/src/botan/src/lib/pubkey/dsa/dsa.cpp
Line  | Count  | Source  | 
1  |  | /*  | 
2  |  | * DSA  | 
3  |  | * (C) 1999-2010,2014,2016,2023 Jack Lloyd  | 
4  |  | * (C) 2016 René Korthaus  | 
5  |  | *  | 
6  |  | * Botan is released under the Simplified BSD License (see license.txt)  | 
7  |  | */  | 
8  |  |  | 
9  |  | #include <botan/dsa.h>  | 
10  |  |  | 
11  |  | #include <botan/assert.h>  | 
12  |  | #include <botan/internal/divide.h>  | 
13  |  | #include <botan/internal/dl_scheme.h>  | 
14  |  | #include <botan/internal/keypair.h>  | 
15  |  | #include <botan/internal/pk_ops_impl.h>  | 
16  |  |  | 
17  |  | #if defined(BOTAN_HAS_RFC6979_GENERATOR)  | 
18  |  |    #include <botan/internal/rfc6979.h>  | 
19  |  | #endif  | 
20  |  |  | 
21  |  | namespace Botan { | 
22  |  |  | 
/**
* Per-element size used for DER-encoded signatures: the byte length of the
* group order q, as reported by the key's DL group.
*/
std::optional<size_t> DSA_PublicKey::_signature_element_size_for_DER_encoding() const {
   const size_t element_bytes = m_public_key->group().q_bytes();
   return element_bytes;
}
26  |  |  | 
/**
* Strength estimate for this key; the figure comes unchanged from the
* underlying DL_PublicKey.
*/
size_t DSA_PublicKey::estimated_strength() const {
   const auto& dl_key = *m_public_key;
   return dl_key.estimated_strength();
}
30  |  |  | 
/**
* Key length in bits. This is the bit size of the prime p (p_bits()), not of
* the subgroup order q.
*/
size_t DSA_PublicKey::key_length() const {
   const size_t modulus_bits = m_public_key->p_bits();
   return modulus_bits;
}
34  |  |  | 
/**
* Look up a named integer field of the public key. The lookup itself is done
* by DL_PublicKey, which is also given this algorithm's name.
*/
const BigInt& DSA_PublicKey::get_int_field(std::string_view field) const {
   const auto algo = algo_name();
   return m_public_key->get_int_field(algo, field);
}
38  |  |  | 
/**
* AlgorithmIdentifier for this key: the DSA object identifier with the group
* parameters DER-encoded in ANSI X9.57 format.
*/
AlgorithmIdentifier DSA_PublicKey::algorithm_identifier() const {
   const auto group_params = m_public_key->group().DER_encode(DL_Group_Format::ANSI_X9_57);
   return AlgorithmIdentifier(object_identifier(), group_params);
}
42  |  |  | 
/**
* Raw byte encoding of the public value, produced by
* DL_PublicKey::public_key_as_bytes().
*/
std::vector<uint8_t> DSA_PublicKey::raw_public_key_bits() const {
   std::vector<uint8_t> raw = m_public_key->public_key_as_bytes();
   return raw;
}
46  |  |  | 
/**
* DER encoding of the public key, produced by DL_PublicKey::DER_encode().
*/
std::vector<uint8_t> DSA_PublicKey::public_key_bits() const {
   std::vector<uint8_t> der = m_public_key->DER_encode();
   return der;
}
50  |  |  | 
/**
* Validate the public key. No DSA-specific test is added at this level; the
* verdict is whatever DL_PublicKey::check_key() returns for (rng, strong).
*/
bool DSA_PublicKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   const bool dl_key_ok = m_public_key->check_key(rng, strong);
   return dl_key_ok;
}
54  |  |  | 
/**
* Generate a fresh DSA private key that uses the same group as this key.
*/
std::unique_ptr<Private_Key> DSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
   const DL_Group& same_group = m_public_key->group();
   return std::make_unique<DSA_PrivateKey>(rng, same_group);
}
58  |  |  | 
/**
* Decode a DSA public key from an AlgorithmIdentifier plus encoded key bits,
* reading the group in ANSI X9.57 format.
*
* The only DSA-specific validation done here is that the decoded group
* carries q. Anything further is whatever the DL_PublicKey decoder performs
* (not visible in this file); check_key() is the explicit validation entry
* point for keys taken from untrusted input.
*/
DSA_PublicKey::DSA_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
   m_public_key = std::make_shared<DL_PublicKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);

