Merge GH #2446 Further cleanup of XMSS headers

1 files changed, 448 insertions, 14 deletions

diff --git a/src/lib/pubkey/xmss/xmss.h b/src/lib/pubkey/xmss/xmss.h
index 42b825f8f..529bbe3bc 100644
--- a/src/lib/pubkey/xmss/xmss.h
+++ b/src/lib/pubkey/xmss/xmss.h
@@ -1,26 +1,460 @@
+/*
+ * XMSS Keys
+ * (C) 2016,2017 Matthias Gierlings
+ * (C) 2019 René Korthaus, Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_XMSS_H_
+#define BOTAN_XMSS_H_
+
+#include <botan/pk_keys.h>
+#include <botan/exceptn.h>
+#include <botan/xmss_parameters.h>
+#include <botan/xmss_wots_parameters.h>
+#include <botan/xmss_wots_privatekey.h>
+
+namespace Botan {
+
+class RandomNumberGenerator;
+class XMSS_Verification_Operation;
+
 /**
- * @file xmss.h
- * Includes headers required for Extended Hash-Based Signatures (XMSS)
- * as described in [1]. @see Botan::XMSS_PublicKey and @see
- * Botan::XMSS_PrivateKey for further
- * details.
+ * An XMSS: Extended Hash-Based Signature public key.
  *
- * <pre>
  * [1] XMSS: Extended Hash-Based Signatures,
  *     Request for Comments: 8391
  *     Release: May 2018.
  *     https://datatracker.ietf.org/doc/rfc8391/
- * </pre>
- *
- * (C) 2016,2017,2018 Matthias Gierlings
+ **/
+class BOTAN_PUBLIC_API(2,0) XMSS_PublicKey : public virtual Public_Key
+   {
+   public:
+      /**
+       * Creates a new XMSS public key for the chosen XMSS signature method.
+       * New public and prf seeds are generated using rng. The appropriate WOTS
+       * signature method will be automatically set based on the chosen XMSS
+       * signature method.
+       *
+       * @param xmss_oid Identifier for the selected XMSS signature method.
+       * @param rng A random number generator to use for key generation.
+       **/
+      XMSS_PublicKey(XMSS_Parameters::xmss_algorithm_t xmss_oid,
+                     RandomNumberGenerator& rng);
+
+      /**
+       * Loads a public key.
+       *
+       * Public key must be encoded as in RFC
+       * draft-vangeest-x509-hash-sigs-03.
+       *
+       * @param key_bits DER encoded public key bits
+       */
+      XMSS_PublicKey(const std::vector<uint8_t>& key_bits);
+
+      /**
+       * Creates a new XMSS public key for a chosen XMSS signature method as
+       * well as pre-computed root node and public_seed values.
+       *
+       * @param xmss_oid Identifier for the selected XMSS signature method.
+       * @param root Root node value.
+       * @param public_seed Public seed value.
+       **/
+      XMSS_PublicKey(XMSS_Parameters::xmss_algorithm_t xmss_oid,
+                     const secure_vector<uint8_t>& root,
+                     const secure_vector<uint8_t>& public_seed)
+         : m_xmss_params(xmss_oid), m_wots_params(m_xmss_params.ots_oid()),
+           m_root(root), m_public_seed(public_seed) {}
+
+      /**
+       * Creates a new XMSS public key for a chosen XMSS signature method as
+       * well as pre-computed root node and public_seed values.
+       *
+       * @param xmss_oid Identifier for the selected XMSS signature method.
+       * @param root Root node value.
+       * @param public_seed Public seed value.
+       **/
+      XMSS_PublicKey(XMSS_Parameters::xmss_algorithm_t xmss_oid,
+                     secure_vector<uint8_t>&& root,
+                     secure_vector<uint8_t>&& public_seed)
+         : m_xmss_params(xmss_oid), m_wots_params(m_xmss_params.ots_oid()),
+           m_root(std::move(root)), m_public_seed(std::move(public_seed)) {}
+
+      /**
+       * Retrieves the chosen XMSS signature method.
