/src/botan/src/lib/pubkey/pubkey.cpp

Source (jump to first uncovered line)
/*
* (C) 1999-2010,2015,2018 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/pubkey.h>
#include <botan/der_enc.h>
#include <botan/ber_dec.h>
#include <botan/bigint.h>
#include <botan/internal/pk_ops.h>
#include <botan/internal/ct_utils.h>
#include <botan/rng.h>

namespace Botan {

secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
   {
   uint8_t valid_mask = 0;

   secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);

   if(valid_mask == 0)
      throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");

   return decoded;
   }

secure_vector<uint8_t>
PK_Decryptor::decrypt_or_random(const uint8_t in[],
                                size_t length,
                                size_t expected_pt_len,
                                RandomNumberGenerator& rng,
                                const uint8_t required_content_bytes[],
                                const uint8_t required_content_offsets[],
                                size_t required_contents_length) const
   {
   const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);

   uint8_t decrypt_valid = 0;
   secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);

   auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
   valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));

   decoded.resize(expected_pt_len);

   for(size_t i = 0; i != required_contents_length; ++i)
      {
      /*
      These values are chosen by the application and for TLS are constants,
      so this early failure via assert is fine since we know 0,1 < 48

      If there is a protocol that has content checks on the key where
      the expected offsets are controllable by the attacker this could
      still leak.

      Alternately could always reduce the offset modulo the length?
      */

      const uint8_t exp = required_content_bytes[i];
      const uint8_t off = required_content_offsets[i];

      BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");

      auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);

      valid_mask &= eq;
      }

   // If valid_mask is false, assign fake pre master instead
   valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);

   return decoded;
   }

secure_vector<uint8_t>
PK_Decryptor::decrypt_or_random(const uint8_t in[],
                                size_t length,
                                size_t expected_pt_len,
                                RandomNumberGenerator& rng) const
   {
   return decrypt_or_random(in, length, expected_pt_len, rng,
                            nullptr, nullptr, 0);
   }

PK_Encryptor_EME::PK_Encryptor_EME(const Public_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& padding,
                                   const std::string& provider)
   {
   m_op = key.create_encryption_op(rng, padding, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
   }

PK_Encryptor_EME::~PK_Encryptor_EME() = default;

size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
   {
   return m_op->ciphertext_length(ptext_len);
   }

std::vector<uint8_t>
PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
   {
   return unlock(m_op->encrypt(in, length, rng));
   }

size_t PK_Encryptor_EME::maximum_input_size() const
   {
   return m_op->max_input_bits() / 8;
   }

PK_Decryptor_EME::PK_Decryptor_EME(const Private_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& padding,
                                   const std::string& provider)
   {
   m_op = key.create_decryption_op(rng, padding, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
   }

PK_Decryptor_EME::~PK_Decryptor_EME() = default;

size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
   {
   return m_op->plaintext_length(ctext_len);
   }

secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
                                                 const uint8_t in[], size_t in_len) const
   {
   return m_op->decrypt(valid_mask, in, in_len);
   }

PK_KEM_Encryptor::PK_KEM_Encryptor(const Public_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& param,
                                   const std::string& provider)
   {
   m_op = key.create_kem_encryption_op(rng, param, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
   }

PK_KEM_Encryptor::~PK_KEM_Encryptor() = default;

void PK_KEM_Encryptor::encrypt(secure_vector<uint8_t>& out_encapsulated_key,
                               secure_vector<uint8_t>& out_shared_key,
                               size_t desired_shared_key_len,
                               Botan::RandomNumberGenerator& rng,
                               const uint8_t salt[],
                               size_t salt_len)
   {
   m_op->kem_encrypt(out_encapsulated_key,
                     out_shared_key,
                     desired_shared_key_len,
                     rng,
                     salt,
                     salt_len);
   }

PK_KEM_Decryptor::PK_KEM_Decryptor(const Private_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& param,
                                   const std::string& provider)
   {
   m_op = key.create_kem_decryption_op(rng, param, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
   }

PK_KEM_Decryptor::~PK_KEM_Decryptor() = default;

secure_vector<uint8_t> PK_KEM_Decryptor::decrypt(const uint8_t encap_key[],
                                              size_t encap_key_len,
                                              size_t desired_shared_key_len,
                                              const uint8_t salt[],
                                              size_t salt_len)
   {
   return m_op->kem_decrypt(encap_key, encap_key_len,
                            desired_shared_key_len,
                            salt, salt_len);
   }

