Botan::TLS::Hybrid_KEM_PublicKey Class Reference

#include <hybrid_public_key.h>

Inheritance diagram for Botan::TLS::Hybrid_KEM_PublicKey:

Public Member Functions
std::string	algo_name () const override
AlgorithmIdentifier	algorithm_identifier () const override
bool	check_key (RandomNumberGenerator &rng, bool strong) const override
virtual std::unique_ptr< PK_Ops::Encryption >	create_encryption_op (RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const
std::unique_ptr< PK_Ops::KEM_Encryption >	create_kem_encryption_op (std::string_view kdf, std::string_view provider="base") const override
virtual std::unique_ptr< PK_Ops::Verification >	create_verification_op (std::string_view params, std::string_view provider) const
virtual std::unique_ptr< PK_Ops::Verification >	create_x509_verification_op (const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const
virtual Signature_Format	default_x509_signature_format () const
size_t	estimated_strength () const override
std::string	fingerprint_public (std::string_view alg="SHA-256") const
std::unique_ptr< Private_Key >	generate_another (RandomNumberGenerator &rng) const final
virtual const BigInt &	get_int_field (std::string_view field) const
OID	get_oid () const
	Hybrid_KEM_PublicKey (const Hybrid_KEM_PublicKey &)=delete
	Hybrid_KEM_PublicKey (Hybrid_KEM_PublicKey &&)=default
	Hybrid_KEM_PublicKey (std::vector< std::unique_ptr< Public_Key > > pks)
size_t	key_length () const override
virtual size_t	message_part_size () const
virtual size_t	message_parts () const
virtual OID	object_identifier () const
Hybrid_KEM_PublicKey &	operator= (const Hybrid_KEM_PublicKey &)=delete
Hybrid_KEM_PublicKey &	operator= (Hybrid_KEM_PublicKey &&)=default
std::vector< uint8_t >	public_key_bits () const override
const auto &	public_keys () const
std::vector< uint8_t >	public_value () const
std::vector< uint8_t >	subject_public_key () const
bool	supports_operation (PublicKeyOperation op) const override
	~Hybrid_KEM_PublicKey ()=default

Static Public Member Functions
static std::unique_ptr< Hybrid_KEM_PublicKey >	load_for_group (Group_Params group, std::span< const uint8_t > concatenated_public_values)

Protected Attributes
std::vector< std::unique_ptr< Public_Key > >	m_public_keys

Detailed Description

Composes a number of public keys as defined in this IETF draft: https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design-04

To an upstream user, this composite key pair is presented as a KEM. Each individual key pair must either work as a KEX or as a KEM. Currently, the class can deal with ECC keys and Kyber.

The typical use case provides exactly two keys (one traditional KEX and one post-quantum secure KEM). However, this class technically allows composing any number of such keys. Composing more than two keys simply generates a shared secret based on more algorithms.

Note that this class is not generic enough for arbitrary use cases but serializes and parses keys and ciphertexts as described in the above-mentioned IETF draft for a post-quantum TLS 1.3.

Definition at line 40 of file hybrid_public_key.h.

Constructor & Destructor Documentation

Hybrid_KEM_PublicKey() [1/3]

Botan::TLS::Hybrid_KEM_PublicKey::Hybrid_KEM_PublicKey ( std::vector< std::unique_ptr< Public_Key > > pks )

explicit

Definition at line 167 of file hybrid_public_key.cpp.

                                                                                   {
   BOTAN_ARG_CHECK(pks.size() >= 2, "List of public keys must include at least two keys");
   BOTAN_ARG_CHECK(std::all_of(pks.begin(), pks.end(), [](const auto& pk) { return pk != nullptr; }),
                   "List of public keys contains a nullptr");
   BOTAN_ARG_CHECK(std::all_of(pks.begin(),
                               pks.end(),
                               [](const auto& pk) {
                                  return pk->supports_operation(PublicKeyOperation::KeyEncapsulation) ||
                                         pk->supports_operation(PublicKeyOperation::KeyAgreement);
                               }),
                   "Some provided public key is not compatible with this hybrid wrapper");
 
