aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-06-20 01:23:34 -0400
committerJack Lloyd <[email protected]>2016-06-20 01:37:01 -0400
commit9a6621f473de4d2a49ed47e9a3db7cbf574b9236 (patch)
treec2f025bd0179d6568a3e46b1713c2dbf69629067 /src/lib/pubkey
parent17741e56503bf538b5cceb29269c1f4981f649fb (diff)
parent70a61c082408a22b516fbe0f3a81441c6c5f165e (diff)
Merge GH #504 Add ECKCDSA
Diffstat (limited to 'src/lib/pubkey')
-rw-r--r--src/lib/pubkey/dsa/dsa.cpp3
-rw-r--r--src/lib/pubkey/ecdsa/ecdsa.cpp3
-rw-r--r--src/lib/pubkey/eckcdsa/eckcdsa.cpp201
-rw-r--r--src/lib/pubkey/eckcdsa/eckcdsa.h91
-rw-r--r--src/lib/pubkey/eckcdsa/info.txt13
-rw-r--r--src/lib/pubkey/pk_algs.cpp14
-rw-r--r--src/lib/pubkey/pk_ops.cpp28
-rw-r--r--src/lib/pubkey/pk_ops_impl.h37
-rw-r--r--src/lib/pubkey/rfc6979/rfc6979.cpp14
-rw-r--r--src/lib/pubkey/rfc6979/rfc6979.h2
10 files changed, 382 insertions, 24 deletions
diff --git a/src/lib/pubkey/dsa/dsa.cpp b/src/lib/pubkey/dsa/dsa.cpp
index c2d4b3454..c42e70914 100644
--- a/src/lib/pubkey/dsa/dsa.cpp
+++ b/src/lib/pubkey/dsa/dsa.cpp
@@ -13,6 +13,7 @@
#include <botan/reducer.h>
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
#include <botan/rfc6979.h>
+ #include <botan/emsa.h>
#endif
#include <future>
@@ -115,7 +116,7 @@ DSA_Signature_Operation::raw_sign(const byte msg[], size_t msg_len,
i -= m_q;
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
- const BigInt k = generate_rfc6979_nonce(m_x, m_q, i, hash_for_deterministic_signature(m_emsa));
+ const BigInt k = generate_rfc6979_nonce(m_x, m_q, i, hash_for_emsa(m_emsa));
#else
const BigInt k = BigInt::random_integer(rng, 1, m_q);
#endif
diff --git a/src/lib/pubkey/ecdsa/ecdsa.cpp b/src/lib/pubkey/ecdsa/ecdsa.cpp
index 35a119420..6fe7ce319 100644
--- a/src/lib/pubkey/ecdsa/ecdsa.cpp
+++ b/src/lib/pubkey/ecdsa/ecdsa.cpp
@@ -13,6 +13,7 @@
#include <botan/keypair.h>
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
#include <botan/rfc6979.h>
+ #include <botan/emsa.h>
#endif
namespace Botan {
@@ -72,7 +73,7 @@ ECDSA_Signature_Operation::raw_sign(const byte msg[], size_t msg_len,
const BigInt m(msg, msg_len);
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
- const BigInt k = generate_rfc6979_nonce(m_x, m_order, m, hash_for_deterministic_signature(m_emsa));
+ const BigInt k = generate_rfc6979_nonce(m_x, m_order, m, hash_for_emsa(m_emsa));
#else
const BigInt k = BigInt::random_integer(rng, 1, m_order);
#endif
diff --git a/src/lib/pubkey/eckcdsa/eckcdsa.cpp b/src/lib/pubkey/eckcdsa/eckcdsa.cpp
new file mode 100644
index 000000000..83439332e
--- /dev/null
+++ b/src/lib/pubkey/eckcdsa/eckcdsa.cpp
@@ -0,0 +1,201 @@
+/*
+* ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009)
+* (C) 2016 René Korthaus, Sirrix AG
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/internal/pk_utils.h>
+#include <botan/eckcdsa.h>
+#include <botan/keypair.h>
+#include <botan/emsa.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+bool ECKCDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
+ bool strong) const
+ {
+ if(!public_point().on_the_curve())
+ {
+ return false;
+ }
+
+ if(!strong)
+ {
+ return true;
+ }
+
+ return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)");
+ }
+
+namespace {
+
+/**
+* ECKCDSA signature operation
+*/
+class ECKCDSA_Signature_Operation : public PK_Ops::Signature_with_EMSA
+ {
+ public:
+ typedef ECKCDSA_PrivateKey Key_Type;
+
+ ECKCDSA_Signature_Operation(const ECKCDSA_PrivateKey& eckcdsa,
