/src/botan/src/lib/pubkey/ecdsa/ecdsa.cpp

Source (jump to first uncovered line)
/*
* ECDSA implemenation
* (C) 2007 Manuel Hartl, FlexSecure GmbH
*     2007 Falko Strenzke, FlexSecure GmbH
*     2008-2010,2015,2016,2018 Jack Lloyd
*     2016 René Korthaus
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/ecdsa.h>
#include <botan/internal/pk_ops_impl.h>
#include <botan/internal/point_mul.h>
#include <botan/internal/keypair.h>
#include <botan/reducer.h>
#include <botan/internal/emsa.h>

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
  #include <botan/internal/rfc6979.h>
#endif

#if defined(BOTAN_HAS_OPENSSL)
  #include <botan/internal/openssl.h>
#endif

namespace Botan {

namespace {

PointGFp recover_ecdsa_public_key(const EC_Group& group,
                                  const std::vector<uint8_t>& msg,
                                  const BigInt& r,
                                  const BigInt& s,
                                  uint8_t v)
   {
   if(group.get_cofactor() != 1)
      throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");

   if(v > 4)
      throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");

   const uint8_t y_odd = v % 2;
   const uint8_t add_order = v >> 1;

   const BigInt& group_order = group.get_order();
   const size_t p_bytes = group.get_p_bytes();

   try
      {
      const BigInt e(msg.data(), msg.size(), group.get_order_bits());
      const BigInt r_inv = group.inverse_mod_order(r);

      BigInt x = r + add_order*group_order;

      std::vector<uint8_t> X(p_bytes + 1);

      X[0] = 0x02 | y_odd;
      BigInt::encode_1363(&X[1], p_bytes, x);

      const PointGFp R = group.OS2ECP(X);

      if((R*group_order).is_zero() == false)
         throw Decoding_Error("Unable to recover ECDSA public key");

      // Compute r_inv * (s*R - eG)
      PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
      const BigInt ne = group.mod_order(group_order - e);
      return r_inv * RG_mul.multi_exp(s, ne);
      }
   catch(...)
      {
      // continue on and throw
      }

   throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
   }

}

ECDSA_PublicKey::ECDSA_PublicKey(const EC_Group& group,
                                 const std::vector<uint8_t>& msg,
                                 const BigInt& r,
                                 const BigInt& s,
                                 uint8_t v) :
   EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}


uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
                                        const BigInt& r,
                                        const BigInt& s) const
   {
   for(uint8_t v = 0; v != 4; ++v)
      {
      try
         {
         PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);

         if(R == this->public_point())
            {
            return v;
            }
         }
      catch(Decoding_Error&)
         {
         // try the next v
         }
      }

   throw Internal_Error("Could not determine ECDSA recovery parameter");
   }

std::unique_ptr<Public_Key> ECDSA_PrivateKey::public_key() const
   {
   return std::unique_ptr<Public_Key>(new ECDSA_PublicKey(domain(), public_point()));
   }

bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
                                 bool strong) const
   {
   if(!public_point().on_the_curve())
      return false;

   if(!strong)
      return true;

   return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
   }

namespace {

/**
* ECDSA signature operation
*/
class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
   {
   public:

      ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
                                const std::string& emsa,
                                RandomNumberGenerator& rng) :
         PK_Ops::Signature_with_EMSA(emsa),
         m_group(ecdsa.domain()),
         m_x(ecdsa.private_value())
         {
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
         m_rfc6979.reset(new RFC6979_Nonce_Generator(this->hash_for_signature(), m_group.get_order(), m_x));
#endif

         m_b = m_group.random_scalar(rng);
         m_b_inv = m_group.inverse_mod_order(m_b);
         }

      size_t signature_length() const override { return 2*m_group.get_order_bytes(); }

      size_t max_input_bits() const override { return m_group.get_order_bits(); }

      secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
                                      RandomNumberGenerator& rng) override;

   private:
      const EC_Group m_group;
      const BigInt& m_x;

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
      std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
#endif

      std::vector<BigInt> m_ws;

      BigInt m_b, m_b_inv;
   };

secure_vector<uint8_t>
ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
                                    RandomNumberGenerator& rng)
   {
   BigInt m(msg, msg_len, m_group.get_order_bits());

