/src/botan/build/include/public/botan/pubkey.h
Line | Count | Source |
1 | | /* |
2 | | * Public Key Interface |
3 | | * (C) 1999-2010 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #ifndef BOTAN_PUBKEY_H_ |
9 | | #define BOTAN_PUBKEY_H_ |
10 | | |
11 | | #include <botan/asn1_obj.h> |
12 | | #include <botan/pk_keys.h> |
13 | | #include <botan/pk_ops_fwd.h> |
14 | | #include <botan/symkey.h> |
15 | | #include <span> |
16 | | #include <string> |
17 | | #include <string_view> |
18 | | #include <utility> |
19 | | |
20 | | namespace Botan { |
21 | | |
22 | | class RandomNumberGenerator; |
23 | | |
24 | | /** |
25 | | * Public Key Encryptor |
26 | | * This is the primary interface for public key encryption |
27 | | */ |
28 | | class BOTAN_PUBLIC_API(2, 0) PK_Encryptor { |
29 | | public: |
30 | | /** |
31 | | * Encrypt a message. |
32 | | * @param in the message as a byte array |
33 | | * @param length the length of the above byte array |
34 | | * @param rng the random number source to use |
35 | | * @return encrypted message |
36 | | */ |
37 | 0 | std::vector<uint8_t> encrypt(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const { |
38 | 0 | return enc(in, length, rng); |
39 | 0 | } |
40 | | |
41 | | /** |
42 | | * Encrypt a message. |
43 | | * @param in the message |
44 | | * @param rng the random number source to use |
45 | | * @return encrypted message |
46 | | */ |
47 | 0 | std::vector<uint8_t> encrypt(std::span<const uint8_t> in, RandomNumberGenerator& rng) const { |
48 | 0 | return enc(in.data(), in.size(), rng); |
49 | 0 | } |
50 | | |
51 | | /** |
52 | | * Return the maximum allowed message size in bytes. |
53 | | * @return maximum message size in bytes |
54 | | */ |
55 | | virtual size_t maximum_input_size() const = 0; |
56 | | |
57 | | /** |
58 | | * Return an upper bound on the ciphertext length |
59 | | */ |
60 | | virtual size_t ciphertext_length(size_t ctext_len) const = 0; |
61 | | |
62 | 0 | PK_Encryptor() = default; |
63 | 0 | virtual ~PK_Encryptor() = default; |
64 | | |
65 | | PK_Encryptor(const PK_Encryptor&) = delete; |
66 | | PK_Encryptor& operator=(const PK_Encryptor&) = delete; |
67 | | |
68 | 0 | PK_Encryptor(PK_Encryptor&&) noexcept = default; |
69 | 0 | PK_Encryptor& operator=(PK_Encryptor&&) noexcept = default; |
70 | | |
71 | | private: |
72 | | virtual std::vector<uint8_t> enc(const uint8_t[], size_t, RandomNumberGenerator&) const = 0; |
73 | | }; |
74 | | |
75 | | /** |
76 | | * Public Key Decryptor |
77 | | */ |
78 | | class BOTAN_PUBLIC_API(2, 0) PK_Decryptor { |
79 | | public: |
80 | | /** |
81 | | * Decrypt a ciphertext, throwing an exception if the input |
82 | | * seems to be invalid (eg due to an accidental or malicious |
83 | | * error in the ciphertext). |
84 | | * |
85 | | * @param in the ciphertext as a byte array |
86 | | * @param length the length of the above byte array |
87 | | * @return decrypted message |
88 | | */ |
89 | | secure_vector<uint8_t> decrypt(const uint8_t in[], size_t length) const; |
90 | | |
91 | | /** |
92 | | * Same as above, but taking a vector |
93 | | * @param in the ciphertext |
94 | | * @return decrypted message |
95 | | */ |
96 | 0 | secure_vector<uint8_t> decrypt(std::span<const uint8_t> in) const { return decrypt(in.data(), in.size()); } |
97 | | |
98 | | /** |
99 | | * Decrypt a ciphertext. If the ciphertext is invalid (eg due to |
100 | | * invalid padding) or is not the expected length, instead |
101 | | * returns a random string of the expected length. Use to avoid |
102 | | * oracle attacks, especially against PKCS #1 v1.5 decryption. |
103 | | */ |
104 | | secure_vector<uint8_t> decrypt_or_random(const uint8_t in[], |
105 | | size_t length, |
106 | | size_t expected_pt_len, |
107 | | RandomNumberGenerator& rng) const; |
108 | | |
109 | | /** |
110 | | * Decrypt a ciphertext. If the ciphertext is invalid (eg due to |
111 | | * invalid padding) or is not the expected length, instead |
112 | | * returns a random string of the expected length. Use to avoid |
113 | | * oracle attacks, especially against PKCS #1 v1.5 decryption. |
114 | | * |
115 | | * Additionally checks (also in const time) that: |
116 | | * contents[required_content_offsets[i]] == required_content_bytes[i] |
117 | | * for 0 <= i < required_contents |