+ const std::string& emsa) :
+ PK_Ops::Signature_with_EMSA(emsa),
+ m_order(eckcdsa.domain().get_order()),
+ m_base_point(eckcdsa.domain().get_base_point(), m_order),
+ m_x(eckcdsa.private_value()),
+ m_mod_order(m_order),
+ m_prefix()
+ {
+ const BigInt public_point_x = eckcdsa.public_point().get_affine_x();
+ const BigInt public_point_y = eckcdsa.public_point().get_affine_y();
+
+ m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
+ public_point_x.binary_encode(m_prefix.data());
+ public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
+ m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
+ }
+
+ secure_vector<byte> raw_sign(const byte msg[], size_t msg_len,
+ RandomNumberGenerator& rng) override;
+
+ size_t message_parts() const override { return 2; }
+ size_t message_part_size() const override { return m_order.bytes(); }
+ size_t max_input_bits() const override { return m_order.bits(); }
+
+ bool has_prefix() override { return true; }
+ secure_vector<byte> message_prefix() const override { return m_prefix; }
+
+ private:
+ const BigInt& m_order;
+ Blinded_Point_Multiply m_base_point;
+ const BigInt& m_x;
+ Modular_Reducer m_mod_order;
+ secure_vector<byte> m_prefix;
+ };
+
+secure_vector<byte>
+ECKCDSA_Signature_Operation::raw_sign(const byte msg[], size_t,
+ RandomNumberGenerator& rng)
+ {
+ const BigInt k = BigInt::random_integer(rng, 1, m_order);
+ const PointGFp k_times_P = m_base_point.blinded_multiply(k, rng);
+ const BigInt k_times_P_x = k_times_P.get_affine_x();
+
+ secure_vector<byte> to_be_hashed(k_times_P_x.bytes());
+ k_times_P_x.binary_encode(to_be_hashed.data());
+
+ std::unique_ptr<EMSA> emsa(m_emsa->clone());
+ emsa->update(to_be_hashed.data(), to_be_hashed.size());
+ secure_vector<byte> c = emsa->raw_data();
+ c = emsa->encoding_of(c, max_input_bits(), rng);
+
+ const BigInt r(c.data(), c.size());
+
+ xor_buf(c, msg, c.size());
+ BigInt w(c.data(), c.size());
+ w = m_mod_order.reduce(w);
+
+ const BigInt s = m_mod_order.multiply(m_x, k - w);
+ BOTAN_ASSERT(s != 0, "invalid s");
+
+ secure_vector<byte> signature(r.bytes() + s.bytes());
+ r.binary_encode(signature.data());
+ s.binary_encode(&signature[r.bytes()]);
+ return signature;
+ }
+
+/**
+* ECKCDSA verification operation
+*/
+class ECKCDSA_Verification_Operation : public PK_Ops::Verification_with_EMSA
+ {
+ public:
+ typedef ECKCDSA_PublicKey Key_Type;
+
+ ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa,
+ const std::string& emsa) :
+ PK_Ops::Verification_with_EMSA(emsa),
+ m_base_point(eckcdsa.domain().get_base_point()),
+ m_public_point(eckcdsa.public_point()),
+ m_order(eckcdsa.domain().get_order()),
+ m_mod_order(m_order),
+ m_prefix()
+ {
+ const BigInt public_point_x = m_public_point.get_affine_x();
+ const BigInt public_point_y = m_public_point.get_affine_y();
+
+ m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
+ public_point_x.binary_encode(&m_prefix[0]);
+ public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
+ m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
+ }
+
+ bool has_prefix() override { return true; }
+ secure_vector<byte> message_prefix() const override { return m_prefix; }
+
+ size_t message_parts() const override { return 2; }
+ size_t message_part_size() const override { return m_order.bytes(); }
+ size_t max_input_bits() const override { return m_order.bits(); }
+
+ bool with_recovery() const override { return false; }
