Botan 3.7.1
Crypto and TLS for C&
Botan::TLS::Hybrid_KEM_PublicKey Class Reference

#include <hybrid_public_key.h>

Inheritance diagram for Botan::TLS::Hybrid_KEM_PublicKey:
Botan::Public_Key Botan::Asymmetric_Key Botan::TLS::Hybrid_KEM_PrivateKey

Public Member Functions

virtual Signature_Format _default_x509_signature_format () const
 
virtual std::optional< size_t > _signature_element_size_for_DER_encoding () const
 
std::string algo_name () const override
 
AlgorithmIdentifier algorithm_identifier () const override
 
bool check_key (RandomNumberGenerator &rng, bool strong) const override
 
virtual std::unique_ptr< PK_Ops::Encryptioncreate_encryption_op (RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const
 
std::unique_ptr< PK_Ops::KEM_Encryptioncreate_kem_encryption_op (std::string_view kdf, std::string_view provider="base") const override
 
virtual std::unique_ptr< PK_Ops::Verificationcreate_verification_op (std::string_view params, std::string_view provider) const
 
virtual std::unique_ptr< PK_Ops::Verificationcreate_x509_verification_op (const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const
 
Signature_Format default_x509_signature_format () const
 
size_t estimated_strength () const override
 
std::string fingerprint_public (std::string_view alg="SHA-256") const
 
std::unique_ptr< Private_Keygenerate_another (RandomNumberGenerator &rng) const final
 
virtual const BigIntget_int_field (std::string_view field) const
 
OID get_oid () const
 
 Hybrid_KEM_PublicKey (const Hybrid_KEM_PublicKey &)=delete
 
 Hybrid_KEM_PublicKey (Hybrid_KEM_PublicKey &&)=default
 
 Hybrid_KEM_PublicKey (std::vector< std::unique_ptr< Public_Key > > pks)
 
size_t key_length () const override
 
size_t message_part_size () const
 
size_t message_parts () const
 
virtual OID object_identifier () const
 
Hybrid_KEM_PublicKeyoperator= (const Hybrid_KEM_PublicKey &)=delete
 
Hybrid_KEM_PublicKeyoperator= (Hybrid_KEM_PublicKey &&)=default
 
std::vector< uint8_t > public_key_bits () const override
 
const auto & public_keys () const
 
std::vector< uint8_t > raw_public_key_bits () const override
 
std::vector< uint8_t > subject_public_key () const
 
bool supports_operation (PublicKeyOperation op) const override
 
 ~Hybrid_KEM_PublicKey ()=default
 

Static Public Member Functions

static std::unique_ptr< Hybrid_KEM_PublicKeyload_for_group (Group_Params group, std::span< const uint8_t > concatenated_public_values)
 

Protected Attributes

std::vector< std::unique_ptr< Public_Key > > m_public_keys
 

Detailed Description

Composes a number of public keys as defined in this IETF draft: https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design-04

To an upstream user, this composite key pair is presented as a KEM. Each individual key pair must either work as a KEX or as a KEM. Currently, the class can deal with ECC keys and Kyber.

The typical use case provides exactly two keys (one traditional KEX and one post-quantum secure KEM). However, this class technically allows composing any number of such keys. Composing more than two keys simply generates a shared secret based on more algorithms.

Note that this class is not generic enough for arbitrary use cases but serializes and parses keys and ciphertexts as described in the above-mentioned IETF draft for a post-quantum TLS 1.3.

Definition at line 40 of file hybrid_public_key.h.

Constructor & Destructor Documentation

◆ Hybrid_KEM_PublicKey() [1/3]

Botan::TLS::Hybrid_KEM_PublicKey::Hybrid_KEM_PublicKey ( std::vector< std::unique_ptr< Public_Key > > pks)
explicit

Definition at line 160 of file hybrid_public_key.cpp.

