Coverage Report

Created: 2024-11-29 06:10

/src/botan/src/lib/pubkey/xmss/xmss_verification_operation.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * XMSS Verification Operation
3
 * Provides signature verification capabilities for Extended Hash-Based
4
 * Signatures (XMSS).
5
 *
6
 * (C) 2016,2017 Matthias Gierlings
7
 *
8
 * Botan is released under the Simplified BSD License (see license.txt)
9
 **/
10
11
#include <botan/internal/xmss_verification_operation.h>
12
13
#include <botan/internal/xmss_common_ops.h>
14
#include <botan/internal/xmss_tools.h>
15
#include <array>
16
17
namespace Botan {
18
19
XMSS_Verification_Operation::XMSS_Verification_Operation(const XMSS_PublicKey& public_key) :
20
0
      m_pub_key(public_key), m_hash(public_key.xmss_parameters()), m_msg_buf(0) {}
Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&)
Unexecuted instantiation: Botan::XMSS_Verification_Operation::XMSS_Verification_Operation(Botan::XMSS_PublicKey const&)
21
22
secure_vector<uint8_t> XMSS_Verification_Operation::root_from_signature(const XMSS_Signature& sig,
23
                                                                        const secure_vector<uint8_t>& msg,
24
                                                                        XMSS_Address& adrs,
25
0
                                                                        const secure_vector<uint8_t>& seed) {
26
0
   const auto& params = m_pub_key.xmss_parameters();
27
28
0
   const uint32_t next_index = static_cast<uint32_t>(sig.unused_leaf_index());
29
0
   adrs.set_type(XMSS_Address::Type::OTS_Hash_Address);
30
0
   adrs.set_ots_address(next_index);
31
32
0
   XMSS_WOTS_PublicKey pub_key_ots(params.ots_oid(), seed, sig.tree().ots_signature, msg, adrs, m_hash);
33
34
0
   adrs.set_type(XMSS_Address::Type::LTree_Address);
35
0
   adrs.set_ltree_address(next_index);
36
37
0
   std::array<secure_vector<uint8_t>, 2> node;
38
0
   XMSS_Common_Ops::create_l_tree(node[0], pub_key_ots.key_data(), adrs, seed, m_hash, params);
39
40
0
   adrs.set_type(XMSS_Address::Type::Hash_Tree_Address);
41
0
   adrs.set_tree_index(next_index);
42
43
0
   for(size_t k = 0; k < params.tree_height(); k++) {
44
0
      adrs.set_tree_height(static_cast<uint32_t>(k));
45
0
      if(((next_index / (static_cast<size_t>(1) << k)) & 0x01) == 0) {
46
0
         adrs.set_tree_index(adrs.get_tree_index() >> 1);
47
0
         XMSS_Common_Ops::randomize_tree_hash(
48
0
            node[1], node[0], sig.tree().authentication_path[k], adrs, seed, m_hash, params);
49
0
      } else {
50
0
         adrs.set_tree_index((adrs.get_tree_index() - 1) >> 1);
51
0
         XMSS_Common_Ops::randomize_tree_hash(
52
0
            node[1], sig.tree().authentication_path[k], node[0], adrs, seed, m_hash, params);
53
0
      }
54
0
      node[0] = node[1];
55
0
   }
56
0
   return node[0];
57
0
}
58
59
bool XMSS_Verification_Operation::verify(const XMSS_Signature& sig,
60
                                         const secure_vector<uint8_t>& msg,
61
0
                                         const XMSS_PublicKey& public_key) {
62
0
   XMSS_Address adrs;
63
0
   secure_vector<uint8_t> index_bytes;
64
0
   XMSS_Tools::concat(index_bytes, sig.unused_leaf_index(), m_pub_key.xmss_parameters().element_size());
65
0
   secure_vector<uint8_t> msg_digest = m_hash.h_msg(sig.randomness(), public_key.root(), index_bytes, msg);
66
67
0
   secure_vector<uint8_t> node = root_from_signature(sig, msg_digest, adrs, public_key.public_seed());
68
69
0
   return (node == public_key.root());
70
0
}
71
72
// FIXME: XMSS signature verification requires the "randomness" parameter out
73
// of the XMSS signature, which is part of the prefix that is hashed before
74
// msg. Since the signature is unknown till sign() is called all message
75
// content has to be buffered. For large messages this can be inconvenient or
76
// impossible.
77
// Possible solution: Change PK_Ops::Verification interface to take the
78
// signature as constructor argument, make sign a parameterless member call.
79
0
void XMSS_Verification_Operation::update(std::span<const uint8_t> input) {
80
0
   m_msg_buf.insert(m_msg_buf.end(), input.begin(), input.end());
81
0
}
82
83
0
bool XMSS_Verification_Operation::is_valid_signature(std::span<const uint8_t> sig) {
84
0
   try {
85
0
      XMSS_Signature signature(m_pub_key.xmss_parameters().oid(), sig);
86
0
      bool result = verify(signature, m_msg_buf, m_pub_key);
87
0
      m_msg_buf.clear();
88
0
      return result;
89
0
   } catch(...) {
90
0
      m_msg_buf.clear();
91
0
      return false;
92
0
   }
93
0
}
94
95
}  // namespace Botan