+       *
+       * @return XMSS signature method identifier.
+       **/
+      XMSS_Parameters::xmss_algorithm_t xmss_oid() const
+         {
+         return m_xmss_params.oid();
+         }
+
+      /**
+       * Sets the chosen XMSS signature method
+       **/
+      void set_xmss_oid(XMSS_Parameters::xmss_algorithm_t xmss_oid)
+         {
+         m_xmss_params = XMSS_Parameters(xmss_oid);
+         m_wots_params = XMSS_WOTS_Parameters(m_xmss_params.ots_oid());
+         }
+
+      /**
+       * Retrieves the XMSS parameters determined by the chosen XMSS Signature
+       * method.
+       *
+       * @return XMSS parameters.
+       **/
+      const XMSS_Parameters& xmss_parameters() const
+         {
+         return m_xmss_params;
+         }
+
+      /**
+       * Retrieves the XMSS parameters determined by the chosen XMSS Signature
+       * method.
+       *
+       * @return XMSS parameters.
+       **/
+      std::string xmss_hash_function() const
+         {
+         return m_xmss_params.hash_function_name();
+         }
+
+      /**
+       * Retrieves the Winternitz One Time Signature (WOTS) method,
+       * corresponding to the chosen XMSS signature method.
+       *
+       * @return XMSS WOTS signature method identifier.
+       **/
+      XMSS_WOTS_Parameters::ots_algorithm_t wots_oid() const
+         {
+         return m_wots_params.oid();
+         }
+
+      /**
+       * Retrieves the Winternitz One Time Signature (WOTS) parameters
+       * corresponding to the chosen XMSS signature method.
+       *
+       * @return XMSS WOTS signature method parameters.
+       **/
+      const XMSS_WOTS_Parameters& wots_parameters() const
+         {
+         return m_wots_params;
+         }
+
+      secure_vector<uint8_t>& root()
+         {
+         return m_root;
+         }
+
+      void set_root(const secure_vector<uint8_t>& root)
+         {
+         m_root = root;
+         }
+
+      void set_root(secure_vector<uint8_t>&& root)
+         {
+         m_root = std::move(root);
+         }
+
+      const secure_vector<uint8_t>& root() const
+         {
+         return m_root;
+         }
+
+      virtual secure_vector<uint8_t>& public_seed()
+         {
+         return m_public_seed;
+         }
+
+      virtual void set_public_seed(const secure_vector<uint8_t>& public_seed)
+         {
+         m_public_seed = public_seed;
+         }
+
+      virtual void set_public_seed(secure_vector<uint8_t>&& public_seed)
+         {
+         m_public_seed = std::move(public_seed);
+         }
+
+      virtual const secure_vector<uint8_t>& public_seed() const
+         {
+         return m_public_seed;
+         }
+
+      std::string algo_name() const override
+         {
+         return "XMSS";
+         }
+
+      AlgorithmIdentifier algorithm_identifier() const override
+         {
+         return AlgorithmIdentifier(get_oid(), AlgorithmIdentifier::USE_EMPTY_PARAM);
+         }
+
+      bool check_key(RandomNumberGenerator&, bool) const override
+         {
+         return true;
+         }
+
+      std::unique_ptr<PK_Ops::Verification>
+      create_verification_op(const std::string&,
+                             const std::string& provider) const override;
+
+      size_t estimated_strength() const override
+         {
+         return m_xmss_params.estimated_strength();
+         }
+
+      size_t key_length() const override
+         {
+         return m_xmss_params.estimated_strength();
+         }
+
+      /**
+       * Returns the encoded public key as defined in RFC
+       * draft-vangeest-x509-hash-sigs-03.
+       *
+       * @return encoded public key bits
+       **/
+      std::vector<uint8_t> public_key_bits() const override;
+
+      /**
+       * Size in bytes of the serialized XMSS public key produced by
+       * raw_public_key().
+       *
+       * @return size in bytes of serialized Public Key.