160 {
161 BOTAN_ARG_CHECK(pks.size() >= 2, "List of public keys must include at least two keys");
162 BOTAN_ARG_CHECK(std::all_of(pks.begin(), pks.end(), [](const auto& pk) { return pk != nullptr; }),
163 "List of public keys contains a nullptr");
164 BOTAN_ARG_CHECK(std::all_of(pks.begin(),
165 pks.end(),
166 [](const auto& pk) {
167 return pk->supports_operation(PublicKeyOperation::KeyEncapsulation) ||
168 pk->supports_operation(PublicKeyOperation::KeyAgreement);
169 }),
170 "Some provided public key is not compatible with this hybrid wrapper");
171
172 std::transform(
173 pks.begin(), pks.end(), std::back_inserter(m_public_keys), [](auto& key) -> std::unique_ptr<Public_Key> {
174 if(key->supports_operation(PublicKeyOperation::KeyAgreement) &&
175 !key->supports_operation(PublicKeyOperation::KeyEncapsulation)) {
176 return std::make_unique<KEX_to_KEM_Adapter_PublicKey>(std::move(key));
177 } else {
178 return std::move(key);
179 }
180 });
181
182 m_key_length =
183 reduce(m_public_keys, size_t(0), [](size_t kl, const auto& key) { return std::max(kl, key->key_length()); });
184 m_estimated_strength = reduce(
185 m_public_keys, size_t(0), [](size_t es, const auto& key) { return std::max(es, key->estimated_strength()); });
186}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
std::vector< std::unique_ptr< Public_Key > > m_public_keys
RetT reduce(const std::vector< KeyT > &keys, RetT acc, ReducerT reducer)
Definition stl_util.h:47

References BOTAN_ARG_CHECK, and m_public_keys.

◆ Hybrid_KEM_PublicKey() [2/3]

Botan::TLS::Hybrid_KEM_PublicKey::Hybrid_KEM_PublicKey ( Hybrid_KEM_PublicKey && )
default

◆ Hybrid_KEM_PublicKey() [3/3]

Botan::TLS::Hybrid_KEM_PublicKey::Hybrid_KEM_PublicKey ( const Hybrid_KEM_PublicKey & )
delete

◆ ~Hybrid_KEM_PublicKey()

Botan::TLS::Hybrid_KEM_PublicKey::~Hybrid_KEM_PublicKey ( )
default

Member Function Documentation

◆ _default_x509_signature_format()

Signature_Format Botan::Asymmetric_Key::_default_x509_signature_format ( ) const
virtualinherited

◆ _signature_element_size_for_DER_encoding()

virtual std::optional< size_t > Botan::Asymmetric_Key::_signature_element_size_for_DER_encoding ( ) const
inlinevirtualinherited

Certain signatures schemes such as ECDSA have more than one element, and certain unfortunate protocols decided the thing to do was not concatenate them as normally done, but instead DER encode each of the elements as independent values.

If this returns a value x then the signature is checked to be exactly 2*x bytes and split in half for DER encoding.

Reimplemented in Botan::DSA_PublicKey, Botan::ECDSA_PublicKey, Botan::ECGDSA_PublicKey, Botan::ECKCDSA_PublicKey, Botan::GOST_3410_PublicKey, and Botan::SM2_PublicKey.

Definition at line 136 of file pk_keys.h.

136{ return {}; }

Referenced by Botan::Asymmetric_Key::_default_x509_signature_format(), Botan::PK_Signer::PK_Signer(), Botan::PK_Verifier::PK_Verifier(), and Botan::PK_Verifier::PK_Verifier().

◆ algo_name()

std::string Botan::TLS::Hybrid_KEM_PublicKey::algo_name ( ) const
overridevirtual

Get the name of the underlying public key scheme.

Returns
name of the public key scheme

Implements Botan::Asymmetric_Key.

Definition at line 188 of file hybrid_public_key.cpp.

188 {
189 std::ostringstream algo_name("Hybrid(");
190 for(size_t i = 0; i < m_public_keys.size(); ++i) {
191 if(i > 0) {
192 algo_name << ",";
193 }
194 algo_name << m_public_keys[i]->algo_name();
195 }
196 algo_name << ")";
197 return algo_name.str();
198}
std::string algo_name() const override

◆ algorithm_identifier()

AlgorithmIdentifier Botan::TLS::Hybrid_KEM_PublicKey::algorithm_identifier ( ) const
overridevirtual
Returns
X.509 AlgorithmIdentifier for this key

Implements Botan::Public_Key.