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   const BigInt k = m_rfc6979->nonce_for(m);
#else
   const BigInt k = m_group.random_scalar(rng);
#endif

   const BigInt r = m_group.mod_order(
      m_group.blinded_base_point_multiply_x(k, rng, m_ws));

   const BigInt k_inv = m_group.inverse_mod_order(k);

   /*
   * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
   */
   m_b = m_group.square_mod_order(m_b);
   m_b_inv = m_group.square_mod_order(m_b_inv);

   m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
   const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);

   const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);

   // With overwhelming probability, a bug rather than actual zero r/s
   if(r.is_zero() || s.is_zero())
      throw Internal_Error("During ECDSA signature generated zero r/s");

   return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
   }

/**
* ECDSA verification operation
*/
class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
   {
   public:
      ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
                                   const std::string& emsa) :
         PK_Ops::Verification_with_EMSA(emsa),
         m_group(ecdsa.domain()),
         m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
         {
         }

      size_t max_input_bits() const override { return m_group.get_order_bits(); }

      bool with_recovery() const override { return false; }

      bool verify(const uint8_t msg[], size_t msg_len,
                  const uint8_t sig[], size_t sig_len) override;
   private:
      const EC_Group m_group;
      const PointGFp_Multi_Point_Precompute m_gy_mul;
   };

bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
                                          const uint8_t sig[], size_t sig_len)
   {
   if(sig_len != m_group.get_order_bytes() * 2)
      return false;

   const BigInt e(msg, msg_len, m_group.get_order_bits());

   const BigInt r(sig, sig_len / 2);
   const BigInt s(sig + sig_len / 2, sig_len / 2);

   if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
      return false;

   const BigInt w = m_group.inverse_mod_order(s);

   const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
   const BigInt u2 = m_group.multiply_mod_order(r, w);
   const PointGFp R = m_gy_mul.multi_exp(u1, u2);

   if(R.is_zero())
      return false;

   const BigInt v = m_group.mod_order(R.get_affine_x());
   return (v == r);
   }

}

std::unique_ptr<PK_Ops::Verification>
ECDSA_PublicKey::create_verification_op(const std::string& params,
                                        const std::string& provider) const
   {
#if defined(BOTAN_HAS_OPENSSL)
   if(provider == "openssl" || provider.empty())
      {
      try
         {
         return make_openssl_ecdsa_ver_op(*this, params);
         }
      catch(Lookup_Error& e)
         {
         if(provider == "openssl")
            throw;
         }
      }
#endif

   if(provider == "base" || provider.empty())
      return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params));

   throw Provider_Not_Found(algo_name(), provider);
   }

std::unique_ptr<PK_Ops::Signature>
ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
                                      const std::string& params,
                                      const std::string& provider) const
   {
#if defined(BOTAN_HAS_OPENSSL)
   if(provider == "openssl" || provider.empty())
      {
      try
         {
         return make_openssl_ecdsa_sig_op(*this, params);
         }
      catch(Lookup_Error& e)
         {
         if(provider == "openssl")
            throw;
         }
      }
#endif

   if(provider == "base" || provider.empty())
      return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng));

