/src/botan/src/lib/pubkey/ecdsa/ecdsa.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * ECDSA implemenation |
3 | | * (C) 2007 Manuel Hartl, FlexSecure GmbH |
4 | | * 2007 Falko Strenzke, FlexSecure GmbH |
5 | | * 2008-2010,2015,2016,2018 Jack Lloyd |
6 | | * 2016 René Korthaus |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | */ |
10 | | |
11 | | #include <botan/ecdsa.h> |
12 | | #include <botan/internal/pk_ops_impl.h> |
13 | | #include <botan/internal/point_mul.h> |
14 | | #include <botan/keypair.h> |
15 | | #include <botan/reducer.h> |
16 | | #include <botan/emsa.h> |
17 | | |
18 | | #if defined(BOTAN_HAS_RFC6979_GENERATOR) |
19 | | #include <botan/rfc6979.h> |
20 | | #endif |
21 | | |
22 | | #if defined(BOTAN_HAS_OPENSSL) |
23 | | #include <botan/internal/openssl.h> |
24 | | #endif |
25 | | |
26 | | namespace Botan { |
27 | | |
28 | | namespace { |
29 | | |
30 | | PointGFp recover_ecdsa_public_key(const EC_Group& group, |
31 | | const std::vector<uint8_t>& msg, |
32 | | const BigInt& r, |
33 | | const BigInt& s, |
34 | | uint8_t v) |
35 | 0 | { |
36 | 0 | if(group.get_cofactor() != 1) |
37 | 0 | throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups"); |
38 | 0 | |
39 | 0 | if(v > 4) |
40 | 0 | throw Invalid_Argument("Unexpected v param for ECDSA public key recovery"); |
41 | 0 | |
42 | 0 | const uint8_t y_odd = v % 2; |
43 | 0 | const uint8_t add_order = v >> 1; |
44 | 0 |
|
45 | 0 | const BigInt& group_order = group.get_order(); |
46 | 0 | const size_t p_bytes = group.get_p_bytes(); |
47 | 0 |
|
48 | 0 | try |
49 | 0 | { |
50 | 0 | const BigInt e(msg.data(), msg.size(), group.get_order_bits()); |
51 | 0 | const BigInt r_inv = group.inverse_mod_order(r); |
52 | 0 |
|
53 | 0 | BigInt x = r + add_order*group_order; |
54 | 0 |
|
55 | 0 | std::vector<uint8_t> X(p_bytes + 1); |
56 | 0 |
|
57 | 0 | X[0] = 0x02 | y_odd; |
58 | 0 | BigInt::encode_1363(&X[1], p_bytes, x); |
59 | 0 |
|
60 | 0 | const PointGFp R = group.OS2ECP(X); |
61 | 0 |
|
62 | 0 | if((R*group_order).is_zero() == false) |
63 | 0 | throw Decoding_Error("Unable to recover ECDSA public key"); |
64 | 0 | |
65 | | // Compute r_inv * (s*R - eG) |
66 | 0 | PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point()); |
67 | 0 | const BigInt ne = group.mod_order(group_order - e); |
68 | 0 | return r_inv * RG_mul.multi_exp(s, ne); |
69 | 0 | } |
70 | 0 | catch(...) |
71 | 0 | { |
72 | | // continue on and throw |
73 | 0 | } |
74 | 0 |
|
75 | 0 | throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair"); |
76 | 0 | } |
77 | | |
78 | | } |
79 | | |
80 | | ECDSA_PublicKey::ECDSA_PublicKey(const EC_Group& group, |
81 | | const std::vector<uint8_t>& msg, |
82 | | const BigInt& r, |
83 | | const BigInt& s, |
84 | | uint8_t v) : |
85 | 0 | EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {} Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char) Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char) |
86 | | |
87 | | |
88 | | uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg, |
89 | | const BigInt& r, |
90 | | const BigInt& s) const |
91 | 0 | { |
92 | 0 | for(uint8_t v = 0; v != 4; ++v) |
93 | 0 | { |
94 | 0 | try |
95 | 0 | { |
96 | 0 | PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v); |
97 | 0 |
|
98 | 0 | if(R == this->public_point()) |
99 | 0 | { |
100 | 0 | return v; |
101 | 0 | } |
102 | 0 | } |
103 | 0 | catch(Decoding_Error&) |
104 | 0 | { |
105 | | // try the next v |
106 | 0 | } |