   std::transform(
      pks.begin(), pks.end(), std::back_inserter(m_public_keys), [](auto& key) -> std::unique_ptr<Public_Key> {
         if(key->supports_operation(PublicKeyOperation::KeyAgreement) &&
            !key->supports_operation(PublicKeyOperation::KeyEncapsulation)) {
            return std::make_unique<KEX_to_KEM_Adapter_PublicKey>(std::move(key));
         } else {
            return std::move(key);
         }
      });
 
   m_key_length =
      reduce(m_public_keys, size_t(0), [](size_t kl, const auto& key) { return std::max(kl, key->key_length()); });
   m_estimated_strength = reduce(
      m_public_keys, size_t(0), [](size_t es, const auto& key) { return std::max(es, key->estimated_strength()); });
}

References BOTAN_ARG_CHECK, and m_public_keys.

Hybrid_KEM_PublicKey() [2/3]

Botan::TLS::Hybrid_KEM_PublicKey::Hybrid_KEM_PublicKey ( Hybrid_KEM_PublicKey && )

default

Hybrid_KEM_PublicKey() [3/3]

Botan::TLS::Hybrid_KEM_PublicKey::Hybrid_KEM_PublicKey ( const Hybrid_KEM_PublicKey & )

delete

~Hybrid_KEM_PublicKey()

Botan::TLS::Hybrid_KEM_PublicKey::~Hybrid_KEM_PublicKey ( )

default

Member Function Documentation

algo_name()

std::string Botan::TLS::Hybrid_KEM_PublicKey::algo_name ( ) const

overridevirtual

Get the name of the underlying public key scheme.

Returns

name of the public key scheme

Implements Botan::Asymmetric_Key.

Definition at line 195 of file hybrid_public_key.cpp.

                                                {
   std::ostringstream algo_name("Hybrid(");
   for(size_t i = 0; i < m_public_keys.size(); ++i) {
      if(i > 0) {
         algo_name << ",";
      }
      algo_name << m_public_keys[i]->algo_name();
   }
   algo_name << ")";
   return algo_name.str();
}

algorithm_identifier()

AlgorithmIdentifier Botan::TLS::Hybrid_KEM_PublicKey::algorithm_identifier ( ) const

overridevirtual

Returns

X.509 AlgorithmIdentifier for this key

Implements Botan::Public_Key.

Definition at line 219 of file hybrid_public_key.cpp.

                                                                     {
   throw Botan::Not_Implemented("Hybrid keys don't have an algorithm identifier");
}

check_key()

bool Botan::TLS::Hybrid_KEM_PublicKey::check_key ( RandomNumberGenerator & rng, bool strong ) const

overridevirtual

Implements Botan::Public_Key.

Definition at line 215 of file hybrid_public_key.cpp.

                                                                                  {
   return reduce(m_public_keys, true, [&](bool ckr, const auto& key) { return ckr && key->check_key(rng, strong); });
}

References Botan::reduce().

Referenced by Botan::TLS::Hybrid_KEM_PrivateKey::check_key().

create_encryption_op()

std::unique_ptr< PK_Ops::Encryption > Botan::Public_Key::create_encryption_op ( RandomNumberGenerator & rng, std::string_view params, std::string_view provider ) const

virtualinherited

This is an internal library function exposed on key types. In almost all cases applications should use wrappers in pubkey.h

Return an encryption operation for this key/params or throw

Parameters

rng	a random number generator. The PK_Op may maintain a reference to the RNG and use it many times. The rng must outlive any operations which reference it.
params	additional parameters
provider	the provider to use

Reimplemented in Botan::ElGamal_PublicKey, Botan::RSA_PublicKey, and Botan::SM2_PublicKey.

Definition at line 90 of file pk_keys.cpp.

                                                                                             {
   throw Lookup_Error(fmt("{} does not support encryption", algo_name()));
}

References Botan::Asymmetric_Key::algo_name(), and Botan::fmt().