   // DSA works in the order-q subgroup, so a group without q is rejected
   const bool group_has_q = m_public_key->group().has_q();
   BOTAN_ARG_CHECK(group_has_q, "Q parameter must be set for DSA");
}
64  |  |  | 
/**
* Build a DSA public key from a group and the public value y.
*
* The group must carry q; a group without it is rejected as an invalid
* argument, after the DL_PublicKey has been constructed.
*/
DSA_PublicKey::DSA_PublicKey(const DL_Group& group, const BigInt& y) {
   m_public_key = std::make_shared<DL_PublicKey>(group, y);

   // DSA works in the order-q subgroup, so a group without q is rejected
   const bool group_has_q = m_public_key->group().has_q();
   BOTAN_ARG_CHECK(group_has_q, "Q parameter must be set for DSA");
}
70  |  |  | 
/**
* Generate a new DSA private key in the given group, drawing randomness from
* rng. The group is checked for q before any key material is created.
*/
DSA_PrivateKey::DSA_PrivateKey(RandomNumberGenerator& rng, const DL_Group& group) {
   const bool group_has_q = group.has_q();
   BOTAN_ARG_CHECK(group_has_q, "Q parameter must be set for DSA");

   // The public half is derived from the freshly generated private key
   m_private_key = std::make_shared<DL_PrivateKey>(group, rng);
   m_public_key = m_private_key->public_key();
}
77  |  |  | 
/**
* Build a DSA private key from a group and an existing secret value x. The
* group is checked for q before the key objects are created.
*
* This constructor does not itself compare x with q; check_key() performs
* that test.
*/
DSA_PrivateKey::DSA_PrivateKey(const DL_Group& group, const BigInt& x) {
   const bool group_has_q = group.has_q();
   BOTAN_ARG_CHECK(group_has_q, "Q parameter must be set for DSA");

   // The public half is derived from the supplied private value
   m_private_key = std::make_shared<DL_PrivateKey>(group, x);
   m_public_key = m_private_key->public_key();
}
84  |  |  | 
/**
* Decode a DSA private key from an AlgorithmIdentifier plus encoded key bits,
* reading the group in ANSI X9.57 format.
*
* Unlike the constructors that take a DL_Group, the q check runs after
* decoding, because the group only exists once the key has been parsed. No
* range check on the private value is made here; check_key() covers that.
*/
DSA_PrivateKey::DSA_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
   m_private_key = std::make_shared<DL_PrivateKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);
   m_public_key = m_private_key->public_key();

   // DSA works in the order-q subgroup, so a group without q is rejected
   const bool group_has_q = m_private_key->group().has_q();
   BOTAN_ARG_CHECK(group_has_q, "Q parameter must be set for DSA");
}
91  |  |  | 
/**
* Validate the private key in three stages:
*  1. the checks done by DL_PrivateKey::check_key(),
*  2. the private value must be strictly less than q,
*  3. a signature consistency check using SHA-256.
*
* @return true only if every stage passes
*/
bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   const bool dl_checks_ok = m_private_key->check_key(rng, strong);
   if(!dl_checks_ok) {
      return false;
   }

   // A private value at or above q is treated as invalid
   const DL_Group& group = m_private_key->group();
   const BigInt& x = m_private_key->private_key();
   if(x >= group.get_q()) {
      return false;
   }

   const bool sig_roundtrip_ok = KeyPair::signature_consistency_check(rng, *this, "SHA-256");
   return sig_roundtrip_ok;
}
103  |  |  | 
/**
* DER encoding of the private key. It is returned in a secure_vector and
* should be handled as secret material.
*/
secure_vector<uint8_t> DSA_PrivateKey::private_key_bits() const {
   secure_vector<uint8_t> der = m_private_key->DER_encode();
   return der;
}
107  |  |  | 
/**
* Raw byte encoding of the private value, as produced by
* DL_PrivateKey::raw_private_key_bits(). It is returned in a secure_vector and
* should be handled as secret material.
*/
secure_vector<uint8_t> DSA_PrivateKey::raw_private_key_bits() const {
   secure_vector<uint8_t> raw = m_private_key->raw_private_key_bits();
   return raw;
}
111  |  |  | 
/**
* Look up a named integer field of the private key. The lookup itself is done
* by DL_PrivateKey, which is also given this algorithm's name.
*/
const BigInt& DSA_PrivateKey::get_int_field(std::string_view field) const {
   const auto algo = algo_name();
   return m_private_key->get_int_field(algo, field);
}
115  |  |  | 
/**
* Return a standalone DSA_PublicKey that shares this key's public component.
*/
std::unique_ptr<Public_Key> DSA_PrivateKey::public_key() const {
   // The constructor used here is private, which rules out std::make_unique
   std::unique_ptr<DSA_PublicKey> pub(new DSA_PublicKey(m_public_key));
   return pub;
}
120  |  |  | 
121  |  | namespace { | 
122  |  |  | 
/**
* Signing operation for DSA.
*
* Besides the private key, the object holds a blinding factor m_b and its
* inverse modulo q (m_b_inv). Both are set up once in the constructor and
* updated by raw_sign() on every signature, so an instance is stateful.
*/
class DSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {
   public:
      /**
      * @param key the DL private key to sign with
      * @param hash_fn hash name handed to Signature_with_Hash
      * @param rng source of randomness for the initial blinding factor
      */
      DSA_Signature_Operation(const std::shared_ptr<const DL_PrivateKey>& key,
                              std::string_view hash_fn,
                              RandomNumberGenerator& rng) :
            PK_Ops::Signature_with_Hash(hash_fn), m_key(key) {
         const DL_Group& group = m_key->group();

