aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/asn1/oid_lookup/default.cpp10
-rw-r--r--src/lib/math/numbertheory/mp_numth.cpp14
-rw-r--r--src/lib/math/numbertheory/numthry.h11
-rw-r--r--src/lib/pubkey/ecc_key/ecc_key.cpp21
-rw-r--r--src/lib/pubkey/ecc_key/ecc_key.h28
-rw-r--r--src/lib/pubkey/ecdsa/ecdsa.h2
-rw-r--r--src/lib/pubkey/ecgdsa/ecgdsa.cpp148
-rw-r--r--src/lib/pubkey/ecgdsa/ecgdsa.h91
-rw-r--r--src/lib/pubkey/ecgdsa/info.txt13
-rw-r--r--src/lib/pubkey/pk_algs.cpp14
10 files changed, 341 insertions, 11 deletions
diff --git a/src/lib/asn1/oid_lookup/default.cpp b/src/lib/asn1/oid_lookup/default.cpp
index fe7a42748..9e16cfc0b 100644
--- a/src/lib/asn1/oid_lookup/default.cpp
+++ b/src/lib/asn1/oid_lookup/default.cpp
@@ -30,6 +30,9 @@ const char* default_oid_list()
"1.2.840.10045.2.1 = ECDSA" "\n"
"1.3.132.1.12 = ECDH" "\n"
+ // ecgPublicKey (see https://www.teletrust.de/projekte/oid/)
+ "1.3.36.3.3.2.5.2.1 = ECGDSA" "\n"
+
"1.2.643.2.2.19 = GOST-34.10" "\n"
// Block ciphers
@@ -112,6 +115,13 @@ const char* default_oid_list()
"1.2.840.10045.4.3.3 = ECDSA/EMSA1(SHA-384)" "\n"
"1.2.840.10045.4.3.4 = ECDSA/EMSA1(SHA-512)" "\n"
+ "1.3.36.3.3.2.5.4.1 = ECGDSA/EMSA1(RIPEMD-160)" "\n"
+ "1.3.36.3.3.2.5.4.2 = ECGDSA/EMSA1(SHA-160)" "\n"
+ "1.3.36.3.3.2.5.4.3 = ECGDSA/EMSA1(SHA-224)" "\n"
+ "1.3.36.3.3.2.5.4.4 = ECGDSA/EMSA1(SHA-256)" "\n"
+ "1.3.36.3.3.2.5.4.5 = ECGDSA/EMSA1(SHA-384)" "\n"
+ "1.3.36.3.3.2.5.4.6 = ECGDSA/EMSA1(SHA-512)" "\n"
+
"1.2.643.2.2.3 = GOST-34.10/EMSA1(GOST-R-34.11-94)" "\n"
"1.3.6.1.4.1.25258.2.1.1.1 = RW/EMSA2(RIPEMD-160)" "\n"
diff --git a/src/lib/math/numbertheory/mp_numth.cpp b/src/lib/math/numbertheory/mp_numth.cpp
index 6eb938286..3373b9ee7 100644
--- a/src/lib/math/numbertheory/mp_numth.cpp
+++ b/src/lib/math/numbertheory/mp_numth.cpp
@@ -71,4 +71,18 @@ BigInt sub_mul(const BigInt& a, const BigInt& b, const BigInt& c)
return r;
}
+/*
+* Multiply-Subtract Operation
+*/
+BigInt mul_sub(const BigInt& a, const BigInt& b, const BigInt& c)
+ {
+ if(c.is_negative() || c.is_zero())
+ throw Invalid_Argument("mul_sub: Third argument must be > 0");
+
+ BigInt r = a;
+ r *= b;
+ r -= c;
+ return r;
+ }
+
}
diff --git a/src/lib/math/numbertheory/numthry.h b/src/lib/math/numbertheory/numthry.h
index e1e6c65f6..591b61f6a 100644
--- a/src/lib/math/numbertheory/numthry.h
+++ b/src/lib/math/numbertheory/numthry.h
@@ -37,6 +37,17 @@ BigInt BOTAN_DLL sub_mul(const BigInt& a,
const BigInt& c);
/**
+* Fused multiply-subtract
+* @param a an integer
+* @param b an integer
+* @param c an integer
+* @return (a*b)-c
+*/
+BigInt BOTAN_DLL mul_sub(const BigInt& a,
+ const BigInt& b,
+ const BigInt& c);
+
+/**
* Return the absolute value
* @param n an integer
* @return absolute value of n
diff --git a/src/lib/pubkey/ecc_key/ecc_key.cpp b/src/lib/pubkey/ecc_key/ecc_key.cpp
index 2dca20725..befc2cc4c 100644