Referenced by Botan::PK_Encryptor_EME::PK_Encryptor_EME().

create_kem_encryption_op()

std::unique_ptr< Botan::PK_Ops::KEM_Encryption > Botan::TLS::Hybrid_KEM_PublicKey::create_kem_encryption_op ( std::string_view params, std::string_view provider = "base" ) const

overridevirtual

This is an internal library function exposed on key types. In almost all cases applications should use wrappers in pubkey.h

Return a KEM encryption operation for this key/params or throw

Parameters

params	additional parameters
provider	the provider to use

Reimplemented from Botan::Public_Key.

Definition at line 310 of file hybrid_public_key.cpp.

                                                      {
   return std::make_unique<Hybrid_KEM_Encryption_Operation>(*this, kdf, provider);
}

create_verification_op()

std::unique_ptr< PK_Ops::Verification > Botan::Public_Key::create_verification_op ( std::string_view params, std::string_view provider ) const

virtualinherited

This is an internal library function exposed on key types. In all cases applications should use wrappers in pubkey.h

Return a verification operation for this key/params or throw

Parameters

params	additional parameters
provider	the provider to use

Reimplemented in Botan::Ed448_PublicKey, Botan::Dilithium_PublicKey, Botan::DSA_PublicKey, Botan::ECDSA_PublicKey, Botan::ECGDSA_PublicKey, Botan::ECKCDSA_PublicKey, Botan::Ed25519_PublicKey, Botan::GOST_3410_PublicKey, Botan::RSA_PublicKey, Botan::SM2_PublicKey, Botan::SphincsPlus_PublicKey, and Botan::XMSS_PublicKey.

Definition at line 101 of file pk_keys.cpp.

                                                                                                 {
   throw Lookup_Error(fmt("{} does not support verification", algo_name()));
}

References Botan::Asymmetric_Key::algo_name(), and Botan::fmt().

Referenced by Botan::PK_Verifier::PK_Verifier().

create_x509_verification_op()

std::unique_ptr< PK_Ops::Verification > Botan::Public_Key::create_x509_verification_op ( const AlgorithmIdentifier & signature_algorithm, std::string_view provider ) const

virtualinherited

This is an internal library function exposed on key types. In all cases applications should use wrappers in pubkey.h

Return a verification operation for this combination of key and signature algorithm or throw.

Parameters

signature_algorithm	is the X.509 algorithm identifier encoding the padding scheme and hash hash function used in the signature if applicable.
provider	the provider to use

Reimplemented in Botan::RSA_PublicKey, Botan::XMSS_PublicKey, Botan::Ed448_PublicKey, Botan::Dilithium_PublicKey, Botan::DSA_PublicKey, Botan::ECDSA_PublicKey, Botan::ECGDSA_PublicKey, Botan::ECKCDSA_PublicKey, Botan::Ed25519_PublicKey, Botan::GOST_3410_PublicKey, and Botan::SphincsPlus_PublicKey.

Definition at line 106 of file pk_keys.cpp.

                                                                                                      {
   throw Lookup_Error(fmt("{} does not support X.509 verification", algo_name()));
}

References Botan::Asymmetric_Key::algo_name(), and Botan::fmt().

Referenced by Botan::PK_Verifier::PK_Verifier().

default_x509_signature_format()

virtual Signature_Format Botan::Public_Key::default_x509_signature_format ( ) const

inlinevirtualinherited

Reimplemented in Botan::GOST_3410_PublicKey.

Definition at line 190 of file pk_keys.h.

                                                                     {
         return (this->message_parts() >= 2) ? Signature_Format::DerSequence : Signature_Format::Standard;
      }

Referenced by Botan::X509_Object::choose_sig_format(), and Botan::PK_Verifier::PK_Verifier().

estimated_strength()

size_t Botan::TLS::Hybrid_KEM_PublicKey::estimated_strength ( ) const

overridevirtual

Return the estimated strength of the underlying key against the best currently known attack. Note that this ignores anything but pure attacks against the key itself and do not take into account padding schemes, usage mistakes, etc which might reduce the strength. However it does suffice to provide an upper bound.

Returns

estimated strength in bits

Implements Botan::Asymmetric_Key.

