Botan 3.5.0
Crypto and TLS for C&
eckcdsa.cpp
Go to the documentation of this file.
1/*
2* ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009)
3* (C) 2016 René Korthaus, Sirrix AG
4* (C) 2018 Jack Lloyd
5* (C) 2023 Philippe Lieser - Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/eckcdsa.h>
11
12#include <botan/hash.h>
13#include <botan/reducer.h>
14#include <botan/rng.h>
15#include <botan/internal/fmt.h>
16#include <botan/internal/keypair.h>
17#include <botan/internal/parsing.h>
18#include <botan/internal/pk_ops_impl.h>
19#include <botan/internal/point_mul.h>
20#include <botan/internal/scan_name.h>
21#include <botan/internal/stl_util.h>
22
23namespace Botan {
24
25std::unique_ptr<Public_Key> ECKCDSA_PrivateKey::public_key() const {
26 return std::make_unique<ECKCDSA_PublicKey>(domain(), public_point());
27}
28
30 if(!EC_PrivateKey::check_key(rng, strong)) {
31 return false;
32 }
33
34 if(!strong) {
35 return true;
36 }
37
38 return KeyPair::signature_consistency_check(rng, *this, "SHA-256");
39}
40
41namespace {
42
43std::unique_ptr<HashFunction> eckcdsa_signature_hash(std::string_view padding) {
44 if(auto hash = HashFunction::create(padding)) {
45 return hash;
46 }
47
48 SCAN_Name req(padding);
49
50 if(req.algo_name() == "EMSA1" && req.arg_count() == 1) {
51 if(auto hash = HashFunction::create(req.arg(0))) {
52 return hash;
53 }
54 }
55
56 // intentionally not supporting Raw for ECKCDSA, we need to know
57 // the length in advance which complicates the logic for Raw
58
59 throw Algorithm_Not_Found(padding);
60}
61
62std::unique_ptr<HashFunction> eckcdsa_signature_hash(const AlgorithmIdentifier& alg_id) {
63 const auto oid_info = split_on(alg_id.oid().to_formatted_string(), '/');
64
65 if(oid_info.size() != 2 || oid_info[0] != "ECKCDSA") {
66 throw Decoding_Error(fmt("Unexpected AlgorithmIdentifier OID {} in association with ECKCDSA key", alg_id.oid()));
67 }
68
69 if(!alg_id.parameters_are_empty()) {
70 throw Decoding_Error("Unexpected non-empty AlgorithmIdentifier parameters for ECKCDSA");
71 }
72
73 return HashFunction::create_or_throw(oid_info[1]);
74}
75
76std::vector<uint8_t> eckcdsa_prefix(const EC_Point& point, size_t hash_block_size) {
77 auto prefix = concat<std::vector<uint8_t>>(point.x_bytes(), point.y_bytes());
78
79 // Either truncate or zero-extend to match the hash block size
80 prefix.resize(hash_block_size);
81
82 return prefix;
83}
84
85/**
86 * @brief Truncate hash output if needed.
87 *
88 * If the output length of the hash function exceeds the size of the group order,
89 * ISO/IEC 14888-3:2018 specifies a truncation of the hash output
90 * when calculating the witness R (the first part of the signature) and H.
91 *
92 * The truncation is specified as follows:
93 *
94 * R = I2BS(beta', BS2I(gamma, R) mod 2^beta')
95 * H = I2BS(beta', BS2I(gamma, H) mod 2^beta')
96 *
97 * where
98 * - gamma: the output bit-length of the hash-function
99 * - beta: the bit-length of the prime number q (i.e. the group order size)
100 * - beta' = 8 * ceil(beta / 8)
101 *
102 * This essentially means a truncation on the byte level
103 * happens from the low side of the hash.
104 *
105 * @param[in,out] digest The hash output to potentially truncate.
106 * @param[in] group_order_bytes Size of the group order.
