/*

* GOST 34.10-2012

* (C) 2007 Falko Strenzke, FlexSecure GmbH

*          Manuel Hartl, FlexSecure GmbH

* (C) 2008-2010,2015,2018 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/

#include <botan/gost_3410.h>

#include <botan/internal/pk_ops_impl.h>

#include <botan/internal/point_mul.h>

#include <botan/reducer.h>

#include <botan/der_enc.h>

#include <botan/ber_dec.h>

namespace Botan {

std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const

   {

   const BigInt x = public_point().get_affine_x();

   const BigInt y = public_point().get_affine_y();

   size_t part_size = std::max(x.bytes(), y.bytes());

   std::vector<uint8_t> bits(2*part_size);

   x.binary_encode(&bits[part_size - x.bytes()]);

   y.binary_encode(&bits[2*part_size - y.bytes()]);

   // Keys are stored in little endian format (WTF)

   for(size_t i = 0; i != part_size / 2; ++i)

      {

      std::swap(bits[i], bits[part_size-1-i]);

      std::swap(bits[part_size+i], bits[2*part_size-1-i]);

      }

   std::vector<uint8_t> output;

   DER_Encoder(output).encode(bits, ASN1_Type::OctetString);

   return output;

   }

std::string GOST_3410_PublicKey::algo_name() const

   {

   const size_t p_bits = domain().get_p_bits();

   if(p_bits == 256 || p_bits == 512)

      return "GOST-34.10-2012-" + std::to_string(p_bits);

   else

      throw Encoding_Error("GOST-34.10-2012 is not defined for parameters of this size");

   }

AlgorithmIdentifier GOST_3410_PublicKey::algorithm_identifier() const

   {

   std::vector<uint8_t> params;

   const OID gost_oid = get_oid();

   const OID domain_oid = domain().get_curve_oid();

   DER_Encoder(params).start_sequence().encode(domain_oid).end_cons();

   return AlgorithmIdentifier(gost_oid, params);

   }

GOST_3410_PublicKey::GOST_3410_PublicKey(const AlgorithmIdentifier& alg_id,

                                         const std::vector<uint8_t>& key_bits)

   {

   OID ecc_param_id;

   // The parameters also includes hash and cipher OIDs

   BER_Decoder(alg_id.get_parameters()).start_sequence().decode(ecc_param_id);

   m_domain_params = EC_Group(ecc_param_id);

   const size_t p_bits = m_domain_params.get_p_bits();

   if(p_bits != 256 && p_bits != 512)

      throw Decoding_Error("GOST-34.10-2012 is not defined for parameters of size " +

                           std::to_string(p_bits));

   secure_vector<uint8_t> bits;

   BER_Decoder(key_bits).decode(bits, ASN1_Type::OctetString);

   if(bits.size() != 2*(p_bits/8))

      throw Decoding_Error("GOST-34.10-2020 invalid encoding of public key");

   const size_t part_size = bits.size() / 2;

   // Keys are stored in little endian format (WTF)

   for(size_t i = 0; i != part_size / 2; ++i)

      {

      std::swap(bits[i], bits[part_size-1-i]);

      std::swap(bits[part_size+i], bits[2*part_size-1-i]);

      }

   BigInt x(bits.data(), part_size);

   BigInt y(&bits[part_size], part_size);

   m_public_key = domain().point(x, y);

   BOTAN_ASSERT(m_public_key.on_the_curve(),

                "Loaded GOST 34.10 public key is on the curve");

   }

Unexecuted instantiation: Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&)

Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&)

Line

Count

Source

67

90

   {

68

90

   OID ecc_param_id;

69

70

   // The parameters also includes hash and cipher OIDs

71

90

   BER_Decoder(alg_id.get_parameters()).start_sequence().decode(ecc_param_id);

72

73

90

   m_domain_params = EC_Group(ecc_param_id);

74

75

90

   const size_t p_bits = m_domain_params.get_p_bits();

76

90

   if(p_bits != 256 && p_bits != 512)

77

3

      throw Decoding_Error("GOST-34.10-2012 is not defined for parameters of size " +

78

3

                           std::to_string(p_bits));

79

80

87

   secure_vector<uint8_t> bits;

81

87

   BER_Decoder(key_bits).decode(bits, ASN1_Type::OctetString);

82

83

87

   if(bits.size() != 2*(p_bits/8))

84

3

      throw Decoding_Error("GOST-34.10-2020 invalid encoding of public key");

85

86

84

   const size_t part_size = bits.size() / 2;

87

88

   // Keys are stored in little endian format (WTF)

89

1.33k

   for(size_t i = 0; i != part_size / 2; ++i)

90

1.24k

      {

91

1.24k

      std::swap(bits[i], bits[part_size-1-i]);

92

1.24k

      std::swap(bits[part_size+i], bits[2*part_size-1-i]);

93

1.24k

      }

94

95

84

   BigInt x(bits.data(), part_size);

96

84

   BigInt y(&bits[part_size], part_size);

97

98

84

   m_public_key = domain().point(x, y);

99

100

84

   BOTAN_ASSERT(m_public_key.on_the_curve(),

101

84

                "Loaded GOST 34.10 public key is on the curve");