+
+ bool verify(const byte msg[], size_t msg_len,
+ const byte sig[], size_t sig_len) override;
+ private:
+ const PointGFp& m_base_point;
+ const PointGFp& m_public_point;
+ const BigInt& m_order;
+ // FIXME: should be offered by curve
+ Modular_Reducer m_mod_order;
+ secure_vector<byte> m_prefix;
+ };
+
+bool ECKCDSA_Verification_Operation::verify(const byte msg[], size_t,
+ const byte sig[], size_t sig_len)
+ {
+ // check that bit length of r is equal to output bit length of employed hash function h
+ const std::unique_ptr<HashFunction> hash = HashFunction::create(hash_for_signature());
+
+ // no way to know size of r in sig, so check that we have at least hash->output_length()+1
+ // bytes in sig, enough for r and an arbitrary size s
+ if(sig_len <= hash->output_length())
+ {
+ return false;
+ }
+
+ secure_vector<byte> r(sig, sig + hash->output_length());
+
+ // check that 0 < s < q
+ const BigInt s(sig + hash->output_length(), sig_len - hash->output_length());
+
+ if(s <= 0 || s >= m_order)
+ {
+ return false;
+ }
+
+ secure_vector<byte> r_xor_e(r);
+ xor_buf(r_xor_e, msg, r.size());
+ BigInt w(r_xor_e.data(), r_xor_e.size());
+ w = m_mod_order.reduce(w);
+
+ const PointGFp q = (m_base_point * w) + (m_public_point * s);
+ const BigInt q_x = q.get_affine_x();
+ secure_vector<byte> c(q_x.bytes());
+ q_x.binary_encode(c.data());
+ std::unique_ptr<EMSA> emsa(m_emsa->clone());
+ emsa->update(c.data(), c.size());
+ secure_vector<byte> v = emsa->raw_data();
+ Null_RNG rng;
+ v = emsa->encoding_of(v, max_input_bits(), rng);
+
+ return (v == r);
+ }
+
+BOTAN_REGISTER_PK_SIGNATURE_OP("ECKCDSA", ECKCDSA_Signature_Operation);
+BOTAN_REGISTER_PK_VERIFY_OP("ECKCDSA", ECKCDSA_Verification_Operation);
+
+}
+
+}
diff --git a/src/lib/pubkey/eckcdsa/eckcdsa.h b/src/lib/pubkey/eckcdsa/eckcdsa.h
new file mode 100644
index 000000000..b85c4025e
--- /dev/null
+++ b/src/lib/pubkey/eckcdsa/eckcdsa.h
@@ -0,0 +1,91 @@
+/*
+* ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009)
+* (C) 2016 René Korthaus, Sirrix AG
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_ECKCDSA_KEY_H__
+#define BOTAN_ECKCDSA_KEY_H__
+
+#include <botan/ecc_key.h>
+
+namespace Botan {
+
+/**
+* This class represents ECKCDSA public keys.
+*/
+class BOTAN_DLL ECKCDSA_PublicKey : public virtual EC_PublicKey
+ {
+ public:
+
+ /**
+ * Construct a public key from a given public point.
+ * @param dom_par the domain parameters associated with this key
+ * @param public_point the public point defining this key
+ */
+ ECKCDSA_PublicKey(const EC_Group& dom_par,
+ const PointGFp& public_point) :
+ EC_PublicKey(dom_par, public_point) {}
+
+ ECKCDSA_PublicKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<byte>& key_bits) :
+ EC_PublicKey(alg_id, key_bits) {}
+
+ /**
+ * Get this keys algorithm name.
+ * @result this keys algorithm name ("ECGDSA")
+ */
+ std::string algo_name() const override { return "ECKCDSA"; }
+
+ /**
+ * Get the maximum number of bits allowed to be fed to this key.
+ * This is the bitlength of the order of the base point.
+ * @result the maximum number of input bits
+ */
+ size_t max_input_bits() const override
+ { return domain().get_order().bits(); }
+
+ size_t message_parts() const override { return 2; }
+
+ size_t message_part_size() const override
+ { return domain().get_order().bytes(); }
+
+ protected:
+ ECKCDSA_PublicKey() {}
+ };
+
+/**
+* This class represents ECKCDSA private keys.
