/src/botan/src/lib/pubkey/ecdsa/ecdsa.cpp

Source (jump to first uncovered line)
/*
* ECDSA implemenation
* (C) 2007 Manuel Hartl, FlexSecure GmbH
*     2007 Falko Strenzke, FlexSecure GmbH
*     2008-2010,2015,2016,2018 Jack Lloyd
*     2016 René Korthaus
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/ecdsa.h>
#include <botan/internal/pk_ops_impl.h>
#include <botan/internal/point_mul.h>
#include <botan/keypair.h>
#include <botan/reducer.h>
#include <botan/emsa.h>

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
  #include <botan/rfc6979.h>
#endif

#if defined(BOTAN_HAS_OPENSSL)
  #include <botan/internal/openssl.h>
#endif

namespace Botan {

namespace {

PointGFp recover_ecdsa_public_key(const EC_Group& group,
                                  const std::vector<uint8_t>& msg,
                                  const BigInt& r,
                                  const BigInt& s,
                                  uint8_t v)
   {
   if(group.get_cofactor() != 1)
      throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");

   if(v > 4)
      throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");

   const uint8_t y_odd = v % 2;
   const uint8_t add_order = v >> 1;

   const BigInt& group_order = group.get_order();
   const size_t p_bytes = group.get_p_bytes();

   try
      {
      const BigInt e(msg.data(), msg.size(), group.get_order_bits());
      const BigInt r_inv = group.inverse_mod_order(r);

      BigInt x = r + add_order*group_order;

      std::vector<uint8_t> X(p_bytes + 1);

      X[0] = 0x02 | y_odd;
      BigInt::encode_1363(&X[1], p_bytes, x);

      const PointGFp R = group.OS2ECP(X);

      if((R*group_order).is_zero() == false)
         throw Decoding_Error("Unable to recover ECDSA public key");

      // Compute r_inv * (s*R - eG)
      PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
      const BigInt ne = group.mod_order(group_order - e);
      return r_inv * RG_mul.multi_exp(s, ne);
      }
   catch(...)
      {
      // continue on and throw
      }

   throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
   }

}

ECDSA_PublicKey::ECDSA_PublicKey(const EC_Group& group,
                                 const std::vector<uint8_t>& msg,
                                 const BigInt& r,
                                 const BigInt& s,
                                 uint8_t v) :
   EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}


uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
                                        const BigInt& r,
                                        const BigInt& s) const
   {
   for(uint8_t v = 0; v != 4; ++v)
      {
      try
         {
         PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);

         if(R == this->public_point())
            {
            return v;
            }
         }
      catch(Decoding_Error&)
         {
         // try the next v
         }
      }

   throw Internal_Error("Could not determine ECDSA recovery parameter");
   }

bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
                                 bool strong) const
   {
   if(!public_point().on_the_curve())
      return false;

   if(!strong)
      return true;

   return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
   }

namespace {

/**
* ECDSA signature operation
*/
class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
   {
   public:

      ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
                                const std::string& emsa,
                                RandomNumberGenerator& rng) :
         PK_Ops::Signature_with_EMSA(emsa),
         m_group(ecdsa.domain()),
         m_x(ecdsa.private_value())
         {
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
         m_rfc6979.reset(new RFC6979_Nonce_Generator(hash_for_emsa(emsa), m_group.get_order(), m_x));
#endif

         m_b = m_group.random_scalar(rng);
         m_b_inv = m_group.inverse_mod_order(m_b);
         }

      size_t signature_length() const override { return 2*m_group.get_order_bytes(); }

      size_t max_input_bits() const override { return m_group.get_order_bits(); }

      secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
                                      RandomNumberGenerator& rng) override;

   private:
      const EC_Group m_group;
      const BigInt& m_x;

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
      std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
#endif

      std::vector<BigInt> m_ws;

      BigInt m_b, m_b_inv;
   };

secure_vector<uint8_t>
ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
                                    RandomNumberGenerator& rng)
   {
   BigInt m(msg, msg_len, m_group.get_order_bits());