118 | | * |
119 | | * Used for example in TLS, which encodes the client version in |
120 | | * the content bytes: if there is any timing variation the version |
121 | | * check can be used as an oracle to recover the key. |
122 | | */ |
123 | | secure_vector<uint8_t> decrypt_or_random(const uint8_t in[], |
124 | | size_t length, |
125 | | size_t expected_pt_len, |
126 | | RandomNumberGenerator& rng, |
127 | | const uint8_t required_content_bytes[], |
128 | | const uint8_t required_content_offsets[], |
129 | | size_t required_contents) const; |
130 | | |
131 | | /** |
132 | | * Return an upper bound on the plaintext length for a particular |
133 | | * ciphertext input length |
134 | | */ |
135 | | virtual size_t plaintext_length(size_t ctext_len) const = 0; |
136 | | |
137 | 0 | PK_Decryptor() = default; |
138 | 0 | virtual ~PK_Decryptor() = default; |
139 | | |
140 | | PK_Decryptor(const PK_Decryptor&) = delete; |
141 | | PK_Decryptor& operator=(const PK_Decryptor&) = delete; |
142 | | |
143 | 0 | PK_Decryptor(PK_Decryptor&&) noexcept = default; |
144 | 0 | PK_Decryptor& operator=(PK_Decryptor&&) noexcept = default; |
145 | | |
146 | | private: |
147 | | virtual secure_vector<uint8_t> do_decrypt(uint8_t& valid_mask, const uint8_t in[], size_t in_len) const = 0; |
148 | | }; |
149 | | |
150 | | /** |
151 | | * Public Key Signer. Use the sign_message() functions for small |
152 | | * messages. Use multiple calls update() to process large messages and |
153 | | * generate the signature by finally calling signature(). |
154 | | */ |
155 | | class BOTAN_PUBLIC_API(2, 0) PK_Signer final { |
156 | | public: |
157 | | /** |
158 | | * Construct a PK Signer. |
159 | | * @param key the key to use inside this signer |
160 | | * @param rng the random generator to use |
161 | | * @param padding the padding/hash to use, eg "SHA-512" or "PSS(SHA-256)" |
162 | | * @param format the signature format to use |
163 | | * @param provider the provider to use |
164 | | */ |
165 | | PK_Signer(const Private_Key& key, |
166 | | RandomNumberGenerator& rng, |
167 | | std::string_view padding, |
168 | | Signature_Format format = Signature_Format::Standard, |
169 | | std::string_view provider = ""); |
170 | | |
171 | | ~PK_Signer(); |
172 | | |
173 | | PK_Signer(const PK_Signer&) = delete; |
174 | | PK_Signer& operator=(const PK_Signer&) = delete; |
175 | | |
176 | | PK_Signer(PK_Signer&&) noexcept; |
177 | | PK_Signer& operator=(PK_Signer&&) noexcept; |
178 | | |
179 | | /** |
180 | | * Sign a message all in one go |
181 | | * @param in the message to sign as a byte array |
182 | | * @param length the length of the above byte array |
183 | | * @param rng the rng to use |
184 | | * @return signature |
185 | | */ |
186 | 0 | std::vector<uint8_t> sign_message(const uint8_t in[], size_t length, RandomNumberGenerator& rng) { |
187 | 0 | this->update(in, length); |
188 | 0 | return this->signature(rng); |
189 | 0 | } |
190 | | |
191 | | /** |
192 | | * Sign a message. |
193 | | * @param in the message to sign |
194 | | * @param rng the rng to use |
195 | | * @return signature |
196 | | */ |
197 | 0 | std::vector<uint8_t> sign_message(std::span<const uint8_t> in, RandomNumberGenerator& rng) { |
198 | 0 | return sign_message(in.data(), in.size(), rng); |
199 | 0 | } |
200 | | |
201 | | /** |
202 | | * Add a message part (single byte). |
203 | | * @param in the byte to add |
204 | | */ |
205 | 0 | void update(uint8_t in) { update(&in, 1); } |
206 | | |
207 | | /** |
208 | | * Add a message part. |
209 | | * @param in the message part to add as a byte array |
210 | | * @param length the length of the above byte array |
211 | | */ |
212 | | void update(const uint8_t in[], size_t length); |
213 | | |
214 | | /** |
215 | | * Add a message part. |
216 | | * @param in the message part to add |
217 | | */ |
218 | 0 | void update(std::span<const uint8_t> in) { update(in.data(), in.size()); } |
219 | | |
220 | | /** |
221 | | * Add a message part. |
222 | | * @param in the message part to add |
223 | | */ |
224 | | void update(std::string_view in); |
225 | | |
226 | | /** |
227 | | * Get the signature of the so far processed message (provided by the |
228 | | * calls to update()). |
229 | | * @param rng the rng to use |