   throw Provider_Not_Found(algo_name(), provider);
   }

}

Coverage Report

Created: 2021-01-13 07:05

Line	Count	Source (jump to first uncovered line)
1		/*
2		* ECDSA implemenation
3		* (C) 2007 Manuel Hartl, FlexSecure GmbH
4		* 2007 Falko Strenzke, FlexSecure GmbH
5		* 2008-2010,2015,2016,2018 Jack Lloyd
6		* 2016 René Korthaus
7		*
8		* Botan is released under the Simplified BSD License (see license.txt)
9		*/
10
11		#include <botan/ecdsa.h>
12		#include <botan/internal/pk_ops_impl.h>
13		#include <botan/internal/point_mul.h>
14		#include <botan/internal/keypair.h>
15		#include <botan/reducer.h>
16		#include <botan/internal/emsa.h>
17
18		#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19		#include <botan/internal/rfc6979.h>
20		#endif
21
22		#if defined(BOTAN_HAS_OPENSSL)
23		#include <botan/internal/openssl.h>
24		#endif
25
26		namespace Botan {
27
28		namespace {
29
30		PointGFp recover_ecdsa_public_key(const EC_Group& group,
31		const std::vector<uint8_t>& msg,
32		const BigInt& r,
33		const BigInt& s,
34		uint8_t v)
35	0	{
36	0	if(group.get_cofactor() != 1)
37	0	throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");
38
39	0	if(v > 4)
40	0	throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");
41
42	0	const uint8_t y_odd = v % 2;
43	0	const uint8_t add_order = v >> 1;
44
45	0	const BigInt& group_order = group.get_order();
46	0	const size_t p_bytes = group.get_p_bytes();
47
48	0	try
49	0	{
50	0	const BigInt e(msg.data(), msg.size(), group.get_order_bits());
51	0	const BigInt r_inv = group.inverse_mod_order(r);
52
53	0	BigInt x = r + add_order*group_order;
54
55	0	std::vector<uint8_t> X(p_bytes + 1);
56
57	0	X[0] = 0x02 \| y_odd;
58	0	BigInt::encode_1363(&X[1], p_bytes, x);
59
60	0	const PointGFp R = group.OS2ECP(X);
61
62	0	if((R*group_order).is_zero() == false)
63	0	throw Decoding_Error("Unable to recover ECDSA public key");
64
65		// Compute r_inv * (s*R - eG)
66	0	PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
67	0	const BigInt ne = group.mod_order(group_order - e);
68	0	return r_inv * RG_mul.multi_exp(s, ne);
69	0	}
70	0	catch(...)
71	0	{
72		// continue on and throw
73	0	}
74
75	0	throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
76	0	}
77
78		}
79
80		ECDSA_PublicKey::ECDSA_PublicKey(const EC_Group& group,
81		const std::vector<uint8_t>& msg,
82		const BigInt& r,
83		const BigInt& s,
84		uint8_t v) :
85	0	EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {} Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char) Unexecuted instantiation: Botan::ECDSA_PublicKey::ECDSA_PublicKey(Botan::EC_Group const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, Botan::BigInt const&, Botan::BigInt const&, unsigned char)
86
87
88		uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
89		const BigInt& r,
90		const BigInt& s) const
91	0	{
92	0	for(uint8_t v = 0; v != 4; ++v)
93	0	{
94	0	try
95	0	{
96	0	PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);
97
98	0	if(R == this->public_point())
99	0	{
100	0	return v;
101	0	}
102	0	}
103	0	catch(Decoding_Error&)
104	0	{
105		// try the next v
106	0	}
107	0	}
108
109	0	throw Internal_Error("Could not determine ECDSA recovery parameter");
110	0	}
111
112		std::unique_ptr<Public_Key> ECDSA_PrivateKey::public_key() const
113	0	{
114	0	return std::unique_ptr<Public_Key>(new ECDSA_PublicKey(domain(), public_point()));
115	0	}
116
117		bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
118		bool strong) const
119	0	{
120	0	if(!public_point().on_the_curve())
121	0	return false;
122
123	0	if(!strong)
124	0	return true;
125
126	0	return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
127	0	}
128
129		namespace {
130
131		/**
132		* ECDSA signature operation
133		*/
134		class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
135		{
136		public:
137
138		ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
139		const std::string& emsa,
140		RandomNumberGenerator& rng) :
141		PK_Ops::Signature_with_EMSA(emsa),
142		m_group(ecdsa.domain()),
143		m_x(ecdsa.private_value())
144	0	{
145	0	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
146	0	m_rfc6979.reset(new RFC6979_Nonce_Generator(this->hash_for_signature(), m_group.get_order(), m_x));
147	0	#endif
148
149	0	m_b = m_group.random_scalar(rng);
150	0	m_b_inv = m_group.inverse_mod_order(m_b);
151	0	}
152
153	0	size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
154
155	0	size_t max_input_bits() const override { return m_group.get_order_bits(); }
156