PK_Key_Agreement::PK_Key_Agreement(PK_Key_Agreement&&) = default;

PK_Key_Agreement::PK_Key_Agreement(const Private_Key& key,
                                   RandomNumberGenerator& rng,
                                   const std::string& kdf,
                                   const std::string& provider)
   {
   m_op = key.create_key_agreement_op(rng, kdf, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
   }

PK_Key_Agreement::~PK_Key_Agreement() = default;

size_t PK_Key_Agreement::agreed_value_size() const
   {
   return m_op->agreed_value_size();
   }

SymmetricKey PK_Key_Agreement::derive_key(size_t key_len,
                                          const uint8_t in[], size_t in_len,
                                          const uint8_t salt[],
                                          size_t salt_len) const
   {
   return m_op->agree(key_len, in, in_len, salt, salt_len);
   }

static void check_der_format_supported(Signature_Format format, size_t parts)
   {
      if(format != IEEE_1363 && parts == 1)
         throw Invalid_Argument("PK: This algorithm does not support DER encoding");
   }

PK_Signer::PK_Signer(const Private_Key& key,
                     RandomNumberGenerator& rng,
                     const std::string& emsa,
                     Signature_Format format,
                     const std::string& provider)
   {
   m_op = key.create_signature_op(rng, emsa, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
   m_sig_format = format;
   m_parts = key.message_parts();
   m_part_size = key.message_part_size();
   check_der_format_supported(format, m_parts);
   }

PK_Signer::~PK_Signer() = default;

void PK_Signer::update(const uint8_t in[], size_t length)
   {
   m_op->update(in, length);
   }

namespace {

std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
                                          size_t parts,
                                          size_t part_size)
   {
   if(sig.size() % parts != 0 || sig.size() != parts * part_size)
      throw Encoding_Error("Unexpected size for DER signature");

   std::vector<BigInt> sig_parts(parts);
   for(size_t i = 0; i != sig_parts.size(); ++i)
      sig_parts[i].binary_decode(&sig[part_size*i], part_size);

   std::vector<uint8_t> output;
   DER_Encoder(output)
      .start_sequence()
      .encode_list(sig_parts)
      .end_cons();
   return output;
   }

}

size_t PK_Signer::signature_length() const
   {
   if(m_sig_format == IEEE_1363)
      {
      return m_op->signature_length();
      }
   else if(m_sig_format == DER_SEQUENCE)
      {
      // This is a large over-estimate but its easier than computing
      // the exact value
      return m_op->signature_length() + (8 + 4*m_parts);
      }
   else
      throw Internal_Error("PK_Signer: Invalid signature format enum");
   }

std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
   {
   const std::vector<uint8_t> sig = unlock(m_op->sign(rng));

   if(m_sig_format == IEEE_1363)
      {
      return sig;
      }
   else if(m_sig_format == DER_SEQUENCE)
      {
      return der_encode_signature(sig, m_parts, m_part_size);
      }
   else
      throw Internal_Error("PK_Signer: Invalid signature format enum");
   }

PK_Verifier::PK_Verifier(const Public_Key& key,
                         const std::string& emsa,
                         Signature_Format format,
                         const std::string& provider)
   {
   m_op = key.create_verification_op(emsa, provider);
   if(!m_op)
      throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
   m_sig_format = format;
   m_parts = key.message_parts();
   m_part_size = key.message_part_size();
   check_der_format_supported(format, m_parts);
   }

PK_Verifier::~PK_Verifier() = default;

void PK_Verifier::set_input_format(Signature_Format format)
   {
   check_der_format_supported(format, m_parts);
   m_sig_format = format;
   }

bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
                                 const uint8_t sig[], size_t sig_length)
   {
   update(msg, msg_length);
   return check_signature(sig, sig_length);
   }

void PK_Verifier::update(const uint8_t in[], size_t length)
   {
   m_op->update(in, length);
   }

bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
   {
   try {
      if(m_sig_format == IEEE_1363)
         {
         return m_op->is_valid_signature(sig, length);
         }
      else if(m_sig_format == DER_SEQUENCE)
         {
         std::vector<uint8_t> real_sig;
         BER_Decoder decoder(sig, length);
         BER_Decoder ber_sig = decoder.start_sequence();

         BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);

         size_t count = 0;

         while(ber_sig.more_items())
            {
            BigInt sig_part;
            ber_sig.decode(sig_part);
            real_sig += BigInt::encode_1363(sig_part, m_part_size);
            ++count;
            }

         if(count != m_parts)
            throw Decoding_Error("PK_Verifier: signature size invalid");

         const std::vector<uint8_t> reencoded =
            der_encode_signature(real_sig, m_parts, m_part_size);

         if(reencoded.size() != length ||
            same_mem(reencoded.data(), sig, reencoded.size()) == false)
            {
            throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
            }

         return m_op->is_valid_signature(real_sig.data(), real_sig.size());
         }
      else
         throw Internal_Error("PK_Verifier: Invalid signature format enum");
      }
   catch(Invalid_Argument&) { return false; }
   catch(Decoding_Error&) { return false; }
   catch(Encoding_Error&) { return false; }
   }

}

Coverage Report

Created: 2021-11-25 09:31

Line	Count	Source (jump to first uncovered line)
1		/*
2		* (C) 1999-2010,2015,2018 Jack Lloyd
3		*
4		* Botan is released under the Simplified BSD License (see license.txt)
5		*/
6
7		#include <botan/pubkey.h>
8		#include <botan/der_enc.h>
9		#include <botan/ber_dec.h>
10		#include <botan/bigint.h>
11		#include <botan/internal/pk_ops.h>
12		#include <botan/internal/ct_utils.h>
13		#include <botan/rng.h>
14
15		namespace Botan {
16
17		secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
18	0	{
19	0	uint8_t valid_mask = 0;
20
21	0	secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
22
23	0	if(valid_mask == 0)
24	0	throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
25
26	0	return decoded;
27	0	}
28
29		secure_vector<uint8_t>
30		PK_Decryptor::decrypt_or_random(const uint8_t in[],
31		size_t length,
32		size_t expected_pt_len,
33		RandomNumberGenerator& rng,
34		const uint8_t required_content_bytes[],
35		const uint8_t required_content_offsets[],
36		size_t required_contents_length) const
37	0	{
38	0	const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
39
40	0	uint8_t decrypt_valid = 0;
41	0	secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
42
43	0	auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
44	0	valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
45
46	0	decoded.resize(expected_pt_len);
47
48	0	for(size_t i = 0; i != required_contents_length; ++i)
49	0	{
50		/*
51		These values are chosen by the application and for TLS are constants,
52		so this early failure via assert is fine since we know 0,1 < 48
53
54		If there is a protocol that has content checks on the key where
55		the expected offsets are controllable by the attacker this could
56		still leak.
57
58		Alternately could always reduce the offset modulo the length?
59		*/
60
61	0	const uint8_t exp = required_content_bytes[i];
62	0	const uint8_t off = required_content_offsets[i];
63
64	0	BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
65
66	0	auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
67
68	0	valid_mask &= eq;
69	0	}
70
71		// If valid_mask is false, assign fake pre master instead
72	0	valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
73
74	0	return decoded;
75	0	}
76
77		secure_vector<uint8_t>
78		PK_Decryptor::decrypt_or_random(const uint8_t in[],
79		size_t length,
80		size_t expected_pt_len,
81		RandomNumberGenerator& rng) const
82	0	{
83	0	return decrypt_or_random(in, length, expected_pt_len, rng,
84	0	nullptr, nullptr, 0);
85	0	}
86
87		PK_Encryptor_EME::PK_Encryptor_EME(const Public_Key& key,
88		RandomNumberGenerator& rng,
89		const std::string& padding,
90		const std::string& provider)
91	0	{
92	0	m_op = key.create_encryption_op(rng, padding, provider);
93	0	if(!m_op)
94	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
95	0	}
96
97	0	PK_Encryptor_EME::~PK_Encryptor_EME() = default;
98
99		size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
100	0	{
101	0	return m_op->ciphertext_length(ptext_len);
102	0	}
103
