + break; + } + default: + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + } + short length = 0; + switch (param) { + case PARAMETER_FP: + if (alg == KeyPair.ALG_EC_FP) { + length = Util.arrayCopyNonAtomic(EC_FP_P, (short) 0, outputBuffer, outputOffset, (short) EC_FP_P.length); + } + break; + case PARAMETER_F2M: + if (alg == KeyPair.ALG_EC_F2M) { + length = Util.arrayCopyNonAtomic(EC_F2M_F2M, (short) 0, outputBuffer, outputOffset, (short) EC_F2M_F2M.length); + } + break; + case PARAMETER_A: + length = Util.arrayCopyNonAtomic(EC_A, (short) 0, outputBuffer, outputOffset, (short) EC_A.length); + break; + case PARAMETER_B: + length = Util.arrayCopyNonAtomic(EC_B, (short) 0, outputBuffer, outputOffset, (short) EC_B.length); + break; + case PARAMETER_G: + length = toX962(outputBuffer, outputOffset, EC_G_X, (short) 0, (short) EC_G_X.length, EC_G_Y, (short) 0, (short) EC_G_Y.length); + break; + case PARAMETER_R: + length = Util.arrayCopyNonAtomic(EC_R, (short) 0, outputBuffer, outputOffset, (short) EC_R.length); + break; + case PARAMETER_K: + length = 2; + Util.setShort(outputBuffer, outputOffset, EC_K); + break; + case PARAMETER_W: + if (EC_W_X == null || EC_W_Y == null) { + return 0; + } + length = toX962(outputBuffer, outputOffset, EC_W_X, (short) 0, (short) EC_W_X.length, EC_W_Y, (short) 0, (short) EC_W_Y.length); + break; + case PARAMETER_S: + if (EC_S == null) { + return 0; + } + length = Util.arrayCopyNonAtomic(EC_S, (short) 0, outputBuffer, outputOffset, (short) EC_S.length); + break; + default: + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + } + return length; + } + + public static short getCorruptCurveParameter(byte curve, short param, byte[] outputBuffer, short outputOffset, byte corruptionType) { + short length = getCurveParameter(curve, param, outputBuffer, outputOffset); + if (length <= 0) { + return length; + } + corruptParameter(corruptionType, outputBuffer, outputOffset, length); + return length; + } + + public static void corruptParameter(byte corruption, byte[] buffer, short offset, short length) { + switch (corruption) { + case CORRUPTION_NONE: + break; + case CORRUPTION_FIXED: + if (length >= 1) { + buffer[offset] = (byte) 0xcc; + buffer[(short) (offset + length - 1)] = (byte) 0xcc; + } + break; + case CORRUPTION_FULLRANDOM: + randomData.generateData(buffer, offset, length); + break; + case CORRUPTION_ONEBYTERANDOM: + short first = Util.getShort(buffer, (short) 0); // save first two bytes + + randomData.generateData(buffer, (short) 0, (short) 2); // generate position + short rngPos = Util.getShort(buffer, (short) 0); // save generated position + + Util.setShort(buffer, (short) 0, first); // restore first two bytes + + if (rngPos < 0) { // make positive + rngPos = (short) -rngPos; + } + rngPos %= length; // make < param length + + byte original = buffer[rngPos]; + do { + randomData.generateData(buffer, rngPos, (short) 1); + } while (original == buffer[rngPos]); + break; + case CORRUPTION_ZERO: + Util.arrayFillNonAtomic(buffer, offset, length, (byte) 0); + break; + case CORRUPTION_ONE: + Util.arrayFillNonAtomic(buffer, offset, length, (byte) 1); + break; + default: + ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); + /* //TODO implement CORRUPT_B_LASTBYTEINCREMENT somehow + case CORRUPT_B_LASTBYTEINCREMENT: + m_ramArray2[(short) (m_lenB - 1)] += 1; + // Make sure its not the valid byte again + if (m_ramArray[(short) (m_lenB - 1)] == m_ramArray2[(short) (m_lenB - 1)]) { + m_ramArray2[(short) (m_lenB - 1)] += 1; // if yes, increment once more + } + break; + } + */ + } + } + + public static byte getCurveType(byte curve) { + return curve <= FP_CURVES ? KeyPair.ALG_EC_FP : KeyPair.ALG_EC_F2M; + } + + public static short toX962(byte[] outputBuffer, short outputOffset, byte[] xBuffer, short xOffset, short xLength, byte[] yBuffer, short yOffset, short yLength) { + short size = 1; + size += xLength; + size += yLength; + + short offset = outputOffset; + outputBuffer[offset] = 0x04; + offset += 1; + + offset = Util.arrayCopyNonAtomic(xBuffer, xOffset, outputBuffer, offset, xLength); + Util.arrayCopyNonAtomic(yBuffer, yOffset, outputBuffer, offset, yLength); + return size; + } + +} |