--- a/src/lib/pubkey/ecc_key/ecc_key.cpp
+++ b/src/lib/pubkey/ecc_key/ecc_key.cpp
@@ -33,7 +33,10 @@ EC_PublicKey::EC_PublicKey(const EC_Group& dom_par,
}
EC_PublicKey::EC_PublicKey(const AlgorithmIdentifier& alg_id,
- const secure_vector<byte>& key_bits) : m_domain_params{EC_Group(alg_id.parameters)}, m_public_key{OS2ECP(key_bits, domain().get_curve())}, m_domain_encoding{EC_DOMPAR_ENC_EXPLICIT}
+ const secure_vector<byte>& key_bits) :
+ m_domain_params{EC_Group(alg_id.parameters)},
+ m_public_key{OS2ECP(key_bits, domain().get_curve())},
+ m_domain_encoding{EC_DOMPAR_ENC_EXPLICIT}
{}
bool EC_PublicKey::check_key(RandomNumberGenerator&,
@@ -80,17 +83,23 @@ const BigInt& EC_PrivateKey::private_value() const
*/
EC_PrivateKey::EC_PrivateKey(RandomNumberGenerator& rng,
const EC_Group& ec_group,
- const BigInt& x)
+ const BigInt& x,
+ bool with_modular_inverse)
{
m_domain_params = ec_group;
m_domain_encoding = EC_DOMPAR_ENC_EXPLICIT;
if(x == 0)
+ {
m_private_key = BigInt::random_integer(rng, 1, domain().get_order());
+ }
else
+ {
m_private_key = x;
+ }
- m_public_key = domain().get_base_point() * m_private_key;
+ m_public_key = domain().get_base_point() *
+ ((with_modular_inverse) ? inverse_mod(m_private_key, m_domain_params.get_order()) : m_private_key);
BOTAN_ASSERT(m_public_key.on_the_curve(),
"Generated public key point was on the curve");
@@ -108,7 +117,8 @@ secure_vector<byte> EC_PrivateKey::pkcs8_private_key() const
}
EC_PrivateKey::EC_PrivateKey(const AlgorithmIdentifier& alg_id,
- const secure_vector<byte>& key_bits)
+ const secure_vector<byte>& key_bits,
+ bool with_modular_inverse)
{
m_domain_params = EC_Group(alg_id.parameters);
m_domain_encoding = EC_DOMPAR_ENC_EXPLICIT;
@@ -129,7 +139,8 @@ EC_PrivateKey::EC_PrivateKey(const AlgorithmIdentifier& alg_id,
if(public_key_bits.empty())
{
- m_public_key = domain().get_base_point() * m_private_key;
+ m_public_key = domain().get_base_point() *
+ ((with_modular_inverse) ? inverse_mod(m_private_key, m_domain_params.get_order()) : m_private_key);
BOTAN_ASSERT(m_public_key.on_the_curve(),
"Public point derived from loaded key was on the curve");
diff --git a/src/lib/pubkey/ecc_key/ecc_key.h b/src/lib/pubkey/ecc_key/ecc_key.h
index 3f93a908c..a8e77b895 100644
--- a/src/lib/pubkey/ecc_key/ecc_key.h
+++ b/src/lib/pubkey/ecc_key/ecc_key.h
@@ -96,12 +96,30 @@ class BOTAN_DLL EC_PrivateKey : public virtual EC_PublicKey,
public virtual Private_Key
{
public:
- EC_PrivateKey(RandomNumberGenerator& rng,
- const EC_Group& domain,
- const BigInt& private_key);
-
+ /*
+ * If x=0, creates a new private key in the domain
+ * using the given rng. If with_modular_inverse is set,
+ * the public key will be calculated by multiplying
+ * the base point with the modular inverse of
+ * x (as in ECGDSA and ECKCDSA), otherwise by
+ * multiplying directly with x (as in ECDSA).
