Coverage Report

Created: 2024-03-10 06:18

/src/botan/src/lib/pubkey/ed25519/ed25519_key.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* Ed25519
3
* (C) 2017 Ribose Inc
4
*
5
* Based on the public domain code from SUPERCOP ref10 by
6
* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
7
*
8
* Botan is released under the Simplified BSD License (see license.txt)
9
*/
10
11
#include <botan/ed25519.h>
12
13
#include <botan/ber_dec.h>
14
#include <botan/der_enc.h>
15
#include <botan/hash.h>
16
#include <botan/rng.h>
17
#include <botan/internal/ct_utils.h>
18
#include <botan/internal/ed25519_internal.h>
19
#include <botan/internal/pk_ops_impl.h>
20
21
namespace Botan {
22
23
0
AlgorithmIdentifier Ed25519_PublicKey::algorithm_identifier() const {
24
0
   return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_EMPTY_PARAM);
25
0
}
26
27
0
bool Ed25519_PublicKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
28
0
   if(m_public.size() != 32) {
29
0
      return false;
30
0
   }
31
32
   /*
33
   This function was derived from public domain code in Tor's blinding.c
34
   */
35
36
0
   const uint8_t identity_element[32] = {1};
37
0
   if(CT::is_equal(m_public.data(), identity_element, 32).as_bool()) {
38
0
      return false;
39
0
   }
40
41
   // The order of the Ed25519 group encoded
42
0
   const uint8_t modm_m[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
43
0
                               0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
44
0
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
45
46
0
   const unsigned char zero[32] = {0};
47
48
0
   unsigned char pkcopy[32];
49
50
0
   copy_mem(pkcopy, m_public.data(), 32);
51
0
   pkcopy[31] ^= (1 << 7);  // flip sign
52
0
   ge_p3 point;
53
0
   if(ge_frombytes_negate_vartime(&point, pkcopy) != 0) {
54
0
      return false;
55
0
   }
56
57
0
   uint8_t result[32];
58
0
   ge_double_scalarmult_vartime(result, modm_m, &point, zero);
59
60
0
   if(!CT::is_equal(result, identity_element, 32).as_bool()) {
61
0
      return false;
62
0
   }
63
64
0
   return true;
65
0
}
66
67
0
Ed25519_PublicKey::Ed25519_PublicKey(const uint8_t pub_key[], size_t pub_len) {
68
0
   if(pub_len != 32) {
69
0
      throw Decoding_Error("Invalid length for Ed25519 key");
70
0
   }
71
0
   m_public.assign(pub_key, pub_key + pub_len);
72
0
}
Unexecuted instantiation: Botan::Ed25519_PublicKey::Ed25519_PublicKey(unsigned char const*, unsigned long)
Unexecuted instantiation: Botan::Ed25519_PublicKey::Ed25519_PublicKey(unsigned char const*, unsigned long)
73
74
4
Ed25519_PublicKey::Ed25519_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
75
4
   m_public.assign(key_bits.begin(), key_bits.end());
76
77
4
   if(m_public.size() != 32) {
78
4
      throw Decoding_Error("Invalid size for Ed25519 public key");
79
4
   }
80
4
}
Unexecuted instantiation: Botan::Ed25519_PublicKey::Ed25519_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Botan::Ed25519_PublicKey::Ed25519_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Line
Count
Source
74
4
Ed25519_PublicKey::Ed25519_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
