/src/botan/src/lib/pubkey/pubkey.cpp

Source (jump to first uncovered line)
/*
* (C) 1999-2010,2015,2018 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/pubkey.h>
#include <botan/der_enc.h>
#include <botan/ber_dec.h>
#include <botan/bigint.h>
#include <botan/pk_ops.h>
#include <botan/internal/ct_utils.h>
#include <botan/rng.h>

namespace Botan {

secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
   {
   uint8_t valid_mask = 0;

   secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);

   if(valid_mask == 0)
      throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");

   return decoded;
   }

secure_vector<uint8_t>
PK_Decryptor::decrypt_or_random(const uint8_t in[],
                                size_t length,
                                size_t expected_pt_len,
                                RandomNumberGenerator& rng,
                                const uint8_t required_content_bytes[],
                                const uint8_t required_content_offsets[],
                                size_t required_contents_length) const
   {
   const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);

   uint8_t decrypt_valid = 0;
   secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);

   auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
   valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));

   decoded.resize(expected_pt_len);

   for(size_t i = 0; i != required_contents_length; ++i)
      {
      /*
      These values are chosen by the application and for TLS are constants,
      so this early failure via assert is fine since we know 0,1 < 48

      If there is a protocol that has content checks on the key where
      the expected offsets are controllable by the attacker this could
      still leak.

      Alternately could always reduce the offset modulo the length?
      */

      const uint8_t exp = required_content_bytes[i];
      const uint8_t off = required_content_offsets[i];

      BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");

      auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);

      valid_mask &= eq;
      }

   // If valid_mask is false, assign fake pre master instead
   valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);

   return decoded;
   }

secure_vector<uint8_t>
PK_Decryptor::decrypt_or_random(const uint8_t in[],
                                size_t length,
                                size_t expected_pt_len,
                                RandomNumberGenerator& rng) const
   {
   return decrypt_or_random(in, length, expected_pt_len, rng,
                            nullptr, nullptr, 0);
   }

PK_Encryptor_EME::PK_Encryptor_EME(const Public_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& padding,
                                   const std::string& provider)
   {
   m_op = key.create_encryption_op(rng, padding, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
   }

PK_Encryptor_EME::~PK_Encryptor_EME() { /* for unique_ptr */ }

size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
   {
   return m_op->ciphertext_length(ptext_len);
   }

std::vector<uint8_t>
PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
   {
   return unlock(m_op->encrypt(in, length, rng));
   }

size_t PK_Encryptor_EME::maximum_input_size() const
   {
   return m_op->max_input_bits() / 8;
   }

PK_Decryptor_EME::PK_Decryptor_EME(const Private_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& padding,
                                   const std::string& provider)
   {
   m_op = key.create_decryption_op(rng, padding, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
   }

PK_Decryptor_EME::~PK_Decryptor_EME() { /* for unique_ptr */ }

size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
   {
   return m_op->plaintext_length(ctext_len);
   }

secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
                                                 const uint8_t in[], size_t in_len) const
   {
   return m_op->decrypt(valid_mask, in, in_len);
   }

PK_KEM_Encryptor::PK_KEM_Encryptor(const Public_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& param,
                                   const std::string& provider)
   {
   m_op = key.create_kem_encryption_op(rng, param, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
   }

PK_KEM_Encryptor::~PK_KEM_Encryptor() { /* for unique_ptr */ }

void PK_KEM_Encryptor::encrypt(secure_vector<uint8_t>& out_encapsulated_key,
                               secure_vector<uint8_t>& out_shared_key,
                               size_t desired_shared_key_len,
                               Botan::RandomNumberGenerator& rng,
                               const uint8_t salt[],
                               size_t salt_len)
   {
   m_op->kem_encrypt(out_encapsulated_key,
                     out_shared_key,
                     desired_shared_key_len,
                     rng,
                     salt,
                     salt_len);
   }

PK_KEM_Decryptor::PK_KEM_Decryptor(const Private_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& param,
                                   const std::string& provider)
   {
   m_op = key.create_kem_decryption_op(rng, param, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
   }

PK_KEM_Decryptor::~PK_KEM_Decryptor() { /* for unique_ptr */ }

secure_vector<uint8_t> PK_KEM_Decryptor::decrypt(const uint8_t encap_key[],
                                              size_t encap_key_len,
                                              size_t desired_shared_key_len,
                                              const uint8_t salt[],
                                              size_t salt_len)
   {
   return m_op->kem_decrypt(encap_key, encap_key_len,
                            desired_shared_key_len,
                            salt, salt_len);
   }