+ */
+ EC_PrivateKey(RandomNumberGenerator& rng,
+ const EC_Group& domain,
+ const BigInt& x,
+ bool with_modular_inverse=false);
+
+ /*
+ * Creates a new private key object from the given
+ * key_bits. If with_modular_inverse is set,
+ * the public key will be calculated by multiplying
+ * the base point with the modular inverse of
+ * x (as in ECGDSA and ECKCDSA), otherwise by
+ * multiplying directly with x (as in ECDSA).
+ */
EC_PrivateKey(const AlgorithmIdentifier& alg_id,
- const secure_vector<byte>& key_bits);
+ const secure_vector<byte>& key_bits,
+ bool with_modular_inverse=false);
secure_vector<byte> pkcs8_private_key() const override;
diff --git a/src/lib/pubkey/ecdsa/ecdsa.h b/src/lib/pubkey/ecdsa/ecdsa.h
index 1eb41a4b9..eed09afe6 100644
--- a/src/lib/pubkey/ecdsa/ecdsa.h
+++ b/src/lib/pubkey/ecdsa/ecdsa.h
@@ -78,7 +78,7 @@ class BOTAN_DLL ECDSA_PrivateKey : public ECDSA_PublicKey,
* Generate a new private key
* @param rng a random number generator
* @param domain parameters to used for this key
- * @param x the private key (if zero, generate a ney random key)
+ * @param x the private key (if zero, generate a new random key)
*/
ECDSA_PrivateKey(RandomNumberGenerator& rng,
const EC_Group& domain,
diff --git a/src/lib/pubkey/ecgdsa/ecgdsa.cpp b/src/lib/pubkey/ecgdsa/ecgdsa.cpp
new file mode 100644
index 000000000..b28e3fe96
--- /dev/null
+++ b/src/lib/pubkey/ecgdsa/ecgdsa.cpp
@@ -0,0 +1,148 @@
+/*
+* ECGDSA (BSI-TR-03111, version 2.0)
+* (C) 2016 René Korthaus
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/internal/pk_utils.h>
+#include <botan/ecgdsa.h>
+#include <botan/keypair.h>
+
+namespace Botan {
+
+bool ECGDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
+ bool strong) const
+ {
+ if(!public_point().on_the_curve())
+ return false;
+
+ if(!strong)
+ return true;
+
+ return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)");
+ }
+
+namespace {
+
+/**
+* ECGDSA signature operation
+*/
+class ECGDSA_Signature_Operation : public PK_Ops::Signature_with_EMSA
+ {
+ public:
+ typedef ECGDSA_PrivateKey Key_Type;
+
+ ECGDSA_Signature_Operation(const ECGDSA_PrivateKey& ecgdsa,
+ const std::string& emsa) :
+ PK_Ops::Signature_with_EMSA(emsa),
+ m_order(ecgdsa.domain().get_order()),
+ m_base_point(ecgdsa.domain().get_base_point(), m_order),
+ m_x(ecgdsa.private_value()),
+ m_mod_order(m_order)
+ {
+ }
+
+ secure_vector<byte> raw_sign(const byte msg[], size_t msg_len,
+ RandomNumberGenerator& rng) override;
+
+ size_t message_parts() const override { return 2; }
+ size_t message_part_size() const override { return m_order.bytes(); }
+ size_t max_input_bits() const override { return m_order.bits(); }
+
+ private:
+ const BigInt& m_order;
+ Blinded_Point_Multiply m_base_point;
+ const BigInt& m_x;
+ Modular_Reducer m_mod_order;
+ };
+
+secure_vector<byte>
+ECGDSA_Signature_Operation::raw_sign(const byte msg[], size_t msg_len,
+ RandomNumberGenerator& rng)
+ {
+ const BigInt m(msg, msg_len);
+
+ BigInt k = BigInt::random_integer(rng, 1, m_order);