Definition at line 212 of file hybrid_public_key.cpp.

212 {
213 throw Botan::Not_Implemented("Hybrid keys don't have an algorithm identifier");
214}

◆ check_key()

bool Botan::TLS::Hybrid_KEM_PublicKey::check_key ( RandomNumberGenerator & rng,
bool strong ) const
overridevirtual

Implements Botan::Asymmetric_Key.

Definition at line 208 of file hybrid_public_key.cpp.

208 {
209 return reduce(m_public_keys, true, [&](bool ckr, const auto& key) { return ckr && key->check_key(rng, strong); });
210}

References Botan::reduce().

Referenced by Botan::TLS::Hybrid_KEM_PrivateKey::check_key().

◆ create_encryption_op()

std::unique_ptr< PK_Ops::Encryption > Botan::Public_Key::create_encryption_op ( RandomNumberGenerator & rng,
std::string_view params,
std::string_view provider ) const
virtualinherited

This is an internal library function exposed on key types. In almost all cases applications should use wrappers in pubkey.h

Return an encryption operation for this key/params or throw

Parameters
rnga random number generator. The PK_Op may maintain a reference to the RNG and use it many times. The rng must outlive any operations which reference it.
paramsadditional parameters
providerthe provider to use

Reimplemented in Botan::ElGamal_PublicKey, Botan::RSA_PublicKey, Botan::SM2_PublicKey, and Botan::TPM2::RSA_PublicKey.

Definition at line 98 of file pk_keys.cpp.

100 {
101 throw Lookup_Error(fmt("{} does not support encryption", algo_name()));
102}
virtual std::string algo_name() const =0
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

References Botan::Asymmetric_Key::algo_name(), and Botan::fmt().

Referenced by Botan::PK_Encryptor_EME::PK_Encryptor_EME().

◆ create_kem_encryption_op()

std::unique_ptr< Botan::PK_Ops::KEM_Encryption > Botan::TLS::Hybrid_KEM_PublicKey::create_kem_encryption_op ( std::string_view params,
std::string_view provider = "base" ) const
overridevirtual

This is an internal library function exposed on key types. In almost all cases applications should use wrappers in pubkey.h

Return a KEM encryption operation for this key/params or throw

Parameters
paramsadditional parameters
providerthe provider to use

Reimplemented from Botan::Public_Key.

Definition at line 290 of file hybrid_public_key.cpp.

291 {
292 return std::make_unique<Hybrid_KEM_Encryption_Operation>(*this, kdf, provider);
293}

◆ create_verification_op()

std::unique_ptr< PK_Ops::Verification > Botan::Public_Key::create_verification_op ( std::string_view params,
std::string_view provider ) const
virtualinherited

This is an internal library function exposed on key types. In all cases applications should use wrappers in pubkey.h

Return a verification operation for this key/params or throw

Parameters
paramsadditional parameters
providerthe provider to use

Reimplemented in Botan::Dilithium_PublicKey, Botan::DSA_PublicKey, Botan::ECDSA_PublicKey, Botan::ECGDSA_PublicKey, Botan::ECKCDSA_PublicKey, Botan::Ed25519_PublicKey, Botan::Ed448_PublicKey, Botan::GOST_3410_PublicKey, Botan::HSS_LMS_PublicKey, Botan::RSA_PublicKey, Botan::SM2_PublicKey, Botan::SphincsPlus_PublicKey, Botan::TPM2::EC_PublicKey, Botan::TPM2::RSA_PublicKey, and Botan::XMSS_PublicKey.

Definition at line 109 of file pk_keys.cpp.

110 {
111 throw Lookup_Error(fmt("{} does not support verification", algo_name()));
112}

References Botan::Asymmetric_Key::algo_name(), and Botan::fmt().