+       **/
+      virtual size_t size() const
+         {
+         return sizeof(uint32_t) + 2 * m_xmss_params.element_size();
+         }
+
+      /**
+       * Generates a byte sequence representing the XMSS
+       * public key, as defined in [1] (p. 23, "XMSS Public Key")
+       *
+       * @return 4-byte OID, followed by n-byte root node, followed by
+       *         public seed.
+       **/
+      virtual std::vector<uint8_t> raw_public_key() const;
+
+   protected:
+      std::vector<uint8_t> m_raw_key;
+      XMSS_Parameters m_xmss_params;
+      XMSS_WOTS_Parameters m_wots_params;
+      secure_vector<uint8_t> m_root;
+      secure_vector<uint8_t> m_public_seed;
+
+   private:
+      XMSS_Parameters::xmss_algorithm_t deserialize_xmss_oid(
+         const std::vector<uint8_t>& raw_key);
+   };
+
+template<typename> class Atomic;
+
+class XMSS_Index_Registry;
+
+/**
+ * An XMSS: Extended Hash-Based Signature private key.
+ * The XMSS private key does not support the X509 and PKCS7 standard. Instead
+ * the raw format described in [1] is used.
  *
- * Botan is released under the Simplified BSD License (see license.txt)
+ * [1] XMSS: Extended Hash-Based Signatures,
+ *     Request for Comments: 8391
+ *     Release: May 2018.
+ *     https://datatracker.ietf.org/doc/rfc8391/
  **/
+class BOTAN_PUBLIC_API(2,0) XMSS_PrivateKey final : public virtual XMSS_PublicKey,
+   public virtual Private_Key
+   {
+   public:
+      /**
+      * Creates a new XMSS private key for the chosen XMSS signature method.
+      * New seeds for public/private key and pseudo random function input are
+      * generated using the provided RNG. The appropriate WOTS signature method
+      * will be automatically set based on the chosen XMSS signature method.
+      *
+      * @param xmss_algo_id Identifier for the selected XMSS signature method.
+      * @param rng A random number generator to use for key generation.
+      **/
+      XMSS_PrivateKey(XMSS_Parameters::xmss_algorithm_t xmss_algo_id,
+                      RandomNumberGenerator& rng);
 
-#ifndef BOTAN_XMSS_H_
-#define BOTAN_XMSS_H_
+      /**
+       * Creates an XMSS_PrivateKey from a byte sequence produced by
+       * raw_private_key().
+       *
+       * @param raw_key An XMSS private key serialized using raw_private_key().
+       **/
+      XMSS_PrivateKey(const secure_vector<uint8_t>& raw_key);
+
+      /**
+       * Creates a new XMSS private key for the chosen XMSS signature method
+       * using precomputed seeds for public/private keys and pseudo random
+       * function input. The appropriate WOTS signature method will be
+       * automatically set, based on the chosen XMSS signature method.
+       *
+       * @param xmss_algo_id Identifier for the selected XMSS signature method.
+       * @param idx_leaf Index of the next unused leaf.
+       * @param wots_priv_seed A seed to generate a Winternitz-One-Time-
+       *                      Signature private key from.
+       * @param prf a secret n-byte key sourced from a secure source
+       *        of uniformly random data.
+       * @param root Root node of the binary hash tree.
+       * @param public_seed The public seed.
+       **/
+      XMSS_PrivateKey(XMSS_Parameters::xmss_algorithm_t xmss_algo_id,
+                      size_t idx_leaf,
+                      const secure_vector<uint8_t>& wots_priv_seed,
+                      const secure_vector<uint8_t>& prf,
+                      const secure_vector<uint8_t>& root,
+                      const secure_vector<uint8_t>& public_seed);
+
+      bool stateful_operation() const override { return true; }
+
+      /**
+       * Retrieves the last unused leaf index of the private key. Reusing a leaf
+       * by utilizing leaf indices lower than the last unused leaf index will
+       * compromise security.
+       *
+       * @return Index of the last unused leaf.
+       **/
+      size_t unused_leaf_index() const;
+
+      /**
+       * Sets the last unused leaf index of the private key. The leaf index
+       * will be updated automatically during every signing operation, and
+       * should not be set manually.