75
4
   m_public.assign(key_bits.begin(), key_bits.end());
76
77
4
   if(m_public.size() != 32) {
78
4
      throw Decoding_Error("Invalid size for Ed25519 public key");
79
4
   }
80
4
}
81
82
0
std::vector<uint8_t> Ed25519_PublicKey::public_key_bits() const {
83
0
   return m_public;
84
0
}
85
86
0
std::unique_ptr<Private_Key> Ed25519_PublicKey::generate_another(RandomNumberGenerator& rng) const {
87
0
   return std::make_unique<Ed25519_PrivateKey>(rng);
88
0
}
89
90
0
Ed25519_PrivateKey::Ed25519_PrivateKey(const secure_vector<uint8_t>& secret_key) {
91
0
   if(secret_key.size() == 64) {
92
0
      m_private = secret_key;
93
0
      m_public.assign(m_private.begin() + 32, m_private.end());
94
0
   } else if(secret_key.size() == 32) {
95
0
      m_public.resize(32);
96
0
      m_private.resize(64);
97
0
      ed25519_gen_keypair(m_public.data(), m_private.data(), secret_key.data());
98
0
   } else {
99
0
      throw Decoding_Error("Invalid size for Ed25519 private key");
100
0
   }
101
0
}
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
102
103
0
Ed25519_PrivateKey::Ed25519_PrivateKey(RandomNumberGenerator& rng) {
104
0
   const secure_vector<uint8_t> seed = rng.random_vec(32);
105
0
   m_public.resize(32);
106
0
   m_private.resize(64);
107
0
   ed25519_gen_keypair(m_public.data(), m_private.data(), seed.data());
108
0
}
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::RandomNumberGenerator&)
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::RandomNumberGenerator&)
109
110
51
Ed25519_PrivateKey::Ed25519_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
111
51
   secure_vector<uint8_t> bits;
112
51
   BER_Decoder(key_bits).decode(bits, ASN1_Type::OctetString).discard_remaining();
113
114
51
   if(bits.size() != 32) {
115
41
      throw Decoding_Error("Invalid size for Ed25519 private key");
116
41
   }
117
10
   m_public.resize(32);
118
10
   m_private.resize(64);
119
10
   ed25519_gen_keypair(m_public.data(), m_private.data(), bits.data());
120
10
}
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Line
Count
Source
110
51
Ed25519_PrivateKey::Ed25519_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
111
51
   secure_vector<uint8_t> bits;
112
51
   BER_Decoder(key_bits).decode(bits, ASN1_Type::OctetString).discard_remaining();
113
114
51
   if(bits.size() != 32) {
115
41
      throw Decoding_Error("Invalid size for Ed25519 private key");
116
41
   }
117
10
   m_public.resize(32);
118
10
   m_private.resize(64);
119
10
   ed25519_gen_keypair(m_public.data(), m_private.data(), bits.data());
120
10
}
121
122
0
std::unique_ptr<Public_Key> Ed25519_PrivateKey::public_key() const {
123
0
   return std::make_unique<Ed25519_PublicKey>(get_public_key());
124
0
}
125
126
0
secure_vector<uint8_t> Ed25519_PrivateKey::private_key_bits() const {
127
0
   secure_vector<uint8_t> bits(&m_private[0], &m_private[32]);
128
0
   return DER_Encoder().encode(bits, ASN1_Type::OctetString).get_contents();
129
0
}
130
131
0
bool Ed25519_PrivateKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
132
0
   return true;  // ???
