/src/botan/src/lib/pubkey/xmss/xmss_verification_operation.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * XMSS Verification Operation |
3 | | * Provides signature verification capabilities for Extended Hash-Based |
4 | | * Signatures (XMSS). |
5 | | * |
6 | | * (C) 2016,2017 Matthias Gierlings |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | **/ |
10 | | |
11 | | #include <botan/internal/xmss_verification_operation.h> |
12 | | #include <botan/internal/xmss_common_ops.h> |
13 | | #include <botan/internal/xmss_tools.h> |
14 | | #include <array> |
15 | | |
16 | | namespace Botan { |
17 | | |
18 | | XMSS_Verification_Operation::XMSS_Verification_Operation( |
19 | | const XMSS_PublicKey& public_key) : |
20 | | m_pub_key(public_key), |
21 | | m_hash(public_key.xmss_hash_function()), |
22 | | m_msg_buf(0) |
23 | 0 | { |
24 | 0 | } Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&) Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&) |
25 | | |
26 | | secure_vector<uint8_t> |
27 | | XMSS_Verification_Operation::root_from_signature(const XMSS_Signature& sig, |
28 | | const secure_vector<uint8_t>& msg, |
29 | | XMSS_Address& adrs, |
30 | | const secure_vector<uint8_t>& seed) |
31 | 0 | { |
32 | 0 | const auto params = m_pub_key.xmss_parameters(); |
33 | |
|
34 | 0 | const uint32_t next_index = static_cast<uint32_t>(sig.unused_leaf_index()); |
35 | 0 | adrs.set_type(XMSS_Address::Type::OTS_Hash_Address); |
36 | 0 | adrs.set_ots_address(next_index); |
37 | |
|
38 | 0 | XMSS_WOTS_PublicKey pub_key_ots(m_pub_key.wots_parameters().oid(), |
39 | 0 | msg, |
40 | 0 | sig.tree().ots_signature(), |
41 | 0 | adrs, |
42 | 0 | seed); |
43 | |
|
44 | 0 | adrs.set_type(XMSS_Address::Type::LTree_Address); |
45 | 0 | adrs.set_ltree_address(next_index); |
46 | |
|
47 | 0 | std::array<secure_vector<uint8_t>, 2> node; |
48 | 0 | XMSS_Common_Ops::create_l_tree(node[0], pub_key_ots, adrs, seed, m_hash, params); |
49 | |
|
50 | 0 | adrs.set_type(XMSS_Address::Type::Hash_Tree_Address); |
51 | 0 | adrs.set_tree_index(next_index); |
52 | |
|
53 | 0 | for(size_t k = 0; k < params.tree_height(); k++) |
54 | 0 | { |
55 | 0 | adrs.set_tree_height(static_cast<uint32_t>(k)); |
56 | 0 | if(((next_index / (static_cast<size_t>(1) << k)) & 0x01) == 0) |
57 | 0 | { |
58 | 0 | adrs.set_tree_index(adrs.get_tree_index() >> 1); |
59 | 0 | XMSS_Common_Ops::randomize_tree_hash(node[1], |
60 | 0 | node[0], |
61 | 0 | sig.tree().authentication_path()[k], |
62 | 0 | adrs, |
63 | 0 | seed, |
64 | 0 | m_hash, |
65 | 0 | params); |
66 | 0 | } |
67 | 0 | else |
68 | 0 | { |
69 | 0 | adrs.set_tree_index((adrs.get_tree_index() - 1) >> 1); |
70 | 0 | XMSS_Common_Ops::randomize_tree_hash(node[1], |
71 | 0 | sig.tree().authentication_path()[k], |
72 | 0 | node[0], |
73 | 0 | adrs, |
74 | 0 | seed, |
75 | 0 | m_hash, |
76 | 0 | params); |
77 | 0 | } |
78 | 0 | node[0] = node[1]; |
79 | 0 | } |
80 | 0 | return node[0]; |
81 | 0 | } |
82 | | |
83 | | bool |
84 | | XMSS_Verification_Operation::verify(const XMSS_Signature& sig, |
85 | | const secure_vector<uint8_t>& msg, |
86 | | const XMSS_PublicKey& public_key) |
87 | 0 | { |
88 | 0 | XMSS_Address adrs; |
89 | 0 | secure_vector<uint8_t> index_bytes; |
90 | 0 | XMSS_Tools::concat(index_bytes, |
91 | 0 | sig.unused_leaf_index(), |
92 | 0 | m_pub_key.xmss_parameters().element_size()); |
93 | 0 | secure_vector<uint8_t> msg_digest = |
94 | 0 | m_hash.h_msg(sig.randomness(), |
95 | 0 | public_key.root(), |
96 | 0 | index_bytes, |
97 | 0 | msg); |
98 | |
|
99 | 0 | secure_vector<uint8_t> node = root_from_signature(sig, |
100 | 0 | msg_digest, |
101 | 0 | adrs, |
102 | 0 | public_key.public_seed()); |
103 | |
|
104 | 0 | return (node == public_key.root()); |
105 | 0 | } |
106 | | |
107 | | // FIXME: XMSS signature verification requires the "randomness" parameter out |
108 | | // of the XMSS signature, which is part of the prefix that is hashed before |
109 | | // msg. Since the signature is unknown till sign() is called all message |
110 | | // content has to be buffered. For large messages this can be inconvenient or |
111 | | // impossible. |
112 | | // Possible solution: Change PK_Ops::Verification interface to take the |
113 | | // signature as constructor argument, make sign a parameterless member call. |
114 | | void XMSS_Verification_Operation::update(const uint8_t msg[], size_t msg_len) |
115 | 0 | { |
116 | 0 | std::copy(msg, msg + msg_len, std::back_inserter(m_msg_buf)); |
117 | 0 | } |
118 | | |
119 | | bool XMSS_Verification_Operation::is_valid_signature(const uint8_t sig[], |
120 | | size_t sig_len) |
121 | 0 | { |
122 | 0 | try |
123 | 0 | { |
124 | 0 | XMSS_Signature signature(m_pub_key.xmss_parameters().oid(), |
125 | 0 | secure_vector<uint8_t>(sig, sig + sig_len)); |
126 | 0 | bool result = verify(signature, m_msg_buf, m_pub_key); |
127 | 0 | m_msg_buf.clear(); |
128 | 0 | return result; |
129 | 0 | } |
130 | 0 | catch(...) |
131 | 0 | { |
132 | 0 | m_msg_buf.clear(); |
133 | 0 | return false; |
134 | 0 | } |
135 | 0 | } |
136 | | |
137 | | } |
138 | | |