107 | 0 | } |
108 | 0 |
|
109 | 0 | throw Internal_Error("Could not determine ECDSA recovery parameter"); |
110 | 0 | } |
111 | | |
112 | | bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng, |
113 | | bool strong) const |
114 | 0 | { |
115 | 0 | if(!public_point().on_the_curve()) |
116 | 0 | return false; |
117 | 0 | |
118 | 0 | if(!strong) |
119 | 0 | return true; |
120 | 0 | |
121 | 0 | return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)"); |
122 | 0 | } |
123 | | |
124 | | namespace { |
125 | | |
126 | | /** |
127 | | * ECDSA signature operation |
128 | | */ |
129 | | class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA |
130 | | { |
131 | | public: |
132 | | |
133 | | ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa, |
134 | | const std::string& emsa, |
135 | | RandomNumberGenerator& rng) : |
136 | | PK_Ops::Signature_with_EMSA(emsa), |
137 | | m_group(ecdsa.domain()), |
138 | | m_x(ecdsa.private_value()) |
139 | 0 | { |
140 | 0 | #if defined(BOTAN_HAS_RFC6979_GENERATOR) |
141 | 0 | m_rfc6979.reset(new RFC6979_Nonce_Generator(hash_for_emsa(emsa), m_group.get_order(), m_x)); |
142 | 0 | #endif |
143 | 0 |
|
144 | 0 | m_b = m_group.random_scalar(rng); |
145 | 0 | m_b_inv = m_group.inverse_mod_order(m_b); |
146 | 0 | } |
147 | | |
148 | 0 | size_t signature_length() const override { return 2*m_group.get_order_bytes(); } |
149 | | |
150 | 0 | size_t max_input_bits() const override { return m_group.get_order_bits(); } |
151 | | |
152 | | secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, |
153 | | RandomNumberGenerator& rng) override; |
154 | | |
155 | | private: |
156 | | const EC_Group m_group; |
157 | | const BigInt& m_x; |
158 | | |
159 | | #if defined(BOTAN_HAS_RFC6979_GENERATOR) |
160 | | std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979; |
161 | | #endif |
162 | | |
163 | | std::vector<BigInt> m_ws; |
164 | | |
165 | | BigInt m_b, m_b_inv; |
166 | | }; |
167 | | |
168 | | secure_vector<uint8_t> |
169 | | ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len, |
170 | | RandomNumberGenerator& rng) |
171 | 0 | { |
172 | 0 | BigInt m(msg, msg_len, m_group.get_order_bits()); |
173 | 0 |
|
174 | 0 | #if defined(BOTAN_HAS_RFC6979_GENERATOR) |
175 | 0 | const BigInt k = m_rfc6979->nonce_for(m); |
176 | | #else |
177 | | const BigInt k = m_group.random_scalar(rng); |
178 | | #endif |
179 | 0 |
|
180 | 0 | const BigInt r = m_group.mod_order( |
181 | 0 | m_group.blinded_base_point_multiply_x(k, rng, m_ws)); |
182 | 0 |
|
183 | 0 | const BigInt k_inv = m_group.inverse_mod_order(k); |
184 | 0 |
|
185 | | /* |
186 | | * Blind the input message and compute x*r+m as (x*r*b + m*b)/b |
187 | | */ |
188 | 0 | m_b = m_group.square_mod_order(m_b); |
189 | 0 | m_b_inv = m_group.square_mod_order(m_b_inv); |
190 | 0 |
|
191 | 0 | m = m_group.multiply_mod_order(m_b, m_group.mod_order(m)); |
192 | 0 | const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m); |
193 | 0 |
|
194 | 0 | const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv); |
195 | 0 |
|
196 | | // With overwhelming probability, a bug rather than actual zero r/s |
197 | 0 | if(r.is_zero() || s.is_zero()) |
198 | 0 | throw Internal_Error("During ECDSA signature generated zero r/s"); |
199 | 0 | |
200 | 0 | return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes()); |
201 | 0 | } |
202 | | |
203 | | /** |
204 | | * ECDSA verification operation |
205 | | */ |
