grpc 1.55.3 → 1.56.0.pre3

data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c

@@ -30,9 +30,9 @@
 #include "internal.h"
 
 
-typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
+typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
                              const uint8_t t[TRUST_TOKEN_NONCE_SIZE]);
-typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
+typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
                              const EC_AFFINE *t,
                              const uint8_t s[TRUST_TOKEN_NONCE_SIZE]);
 typedef int (*hash_c_func_t)(const EC_GROUP *group, EC_SCALAR *out,
@@ -44,7 +44,7 @@ typedef struct {
   const EC_GROUP *group;
   EC_PRECOMP g_precomp;
   EC_PRECOMP h_precomp;
-  EC_RAW_POINT h;
+  EC_JACOBIAN h;
   // hash_t implements the H_t operation in PMBTokens. It returns one on success
   // and zero on error.
   hash_t_func_t hash_t;
@@ -173,11 +173,11 @@ static int cbs_get_prefixed_point(CBS *cbs, const EC_GROUP *group,
   return 1;
 }
 
-static int mul_public_3(const EC_GROUP *group, EC_RAW_POINT *out,
-                        const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
-                        const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
-                        const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) {
-  EC_RAW_POINT points[3] = {*p0, *p1, *p2};
+static int mul_public_3(const EC_GROUP *group, EC_JACOBIAN *out,
+                        const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+                        const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+                        const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {
+  EC_JACOBIAN points[3] = {*p0, *p1, *p2};
   EC_SCALAR scalars[3] = {*scalar0, *scalar1, *scalar2};
   return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,
                                           scalars, 3);
@@ -189,7 +189,7 @@ static int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method,
                                  const EC_SCALAR *x1, const EC_SCALAR *y1,
                                  const EC_SCALAR *xs, const EC_SCALAR *ys) {
   const EC_GROUP *group = method->group;
-  EC_RAW_POINT pub[3];
+  EC_JACOBIAN pub[3];
   if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp,
                                    x0, &method->h_precomp, y0, NULL, NULL) ||
       !ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp,
@@ -303,7 +303,7 @@ static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method,
   }
 
   // Recompute the public key.
-  EC_RAW_POINT pub[3];
+  EC_JACOBIAN pub[3];
   EC_AFFINE pub_affine[3];
   if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, &key->x0,
                                    &method->h_precomp, &key->y0, NULL, NULL) ||
@@ -367,7 +367,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_blind(
     ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);
     ec_scalar_from_montgomery(group, &rinv, &rinv);
 
-    EC_RAW_POINT T, Tp;
+    EC_JACOBIAN T, Tp;
     if (!method->hash_t(group, &T, pretoken->t) ||
         !ec_point_mul_scalar(group, &Tp, &T, &rinv) ||
         !ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {
@@ -516,8 +516,8 @@ err:
 
 static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
                          const TRUST_TOKEN_ISSUER_KEY *priv,
-                         const EC_RAW_POINT *T, const EC_RAW_POINT *S,
-                         const EC_RAW_POINT *W, const EC_RAW_POINT *Ws,
+                         const EC_JACOBIAN *T, const EC_JACOBIAN *S,
+                         const EC_JACOBIAN *W, const EC_JACOBIAN *Ws,
                          uint8_t private_metadata) {
   const EC_GROUP *group = method->group;
 
@@ -537,7 +537,7 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
     idx_Ko1,
     num_idx,
   };
-  EC_RAW_POINT jacobians[num_idx];
+  EC_JACOBIAN jacobians[num_idx];
 
   // Setup the DLEQ proof.
   EC_SCALAR ks0, ks1;
@@ -675,11 +675,11 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
 }
 
 static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
-                       const TRUST_TOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T,
-                       const EC_RAW_POINT *S, const EC_RAW_POINT *W,
-                       const EC_RAW_POINT *Ws) {
+                       const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T,
+                       const EC_JACOBIAN *S, const EC_JACOBIAN *W,
+                       const EC_JACOBIAN *Ws) {
   const EC_GROUP *group = method->group;
-  const EC_RAW_POINT *g = &group->generator->raw;
+  const EC_JACOBIAN *g = &group->generator->raw;
 