230 | | * @return signature of the total message |
231 | | */ |
232 | | std::vector<uint8_t> signature(RandomNumberGenerator& rng); |
233 | | |
234 | | /** |
235 | | * Set the output format of the signature. |
236 | | * @param format the signature format to use |
237 | | */ |
238 | 0 | void set_output_format(Signature_Format format) { m_sig_format = format; } |
239 | | |
240 | | /** |
241 | | * Return an upper bound on the length of the signatures this |
242 | | * PK_Signer will produce |
243 | | */ |
244 | | size_t signature_length() const; |
245 | | |
246 | | /** |
247 | | * Return an AlgorithmIdentifier appropriate for identifying the signature |
248 | | * method being generated by this PK_Signer. Throws an exception if this |
249 | | * is not available for the current signature scheme. |
250 | | */ |
251 | | AlgorithmIdentifier algorithm_identifier() const; |
252 | | |
253 | | /** |
254 | | * Return the hash function which is being used to create signatures. |
255 | | * This should never return an empty string however it may return a string |
256 | | * which does not map directly to a hash function, in particular if "Raw" |
257 | | * (unhashed) encoding is being used. |
258 | | */ |
259 | | std::string hash_function() const; |
260 | | |
261 | | private: |
262 | | std::unique_ptr<PK_Ops::Signature> m_op; |
263 | | Signature_Format m_sig_format; |
264 | | std::optional<size_t> m_sig_element_size; |
265 | | }; |
266 | | |
267 | | /** |
268 | | * Public Key Verifier. Use the verify_message() functions for small |
269 | | * messages. Use multiple calls update() to process large messages and |
270 | | * verify the signature by finally calling check_signature(). |
271 | | */ |
272 | | class BOTAN_PUBLIC_API(2, 0) PK_Verifier final { |
273 | | public: |
274 | | /** |
275 | | * Construct a PK Verifier. |
276 | | * @param pub_key the public key to verify against |
277 | | * @param padding the padding/hash to use (eg "SHA-512" or "PSS(SHA-256)") |
278 | | * @param format the signature format to use |
279 | | * @param provider the provider to use |
280 | | */ |
281 | | PK_Verifier(const Public_Key& pub_key, |
282 | | std::string_view padding, |
283 | | Signature_Format format = Signature_Format::Standard, |
284 | | std::string_view provider = ""); |
285 | | |
286 | | /** |
287 | | * Construct a PK Verifier (X.509 specific) |
288 | | * |
289 | | * This constructor will attempt to decode signature_format relative |
290 | | * to the public key provided. If they seem to be inconsistent or |
291 | | * otherwise unsupported, a Decoding_Error is thrown. |
292 | | * |
293 | | * @param pub_key the public key to verify against |
294 | | * @param signature_algorithm the supposed signature algorithm |
295 | | * @param provider the provider to use |
296 | | */ |
297 | | PK_Verifier(const Public_Key& pub_key, |
298 | | const AlgorithmIdentifier& signature_algorithm, |
299 | | std::string_view provider = ""); |
300 | | |
301 | | ~PK_Verifier(); |
302 | | |
303 | | PK_Verifier(const PK_Verifier&) = delete; |
304 | | PK_Verifier& operator=(const PK_Verifier&) = delete; |
305 | | |
306 | | PK_Verifier(PK_Verifier&&) noexcept; |
307 | | PK_Verifier& operator=(PK_Verifier&&) noexcept; |
308 | | |
309 | | /** |
310 | | * Verify a signature. |
311 | | * @param msg the message that the signature belongs to, as a byte array |
312 | | * @param msg_length the length of the above byte array msg |
313 | | * @param sig the signature as a byte array |
314 | | * @param sig_length the length of the above byte array sig |
315 | | * @return true if the signature is valid |
316 | | */ |
317 | | bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length); |
318 | | |
319 | | /** |
320 | | * Verify a signature. |
321 | | * @param msg the message that the signature belongs to |
322 | | * @param sig the signature |
323 | | * @return true if the signature is valid |
324 | | */ |
325 | 0 | bool verify_message(std::span<const uint8_t> msg, std::span<const uint8_t> sig) { |
326 | 0 | return verify_message(msg.data(), msg.size(), sig.data(), sig.size()); |
327 | 0 | } |
328 | | |
329 | | /** |
330 | | * Add a message part (single byte) of the message corresponding to the |
331 | | * signature to be verified. |
332 | | * @param in the byte to add |
333 | | */ |
