From e14d6a0489ee290d289cf276fa3ff94044191af7 Mon Sep 17 00:00:00 2001 From: René Korthaus Date: Wed, 13 Apr 2016 19:07:33 +0200 Subject: Add ECKCDSA signature algorithm --- src/lib/pubkey/dsa/dsa.cpp | 3 +- src/lib/pubkey/ecdsa/ecdsa.cpp | 3 +- src/lib/pubkey/eckcdsa/eckcdsa.cpp | 201 +++++++++++++++++++++++++++++++++++++ src/lib/pubkey/eckcdsa/eckcdsa.h | 91 +++++++++++++++++ src/lib/pubkey/eckcdsa/info.txt | 13 +++ src/lib/pubkey/pk_algs.cpp | 14 +++ src/lib/pubkey/pk_ops.cpp | 28 +++++- src/lib/pubkey/pk_ops_impl.h | 37 ++++++- src/lib/pubkey/rfc6979/rfc6979.cpp | 14 --- src/lib/pubkey/rfc6979/rfc6979.h | 2 - 10 files changed, 382 insertions(+), 24 deletions(-) create mode 100644 src/lib/pubkey/eckcdsa/eckcdsa.cpp create mode 100644 src/lib/pubkey/eckcdsa/eckcdsa.h create mode 100644 src/lib/pubkey/eckcdsa/info.txt (limited to 'src/lib/pubkey') diff --git a/src/lib/pubkey/dsa/dsa.cpp b/src/lib/pubkey/dsa/dsa.cpp index c7d44c73a..6e0618fa2 100644 --- a/src/lib/pubkey/dsa/dsa.cpp +++ b/src/lib/pubkey/dsa/dsa.cpp @@ -13,6 +13,7 @@ #include #if defined(BOTAN_HAS_RFC6979_GENERATOR) #include + #include #endif #include @@ -115,7 +116,7 @@ DSA_Signature_Operation::raw_sign(const byte msg[], size_t msg_len, i -= m_q; #if defined(BOTAN_HAS_RFC6979_GENERATOR) - const BigInt k = generate_rfc6979_nonce(m_x, m_q, i, hash_for_deterministic_signature(m_emsa)); + const BigInt k = generate_rfc6979_nonce(m_x, m_q, i, hash_for_emsa(m_emsa)); #else const BigInt k = BigInt::random_integer(rng, 1, m_q); #endif diff --git a/src/lib/pubkey/ecdsa/ecdsa.cpp b/src/lib/pubkey/ecdsa/ecdsa.cpp index 53b5982e0..14f902c13 100644 --- a/src/lib/pubkey/ecdsa/ecdsa.cpp +++ b/src/lib/pubkey/ecdsa/ecdsa.cpp @@ -13,6 +13,7 @@ #include #if defined(BOTAN_HAS_RFC6979_GENERATOR) #include + #include #endif namespace Botan { @@ -72,7 +73,7 @@ ECDSA_Signature_Operation::raw_sign(const byte msg[], size_t msg_len, const BigInt m(msg, msg_len); #if defined(BOTAN_HAS_RFC6979_GENERATOR) - const BigInt k = generate_rfc6979_nonce(m_x, m_order, m, hash_for_deterministic_signature(m_emsa)); + const BigInt k = generate_rfc6979_nonce(m_x, m_order, m, hash_for_emsa(m_emsa)); #else const BigInt k = BigInt::random_integer(rng, 1, m_order); #endif diff --git a/src/lib/pubkey/eckcdsa/eckcdsa.cpp b/src/lib/pubkey/eckcdsa/eckcdsa.cpp new file mode 100644 index 000000000..83439332e --- /dev/null +++ b/src/lib/pubkey/eckcdsa/eckcdsa.cpp @@ -0,0 +1,201 @@ +/* +* ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009) +* (C) 2016 René Korthaus, Sirrix AG +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include +#include +#include +#include +#include + +namespace Botan { + +bool ECKCDSA_PrivateKey::check_key(RandomNumberGenerator& rng, + bool strong) const + { + if(!public_point().on_the_curve()) + { + return false; + } + + if(!strong) + { + return true; + } + + return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)"); + } + +namespace { + +/** +* ECKCDSA signature operation +*/ +class ECKCDSA_Signature_Operation : public PK_Ops::Signature_with_EMSA + { + public: + typedef ECKCDSA_PrivateKey Key_Type; + + ECKCDSA_Signature_Operation(const ECKCDSA_PrivateKey& eckcdsa, + const std::string& emsa) : + PK_Ops::Signature_with_EMSA(emsa), + m_order(eckcdsa.domain().get_order()), + m_base_point(eckcdsa.domain().get_base_point(), m_order), + m_x(eckcdsa.private_value()), + m_mod_order(m_order), + m_prefix() + { + const BigInt public_point_x = eckcdsa.public_point().get_affine_x(); + const