206 | | class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA |
207 | | { |
208 | | public: |
209 | | ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, |
210 | | const std::string& emsa) : |
211 | | PK_Ops::Verification_with_EMSA(emsa), |
212 | | m_group(ecdsa.domain()), |
213 | | m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) |
214 | 1.15k | { |
215 | 1.15k | } |
216 | | |
217 | 328 | size_t max_input_bits() const override { return m_group.get_order_bits(); } |
218 | | |
219 | 328 | bool with_recovery() const override { return false; } |
220 | | |
221 | | bool verify(const uint8_t msg[], size_t msg_len, |
222 | | const uint8_t sig[], size_t sig_len) override; |
223 | | private: |
224 | | const EC_Group m_group; |
225 | | const PointGFp_Multi_Point_Precompute m_gy_mul; |
226 | | }; |
227 | | |
228 | | bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, |
229 | | const uint8_t sig[], size_t sig_len) |
230 | 328 | { |
231 | 328 | if(sig_len != m_group.get_order_bytes() * 2) |
232 | 0 | return false; |
233 | 328 | |
234 | 328 | const BigInt e(msg, msg_len, m_group.get_order_bits()); |
235 | 328 | |
236 | 328 | const BigInt r(sig, sig_len / 2); |
237 | 328 | const BigInt s(sig + sig_len / 2, sig_len / 2); |
238 | 328 | |
239 | 328 | if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) |
240 | 10 | return false; |
241 | 318 | |
242 | 318 | const BigInt w = m_group.inverse_mod_order(s); |
243 | 318 | |
244 | 318 | const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w); |
245 | 318 | const BigInt u2 = m_group.multiply_mod_order(r, w); |
246 | 318 | const PointGFp R = m_gy_mul.multi_exp(u1, u2); |
247 | 318 | |
248 | 318 | if(R.is_zero()) |
249 | 16 | return false; |
250 | 302 | |
251 | 302 | const BigInt v = m_group.mod_order(R.get_affine_x()); |
252 | 302 | return (v == r); |
253 | 302 | } |
254 | | |
255 | | } |
256 | | |
257 | | std::unique_ptr<PK_Ops::Verification> |
258 | | ECDSA_PublicKey::create_verification_op(const std::string& params, |
259 | | const std::string& provider) const |
260 | 1.15k | { |
261 | | #if defined(BOTAN_HAS_OPENSSL) |
262 | | if(provider == "openssl" || provider.empty()) |
263 | | { |
264 | | try |
265 | | { |
266 | | return make_openssl_ecdsa_ver_op(*this, params); |
267 | | } |
268 | | catch(Lookup_Error& e) |
269 | | { |
270 | | if(provider == "openssl") |
271 | | throw; |
272 | | } |
273 | | } |
274 | | #endif |
275 | 1.15k | |
276 | 1.15k | if(provider == "base" || provider.empty()) |
277 | 1.15k | return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params)); |
278 | 0 | |
279 | 0 | throw Provider_Not_Found(algo_name(), provider); |
280 | 0 | } |
281 | | |
282 | | std::unique_ptr<PK_Ops::Signature> |
283 | | ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng, |
284 | | const std::string& params, |
285 | | const std::string& provider) const |
286 | 0 | { |
287 | | #if defined(BOTAN_HAS_OPENSSL) |
288 | | if(provider == "openssl" || provider.empty()) |
289 | | { |
290 | | try |
291 | | { |
292 | | return make_openssl_ecdsa_sig_op(*this, params); |
293 | | } |
294 | | catch(Lookup_Error& e) |
295 | | { |
296 | | if(provider == "openssl") |
297 | | throw; |
298 | | } |
299 | | } |
300 | | #endif |
301 | 0 |
|
302 | 0 | if(provider == "base" || provider.empty()) |
303 | 0 | return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng)); |
304 | 0 | |
305 | 0 | throw Provider_Not_Found(algo_name(), provider); |
306 | 0 | } |
307 | | |
308 | | } |