104		std::vector<uint8_t>
105		PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
106	0	{
107	0	return unlock(m_op->encrypt(in, length, rng));
108	0	}
109
110		size_t PK_Encryptor_EME::maximum_input_size() const
111	0	{
112	0	return m_op->max_input_bits() / 8;
113	0	}
114
115		PK_Decryptor_EME::PK_Decryptor_EME(const Private_Key& key,
116		RandomNumberGenerator& rng,
117		const std::string& padding,
118		const std::string& provider)
119	0	{
120	0	m_op = key.create_decryption_op(rng, padding, provider);
121	0	if(!m_op)
122	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
123	0	}
124
125	0	PK_Decryptor_EME::~PK_Decryptor_EME() = default;
126
127		size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
128	0	{
129	0	return m_op->plaintext_length(ctext_len);
130	0	}
131
132		secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
133		const uint8_t in[], size_t in_len) const
134	0	{
135	0	return m_op->decrypt(valid_mask, in, in_len);
136	0	}
137
138		PK_KEM_Encryptor::PK_KEM_Encryptor(const Public_Key& key,
139		RandomNumberGenerator& rng,
140		const std::string& param,
141		const std::string& provider)
142	0	{
143	0	m_op = key.create_kem_encryption_op(rng, param, provider);
144	0	if(!m_op)
145	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
146	0	}
147
148	0	PK_KEM_Encryptor::~PK_KEM_Encryptor() = default;
149
150		void PK_KEM_Encryptor::encrypt(secure_vector<uint8_t>& out_encapsulated_key,
151		secure_vector<uint8_t>& out_shared_key,
152		size_t desired_shared_key_len,
153		Botan::RandomNumberGenerator& rng,
154		const uint8_t salt[],
155		size_t salt_len)
156	0	{
157	0	m_op->kem_encrypt(out_encapsulated_key,
158	0	out_shared_key,
159	0	desired_shared_key_len,
160	0	rng,
161	0	salt,
162	0	salt_len);
163	0	}
164
165		PK_KEM_Decryptor::PK_KEM_Decryptor(const Private_Key& key,
166		RandomNumberGenerator& rng,
167		const std::string& param,
168		const std::string& provider)
169	0	{
170	0	m_op = key.create_kem_decryption_op(rng, param, provider);
171	0	if(!m_op)
172	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
173	0	}
174
175	0	PK_KEM_Decryptor::~PK_KEM_Decryptor() = default;
176
177		secure_vector<uint8_t> PK_KEM_Decryptor::decrypt(const uint8_t encap_key[],
178		size_t encap_key_len,
179		size_t desired_shared_key_len,
180		const uint8_t salt[],
181		size_t salt_len)
182	0	{
183	0	return m_op->kem_decrypt(encap_key, encap_key_len,
184	0	desired_shared_key_len,
185	0	salt, salt_len);
186	0	}
187
188	0	PK_Key_Agreement::PK_Key_Agreement(PK_Key_Agreement&&) = default;
189
190		PK_Key_Agreement::PK_Key_Agreement(const Private_Key& key,
191		RandomNumberGenerator& rng,
192		const std::string& kdf,
193		const std::string& provider)
194	13.2k	{
195	13.2k	m_op = key.create_key_agreement_op(rng, kdf, provider);
196	13.2k	if(!m_op)
197	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
198	13.2k	}
199
200	13.2k	PK_Key_Agreement::~PK_Key_Agreement() = default;
201
202		size_t PK_Key_Agreement::agreed_value_size() const
203	0	{
204	0	return m_op->agreed_value_size();
205	0	}
206
207		SymmetricKey PK_Key_Agreement::derive_key(size_t key_len,
208		const uint8_t in[], size_t in_len,
209		const uint8_t salt[],
210		size_t salt_len) const
211	13.2k	{
212	13.2k	return m_op->agree(key_len, in, in_len, salt, salt_len);
213	13.2k	}
214
215		static void check_der_format_supported(Signature_Format format, size_t parts)
216	8.54k	{
217	8.54k	if(format != IEEE_1363 && parts == 1)
218	0	throw Invalid_Argument("PK: This algorithm does not support DER encoding");
219	8.54k	}
220
221		PK_Signer::PK_Signer(const Private_Key& key,
222		RandomNumberGenerator& rng,
223		const std::string& emsa,
224		Signature_Format format,
225		const std::string& provider)
226	0	{
227	0	m_op = key.create_signature_op(rng, emsa, provider);
228	0	if(!m_op)
229	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
230	0	m_sig_format = format;
231	0	m_parts = key.message_parts();
232	0	m_part_size = key.message_part_size();
233	0	check_der_format_supported(format, m_parts);
234	0	}
235
236	0	PK_Signer::~PK_Signer() = default;
237
238		void PK_Signer::update(const uint8_t in[], size_t length)
