aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey/xmss/xmss.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/pubkey/xmss/xmss.h')
-rw-r--r--src/lib/pubkey/xmss/xmss.h462
1 files changed, 448 insertions, 14 deletions
diff --git a/src/lib/pubkey/xmss/xmss.h b/src/lib/pubkey/xmss/xmss.h
index 42b825f8f..529bbe3bc 100644
--- a/src/lib/pubkey/xmss/xmss.h
+++ b/src/lib/pubkey/xmss/xmss.h
@@ -1,26 +1,460 @@
+/*
+ * XMSS Keys
+ * (C) 2016,2017 Matthias Gierlings
+ * (C) 2019 René Korthaus, Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_XMSS_H_
+#define BOTAN_XMSS_H_
+
+#include <botan/pk_keys.h>
+#include <botan/exceptn.h>
+#include <botan/xmss_parameters.h>
+#include <botan/xmss_wots_parameters.h>
+#include <botan/xmss_wots_privatekey.h>
+
+namespace Botan {
+
+class RandomNumberGenerator;
+class XMSS_Verification_Operation;
+
/**
- * @file xmss.h
- * Includes headers required for Extended Hash-Based Signatures (XMSS)
- * as described in [1]. @see Botan::XMSS_PublicKey and @see
- * Botan::XMSS_PrivateKey for further
- * details.
+ * An XMSS: Extended Hash-Based Signature public key.
*
- * <pre>
* [1] XMSS: Extended Hash-Based Signatures,
* Request for Comments: 8391
* Release: May 2018.
* https://datatracker.ietf.org/doc/rfc8391/
- * </pre>
- *
- * (C) 2016,2017,2018 Matthias Gierlings
+ **/
+class BOTAN_PUBLIC_API(2,0) XMSS_PublicKey : public virtual Public_Key
+ {
+ public:
+ /**
+ * Creates a new XMSS public key for the chosen XMSS signature method.
+ * New public and prf seeds are generated using rng. The appropriate WOTS
+ * signature method will be automatically set based on the chosen XMSS
+ * signature method.
+ *
+ * @param xmss_oid Identifier for the selected XMSS signature method.
+ * @param rng A random number generator to use for key generation.
+ **/
+ XMSS_PublicKey(XMSS_Parameters::xmss_algorithm_t xmss_oid,
+ RandomNumberGenerator& rng);
+
+ /**
+ * Loads a public key.
+ *
+ * Public key must be encoded as in RFC
+ * draft-vangeest-x509-hash-sigs-03.
+ *
+ * @param key_bits DER encoded public key bits
+ */
+ XMSS_PublicKey(const std::vector<uint8_t>& key_bits);
+
+ /**
+ * Creates a new XMSS public key for a chosen XMSS signature method as
+ * well as pre-computed root node and public_seed values.
+ *
+ * @param xmss_oid Identifier for the selected XMSS signature method.
+ * @param root Root node value.
+ * @param public_seed Public seed value.
+ **/
+ XMSS_PublicKey(XMSS_Parameters::xmss_algorithm_t xmss_oid,
+ const secure_vector<uint8_t>& root,
+ const secure_vector<uint8_t>& public_seed)
+ : m_xmss_params(xmss_oid), m_wots_params(m_xmss_params.ots_oid()),
+ m_root(root), m_public_seed(public_seed) {}
+
+ /**
+ * Creates a new XMSS public key for a chosen XMSS signature method as
+ * well as pre-computed root node and public_seed values.
+ *
+ * @param xmss_oid Identifier for the selected XMSS signature method.
+ * @param root Root node value.
+ * @param public_seed Public seed value.
+ **/
+ XMSS_PublicKey(XMSS_Parameters::xmss_algorithm_t xmss_oid,
+ secure_vector<uint8_t>&& root,
+ secure_vector<uint8_t>&& public_seed)
+ : m_xmss_params(xmss_oid), m_wots_params(m_xmss_params.ots_oid()),
+ m_root(std::move(root)), m_public_seed(std::move(public_seed)) {}
+
+ /**
+ * Retrieves the chosen XMSS signature method.