   // We verify a DLEQ proof for the validity token and a DLEQOR2 proof for the
   // private metadata token. To allow amortizing Jacobian-to-affine conversions,
@@ -699,7 +699,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
     idx_K11,
     num_idx,
   };
-  EC_RAW_POINT jacobians[num_idx];
+  EC_JACOBIAN jacobians[num_idx];
 
   // Decode the DLEQ proof.
   EC_SCALAR cs, us, vs;
@@ -711,7 +711,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
   }
 
   // Ks = us*(G;T) + vs*(H;S) - cs*(pubs;Ws)
-  EC_RAW_POINT pubs;
+  EC_JACOBIAN pubs;
   ec_affine_to_jacobian(group, &pubs, &pub->pubs);
   EC_SCALAR minus_cs;
   ec_scalar_neg(group, &minus_cs, &cs);
@@ -734,7 +734,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
     return 0;
   }
 
-  EC_RAW_POINT pub0, pub1;
+  EC_JACOBIAN pub0, pub1;
   ec_affine_to_jacobian(group, &pub0, &pub->pub0);
   ec_affine_to_jacobian(group, &pub1, &pub->pub1);
   EC_SCALAR minus_c0, minus_c1;
@@ -803,17 +803,17 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
     return 0;
   }
 
-  if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+  if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
       num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
     OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
     return 0;
   }
 
   int ret = 0;
-  EC_RAW_POINT *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
-  EC_RAW_POINT *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
-  EC_RAW_POINT *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
-  EC_RAW_POINT *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
+  EC_JACOBIAN *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+  EC_JACOBIAN *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+  EC_JACOBIAN *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+  EC_JACOBIAN *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
   EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
   CBB batch_cbb;
   CBB_zero(&batch_cbb);
@@ -831,7 +831,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
 
   for (size_t i = 0; i < num_to_issue; i++) {
     EC_AFFINE Tp_affine;
-    EC_RAW_POINT Tp;
+    EC_JACOBIAN Tp;
     if (!cbs_get_prefixed_point(cbs, group, &Tp_affine, method->prefix_point)) {
       OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
       goto err;
@@ -846,7 +846,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
     uint8_t s[TRUST_TOKEN_NONCE_SIZE];
     RAND_bytes(s, TRUST_TOKEN_NONCE_SIZE);
     // The |jacobians| and |affines| contain Sp, Wp, and Wsp.
-    EC_RAW_POINT jacobians[3];
+    EC_JACOBIAN jacobians[3];
     EC_AFFINE affines[3];
     if (!method->hash_s(group, &jacobians[0], &Tp_affine, s) ||
         !ec_point_mul_scalar_batch(group, &jacobians[1], &Tp, &xb,
@@ -887,7 +887,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
     }
   }
 
-  EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
+  EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
   if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
                                         /*g_scalar=*/NULL, Tps, es,
                                         num_to_issue) ||
@@ -944,7 +944,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
     return NULL;
   }
 
-  if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+  if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
       count > ((size_t)-1) / sizeof(EC_SCALAR)) {
     OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
     return NULL;
@@ -952,10 +952,10 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
 
   int ok = 0;
   STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
-  EC_RAW_POINT *Tps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
-  EC_RAW_POINT *Sps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
-  EC_RAW_POINT *Wps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
-  EC_RAW_POINT *Wsps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
+  EC_JACOBIAN *Tps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+  EC_JACOBIAN *Sps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+  EC_JACOBIAN *Wps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+  EC_JACOBIAN *Wsps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
   EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR));
   CBB batch_cbb;
   CBB_zero(&batch_cbb);
@@ -1003,7 +1003,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
     }
 
     // Unblind the token.
-    EC_RAW_POINT jacobians[3];
+    EC_JACOBIAN jacobians[3];
     EC_AFFINE affines[3];
     if (!ec_point_mul_scalar(group, &jacobians[0], &Sps[i], &pretoken->r) ||
         !ec_point_mul_scalar(group, &jacobians[1], &Wps[i], &pretoken->r) ||
@@ -1050,7 +1050,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
     }
   }
 