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   const BigInt k = m_rfc6979->nonce_for(m);
#else
   const BigInt k = m_group.random_scalar(rng);
#endif

   const BigInt r = m_group.mod_order(
      m_group.blinded_base_point_multiply_x(k, rng, m_ws));

   const BigInt k_inv = m_group.inverse_mod_order(k);

   /*
   * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
   */
   m_b = m_group.square_mod_order(m_b);
   m_b_inv = m_group.square_mod_order(m_b_inv);

   m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
   const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);

   const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);

   // With overwhelming probability, a bug rather than actual zero r/s
   if(r.is_zero() || s.is_zero())
      throw Internal_Error("During ECDSA signature generated zero r/s");

   return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
   }

/**
* ECDSA verification operation
*/
class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
   {
   public:
      ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
                                   const std::string& emsa) :
         PK_Ops::Verification_with_EMSA(emsa),
         m_group(ecdsa.domain()),
         m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
         {
         }

      size_t max_input_bits() const override { return m_group.get_order_bits(); }

      bool with_recovery() const override { return false; }

      bool verify(const uint8_t msg[], size_t msg_len,
                  const uint8_t sig[], size_t sig_len) override;
   private:
      const EC_Group m_group;
      const PointGFp_Multi_Point_Precompute m_gy_mul;
   };

bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
                                          const uint8_t sig[], size_t sig_len)
   {
   if(sig_len != m_group.get_order_bytes() * 2)
      return false;

   const BigInt e(msg, msg_len, m_group.get_order_bits());

   const BigInt r(sig, sig_len / 2);
   const BigInt s(sig + sig_len / 2, sig_len / 2);

   if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
      return false;

   const BigInt w = m_group.inverse_mod_order(s);

   const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
   const BigInt u2 = m_group.multiply_mod_order(r, w);
   const PointGFp R = m_gy_mul.multi_exp(u1, u2);

   if(R.is_zero())
      return false;

   const BigInt v = m_group.mod_order(R.get_affine_x());
   return (v == r);
   }

}

std::unique_ptr<PK_Ops::Verification>
ECDSA_PublicKey::create_verification_op(const std::string& params,
                                        const std::string& provider) const
   {
#if defined(BOTAN_HAS_OPENSSL)
   if(provider == "openssl" || provider.empty())
      {
      try
         {
         return make_openssl_ecdsa_ver_op(*this, params);
         }
      catch(Lookup_Error& e)
         {
         if(provider == "openssl")
            throw;
         }
      }
#endif

   if(provider == "base" || provider.empty())
      return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params));

   throw Provider_Not_Found(algo_name(), provider);
   }

std::unique_ptr<PK_Ops::Signature>
ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
                                      const std::string& params,
                                      const std::string& provider) const
   {
#if defined(BOTAN_HAS_OPENSSL)
   if(provider == "openssl" || provider.empty())
      {
      try
         {
         return make_openssl_ecdsa_sig_op(*this, params);
         }
      catch(Lookup_Error& e)
         {
         if(provider == "openssl")
            throw;
         }
      }
#endif

   if(provider == "base" || provider.empty())
      return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng));