102

84

   }

GOST_3410_PrivateKey::GOST_3410_PrivateKey(RandomNumberGenerator& rng,

                                           const EC_Group& domain,

                                           const BigInt& x) :

   EC_PrivateKey(rng, domain, x)

   {

   const size_t p_bits = m_domain_params.get_p_bits();

   if(p_bits != 256 && p_bits != 512)

      throw Decoding_Error("GOST-34.10-2012 is not defined for parameters of size " +

                           std::to_string(p_bits));

   }

Unexecuted instantiation: Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&)

Unexecuted instantiation: Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&)

std::unique_ptr<Public_Key> GOST_3410_PrivateKey::public_key() const

   {

   return std::make_unique<GOST_3410_PublicKey>(domain(), public_point());

   }

namespace {

BigInt decode_le(const uint8_t msg[], size_t msg_len)

   {

   secure_vector<uint8_t> msg_le(msg, msg + msg_len);

   for(size_t i = 0; i != msg_le.size() / 2; ++i)

      std::swap(msg_le[i], msg_le[msg_le.size()-1-i]);

   return BigInt(msg_le.data(), msg_le.size());

   }

/**

* GOST-34.10 signature operation

*/

class GOST_3410_Signature_Operation final : public PK_Ops::Signature_with_EMSA

   {

   public:

      GOST_3410_Signature_Operation(const GOST_3410_PrivateKey& gost_3410,

                                    const std::string& emsa) :

         PK_Ops::Signature_with_EMSA(emsa),

         m_group(gost_3410.domain()),

         m_x(gost_3410.private_value())

         {}

      size_t signature_length() const override { return 2*m_group.get_order_bytes(); }

      size_t max_input_bits() const override { return m_group.get_order_bits(); }

      secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,

                                      RandomNumberGenerator& rng) override;

   private:

      const EC_Group m_group;

      const BigInt& m_x;

      std::vector<BigInt> m_ws;

   };

secure_vector<uint8_t>

GOST_3410_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,

                                        RandomNumberGenerator& rng)

   {

   const BigInt k = m_group.random_scalar(rng);

   BigInt e = decode_le(msg, msg_len);

   e = m_group.mod_order(e);

   if(e.is_zero())

      e = BigInt::one();

   const BigInt r = m_group.mod_order(

      m_group.blinded_base_point_multiply_x(k, rng, m_ws));

   const BigInt s = m_group.mod_order(

      m_group.multiply_mod_order(r, m_x) +

      m_group.multiply_mod_order(k, e));

   if(r == 0 || s == 0)

      throw Internal_Error("GOST 34.10 signature generation failed, r/s equal to zero");

   return BigInt::encode_fixed_length_int_pair(s, r, m_group.get_order_bytes());

   }

/**

* GOST-34.10 verification operation

*/

class GOST_3410_Verification_Operation final : public PK_Ops::Verification_with_EMSA

   {

   public:

      GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost,

                                       const std::string& emsa) :

         PK_Ops::Verification_with_EMSA(emsa),

         m_group(gost.domain()),

         m_gy_mul(m_group.get_base_point(), gost.public_point())

         {}

      size_t max_input_bits() const override { return m_group.get_order_bits(); }

      bool with_recovery() const override { return false; }

      bool verify(const uint8_t msg[], size_t msg_len,

                  const uint8_t sig[], size_t sig_len) override;

   private:

      const EC_Group m_group;

      const PointGFp_Multi_Point_Precompute m_gy_mul;

   };

bool GOST_3410_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,

                                              const uint8_t sig[], size_t sig_len)

   {

   if(sig_len != m_group.get_order_bytes() * 2)

      return false;

   const BigInt s(sig, sig_len / 2);

   const BigInt r(sig + sig_len / 2, sig_len / 2);

   const BigInt& order = m_group.get_order();

   if(r <= 0 || r >= order || s <= 0 || s >= order)

      return false;

   BigInt e = decode_le(msg, msg_len);

   e = m_group.mod_order(e);

   if(e.is_zero())

      e = BigInt::one();

   const BigInt v = m_group.inverse_mod_order(e);

   const BigInt z1 = m_group.multiply_mod_order(s, v);

   const BigInt z2 = m_group.multiply_mod_order(-r, v);

   const PointGFp R = m_gy_mul.multi_exp(z1, z2);

   if(R.is_zero())

     return false;

   return (R.get_affine_x() == r);

   }

}

std::unique_ptr<PK_Ops::Verification>

GOST_3410_PublicKey::create_verification_op(const std::string& params,

                                            const std::string& provider) const

   {

   if(provider == "base" || provider.empty())

      return std::make_unique<GOST_3410_Verification_Operation>(*this, params);

   throw Provider_Not_Found(algo_name(), provider);

   }

std::unique_ptr<PK_Ops::Signature>

GOST_3410_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,

                                          const std::string& params,

                                          const std::string& provider) const

   {

   if(provider == "base" || provider.empty())

      return std::make_unique<GOST_3410_Signature_Operation>(*this, params);

   throw Provider_Not_Found(algo_name(), provider);

   }

}