/src/botan/src/lib/pubkey/xmss/xmss_verification_operation.cpp

Source (jump to first uncovered line)
/*
 * XMSS Verification Operation
 * Provides signature verification capabilities for Extended Hash-Based
 * Signatures (XMSS).
 *
 * (C) 2016,2017 Matthias Gierlings
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 **/

#include <botan/internal/xmss_verification_operation.h>
#include <botan/internal/xmss_common_ops.h>
#include <botan/internal/xmss_tools.h>
#include <array>

namespace Botan {

XMSS_Verification_Operation::XMSS_Verification_Operation(
   const XMSS_PublicKey& public_key) :
   m_pub_key(public_key),
   m_hash(public_key.xmss_hash_function()),
   m_msg_buf(0)
   {
   }

secure_vector<uint8_t>
XMSS_Verification_Operation::root_from_signature(const XMSS_Signature& sig,
      const secure_vector<uint8_t>& msg,
      XMSS_Address& adrs,
      const secure_vector<uint8_t>& seed)
   {
   const auto params = m_pub_key.xmss_parameters();

   const uint32_t next_index = static_cast<uint32_t>(sig.unused_leaf_index());
   adrs.set_type(XMSS_Address::Type::OTS_Hash_Address);
   adrs.set_ots_address(next_index);

   XMSS_WOTS_PublicKey pub_key_ots(m_pub_key.wots_parameters().oid(),
                                   msg,
                                   sig.tree().ots_signature(),
                                   adrs,
                                   seed);

   adrs.set_type(XMSS_Address::Type::LTree_Address);
   adrs.set_ltree_address(next_index);

   std::array<secure_vector<uint8_t>, 2> node;
   XMSS_Common_Ops::create_l_tree(node[0], pub_key_ots, adrs, seed, m_hash, params);

   adrs.set_type(XMSS_Address::Type::Hash_Tree_Address);
   adrs.set_tree_index(next_index);

   for(size_t k = 0; k < params.tree_height(); k++)
      {
      adrs.set_tree_height(static_cast<uint32_t>(k));
      if(((next_index / (static_cast<size_t>(1) << k)) & 0x01) == 0)
         {
         adrs.set_tree_index(adrs.get_tree_index() >> 1);
         XMSS_Common_Ops::randomize_tree_hash(node[1],
                                              node[0],
                                              sig.tree().authentication_path()[k],
                                              adrs,
                                              seed,
                                              m_hash,
                                              params);
         }
      else
         {
         adrs.set_tree_index((adrs.get_tree_index() - 1) >> 1);
         XMSS_Common_Ops::randomize_tree_hash(node[1],
                                              sig.tree().authentication_path()[k],
                                              node[0],
                                              adrs,
                                              seed,
                                              m_hash,
                                              params);
         }
      node[0] = node[1];
      }
   return node[0];
   }

bool
XMSS_Verification_Operation::verify(const XMSS_Signature& sig,
                                    const secure_vector<uint8_t>& msg,
                                    const XMSS_PublicKey& public_key)
   {
   XMSS_Address adrs;
   secure_vector<uint8_t> index_bytes;
   XMSS_Tools::concat(index_bytes,
                      sig.unused_leaf_index(),
                      m_pub_key.xmss_parameters().element_size());
   secure_vector<uint8_t> msg_digest =
      m_hash.h_msg(sig.randomness(),
                   public_key.root(),
                   index_bytes,
                   msg);

   secure_vector<uint8_t> node = root_from_signature(sig,
                                 msg_digest,
                                 adrs,
                                 public_key.public_seed());

   return (node == public_key.root());
   }

// FIXME: XMSS signature verification requires the "randomness" parameter out
// of the XMSS signature, which is part of the prefix that is hashed before
// msg. Since the signature is unknown till sign() is called all message
// content has to be buffered. For large messages this can be inconvenient or
// impossible.
// Possible solution: Change PK_Ops::Verification interface to take the
// signature as constructor argument, make sign a parameterless member call.
void XMSS_Verification_Operation::update(const uint8_t msg[], size_t msg_len)
   {
   std::copy(msg, msg + msg_len, std::back_inserter(m_msg_buf));
   }

bool XMSS_Verification_Operation::is_valid_signature(const uint8_t sig[],
      size_t sig_len)
   {
   try
      {
      XMSS_Signature signature(m_pub_key.xmss_parameters().oid(),
                               secure_vector<uint8_t>(sig, sig + sig_len));
      bool result = verify(signature, m_msg_buf, m_pub_key);
      m_msg_buf.clear();
      return result;
      }
   catch(...)
      {
      m_msg_buf.clear();
      return false;
      }
   }