334 | 0 | void update(uint8_t in) { update(&in, 1); } |
335 | | |
336 | | /** |
337 | | * Add a message part of the message corresponding to the |
338 | | * signature to be verified. |
339 | | * @param msg_part the new message part as a byte array |
340 | | * @param length the length of the above byte array |
341 | | */ |
342 | | void update(const uint8_t msg_part[], size_t length); |
343 | | |
344 | | /** |
345 | | * Add a message part of the message corresponding to the |
346 | | * signature to be verified. |
347 | | * @param in the new message part |
348 | | */ |
349 | 0 | void update(std::span<const uint8_t> in) { update(in.data(), in.size()); } |
350 | | |
351 | | /** |
352 | | * Add a message part of the message corresponding to the |
353 | | * signature to be verified. |
354 | | */ |
355 | | void update(std::string_view in); |
356 | | |
357 | | /** |
358 | | * Check the signature of the buffered message, i.e. the one build |
359 | | * by successive calls to update. |
360 | | * @param sig the signature to be verified as a byte array |
361 | | * @param length the length of the above byte array |
362 | | * @return true if the signature is valid, false otherwise |
363 | | */ |
364 | | bool check_signature(const uint8_t sig[], size_t length); |
365 | | |
366 | | /** |
367 | | * Check the signature of the buffered message, i.e. the one build |
368 | | * by successive calls to update. |
369 | | * @param sig the signature to be verified |
370 | | * @return true if the signature is valid, false otherwise |
371 | | */ |
372 | 0 | bool check_signature(std::span<const uint8_t> sig) { return check_signature(sig.data(), sig.size()); } |
373 | | |
374 | | /** |
375 | | * Set the format of the signatures fed to this verifier. |
376 | | * @param format the signature format to use |
377 | | */ |
378 | | BOTAN_DEPRECATED("Provide Signature_Format to the constructor") void set_input_format(Signature_Format format); |
379 | | |
380 | | /** |
381 | | * Return the hash function which is being used to verify signatures. |
382 | | * This should never return an empty string however it may return a string |
383 | | * which does not map directly to a hash function, in particular if "Raw" |
384 | | * (unhashed) encoding is being used. |
385 | | */ |
386 | | std::string hash_function() const; |
387 | | |
388 | | private: |
389 | | std::unique_ptr<PK_Ops::Verification> m_op; |
390 | | Signature_Format m_sig_format; |
391 | | std::optional<size_t> m_sig_element_size; |
392 | | }; |
393 | | |
394 | | /** |
395 | | * Object used for key agreement |
396 | | */ |
397 | | class BOTAN_PUBLIC_API(2, 0) PK_Key_Agreement final { |
398 | | public: |
399 | | /** |
400 | | * Construct a PK Key Agreement. |
401 | | * @param key the key to use |
402 | | * @param rng the random generator to use |
403 | | * @param kdf name of the KDF to use (or 'Raw' for no KDF) |
404 | | * @param provider the algo provider to use (or empty for default) |
405 | | */ |
406 | | PK_Key_Agreement(const Private_Key& key, |
407 | | RandomNumberGenerator& rng, |
408 | | std::string_view kdf, |
409 | | std::string_view provider = ""); |
410 | | |
411 | | ~PK_Key_Agreement(); |
412 | | |
413 | | PK_Key_Agreement(const PK_Key_Agreement&) = delete; |
414 | | PK_Key_Agreement& operator=(const PK_Key_Agreement&) = delete; |
415 | | |
416 | | PK_Key_Agreement(PK_Key_Agreement&&) noexcept; |
417 | | PK_Key_Agreement& operator=(PK_Key_Agreement&&) noexcept; |
418 | | |
419 | | /** |
420 | | * Perform Key Agreement Operation |
421 | | * @param key_len the desired key output size (ignored if "Raw" KDF is used) |
422 | | * @param peer_key the other parties key |
423 | | * @param salt extra derivation salt |
424 | | */ |
425 | | SymmetricKey derive_key(size_t key_len, std::span<const uint8_t> peer_key, std::span<const uint8_t> salt) const; |
426 | | |
427 | | /** |
428 | | * Perform Key Agreement Operation |
429 | | * @param key_len the desired key output size (ignored if "Raw" KDF is used) |
430 | | * @param peer_key the other parties key |
431 | | * @param peer_key_len the length of peer_key in bytes |
432 | | * @param salt extra derivation salt |
433 | | * @param salt_len the length of salt in bytes |
434 | | */ |
435 | | SymmetricKey derive_key( |