BigInt public_point_y = eckcdsa.public_point().get_affine_y(); + + m_prefix.resize(public_point_x.bytes() + public_point_y.bytes()); + public_point_x.binary_encode(m_prefix.data()); + public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]); + m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits + } + + secure_vector raw_sign(const byte msg[], size_t msg_len, + RandomNumberGenerator& rng) override; + + size_t message_parts() const override { return 2; } + size_t message_part_size() const override { return m_order.bytes(); } + size_t max_input_bits() const override { return m_order.bits(); } + + bool has_prefix() override { return true; } + secure_vector message_prefix() const override { return m_prefix; } + + private: + const BigInt& m_order; + Blinded_Point_Multiply m_base_point; + const BigInt& m_x; + Modular_Reducer m_mod_order; + secure_vector m_prefix; + }; + +secure_vector +ECKCDSA_Signature_Operation::raw_sign(const byte msg[], size_t, + RandomNumberGenerator& rng) + { + const BigInt k = BigInt::random_integer(rng, 1, m_order); + const PointGFp k_times_P = m_base_point.blinded_multiply(k, rng); + const BigInt k_times_P_x = k_times_P.get_affine_x(); + + secure_vector to_be_hashed(k_times_P_x.bytes()); + k_times_P_x.binary_encode(to_be_hashed.data()); + + std::unique_ptr emsa(m_emsa->clone()); + emsa->update(to_be_hashed.data(), to_be_hashed.size()); + secure_vector c = emsa->raw_data(); + c = emsa->encoding_of(c, max_input_bits(), rng); + + const BigInt r(c.data(), c.size()); + + xor_buf(c, msg, c.size()); + BigInt w(c.data(), c.size()); + w = m_mod_order.reduce(w); + + const BigInt s = m_mod_order.multiply(m_x, k - w); + BOTAN_ASSERT(s != 0, "invalid s"); + + secure_vector signature(r.bytes() + s.bytes()); + r.binary_encode(signature.data()); + s.binary_encode(&signature[r.bytes()]); + return signature; + } + +/** +* ECKCDSA verification operation +*/ +class ECKCDSA_Verification_Operation : public PK_Ops::Verification_with_EMSA + { + public: + typedef ECKCDSA_PublicKey Key_Type; + + ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa, + const std::string& emsa) : + PK_Ops::Verification_with_EMSA(emsa), + m_base_point(eckcdsa.domain().get_base_point()), + m_public_point(eckcdsa.public_point()), + m_order(eckcdsa.domain().get_order()), + m_mod_order(m_order), + m_prefix() + { + const BigInt public_point_x = m_public_point.get_affine_x(); + const BigInt public_point_y = m_public_point.get_affine_y(); + + m_prefix.resize(public_point_x.bytes() + public_point_y.bytes()); + public_point_x.binary_encode(&m_prefix[0]); + public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]); + m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits + } + + bool has_prefix() override { return true; } + secure_vector message_prefix() const override { return m_prefix; } + + size_t message_parts() const override { return 2; } + size_t message_part_size() const override { return m_order.bytes(); } + size_t max_input_bits() const override { return m_order.bits(); } + + bool with_recovery() const override { return false; } + + bool verify(const byte msg[], size_t msg_len, + const byte sig[], size_t sig_len) override; + private: + const PointGFp& m_base_point; + const PointGFp& m_public_point; + const BigInt& m_order; + // FIXME: should be offered by curve + Modular_Reducer m_mod_order; + secure_vector m_prefix; + }; + +bool ECKCDSA_Verification_Operation::verify(const byte msg[], size_t, + const byte sig[], size_t