157		secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
158		RandomNumberGenerator& rng) override;
159
160		private:
161		const EC_Group m_group;
162		const BigInt& m_x;
163
164		#if defined(BOTAN_HAS_RFC6979_GENERATOR)
165		std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
166		#endif
167
168		std::vector<BigInt> m_ws;
169
170		BigInt m_b, m_b_inv;
171		};
172
173		secure_vector<uint8_t>
174		ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
175		RandomNumberGenerator& rng)
176	0	{
177	0	BigInt m(msg, msg_len, m_group.get_order_bits());
178
179	0	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
180	0	const BigInt k = m_rfc6979->nonce_for(m);
181		#else
182		const BigInt k = m_group.random_scalar(rng);
183		#endif
184
185	0	const BigInt r = m_group.mod_order(
186	0	m_group.blinded_base_point_multiply_x(k, rng, m_ws));
187
188	0	const BigInt k_inv = m_group.inverse_mod_order(k);
189
190		/*
191		* Blind the input message and compute xr+m as (xrb + mb)/b
192		*/
193	0	m_b = m_group.square_mod_order(m_b);
194	0	m_b_inv = m_group.square_mod_order(m_b_inv);
195
196	0	m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
197	0	const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
198
199	0	const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
200
201		// With overwhelming probability, a bug rather than actual zero r/s
202	0	if(r.is_zero() \|\| s.is_zero())
203	0	throw Internal_Error("During ECDSA signature generated zero r/s");
204
205	0	return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
206	0	}
207
208		/**
209		* ECDSA verification operation
210		*/
211		class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
212		{
213		public:
214		ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
215		const std::string& emsa) :
216		PK_Ops::Verification_with_EMSA(emsa),
217		m_group(ecdsa.domain()),
218		m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
219	1.28k	{
220	1.28k	}
221
222	392	size_t max_input_bits() const override { return m_group.get_order_bits(); }
223
224	392	bool with_recovery() const override { return false; }
225
226		bool verify(const uint8_t msg[], size_t msg_len,
227		const uint8_t sig[], size_t sig_len) override;
228		private:
229		const EC_Group m_group;
230		const PointGFp_Multi_Point_Precompute m_gy_mul;
231		};
232
233		bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
234		const uint8_t sig[], size_t sig_len)
235	392	{
236	392	if(sig_len != m_group.get_order_bytes() * 2)
237	0	return false;
238
239	392	const BigInt e(msg, msg_len, m_group.get_order_bits());
240
241	392	const BigInt r(sig, sig_len / 2);
242	392	const BigInt s(sig + sig_len / 2, sig_len / 2);
243
244	392	if(r <= 0 \|\| r >= m_group.get_order() \|\| s <= 0 \|\| s >= m_group.get_order())
245	14	return false;
246
247	378	const BigInt w = m_group.inverse_mod_order(s);
248
249	378	const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
250	378	const BigInt u2 = m_group.multiply_mod_order(r, w);
251	378	const PointGFp R = m_gy_mul.multi_exp(u1, u2);
252
253	378	if(R.is_zero())
254	0	return false;
255
256	378	const BigInt v = m_group.mod_order(R.get_affine_x());
257	378	return (v == r);
258	378	}
259
260		}
261
262		std::unique_ptr<PK_Ops::Verification>
263		ECDSA_PublicKey::create_verification_op(const std::string& params,
264		const std::string& provider) const
265	1.28k	{
266		#if defined(BOTAN_HAS_OPENSSL)
267		if(provider == "openssl" \|\| provider.empty())
268		{
269		try
270		{
271		return make_openssl_ecdsa_ver_op(*this, params);
272		}
273		catch(Lookup_Error& e)
274		{
275		if(provider == "openssl")
276		throw;
277		}
278		}
279		#endif
280
281	1.28k	if(provider == "base" \|\| provider.empty())
282	1.28k	return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params));
283
284	0	throw Provider_Not_Found(algo_name(), provider);
285	0	}
286
287		std::unique_ptr<PK_Ops::Signature>
288		ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
289		const std::string& params,
290		const std::string& provider) const
291	0	{
292		#if defined(BOTAN_HAS_OPENSSL)
293		if(provider == "openssl" \|\| provider.empty())
294		{
295		try
296		{
297		return make_openssl_ecdsa_sig_op(*this, params);
298		}
299		catch(Lookup_Error& e)
300		{
301		if(provider == "openssl")
302		throw;
303		}
304		}
305		#endif
306
307	0	if(provider == "base" \|\| provider.empty())
308	0	return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng));
309
310	0	throw Provider_Not_Found(algo_name(), provider);
311	0	}
312
313		}