436 | 0 | size_t key_len, const uint8_t peer_key[], size_t peer_key_len, const uint8_t salt[], size_t salt_len) const { |
437 | 0 | return this->derive_key(key_len, {peer_key, peer_key_len}, {salt, salt_len}); |
438 | 0 | } |
439 | | |
440 | | /** |
441 | | * Perform Key Agreement Operation |
442 | | * @param key_len the desired key output size (ignored if "Raw" KDF is used) |
443 | | * @param peer_key the other parties key |
444 | | * @param salt extra derivation salt |
445 | | * @param salt_len the length of salt in bytes |
446 | | */ |
447 | | SymmetricKey derive_key(size_t key_len, |
448 | | std::span<const uint8_t> peer_key, |
449 | | const uint8_t salt[], |
450 | 0 | size_t salt_len) const { |
451 | 0 | return derive_key(key_len, peer_key.data(), peer_key.size(), salt, salt_len); |
452 | 0 | } |
453 | | |
454 | | /** |
455 | | * Perform Key Agreement Operation |
456 | | * @param key_len the desired key output size (ignored if "Raw" KDF is used) |
457 | | * @param peer_key the other parties key |
458 | | * @param peer_key_len the length of peer_key in bytes |
459 | | * @param salt extra derivation info |
460 | | */ |
461 | | SymmetricKey derive_key(size_t key_len, |
462 | | const uint8_t peer_key[], |
463 | | size_t peer_key_len, |
464 | | std::string_view salt = "") const; |
465 | | |
466 | | /** |
467 | | * Perform Key Agreement Operation |
468 | | * @param key_len the desired key output size (ignored if "Raw" KDF is used) |
469 | | * @param peer_key the other parties key |
470 | | * @param salt extra derivation info |
471 | | */ |
472 | | SymmetricKey derive_key(size_t key_len, std::span<const uint8_t> peer_key, std::string_view salt = "") const; |
473 | | |
474 | | /** |
475 | | * Return the underlying size of the value that is agreed. |
476 | | * If derive_key is called with a length of 0 with a "Raw" |
477 | | * KDF, it will return a value of this size. |
478 | | */ |
479 | | size_t agreed_value_size() const; |
480 | | |
481 | | private: |
482 | | std::unique_ptr<PK_Ops::Key_Agreement> m_op; |
483 | | }; |
484 | | |
485 | | /** |
486 | | * Encryption using a standard message recovery algorithm like RSA or |
487 | | * ElGamal, paired with an encoding scheme like OAEP. |
488 | | */ |
489 | | class BOTAN_PUBLIC_API(2, 0) PK_Encryptor_EME final : public PK_Encryptor { |
490 | | public: |
491 | | size_t maximum_input_size() const override; |
492 | | |
493 | | /** |
494 | | * Construct an instance. |
495 | | * @param key the key to use inside the encryptor |
496 | | * @param rng the RNG to use |
497 | | * @param padding the message encoding scheme to use (eg "OAEP(SHA-256)") |
498 | | * @param provider the provider to use |
499 | | */ |
500 | | PK_Encryptor_EME(const Public_Key& key, |
501 | | RandomNumberGenerator& rng, |
502 | | std::string_view padding, |
503 | | std::string_view provider = ""); |
504 | | |
505 | | ~PK_Encryptor_EME() override; |
506 | | |
507 | | PK_Encryptor_EME(const PK_Encryptor_EME&) = delete; |
508 | | PK_Encryptor_EME& operator=(const PK_Encryptor_EME&) = delete; |
509 | | |
510 | | PK_Encryptor_EME(PK_Encryptor_EME&&) noexcept; |
511 | | PK_Encryptor_EME& operator=(PK_Encryptor_EME&&) noexcept; |
512 | | |
513 | | /** |
514 | | * Return an upper bound on the ciphertext length for a particular |
515 | | * plaintext input length |
516 | | */ |
517 | | size_t ciphertext_length(size_t ptext_len) const override; |
518 | | |
519 | | private: |
520 | | std::vector<uint8_t> enc(const uint8_t ptext[], size_t len, RandomNumberGenerator& rng) const override; |
521 | | |
522 | | std::unique_ptr<PK_Ops::Encryption> m_op; |
523 | | }; |
524 | | |
525 | | /** |
526 | | * Decryption with an MR algorithm and an EME. |
527 | | */ |
528 | | class BOTAN_PUBLIC_API(2, 0) PK_Decryptor_EME final : public PK_Decryptor { |
529 | | public: |
530 | | /** |
531 | | * Construct an instance. |
532 | | * @param key the key to use inside the decryptor |
533 | | * @param rng the random generator to use |
534 | | * @param eme the EME to use |
535 | | * @param provider the provider to use |
536 | | */ |
537 | | PK_Decryptor_EME(const Private_Key& key, |
538 | | RandomNumberGenerator& rng, |
539 | | std::string_view eme, |
540 | | std::string_view provider = ""); |
541 | | |