sig_len) + { + // check that bit length of r is equal to output bit length of employed hash function h + const std::unique_ptr hash = HashFunction::create(hash_for_signature()); + + // no way to know size of r in sig, so check that we have at least hash->output_length()+1 + // bytes in sig, enough for r and an arbitrary size s + if(sig_len <= hash->output_length()) + { + return false; + } + + secure_vector r(sig, sig + hash->output_length()); + + // check that 0 < s < q + const BigInt s(sig + hash->output_length(), sig_len - hash->output_length()); + + if(s <= 0 || s >= m_order) + { + return false; + } + + secure_vector r_xor_e(r); + xor_buf(r_xor_e, msg, r.size()); + BigInt w(r_xor_e.data(), r_xor_e.size()); + w = m_mod_order.reduce(w); + + const PointGFp q = (m_base_point * w) + (m_public_point * s); + const BigInt q_x = q.get_affine_x(); + secure_vector c(q_x.bytes()); + q_x.binary_encode(c.data()); + std::unique_ptr emsa(m_emsa->clone()); + emsa->update(c.data(), c.size()); + secure_vector v = emsa->raw_data(); + Null_RNG rng; + v = emsa->encoding_of(v, max_input_bits(), rng); + + return (v == r); + } + +BOTAN_REGISTER_PK_SIGNATURE_OP("ECKCDSA", ECKCDSA_Signature_Operation); +BOTAN_REGISTER_PK_VERIFY_OP("ECKCDSA", ECKCDSA_Verification_Operation); + +} + +} diff --git a/src/lib/pubkey/eckcdsa/eckcdsa.h b/src/lib/pubkey/eckcdsa/eckcdsa.h new file mode 100644 index 000000000..b85c4025e --- /dev/null +++ b/src/lib/pubkey/eckcdsa/eckcdsa.h @@ -0,0 +1,91 @@ +/* +* ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009) +* (C) 2016 René Korthaus, Sirrix AG +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_ECKCDSA_KEY_H__ +#define BOTAN_ECKCDSA_KEY_H__ + +#include + +namespace Botan { + +/** +* This class represents ECKCDSA public keys. +*/ +class BOTAN_DLL ECKCDSA_PublicKey : public virtual EC_PublicKey + { + public: + + /** + * Construct a public key from a given public point. + * @param dom_par the domain parameters associated with this key + * @param public_point the public point defining this key + */ + ECKCDSA_PublicKey(const EC_Group& dom_par, + const PointGFp& public_point) : + EC_PublicKey(dom_par, public_point) {} + + ECKCDSA_PublicKey(const AlgorithmIdentifier& alg_id, + const secure_vector& key_bits) : + EC_PublicKey(alg_id, key_bits) {} + + /** + * Get this keys algorithm name. + * @result this keys algorithm name ("ECGDSA") + */ + std::string algo_name() const override { return "ECKCDSA"; } + + /** + * Get the maximum number of bits allowed to be fed to this key. + * This is the bitlength of the order of the base point. + * @result the maximum number of input bits + */ + size_t max_input_bits() const override + { return domain().get_order().bits(); } + + size_t message_parts() const override { return 2; } + + size_t message_part_size() const override + { return domain().get_order().bytes(); } + + protected: + ECKCDSA_PublicKey() {} + }; + +/** +* This class represents ECKCDSA private keys. +*/ +class BOTAN_DLL ECKCDSA_PrivateKey : public ECKCDSA_PublicKey, + public EC_PrivateKey + { + public: + + /** + * Load a private key + * @param alg_id the X.509 algorithm identifier + * @param key_bits PKCS #8 structure + */ + ECKCDSA_PrivateKey(const AlgorithmIdentifier& alg_id, + const secure_vector& key_bits) : + EC_PrivateKey(alg_id, key_bits, true) {} + + /** + * Generate a new private key + * @param rng a random number generator + * @param domain parameters to used for this key + * @param x the private key (if