Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/asn1/oid_lookup/default.cpp | 10 | ||||
-rw-r--r-- | src/lib/math/numbertheory/mp_numth.cpp | 14 | ||||
-rw-r--r-- | src/lib/math/numbertheory/numthry.h | 11 | ||||
-rw-r--r-- | src/lib/pubkey/ecc_key/ecc_key.cpp | 21 | ||||
-rw-r--r-- | src/lib/pubkey/ecc_key/ecc_key.h | 28 | ||||
-rw-r--r-- | src/lib/pubkey/ecdsa/ecdsa.h | 2 | ||||
-rw-r--r-- | src/lib/pubkey/ecgdsa/ecgdsa.cpp | 148 | ||||
-rw-r--r-- | src/lib/pubkey/ecgdsa/ecgdsa.h | 91 | ||||
-rw-r--r-- | src/lib/pubkey/ecgdsa/info.txt | 13 | ||||
-rw-r--r-- | src/lib/pubkey/pk_algs.cpp | 14 |
10 files changed, 341 insertions, 11 deletions
diff --git a/src/lib/asn1/oid_lookup/default.cpp b/src/lib/asn1/oid_lookup/default.cpp index fe7a42748..9e16cfc0b 100644 --- a/src/lib/asn1/oid_lookup/default.cpp +++ b/src/lib/asn1/oid_lookup/default.cpp @@ -30,6 +30,9 @@ const char* default_oid_list() "1.2.840.10045.2.1 = ECDSA" "\n" "1.3.132.1.12 = ECDH" "\n" + // ecgPublicKey (see https://www.teletrust.de/projekte/oid/) + "1.3.36.3.3.2.5.2.1 = ECGDSA" "\n" + "1.2.643.2.2.19 = GOST-34.10" "\n" // Block ciphers @@ -112,6 +115,13 @@ const char* default_oid_list() "1.2.840.10045.4.3.3 = ECDSA/EMSA1(SHA-384)" "\n" "1.2.840.10045.4.3.4 = ECDSA/EMSA1(SHA-512)" "\n" + "1.3.36.3.3.2.5.4.1 = ECGDSA/EMSA1(RIPEMD-160)" "\n" + "1.3.36.3.3.2.5.4.2 = ECGDSA/EMSA1(SHA-160)" "\n" + "1.3.36.3.3.2.5.4.3 = ECGDSA/EMSA1(SHA-224)" "\n" + "1.3.36.3.3.2.5.4.4 = ECGDSA/EMSA1(SHA-256)" "\n" + "1.3.36.3.3.2.5.4.5 = ECGDSA/EMSA1(SHA-384)" "\n" + "1.3.36.3.3.2.5.4.6 = ECGDSA/EMSA1(SHA-512)" "\n" + "1.2.643.2.2.3 = GOST-34.10/EMSA1(GOST-R-34.11-94)" "\n" "1.3.6.1.4.1.25258.2.1.1.1 = RW/EMSA2(RIPEMD-160)" "\n" diff --git a/src/lib/math/numbertheory/mp_numth.cpp b/src/lib/math/numbertheory/mp_numth.cpp index 6eb938286..3373b9ee7 100644 --- a/src/lib/math/numbertheory/mp_numth.cpp +++ b/src/lib/math/numbertheory/mp_numth.cpp @@ -71,4 +71,18 @@ BigInt sub_mul(const BigInt& a, const BigInt& b, const BigInt& c) return r; } +/* +* Multiply-Subtract Operation +*/ +BigInt mul_sub(const BigInt& a, const BigInt& b, const BigInt& c) + { + if(c.is_negative() || c.is_zero()) + throw Invalid_Argument("mul_sub: Third argument must be > 0"); + + BigInt r = a; + r *= b; + r -= c; + return r; + } + } diff --git a/src/lib/math/numbertheory/numthry.h b/src/lib/math/numbertheory/numthry.h index e1e6c65f6..591b61f6a 100644 --- a/src/lib/math/numbertheory/numthry.h +++ b/src/lib/math/numbertheory/numthry.h 
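Review bot: The guard in the new `mul_sub` rejects c == 0 as well as negative c, although (a*b)-c is well defined for zero. ECGDSA's `raw_sign` in ecgdsa.cpp passes the message representative `m` as c, so an all-zero representative makes signing throw from an arithmetic helper with a message that says nothing about the signature input. If only negative operands need excluding, `if(c.is_negative()) throw Invalid_Argument("mul_sub: Third argument must be >= 0");` is enough; a and b are not checked at all, which the comment should state if that is intentional. The doc block added for `mul_sub` in numthry.h gives the result as (a*b)-c but mentions neither the precondition on c nor the exception, so it should gain a line for each.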
@@ -37,6 +37,17 @@ BigInt BOTAN_DLL sub_mul(const BigInt& a,
 const BigInt& c);
 /**
+* Fused multiply-subtract
+* @param a an integer
+* @param b an integer
+* @param c an integer
+* @return (a*b)-c
+*/
+BigInt BOTAN_DLL mul_sub(const BigInt& a,
+ const BigInt& b,
+ const BigInt& c);
+
+/**
 * Return the absolute value
 * @param n an integer
 * @return absolute value of n
diff --git a/src/lib/pubkey/ecc_key/ecc_key.cpp b/src/lib/pubkey/ecc_key/ecc_key.cpp
index 2dca20725..befc2cc4c 100644
--- a/src/lib/pubkey/ecc_key/ecc_key.cpp
+++ b/src/lib/pubkey/ecc_key/ecc_key.cpp
@@ -33,7 +33,10 @@ EC_PublicKey::EC_PublicKey(const EC_Group& dom_par,
 }
 EC_PublicKey::EC_PublicKey(const AlgorithmIdentifier& alg_id,
- const secure_vector<byte>& key_bits) : m_domain_params{EC_Group(alg_id.parameters)}, m_public_key{OS2ECP(key_bits, domain().get_curve())}, m_domain_encoding{EC_DOMPAR_ENC_EXPLICIT}
+ const secure_vector<byte>& key_bits) :
+ m_domain_params{EC_Group(alg_id.parameters)},
+ m_public_key{OS2ECP(key_bits, domain().get_curve())},
+ m_domain_encoding{EC_DOMPAR_ENC_EXPLICIT}
 {}
 bool EC_PublicKey::check_key(RandomNumberGenerator&,
@@ -80,17 +83,23 @@ const BigInt& EC_PrivateKey::private_value() const
 */
 EC_PrivateKey::EC_PrivateKey(RandomNumberGenerator& rng,
 const EC_Group& ec_group,
- const BigInt& x)
+ const BigInt& x,
+ bool with_modular_inverse)
 {
 m_domain_params = ec_group;
 m_domain_encoding = EC_DOMPAR_ENC_EXPLICIT;
 if(x == 0)
+ {
 m_private_key = BigInt::random_integer(rng, 1, domain().get_order());
+ }
 else
+ {
 m_private_key = x;
+ }
- m_public_key = domain().get_base_point() * m_private_key;
+ m_public_key = domain().get_base_point() *
+ ((with_modular_inverse) ? inverse_mod(m_private_key, m_domain_params.get_order()) : m_private_key);
 BOTAN_ASSERT(m_public_key.on_the_curve(),
 "Generated public key point was on the curve");
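Review bot: A caller-supplied x reaches `inverse_mod(m_private_key, m_domain_params.get_order())` without a range check, so a value outside [1, order-1] (negative, or a multiple of the group order, for which no inverse exists) produces a public point that does not belong to a usable key; what inverse_mod returns in that case is not visible here. The same applies to the loaded-key constructor in the later hunk at `@@ -129,7 +139,8 @@`, where m_private_key comes from decoded key_bits. A guard before the derivation, such as `if(m_private_key <= 0 || m_private_key >= m_domain_params.get_order()) throw Invalid_Argument("EC_PrivateKey: invalid private value");`, would reject such input instead of relying on the BOTAN_ASSERT on the derived point. The inversion also runs on the secret scalar, so it is worth confirming that inverse_mod's running time does not depend on its input. The constructor body continues past the end of this hunk.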
@@ -108,7 +117,8 @@ secure_vector<byte> EC_PrivateKey::pkcs8_private_key() const
 }
 EC_PrivateKey::EC_PrivateKey(const AlgorithmIdentifier& alg_id,
- const secure_vector<byte>& key_bits)
+ const secure_vector<byte>& key_bits,
+ bool with_modular_inverse)
 {
 m_domain_params = EC_Group(alg_id.parameters);
 m_domain_encoding = EC_DOMPAR_ENC_EXPLICIT;
@@ -129,7 +139,8 @@ EC_PrivateKey::EC_PrivateKey(const AlgorithmIdentifier& alg_id,
 if(public_key_bits.empty())
 {
- m_public_key = domain().get_base_point() * m_private_key;
+ m_public_key = domain().get_base_point() *
+ ((with_modular_inverse) ? inverse_mod(m_private_key, m_domain_params.get_order()) : m_private_key);
 BOTAN_ASSERT(m_public_key.on_the_curve(),
 "Public point derived from loaded key was on the curve");
diff --git a/src/lib/pubkey/ecc_key/ecc_key.h b/src/lib/pubkey/ecc_key/ecc_key.h
index 3f93a908c..a8e77b895 100644
--- a/src/lib/pubkey/ecc_key/ecc_key.h
+++ b/src/lib/pubkey/ecc_key/ecc_key.h
@@ -96,12 +96,30 @@ class BOTAN_DLL EC_PrivateKey : public virtual EC_PublicKey,
 public virtual Private_Key
 {
 public:
- EC_PrivateKey(RandomNumberGenerator& rng,
- const EC_Group& domain,
- const BigInt& private_key);
-
+ /*
+ * If x=0, creates a new private key in the domain
+ * using the given rng. If with_modular_inverse is set,
+ * the public key will be calculated by multiplying
+ * the base point with the modular inverse of
+ * x (as in ECGDSA and ECKCDSA), otherwise by
+ * multiplying directly with x (as in ECDSA).
+ */
+ EC_PrivateKey(RandomNumberGenerator& rng,
+ const EC_Group& domain,
+ const BigInt& x,
+ bool with_modular_inverse=false);
+
+ /*
+ * Creates a new private key object from the given
+ * key_bits. If with_modular_inverse is set,
+ * the public key will be calculated by multiplying
+ * the base point with the modular inverse of
+ * x (as in ECGDSA and ECKCDSA), otherwise by
+ * multiplying directly with x (as in ECDSA).
+ */
 EC_PrivateKey(const AlgorithmIdentifier& alg_id,
- const secure_vector<byte>& key_bits);
+ const secure_vector<byte>& key_bits,
+ bool with_modular_inverse=false);
 secure_vector<byte> pkcs8_private_key() const override;
diff --git a/src/lib/pubkey/ecdsa/ecdsa.h b/src/lib/pubkey/ecdsa/ecdsa.h
index 1eb41a4b9..eed09afe6 100644
--- a/src/lib/pubkey/ecdsa/ecdsa.h
+++ b/src/lib/pubkey/ecdsa/ecdsa.h
@@ -78,7 +78,7 @@ class BOTAN_DLL ECDSA_PrivateKey : public ECDSA_PublicKey,
 * Generate a new private key
 * @param rng a random number generator
 * @param domain parameters to used for this key
- * @param x the private key (if zero, generate a ney random key)
+ * @param x the private key (if zero, generate a new random key)
 */
 ECDSA_PrivateKey(RandomNumberGenerator& rng,
 const EC_Group& domain,
diff --git a/src/lib/pubkey/ecgdsa/ecgdsa.cpp b/src/lib/pubkey/ecgdsa/ecgdsa.cpp
new file mode 100644
index 000000000..b28e3fe96
--- /dev/null
+++ b/src/lib/pubkey/ecgdsa/ecgdsa.cpp
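Review bot: The two new constructor comments in ecc_key.h open with `/*` rather than the `/**` used by the doc blocks elsewhere in this change, and neither documents its parameters. The second comment speaks of "the modular inverse of x" although that constructor has no x parameter; it should refer to the private value decoded from key_bits. Because `with_modular_inverse` decides how the public point relates to the private value, it deserves its own line, for example `* @param with_modular_inverse derive the public point from the inverse of the private value (ECGDSA, ECKCDSA) instead of the value itself (ECDSA)`. The class definition starts and ends outside the hunk.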
@@ -0,0 +1,148 @@
+/*
+* ECGDSA (BSI-TR-03111, version 2.0)
+* (C) 2016 René Korthaus
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/internal/pk_utils.h>
+#include <botan/ecgdsa.h>
+#include <botan/keypair.h>
+
+namespace Botan {
+
+bool ECGDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
+ bool strong) const
+ {
+ if(!public_point().on_the_curve())
+ return false;
+
+ if(!strong)
+ return true;
+
+ return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)");
+ }
+
+namespace {
+
+/**
+* ECGDSA signature operation
+*/
+class ECGDSA_Signature_Operation : public PK_Ops::Signature_with_EMSA
+ {
+ public:
+ typedef ECGDSA_PrivateKey Key_Type;
+
+ ECGDSA_Signature_Operation(const ECGDSA_PrivateKey& ecgdsa,
+ const std::string& emsa) :
+ PK_Ops::Signature_with_EMSA(emsa),
+ m_order(ecgdsa.domain().get_order()),
+ m_base_point(ecgdsa.domain().get_base_point(), m_order),
+ m_x(ecgdsa.private_value()),
+ m_mod_order(m_order)
+ {
+ }
+
+ secure_vector<byte> raw_sign(const byte msg[], size_t msg_len,
+ RandomNumberGenerator& rng) override;
+
+ size_t message_parts() const override { return 2; }
+ size_t message_part_size() const override { return m_order.bytes(); }
+ size_t max_input_bits() const override { return m_order.bits(); }
+
+ private:
+ const BigInt& m_order;
+ Blinded_Point_Multiply m_base_point;
+ const BigInt& m_x;
+ Modular_Reducer m_mod_order;
+ };
+
+secure_vector<byte>
+ECGDSA_Signature_Operation::raw_sign(const byte msg[], size_t msg_len,
+ RandomNumberGenerator& rng)
+ {
+ const BigInt m(msg, msg_len);
+
+ BigInt k = BigInt::random_integer(rng, 1, m_order);
+
+ const PointGFp k_times_P = m_base_point.blinded_multiply(k, rng);
+ const BigInt r = m_mod_order.reduce(k_times_P.get_affine_x());
+ const BigInt s = m_mod_order.multiply(m_x, mul_sub(k, r, m));
+
+ // With overwhelming probability, a bug rather than actual zero r/s
+ BOTAN_ASSERT(s != 0, "invalid s");
+ BOTAN_ASSERT(r != 0, "invalid r");
+
+ secure_vector<byte> output(2*m_order.bytes());
+ r.binary_encode(&output[output.size() / 2 - r.bytes()]);
+ s.binary_encode(&output[output.size() - s.bytes()]);
+ return output;
+ }
+
+/**
+* ECGDSA verification operation
+*/
+class ECGDSA_Verification_Operation : public PK_Ops::Verification_with_EMSA
+ {
+ public:
+ typedef ECGDSA_PublicKey Key_Type;
+
+ ECGDSA_Verification_Operation(const ECGDSA_PublicKey& ecgdsa,
+ const std::string& emsa) :
+ PK_Ops::Verification_with_EMSA(emsa),
+ m_base_point(ecgdsa.domain().get_base_point()),
+ m_public_point(ecgdsa.public_point()),
+ m_order(ecgdsa.domain().get_order()),
+ m_mod_order(m_order)
+ {
+ }
+
+ size_t message_parts() const override { return 2; }
+ size_t message_part_size() const override { return m_order.bytes(); }
+ size_t max_input_bits() const override { return m_order.bits(); }
+
+ bool with_recovery() const override { return false; }
+
+ bool verify(const byte msg[], size_t msg_len,
+ const byte sig[], size_t sig_len) override;
+ private:
+ const PointGFp& m_base_point;
+ const PointGFp& m_public_point;
+ const BigInt& m_order;
+ // FIXME: should be offered by curve
+ Modular_Reducer m_mod_order;
+ };
+
+bool ECGDSA_Verification_Operation::verify(const byte msg[], size_t msg_len,
+ const byte sig[], size_t sig_len)
+ {
+ if(sig_len != m_order.bytes()*2)
+ return false;
+
+ BigInt e(msg, msg_len);
+
+ BigInt r(sig, sig_len / 2);
+ BigInt s(sig + sig_len / 2, sig_len / 2);
+
+ if(r <= 0 || r >= m_order || s <= 0 || s >= m_order)
+ return false;
+
+ BigInt w = inverse_mod(r, m_order);
+
+ const BigInt u1 = m_mod_order.reduce(e * w);
+ const BigInt u2 = m_mod_order.reduce(s * w);
+ const PointGFp R = multi_exponentiate(m_base_point, u1, m_public_point, u2);
+
+ if(R.is_zero())
+ return false;
+
+ const BigInt v = m_mod_order.reduce(R.get_affine_x());
+ return (v == r);
+ }
+
+BOTAN_REGISTER_PK_SIGNATURE_OP("ECGDSA", ECGDSA_Signature_Operation);
+BOTAN_REGISTER_PK_VERIFY_OP("ECGDSA", ECGDSA_Verification_Operation);
+
+}
+
+}
diff --git a/src/lib/pubkey/ecgdsa/ecgdsa.h b/src/lib/pubkey/ecgdsa/ecgdsa.h
new file mode 100644
index 000000000..518adeeab
--- /dev/null
+++ b/src/lib/pubkey/ecgdsa/ecgdsa.h
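Review bot: The strong path of `check_key` hardcodes `"EMSA1(SHA-1)"` for the signature consistency check, which ties key validation to SHA-1 being available, while the `<requires>` list in ecgdsa/info.txt names no hash module. Prefer a current hash, `return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");`, and declare the hash dependency in info.txt. Separately, the non-strong path only tests that the public point is on the curve; it does not check that the private value lies in [1, order-1], which matters here because the public point is derived from its modular inverse.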
@@ -0,0 +1,91 @@
+/*
+* ECGDSA (BSI-TR-03111, version 2.0)
+* (C) 2016 René Korthaus
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_ECGDSA_KEY_H__
+#define BOTAN_ECGDSA_KEY_H__
+
+#include <botan/ecc_key.h>
+
+namespace Botan {
+
+/**
+* This class represents ECGDSA public keys.
+*/
+class BOTAN_DLL ECGDSA_PublicKey : public virtual EC_PublicKey
+ {
+ public:
+
+ /**
+ * Construct a public key from a given public point.
+ * @param dom_par the domain parameters associated with this key
+ * @param public_point the public point defining this key
+ */
+ ECGDSA_PublicKey(const EC_Group& dom_par,
+ const PointGFp& public_point) :
+ EC_PublicKey(dom_par, public_point) {}
+
+ ECGDSA_PublicKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<byte>& key_bits) :
+ EC_PublicKey(alg_id, key_bits) {}
+
+ /**
+ * Get this keys algorithm name.
+ * @result this keys algorithm name ("ECGDSA")
+ */
+ std::string algo_name() const override { return "ECGDSA"; }
+
+ /**
+ * Get the maximum number of bits allowed to be fed to this key.
+ * This is the bitlength of the order of the base point.
+ * @result the maximum number of input bits
+ */
+ size_t max_input_bits() const override
+ { return domain().get_order().bits(); }
+
+ size_t message_parts() const override { return 2; }
+
+ size_t message_part_size() const override
+ { return domain().get_order().bytes(); }
+
+ protected:
+ ECGDSA_PublicKey() {}
+ };
+
+/**
+* This class represents ECGDSA private keys.
+*/
+class BOTAN_DLL ECGDSA_PrivateKey : public ECGDSA_PublicKey,
+ public EC_PrivateKey
+ {
+ public:
+
+ /**
+ * Load a private key
+ * @param alg_id the X.509 algorithm identifier
+ * @param key_bits PKCS #8 structure
+ */
+ ECGDSA_PrivateKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<byte>& key_bits) :
+ EC_PrivateKey(alg_id, key_bits, true) {}
+
+ /**
+ * Generate a new private key
+ * @param rng a random number generator
+ * @param domain parameters to used for this key
+ * @param x the private key (if zero, generate a new random key)
+ */
+ ECGDSA_PrivateKey(RandomNumberGenerator& rng,
+ const EC_Group& domain,
+ const BigInt& x = 0) :
+ EC_PrivateKey(rng, domain, x, true) {}
+
+ bool check_key(RandomNumberGenerator& rng, bool) const override;
+ };
+
+}
+
+#endif
diff --git a/src/lib/pubkey/ecgdsa/info.txt b/src/lib/pubkey/ecgdsa/info.txt
new file mode 100644
index 000000000..9583c47d4
--- /dev/null
+++ b/src/lib/pubkey/ecgdsa/info.txt
@@ -0,0 +1,13 @@
+define ECGDSA 20160301
+
+load_on request
+
+<requires>
+asn1
+bigint
+ec_group
+ecc_key
+keypair
+numbertheory
+rng
+</requires>
diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp
index 689237a84..d2947b0c0 100644
--- a/src/lib/pubkey/pk_algs.cpp
+++ b/src/lib/pubkey/pk_algs.cpp
@@ -24,6 +24,10 @@
 #include <botan/ecdsa.h>
 #endif
+#if defined(BOTAN_HAS_ECGDSA)
+ #include <botan/ecgdsa.h>
+#endif
+
 #if defined(BOTAN_HAS_GOST_34_10_2001)
 #include <botan/gost_3410.h>
 #endif
@@ -96,6 +100,11 @@ Public_Key* make_public_key(const AlgorithmIdentifier& alg_id,
 return new ECDSA_PublicKey(alg_id, key_bits);
 #endif
+#if defined(BOTAN_HAS_ECGDSA)
+ if(alg_name == "ECGDSA")
+ return new ECGDSA_PublicKey(alg_id, key_bits);
+#endif
+
 #if defined(BOTAN_HAS_GOST_34_10_2001)
 if(alg_name == "GOST-34.10")
 return new GOST_3410_PublicKey(alg_id, key_bits);
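Review bot: The ECGDSA_PrivateKey constructor docs in ecgdsa.h read like the ECDSA ones and do not say that the public point is the base point multiplied by the inverse of x modulo the group order, which is the one fact a caller importing key material needs. Extend the existing line to something like `* @param x the private key (if zero, generate a new random key); the public point is derived from the modular inverse of x`. `ECGDSA_PublicKey(const AlgorithmIdentifier&, const secure_vector<byte>&)` has no doc block at all, unlike the constructor above it, and should get one naming alg_id and key_bits.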
@@ -162,6 +171,11 @@ Private_Key* make_private_key(const AlgorithmIdentifier& alg_id,
 return new ECDSA_PrivateKey(alg_id, key_bits);
 #endif
+#if defined(BOTAN_HAS_ECGDSA)
+ if(alg_name == "ECGDSA")
+ return new ECGDSA_PrivateKey(alg_id, key_bits);
+#endif
+
 #if defined(BOTAN_HAS_GOST_34_10_2001)
 if(alg_name == "GOST-34.10")
 return new GOST_3410_PrivateKey(alg_id, key_bits); |