Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/pubkey/ecdsa/ecdsa.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* ECDSA implemenation
3
* (C) 2007 Manuel Hartl, FlexSecure GmbH
4
*     2007 Falko Strenzke, FlexSecure GmbH
5
*     2008-2010,2015,2016,2018 Jack Lloyd
6
*     2016 René Korthaus
7
*
8
* Botan is released under the Simplified BSD License (see license.txt)
9
*/
10
11
#include <botan/ecdsa.h>
12
#include <botan/internal/pk_ops_impl.h>
13
#include <botan/internal/point_mul.h>
14
#include <botan/keypair.h>
15
#include <botan/reducer.h>
16
#include <botan/emsa.h>
17
18
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19
  #include <botan/rfc6979.h>
20
#endif
21
22
#if defined(BOTAN_HAS_OPENSSL)
23
  #include <botan/internal/openssl.h>
24
#endif
25
26
namespace Botan {
27
28
namespace {
29
30
PointGFp recover_ecdsa_public_key(const EC_Group& group,
31
                                  const std::vector<uint8_t>& msg,
32
                                  const BigInt& r,
33
                                  const BigInt& s,
34
                                  uint8_t v)
35
0
   {
36
0
   if(group.get_cofactor() != 1)
37
0
      throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");
38
0
39
0
   if(v > 4)
40
0
      throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");
41
0
42
0
   const uint8_t y_odd = v % 2;
43
0
   const uint8_t add_order = v >> 1;
44
0
45
0
   const BigInt& group_order = group.get_order();
46
0
   const size_t p_bytes = group.get_p_bytes();
47
0
48
0
   try
49
0
      {
50
0
      const BigInt e(msg.data(), msg.size(), group.get_order_bits());
51
0
      const BigInt r_inv = group.inverse_mod_order(r);
52
0
53
0
      BigInt x = r + add_order*group_order;
54
0
55
0
      std::vector<uint8_t> X(p_bytes + 1);
56
0
57
0
      X[0] = 0x02 | y_odd;
58
0
      BigInt::encode_1363(&X[1], p_bytes, x);
59
0
60
0
      const PointGFp R = group.OS2ECP(X);
61
0
62
0
      if((R*group_order).is_zero() == false)
63
0
         throw Decoding_Error("Unable to recover ECDSA public key");
64
0
65
0
      // Compute r_inv * (s*R - eG)
66
0
      PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
67
0
      const BigInt ne = group.mod_order(group_order - e);
68
0
      return r_inv * RG_mul.multi_exp(s, ne);
69
0
      }
70
0
   catch(...)
71
0
      {
72
0
      // continue on and throw
73
0
      }
74
0
75
0
   throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
76
0
   }
77
78
}
79
80
ECDSA_PublicKey::ECDSA_PublicKey(const EC_Group& group,
81
                                 const std::vector<uint8_t>& msg,
82
                                 const BigInt& r,
83
                                 const BigInt& s,
84
                                 uint8_t v) :
85
0
   EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}
Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char)
Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char)
86
87
88
uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
89
                                        const BigInt& r,
90
                                        const BigInt& s) const
91
0
   {
92
0
   for(uint8_t v = 0; v != 4; ++v)
93
0
      {
94
0
      try
95
0
         {
96
0
         PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);
97
0
98
0
         if(R == this->public_point())
99
0
            {
100
0
            return v;
101
0
            }
102
0
         }
103
0
      catch(Decoding_Error&)
104
0
         {
105
0
         // try the next v
106
0
         }
107
0
      }
108
0
109
0
   throw Internal_Error("Could not determine ECDSA recovery parameter");
110
0
   }
111
112
bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
113
                                 bool strong) const
114
0
   {
115
0
   if(!public_point().on_the_curve())
116
0
      return false;
117
0
118
0
   if(!strong)
119
0
      return true;
120
0
121
0
   return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
122
0
   }
123
124
namespace {
125
126
/**
127
* ECDSA signature operation
128
*/
129
class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
130
   {
131
   public:
132
133
      ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
134
                                const std::string& emsa,
135
                                RandomNumberGenerator& rng) :
136
         PK_Ops::Signature_with_EMSA(emsa),
137
         m_group(ecdsa.domain()),
138
         m_x(ecdsa.private_value())
139
0
         {
140
0
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
141
0
         m_rfc6979.reset(new RFC6979_Nonce_Generator(hash_for_emsa(emsa), m_group.get_order(), m_x));
142
0
#endif
143
0
144
0
         m_b = m_group.random_scalar(rng);
145
0
         m_b_inv = m_group.inverse_mod_order(m_b);
146
0
         }
147
148
0
      size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
149
150
0
      size_t max_input_bits() const override { return m_group.get_order_bits(); }
151
152
      secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
153
                                      RandomNumberGenerator& rng) override;