   throw Provider_Not_Found(algo_name(), provider);
   }

}

Coverage Report

Created: 2020-06-30 13:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* ECDSA implemenation
3		* (C) 2007 Manuel Hartl, FlexSecure GmbH
4		* 2007 Falko Strenzke, FlexSecure GmbH
5		* 2008-2010,2015,2016,2018 Jack Lloyd
6		* 2016 René Korthaus
7		*
8		* Botan is released under the Simplified BSD License (see license.txt)
9		*/
10
11		#include <botan/ecdsa.h>
12		#include <botan/internal/pk_ops_impl.h>
13		#include <botan/internal/point_mul.h>
14		#include <botan/keypair.h>
15		#include <botan/reducer.h>
16		#include <botan/emsa.h>
17
18		#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19		#include <botan/rfc6979.h>
20		#endif
21
22		#if defined(BOTAN_HAS_OPENSSL)
23		#include <botan/internal/openssl.h>
24		#endif
25
26		namespace Botan {
27
28		namespace {
29
30		PointGFp recover_ecdsa_public_key(const EC_Group& group,
31		const std::vector<uint8_t>& msg,
32		const BigInt& r,
33		const BigInt& s,
34		uint8_t v)
35	0	{
36	0	if(group.get_cofactor() != 1)
37	0	throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");
38	0
39	0	if(v > 4)
40	0	throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");
41	0
42	0	const uint8_t y_odd = v % 2;
43	0	const uint8_t add_order = v >> 1;
44	0
45	0	const BigInt& group_order = group.get_order();
46	0	const size_t p_bytes = group.get_p_bytes();
47	0
48	0	try
49	0	{
50	0	const BigInt e(msg.data(), msg.size(), group.get_order_bits());
51	0	const BigInt r_inv = group.inverse_mod_order(r);
52	0
53	0	BigInt x = r + add_order*group_order;
54	0
55	0	std::vector<uint8_t> X(p_bytes + 1);
56	0
57	0	X[0] = 0x02 \| y_odd;
58	0	BigInt::encode_1363(&X[1], p_bytes, x);
59	0
60	0	const PointGFp R = group.OS2ECP(X);
61	0
62	0	if((R*group_order).is_zero() == false)
63	0	throw Decoding_Error("Unable to recover ECDSA public key");
64	0
65	0	// Compute r_inv * (s*R - eG)
66	0	PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
67	0	const BigInt ne = group.mod_order(group_order - e);
68	0	return r_inv * RG_mul.multi_exp(s, ne);
69	0	}
70	0	catch(...)
71	0	{
72	0	// continue on and throw
73	0	}
74	0
75	0	throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
76	0	}
77
78		}
79
80		ECDSA_PublicKey::ECDSA_PublicKey(const EC_Group& group,
81		const std::vector<uint8_t>& msg,
82		const BigInt& r,
83		const BigInt& s,
84		uint8_t v) :
85	0	EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {} Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char) Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char)
86
87
88		uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
89		const BigInt& r,
90		const BigInt& s) const
91	0	{
92	0	for(uint8_t v = 0; v != 4; ++v)
93	0	{
94	0	try
95	0	{
96	0	PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);
97	0
98	0	if(R == this->public_point())
99	0	{
100	0	return v;
101	0	}
102	0	}
103	0	catch(Decoding_Error&)
104	0	{
105	0	// try the next v
106	0	}
107	0	}
108	0
109	0	throw Internal_Error("Could not determine ECDSA recovery parameter");
110	0	}
111
112		bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
113		bool strong) const
114	0	{
115	0	if(!public_point().on_the_curve())
116	0	return false;
117	0
118	0	if(!strong)
119	0	return true;
120	0
121	0	return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
122	0	}
123
124		namespace {
125
126		/**
127		* ECDSA signature operation
128		*/
129		class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
130		{
131		public:
132
133		ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
134		const std::string& emsa,
135		RandomNumberGenerator& rng) :
136		PK_Ops::Signature_with_EMSA(emsa),
137		m_group(ecdsa.domain()),
138		m_x(ecdsa.private_value())
139	0	{
140	0	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
141	0	m_rfc6979.reset(new RFC6979_Nonce_Generator(hash_for_emsa(emsa), m_group.get_order(), m_x));
142	0	#endif
143	0
144	0	m_b = m_group.random_scalar(rng);
145	0	m_b_inv = m_group.inverse_mod_order(m_b);
146	0	}
147
148	0	size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
149
150	0	size_t max_input_bits() const override { return m_group.get_order_bits(); }
151
152		secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
153		RandomNumberGenerator& rng) override;
154
155		private:
156		const EC_Group m_group;
157		const BigInt& m_x;
158