+       *
+       * @param idx Index of the last unused leaf.
+       **/
+      void set_unused_leaf_index(size_t idx);
+
+      size_t reserve_unused_leaf_index();
+
+      /**
+       * Winternitz One Time Signature Scheme key utilized for signing
+       * operations.
+       *
+       * @return WOTS+ private key.
+       **/
+      const XMSS_WOTS_PrivateKey& wots_private_key() const
+         {
+         return m_wots_priv_key;
+         }
+
+      /**
+       * Winternitz One Time Signature Scheme key utilized for signing
+       * operations.
+       *
+       * @return WOTS+ private key.
+       **/
+      XMSS_WOTS_PrivateKey& wots_private_key()
+         {
+         return m_wots_priv_key;
+         }
+
+      const secure_vector<uint8_t>& prf() const
+         {
+         return m_prf;
+         }
+
+      secure_vector<uint8_t>& prf()
+         {
+         return m_prf;
+         }
+
+      void set_public_seed(
+         const secure_vector<uint8_t>& public_seed) override
+         {
+         m_public_seed = public_seed;
+         m_wots_priv_key.set_public_seed(public_seed);
+         }
+
+      void set_public_seed(secure_vector<uint8_t>&& public_seed) override
+         {
+         m_public_seed = std::move(public_seed);
+         m_wots_priv_key.set_public_seed(m_public_seed);
+         }
+
+      const secure_vector<uint8_t>& public_seed() const override
+         {
+         return m_public_seed;
+         }
+
+      std::unique_ptr<PK_Ops::Signature>
+      create_signature_op(RandomNumberGenerator&,
+                          const std::string&,
+                          const std::string& provider) const override;
+
+      secure_vector<uint8_t> private_key_bits() const override;
+
+      size_t size() const override
+         {
+         return XMSS_PublicKey::size() +
+                sizeof(uint32_t) +
+                2 * XMSS_PublicKey::m_xmss_params.element_size();
+         }
+
+      /**
+       * Generates a non standartized byte sequence representing the XMSS
+       * private key.
+       *
+       * @return byte sequence consisting of the following elements in order:
+       *         4-byte OID, n-byte root node, n-byte public seed,
+       *         8-byte unused leaf index, n-byte prf seed, n-byte private seed.
+       **/
+      secure_vector<uint8_t> raw_private_key() const;
+      /**
+       * Algorithm 9: "treeHash"
+       * Computes the internal n-byte nodes of a Merkle tree.
+       *
+       * @param start_idx The start index.
+       * @param target_node_height Height of the target node.
+       * @param adrs Address of the tree containing the target node.
+       *
+       * @return The root node of a tree of height target_node height with the
+       *         leftmost leaf being the hash of the WOTS+ pk with index
+       *         start_idx.
+       **/
+      secure_vector<uint8_t> tree_hash(
+         size_t start_idx,
+         size_t target_node_height,
+         XMSS_Address& adrs);
+
+   private:
+      /**
+       * Fetches shared unused leaf index from the index registry
+       **/
+      std::shared_ptr<Atomic<size_t>> recover_global_leaf_index() const;
+
+      inline void tree_hash_subtree(secure_vector<uint8_t>& result,
+                                    size_t start_idx,
+                                    size_t target_node_height,
+                                    XMSS_Address& adrs)
+         {
+         return tree_hash_subtree(result, start_idx, target_node_height, adrs, m_hash);
+         }
+
+
+      /**
+       * Helper for multithreaded tree hashing.
+       */
+      void tree_hash_subtree(secure_vector<uint8_t>& result,
+                             size_t start_idx,
+                             size_t target_node_height,
+                             XMSS_Address& adrs,
+                             XMSS_Hash& hash);
+
+      XMSS_WOTS_PrivateKey m_wots_priv_key;
+      XMSS_Hash m_hash;
+      secure_vector<uint8_t> m_prf;
+      XMSS_Index_Registry& m_index_reg;
+   };
 
-#include <botan/xmss_publickey.h>
-#include <botan/xmss_privatekey.h>
+}
 
 #endif