Definition at line 207 of file hybrid_public_key.cpp.

                                                      {
   return m_estimated_strength;
}

fingerprint_public()

std::string Botan::Public_Key::fingerprint_public ( std::string_view alg = "SHA-256" ) const

inherited

Returns

Hash of the subject public key

Definition at line 79 of file pk_keys.cpp.

                                                                       {
   return create_hex_fingerprint(subject_public_key(), hash_algo);
}

References Botan::create_hex_fingerprint(), and Botan::Public_Key::subject_public_key().

generate_another()

std::unique_ptr< Private_Key > Botan::TLS::Hybrid_KEM_PublicKey::generate_another ( RandomNumberGenerator & rng ) const

finalvirtual

Generate another (cryptographically independent) key pair using the same algorithm parameters as this key. This is most useful for algorithms that support PublicKeyOperation::KeyAgreement to generate a fitting ephemeral key pair. For other key types it might throw Not_Implemented.

Implements Botan::Asymmetric_Key.

Definition at line 253 of file hybrid_public_key.cpp.

                                                                                                  {
   std::vector<std::unique_ptr<Private_Key>> new_private_keys;
   std::transform(
      m_public_keys.begin(), m_public_keys.end(), std::back_inserter(new_private_keys), [&](const auto& public_key) {
         return public_key->generate_another(rng);
      });
   return std::make_unique<Hybrid_KEM_PrivateKey>(std::move(new_private_keys));
}

get_int_field()

const BigInt & Botan::Asymmetric_Key::get_int_field ( std::string_view field ) const

virtualinherited

Access an algorithm specific field

If the field is not known for this algorithm, an Invalid_Argument is thrown. The interpretation of the result requires knowledge of which algorithm is involved. For instance for RSA "p" represents one of the secret primes, while for DSA "p" is the public prime.

Some algorithms may not implement this method at all.

This is primarily used to implement the FFI botan_pubkey_get_field and botan_privkey_get_field functions.

Reimplemented in Botan::EC_PrivateKey, Botan::DH_PublicKey, Botan::DH_PrivateKey, Botan::DSA_PublicKey, Botan::DSA_PrivateKey, Botan::EC_PublicKey, Botan::ElGamal_PublicKey, Botan::ElGamal_PrivateKey, Botan::RSA_PublicKey, and Botan::RSA_PrivateKey.

Definition at line 18 of file pk_keys.cpp.

                                                                      {
   throw Unknown_PK_Field_Name(algo_name(), field);
}

References Botan::Asymmetric_Key::algo_name().

Referenced by Botan::EC_PublicKey::get_int_field(), and Botan::RSA_PublicKey::get_int_field().

get_oid()

OID Botan::Public_Key::get_oid ( ) const

inlineinherited

Deprecated version of object_identifier

Definition at line 132 of file pk_keys.h.

{ return this->object_identifier(); }

key_length()

size_t Botan::TLS::Hybrid_KEM_PublicKey::key_length ( ) const

overridevirtual

Return an integer value best approximating the length of the primary security parameter. For example for RSA this will be the size of the modulus, for ECDSA the size of the ECC group, and for McEliece the size of the code will be returned.

Implements Botan::Public_Key.

Definition at line 211 of file hybrid_public_key.cpp.

                                              {
   return m_key_length;
}

load_for_group()

std::unique_ptr< Hybrid_KEM_PublicKey > Botan::TLS::Hybrid_KEM_PublicKey::load_for_group ( Group_Params group, std::span< const uint8_t > concatenated_public_values )

static

Definition at line 147 of file hybrid_public_key.cpp.