+ *
+ * @return XMSS signature method identifier.
+ **/
+ XMSS_Parameters::xmss_algorithm_t xmss_oid() const
+ {
+ return m_xmss_params.oid();
+ }
+
+ /**
+ * Sets the chosen XMSS signature method
+ **/
+ void set_xmss_oid(XMSS_Parameters::xmss_algorithm_t xmss_oid)
+ {
+ m_xmss_params = XMSS_Parameters(xmss_oid);
+ m_wots_params = XMSS_WOTS_Parameters(m_xmss_params.ots_oid());
+ }
+
+ /**
+ * Retrieves the XMSS parameters determined by the chosen XMSS Signature
+ * method.
+ *
+ * @return XMSS parameters.
+ **/
+ const XMSS_Parameters& xmss_parameters() const
+ {
+ return m_xmss_params;
+ }
+
+ /**
+ * Retrieves the XMSS parameters determined by the chosen XMSS Signature
+ * method.
+ *
+ * @return XMSS parameters.
+ **/
+ std::string xmss_hash_function() const
+ {
+ return m_xmss_params.hash_function_name();
+ }
+
+ /**
+ * Retrieves the Winternitz One Time Signature (WOTS) method,
+ * corresponding to the chosen XMSS signature method.
+ *
+ * @return XMSS WOTS signature method identifier.
+ **/
+ XMSS_WOTS_Parameters::ots_algorithm_t wots_oid() const
+ {
+ return m_wots_params.oid();
+ }
+
+ /**
+ * Retrieves the Winternitz One Time Signature (WOTS) parameters
+ * corresponding to the chosen XMSS signature method.
+ *
+ * @return XMSS WOTS signature method parameters.
+ **/
+ const XMSS_WOTS_Parameters& wots_parameters() const
+ {
+ return m_wots_params;
+ }
+
+ secure_vector<uint8_t>& root()
+ {
+ return m_root;
+ }
+
+ void set_root(const secure_vector<uint8_t>& root)
+ {
+ m_root = root;
+ }
+
+ void set_root(secure_vector<uint8_t>&& root)
+ {
+ m_root = std::move(root);
+ }
+
+ const secure_vector<uint8_t>& root() const
+ {
+ return m_root;
+ }
+
+ virtual secure_vector<uint8_t>& public_seed()
+ {
+ return m_public_seed;
+ }
+
+ virtual void set_public_seed(const secure_vector<uint8_t>& public_seed)
+ {
+ m_public_seed = public_seed;
+ }
+
+ virtual void set_public_seed(secure_vector<uint8_t>&& public_seed)
+ {
+ m_public_seed = std::move(public_seed);
+ }
+
+ virtual const secure_vector<uint8_t>& public_seed() const
+ {
+ return m_public_seed;
+ }
+
+ std::string algo_name() const override
+ {
+ return "XMSS";
+ }
+
+ AlgorithmIdentifier algorithm_identifier() const override
+ {
+ return AlgorithmIdentifier(get_oid(), AlgorithmIdentifier::USE_EMPTY_PARAM);
+ }
+
+ bool check_key(RandomNumberGenerator&, bool) const override
+ {
+ return true;
+ }
+
+ std::unique_ptr<PK_Ops::Verification>
+ create_verification_op(const std::string&,
+ const std::string& provider) const override;
+
+ size_t estimated_strength() const override
+ {
+ return m_xmss_params.estimated_strength();
+ }
+
+ size_t key_length() const override
+ {
+ return m_xmss_params.estimated_strength();
+ }
+
+ /**
+ * Returns the encoded public key as defined in RFC
+ * draft-vangeest-x509-hash-sigs-03.
+ *
+ * @return encoded public key bits
+ **/
+ std::vector<uint8_t> public_key_bits() const override;
+
+ /**
+ * Size in bytes of the serialized XMSS public key produced by
+ * raw_public_key().
+ *
+ * @return size in bytes of serialized Public Key.