542 | | size_t plaintext_length(size_t ptext_len) const override; |
543 | | |
544 | | ~PK_Decryptor_EME() override; |
545 | | |
546 | | PK_Decryptor_EME(const PK_Decryptor_EME&) = delete; |
547 | | PK_Decryptor_EME& operator=(const PK_Decryptor_EME&) = delete; |
548 | | |
549 | | PK_Decryptor_EME(PK_Decryptor_EME&&) noexcept; |
550 | | PK_Decryptor_EME& operator=(PK_Decryptor_EME&&) noexcept; |
551 | | |
552 | | private: |
553 | | secure_vector<uint8_t> do_decrypt(uint8_t& valid_mask, const uint8_t in[], size_t in_len) const override; |
554 | | |
555 | | std::unique_ptr<PK_Ops::Decryption> m_op; |
556 | | }; |
557 | | |
558 | | /** |
559 | | * Result of a key encapsulation operation. |
560 | | */ |
561 | | class KEM_Encapsulation final { |
562 | | public: |
563 | | KEM_Encapsulation(std::vector<uint8_t> encapsulated_shared_key, secure_vector<uint8_t> shared_key) : |
564 | 0 | m_encapsulated_shared_key(std::move(encapsulated_shared_key)), m_shared_key(std::move(shared_key)) {} |
565 | | |
566 | | /** |
567 | | * @returns the encapsulated shared secret (encrypted with the public key) |
568 | | */ |
569 | 0 | const std::vector<uint8_t>& encapsulated_shared_key() const { return m_encapsulated_shared_key; } |
570 | | |
571 | | /** |
572 | | * @returns the plaintext shared secret |
573 | | */ |
574 | 0 | const secure_vector<uint8_t>& shared_key() const { return m_shared_key; } |
575 | | |
576 | | /** |
577 | | * @returns the pair (encapsulated key, key) extracted from @p kem |
578 | | */ |
579 | | static std::pair<std::vector<uint8_t>, secure_vector<uint8_t>> destructure( |
580 | 0 | KEM_Encapsulation&& kem) /* NOLINT(*param-not-moved*) */ { |
581 | 0 | return std::make_pair(std::exchange(kem.m_encapsulated_shared_key, {}), std::exchange(kem.m_shared_key, {})); |
582 | 0 | } |
583 | | |
584 | | private: |
585 | | friend class PK_KEM_Encryptor; |
586 | | |
587 | | KEM_Encapsulation(size_t encapsulated_size, size_t shared_key_size) : |
588 | 0 | m_encapsulated_shared_key(encapsulated_size), m_shared_key(shared_key_size) {} |
589 | | |
590 | | private: |
591 | | std::vector<uint8_t> m_encapsulated_shared_key; |
592 | | secure_vector<uint8_t> m_shared_key; |
593 | | }; |
594 | | |
595 | | /** |
596 | | * Public Key Key Encapsulation Mechanism Encryption. |
597 | | */ |
598 | | class BOTAN_PUBLIC_API(2, 0) PK_KEM_Encryptor final { |
599 | | public: |
600 | | /** |
601 | | * Construct an instance. |
602 | | * @param key the key to encrypt to |
603 | | * @param kem_param additional KEM parameters |
604 | | * @param provider the provider to use |
605 | | */ |
606 | | BOTAN_FUTURE_EXPLICIT PK_KEM_Encryptor(const Public_Key& key, |
607 | | std::string_view kem_param = "", |
608 | | std::string_view provider = ""); |
609 | | |
610 | | /** |
611 | | * Construct an instance. |
612 | | * @param key the key to encrypt to |
613 | | * @param rng the RNG to use |
614 | | * @param kem_param additional KEM parameters |
615 | | * @param provider the provider to use |
616 | | */ |
617 | | BOTAN_DEPRECATED("Use constructor that does not take RNG") |
618 | | PK_KEM_Encryptor(const Public_Key& key, |
619 | | RandomNumberGenerator& rng, |
620 | | std::string_view kem_param = "", |
621 | | std::string_view provider = ""); |
622 | | |
623 | | ~PK_KEM_Encryptor(); |
624 | | |
625 | | PK_KEM_Encryptor(const PK_KEM_Encryptor&) = delete; |
626 | | PK_KEM_Encryptor& operator=(const PK_KEM_Encryptor&) = delete; |
627 | | |
628 | | PK_KEM_Encryptor(PK_KEM_Encryptor&&) noexcept; |
629 | | PK_KEM_Encryptor& operator=(PK_KEM_Encryptor&&) noexcept; |
630 | | |
631 | | /** |
632 | | * Return the length of the shared key returned by this KEM |
633 | | * |
634 | | * If this KEM was used with a KDF, then it will always return |
635 | | * exactly the desired key length, because the output of the KEM |
636 | | * will be hashed by the KDF. |
637 | | * |
638 | | * However if the KEM was used with "Raw" kdf, to request the |
639 | | * algorithmic output of the KEM directly, then the desired key |
640 | | * length will be ignored and a bytestring that depends on the |
641 | | * algorithm is returned |
642 | | * |
643 | | * @param desired_shared_key_len is the requested length |
644 | | */ |
645 | | size_t shared_key_length(size_t desired_shared_key_len) const; |
646 | | |