-  EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
+  EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
   if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
                                         /*g_scalar=*/NULL, Tps, es, count) ||
       !ec_point_mul_scalar_public_batch(group, &Sp_batch,
@@ -1116,14 +1116,14 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
     OPENSSL_memcpy(out_nonce, CBS_data(&salt), CBS_len(&salt));
   }
 
-  EC_RAW_POINT T;
+  EC_JACOBIAN T;
   if (!method->hash_t(group, &T, out_nonce)) {
     return 0;
   }
 
   // We perform three multiplications with S and T. This is enough that it is
   // worth using |ec_point_mul_scalar_precomp|.
-  EC_RAW_POINT S_jacobian;
+  EC_JACOBIAN S_jacobian;
   EC_PRECOMP S_precomp, T_precomp;
   ec_affine_to_jacobian(group, &S_jacobian, &S);
   if (!ec_init_precomp(group, &S_precomp, &S_jacobian) ||
@@ -1131,7 +1131,7 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
     return 0;
   }
 
-  EC_RAW_POINT Ws_calculated;
+  EC_JACOBIAN Ws_calculated;
   // Check the validity of the token.
   if (!ec_point_mul_scalar_precomp(group, &Ws_calculated, &T_precomp, &key->xs,
                                    &S_precomp, &key->ys, NULL, NULL) ||
@@ -1140,7 +1140,7 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
     return 0;
   }
 
-  EC_RAW_POINT W0, W1;
+  EC_JACOBIAN W0, W1;
   if (!ec_point_mul_scalar_precomp(group, &W0, &T_precomp, &key->x0, &S_precomp,
                                    &key->y0, NULL, NULL) ||
       !ec_point_mul_scalar_precomp(group, &W1, &T_precomp, &key->x1, &S_precomp,
@@ -1164,14 +1164,14 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
 
 // PMBTokens experiment v1.
 
-static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
                                 const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
   const uint8_t kHashTLabel[] = "PMBTokens Experiment V1 HashT";
   return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
       group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
 }
 
-static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
                                 const EC_AFFINE *t,
                                 const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
   const uint8_t kHashSLabel[] = "PMBTokens Experiment V1 HashS";
@@ -1337,14 +1337,14 @@ int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]) {
 
 // PMBTokens experiment v2.
 
-static int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
                                 const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
   const uint8_t kHashTLabel[] = "PMBTokens Experiment V2 HashT";
   return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
       group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
 }
 