159		#if defined(BOTAN_HAS_RFC6979_GENERATOR)
160		std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
161		#endif
162
163		std::vector<BigInt> m_ws;
164
165		BigInt m_b, m_b_inv;
166		};
167
168		secure_vector<uint8_t>
169		ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
170		RandomNumberGenerator& rng)
171	0	{
172	0	BigInt m(msg, msg_len, m_group.get_order_bits());
173	0
174	0	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
175	0	const BigInt k = m_rfc6979->nonce_for(m);
176		#else
177		const BigInt k = m_group.random_scalar(rng);
178		#endif
179
180	0	const BigInt r = m_group.mod_order(
181	0	m_group.blinded_base_point_multiply_x(k, rng, m_ws));
182	0
183	0	const BigInt k_inv = m_group.inverse_mod_order(k);
184	0
185	0	/*
186	0	* Blind the input message and compute xr+m as (xrb + mb)/b
187	0	*/
188	0	m_b = m_group.square_mod_order(m_b);
189	0	m_b_inv = m_group.square_mod_order(m_b_inv);
190	0
191	0	m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
192	0	const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
193	0
194	0	const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
195	0
196	0	// With overwhelming probability, a bug rather than actual zero r/s
197	0	if(r.is_zero() \|\| s.is_zero())
198	0	throw Internal_Error("During ECDSA signature generated zero r/s");
199	0
200	0	return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
201	0	}
202
203		/**
204		* ECDSA verification operation
205		*/
206		class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
207		{
208		public:
209		ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
210		const std::string& emsa) :
211		PK_Ops::Verification_with_EMSA(emsa),
212		m_group(ecdsa.domain()),
213		m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
214	1.55k	{
215	1.55k	}
216
217	540	size_t max_input_bits() const override { return m_group.get_order_bits(); }
218
219	540	bool with_recovery() const override { return false; }
220
221		bool verify(const uint8_t msg[], size_t msg_len,
222		const uint8_t sig[], size_t sig_len) override;
223		private:
224		const EC_Group m_group;
225		const PointGFp_Multi_Point_Precompute m_gy_mul;
226		};
227
228		bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
229		const uint8_t sig[], size_t sig_len)
230	540	{
231	540	if(sig_len != m_group.get_order_bytes() * 2)
232	0	return false;
233	540
234	540	const BigInt e(msg, msg_len, m_group.get_order_bits());
235	540
236	540	const BigInt r(sig, sig_len / 2);
237	540	const BigInt s(sig + sig_len / 2, sig_len / 2);
238	540
239	540	if(r <= 0 \|\| r >= m_group.get_order() \|\| s <= 0 \|\| s >= m_group.get_order())
240	11	return false;
241	529
242	529	const BigInt w = m_group.inverse_mod_order(s);
243	529
244	529	const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
245	529	const BigInt u2 = m_group.multiply_mod_order(r, w);
246	529	const PointGFp R = m_gy_mul.multi_exp(u1, u2);
247	529
248	529	if(R.is_zero())
249	19	return false;
250	510
251	510	const BigInt v = m_group.mod_order(R.get_affine_x());
252	510	return (v == r);
253	510	}
254
255		}
256
257		std::unique_ptr<PK_Ops::Verification>
258		ECDSA_PublicKey::create_verification_op(const std::string& params,
259		const std::string& provider) const
260	1.55k	{
261		#if defined(BOTAN_HAS_OPENSSL)
262		if(provider == "openssl" \|\| provider.empty())
263		{
264		try
265		{
266		return make_openssl_ecdsa_ver_op(*this, params);
267		}
268		catch(Lookup_Error& e)
269		{
270		if(provider == "openssl")
271		throw;
272		}
273		}
274		#endif
275
276	1.55k	if(provider == "base" \|\| provider.empty())
277	1.55k	return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params));
278	0
279	0	throw Provider_Not_Found(algo_name(), provider);
280	0	}
281
282		std::unique_ptr<PK_Ops::Signature>
283		ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
284		const std::string& params,
285		const std::string& provider) const
286	0	{
287		#if defined(BOTAN_HAS_OPENSSL)
288		if(provider == "openssl" \|\| provider.empty())
289		{
290		try
291		{
292		return make_openssl_ecdsa_sig_op(*this, params);
293		}
294		catch(Lookup_Error& e)
295		{
296		if(provider == "openssl")
297		throw;
298		}
299		}
300		#endif
301
302	0	if(provider == "base" \|\| provider.empty())
303	0	return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng));
304	0
305	0	throw Provider_Not_Found(algo_name(), provider);
306	0	}
307
308		}