647 | | /** |
648 | | * Return the length in bytes of encapsulated keys returned by this KEM |
649 | | */ |
650 | | size_t encapsulated_key_length() const; |
651 | | |
652 | | /** |
653 | | * Generate a shared key for data encryption. |
654 | | * |
655 | | * @param rng the RNG to use |
656 | | * @param desired_shared_key_len desired size of the shared key in bytes for the KDF |
657 | | * (ignored if no KDF is used) |
658 | | * @param salt a salt value used in the KDF |
659 | | * (ignored if no KDF is used) |
660 | | * |
661 | | * @returns a struct with both the shared secret and its encapsulation |
662 | | */ |
663 | | KEM_Encapsulation encrypt(RandomNumberGenerator& rng, |
664 | | size_t desired_shared_key_len = 32, |
665 | 0 | std::span<const uint8_t> salt = {}) { |
666 | 0 | std::vector<uint8_t> encapsulated_shared_key(encapsulated_key_length()); |
667 | 0 | secure_vector<uint8_t> shared_key(shared_key_length(desired_shared_key_len)); |
668 | 0 |
|
669 | 0 | encrypt(std::span{encapsulated_shared_key}, std::span{shared_key}, rng, desired_shared_key_len, salt); |
670 | 0 | return KEM_Encapsulation(std::move(encapsulated_shared_key), std::move(shared_key)); |
671 | 0 | } |
672 | | |
673 | | /** |
674 | | * Generate a shared key for data encryption. |
675 | | * @param out_encapsulated_key the generated encapsulated key |
676 | | * @param out_shared_key the generated shared key |
677 | | * @param rng the RNG to use |
678 | | * @param desired_shared_key_len desired size of the shared key in bytes |
679 | | * (ignored if no KDF is used) |
680 | | * @param salt a salt value used in the KDF |
681 | | * (ignored if no KDF is used) |
682 | | */ |
683 | | void encrypt(secure_vector<uint8_t>& out_encapsulated_key, |
684 | | secure_vector<uint8_t>& out_shared_key, |
685 | | RandomNumberGenerator& rng, |
686 | | size_t desired_shared_key_len = 32, |
687 | 0 | std::span<const uint8_t> salt = {}) { |
688 | 0 | out_encapsulated_key.resize(encapsulated_key_length()); |
689 | 0 | out_shared_key.resize(shared_key_length(desired_shared_key_len)); |
690 | 0 | encrypt(std::span{out_encapsulated_key}, std::span{out_shared_key}, rng, desired_shared_key_len, salt); |
691 | 0 | } |
692 | | |
693 | | /** |
694 | | * Generate a shared key for data encryption. |
695 | | * @param out_encapsulated_key the generated encapsulated key |
696 | | * @param out_shared_key the generated shared key |
697 | | * @param rng the RNG to use |
698 | | * @param desired_shared_key_len desired size of the shared key in bytes |
699 | | * (ignored if no KDF is used) |
700 | | * @param salt a salt value used in the KDF |
701 | | * (ignored if no KDF is used) |
702 | | */ |
703 | | void encrypt(std::span<uint8_t> out_encapsulated_key, |
704 | | std::span<uint8_t> out_shared_key, |
705 | | RandomNumberGenerator& rng, |
706 | | size_t desired_shared_key_len = 32, |
707 | | std::span<const uint8_t> salt = {}); |
708 | | |
709 | | BOTAN_DEPRECATED("use overload with salt as std::span<>") |
710 | | void encrypt(secure_vector<uint8_t>& out_encapsulated_key, |
711 | | secure_vector<uint8_t>& out_shared_key, |
712 | | size_t desired_shared_key_len, |
713 | | RandomNumberGenerator& rng, |
714 | | const uint8_t salt[], |
715 | 0 | size_t salt_len) { |
716 | 0 | this->encrypt(out_encapsulated_key, out_shared_key, rng, desired_shared_key_len, {salt, salt_len}); |
717 | 0 | } |
718 | | |
719 | | BOTAN_DEPRECATED("use overload where rng comes after the out-paramters") |
720 | | void encrypt(secure_vector<uint8_t>& out_encapsulated_key, |
721 | | secure_vector<uint8_t>& out_shared_key, |
722 | | size_t desired_shared_key_len, |
723 | | RandomNumberGenerator& rng, |
724 | 0 | std::span<const uint8_t> salt = {}) { |
725 | 0 | out_encapsulated_key.resize(encapsulated_key_length()); |
726 | 0 | out_shared_key.resize(shared_key_length(desired_shared_key_len)); |
727 | 0 | encrypt(out_encapsulated_key, out_shared_key, rng, desired_shared_key_len, salt); |
728 | 0 | } |
729 | | |
730 | | private: |
731 | | std::unique_ptr<PK_Ops::KEM_Encryption> m_op; |
732 | | }; |
733 | | |
734 | | /** |
735 | | * Public Key Key Encapsulation Mechanism Decryption. |
736 | | */ |
737 | | class BOTAN_PUBLIC_API(2, 0) PK_KEM_Decryptor final { |
738 | | public: |
739 | | /** |