Referenced by Botan::PK_Verifier::PK_Verifier().

◆ create_x509_verification_op()

std::unique_ptr< PK_Ops::Verification > Botan::Public_Key::create_x509_verification_op ( const AlgorithmIdentifier & signature_algorithm,
std::string_view provider ) const
virtualinherited

This is an internal library function exposed on key types. In all cases applications should use wrappers in pubkey.h

Return a verification operation for this combination of key and signature algorithm or throw.

Parameters
signature_algorithmis the X.509 algorithm identifier encoding the padding scheme and hash hash function used in the signature if applicable.
providerthe provider to use

Reimplemented in Botan::Dilithium_PublicKey, Botan::DSA_PublicKey, Botan::ECDSA_PublicKey, Botan::ECGDSA_PublicKey, Botan::ECKCDSA_PublicKey, Botan::Ed25519_PublicKey, Botan::Ed448_PublicKey, Botan::GOST_3410_PublicKey, Botan::HSS_LMS_PublicKey, Botan::RSA_PublicKey, Botan::SphincsPlus_PublicKey, and Botan::XMSS_PublicKey.

Definition at line 114 of file pk_keys.cpp.

115 {
116 throw Lookup_Error(fmt("{} does not support X.509 verification", algo_name()));
117}

References Botan::Asymmetric_Key::algo_name(), and Botan::fmt().

Referenced by Botan::PK_Verifier::PK_Verifier().

◆ default_x509_signature_format()

Signature_Format Botan::Public_Key::default_x509_signature_format ( ) const
inlineinherited

Definition at line 227 of file pk_keys.h.

227 {
229 }
virtual Signature_Format _default_x509_signature_format() const
Definition pk_keys.cpp:30

◆ estimated_strength()

size_t Botan::TLS::Hybrid_KEM_PublicKey::estimated_strength ( ) const
overridevirtual

Return the estimated strength of the underlying key against the best currently known attack. Note that this ignores anything but pure attacks against the key itself and do not take into account padding schemes, usage mistakes, etc which might reduce the strength. However it does suffice to provide an upper bound.

Returns
estimated strength in bits

Implements Botan::Asymmetric_Key.

Definition at line 200 of file hybrid_public_key.cpp.

200 {
201 return m_estimated_strength;
202}

◆ fingerprint_public()

std::string Botan::Public_Key::fingerprint_public ( std::string_view alg = "SHA-256") const
inherited
Returns
Hash of the subject public key

Definition at line 87 of file pk_keys.cpp.

87 {
88 return create_hex_fingerprint(subject_public_key(), hash_algo);
89}
std::vector< uint8_t > subject_public_key() const
Definition pk_keys.cpp:56
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
Definition pk_keys.cpp:38

References Botan::create_hex_fingerprint(), and Botan::Public_Key::subject_public_key().

◆ generate_another()

std::unique_ptr< Private_Key > Botan::TLS::Hybrid_KEM_PublicKey::generate_another ( RandomNumberGenerator & rng) const
finalvirtual

Generate another (cryptographically independent) key pair using the same algorithm parameters as this key. This is most useful for algorithms that support PublicKeyOperation::KeyAgreement to generate a fitting ephemeral key pair. For other key types it might throw Not_Implemented.

Implements Botan::Asymmetric_Key.

Definition at line 233 of file hybrid_public_key.cpp.

233 {
234 std::vector<std::unique_ptr<Private_Key>> new_private_keys;
235 std::transform(
236 m_public_keys.begin(), m_public_keys.end(), std::back_inserter(new_private_keys), [&](const auto& public_key) {
237 return public_key->generate_another(rng);
238 });
239 return std::make_unique<Hybrid_KEM_PrivateKey>(std::move(new_private_keys));
240}

◆ get_int_field()

const BigInt & Botan::Asymmetric_Key::get_int_field ( std::string_view field) const
virtualinherited

Access an algorithm specific field

If the field is not known for this algorithm, an Invalid_Argument is thrown. The interpretation of the result requires knowledge of which algorithm is involved. For instance for RSA "p" represents one of the secret primes, while for DSA "p" is the public prime.