zero, generate a new random key) + */ + ECKCDSA_PrivateKey(RandomNumberGenerator& rng, + const EC_Group& domain, + const BigInt& x = 0) : + EC_PrivateKey(rng, domain, x, true) {} + + bool check_key(RandomNumberGenerator& rng, bool) const override; + }; + +} + +#endif diff --git a/src/lib/pubkey/eckcdsa/info.txt b/src/lib/pubkey/eckcdsa/info.txt new file mode 100644 index 000000000..d3df354b1 --- /dev/null +++ b/src/lib/pubkey/eckcdsa/info.txt @@ -0,0 +1,13 @@ +define ECKCDSA 20160413 + + +asn1 +bigint +ec_group +ecc_key +hash +keypair +numbertheory +pk_pad +rng + diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp index d2947b0c0..9dbde28af 100644 --- a/src/lib/pubkey/pk_algs.cpp +++ b/src/lib/pubkey/pk_algs.cpp @@ -28,6 +28,10 @@ #include #endif +#if defined(BOTAN_HAS_ECKCDSA) + #include +#endif + #if defined(BOTAN_HAS_GOST_34_10_2001) #include #endif @@ -105,6 +109,11 @@ Public_Key* make_public_key(const AlgorithmIdentifier& alg_id, return new ECGDSA_PublicKey(alg_id, key_bits); #endif +#if defined(BOTAN_HAS_ECKCDSA) + if(alg_name == "ECKCDSA") + return new ECKCDSA_PublicKey(alg_id, key_bits); +#endif + #if defined(BOTAN_HAS_GOST_34_10_2001) if(alg_name == "GOST-34.10") return new GOST_3410_PublicKey(alg_id, key_bits); @@ -176,6 +185,11 @@ Private_Key* make_private_key(const AlgorithmIdentifier& alg_id, return new ECGDSA_PrivateKey(alg_id, key_bits); #endif +#if defined(BOTAN_HAS_ECKCDSA) + if(alg_name == "ECKCDSA") + return new ECKCDSA_PrivateKey(alg_id, key_bits); +#endif + #if defined(BOTAN_HAS_GOST_34_10_2001) if(alg_name == "GOST-34.10") return new GOST_3410_PrivateKey(alg_id, key_bits); diff --git a/src/lib/pubkey/pk_ops.cpp b/src/lib/pubkey/pk_ops.cpp index 654b68255..1017518a7 100644 --- a/src/lib/pubkey/pk_ops.cpp +++ b/src/lib/pubkey/pk_ops.cpp @@ -76,9 +76,12 @@ secure_vector PK_Ops::Key_Agreement_with_KDF::agree(size_t key_len, return z; } -PK_Ops::Signature_with_EMSA::Signature_with_EMSA(const std::string& emsa) +PK_Ops::Signature_with_EMSA::Signature_with_EMSA(const std::string& emsa) : + Signature(), + m_emsa(get_emsa(emsa)), + m_hash(hash_for_emsa(emsa)), + m_prefix_used(false) { - m_emsa.reset(get_emsa(emsa)); if(!m_emsa) throw Algorithm_Not_Found(emsa); } @@ -87,19 +90,29 @@ PK_Ops::Signature_with_EMSA::~Signature_with_EMSA() {} void PK_Ops::Signature_with_EMSA::update(const byte msg[], size_t msg_len) { + if(has_prefix() && !m_prefix_used) + { + m_prefix_used = true; + secure_vector prefix = message_prefix(); + m_emsa->update(prefix.data(), prefix.size()); + } m_emsa->update(msg, msg_len); } secure_vector PK_Ops::Signature_with_EMSA::sign(RandomNumberGenerator& rng) { + m_prefix_used = false; const secure_vector msg = m_emsa->raw_data(); const auto padded = m_emsa->encoding_of(msg, this->max_input_bits(), rng); return raw_sign(padded.data(), padded.size(), rng); } -PK_Ops::Verification_with_EMSA::Verification_with_EMSA(const std::string& emsa) +PK_Ops::Verification_with_EMSA::Verification_with_EMSA(const std::string& emsa) : + Verification(), + m_emsa(get_emsa(emsa)), + m_hash(hash_for_emsa(emsa)), + m_prefix_used(false) { - m_emsa.reset(get_emsa(emsa)); if(!m_emsa) throw Algorithm_Not_Found(emsa); } @@ -108,11 +121,18 @@ PK_Ops::Verification_with_EMSA::~Verification_with_EMSA() {} void PK_Ops::Verification_with_EMSA::update(const byte msg[], size_t msg_len) { + if(has_prefix() && !m_prefix_used) + { + m_prefix_used = true; + secure_vector prefix = message_prefix(); + m_emsa->update(prefix.data(), prefix.size()); + } m_emsa->update(msg, msg_len); } bool