+ **/
+ virtual size_t size() const
+ {
+ return sizeof(uint32_t) + 2 * m_xmss_params.element_size();
+ }
+
+ /**
+ * Generates a byte sequence representing the XMSS
+ * public key, as defined in [1] (p. 23, "XMSS Public Key")
+ *
+ * @return 4-byte OID, followed by n-byte root node, followed by
+ * public seed.
+ **/
+ virtual std::vector<uint8_t> raw_public_key() const;
+
+ protected:
+ std::vector<uint8_t> m_raw_key;
+ XMSS_Parameters m_xmss_params;
+ XMSS_WOTS_Parameters m_wots_params;
+ secure_vector<uint8_t> m_root;
+ secure_vector<uint8_t> m_public_seed;
+
+ private:
+ XMSS_Parameters::xmss_algorithm_t deserialize_xmss_oid(
+ const std::vector<uint8_t>& raw_key);
+ };
+
+template<typename> class Atomic;
+
+class XMSS_Index_Registry;
+
+/**
+ * An XMSS: Extended Hash-Based Signature private key.
+ * The XMSS private key does not support the X509 and PKCS7 standard. Instead
+ * the raw format described in [1] is used.
*
- * Botan is released under the Simplified BSD License (see license.txt)
+ * [1] XMSS: Extended Hash-Based Signatures,
+ * Request for Comments: 8391
+ * Release: May 2018.
+ * https://datatracker.ietf.org/doc/rfc8391/
**/
+class BOTAN_PUBLIC_API(2,0) XMSS_PrivateKey final : public virtual XMSS_PublicKey,
+ public virtual Private_Key
+ {
+ public:
+ /**
+ * Creates a new XMSS private key for the chosen XMSS signature method.
+ * New seeds for public/private key and pseudo random function input are
+ * generated using the provided RNG. The appropriate WOTS signature method
+ * will be automatically set based on the chosen XMSS signature method.
+ *
+ * @param xmss_algo_id Identifier for the selected XMSS signature method.
+ * @param rng A random number generator to use for key generation.
+ **/
+ XMSS_PrivateKey(XMSS_Parameters::xmss_algorithm_t xmss_algo_id,
+ RandomNumberGenerator& rng);
-#ifndef BOTAN_XMSS_H_
-#define BOTAN_XMSS_H_
+ /**
+ * Creates an XMSS_PrivateKey from a byte sequence produced by
+ * raw_private_key().
+ *
+ * @param raw_key An XMSS private key serialized using raw_private_key().
+ **/
+ XMSS_PrivateKey(const secure_vector<uint8_t>& raw_key);
+
+ /**
+ * Creates a new XMSS private key for the chosen XMSS signature method
+ * using precomputed seeds for public/private keys and pseudo random
+ * function input. The appropriate WOTS signature method will be
+ * automatically set, based on the chosen XMSS signature method.
+ *
+ * @param xmss_algo_id Identifier for the selected XMSS signature method.
+ * @param idx_leaf Index of the next unused leaf.
+ * @param wots_priv_seed A seed to generate a Winternitz-One-Time-
+ * Signature private key from.
+ * @param prf a secret n-byte key sourced from a secure source
+ * of uniformly random data.
+ * @param root Root node of the binary hash tree.
+ * @param public_seed The public seed.
+ **/
+ XMSS_PrivateKey(XMSS_Parameters::xmss_algorithm_t xmss_algo_id,
+ size_t idx_leaf,
+ const secure_vector<uint8_t>& wots_priv_seed,
+ const secure_vector<uint8_t>& prf,
+ const secure_vector<uint8_t>& root,
+ const secure_vector<uint8_t>& public_seed);
+
+ bool stateful_operation() const override { return true; }
+
+ /**
+ * Retrieves the last unused leaf index of the private key. Reusing a leaf
+ * by utilizing leaf indices lower than the last unused leaf index will
+ * compromise security.
+ *
+ * @return Index of the last unused leaf.
+ **/
+ size_t unused_leaf_index() const;
+
+ /**
+ * Sets the last unused leaf index of the private key. The leaf index
+ * will be updated automatically during every signing operation, and
+ * should not be set manually.