                                                                          {
   const auto public_value_lengths = public_value_lengths_for_group(group);
   auto alg_ids = algorithm_identifiers_for_group(group);
   BOTAN_ASSERT_NOMSG(public_value_lengths.size() == alg_ids.size());
 
   const auto expected_public_values_length =
      reduce(public_value_lengths, size_t(0), [](size_t acc, size_t len) { return acc + len; });
   BOTAN_ARG_CHECK(expected_public_values_length == concatenated_public_values.size(),
                   "Concatenated public values have an unexpected length");
 
   BufferSlicer public_value_slicer(concatenated_public_values);
   std::vector<std::unique_ptr<Public_Key>> pks;
   for(size_t idx = 0; idx < alg_ids.size(); ++idx) {
      pks.emplace_back(load_public_key(alg_ids[idx], public_value_slicer.take(public_value_lengths[idx])));
   }
   BOTAN_ASSERT_NOMSG(public_value_slicer.empty());
   return std::make_unique<Hybrid_KEM_PublicKey>(std::move(pks));
}

References BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::BufferSlicer::empty(), Botan::load_public_key(), Botan::reduce(), and Botan::BufferSlicer::take().

Referenced by Botan::TLS::Callbacks::tls_kem_encapsulate().

message_part_size()

virtual size_t Botan::Public_Key::message_part_size ( ) const

inlinevirtualinherited

Returns how large each of the message parts refered to by message_parts() is

This function is public but applications should have few reasons to ever call this.

Returns

size of the message parts in bits

Reimplemented in Botan::DSA_PublicKey, Botan::ECDSA_PublicKey, Botan::ECGDSA_PublicKey, Botan::ECKCDSA_PublicKey, Botan::GOST_3410_PublicKey, and Botan::SM2_PublicKey.

Definition at line 188 of file pk_keys.h.

{ return 0; }

Referenced by Botan::PK_Signer::PK_Signer(), Botan::PK_Verifier::PK_Verifier(), and Botan::PK_Verifier::PK_Verifier().

message_parts()

virtual size_t Botan::Public_Key::message_parts ( ) const

inlinevirtualinherited

Returns more than 1 if the output of this algorithm (ciphertext, signature) should be treated as more than one value. This is used for algorithms like DSA and ECDSA, where the (r,s) output pair can be encoded as either a plain binary list or a TLV tagged DER encoding depending on the protocol.

This function is public but applications should have few reasons to ever call this.

Returns

number of message parts

Reimplemented in Botan::DSA_PublicKey, Botan::ECDSA_PublicKey, Botan::ECGDSA_PublicKey, Botan::ECKCDSA_PublicKey, Botan::GOST_3410_PublicKey, and Botan::SM2_PublicKey.

Definition at line 177 of file pk_keys.h.

{ return 1; }

Referenced by Botan::PK_Signer::PK_Signer(), Botan::PK_Verifier::PK_Verifier(), and Botan::PK_Verifier::PK_Verifier().

object_identifier()

OID Botan::Asymmetric_Key::object_identifier ( ) const

virtualinherited

Get the OID of the underlying public key scheme.

Returns

OID of the public key scheme

Reimplemented in Botan::Dilithium_PublicKey, Botan::FrodoKEM_PublicKey, Botan::Kyber_PublicKey, and Botan::SphincsPlus_PublicKey.

Definition at line 22 of file pk_keys.cpp.

                                            {
   try {
      return OID::from_string(algo_name());
   } catch(Lookup_Error&) {
      throw Lookup_Error(fmt("Public key algorithm {} has no defined OIDs", algo_name()));
   }
}

References Botan::Asymmetric_Key::algo_name(), Botan::fmt(), and Botan::OID::from_string().

Referenced by Botan::TPM_PrivateKey::algorithm_identifier(), Botan::Curve25519_PublicKey::algorithm_identifier(), Botan::Ed448_PublicKey::algorithm_identifier(), Botan::X448_PublicKey::algorithm_identifier(), Botan::DH_PublicKey::algorithm_identifier(), Botan::DSA_PublicKey::algorithm_identifier(), Botan::EC_PublicKey::algorithm_identifier(), Botan::Ed25519_PublicKey::algorithm_identifier(), Botan::ElGamal_PublicKey::algorithm_identifier(), Botan::GOST_3410_PublicKey::algorithm_identifier(), Botan::McEliece_PublicKey::algorithm_identifier(), and Botan::RSA_PublicKey::algorithm_identifier().

operator=() [1/2]

Hybrid_KEM_PublicKey & Botan::TLS::Hybrid_KEM_PublicKey::operator= ( const Hybrid_KEM_PublicKey & )

delete

operator=() [2/2]

Hybrid_KEM_PublicKey & Botan::TLS::Hybrid_KEM_PublicKey::operator= ( Hybrid_KEM_PublicKey && )

default

public_key_bits()

std::vector< uint8_t > Botan::TLS::Hybrid_KEM_PublicKey::public_key_bits ( ) const

overridevirtual

Returns

BER encoded public key bits

Implements Botan::Public_Key.