-static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
                                 const EC_AFFINE *t,
                                 const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
   const uint8_t kHashSLabel[] = "PMBTokens Experiment V2 HashS";
@@ -1508,3 +1508,177 @@ int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]) {
          ec_point_to_bytes(pmbtoken_exp2_method.group, &h,
                            POINT_CONVERSION_UNCOMPRESSED, out, 97) == 97;
 }
+
+// PMBTokens PST v1.
+
+static int pmbtoken_pst1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
+                                const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
+  const uint8_t kHashTLabel[] = "PMBTokens PST V1 HashT";
+  return ec_hash_to_curve_p384_xmd_sha384_sswu(
+      group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
+}
+
+static int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
+                                const EC_AFFINE *t,
+                                const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
+  const uint8_t kHashSLabel[] = "PMBTokens PST V1 HashS";
+  int ret = 0;
+  CBB cbb;
+  uint8_t *buf = NULL;
+  size_t len;
+  if (!CBB_init(&cbb, 0) ||
+      !point_to_cbb(&cbb, group, t) ||
+      !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) ||
+      !CBB_finish(&cbb, &buf, &len) ||
+      !ec_hash_to_curve_p384_xmd_sha384_sswu(
+          group, out, kHashSLabel, sizeof(kHashSLabel), buf, len)) {
+    goto err;
+  }
+
+  ret = 1;
+
+err:
+  OPENSSL_free(buf);
+  CBB_cleanup(&cbb);
+  return ret;
+}
+
+static int pmbtoken_pst1_hash_c(const EC_GROUP *group, EC_SCALAR *out,
+                                uint8_t *buf, size_t len) {
+  const uint8_t kHashCLabel[] = "PMBTokens PST V1 HashC";
+  return ec_hash_to_scalar_p384_xmd_sha384(
+      group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);
+}
+
+static int pmbtoken_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
+                                        uint8_t *buf, size_t len) {
+  const uint8_t kHashLabel[] = "PMBTokens PST V1 HashToScalar";
+  return ec_hash_to_scalar_p384_xmd_sha384(
+      group, out, kHashLabel, sizeof(kHashLabel), buf, len);
+}
+
+static int pmbtoken_pst1_ok = 0;
+static PMBTOKEN_METHOD pmbtoken_pst1_method;
+static CRYPTO_once_t pmbtoken_pst1_method_once = CRYPTO_ONCE_INIT;
+
+static void pmbtoken_pst1_init_method_impl(void) {
+  // This is the output of |ec_hash_to_scalar_p384_xmd_sha384| with DST
+  // "PMBTokens PST V1 HashH" and message "generator".
+  static const uint8_t kH[] = {
+      0x04, 0x4c, 0xfa, 0xd4, 0x33, 0x6d, 0x8c, 0x4e, 0x18, 0xce, 0x1a,
+      0x82, 0x7b, 0x53, 0x8c, 0xf8, 0x63, 0x18, 0xe5, 0xa3, 0x96, 0x0d,
+      0x05, 0xde, 0xf4, 0x83, 0xa7, 0xd8, 0xde, 0x9c, 0x50, 0x81, 0x38,
+      0xc9, 0x38, 0x25, 0xa3, 0x70, 0x97, 0xc1, 0x1c, 0x33, 0x2e, 0x83,
+      0x68, 0x64, 0x9c, 0x53, 0x73, 0xc3, 0x03, 0xc1, 0xa9, 0xd8, 0x92,
+      0xa2, 0x32, 0xf4, 0x22, 0x40, 0x07, 0x2d, 0x9b, 0x6f, 0xab, 0xff,
+      0x2a, 0x92, 0x03, 0xb1, 0x73, 0x09, 0x1a, 0x6a, 0x4a, 0xc2, 0x4c,
+      0xac, 0x13, 0x59, 0xf4, 0x28, 0x0e, 0x78, 0x69, 0xa5, 0xdf, 0x0d,
+      0x74, 0xeb, 0x14, 0xca, 0x8a, 0x32, 0xbb, 0xd3, 0x91
+  };
+
+  pmbtoken_pst1_ok = pmbtoken_init_method(
+      &pmbtoken_pst1_method, NID_secp384r1, kH, sizeof(kH),
+      pmbtoken_pst1_hash_t, pmbtoken_pst1_hash_s, pmbtoken_pst1_hash_c,
+      pmbtoken_pst1_hash_to_scalar, 0);
+}
+
+static int pmbtoken_pst1_init_method(void) {
+  CRYPTO_once(&pmbtoken_pst1_method_once, pmbtoken_pst1_init_method_impl);
+  if (!pmbtoken_pst1_ok) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+  return 1;
+}
+
+int pmbtoken_pst1_generate_key(CBB *out_private, CBB *out_public) {
+  if (!pmbtoken_pst1_init_method()) {
+    return 0;
+  }
+
+  return pmbtoken_generate_key(&pmbtoken_pst1_method, out_private, out_public);
+}
+
+
+int pmbtoken_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public,
+                                         const uint8_t *secret,
+                                         size_t secret_len) {
+  if (!pmbtoken_pst1_init_method()) {
+    return 0;
+  }
+
+  return pmbtoken_derive_key_from_secret(&pmbtoken_pst1_method, out_private,
+                                         out_public, secret, secret_len);
+}
+
+int pmbtoken_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
+                                        const uint8_t *in, size_t len) {
+  if (!pmbtoken_pst1_init_method()) {
+    return 0;
+  }
+  return pmbtoken_client_key_from_bytes(&pmbtoken_pst1_method, key, in, len);
+}
+
+int pmbtoken_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
+                                        const uint8_t *in, size_t len) {
+  if (!pmbtoken_pst1_init_method()) {
+    return 0;
+  }
+  return pmbtoken_issuer_key_from_bytes(&pmbtoken_pst1_method, key, in, len);
+}
+
+STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_pst1_blind(CBB *cbb, size_t count,
+                                                    int include_message,
+                                                    const uint8_t *msg,
+                                                    size_t msg_len) {
+  if (!pmbtoken_pst1_init_method()) {
+    return NULL;
+  }
+  return pmbtoken_blind(&pmbtoken_pst1_method, cbb, count, include_message, msg,
+                        msg_len);
+}
+
+int pmbtoken_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
+                       size_t num_requested, size_t num_to_issue,
+                       uint8_t private_metadata) {
+  if (!pmbtoken_pst1_init_method()) {
+    return 0;
+  }
+  return pmbtoken_sign(&pmbtoken_pst1_method, key, cbb, cbs, num_requested,
+                       num_to_issue, private_metadata);
+}
+
+STACK_OF(TRUST_TOKEN) *pmbtoken_pst1_unblind(
+    const TRUST_TOKEN_CLIENT_KEY *key,
+    const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
+    uint32_t key_id) {
+  if (!pmbtoken_pst1_init_method()) {
+    return NULL;
+  }
+  return pmbtoken_unblind(&pmbtoken_pst1_method, key, pretokens, cbs, count,
+                          key_id);
+}
+
+int pmbtoken_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key,
+                       uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
+                       uint8_t *out_private_metadata, const uint8_t *token,
+                       size_t token_len, int include_message,
+                       const uint8_t *msg, size_t msg_len) {
+  if (!pmbtoken_pst1_init_method()) {
+    return 0;
+  }
+  return pmbtoken_read(&pmbtoken_pst1_method, key, out_nonce,
+                       out_private_metadata, token, token_len, include_message,
+                       msg, msg_len);
+}
+
+int pmbtoken_pst1_get_h_for_testing(uint8_t out[97]) {
+  if (!pmbtoken_pst1_init_method()) {
+    return 0;
+  }
+  EC_AFFINE h;
+  return ec_jacobian_to_affine(pmbtoken_pst1_method.group, &h,
+                               &pmbtoken_pst1_method.h) &&
+         ec_point_to_bytes(pmbtoken_pst1_method.group, &h,
+                           POINT_CONVERSION_UNCOMPRESSED, out, 97) == 97;
+}