133
0
}
134
135
namespace {
136
137
/**
138
* Ed25519 verifying operation
139
*/
140
class Ed25519_Pure_Verify_Operation final : public PK_Ops::Verification {
141
   public:
142
0
      explicit Ed25519_Pure_Verify_Operation(const Ed25519_PublicKey& key) : m_key(key.get_public_key()) {}
143
144
0
      void update(const uint8_t msg[], size_t msg_len) override { m_msg.insert(m_msg.end(), msg, msg + msg_len); }
145
146
0
      bool is_valid_signature(const uint8_t sig[], size_t sig_len) override {
147
0
         if(sig_len != 64) {
148
0
            return false;
149
0
         }
150
151
0
         BOTAN_ASSERT_EQUAL(m_key.size(), 32, "Expected size");
152
0
         const bool ok = ed25519_verify(m_msg.data(), m_msg.size(), sig, m_key.data(), nullptr, 0);
153
0
         m_msg.clear();
154
0
         return ok;
155
0
      }
156
157
0
      std::string hash_function() const override { return "SHA-512"; }
158
159
   private:
160
      std::vector<uint8_t> m_msg;
161
      std::vector<uint8_t> m_key;
162
};
163
164
/**
165
* Ed25519 verifying operation with pre-hash
166
*/
167
class Ed25519_Hashed_Verify_Operation final : public PK_Ops::Verification {
168
   public:
169
      Ed25519_Hashed_Verify_Operation(const Ed25519_PublicKey& key, std::string_view hash, bool rfc8032) :
170
0
            m_key(key.get_public_key()) {
171
0
         m_hash = HashFunction::create_or_throw(hash);
172
173
0
         if(rfc8032) {
174
0
            m_domain_sep = {0x53, 0x69, 0x67, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x6E,
175
0
                            0x6F, 0x20, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x63, 0x6F,
176
0
                            0x6C, 0x6C, 0x69, 0x73, 0x69, 0x6F, 0x6E, 0x73, 0x01, 0x00};
177
0
         }
178
0
      }
179
180
0
      void update(const uint8_t msg[], size_t msg_len) override { m_hash->update(msg, msg_len); }
181
182
0
      bool is_valid_signature(const uint8_t sig[], size_t sig_len) override {
183
0
         if(sig_len != 64) {
184
0
            return false;
185
0
         }
186
0
         std::vector<uint8_t> msg_hash(m_hash->output_length());
187
0
         m_hash->final(msg_hash.data());
188
189
0
         BOTAN_ASSERT_EQUAL(m_key.size(), 32, "Expected size");
190
0
         return ed25519_verify(
191
0
            msg_hash.data(), msg_hash.size(), sig, m_key.data(), m_domain_sep.data(), m_domain_sep.size());
192
0
      }
193
194
0
      std::string hash_function() const override { return m_hash->name(); }
195
196
   private:
197
      std::unique_ptr<HashFunction> m_hash;
198
      std::vector<uint8_t> m_key;
199
      std::vector<uint8_t> m_domain_sep;
200
};
201
202
/**
203
* Ed25519 signing operation ('pure' - signs message directly)
204
*/
205
class Ed25519_Pure_Sign_Operation final : public PK_Ops::Signature {
206
   public:
207
0
      explicit Ed25519_Pure_Sign_Operation(const Ed25519_PrivateKey& key) : m_key(key.raw_private_key_bits()) {}
208
209
0
      void update(const uint8_t msg[], size_t msg_len) override { m_msg.insert(m_msg.end(), msg, msg + msg_len); }
210
211
0
      secure_vector<uint8_t> sign(RandomNumberGenerator& /*rng*/) override {
212
0
         secure_vector<uint8_t> sig(64);
213
0
         ed25519_sign(sig.data(), m_msg.data(), m_msg.size(), m_key.data(), nullptr, 0);
214
0
         m_msg.clear();
215
0
         return sig;
216
0
      }
217
218
0
      size_t signature_length() const override { return 64; }
219
220
      AlgorithmIdentifier algorithm_identifier() const override;
221
222
0
      std::string hash_function() const override { return "SHA-512"; }
223
224
   private:
225
      std::vector<uint8_t> m_msg;
226
      secure_vector<uint8_t> m_key;
227
};
228
229
0
AlgorithmIdentifier Ed25519_Pure_Sign_Operation::algorithm_identifier() const {
230
0
   return AlgorithmIdentifier(OID::from_string("Ed25519"), AlgorithmIdentifier::USE_EMPTY_PARAM);
231
0
}
232
233
/**
234
* Ed25519 signing operation with pre-hash
235
*/
236