+*/
+class BOTAN_DLL ECKCDSA_PrivateKey : public ECKCDSA_PublicKey,
+ public EC_PrivateKey
+ {
+ public:
+
+ /**
+ * Load a private key
+ * @param alg_id the X.509 algorithm identifier
+ * @param key_bits PKCS #8 structure
+ */
+ ECKCDSA_PrivateKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<byte>& key_bits) :
+ EC_PrivateKey(alg_id, key_bits, true) {}
+
+ /**
+ * Generate a new private key
+ * @param rng a random number generator
+ * @param domain parameters to used for this key
+ * @param x the private key (if zero, generate a new random key)
+ */
+ ECKCDSA_PrivateKey(RandomNumberGenerator& rng,
+ const EC_Group& domain,
+ const BigInt& x = 0) :
+ EC_PrivateKey(rng, domain, x, true) {}
+
+ bool check_key(RandomNumberGenerator& rng, bool) const override;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pubkey/eckcdsa/info.txt b/src/lib/pubkey/eckcdsa/info.txt
new file mode 100644
index 000000000..d3df354b1
--- /dev/null
+++ b/src/lib/pubkey/eckcdsa/info.txt
@@ -0,0 +1,13 @@
+define ECKCDSA 20160413
+
+<requires>
+asn1
+bigint
+ec_group
+ecc_key
+hash
+keypair
+numbertheory
+pk_pad
+rng
+</requires>
diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp
index d2947b0c0..9dbde28af 100644
--- a/src/lib/pubkey/pk_algs.cpp
+++ b/src/lib/pubkey/pk_algs.cpp
@@ -28,6 +28,10 @@
#include <botan/ecgdsa.h>
#endif
+#if defined(BOTAN_HAS_ECKCDSA)
+ #include <botan/eckcdsa.h>
+#endif
+
#if defined(BOTAN_HAS_GOST_34_10_2001)
#include <botan/gost_3410.h>
#endif
@@ -105,6 +109,11 @@ Public_Key* make_public_key(const AlgorithmIdentifier& alg_id,
return new ECGDSA_PublicKey(alg_id, key_bits);
#endif
+#if defined(BOTAN_HAS_ECKCDSA)
+ if(alg_name == "ECKCDSA")
+ return new ECKCDSA_PublicKey(alg_id, key_bits);
+#endif
+
#if defined(BOTAN_HAS_GOST_34_10_2001)
if(alg_name == "GOST-34.10")
return new GOST_3410_PublicKey(alg_id, key_bits);
@@ -176,6 +185,11 @@ Private_Key* make_private_key(const AlgorithmIdentifier& alg_id,
return new ECGDSA_PrivateKey(alg_id, key_bits);
#endif
+#if defined(BOTAN_HAS_ECKCDSA)
+ if(alg_name == "ECKCDSA")
+ return new ECKCDSA_PrivateKey(alg_id, key_bits);
+#endif
+
#if defined(BOTAN_HAS_GOST_34_10_2001)
if(alg_name == "GOST-34.10")
return new GOST_3410_PrivateKey(alg_id, key_bits);
diff --git a/src/lib/pubkey/pk_ops.cpp b/src/lib/pubkey/pk_ops.cpp
index 654b68255..1017518a7 100644
--- a/src/lib/pubkey/pk_ops.cpp
+++ b/src/lib/pubkey/pk_ops.cpp
@@ -76,9 +76,12 @@ secure_vector<byte> PK_Ops::Key_Agreement_with_KDF::agree(size_t key_len,
return z;
}
-PK_Ops::Signature_with_EMSA::Signature_with_EMSA(const std::string& emsa)
+PK_Ops::Signature_with_EMSA::Signature_with_EMSA(const std::string& emsa) :
+ Signature(),
+ m_emsa(get_emsa(emsa)),
+ m_hash(hash_for_emsa(emsa)),
+ m_prefix_used(false)
{
- m_emsa.reset(get_emsa(emsa));
if(!m_emsa)
throw Algorithm_Not_Found(emsa);
}
@@ -87,19 +90,29 @@ PK_Ops::Signature_with_EMSA::~Signature_with_EMSA() {}
void PK_Ops::Signature_with_EMSA::update(const byte msg[], size_t msg_len)
{
+ if(has_prefix() && !m_prefix_used)
+ {
+ m_prefix_used = true;
+ secure_vector<byte> prefix = message_prefix();
+ m_emsa->update(prefix.data(), prefix.size());
+ }
m_emsa->update(msg, msg_len);
}
secure_vector<byte> PK_Ops::Signature_with_EMSA::sign(RandomNumberGenerator& rng)
{
+ m_prefix_used = false;
const secure_vector<byte> msg = m_emsa->raw_data();
const auto padded = m_emsa->encoding_of(msg, this->max_input_bits(), rng);
return raw_sign(padded.data(), padded.size(), rng);
}
-PK_Ops::Verification_with_EMSA::Verification_with_EMSA(const std::string& emsa)
+PK_Ops::Verification_with_EMSA::Verification_with_EMSA(const std::string& emsa) :
+ Verification(),
+ m_emsa(get_emsa(emsa)),
+ m_hash(hash_for_emsa(emsa)),
+ m_prefix_used(false)
{
- m_emsa.reset(get_emsa(emsa));
if(!m_emsa)
throw Algorithm_Not_Found(emsa);
}
@@ -108,11 +121,18 @@ PK_Ops::Verification_with_EMSA::~Verification_with_EMSA() {}
