/src/botan/src/lib/pubkey/dsa/dsa.cpp
/*
2
* DSA
3
* (C) 1999-2010,2014,2016,2023 Jack Lloyd
4
* (C) 2016 René Korthaus
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/dsa.h>
10
11
#include <botan/numthry.h>
12
#include <botan/internal/divide.h>
13
#include <botan/internal/dl_scheme.h>
14
#include <botan/internal/keypair.h>
15
#include <botan/internal/pk_ops_impl.h>
16
17
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
18
   #include <botan/internal/rfc6979.h>
19
#endif
20
21
namespace Botan {
/**
* Returns q_bytes() of this key's group, i.e. the byte length of the
* group parameter q.
*/
size_t DSA_PublicKey::message_part_size() const {
   const auto& group = m_public_key->group();
   return group.q_bytes();
}
/**
* Strength estimate for this key. The value is computed by the underlying
* DL_PublicKey and passed through unchanged.
*/
size_t DSA_PublicKey::estimated_strength() const {
   const auto strength = m_public_key->estimated_strength();
   return strength;
}
/**
* Key length as reported by p_bits() of the underlying key (the bit length
* of the prime p, not of the subgroup order q).
*/
size_t DSA_PublicKey::key_length() const {
   const auto p_bit_length = m_public_key->p_bits();
   return p_bit_length;
}
/**
* Look up a named integer field of the public key.
*
* The lookup is delegated to the underlying DL_PublicKey, which also
* receives this algorithm's name. Which field names are accepted is
* decided there, not here.
*/
const BigInt& DSA_PublicKey::get_int_field(std::string_view field) const {
   const auto algo = algo_name();
   return m_public_key->get_int_field(algo, field);
}
/**
* Build the AlgorithmIdentifier for this key: the key's object identifier
* plus the group parameters, DER encoded in ANSI X9.57 format.
*/
AlgorithmIdentifier DSA_PublicKey::algorithm_identifier() const {
   const auto encoded_group = m_public_key->group().DER_encode(DL_Group_Format::ANSI_X9_57);
   return AlgorithmIdentifier(object_identifier(), encoded_group);
}
/**
* Raw (non-DER) byte encoding of the public value, as produced by
* public_key_as_bytes() on the underlying key.
*/
std::vector<uint8_t> DSA_PublicKey::raw_public_key_bits() const {
   std::vector<uint8_t> raw_bytes = m_public_key->public_key_as_bytes();
   return raw_bytes;
}
/**
* DER encoding of the public key, as produced by DER_encode() on the
* underlying key.
*/
std::vector<uint8_t> DSA_PublicKey::public_key_bits() const {
   std::vector<uint8_t> der = m_public_key->DER_encode();
   return der;
}
/**
* Validate the public key.
*
* All checks are performed by DL_PublicKey::check_key; this wrapper adds
* none of its own. The decoding constructors in this file only require
* that q is present, so code that accepts keys from an untrusted source
* should call this before relying on the key.
*
* @param rng passed through to the underlying check
* @param strong passed through to the underlying check
* @return the result of the underlying check
*/
bool DSA_PublicKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   const bool key_ok = m_public_key->check_key(rng, strong);
   return key_ok;
}
/**
* Generate a new, unrelated DSA private key over the same group as this key.
*
* @param rng randomness source handed to the DSA_PrivateKey constructor
*/
std::unique_ptr<Private_Key> DSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
   const auto& group = m_public_key->group();
   std::unique_ptr<Private_Key> fresh_key = std::make_unique<DSA_PrivateKey>(rng, group);
   return fresh_key;
}
/**
* Decode a DSA public key from an AlgorithmIdentifier and encoded key bits.
*
* Parsing is delegated to DL_PublicKey, with the group parameters read in
* ANSI X9.57 format. The only check made here is that the decoded group
* carries a q parameter. No further validation of the group or of the
* public value is visible in this constructor; that is check_key()'s job.
*
* @param alg_id algorithm identifier carrying the encoded group parameters
* @param key_bits encoded public key
*/
DSA_PublicKey::DSA_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
   auto decoded_key = std::make_shared<DL_PublicKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);
   m_public_key = decoded_key;

   // DSA arithmetic is done modulo q, so a group without q is unusable
   BOTAN_ARG_CHECK(m_public_key->group().has_q(), "Q parameter must be set for DSA");
}
/**
* Build a DSA public key from an existing group and public value.
*
* The only check made here is that the group carries a q parameter.
*
* @param group the DL group; must have q set
* @param y the public value
*/
DSA_PublicKey::DSA_PublicKey(const DL_Group& group, const BigInt& y) {
   auto assembled_key = std::make_shared<DL_PublicKey>(group, y);
   m_public_key = assembled_key;

   // DSA arithmetic is done modulo q, so a group without q is unusable
   BOTAN_ARG_CHECK(m_public_key->group().has_q(), "Q parameter must be set for DSA");
}
/**
* Generate a new DSA private key over the given group.
*
* The group is rejected before any key material is generated if it has no
* q parameter. Key generation itself is done by DL_PrivateKey(group, rng).
*
* @param rng randomness source used to generate the private value
* @param group the DL group; must have q set
*/
DSA_PrivateKey::DSA_PrivateKey(RandomNumberGenerator& rng, const DL_Group& group) {
   BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA");

   auto generated_key = std::make_shared<DL_PrivateKey>(group, rng);
   m_private_key = generated_key;

   // The public half is derived from the private key just created
   m_public_key = m_private_key->public_key();
}
/**
* Build a DSA private key from an existing group and private value.
*
* The group is rejected first if it has no q parameter. This constructor
* does not itself compare x against q; check_key() performs that test.
*
* @param group the DL group; must have q set
* @param x the private value
*/
DSA_PrivateKey::DSA_PrivateKey(const DL_Group& group, const BigInt& x) {
   BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA");

   auto assembled_key = std::make_shared<DL_PrivateKey>(group, x);
   m_private_key = assembled_key;

   // The public half is derived from the private key just created
   m_public_key = m_private_key->public_key();
}
/**
* Decode a DSA private key from an AlgorithmIdentifier and encoded key bits.
*
* Parsing is delegated to DL_PrivateKey, with the group parameters read in
* ANSI X9.57 format. The presence of q can only be tested after decoding,
* so the check comes last. If it fails, the constructor throws and no key
* object is produced. Range validation of the private value is not done
* here; see check_key().
*
* @param alg_id algorithm identifier carrying the encoded group parameters
* @param key_bits encoded private key
*/
DSA_PrivateKey::DSA_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
   auto decoded_key = std::make_shared<DL_PrivateKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);
   m_private_key = decoded_key;
   m_public_key = m_private_key->public_key();

   BOTAN_ARG_CHECK(m_private_key->group().has_q(), "Q parameter must be set for DSA");
}
/**
* Validate the private key. The checks run in this order and stop at the
* first failure:
*
*  1. the generic DL_PrivateKey::check_key
*  2. the private value x must be strictly less than q
*  3. a sign/verify round trip using SHA-256
*
* @param rng randomness source for the underlying check and the test signature
* @param strong passed through to the underlying check
* @return true only if all three checks pass
*/
bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   const bool base_checks_ok = m_private_key->check_key(rng, strong);

   // Short-circuits, so x is only compared against q once the generic checks have passed
   const bool x_below_q = base_checks_ok && (m_private_key->private_key() < m_private_key->group().get_q());

   if(!x_below_q) {
      return false;
   }

   return KeyPair::signature_consistency_check(rng, *this, "SHA-256");
}
/**
* DER encoding of the private key, as produced by DER_encode() on the
* underlying key.
*
* The result is secret key material. It is returned in a secure_vector;
* callers should avoid copying it into ordinary buffers.
*/
secure_vector<uint8_t> DSA_PrivateKey::private_key_bits() const {
   secure_vector<uint8_t> der = m_private_key->DER_encode();
   return der;
}
/**
* Raw (non-DER) encoding of the private value, passed through from the
* underlying DL_PrivateKey.
*
* The result is secret key material. It is returned in a secure_vector;
* callers should avoid copying it into ordinary buffers.
*/
secure_vector<uint8_t> DSA_PrivateKey::raw_private_key_bits() const {
   secure_vector<uint8_t> raw_bytes = m_private_key->raw_private_key_bits();
   return raw_bytes;
}
/**
* Look up a named integer field of the private key.
*
* The lookup is delegated to the underlying DL_PrivateKey, which also
* receives this algorithm's name. Since the lookup goes to the private
* key object, the returned value may be secret (presumably the private
* value x is among the fields; confirm against DL_PrivateKey).
*/
const BigInt& DSA_PrivateKey::get_int_field(std::string_view field) const {
   const auto algo = algo_name();
   return m_private_key->get_int_field(algo, field);
}
/**
* Return a standalone public key object built from this key's public data.
*/
std::unique_ptr<Public_Key> DSA_PrivateKey::public_key() const {
   // The DSA_PublicKey constructor used here is private, so std::make_unique
   // cannot call it; the raw new is wrapped in a unique_ptr immediately.
   std::unique_ptr<DSA_PublicKey> pub(new DSA_PublicKey(m_public_key));
   return pub;
}
namespace {
/**
* Signing operation for DSA.
*
* Holds the private key together with a blinding factor m_b and its inverse
* modulo q. raw_sign() updates both on every call, so one operation object
* carries mutable state. No locking is visible here, so concurrent
* raw_sign() calls on one instance should not be assumed safe.
*/
class DSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {
   public:
      /**
      * @param key the private key to sign with
      * @param emsa hash/padding specification forwarded to Signature_with_Hash
      * @param rng used once, here, to pick the initial blinding factor
      */
      DSA_Signature_Operation(const std::shared_ptr<const DL_PrivateKey>& key,
                              std::string_view emsa,
                              RandomNumberGenerator& rng) :
            PK_Ops::Signature_with_Hash(emsa), m_key(key) {
         const auto& group = m_key->group();

         // Initial blinding factor from random_integer(rng, 2, q), with its inverse mod q precomputed
         m_b = BigInt::random_integer(rng, 2, group.get_q());
         m_b_inv = group.inverse_mod_q(m_b);
      }

      // A signature is the pair (r, s), each encoded in q_bytes() bytes
      size_t signature_length() const override { return m_key->group().q_bytes() * 2; }

      std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;

      AlgorithmIdentifier algorithm_identifier() const override;

   private:
      std::shared_ptr<const DL_PrivateKey> m_key;

      // Blinding factor and its inverse mod q; both are squared on each raw_sign() call
      BigInt m_b;
      BigInt m_b_inv;
};
/**
* AlgorithmIdentifier for signatures made by this operation.
*
* The OID is looked up from the name "DSA/<hash>", where <hash> is this
* operation's hash function name. The parameters field is left empty
* (USE_EMPTY_PARAM).
*/
AlgorithmIdentifier DSA_Signature_Operation::algorithm_identifier() const {
   const OID sig_oid = OID::from_string("DSA/" + hash_function());
   return AlgorithmIdentifier(sig_oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
}
152
153
0
/**
* Produce a DSA signature over msg.
*
* The per-signature nonce k must stay secret and must not repeat across
* different messages. When BOTAN_HAS_RFC6979_GENERATOR is defined, k is
* derived deterministically from the private key and the message, and rng
* is unused. Otherwise k is drawn from rng, and the signature is only as
* good as that generator.
*
* This method updates the blinding members m_b and m_b_inv, so it changes
* the operation object's state on every call.
*
* @param msg the value to sign; interpreted as an integer of at most q_bits() bits
* @param rng randomness source, used only when the RFC 6979 generator is not compiled in
* @return r and s encoded as a fixed-length pair, q.bytes() bytes each
* @throws Internal_Error if r or s comes out as zero
*/
std::vector<uint8_t> DSA_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
   const DL_Group& group = m_key->group();
   const BigInt& q = group.get_q();

   // Input as an integer capped at q_bits() bits; a single conditional
   // subtraction is then used to bring it below q.
   BigInt e = BigInt::from_bytes_with_max_bits(msg.data(), msg.size(), group.q_bits());

   if(e >= q) {
      e -= q;
   }

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   BOTAN_UNUSED(rng);
   const BigInt k = generate_rfc6979_nonce(m_key->private_key(), q, e, this->rfc6979_hash_function());
#else
   const BigInt k = BigInt::random_integer(rng, 1, q);
#endif

   const BigInt k_inv = group.inverse_mod_q(k);

   /*
   * r = (g^k mod p) mod q, using a constant-time reduction for the final
   * step. That may be more caution than is needed: r is public, and
   * learning anything about k from g^k mod p would seem to require a
   * discrete logarithm. The extra cost is roughly 7-10% per signature,
   * which is acceptable because DSA is only kept for legacy use.
   */
   const BigInt r = ct_modulo(group.power_g_p(k, group.q_bits()), q);

   /*
   * Blinding: x*r + m is computed as (x*r*b + m*b)/b. Squaring b and its
   * inverse gives a new pair that are still inverses of each other, so
   * each signature gets a different blinding value without another RNG
   * draw or modular inversion.
   */
   m_b = group.square_mod_q(m_b);
   m_b_inv = group.square_mod_q(m_b_inv);

   const BigInt blinded_e = group.multiply_mod_q(m_b, e);
   const BigInt blinded_xr = group.multiply_mod_q(m_b, m_key->private_key(), r);

   const BigInt s = group.multiply_mod_q(m_b_inv, k_inv, group.mod_q(blinded_xr + blinded_e));

   // A zero r or s is far more likely to be a bug than a genuine result,
   // so it is reported as an internal error and nothing is returned.
   const bool degenerate = r.is_zero() || s.is_zero();
   if(degenerate) {
      throw Internal_Error("Computed zero r/s during DSA signature");
   }

   return unlock(BigInt::encode_fixed_length_int_pair(r, s, q.bytes()));
}
/**
* Verification operation for DSA.
*
* Holds only the public key. The hash configuration lives in the
* Verification_with_Hash base class.
*/
class DSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {
   public:
      /**
      * @param key the public key to verify against
      * @param emsa hash/padding specification forwarded to Verification_with_Hash
      */
      DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, std::string_view emsa) :
            PK_Ops::Verification_with_Hash(emsa), m_key(key) {}

      /**
      * Used by create_x509_verification_op in this file. The hash is taken
      * from the signature's AlgorithmIdentifier by the base class, which
      * is also given the algorithm name "DSA".
      *
      * @param key the public key to verify against
      * @param alg_id the signature algorithm identifier
      */
      DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, const AlgorithmIdentifier& alg_id) :
            PK_Ops::Verification_with_Hash(alg_id, "DSA"), m_key(key) {}

      bool verify(std::span<const uint8_t> input, std::span<const uint8_t> sig) override;

   private:
      std::shared_ptr<const DL_PublicKey> m_key;
};
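/**
* Verify a DSA signature.
*
* A signature with the wrong length, or with r or s out of range, yields
* false rather than an exception.
*
* @param input the value the signature should cover; interpreted as an
*        integer of at most q_bits() bits
* @param sig the signature: r followed by s, each exactly q.bytes() long
* @return true only if sig has the expected length, r and s both lie in
*         [1, q-1], and the value recomputed from the public key equals r
*/
bool DSA_Verification_Operation::verify(std::span<const uint8_t> input, std::span<const uint8_t> sig) {
   // Bound by reference, as raw_sign() does, so the DL_Group is not copied on every verification
   const auto& group = m_key->group();

   const BigInt& q = group.get_q();
   const size_t q_bytes = q.bytes();

   // Exact length only: the two halves are split at q_bytes below
   if(sig.size() != 2 * q_bytes) {
      return false;
   }

   const BigInt r(sig.first(q_bytes));
   const BigInt s(sig.last(q_bytes));

   // Range check before any arithmetic. s == 0 has no inverse mod q, and
   // accepting values >= q would let the same signature be encoded in
   // more than one way.
   if(r == 0 || r >= q || s == 0 || s >= q) {
      return false;
   }

   // Same input-to-integer conversion as raw_sign(), so signer and verifier agree
   BigInt e = BigInt::from_bytes_with_max_bits(input.data(), input.size(), group.q_bits());
   if(e >= q) {
      e -= q;
   }

   // Each intermediate gets its own name instead of reusing s for three different values
   const BigInt w = inverse_mod(s, q);

   const BigInt u1 = group.multiply_mod_q(w, e);
   const BigInt u2 = group.multiply_mod_q(w, r);

   // presumably g^u1 * y^u2 mod p; confirm against DL_Group::multi_exponentiate
   const BigInt v = group.multi_exponentiate(u1, m_key->public_key(), u2);

   // v is too big for Barrett reduction, and verification handles only
   // public values, so a plain variable-time modulo is fine here.
   return (v % q == r);
}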
}  // namespace
/**
* Create a verification operation for this key.
*
* @param params hash/padding specification passed to the operation
* @param provider must be "base" or empty; this file has no other implementation
* @throws Provider_Not_Found for any other provider name
*/
std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_verification_op(std::string_view params,
                                                                            std::string_view provider) const {
   const bool use_builtin = provider.empty() || provider == "base";

   if(!use_builtin) {
      throw Provider_Not_Found(algo_name(), provider);
   }

   return std::make_unique<DSA_Verification_Operation>(this->m_public_key, params);
}
/**
* Create a verification operation configured from an X.509 signature
* algorithm identifier rather than from a parameter string.
*
* @param signature_algorithm the signature's AlgorithmIdentifier, passed to the operation
* @param provider must be "base" or empty; this file has no other implementation
* @throws Provider_Not_Found for any other provider name
*/
std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_x509_verification_op(
   const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
   const bool use_builtin = provider.empty() || provider == "base";

   if(!use_builtin) {
      throw Provider_Not_Found(algo_name(), provider);
   }

   return std::make_unique<DSA_Verification_Operation>(this->m_public_key, signature_algorithm);
}
/**
* Create a signing operation for this key.
*
* @param rng handed to the operation's constructor, which uses it to pick
*        the initial blinding factor
* @param params hash/padding specification passed to the operation
* @param provider must be "base" or empty; this file has no other implementation
* @throws Provider_Not_Found for any other provider name
*/
std::unique_ptr<PK_Ops::Signature> DSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
                                                                       std::string_view params,
                                                                       std::string_view provider) const {
   const bool use_builtin = provider.empty() || provider == "base";

   if(!use_builtin) {
      throw Provider_Not_Found(algo_name(), provider);
   }

   return std::make_unique<DSA_Signature_Operation>(this->m_private_key, params, rng);
}
}  // namespace Botan