+ *
+ * @param idx Index of the last unused leaf.
+ **/
+ void set_unused_leaf_index(size_t idx);
+
+ size_t reserve_unused_leaf_index();
+
+ /**
+ * Winternitz One Time Signature Scheme key utilized for signing
+ * operations.
+ *
+ * @return WOTS+ private key.
+ **/
+ const XMSS_WOTS_PrivateKey& wots_private_key() const
+ {
+ return m_wots_priv_key;
+ }
+
+ /**
+ * Winternitz One Time Signature Scheme key utilized for signing
+ * operations.
+ *
+ * @return WOTS+ private key.
+ **/
+ XMSS_WOTS_PrivateKey& wots_private_key()
+ {
+ return m_wots_priv_key;
+ }
+
+ const secure_vector<uint8_t>& prf() const
+ {
+ return m_prf;
+ }
+
+ secure_vector<uint8_t>& prf()
+ {
+ return m_prf;
+ }
+
+ void set_public_seed(
+ const secure_vector<uint8_t>& public_seed) override
+ {
+ m_public_seed = public_seed;
+ m_wots_priv_key.set_public_seed(public_seed);
+ }
+
+ void set_public_seed(secure_vector<uint8_t>&& public_seed) override
+ {
+ m_public_seed = std::move(public_seed);
+ m_wots_priv_key.set_public_seed(m_public_seed);
+ }
+
+ const secure_vector<uint8_t>& public_seed() const override
+ {
+ return m_public_seed;
+ }
+
+ std::unique_ptr<PK_Ops::Signature>
+ create_signature_op(RandomNumberGenerator&,
+ const std::string&,
+ const std::string& provider) const override;
+
+ secure_vector<uint8_t> private_key_bits() const override;
+
+ size_t size() const override
+ {
+ return XMSS_PublicKey::size() +
+ sizeof(uint32_t) +
+ 2 * XMSS_PublicKey::m_xmss_params.element_size();
+ }
+
+ /**
+ * Generates a non standartized byte sequence representing the XMSS
+ * private key.
+ *
+ * @return byte sequence consisting of the following elements in order:
+ * 4-byte OID, n-byte root node, n-byte public seed,
+ * 8-byte unused leaf index, n-byte prf seed, n-byte private seed.
+ **/
+ secure_vector<uint8_t> raw_private_key() const;
+ /**
+ * Algorithm 9: "treeHash"
+ * Computes the internal n-byte nodes of a Merkle tree.
+ *
+ * @param start_idx The start index.
+ * @param target_node_height Height of the target node.
+ * @param adrs Address of the tree containing the target node.
+ *
+ * @return The root node of a tree of height target_node height with the
+ * leftmost leaf being the hash of the WOTS+ pk with index
+ * start_idx.
+ **/
+ secure_vector<uint8_t> tree_hash(
+ size_t start_idx,
+ size_t target_node_height,
+ XMSS_Address& adrs);
+
+ private:
+ /**
+ * Fetches shared unused leaf index from the index registry
+ **/
+ std::shared_ptr<Atomic<size_t>> recover_global_leaf_index() const;
+
+ inline void tree_hash_subtree(secure_vector<uint8_t>& result,
+ size_t start_idx,
+ size_t target_node_height,
+ XMSS_Address& adrs)
+ {
+ return tree_hash_subtree(result, start_idx, target_node_height, adrs, m_hash);
+ }
+
+
+ /**
+ * Helper for multithreaded tree hashing.
+ */
+ void tree_hash_subtree(secure_vector<uint8_t>& result,
+ size_t start_idx,
+ size_t target_node_height,
+ XMSS_Address& adrs,
+ XMSS_Hash& hash);
+
+ XMSS_WOTS_PrivateKey m_wots_priv_key;
+ XMSS_Hash m_hash;
+ secure_vector<uint8_t> m_prf;
+ XMSS_Index_Registry& m_index_reg;
+ };
-#include <botan/xmss_publickey.h>
-#include <botan/xmss_privatekey.h>
+}
#endif