void PK_Ops::Verification_with_EMSA::update(const byte msg[], size_t msg_len)
{
+ if(has_prefix() && !m_prefix_used)
+ {
+ m_prefix_used = true;
+ secure_vector<byte> prefix = message_prefix();
+ m_emsa->update(prefix.data(), prefix.size());
+ }
m_emsa->update(msg, msg_len);
}
bool PK_Ops::Verification_with_EMSA::is_valid_signature(const byte sig[], size_t sig_len)
{
+ m_prefix_used = false;
const secure_vector<byte> msg = m_emsa->raw_data();
if(with_recovery())
diff --git a/src/lib/pubkey/pk_ops_impl.h b/src/lib/pubkey/pk_ops_impl.h
index 81637a81c..9d02de5e5 100644
--- a/src/lib/pubkey/pk_ops_impl.h
+++ b/src/lib/pubkey/pk_ops_impl.h
@@ -58,12 +58,25 @@ class Verification_with_EMSA : public Verification
bool do_check(const secure_vector<byte>& msg,
const byte sig[], size_t sig_len);
+ std::string hash_for_signature() { return m_hash; }
protected:
explicit Verification_with_EMSA(const std::string& emsa);
~Verification_with_EMSA();
/**
+ * @return boolean specifying if this signature scheme uses
+ * a message prefix returned by message_prefix()
+ */
+ virtual bool has_prefix() { return false; }
+
+ /**
+ * @return the message prefix if this signature scheme uses
+ * a message prefix, signaled via has_prefix()
+ */
+ virtual secure_vector<byte> message_prefix() const { throw Exception( "No prefix" ); }
+
+ /**
* @return boolean specifying if this key type supports message
* recovery and thus if you need to call verify() or verify_mr()
*/
@@ -95,8 +108,11 @@ class Verification_with_EMSA : public Verification
throw Invalid_State("Message recovery not supported");
}
- private:
std::unique_ptr<EMSA> m_emsa;
+
+ private:
+ const std::string m_hash;
+ bool m_prefix_used;
};
class Signature_with_EMSA : public Signature
@@ -108,6 +124,22 @@ class Signature_with_EMSA : public Signature
protected:
explicit Signature_with_EMSA(const std::string& emsa);
~Signature_with_EMSA();
+
+ std::string hash_for_signature() { return m_hash; }
+
+ /**
+ * @return boolean specifying if this signature scheme uses
+ * a message prefix returned by message_prefix()
+ */
+ virtual bool has_prefix() { return false; }
+
+ /**
+ * @return the message prefix if this signature scheme uses
+ * a message prefix, signaled via has_prefix()
+ */
+ virtual secure_vector<byte> message_prefix() const { throw Exception( "No prefix" ); }
+
+ std::unique_ptr<EMSA> m_emsa;
private:
/**
@@ -122,7 +154,8 @@ class Signature_with_EMSA : public Signature
virtual secure_vector<byte> raw_sign(const byte msg[], size_t msg_len,
RandomNumberGenerator& rng) = 0;
- std::unique_ptr<EMSA> m_emsa;
+ const std::string m_hash;
+ bool m_prefix_used;
};
class Key_Agreement_with_KDF : public Key_Agreement
diff --git a/src/lib/pubkey/rfc6979/rfc6979.cpp b/src/lib/pubkey/rfc6979/rfc6979.cpp
index f749b039f..0b26aadb5 100644
--- a/src/lib/pubkey/rfc6979/rfc6979.cpp
+++ b/src/lib/pubkey/rfc6979/rfc6979.cpp
@@ -8,23 +8,9 @@
#include <botan/rfc6979.h>
#include <botan/hmac_drbg.h>
#include <botan/mac.h>
-#include <botan/scan_name.h>
namespace Botan {
-std::string hash_for_deterministic_signature(const std::string& emsa)
- {
- SCAN_Name emsa_name(emsa);
-
- if(emsa_name.arg_count() > 0)
- {
- const std::string pos_hash = emsa_name.arg(0);
- return pos_hash;
- }
-
- return "SHA-512"; // safe default if nothing we understand
- }
-
RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(const std::string& hash,
const BigInt& order,
const BigInt& x) :
diff --git a/src/lib/pubkey/rfc6979/rfc6979.h b/src/lib/pubkey/rfc6979/rfc6979.h
index 5b3dee8ef..32728befb 100644
--- a/src/lib/pubkey/rfc6979/rfc6979.h
+++ b/src/lib/pubkey/rfc6979/rfc6979.h
@@ -46,8 +46,6 @@ BigInt BOTAN_DLL generate_rfc6979_nonce(const BigInt& x,
const BigInt& h,
const std::string& hash);
-std::string hash_for_deterministic_signature(const std::string& emsa);
-
}
#endif