107 */
108void truncate_hash_if_needed(secure_vector<uint8_t>& digest, size_t group_order_bytes) {
109 if(digest.size() > group_order_bytes) {
110 const size_t bytes_to_truncate = digest.size() - group_order_bytes;
111 digest.erase(digest.begin(), digest.begin() + bytes_to_truncate);
112 }
113}
114
115/**
116* ECKCDSA signature operation
117*/
118class ECKCDSA_Signature_Operation final : public PK_Ops::Signature {
119 public:
120 ECKCDSA_Signature_Operation(const ECKCDSA_PrivateKey& eckcdsa, std::string_view padding) :
121 m_group(eckcdsa.domain()),
122 m_x(eckcdsa.private_value()),
123 m_hash(eckcdsa_signature_hash(padding)),
124 m_prefix_used(false) {
125 m_prefix = eckcdsa_prefix(eckcdsa.public_point(), m_hash->hash_block_size());
126 }
127
128 void update(const uint8_t msg[], size_t msg_len) override {
129 if(!m_prefix_used) {
130 m_hash->update(m_prefix.data(), m_prefix.size());
131 m_prefix_used = true;
132 }
133 m_hash->update(msg, msg_len);
134 }
135
136 secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override {
137 m_prefix_used = false;
138 secure_vector<uint8_t> digest = m_hash->final();
139 truncate_hash_if_needed(digest, m_group.get_order_bytes());
140 return raw_sign(digest.data(), digest.size(), rng);
141 }
142
143 size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }
144
145 AlgorithmIdentifier algorithm_identifier() const override;
146
147 std::string hash_function() const override { return m_hash->name(); }
148
149 private:
150 secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, RandomNumberGenerator& rng);
151
152 const EC_Group m_group;
153 const BigInt m_x;
154 std::unique_ptr<HashFunction> m_hash;
155 std::vector<uint8_t> m_prefix;
156 std::vector<BigInt> m_ws;
157 bool m_prefix_used;
158};
159
160AlgorithmIdentifier ECKCDSA_Signature_Operation::algorithm_identifier() const {
161 const std::string full_name = "ECKCDSA/" + m_hash->name();
162 const OID oid = OID::from_string(full_name);
163 return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
164}
165
166secure_vector<uint8_t> ECKCDSA_Signature_Operation::raw_sign(const uint8_t msg[],
167 size_t msg_len,
168 RandomNumberGenerator& rng) {
169 const BigInt k = m_group.random_scalar(rng);
170 const BigInt k_times_P_x = m_group.blinded_base_point_multiply_x(k, rng, m_ws);
171
172 auto hash = m_hash->new_object();
173 hash->update(k_times_P_x.serialize(m_group.get_order_bytes()));
174 secure_vector<uint8_t> c = hash->final();
175 truncate_hash_if_needed(c, m_group.get_order_bytes());
176
177 const auto r = c;
178
179 BOTAN_ASSERT_NOMSG(msg_len == c.size());
180 xor_buf(c, msg, c.size());
181 const BigInt w = m_group.mod_order(BigInt::from_bytes(c));
182
183 const BigInt s = m_group.multiply_mod_order(m_x, k - w);
184 if(s.is_zero()) {
185 throw Internal_Error("During ECKCDSA signature generation created zero s");
186 }
187
188 return concat(r, s.serialize(m_group.get_order_bytes()));
189}
190
191/**
192* ECKCDSA verification operation
193*/
194class ECKCDSA_Verification_Operation final : public PK_Ops::Verification {
195 public:
196 ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa, std::string_view padding) :
197 m_group(eckcdsa.domain()),
198 m_gy_mul(m_group.get_base_point(), eckcdsa.public_point()),
199 m_hash(eckcdsa_signature_hash(padding)),
200 m_prefix_used(false) {
201 m_prefix = eckcdsa_prefix(eckcdsa.public_point(), m_hash->hash_block_size());
202 }
203
204 ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa, const AlgorithmIdentifier& alg_id) :
205 m_group(eckcdsa.domain()),
206 m_gy_mul(m_group.get_base_point(), eckcdsa.public_point()),
207 m_hash(eckcdsa_signature_hash(alg_id)),
208 m_prefix_used(false) {
209 m_prefix = eckcdsa_prefix(eckcdsa.public_point(), m_hash->hash_block_size());
210 }
211
212 void update(const uint8_t msg[], size_t msg_len) override;
213
214 bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
215
216 std::string hash_function() const override { return m_hash->name(); }
217
218 private:
219 bool verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len);
220
221 const EC_Group m_group;
222 const EC_Point_Multi_Point_Precompute m_gy_mul;
223 std::vector<uint8_t> m_prefix;
224 std::unique_ptr<HashFunction> m_hash;
225 bool m_prefix_used;
226};
227
228void ECKCDSA_Verification_Operation::update(const uint8_t msg[], size_t msg_len) {