Some algorithms may not implement this method at all.

This is primarily used to implement the FFI botan_pubkey_get_field and botan_privkey_get_field functions.

TODO(Botan4) Change this to return by value

Reimplemented in Botan::DH_PrivateKey, Botan::DH_PublicKey, Botan::DSA_PrivateKey, Botan::DSA_PublicKey, Botan::EC_PrivateKey, Botan::EC_PublicKey, Botan::ElGamal_PrivateKey, Botan::ElGamal_PublicKey, Botan::RSA_PrivateKey, and Botan::RSA_PublicKey.

Definition at line 18 of file pk_keys.cpp.

18 {
19 throw Unknown_PK_Field_Name(algo_name(), field);
20}

References Botan::Asymmetric_Key::algo_name().

Referenced by Botan::EC_PublicKey::get_int_field(), and Botan::RSA_PublicKey::get_int_field().

◆ get_oid()

OID Botan::Public_Key::get_oid ( ) const
inlineinherited

Deprecated version of object_identifier

Definition at line 160 of file pk_keys.h.

160{ return this->object_identifier(); }
virtual OID object_identifier() const
Definition pk_keys.cpp:22

◆ key_length()

size_t Botan::TLS::Hybrid_KEM_PublicKey::key_length ( ) const
overridevirtual

Return an integer value best approximating the length of the primary security parameter. For example for RSA this will be the size of the modulus, for ECDSA the size of the ECC group, and for McEliece the size of the code will be returned.

Implements Botan::Public_Key.

Definition at line 204 of file hybrid_public_key.cpp.

204 {
205 return m_key_length;
206}

◆ load_for_group()

std::unique_ptr< Hybrid_KEM_PublicKey > Botan::TLS::Hybrid_KEM_PublicKey::load_for_group ( Group_Params group,
std::span< const uint8_t > concatenated_public_values )
static

Definition at line 138 of file hybrid_public_key.cpp.

139 {
140 const auto public_value_lengths = public_value_lengths_for_group(group);
141 auto alg_ids = algorithm_identifiers_for_group(group);
142 BOTAN_ASSERT_NOMSG(public_value_lengths.size() == alg_ids.size());
143
144 const auto expected_public_values_length =
145 reduce(public_value_lengths, size_t(0), [](size_t acc, size_t len) { return acc + len; });
146 if(expected_public_values_length != concatenated_public_values.size()) {
147 throw Decoding_Error("Concatenated public values have an unexpected length");
148 }
149
150 BufferSlicer public_value_slicer(concatenated_public_values);
151 std::vector<std::unique_ptr<Public_Key>> pks;
152 pks.reserve(alg_ids.size());
153 for(size_t idx = 0; idx < alg_ids.size(); ++idx) {
154 pks.emplace_back(load_public_key(alg_ids[idx], public_value_slicer.take(public_value_lengths[idx])));
155 }
156 BOTAN_ASSERT_NOMSG(public_value_slicer.empty());
157 return std::make_unique<Hybrid_KEM_PublicKey>(std::move(pks));
158}
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
std::unique_ptr< Public_Key > load_public_key(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition pk_algs.cpp:124

References BOTAN_ASSERT_NOMSG, Botan::BufferSlicer::empty(), Botan::load_public_key(), Botan::reduce(), and Botan::BufferSlicer::take().

Referenced by Botan::TLS::Callbacks::tls_deserialize_peer_public_key().

◆ message_part_size()

size_t Botan::Public_Key::message_part_size ( ) const
inlineinherited

Returns how large each of the message parts refered to by message_parts() is

This function is public but applications should have few reasons to ever call this.

Returns
size of the message parts in bits

Definition at line 220 of file pk_keys.h.

220 {
221 return _signature_element_size_for_DER_encoding().value_or(0);
222 }

◆ message_parts()

size_t Botan::Public_Key::message_parts ( ) const
inlineinherited

Returns more than 1 if the output of this algorithm (ciphertext, signature) should be treated as more than one value. This is used for algorithms like DSA and ECDSA, where the (r,s) output pair can be encoded as either a plain binary list or a TLV tagged DER encoding depending on the protocol.