154
155
   private:
156
      const EC_Group m_group;
157
      const BigInt& m_x;
158
159
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
160
      std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
161
#endif
162
163
      std::vector<BigInt> m_ws;
164
165
      BigInt m_b, m_b_inv;
166
   };
167
168
secure_vector<uint8_t>
169
ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
170
                                    RandomNumberGenerator& rng)
171
0
   {
172
0
   BigInt m(msg, msg_len, m_group.get_order_bits());
173
0
174
0
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
175
0
   const BigInt k = m_rfc6979->nonce_for(m);
176
#else
177
   const BigInt k = m_group.random_scalar(rng);
178
#endif
179
180
0
   const BigInt r = m_group.mod_order(
181
0
      m_group.blinded_base_point_multiply_x(k, rng, m_ws));
182
0
183
0
   const BigInt k_inv = m_group.inverse_mod_order(k);
184
0
185
0
   /*
186
0
   * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
187
0
   */
188
0
   m_b = m_group.square_mod_order(m_b);
189
0
   m_b_inv = m_group.square_mod_order(m_b_inv);
190
0
191
0
   m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
192
0
   const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
193
0
194
0
   const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
195
0
196
0
   // With overwhelming probability, a bug rather than actual zero r/s
197
0
   if(r.is_zero() || s.is_zero())
198
0
      throw Internal_Error("During ECDSA signature generated zero r/s");
199
0
200
0
   return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
201
0
   }
202
203
/**
204
* ECDSA verification operation
205
*/
206
class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
207
   {
208
   public:
209
      ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
210
                                   const std::string& emsa) :
211
         PK_Ops::Verification_with_EMSA(emsa),
212
         m_group(ecdsa.domain()),
213
         m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
214
1.08k
         {
215
1.08k
         }
216
217
373
      size_t max_input_bits() const override { return m_group.get_order_bits(); }
218
219
373
      bool with_recovery() const override { return false; }
220
221
      bool verify(const uint8_t msg[], size_t msg_len,
222
                  const uint8_t sig[], size_t sig_len) override;
223
   private:
224
      const EC_Group m_group;
225
      const PointGFp_Multi_Point_Precompute m_gy_mul;
226
   };
227
228
bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
229
                                          const uint8_t sig[], size_t sig_len)
230
373
   {
231
373
   if(sig_len != m_group.get_order_bytes() * 2)
232
0
      return false;
233
373
234
373
   const BigInt e(msg, msg_len, m_group.get_order_bits());
235
373
236
373
   const BigInt r(sig, sig_len / 2);
237
373
   const BigInt s(sig + sig_len / 2, sig_len / 2);
238
373
239
373
   if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
240
10
      return false;
241
363
242
363
   const BigInt w = m_group.inverse_mod_order(s);
243
363
244
363
   const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
245
363
   const BigInt u2 = m_group.multiply_mod_order(r, w);
246
363
   const PointGFp R = m_gy_mul.multi_exp(u1, u2);
247
363
248
363
   if(R.is_zero())
249
18
      return false;
250
345
251
345
   const BigInt v = m_group.mod_order(R.get_affine_x());
252
345
   return (v == r);
253
345
   }
254
255
}
256
257
std::unique_ptr<PK_Ops::Verification>
258
ECDSA_PublicKey::create_verification_op(const std::string& params,
259
                                        const std::string& provider) const
260
1.08k
   {
261
#if defined(BOTAN_HAS_OPENSSL)
262
   if(provider == "openssl" || provider.empty())
263
      {
264
      try
265
         {
266
         return make_openssl_ecdsa_ver_op(*this, params);
267
         }
268
      catch(Lookup_Error& e)
269
         {
270
         if(provider == "openssl")
271
            throw;
272
         }
273
      }
274
#endif
275
276
1.08k
   if(provider == "base" || provider.empty())
277
1.08k
      return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params));
278
0
279
0
   throw Provider_Not_Found(algo_name(), provider);
280
0
   }
281
282
std::unique_ptr<PK_Ops::Signature>
283
ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
284
                                      const std::string& params,
285
                                      const std::string& provider) const
286
0
   {
287
#if defined(BOTAN_HAS_OPENSSL)
288
   if(provider == "openssl" || provider.empty())
289
      {
290
      try
291
         {
292
         return make_openssl_ecdsa_sig_op(*this, params);
293
         }
294
      catch(Lookup_Error& e)
295
         {
296
         if(provider == "openssl")
297
            throw;
298
         }
299
      }
300
#endif
301
302
0
   if(provider == "base" || provider.empty())
303
0
      return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng));
304
0
305
0
   throw Provider_Not_Found(algo_name(), provider);
306
0
   }
307
308
}