PK_Key_Agreement::PK_Key_Agreement(const Private_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& kdf,
                                   const std::string& provider)
   {
   m_op = key.create_key_agreement_op(rng, kdf, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
   }

PK_Key_Agreement::~PK_Key_Agreement() { /* for unique_ptr */ }

PK_Key_Agreement& PK_Key_Agreement::operator=(PK_Key_Agreement&& other)
   {
   if(this != &other)
      {
      m_op = std::move(other.m_op);
      }
   return (*this);
   }

PK_Key_Agreement::PK_Key_Agreement(PK_Key_Agreement&& other) :
   m_op(std::move(other.m_op))
   {}

size_t PK_Key_Agreement::agreed_value_size() const
   {
   return m_op->agreed_value_size();
   }

SymmetricKey PK_Key_Agreement::derive_key(size_t key_len,
                                          const uint8_t in[], size_t in_len,
                                          const uint8_t salt[],
                                          size_t salt_len) const
   {
   return m_op->agree(key_len, in, in_len, salt, salt_len);
   }

PK_Signer::PK_Signer(const Private_Key& key,
                     RandomNumberGenerator& rng,
                     const std::string& emsa,
                     Signature_Format format,
                     const std::string& provider)
   {
   m_op = key.create_signature_op(rng, emsa, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
   m_sig_format = format;
   m_parts = key.message_parts();
   m_part_size = key.message_part_size();
   }

PK_Signer::~PK_Signer() { /* for unique_ptr */ }

void PK_Signer::update(const uint8_t in[], size_t length)
   {
   m_op->update(in, length);
   }

namespace {

std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
                                          size_t parts,
                                          size_t part_size)
   {
   if(sig.size() % parts != 0 || sig.size() != parts * part_size)
      throw Encoding_Error("Unexpected size for DER signature");

   std::vector<BigInt> sig_parts(parts);
   for(size_t i = 0; i != sig_parts.size(); ++i)
      sig_parts[i].binary_decode(&sig[part_size*i], part_size);

   std::vector<uint8_t> output;
   DER_Encoder(output)
      .start_cons(SEQUENCE)
      .encode_list(sig_parts)
      .end_cons();
   return output;
   }

}

size_t PK_Signer::signature_length() const
   {
   if(m_sig_format == IEEE_1363)
      {
      return m_op->signature_length();
      }
   else if(m_sig_format == DER_SEQUENCE)
      {
      // This is a large over-estimate but its easier than computing
      // the exact value
      return m_op->signature_length() + (8 + 4*m_parts);
      }
   else
      throw Internal_Error("PK_Signer: Invalid signature format enum");
   }

std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
   {
   const std::vector<uint8_t> sig = unlock(m_op->sign(rng));

   if(m_sig_format == IEEE_1363)
      {
      return sig;
      }
   else if(m_sig_format == DER_SEQUENCE)
      {
      return der_encode_signature(sig, m_parts, m_part_size);
      }
   else
      throw Internal_Error("PK_Signer: Invalid signature format enum");
   }

PK_Verifier::PK_Verifier(const Public_Key& key,
                         const std::string& emsa,
                         Signature_Format format,
                         const std::string& provider)
   {
   m_op = key.create_verification_op(emsa, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
   m_sig_format = format;
   m_parts = key.message_parts();
   m_part_size = key.message_part_size();
   }

PK_Verifier::~PK_Verifier() { /* for unique_ptr */ }

void PK_Verifier::set_input_format(Signature_Format format)
   {
   if(format != IEEE_1363 && m_parts == 1)
      throw Invalid_Argument("PK_Verifier: This algorithm does not support DER encoding");
   m_sig_format = format;
   }

bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
                                 const uint8_t sig[], size_t sig_length)
   {
   update(msg, msg_length);
   return check_signature(sig, sig_length);
   }

void PK_Verifier::update(const uint8_t in[], size_t length)
   {
   m_op->update(in, length);
   }

bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
   {
   try {
      if(m_sig_format == IEEE_1363)
         {
         return m_op->is_valid_signature(sig, length);
         }
      else if(m_sig_format == DER_SEQUENCE)
         {
         std::vector<uint8_t> real_sig;
         BER_Decoder decoder(sig, length);
         BER_Decoder ber_sig = decoder.start_cons(SEQUENCE);

         BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);

         size_t count = 0;

         while(ber_sig.more_items())
            {
            BigInt sig_part;
            ber_sig.decode(sig_part);
            real_sig += BigInt::encode_1363(sig_part, m_part_size);
            ++count;
            }

         if(count != m_parts)
            throw Decoding_Error("PK_Verifier: signature size invalid");

         const std::vector<uint8_t> reencoded =
            der_encode_signature(real_sig, m_parts, m_part_size);

         if(reencoded.size() != length ||
            same_mem(reencoded.data(), sig, reencoded.size()) == false)
            {
            throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
            }

         return m_op->is_valid_signature(real_sig.data(), real_sig.size());
         }
      else
         throw Internal_Error("PK_Verifier: Invalid signature format enum");
      }
   catch(Invalid_Argument&) { return false; }
   }

}

Coverage Report

Created: 2020-09-16 07:52

Line	Count	Source (jump to first uncovered line)
1		/*
2		* (C) 1999-2010,2015,2018 Jack Lloyd
3		*
4		* Botan is released under the Simplified BSD License (see license.txt)
5		*/
6
7		#include <botan/pubkey.h>
8		#include <botan/der_enc.h>
9		#include <botan/ber_dec.h>
10		#include <botan/bigint.h>
11		#include <botan/pk_ops.h>
12		#include <botan/internal/ct_utils.h>
13		#include <botan/rng.h>
14
15		namespace Botan {
16
17		secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
18	0	{
19	0	uint8_t valid_mask = 0;
20	0
21	0	secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
22	0
23	0	if(valid_mask == 0)
24	0	throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
25	0
26	0	return decoded;
27	0	}
28
29		secure_vector<uint8_t>
30		PK_Decryptor::decrypt_or_random(const uint8_t in[],
31		size_t length,
32		size_t expected_pt_len,
33		RandomNumberGenerator& rng,
34		const uint8_t required_content_bytes[],
35		const uint8_t required_content_offsets[],
36		size_t required_contents_length) const
37	0	{
38	0	const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
39	0
40	0	uint8_t decrypt_valid = 0;
41	0	secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
42	0
43	0	auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
44	0	valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
45	0
46	0	decoded.resize(expected_pt_len);
47	0
48	0	for(size_t i = 0; i != required_contents_length; ++i)
49	0	{
50		/*
51		These values are chosen by the application and for TLS are constants,
52		so this early failure via assert is fine since we know 0,1 < 48
53
54		If there is a protocol that has content checks on the key where
55		the expected offsets are controllable by the attacker this could
56		still leak.
57
58		Alternately could always reduce the offset modulo the length?
59		*/
60	0
61	0	const uint8_t exp = required_content_bytes[i];
62	0	const uint8_t off = required_content_offsets[i];
63	0
64	0	BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
65	0
66	0	auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
67	0
68	0	valid_mask &= eq;
69	0	}
70	0
71		// If valid_mask is false, assign fake pre master instead
72	0	valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
73	0
74	0	return decoded;
75	0	}
76
77		secure_vector<uint8_t>
78		PK_Decryptor::decrypt_or_random(const uint8_t in[],
79		size_t length,
80		size_t expected_pt_len,
81		RandomNumberGenerator& rng) const
82	0	{
83	0	return decrypt_or_random(in, length, expected_pt_len, rng,
84	0	nullptr, nullptr, 0);
85	0	}
86
87		PK_Encryptor_EME::PK_Encryptor_EME(const Public_Key& key,
88		RandomNumberGenerator& rng,
89		const std::string& padding,
90		const std::string& provider)
91	59	{
92	59	m_op = key.create_encryption_op(rng, padding, provider);
93	59	if(!m_op)
94	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
95	59	}
96
97	59	PK_Encryptor_EME::~PK_Encryptor_EME() { /* for unique_ptr */ }
98
99		size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
100	0	{
101	0	return m_op->ciphertext_length(ptext_len);
102	0	}
103
104		std::vector<uint8_t>