}


Line	Count	Source (jump to first uncovered line)
1		/*
2		* XMSS Verification Operation
3		* Provides signature verification capabilities for Extended Hash-Based
4		* Signatures (XMSS).
5		*
6		* (C) 2016,2017 Matthias Gierlings
7		*
8		* Botan is released under the Simplified BSD License (see license.txt)
9		**/
10
11		#include <botan/internal/xmss_verification_operation.h>
12		#include <botan/internal/xmss_common_ops.h>
13		#include <botan/internal/xmss_tools.h>
14		#include <array>
15
16		namespace Botan {
17
18		XMSS_Verification_Operation::XMSS_Verification_Operation(
19		const XMSS_PublicKey& public_key) :
20		m_pub_key(public_key),
21		m_hash(public_key.xmss_hash_function()),
22		m_msg_buf(0)
23	0	{
24	0	} Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&) Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&)
25
26		secure_vector<uint8_t>
27		XMSS_Verification_Operation::root_from_signature(const XMSS_Signature& sig,
28		const secure_vector<uint8_t>& msg,
29		XMSS_Address& adrs,
30		const secure_vector<uint8_t>& seed)
31	0	{
32	0	const auto params = m_pub_key.xmss_parameters();
33
34	0	const uint32_t next_index = static_cast<uint32_t>(sig.unused_leaf_index());
35	0	adrs.set_type(XMSS_Address::Type::OTS_Hash_Address);
36	0	adrs.set_ots_address(next_index);
37
38	0	XMSS_WOTS_PublicKey pub_key_ots(m_pub_key.wots_parameters().oid(),
39	0	msg,
40	0	sig.tree().ots_signature(),
41	0	adrs,
42	0	seed);
43
44	0	adrs.set_type(XMSS_Address::Type::LTree_Address);
45	0	adrs.set_ltree_address(next_index);
46
47	0	std::array<secure_vector<uint8_t>, 2> node;
48	0	XMSS_Common_Ops::create_l_tree(node[0], pub_key_ots, adrs, seed, m_hash, params);
49
50	0	adrs.set_type(XMSS_Address::Type::Hash_Tree_Address);
51	0	adrs.set_tree_index(next_index);
52
53	0	for(size_t k = 0; k < params.tree_height(); k++)
54	0	{
55	0	adrs.set_tree_height(static_cast<uint32_t>(k));
56	0	if(((next_index / (static_cast<size_t>(1) << k)) & 0x01) == 0)
57	0	{
58	0	adrs.set_tree_index(adrs.get_tree_index() >> 1);
59	0	XMSS_Common_Ops::randomize_tree_hash(node[1],
60	0	node[0],
61	0	sig.tree().authentication_path()[k],
62	0	adrs,
63	0	seed,
64	0	m_hash,
65	0	params);
66	0	}
67	0	else
68	0	{
69	0	adrs.set_tree_index((adrs.get_tree_index() - 1) >> 1);
70	0	XMSS_Common_Ops::randomize_tree_hash(node[1],
71	0	sig.tree().authentication_path()[k],
72	0	node[0],
73	0	adrs,
74	0	seed,
75	0	m_hash,
76	0	params);
77	0	}
78	0	node[0] = node[1];
79	0	}
80	0	return node[0];
81	0	}
82
83		bool
84		XMSS_Verification_Operation::verify(const XMSS_Signature& sig,
85		const secure_vector<uint8_t>& msg,
86		const XMSS_PublicKey& public_key)
87	0	{
88	0	XMSS_Address adrs;
89	0	secure_vector<uint8_t> index_bytes;
90	0	XMSS_Tools::concat(index_bytes,
91	0	sig.unused_leaf_index(),
92	0	m_pub_key.xmss_parameters().element_size());
93	0	secure_vector<uint8_t> msg_digest =
94	0	m_hash.h_msg(sig.randomness(),
95	0	public_key.root(),
96	0	index_bytes,
97	0	msg);
98
99	0	secure_vector<uint8_t> node = root_from_signature(sig,
100	0	msg_digest,
101	0	adrs,
102	0	public_key.public_seed());
103
104	0	return (node == public_key.root());
105	0	}
106
107		// FIXME: XMSS signature verification requires the "randomness" parameter out
108		// of the XMSS signature, which is part of the prefix that is hashed before
109		// msg. Since the signature is unknown till sign() is called all message
110		// content has to be buffered. For large messages this can be inconvenient or
111		// impossible.
112		// Possible solution: Change PK_Ops::Verification interface to take the
113		// signature as constructor argument, make sign a parameterless member call.
114		void XMSS_Verification_Operation::update(const uint8_t msg[], size_t msg_len)
115	0	{
116	0	std::copy(msg, msg + msg_len, std::back_inserter(m_msg_buf));
117	0	}
118
119		bool XMSS_Verification_Operation::is_valid_signature(const uint8_t sig[],
120		size_t sig_len)
121	0	{
122	0	try
123	0	{
124	0	XMSS_Signature signature(m_pub_key.xmss_parameters().oid(),
125	0	secure_vector<uint8_t>(sig, sig + sig_len));
126	0	bool result = verify(signature, m_msg_buf, m_pub_key);
127	0	m_msg_buf.clear();
128	0	return result;
129	0	}
130	0	catch(...)
131	0	{
132	0	m_msg_buf.clear();
133	0	return false;
134	0	}
135	0	}
136
137		}
138

Coverage Report

Created: 2022-09-23 06:05