data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c

@@ -78,6 +78,41 @@ const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_pmb(void) {
   return &kMethod;
 }
 
+const TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_voprf(void) {
+  static const TRUST_TOKEN_METHOD kMethod = {
+      voprf_pst1_generate_key,
+      voprf_pst1_derive_key_from_secret,
+      voprf_pst1_client_key_from_bytes,
+      voprf_pst1_issuer_key_from_bytes,
+      voprf_pst1_blind,
+      voprf_pst1_sign,
+      voprf_pst1_unblind,
+      voprf_pst1_read,
+      0, /* has_private_metadata */
+      6, /* max_keys */
+      0, /* has_srr */
+  };
+  return &kMethod;
+}
+
+const TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_pmb(void) {
+  static const TRUST_TOKEN_METHOD kMethod = {
+      pmbtoken_pst1_generate_key,
+      pmbtoken_pst1_derive_key_from_secret,
+      pmbtoken_pst1_client_key_from_bytes,
+      pmbtoken_pst1_issuer_key_from_bytes,
+      pmbtoken_pst1_blind,
+      pmbtoken_pst1_sign,
+      pmbtoken_pst1_unblind,
+      pmbtoken_pst1_read,
+      1, /* has_private_metadata */
+      3, /* max_keys */
+      0, /* has_srr */
+  };
+  return &kMethod;
+}
+
+
 void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *pretoken) {
   OPENSSL_free(pretoken);
 }