This function is public but applications should have few reasons to ever call this.

Returns
number of message parts

Definition at line 207 of file pk_keys.h.

207 {
209 }

◆ object_identifier()

◆ operator=() [1/2]

Hybrid_KEM_PublicKey & Botan::TLS::Hybrid_KEM_PublicKey::operator= ( const Hybrid_KEM_PublicKey & )
delete

◆ operator=() [2/2]

Hybrid_KEM_PublicKey & Botan::TLS::Hybrid_KEM_PublicKey::operator= ( Hybrid_KEM_PublicKey && )
default

◆ public_key_bits()

std::vector< uint8_t > Botan::TLS::Hybrid_KEM_PublicKey::public_key_bits ( ) const
overridevirtual
Returns
BER encoded public key bits

Implements Botan::Public_Key.

Definition at line 216 of file hybrid_public_key.cpp.

216 {
217 return raw_public_key_bits();
218}
std::vector< uint8_t > raw_public_key_bits() const override

◆ public_keys()

const auto & Botan::TLS::Hybrid_KEM_PublicKey::public_keys ( ) const
inline

Definition at line 68 of file hybrid_public_key.h.

68{ return m_public_keys; }

◆ raw_public_key_bits()

std::vector< uint8_t > Botan::TLS::Hybrid_KEM_PublicKey::raw_public_key_bits ( ) const
overridevirtual
Returns
binary public key bits, with no additional encoding

For key agreements this is an alias for PK_Key_Agreement_Key::public_value.

Note: some algorithms (for example RSA) do not have an obvious encoding for this value due to having many different values, and thus throw Not_Implemented when invoking this method.

Implements Botan::Public_Key.

Definition at line 220 of file hybrid_public_key.cpp.

220 {
221 // draft-ietf-tls-hybrid-design-06 3.2
222 // The values are directly concatenated, without any additional encoding
223 // or length fields; this assumes that the representation and length of
224 // elements is fixed once the algorithm is fixed. If concatenation were
225 // to be used with values that are not fixed-length, a length prefix or
226 // other unambiguous encoding must be used to ensure that the composition
227 // of the two values is injective.
228 return reduce(m_public_keys, std::vector<uint8_t>(), [](auto pkb, const auto& key) {
229 return concat(pkb, key->raw_public_key_bits());
230 });
231}
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:263

References Botan::concat(), and Botan::reduce().

◆ subject_public_key()

std::vector< uint8_t > Botan::Public_Key::subject_public_key ( ) const
inherited
Returns
X.509 subject key encoding for this key object

Definition at line 56 of file pk_keys.cpp.

56 {
57 std::vector<uint8_t> output;
58
59 DER_Encoder(output)
60 .start_sequence()
61 .encode(algorithm_identifier())
63 .end_cons();
64
65 return output;
66}
virtual AlgorithmIdentifier algorithm_identifier() const =0
virtual std::vector< uint8_t > public_key_bits() const =0

References Botan::Public_Key::algorithm_identifier(), Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::Public_Key::public_key_bits(), and Botan::DER_Encoder::start_sequence().

Referenced by Botan::X509::BER_encode(), Botan::PKCS10_Request::create(), Botan::Public_Key::fingerprint_public(), and Botan::X509::PEM_encode().

◆ supports_operation()

bool Botan::TLS::Hybrid_KEM_PublicKey::supports_operation ( PublicKeyOperation op) const
overridevirtual

Return true if this key could be used for the specified type of operation.

Implements Botan::Asymmetric_Key.

Definition at line 242 of file hybrid_public_key.cpp.

References Botan::KeyEncapsulation.

Member Data Documentation

◆ m_public_keys

std::vector<std::unique_ptr<Public_Key> > Botan::TLS::Hybrid_KEM_PublicKey::m_public_keys
protected

The documentation for this class was generated from the following files: