/src/botan/src/lib/pk_pad/iso9796/iso9796.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * ISO-9796-2 - Digital signature schemes giving message recovery schemes 2 and 3 |
3 | | * (C) 2016 Tobias Niemann, Hackmanit GmbH |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/iso9796.h> |
9 | | #include <botan/rng.h> |
10 | | #include <botan/exceptn.h> |
11 | | #include <botan/mgf1.h> |
12 | | #include <botan/hash_id.h> |
13 | | #include <botan/internal/bit_ops.h> |
14 | | #include <botan/internal/ct_utils.h> |
15 | | |
16 | | namespace Botan { |
17 | | |
18 | | namespace { |
19 | | |
20 | | secure_vector<uint8_t> iso9796_encoding(const secure_vector<uint8_t>& msg, |
21 | | size_t output_bits, |
22 | | std::unique_ptr<HashFunction>& hash, |
23 | | size_t SALT_SIZE, |
24 | | bool implicit, |
25 | | RandomNumberGenerator& rng) |
26 | 0 | { |
27 | 0 | const size_t output_length = (output_bits + 7) / 8; |
28 | 0 |
|
29 | 0 | //set trailer length |
30 | 0 | size_t tLength = 1; |
31 | 0 | if(!implicit) |
32 | 0 | { |
33 | 0 | tLength = 2; |
34 | 0 | } |
35 | 0 | const size_t HASH_SIZE = hash->output_length(); |
36 | 0 |
|
37 | 0 | if(output_length <= HASH_SIZE + SALT_SIZE + tLength) |
38 | 0 | { |
39 | 0 | throw Encoding_Error("ISO9796-2::encoding_of: Output length is too small"); |
40 | 0 | } |
41 | 0 | |
42 | 0 | //calculate message capacity |
43 | 0 | const size_t capacity = output_length - HASH_SIZE - SALT_SIZE - tLength - 1; |
44 | 0 |
|
45 | 0 | //msg1 is the recoverable and msg2 the unrecoverable message part. |
46 | 0 | secure_vector<uint8_t> msg1; |
47 | 0 | secure_vector<uint8_t> msg2; |
48 | 0 | if(msg.size() > capacity) |
49 | 0 | { |
50 | 0 | msg1 = secure_vector<uint8_t>(msg.begin(), msg.begin() + capacity); |
51 | 0 | msg2 = secure_vector<uint8_t>(msg.begin() + capacity, msg.end()); |
52 | 0 | hash->update(msg2); |
53 | 0 | } |
54 | 0 | else |
55 | 0 | { |
56 | 0 | msg1 = msg; |
57 | 0 | } |
58 | 0 | msg2 = hash->final(); |
59 | 0 |
|
60 | 0 | //compute H(C||msg1 ||H(msg2)||S) |
61 | 0 | const size_t msgLength = msg1.size(); |
62 | 0 | secure_vector<uint8_t> salt = rng.random_vec(SALT_SIZE); |
63 | 0 | hash->update_be(static_cast<uint64_t>(msgLength) * 8); |
64 | 0 | hash->update(msg1); |
65 | 0 | hash->update(msg2); |
66 | 0 | hash->update(salt); |
67 | 0 | secure_vector<uint8_t> H = hash->final(); |
68 | 0 |
|
69 | 0 | secure_vector<uint8_t> EM(output_length); |
70 | 0 |
|
71 | 0 | //compute message offset. |
72 | 0 | const size_t offset = output_length - HASH_SIZE - SALT_SIZE - tLength - msgLength - 1; |
73 | 0 |
|
74 | 0 | //insert message border (0x01), msg1 and salt into the output buffer |
75 | 0 | EM[offset] = 0x01; |
76 | 0 | buffer_insert(EM, offset + 1, msg1); |
77 | 0 | buffer_insert(EM, offset + 1 + msgLength, salt); |
78 | 0 |
|
79 | 0 | //apply mask |
80 | 0 | mgf1_mask(*hash, H.data(), HASH_SIZE, EM.data(), |
81 | 0 | output_length - HASH_SIZE - tLength); |
82 | 0 | buffer_insert(EM, output_length - HASH_SIZE - tLength, H); |
83 | 0 | //set implicit/ISO trailer |
84 | 0 | if(!implicit) |
85 | 0 | { |
86 | 0 | uint8_t hash_id = ieee1363_hash_id(hash->name()); |
87 | 0 | if(!hash_id) |
88 | 0 | { |
89 | 0 | throw Encoding_Error("ISO9796-2::encoding_of: no hash identifier for " + hash->name()); |
90 | 0 | } |
91 | 0 | EM[output_length - 1] = 0xCC; |
92 | 0 | EM[output_length - 2] = hash_id; |
93 | 0 |
|
94 | 0 | } |
95 | 0 | else |
96 | 0 | { |
97 | 0 | EM[output_length - 1] = 0xBC; |
98 | 0 | } |
99 | 0 | //clear the leftmost bit (confer bouncy castle) |
100 | 0 | EM[0] &= 0x7F; |
101 | 0 |
|
102 | 0 | return EM; |
103 | 0 | } |
104 | | |
105 | | bool iso9796_verification(const secure_vector<uint8_t>& const_coded, |
106 | | const secure_vector<uint8_t>& raw, size_t key_bits, std::unique_ptr<HashFunction>& hash, size_t SALT_SIZE) |
107 | 0 | { |
108 | 0 | const size_t HASH_SIZE = hash->output_length(); |
109 | 0 | const size_t KEY_BYTES = (key_bits + 7) / 8; |
110 | 0 |
|
111 | 0 | if(const_coded.size() != KEY_BYTES) |
112 | 0 | { |
113 | 0 | return false; |
114 | 0 | } |
115 | 0 | //get trailer length |
116 | 0 | size_t tLength; |
117 | 0 | if(const_coded[const_coded.size() - 1] == 0xBC) |
118 | 0 | { |
119 | 0 | tLength = 1; |
120 | 0 | } |
121 | 0 | else |
122 | 0 | { |
123 | 0 | uint8_t hash_id = ieee1363_hash_id(hash->name()); |
124 | 0 | if((!const_coded[const_coded.size() - 2]) || (const_coded[const_coded.size() - 2] != hash_id) || |
125 | 0 | (const_coded[const_coded.size() - 1] != 0xCC)) |
126 | 0 | { |
127 | 0 | return false; //in case of wrong ISO trailer. |
128 | 0 | } |
129 | 0 | tLength = 2; |
130 | 0 | } |
131 | 0 |
|
132 | 0 | secure_vector<uint8_t> coded = const_coded; |
133 | 0 |
|
134 | 0 | CT::poison(coded.data(), coded.size()); |
135 | 0 | //remove mask |
136 | 0 | uint8_t* DB = coded.data(); |
137 | 0 | const size_t DB_size = coded.size() - HASH_SIZE - tLength; |
138 | 0 |
|
139 | 0 | const uint8_t* H = &coded[DB_size]; |
140 | 0 |
|
141 | 0 | mgf1_mask(*hash, H, HASH_SIZE, DB, DB_size); |
142 | 0 | //clear the leftmost bit (confer bouncy castle) |
143 | 0 | DB[0] &= 0x7F; |
144 | 0 |
|
145 | 0 | //recover msg1 and salt |
146 | 0 | size_t msg1_offset = 1; |
147 | 0 |
|
148 | 0 | auto waiting_for_delim = CT::Mask<uint8_t>::set(); |
149 | 0 | auto bad_input = CT::Mask<uint8_t>::cleared(); |
150 | 0 |
|
151 | 0 | for(size_t j = 0; j < DB_size; ++j) |
152 | 0 | { |
153 | 0 | const auto is_zero = CT::Mask<uint8_t>::is_zero(DB[j]); |
154 | 0 | const auto is_one = CT::Mask<uint8_t>::is_equal(DB[j], 0x01); |
155 | 0 |
|
156 | 0 | const auto add_m = waiting_for_delim & is_zero; |
157 | 0 |
|
158 | 0 | bad_input |= waiting_for_delim & ~(is_zero | is_one); |
159 | 0 | msg1_offset += add_m.if_set_return(1); |
160 | 0 |
|
161 | 0 | waiting_for_delim &= is_zero; |
162 | 0 | } |
163 | 0 |
|
164 | 0 | //invalid, if delimiter 0x01 was not found or msg1_offset is too big |
165 | 0 | bad_input |= waiting_for_delim; |
166 | 0 | bad_input |= CT::Mask<size_t>::is_lt(coded.size(), tLength + HASH_SIZE + msg1_offset + SALT_SIZE); |
167 | 0 |
|
168 | 0 | //in case that msg1_offset is too big, just continue with offset = 0. |
169 | 0 | msg1_offset = CT::Mask<size_t>::expand(bad_input.value()).if_not_set_return(msg1_offset); |
170 | 0 |
|
171 | 0 | CT::unpoison(coded.data(), coded.size()); |
172 | 0 | CT::unpoison(msg1_offset); |
173 | 0 |
|
174 | 0 | secure_vector<uint8_t> msg1(coded.begin() + msg1_offset, |
175 | 0 | coded.end() - tLength - HASH_SIZE - SALT_SIZE); |
176 | 0 | secure_vector<uint8_t> salt(coded.begin() + msg1_offset + msg1.size(), |
177 | 0 | coded.end() - tLength - HASH_SIZE); |
178 | 0 |
|
179 | 0 | //compute H2(C||msg1||H(msg2)||S*). * indicates a recovered value |
180 | 0 | const size_t capacity = (key_bits - 2 + 7) / 8 - HASH_SIZE - SALT_SIZE - tLength - 1; |
181 | 0 | secure_vector<uint8_t> msg1raw; |
182 | 0 | secure_vector<uint8_t> msg2; |
183 | 0 | if(raw.size() > capacity) |
184 | 0 | { |
185 | 0 | msg1raw = secure_vector<uint8_t> (raw.begin(), raw.begin() + capacity); |
186 | 0 | msg2 = secure_vector<uint8_t> (raw.begin() + capacity, raw.end()); |
187 | 0 | hash->update(msg2); |
188 | 0 | } |
189 | 0 | else |
190 | 0 | { |
191 | 0 | msg1raw = raw; |
192 | 0 | } |
193 | 0 | msg2 = hash->final(); |
194 | 0 |
|
195 | 0 | const uint64_t msg1rawLength = msg1raw.size(); |
196 | 0 | hash->update_be(msg1rawLength * 8); |
197 | 0 | hash->update(msg1raw); |
198 | 0 | hash->update(msg2); |
199 | 0 | hash->update(salt); |
200 | 0 | secure_vector<uint8_t> H3 = hash->final(); |
201 | 0 |
|
202 | 0 | //compute H3(C*||msg1*||H(msg2)||S*) * indicates a recovered value |
203 | 0 | const uint64_t msgLength = msg1.size(); |
204 | 0 | hash->update_be(msgLength * 8); |
205 | 0 | hash->update(msg1); |
206 | 0 | hash->update(msg2); |
207 | 0 | hash->update(salt); |
208 | 0 | secure_vector<uint8_t> H2 = hash->final(); |
209 | 0 |
|
210 | 0 | //check if H3 == H2 |
211 | 0 | bad_input |= CT::Mask<uint8_t>::is_zero(ct_compare_u8(H3.data(), H2.data(), HASH_SIZE)); |
212 | 0 |
|
213 | 0 | CT::unpoison(bad_input); |
214 | 0 | return (bad_input.is_set() == false); |
215 | 0 | } |
216 | | |
217 | | } |
218 | | |
219 | | EMSA* ISO_9796_DS2::clone() |
220 | 0 | { |
221 | 0 | return new ISO_9796_DS2(m_hash->clone(), m_implicit, m_SALT_SIZE); |
222 | 0 | } |
223 | | |
224 | | /* |
225 | | * ISO-9796-2 signature scheme 2 |
226 | | * DS 2 is probabilistic |
227 | | */ |
228 | | void ISO_9796_DS2::update(const uint8_t input[], size_t length) |
229 | 0 | { |
230 | 0 | //need to buffer message completely, before digest |
231 | 0 | m_msg_buffer.insert(m_msg_buffer.end(), input, input+length); |
232 | 0 | } |
233 | | |
234 | | /* |
235 | | * Return the raw (unencoded) data |
236 | | */ |
237 | | secure_vector<uint8_t> ISO_9796_DS2::raw_data() |
238 | 0 | { |
239 | 0 | secure_vector<uint8_t> retbuffer = m_msg_buffer; |
240 | 0 | m_msg_buffer.clear(); |
241 | 0 | return retbuffer; |
242 | 0 | } |
243 | | |
244 | | /* |
245 | | * ISO-9796-2 scheme 2 encode operation |
246 | | */ |
247 | | secure_vector<uint8_t> ISO_9796_DS2::encoding_of(const secure_vector<uint8_t>& msg, |
248 | | size_t output_bits, |
249 | | RandomNumberGenerator& rng) |
250 | 0 | { |
251 | 0 | return iso9796_encoding(msg, output_bits, m_hash, m_SALT_SIZE, m_implicit, rng); |
252 | 0 | } |
253 | | |
254 | | /* |
255 | | * ISO-9796-2 scheme 2 verify operation |
256 | | */ |
257 | | bool ISO_9796_DS2::verify(const secure_vector<uint8_t>& const_coded, |
258 | | const secure_vector<uint8_t>& raw, size_t key_bits) |
259 | 0 | { |
260 | 0 | return iso9796_verification(const_coded, raw, key_bits, m_hash, m_SALT_SIZE); |
261 | 0 | } |
262 | | |
263 | | /* |
264 | | * Return the SCAN name |
265 | | */ |
266 | | std::string ISO_9796_DS2::name() const |
267 | 0 | { |
268 | 0 | return "ISO_9796_DS2(" + m_hash->name() + "," |
269 | 0 | + (m_implicit ? "imp" : "exp") + "," + std::to_string(m_SALT_SIZE) + ")"; |
270 | 0 | } |
271 | | |
272 | | EMSA* ISO_9796_DS3::clone() |
273 | 0 | { |
274 | 0 | return new ISO_9796_DS3(m_hash->clone(), m_implicit); |
275 | 0 | } |
276 | | |
277 | | /* |
278 | | * ISO-9796-2 signature scheme 3 |
279 | | * DS 3 is deterministic and equals DS2 without salt |
280 | | */ |
281 | | void ISO_9796_DS3::update(const uint8_t input[], size_t length) |
282 | 0 | { |
283 | 0 | //need to buffer message completely, before digest |
284 | 0 | m_msg_buffer.insert(m_msg_buffer.end(), input, input+length); |
285 | 0 | } |
286 | | |
287 | | /* |
288 | | * Return the raw (unencoded) data |
289 | | */ |
290 | | secure_vector<uint8_t> ISO_9796_DS3::raw_data() |
291 | 0 | { |
292 | 0 | secure_vector<uint8_t> retbuffer = m_msg_buffer; |
293 | 0 | m_msg_buffer.clear(); |
294 | 0 | return retbuffer; |
295 | 0 | } |
296 | | |
297 | | /* |
298 | | * ISO-9796-2 scheme 3 encode operation |
299 | | */ |
300 | | secure_vector<uint8_t> ISO_9796_DS3::encoding_of(const secure_vector<uint8_t>& msg, |
301 | | size_t output_bits, RandomNumberGenerator& rng) |
302 | 0 | { |
303 | 0 | return iso9796_encoding(msg, output_bits, m_hash, 0, m_implicit, rng); |
304 | 0 | } |
305 | | |
306 | | /* |
307 | | * ISO-9796-2 scheme 3 verify operation |
308 | | */ |
309 | | bool ISO_9796_DS3::verify(const secure_vector<uint8_t>& const_coded, |
310 | | const secure_vector<uint8_t>& raw, size_t key_bits) |
311 | 0 | { |
312 | 0 | return iso9796_verification(const_coded, raw, key_bits, m_hash, 0); |
313 | 0 | } |
314 | | /* |
315 | | * Return the SCAN name |
316 | | */ |
317 | | std::string ISO_9796_DS3::name() const |
318 | 0 | { |
319 | 0 | return "ISO_9796_DS3(" + m_hash->name() + "," + |
320 | 0 | (m_implicit ? "imp" : "exp") + ")"; |
321 | 0 | } |
322 | | } |