105		PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
106	59	{
107	59	return unlock(m_op->encrypt(in, length, rng));
108	59	}
109
110		size_t PK_Encryptor_EME::maximum_input_size() const
111	0	{
112	0	return m_op->max_input_bits() / 8;
113	0	}
114
115		PK_Decryptor_EME::PK_Decryptor_EME(const Private_Key& key,
116		RandomNumberGenerator& rng,
117		const std::string& padding,
118		const std::string& provider)
119	0	{
120	0	m_op = key.create_decryption_op(rng, padding, provider);
121	0	if(!m_op)
122	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
123	0	}
124
125	0	PK_Decryptor_EME::~PK_Decryptor_EME() { /* for unique_ptr */ }
126
127		size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
128	0	{
129	0	return m_op->plaintext_length(ctext_len);
130	0	}
131
132		secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
133		const uint8_t in[], size_t in_len) const
134	0	{
135	0	return m_op->decrypt(valid_mask, in, in_len);
136	0	}
137
138		PK_KEM_Encryptor::PK_KEM_Encryptor(const Public_Key& key,
139		RandomNumberGenerator& rng,
140		const std::string& param,
141		const std::string& provider)
142	0	{
143	0	m_op = key.create_kem_encryption_op(rng, param, provider);
144	0	if(!m_op)
145	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
146	0	}
147
148	0	PK_KEM_Encryptor::~PK_KEM_Encryptor() { /* for unique_ptr */ }
149
150		void PK_KEM_Encryptor::encrypt(secure_vector<uint8_t>& out_encapsulated_key,
151		secure_vector<uint8_t>& out_shared_key,
152		size_t desired_shared_key_len,
153		Botan::RandomNumberGenerator& rng,
154		const uint8_t salt[],
155		size_t salt_len)
156	0	{
157	0	m_op->kem_encrypt(out_encapsulated_key,
158	0	out_shared_key,
159	0	desired_shared_key_len,
160	0	rng,
161	0	salt,
162	0	salt_len);
163	0	}
164
165		PK_KEM_Decryptor::PK_KEM_Decryptor(const Private_Key& key,
166		RandomNumberGenerator& rng,
167		const std::string& param,
168		const std::string& provider)
169	0	{
170	0	m_op = key.create_kem_decryption_op(rng, param, provider);
171	0	if(!m_op)
172	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
173	0	}
174
175	0	PK_KEM_Decryptor::~PK_KEM_Decryptor() { /* for unique_ptr */ }
176
177		secure_vector<uint8_t> PK_KEM_Decryptor::decrypt(const uint8_t encap_key[],
178		size_t encap_key_len,
179		size_t desired_shared_key_len,
180		const uint8_t salt[],
181		size_t salt_len)
182	0	{
183	0	return m_op->kem_decrypt(encap_key, encap_key_len,
184	0	desired_shared_key_len,
185	0	salt, salt_len);
186	0	}
187
188		PK_Key_Agreement::PK_Key_Agreement(const Private_Key& key,
189		RandomNumberGenerator& rng,
190		const std::string& kdf,
191		const std::string& provider)
192	14.3k	{
193	14.3k	m_op = key.create_key_agreement_op(rng, kdf, provider);
194	14.3k	if(!m_op)
195	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
196	14.3k	}
197
198	14.3k	PK_Key_Agreement::~PK_Key_Agreement() { /* for unique_ptr */ }
199
200		PK_Key_Agreement& PK_Key_Agreement::operator=(PK_Key_Agreement&& other)
201	0	{
202	0	if(this != &other)
203	0	{
204	0	m_op = std::move(other.m_op);
205	0	}
206	0	return (*this);
207	0	}
208
209		PK_Key_Agreement::PK_Key_Agreement(PK_Key_Agreement&& other) :
210		m_op(std::move(other.m_op))
211	0	{}
212
213		size_t PK_Key_Agreement::agreed_value_size() const
214	0	{
215	0	return m_op->agreed_value_size();
216	0	}
217
218		SymmetricKey PK_Key_Agreement::derive_key(size_t key_len,
219		const uint8_t in[], size_t in_len,
220		const uint8_t salt[],
221		size_t salt_len) const
222	14.3k	{
223	14.3k	return m_op->agree(key_len, in, in_len, salt, salt_len);
224	14.3k	}
225
226		PK_Signer::PK_Signer(const Private_Key& key,
227		RandomNumberGenerator& rng,
228		const std::string& emsa,
229		Signature_Format format,
230		const std::string& provider)
231	0	{
232	0	m_op = key.create_signature_op(rng, emsa, provider);
233	0	if(!m_op)
234	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
235	0	m_sig_format = format;
236	0	m_parts = key.message_parts();
237	0	m_part_size = key.message_part_size();
238	0	}
239
240	0	PK_Signer::~PK_Signer() { /* for unique_ptr */ }
241
242		void PK_Signer::update(const uint8_t in[], size_t length)
243	0	{