         // Initial blinding factor, drawn at random with lower bound 2 and upper bound q
         m_b = BigInt::random_integer(rng, BigInt::from_s32(2), group.get_q());
         m_b_inv = group.inverse_mod_q(m_b);
      }

      /// A signature is the pair (r, s), each element q_bytes() long
      size_t signature_length() const override {
         const size_t element_bytes = m_key->group().q_bytes();
         return 2 * element_bytes;
      }

      std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;

      AlgorithmIdentifier algorithm_identifier() const override;

   private:
      std::shared_ptr<const DL_PrivateKey> m_key;

      // Blinding factor and its inverse mod q; raw_sign() squares both on each call
      BigInt m_b, m_b_inv;
};
146  |  |  | 
/**
* AlgorithmIdentifier for the signature scheme. The OID is looked up under
* the name "DSA/<hash>" and the parameters are left empty.
*/
AlgorithmIdentifier DSA_Signature_Operation::algorithm_identifier() const {
   const OID sig_oid = OID::from_string("DSA/" + hash_function());
   return AlgorithmIdentifier(sig_oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
}
152  |  |  | 
/**
* Produce a DSA signature over an already-hashed message.
*
* @param msg the message representative (hash output)
* @param rng used for the nonce only when RFC 6979 support is not compiled in
* @return r and s, each encoded to q.bytes() bytes
* @throws Internal_Error if the computed r or s is zero
*/
std::vector<uint8_t> DSA_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
   const DL_Group& grp = m_key->group();
   const BigInt& order = grp.get_q();

   // The input is cut to at most q_bits bits, then brought below q with a
   // single conditional subtraction
   BigInt digest = BigInt::from_bytes_with_max_bits(msg.data(), msg.size(), grp.q_bits());

   if(digest >= order) {
      digest -= order;
   }

   /*
   * Nonce selection. With RFC 6979 support the nonce is derived from the
   * private key and the message, and rng is not consulted. Without it the
   * nonce is taken directly from rng, so signature security then rests on
   * that generator: a repeated or predictable nonce discloses the private key.
   */
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   BOTAN_UNUSED(rng);
   const BigInt nonce = generate_rfc6979_nonce(m_key->private_key(), order, digest, this->rfc6979_hash_function());
#else
   const BigInt nonce = BigInt::random_integer(rng, 1, order);
#endif

   // Invert the nonce under blinding: (b*k)^-1 * b equals k^-1 mod q. This
   // must use m_b as it stands before the update further down.
   const BigInt blinded_nonce = grp.mod_q(m_b * nonce);
   const BigInt nonce_inv = grp.multiply_mod_q(grp.inverse_mod_q(blinded_nonce), m_b);

   /*
   * The reduction (g^k mod p) mod q is done in constant time. That may not be
   * strictly required: r is published in the signature, and learning anything
   * useful about k from g^k mod p would seem to need a discrete logarithm.
   *
   * The extra cost is only about 7-10% per signature, and DSA is kept for
   * legacy use, so signing performance is not a priority.
   */
   const BigInt r = ct_modulo(grp.power_g_p(nonce, grp.q_bits()), order);

   /*
   * Advance the blinding pair by squaring, then blind the message and compute
   * x*r+m as (x*r*b + m*b)/b
   */
   m_b = grp.square_mod_q(m_b);
   m_b_inv = grp.square_mod_q(m_b_inv);

   digest = grp.multiply_mod_q(m_b, digest);
   const BigInt xr = grp.multiply_mod_q(m_b, m_key->private_key(), r);

   const BigInt s = grp.multiply_mod_q(m_b_inv, nonce_inv, grp.mod_q(xr + digest));