+
+ const PointGFp k_times_P = m_base_point.blinded_multiply(k, rng);
+ const BigInt r = m_mod_order.reduce(k_times_P.get_affine_x());
+ const BigInt s = m_mod_order.multiply(m_x, mul_sub(k, r, m));
+
+ // With overwhelming probability, a bug rather than actual zero r/s
+ BOTAN_ASSERT(s != 0, "invalid s");
+ BOTAN_ASSERT(r != 0, "invalid r");
+
+ secure_vector<byte> output(2*m_order.bytes());
+ r.binary_encode(&output[output.size() / 2 - r.bytes()]);
+ s.binary_encode(&output[output.size() - s.bytes()]);
+ return output;
+ }
+
+/**
+* ECGDSA verification operation
+*/
+class ECGDSA_Verification_Operation : public PK_Ops::Verification_with_EMSA
+ {
+ public:
+ typedef ECGDSA_PublicKey Key_Type;
+
+ ECGDSA_Verification_Operation(const ECGDSA_PublicKey& ecgdsa,
+ const std::string& emsa) :
+ PK_Ops::Verification_with_EMSA(emsa),
+ m_base_point(ecgdsa.domain().get_base_point()),
+ m_public_point(ecgdsa.public_point()),
+ m_order(ecgdsa.domain().get_order()),
+ m_mod_order(m_order)
+ {
+ }
+
+ size_t message_parts() const override { return 2; }
+ size_t message_part_size() const override { return m_order.bytes(); }
+ size_t max_input_bits() const override { return m_order.bits(); }
+
+ bool with_recovery() const override { return false; }
+
+ bool verify(const byte msg[], size_t msg_len,
+ const byte sig[], size_t sig_len) override;
+ private:
+ const PointGFp& m_base_point;
+ const PointGFp& m_public_point;
+ const BigInt& m_order;
+ // FIXME: should be offered by curve
+ Modular_Reducer m_mod_order;
+ };
+
+bool ECGDSA_Verification_Operation::verify(const byte msg[], size_t msg_len,
+ const byte sig[], size_t sig_len)
+ {
+ if(sig_len != m_order.bytes()*2)
+ return false;
+
+ BigInt e(msg, msg_len);
+
+ BigInt r(sig, sig_len / 2);
+ BigInt s(sig + sig_len / 2, sig_len / 2);
+
+ if(r <= 0 || r >= m_order || s <= 0 || s >= m_order)
+ return false;
+
+ BigInt w = inverse_mod(r, m_order);
+
+ const BigInt u1 = m_mod_order.reduce(e * w);
+ const BigInt u2 = m_mod_order.reduce(s * w);
+ const PointGFp R = multi_exponentiate(m_base_point, u1, m_public_point, u2);
+
+ if(R.is_zero())
+ return false;
+
+ const BigInt v = m_mod_order.reduce(R.get_affine_x());
+ return (v == r);
+ }
+
+BOTAN_REGISTER_PK_SIGNATURE_OP("ECGDSA", ECGDSA_Signature_Operation);
+BOTAN_REGISTER_PK_VERIFY_OP("ECGDSA", ECGDSA_Verification_Operation);
+
+}
+
+}
diff --git a/src/lib/pubkey/ecgdsa/ecgdsa.h b/src/lib/pubkey/ecgdsa/ecgdsa.h
new file mode 100644
index 000000000..518adeeab
--- /dev/null
+++ b/src/lib/pubkey/ecgdsa/ecgdsa.h
@@ -0,0 +1,91 @@
+/*
+* ECGDSA (BSI-TR-03111, version 2.0)
+* (C) 2016 René Korthaus
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_ECGDSA_KEY_H__
+#define BOTAN_ECGDSA_KEY_H__
+
+#include <botan/ecc_key.h>
+
+namespace Botan {
+
+/**
+* This class represents ECGDSA public keys.
+*/
+class BOTAN_DLL ECGDSA_PublicKey : public virtual EC_PublicKey
+ {
+ public:
+
+ /**
+ * Construct a public key from a given public point.