244	0	m_op->update(in, length);
245	0	}
246
247		namespace {
248
249		std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
250		size_t parts,
251		size_t part_size)
252	533	{
253	533	if(sig.size() % parts != 0 \|\| sig.size() != parts * part_size)
254	0	throw Encoding_Error("Unexpected size for DER signature");
255	533
256	533	std::vector<BigInt> sig_parts(parts);
257	1.59k	for(size_t i = 0; i != sig_parts.size(); ++i)
258	1.06k	sig_parts[i].binary_decode(&sig[part_size*i], part_size);
259	533
260	533	std::vector<uint8_t> output;
261	533	DER_Encoder(output)
262	533	.start_cons(SEQUENCE)
263	533	.encode_list(sig_parts)
264	533	.end_cons();
265	533	return output;
266	533	}
267
268		}
269
270		size_t PK_Signer::signature_length() const
271	0	{
272	0	if(m_sig_format == IEEE_1363)
273	0	{
274	0	return m_op->signature_length();
275	0	}
276	0	else if(m_sig_format == DER_SEQUENCE)
277	0	{
278		// This is a large over-estimate but its easier than computing
279		// the exact value
280	0	return m_op->signature_length() + (8 + 4*m_parts);
281	0	}
282	0	else
283	0	throw Internal_Error("PK_Signer: Invalid signature format enum");
284	0	}
285
286		std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
287	0	{
288	0	const std::vector<uint8_t> sig = unlock(m_op->sign(rng));
289	0
290	0	if(m_sig_format == IEEE_1363)
291	0	{
292	0	return sig;
293	0	}
294	0	else if(m_sig_format == DER_SEQUENCE)
295	0	{
296	0	return der_encode_signature(sig, m_parts, m_part_size);
297	0	}
298	0	else
299	0	throw Internal_Error("PK_Signer: Invalid signature format enum");
300	0	}
301
302		PK_Verifier::PK_Verifier(const Public_Key& key,
303		const std::string& emsa,
304		Signature_Format format,
305		const std::string& provider)
306	7.68k	{
307	7.68k	m_op = key.create_verification_op(emsa, provider);
308	7.68k	if(!m_op)
309	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
310	7.68k	m_sig_format = format;
311	7.68k	m_parts = key.message_parts();
312	7.68k	m_part_size = key.message_part_size();
313	7.68k	}
314
315	7.68k	PK_Verifier::~PK_Verifier() { /* for unique_ptr */ }
316
317		void PK_Verifier::set_input_format(Signature_Format format)
318	0	{
319	0	if(format != IEEE_1363 && m_parts == 1)
320	0	throw Invalid_Argument("PK_Verifier: This algorithm does not support DER encoding");
321	0	m_sig_format = format;
322	0	}
323
324		bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
325		const uint8_t sig[], size_t sig_length)
326	7.68k	{
327	7.68k	update(msg, msg_length);
328	7.68k	return check_signature(sig, sig_length);
329	7.68k	}
330
331		void PK_Verifier::update(const uint8_t in[], size_t length)
332	7.68k	{
333	7.68k	m_op->update(in, length);
334	7.68k	}
335
336		bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
337	7.68k	{
338	7.68k	try {
339	7.68k	if(m_sig_format == IEEE_1363)
340	6.42k	{
341	6.42k	return m_op->is_valid_signature(sig, length);
342	6.42k	}
343	1.26k	else if(m_sig_format == DER_SEQUENCE)
344	1.26k	{
345	1.26k	std::vector<uint8_t> real_sig;
346	1.26k	BER_Decoder decoder(sig, length);
347	1.26k	BER_Decoder ber_sig = decoder.start_cons(SEQUENCE);
348	1.26k
349	1.26k	BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);
350	1.26k
351	1.26k	size_t count = 0;
352	1.26k
353	3.21k	while(ber_sig.more_items())
354	1.94k	{
355	1.94k	BigInt sig_part;
356	1.94k	ber_sig.decode(sig_part);
357	1.94k	real_sig += BigInt::encode_1363(sig_part, m_part_size);
358	1.94k	++count;
359	1.94k	}
360	1.26k
361	1.26k	if(count != m_parts)
362	34	throw Decoding_Error("PK_Verifier: signature size invalid");
363	1.22k
364	1.22k	const std::vector<uint8_t> reencoded =
365	1.22k	der_encode_signature(real_sig, m_parts, m_part_size);
366	1.22k
367	1.22k	if(reencoded.size() != length \|\|
368	459	same_mem(reencoded.data(), sig, reencoded.size()) == false)
369	91	{
370	91	throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
371	91	}
372	1.13k
373	1.13k	return m_op->is_valid_signature(real_sig.data(), real_sig.size());
374	1.13k	}
375	0	else
376	0	throw Internal_Error("PK_Verifier: Invalid signature format enum");
377	910	}
378	910	catch(Invalid_Argument&) { return false; }
379	7.68k	}
380
381		}