Definition at line 223 of file hybrid_public_key.cpp.

                                                               {
   // Technically, that's not really correct. The docstring for public_key_bits()
   // states that it should return a BER-encoding of the public key.
   //
   // TODO: Perhaps add something like Public_Key::raw_public_key_bits() to
   //       better reflect what we need here.
   return public_value();
}

public_keys()

const auto & Botan::TLS::Hybrid_KEM_PublicKey::public_keys ( ) const

inline

Definition at line 68 of file hybrid_public_key.h.

{ return m_public_keys; }

public_value()

std::vector< uint8_t > Botan::TLS::Hybrid_KEM_PublicKey::public_value

(

)

const

Definition at line 232 of file hybrid_public_key.cpp.

                                                            {
   // draft-ietf-tls-hybrid-design-06 3.2
   //   The values are directly concatenated, without any additional encoding
   //   or length fields; this assumes that the representation and length of
   //   elements is fixed once the algorithm is fixed.  If concatenation were
   //   to be used with values that are not fixed-length, a length prefix or
   //   other unambiguous encoding must be used to ensure that the composition
   //   of the two values is injective.
   return reduce(m_public_keys, std::vector<uint8_t>(), [](auto pkb, const auto& key) {
      // Technically, this is not correct! `public_key_bits()` is meant to
      // return a BER-encoded public key. For (e.g.) Kyber, that contract is
      // broken: It returns the raw encoding as used in the reference
      // implementation.
      //
      // TODO: Provide something like Public_Key::raw_public_key_bits() to
      //       reflect that difference. Also: Key agreement keys could return
      //       their raw public value there.
      return concat(pkb, key->public_key_bits());
   });
}

References Botan::concat(), and Botan::reduce().

subject_public_key()

std::vector< uint8_t > Botan::Public_Key::subject_public_key ( ) const

inherited

Returns

X.509 subject key encoding for this key object

Definition at line 48 of file pk_keys.cpp.

                                                        {
   std::vector<uint8_t> output;
 
   DER_Encoder(output)
      .start_sequence()
      .encode(algorithm_identifier())
      .encode(public_key_bits(), ASN1_Type::BitString)
      .end_cons();
 
   return output;
}

References Botan::Public_Key::algorithm_identifier(), Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::Public_Key::public_key_bits(), and Botan::DER_Encoder::start_sequence().

Referenced by Botan::X509::BER_encode(), Botan::PKCS10_Request::create(), Botan::Public_Key::fingerprint_public(), and Botan::X509::PEM_encode().

supports_operation()

bool Botan::TLS::Hybrid_KEM_PublicKey::supports_operation ( PublicKeyOperation op ) const

overridevirtual

Return true if this key could be used for the specified type of operation.

Implements Botan::Asymmetric_Key.

Definition at line 262 of file hybrid_public_key.cpp.

                                                                         {
   return PublicKeyOperation::KeyEncapsulation == op;
}

References Botan::KeyEncapsulation.

Member Data Documentation

m_public_keys

std::vector<std::unique_ptr<Public_Key> > Botan::TLS::Hybrid_KEM_PublicKey::m_public_keys

protected

Definition at line 71 of file hybrid_public_key.h.

Referenced by Botan::TLS::Hybrid_KEM_PrivateKey::check_key(), and Hybrid_KEM_PublicKey().

---

The documentation for this class was generated from the following files:

• src/lib/tls/tls13_pqc/hybrid_public_key.h
• src/lib/tls/tls13_pqc/hybrid_public_key.cpp