   // A zero r or s is, with overwhelming probability, a bug rather than a
   // genuine result, so it is reported as an internal error
   const bool degenerate = r.is_zero() || s.is_zero();
   if(degenerate) {
      throw Internal_Error("Computed zero r/s during DSA signature");
   }

   return unlock(BigInt::encode_fixed_length_int_pair(r, s, order.bytes()));
}
201  |  |  | 
/**
* Verification operation for DSA. It holds only the public key; the hash
* handling lives in PK_Ops::Verification_with_Hash.
*/
class DSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {
   public:
      /**
      * Construct from a key and an explicit hash function name.
      */
      DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, std::string_view hash_fn) :
            PK_Ops::Verification_with_Hash(hash_fn), m_key(key) {}

      /**
      * Construct from a key and a signature AlgorithmIdentifier. The base class
      * receives the identifier together with the algorithm name "DSA".
      */
      DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, const AlgorithmIdentifier& alg_id) :
            PK_Ops::Verification_with_Hash(alg_id, "DSA"), m_key(key) {}

      /**
      * @param input the message representative (hash output)
      * @param sig the signature to check
      * @return true if the signature is valid for input
      */
      bool verify(std::span<const uint8_t> input, std::span<const uint8_t> sig) override;

   private:
      std::shared_ptr<const DL_PublicKey> m_key;
};
218  |  |  | 
/**
* Check a DSA signature against an already-hashed message.
*
* Malformed signatures are rejected by returning false: a signature whose
* length is not exactly 2 * q.bytes(), or whose r or s lies outside the open
* range (0, q).
*
* @param input the message representative (hash output)
* @param sig r followed by s, each q.bytes() long
* @return true if the signature verifies
*/
bool DSA_Verification_Operation::verify(std::span<const uint8_t> input, std::span<const uint8_t> sig) {
   const DL_Group& group = m_key->group();

   const BigInt& q = group.get_q();
   const size_t half = q.bytes();

   // Length is checked before splitting, so first()/last() stay in bounds
   if(sig.size() != 2 * half) {
      return false;
   }

   const BigInt r(sig.first(half));
   const BigInt s(sig.last(half));

   // Out-of-range values are rejected outright rather than reduced mod q
   if(r.is_zero() || r >= q) {
      return false;
   }
   if(s.is_zero() || s >= q) {
      return false;
   }

   // Same message handling as the signer: cut to q_bits bits, then one
   // conditional subtraction
   BigInt digest = BigInt::from_bytes_with_max_bits(input.data(), input.size(), group.q_bits());
   if(digest >= q) {
      digest -= q;
   }

   const BigInt s_inv = group.inverse_mod_q(s);

   const BigInt sr = group.multiply_mod_q(s_inv, r);
   const BigInt si = group.multiply_mod_q(s_inv, digest);

   const BigInt v = group.multi_exponentiate(si, m_key->public_key(), sr);

   // v is too big for Barrett, and verification doesn't need to be const-time
   return (v % q == r);
}
251  |  |  | 
252  |  | }  // namespace  | 
253  |  |  | 
/**
* Create a verification operation for this key.
*
* @param params passed to the operation as the hash function name
* @param provider must be "base" or empty
* @throws Provider_Not_Found for any other provider
*/
std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_verification_op(std::string_view params,
                                                                            std::string_view provider) const {
   const bool builtin_provider = provider.empty() || provider == "base";
   if(!builtin_provider) {
      throw Provider_Not_Found(algo_name(), provider);
   }
   return std::make_unique<DSA_Verification_Operation>(this->m_public_key, params);
}
261  |  |  | 
/**
* Create a verification operation configured from a signature
* AlgorithmIdentifier, for example one taken from a certificate.
*
* @param signature_algorithm forwarded to the verification operation
* @param provider must be "base" or empty
* @throws Provider_Not_Found for any other provider
*/
std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_x509_verification_op(
   const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
   const bool builtin_provider = provider.empty() || provider == "base";
   if(!builtin_provider) {
      throw Provider_Not_Found(algo_name(), provider);
   }

   return std::make_unique<DSA_Verification_Operation>(this->m_public_key, signature_algorithm);
}
270  |  |  | 
/**
* Create a signing operation for this key.
*
* @param rng forwarded to the operation, which uses it to set up blinding
* @param params passed to the operation as the hash function name
* @param provider must be "base" or empty
* @throws Provider_Not_Found for any other provider
*/
std::unique_ptr<PK_Ops::Signature> DSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
                                                                       std::string_view params,
                                                                       std::string_view provider) const {
   const bool builtin_provider = provider.empty() || provider == "base";
   if(!builtin_provider) {
      throw Provider_Not_Found(algo_name(), provider);
   }
   return std::make_unique<DSA_Signature_Operation>(this->m_private_key, params, rng);
}
279  |  |  | 
280  |  | }  // namespace Botan  |