class Ed25519_Hashed_Sign_Operation final : public PK_Ops::Signature {
237
   public:
238
      Ed25519_Hashed_Sign_Operation(const Ed25519_PrivateKey& key, std::string_view hash, bool rfc8032) :
239
0
            m_key(key.raw_private_key_bits()) {
240
0
         m_hash = HashFunction::create_or_throw(hash);
241
242
0
         if(rfc8032) {
243
0
            m_domain_sep = std::vector<uint8_t>{0x53, 0x69, 0x67, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x6E,
244
0
                                                0x6F, 0x20, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x63, 0x6F,
245
0
                                                0x6C, 0x6C, 0x69, 0x73, 0x69, 0x6F, 0x6E, 0x73, 0x01, 0x00};
246
0
         }
247
0
      }
248
249
0
      size_t signature_length() const override { return 64; }
250
251
0
      void update(const uint8_t msg[], size_t msg_len) override { m_hash->update(msg, msg_len); }
252
253
0
      secure_vector<uint8_t> sign(RandomNumberGenerator& /*rng*/) override {
254
0
         secure_vector<uint8_t> sig(64);
255
0
         std::vector<uint8_t> msg_hash(m_hash->output_length());
256
0
         m_hash->final(msg_hash.data());
257
0
         ed25519_sign(
258
0
            sig.data(), msg_hash.data(), msg_hash.size(), m_key.data(), m_domain_sep.data(), m_domain_sep.size());
259
0
         return sig;
260
0
      }
261
262
0
      std::string hash_function() const override { return m_hash->name(); }
263
264
   private:
265
      std::unique_ptr<HashFunction> m_hash;
266
      secure_vector<uint8_t> m_key;
267
      std::vector<uint8_t> m_domain_sep;
268
};
269
270
}  // namespace
271
272
std::unique_ptr<PK_Ops::Verification> Ed25519_PublicKey::create_verification_op(std::string_view params,
273
0
                                                                                std::string_view provider) const {
274
0
   if(provider == "base" || provider.empty()) {
275
0
      if(params.empty() || params == "Identity" || params == "Pure") {
276
0
         return std::make_unique<Ed25519_Pure_Verify_Operation>(*this);
277
0
      } else if(params == "Ed25519ph") {
278
0
         return std::make_unique<Ed25519_Hashed_Verify_Operation>(*this, "SHA-512", true);
279
0
      } else {
280
0
         return std::make_unique<Ed25519_Hashed_Verify_Operation>(*this, params, false);
281
0
      }
282
0
   }
283
0
   throw Provider_Not_Found(algo_name(), provider);
284
0
}
285
286
std::unique_ptr<PK_Ops::Verification> Ed25519_PublicKey::create_x509_verification_op(const AlgorithmIdentifier& alg_id,
287
0
                                                                                     std::string_view provider) const {
288
0
   if(provider == "base" || provider.empty()) {
289
0
      if(alg_id != this->algorithm_identifier()) {
290
0
         throw Decoding_Error("Unexpected AlgorithmIdentifier for Ed25519 X509 signature");
291
0
      }
292
293
0
      return std::make_unique<Ed25519_Pure_Verify_Operation>(*this);
294
0
   }
295
0
   throw Provider_Not_Found(algo_name(), provider);
296
0
}
297
298
std::unique_ptr<PK_Ops::Signature> Ed25519_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
299
                                                                           std::string_view params,
300
0
                                                                           std::string_view provider) const {
301
0
   if(provider == "base" || provider.empty()) {
302
0
      if(params.empty() || params == "Identity" || params == "Pure") {
303
0
         return std::make_unique<Ed25519_Pure_Sign_Operation>(*this);
304
0
      } else if(params == "Ed25519ph") {
305
0
         return std::make_unique<Ed25519_Hashed_Sign_Operation>(*this, "SHA-512", true);
306
0
      } else {
307
0
         return std::make_unique<Ed25519_Hashed_Sign_Operation>(*this, params, false);
308
0
      }
309
0
   }
310
0
   throw Provider_Not_Found(algo_name(), provider);
311
0
}
312
313
}  // namespace Botan