239	0	{
240	0	m_op->update(in, length);
241	0	}
242
243		namespace {
244
245		std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
246		size_t parts,
247		size_t part_size)
248	446	{
249	446	if(sig.size() % parts != 0 \|\| sig.size() != parts * part_size)
250	0	throw Encoding_Error("Unexpected size for DER signature");
251
252	446	std::vector<BigInt> sig_parts(parts);
253	1.33k	for(size_t i = 0; i != sig_parts.size(); ++i)
254	892	sig_parts[i].binary_decode(&sig[part_size*i], part_size);
255
256	446	std::vector<uint8_t> output;
257	446	DER_Encoder(output)
258	446	.start_sequence()
259	446	.encode_list(sig_parts)
260	446	.end_cons();
261	446	return output;
262	446	}
263
264		}
265
266		size_t PK_Signer::signature_length() const
267	0	{
268	0	if(m_sig_format == IEEE_1363)
269	0	{
270	0	return m_op->signature_length();
271	0	}
272	0	else if(m_sig_format == DER_SEQUENCE)
273	0	{
274		// This is a large over-estimate but its easier than computing
275		// the exact value
276	0	return m_op->signature_length() + (8 + 4*m_parts);
277	0	}
278	0	else
279	0	throw Internal_Error("PK_Signer: Invalid signature format enum");
280	0	}
281
282		std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
283	0	{
284	0	const std::vector<uint8_t> sig = unlock(m_op->sign(rng));
285
286	0	if(m_sig_format == IEEE_1363)
287	0	{
288	0	return sig;
289	0	}
290	0	else if(m_sig_format == DER_SEQUENCE)
291	0	{
292	0	return der_encode_signature(sig, m_parts, m_part_size);
293	0	}
294	0	else
295	0	throw Internal_Error("PK_Signer: Invalid signature format enum");
296	0	}
297
298		PK_Verifier::PK_Verifier(const Public_Key& key,
299		const std::string& emsa,
300		Signature_Format format,
301		const std::string& provider)
302	8.54k	{
303	8.54k	m_op = key.create_verification_op(emsa, provider);
304	8.54k	if(!m_op)
305	0	throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
306	8.54k	m_sig_format = format;
307	8.54k	m_parts = key.message_parts();
308	8.54k	m_part_size = key.message_part_size();
309	8.54k	check_der_format_supported(format, m_parts);
310	8.54k	}
311
312	8.54k	PK_Verifier::~PK_Verifier() = default;
313
314		void PK_Verifier::set_input_format(Signature_Format format)
315	0	{
316	0	check_der_format_supported(format, m_parts);
317	0	m_sig_format = format;
318	0	}
319
320		bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
321		const uint8_t sig[], size_t sig_length)
322	8.54k	{
323	8.54k	update(msg, msg_length);
324	8.54k	return check_signature(sig, sig_length);
325	8.54k	}
326
327		void PK_Verifier::update(const uint8_t in[], size_t length)
328	8.54k	{
329	8.54k	m_op->update(in, length);
330	8.54k	}
331
332		bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
333	8.54k	{
334	8.54k	try {
335	8.54k	if(m_sig_format == IEEE_1363)
336	7.87k	{
337	7.87k	return m_op->is_valid_signature(sig, length);
338	7.87k	}
339	671	else if(m_sig_format == DER_SEQUENCE)
340	671	{
341	671	std::vector<uint8_t> real_sig;
342	671	BER_Decoder decoder(sig, length);
343	671	BER_Decoder ber_sig = decoder.start_sequence();
344
345	671	BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);
346
347	671	size_t count = 0;
348
349	2.08k	while(ber_sig.more_items())
350	1.41k	{
351	1.41k	BigInt sig_part;
352	1.41k	ber_sig.decode(sig_part);
353	1.41k	real_sig += BigInt::encode_1363(sig_part, m_part_size);
354	1.41k	++count;
355	1.41k	}
356
357	671	if(count != m_parts)
358	13	throw Decoding_Error("PK_Verifier: signature size invalid");
359
360	658	const std::vector<uint8_t> reencoded =
361	658	der_encode_signature(real_sig, m_parts, m_part_size);
362
363	658	if(reencoded.size() != length \|\|
364	658	same_mem(reencoded.data(), sig, reencoded.size()) == false)
365	16	{
366	16	throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
367	16	}
368
369	642	return m_op->is_valid_signature(real_sig.data(), real_sig.size());
370	658	}
371	0	else
372	0	throw Internal_Error("PK_Verifier: Invalid signature format enum");
373	8.54k	}
374	8.54k	catch(Invalid_Argument&) { return false; }
375	8.54k	catch(Decoding_Error&) { return false; }
376	8.54k	catch(Encoding_Error&) { return false; }
377	8.54k	}
378
379		}