PK_Ops::Verification_with_EMSA::is_valid_signature(const byte sig[], size_t sig_len) { + m_prefix_used = false; const secure_vector msg = m_emsa->raw_data(); if(with_recovery()) diff --git a/src/lib/pubkey/pk_ops_impl.h b/src/lib/pubkey/pk_ops_impl.h index 81637a81c..9d02de5e5 100644 --- a/src/lib/pubkey/pk_ops_impl.h +++ b/src/lib/pubkey/pk_ops_impl.h @@ -58,11 +58,24 @@ class Verification_with_EMSA : public Verification bool do_check(const secure_vector& msg, const byte sig[], size_t sig_len); + std::string hash_for_signature() { return m_hash; } protected: explicit Verification_with_EMSA(const std::string& emsa); ~Verification_with_EMSA(); + /** + * @return boolean specifying if this signature scheme uses + * a message prefix returned by message_prefix() + */ + virtual bool has_prefix() { return false; } + + /** + * @return the message prefix if this signature scheme uses + * a message prefix, signaled via has_prefix() + */ + virtual secure_vector message_prefix() const { throw Exception( "No prefix" ); } + /** * @return boolean specifying if this key type supports message * recovery and thus if you need to call verify() or verify_mr() @@ -95,8 +108,11 @@ class Verification_with_EMSA : public Verification throw Invalid_State("Message recovery not supported"); } - private: std::unique_ptr m_emsa; + + private: + const std::string m_hash; + bool m_prefix_used; }; class Signature_with_EMSA : public Signature @@ -108,6 +124,22 @@ class Signature_with_EMSA : public Signature protected: explicit Signature_with_EMSA(const std::string& emsa); ~Signature_with_EMSA(); + + std::string hash_for_signature() { return m_hash; } + + /** + * @return boolean specifying if this signature scheme uses + * a message prefix returned by message_prefix() + */ + virtual bool has_prefix() { return false; } + + /** + * @return the message prefix if this signature scheme uses + * a message prefix, signaled via has_prefix() + */ + virtual secure_vector message_prefix() const { throw Exception( "No prefix" ); } + + std::unique_ptr m_emsa; private: /** @@ -122,7 +154,8 @@ class Signature_with_EMSA : public Signature virtual secure_vector raw_sign(const byte msg[], size_t msg_len, RandomNumberGenerator& rng) = 0; - std::unique_ptr m_emsa; + const std::string m_hash; + bool m_prefix_used; }; class Key_Agreement_with_KDF : public Key_Agreement diff --git a/src/lib/pubkey/rfc6979/rfc6979.cpp b/src/lib/pubkey/rfc6979/rfc6979.cpp index f749b039f..0b26aadb5 100644 --- a/src/lib/pubkey/rfc6979/rfc6979.cpp +++ b/src/lib/pubkey/rfc6979/rfc6979.cpp @@ -8,23 +8,9 @@ #include #include #include -#include namespace Botan { -std::string hash_for_deterministic_signature(const std::string& emsa) - { - SCAN_Name emsa_name(emsa); - - if(emsa_name.arg_count() > 0) - { - const std::string pos_hash = emsa_name.arg(0); - return pos_hash; - } - - return "SHA-512"; // safe default if nothing we understand - } - RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(const std::string& hash, const BigInt& order, const BigInt& x) : diff --git a/src/lib/pubkey/rfc6979/rfc6979.h b/src/lib/pubkey/rfc6979/rfc6979.h index 5b3dee8ef..32728befb 100644 --- a/src/lib/pubkey/rfc6979/rfc6979.h +++ b/src/lib/pubkey/rfc6979/rfc6979.h @@ -46,8 +46,6 @@ BigInt BOTAN_DLL generate_rfc6979_nonce(const BigInt& x, const BigInt& h, const std::string& hash); -std::string hash_for_deterministic_signature(const std::string& emsa); - } #endif -- cgit v1.2.3