/src/botan/src/lib/pubkey/ecgdsa/ecgdsa.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * ECGDSA (BSI-TR-03111, version 2.0) |
3 | | * (C) 2016 René Korthaus |
4 | | * (C) 2018 Jack Lloyd |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/ecgdsa.h> |
10 | | #include <botan/internal/keypair.h> |
11 | | #include <botan/reducer.h> |
12 | | #include <botan/internal/pk_ops_impl.h> |
13 | | #include <botan/internal/point_mul.h> |
14 | | |
15 | | namespace Botan { |
16 | | |
17 | | std::unique_ptr<Public_Key> ECGDSA_PrivateKey::public_key() const |
18 | 0 | { |
19 | 0 | return std::make_unique<ECGDSA_PublicKey>(domain(), public_point()); |
20 | 0 | } |
21 | | |
22 | | bool ECGDSA_PrivateKey::check_key(RandomNumberGenerator& rng, |
23 | | bool strong) const |
24 | 0 | { |
25 | 0 | if(!public_point().on_the_curve()) |
26 | 0 | return false; |
27 | | |
28 | 0 | if(!strong) |
29 | 0 | return true; |
30 | | |
31 | 0 | return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)"); |
32 | 0 | } |
33 | | |
34 | | namespace { |
35 | | |
36 | | /** |
37 | | * ECGDSA signature operation |
38 | | */ |
39 | | class ECGDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA |
40 | | { |
41 | | public: |
42 | | |
43 | | ECGDSA_Signature_Operation(const ECGDSA_PrivateKey& ecgdsa, |
44 | | const std::string& emsa) : |
45 | | PK_Ops::Signature_with_EMSA(emsa), |
46 | | m_group(ecgdsa.domain()), |
47 | | m_x(ecgdsa.private_value()) |
48 | 0 | { |
49 | 0 | } |
50 | | |
51 | | secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, |
52 | | RandomNumberGenerator& rng) override; |
53 | | |
54 | 0 | size_t signature_length() const override { return 2*m_group.get_order_bytes(); } |
55 | | |
56 | 0 | size_t max_input_bits() const override { return m_group.get_order_bits(); } |
57 | | |
58 | | private: |
59 | | const EC_Group m_group; |
60 | | const BigInt& m_x; |
61 | | std::vector<BigInt> m_ws; |
62 | | }; |
63 | | |
64 | | secure_vector<uint8_t> |
65 | | ECGDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len, |
66 | | RandomNumberGenerator& rng) |
67 | 0 | { |
68 | 0 | const BigInt m = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits()); |
69 | |
|
70 | 0 | const BigInt k = m_group.random_scalar(rng); |
71 | |
|
72 | 0 | const BigInt r = m_group.mod_order( |
73 | 0 | m_group.blinded_base_point_multiply_x(k, rng, m_ws)); |
74 | |
|
75 | 0 | const BigInt kr = m_group.multiply_mod_order(k, r); |
76 | |
|
77 | 0 | const BigInt s = m_group.multiply_mod_order(m_x, kr - m); |
78 | | |
79 | | // With overwhelming probability, a bug rather than actual zero r/s |
80 | 0 | if(r.is_zero() || s.is_zero()) |
81 | 0 | throw Internal_Error("During ECGDSA signature generated zero r/s"); |
82 | | |
83 | 0 | return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes()); |
84 | 0 | } |
85 | | |
86 | | /** |
87 | | * ECGDSA verification operation |
88 | | */ |
89 | | class ECGDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA |
90 | | { |
91 | | public: |
92 | | |
93 | | ECGDSA_Verification_Operation(const ECGDSA_PublicKey& ecgdsa, |
94 | | const std::string& emsa) : |
95 | | PK_Ops::Verification_with_EMSA(emsa), |
96 | | m_group(ecgdsa.domain()), |
97 | | m_gy_mul(m_group.get_base_point(), ecgdsa.public_point()) |
98 | 0 | { |
99 | 0 | } |
100 | | |
101 | 0 | size_t max_input_bits() const override { return m_group.get_order_bits(); } |
102 | | |
103 | 0 | bool with_recovery() const override { return false; } |
104 | | |
105 | | bool verify(const uint8_t msg[], size_t msg_len, |
106 | | const uint8_t sig[], size_t sig_len) override; |
107 | | private: |
108 | | const EC_Group m_group; |
109 | | const PointGFp_Multi_Point_Precompute m_gy_mul; |
110 | | }; |
111 | | |
112 | | bool ECGDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, |
113 | | const uint8_t sig[], size_t sig_len) |
114 | 0 | { |
115 | 0 | if(sig_len != m_group.get_order_bytes() * 2) |
116 | 0 | return false; |
117 | | |
118 | 0 | const BigInt e = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits()); |
119 | |
|
120 | 0 | const BigInt r(sig, sig_len / 2); |
121 | 0 | const BigInt s(sig + sig_len / 2, sig_len / 2); |
122 | |
|
123 | 0 | if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) |
124 | 0 | return false; |
125 | | |
126 | 0 | const BigInt w = m_group.inverse_mod_order(r); |
127 | |
|
128 | 0 | const BigInt u1 = m_group.multiply_mod_order(e, w); |
129 | 0 | const BigInt u2 = m_group.multiply_mod_order(s, w); |
130 | 0 | const PointGFp R = m_gy_mul.multi_exp(u1, u2); |
131 | |
|
132 | 0 | if(R.is_zero()) |
133 | 0 | return false; |
134 | | |
135 | 0 | const BigInt v = m_group.mod_order(R.get_affine_x()); |
136 | 0 | return (v == r); |
137 | 0 | } |
138 | | |
139 | | } |
140 | | |
141 | | std::unique_ptr<PK_Ops::Verification> |
142 | | ECGDSA_PublicKey::create_verification_op(const std::string& params, |
143 | | const std::string& provider) const |
144 | 0 | { |
145 | 0 | if(provider == "base" || provider.empty()) |
146 | 0 | return std::make_unique<ECGDSA_Verification_Operation>(*this, params); |
147 | 0 | throw Provider_Not_Found(algo_name(), provider); |
148 | 0 | } |
149 | | |
150 | | std::unique_ptr<PK_Ops::Signature> |
151 | | ECGDSA_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/, |
152 | | const std::string& params, |
153 | | const std::string& provider) const |
154 | 0 | { |
155 | 0 | if(provider == "base" || provider.empty()) |
156 | 0 | return std::make_unique<ECGDSA_Signature_Operation>(*this, params); |
157 | 0 | throw Provider_Not_Found(algo_name(), provider); |
158 | 0 | } |
159 | | |
160 | | } |