+ * @param dom_par the domain parameters associated with this key
+ * @param public_point the public point defining this key
+ */
+ ECGDSA_PublicKey(const EC_Group& dom_par,
+ const PointGFp& public_point) :
+ EC_PublicKey(dom_par, public_point) {}
+
+ ECGDSA_PublicKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<byte>& key_bits) :
+ EC_PublicKey(alg_id, key_bits) {}
+
+ /**
+ * Get this keys algorithm name.
+ * @result this keys algorithm name ("ECGDSA")
+ */
+ std::string algo_name() const override { return "ECGDSA"; }
+
+ /**
+ * Get the maximum number of bits allowed to be fed to this key.
+ * This is the bitlength of the order of the base point.
+ * @result the maximum number of input bits
+ */
+ size_t max_input_bits() const override
+ { return domain().get_order().bits(); }
+
+ size_t message_parts() const override { return 2; }
+
+ size_t message_part_size() const override
+ { return domain().get_order().bytes(); }
+
+ protected:
+ ECGDSA_PublicKey() {}
+ };
+
+/**
+* This class represents ECGDSA private keys.
+*/
+class BOTAN_DLL ECGDSA_PrivateKey : public ECGDSA_PublicKey,
+ public EC_PrivateKey
+ {
+ public:
+
+ /**
+ * Load a private key
+ * @param alg_id the X.509 algorithm identifier
+ * @param key_bits PKCS #8 structure
+ */
+ ECGDSA_PrivateKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<byte>& key_bits) :
+ EC_PrivateKey(alg_id, key_bits, true) {}
+
+ /**
+ * Generate a new private key
+ * @param rng a random number generator
+ * @param domain parameters to used for this key
+ * @param x the private key (if zero, generate a new random key)
+ */
+ ECGDSA_PrivateKey(RandomNumberGenerator& rng,
+ const EC_Group& domain,
+ const BigInt& x = 0) :
+ EC_PrivateKey(rng, domain, x, true) {}
+
+ bool check_key(RandomNumberGenerator& rng, bool) const override;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pubkey/ecgdsa/info.txt b/src/lib/pubkey/ecgdsa/info.txt
new file mode 100644
index 000000000..9583c47d4
--- /dev/null
+++ b/src/lib/pubkey/ecgdsa/info.txt
@@ -0,0 +1,13 @@
+define ECGDSA 20160301
+
+load_on request
+
+<requires>
+asn1
+bigint
+ec_group
+ecc_key
+keypair
+numbertheory
+rng
+</requires>
diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp
index 689237a84..d2947b0c0 100644
--- a/src/lib/pubkey/pk_algs.cpp
+++ b/src/lib/pubkey/pk_algs.cpp
@@ -24,6 +24,10 @@
#include <botan/ecdsa.h>
#endif
+#if defined(BOTAN_HAS_ECGDSA)
+ #include <botan/ecgdsa.h>
+#endif
+
#if defined(BOTAN_HAS_GOST_34_10_2001)
#include <botan/gost_3410.h>
#endif
@@ -96,6 +100,11 @@ Public_Key* make_public_key(const AlgorithmIdentifier& alg_id,
return new ECDSA_PublicKey(alg_id, key_bits);
#endif
+#if defined(BOTAN_HAS_ECGDSA)
+ if(alg_name == "ECGDSA")
+ return new ECGDSA_PublicKey(alg_id, key_bits);
+#endif
+
#if defined(BOTAN_HAS_GOST_34_10_2001)
if(alg_name == "GOST-34.10")
return new GOST_3410_PublicKey(alg_id, key_bits);
@@ -162,6 +171,11 @@ Private_Key* make_private_key(const AlgorithmIdentifier& alg_id,
return new ECDSA_PrivateKey(alg_id, key_bits);
#endif
+#if defined(BOTAN_HAS_ECGDSA)
+ if(alg_name == "ECGDSA")
+ return new ECGDSA_PrivateKey(alg_id, key_bits);
+#endif
+
#if defined(BOTAN_HAS_GOST_34_10_2001)
if(alg_name == "GOST-34.10")
return new GOST_3410_PrivateKey(alg_id, key_bits);