740 | | * Construct an instance. |
741 | | * @param key the key to use inside the decryptor |
742 | | * @param rng the RNG to use |
743 | | * @param kem_param additional KEM parameters |
744 | | * @param provider the provider to use |
745 | | */ |
746 | | PK_KEM_Decryptor(const Private_Key& key, |
747 | | RandomNumberGenerator& rng, |
748 | | std::string_view kem_param = "", |
749 | | std::string_view provider = ""); |
750 | | |
751 | | ~PK_KEM_Decryptor(); |
752 | | PK_KEM_Decryptor(const PK_KEM_Decryptor&) = delete; |
753 | | PK_KEM_Decryptor& operator=(const PK_KEM_Decryptor&) = delete; |
754 | | |
755 | | PK_KEM_Decryptor(PK_KEM_Decryptor&&) noexcept; |
756 | | PK_KEM_Decryptor& operator=(PK_KEM_Decryptor&&) noexcept; |
757 | | |
758 | | /** |
759 | | * Return the length of the shared key returned by this KEM |
760 | | * |
761 | | * If this KEM was used with a KDF, then it will always return |
762 | | * exactly the desired key length, because the output of the KEM |
763 | | * will be hashed by the KDF. |
764 | | * |
765 | | * However if the KEM was used with "Raw" kdf, to request the |
766 | | * algorithmic output of the KEM directly, then the desired key |
767 | | * length will be ignored and a bytestring that depends on the |
768 | | * algorithm is returned |
769 | | * |
770 | | * @param desired_shared_key_len is the requested length. |
771 | | */ |
772 | | size_t shared_key_length(size_t desired_shared_key_len) const; |
773 | | |
774 | | /** |
775 | | * Return the length of the encapsulated key expected by this KEM |
776 | | */ |
777 | | size_t encapsulated_key_length() const; |
778 | | |
779 | | /** |
780 | | * Decrypts the shared key for data encryption. |
781 | | * |
782 | | * @param out_shared_key the generated shared key |
783 | | * @param encap_key the encapsulated key |
784 | | * @param desired_shared_key_len desired size of the shared key in bytes |
785 | | * (ignored if no KDF is used) |
786 | | * @param salt a salt value used in the KDF |
787 | | * (ignored if no KDF is used) |
788 | | */ |
789 | | void decrypt(std::span<uint8_t> out_shared_key, |
790 | | std::span<const uint8_t> encap_key, |
791 | | size_t desired_shared_key_len = 32, |
792 | | std::span<const uint8_t> salt = {}); |
793 | | |
794 | | /** |
795 | | * Decrypts the shared key for data encryption. |
796 | | * |
797 | | * @param encap_key the encapsulated key |
798 | | * @param encap_key_len size of the encapsulated key in bytes |
799 | | * @param desired_shared_key_len desired size of the shared key in bytes |
800 | | * (ignored if no KDF is used) |
801 | | * @param salt a salt value used in the KDF |
802 | | * (ignored if no KDF is used) |
803 | | * @param salt_len size of the salt value in bytes |
804 | | * (ignored if no KDF is used) |
805 | | * |
806 | | * @return the shared data encryption key |
807 | | */ |
808 | | secure_vector<uint8_t> decrypt(const uint8_t encap_key[], |
809 | | size_t encap_key_len, |
810 | | size_t desired_shared_key_len, |
811 | | const uint8_t salt[] = nullptr, |
812 | 0 | size_t salt_len = 0) { |
813 | 0 | secure_vector<uint8_t> shared_key(shared_key_length(desired_shared_key_len)); |
814 | 0 | decrypt(shared_key, {encap_key, encap_key_len}, desired_shared_key_len, {salt, salt_len}); |
815 | 0 | return shared_key; |
816 | 0 | } |
817 | | |
818 | | /** |
819 | | * Decrypts the shared key for data encryption. |
820 | | * |
821 | | * @param encap_key the encapsulated key |
822 | | * @param desired_shared_key_len desired size of the shared key in bytes |
823 | | * (ignored if no KDF is used) |
824 | | * @param salt a salt value used in the KDF |
825 | | * (ignored if no KDF is used) |
826 | | * |
827 | | * @return the shared data encryption key |
828 | | */ |
829 | | secure_vector<uint8_t> decrypt(std::span<const uint8_t> encap_key, |
830 | | size_t desired_shared_key_len = 32, |
831 | 0 | std::span<const uint8_t> salt = {}) { |
832 | 0 | secure_vector<uint8_t> shared_key(shared_key_length(desired_shared_key_len)); |
833 | 0 | decrypt(shared_key, encap_key, desired_shared_key_len, salt); |
834 | 0 | return shared_key; |
835 | 0 | } |
836 | | |
837 | | private: |
838 | | std::unique_ptr<PK_Ops::KEM_Decryption> m_op; |
839 | | }; |
840 | | |
841 | | } // namespace Botan |
842 | | |
843 | | #endif |