229 if(!m_prefix_used) {
230 m_prefix_used = true;
231 m_hash->update(m_prefix.data(), m_prefix.size());
232 }
233 m_hash->update(msg, msg_len);
234}
235
236bool ECKCDSA_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len) {
237 m_prefix_used = false;
238 secure_vector<uint8_t> digest = m_hash->final();
239 truncate_hash_if_needed(digest, m_group.get_order_bytes());
240 return verify(digest.data(), digest.size(), sig, sig_len);
241}
242
243bool ECKCDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) {
244 //calculate size of r
245
246 const size_t order_bytes = m_group.get_order_bytes();
247
248 const size_t size_r = std::min(msg_len, order_bytes);
249 if(sig_len != size_r + order_bytes) {
250 return false;
251 }
252
253 secure_vector<uint8_t> r(sig, sig + size_r);
254
255 // check that 0 < s < q
256 const BigInt s(sig + size_r, order_bytes);
257
258 if(s <= 0 || s >= m_group.get_order()) {
259 return false;
260 }
261
262 secure_vector<uint8_t> r_xor_e(r);
263 xor_buf(r_xor_e, msg, r.size());
264
265 const BigInt w = m_group.mod_order(BigInt::from_bytes(r_xor_e));
266
267 const EC_Point q = m_gy_mul.multi_exp(w, s);
268 if(q.is_zero()) {
269 return false;
270 }
271
272 auto c_hash = m_hash->new_object();
273 c_hash->update(q.x_bytes());
274 secure_vector<uint8_t> v = c_hash->final();
275 truncate_hash_if_needed(v, m_group.get_order_bytes());
276
277 return (v == r);
278}
279
280} // namespace
281
282std::unique_ptr<Private_Key> ECKCDSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
283 return std::make_unique<ECKCDSA_PrivateKey>(rng, domain());
284}
285
286std::unique_ptr<PK_Ops::Verification> ECKCDSA_PublicKey::create_verification_op(std::string_view params,
287 std::string_view provider) const {
288 if(provider == "base" || provider.empty()) {
289 return std::make_unique<ECKCDSA_Verification_Operation>(*this, params);
290 }
291 throw Provider_Not_Found(algo_name(), provider);
292}
293
294std::unique_ptr<PK_Ops::Verification> ECKCDSA_PublicKey::create_x509_verification_op(
295 const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
296 if(provider == "base" || provider.empty()) {
297 return std::make_unique<ECKCDSA_Verification_Operation>(*this, signature_algorithm);
298 }
299
300 throw Provider_Not_Found(algo_name(), provider);
301}
302
303std::unique_ptr<PK_Ops::Signature> ECKCDSA_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
304 std::string_view params,
305 std::string_view provider) const {
306 if(provider == "base" || provider.empty()) {
307 return std::make_unique<ECKCDSA_Signature_Operation>(*this, params);
308 }
309 throw Provider_Not_Found(algo_name(), provider);
310}
311
312} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition eckcdsa.cpp:303
std::unique_ptr< Public_Key > public_key() const override
Definition eckcdsa.cpp:25
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition eckcdsa.cpp:29
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
Definition eckcdsa.cpp:294
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition eckcdsa.cpp:286
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition eckcdsa.cpp:282
BigInt blinded_base_point_multiply_x(const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
Definition ec_group.cpp:648
BigInt mod_order(const BigInt &x) const
Definition ec_group.cpp:587
BigInt multiply_mod_order(const BigInt &x, const BigInt &y) const
Definition ec_group.cpp:599
const BigInt & get_order() const
Definition ec_group.cpp:571
BigInt random_scalar(RandomNumberGenerator &rng) const
Definition ec_group.cpp:659
size_t get_order_bytes() const
Definition ec_group.cpp:551
EC_Point multi_exp(const BigInt &k1, const BigInt &k2) const
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition ecc_key.cpp:171
const EC_Group & domain() const
Definition ecc_key.h:56
const EC_Point & public_point() const
Definition ecc_key.h:40
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
static std::unique_ptr< HashFunction > create(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:107
int(* update)(CTX *, const void *, CC_LONG len)
int(* final)(unsigned char *, CTX *)
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
Definition keypair.cpp:49
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:262
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61