Botan  2.4.0
Crypto and TLS for C++11
dsa.cpp
Go to the documentation of this file.
1 /*
2 * DSA
3 * (C) 1999-2010,2014,2016 Jack Lloyd
4 * (C) 2016 RenĂ© Korthaus
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/dsa.h>
10 #include <botan/keypair.h>
11 #include <botan/pow_mod.h>
12 #include <botan/reducer.h>
13 #include <botan/rng.h>
14 #include <botan/internal/pk_ops_impl.h>
15 
16 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
17  #include <botan/emsa.h>
18  #include <botan/rfc6979.h>
19 #endif
20 
21 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
22  #include <future>
23 #endif
24 
25 namespace Botan {
26 
27 /*
28 * DSA_PublicKey Constructor
29 */
31  {
32  m_group = grp;
33  m_y = y1;
34  }
35 
36 /*
37 * Create a DSA private key
38 */
40  const DL_Group& grp,
41  const BigInt& x_arg)
42  {
43  m_group = grp;
44 
45  if(x_arg == 0)
46  m_x = BigInt::random_integer(rng, 2, group_q() - 1);
47  else
48  m_x = x_arg;
49 
50  m_y = power_mod(group_g(), m_x, group_p());
51  }
52 
54  const secure_vector<uint8_t>& key_bits) :
55  DL_Scheme_PrivateKey(alg_id, key_bits, DL_Group::ANSI_X9_57)
56  {
57  m_y = power_mod(group_g(), m_x, group_p());
58  }
59 
60 /*
61 * Check Private DSA Parameters
62 */
63 bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const
64  {
65  if(!DL_Scheme_PrivateKey::check_key(rng, strong) || m_x >= group_q())
66  return false;
67 
68  if(!strong)
69  return true;
70 
71  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
72  }
73 
74 namespace {
75 
76 /**
77 * Object that can create a DSA signature
78 */
79 class DSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
80  {
81  public:
82  DSA_Signature_Operation(const DSA_PrivateKey& dsa, const std::string& emsa) :
84  m_q(dsa.group_q()),
85  m_x(dsa.get_x()),
86  m_powermod_g_p(dsa.group_g(), dsa.group_p()),
87  m_mod_q(dsa.group_q())
88  {
89 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
90  m_rfc6979_hash = hash_for_emsa(emsa);
91 #endif
92  }
93 
94  size_t max_input_bits() const override { return m_q.bits(); }
95 
96  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
97  RandomNumberGenerator& rng) override;
98  private:
99  const BigInt& m_q;
100  const BigInt& m_x;
101  Fixed_Base_Power_Mod m_powermod_g_p;
102  Modular_Reducer m_mod_q;
103 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
104  std::string m_rfc6979_hash;
105 #endif
106  };
107 
109 DSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
111  {
112  BigInt i(msg, msg_len);
113 
114  while(i >= m_q)
115  i -= m_q;
116 
117 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
118  BOTAN_UNUSED(rng);
119  const BigInt k = generate_rfc6979_nonce(m_x, m_q, i, m_rfc6979_hash);
120 #else
121  const BigInt k = BigInt::random_integer(rng, 1, m_q);
122 #endif
123 
124 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
125  auto future_r = std::async(std::launch::async,
126  [&]() { return m_mod_q.reduce(m_powermod_g_p(k)); });
127 
128  BigInt s = inverse_mod(k, m_q);
129  const BigInt r = future_r.get();
130 #else
131  BigInt s = inverse_mod(k, m_q);
132  const BigInt r = m_mod_q.reduce(m_powermod_g_p(k));
133 #endif
134 
135  s = m_mod_q.multiply(s, mul_add(m_x, r, i));
136 
137  // With overwhelming probability, a bug rather than actual zero r/s
138  BOTAN_ASSERT(s != 0, "invalid s");
139  BOTAN_ASSERT(r != 0, "invalid r");
140 
141  return BigInt::encode_fixed_length_int_pair(r, s, m_q.bytes());
142  }
143 
144 /**
145 * Object that can verify a DSA signature
146 */
147 class DSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
148  {
149  public:
150  DSA_Verification_Operation(const DSA_PublicKey& dsa,
151  const std::string& emsa) :
153  m_q(dsa.group_q()), m_y(dsa.get_y()), m_powermod_g_p{Fixed_Base_Power_Mod(dsa.group_g(), dsa.group_p())},
154  m_powermod_y_p{Fixed_Base_Power_Mod(m_y, dsa.group_p())}, m_mod_p{Modular_Reducer(dsa.group_p())},
155  m_mod_q{Modular_Reducer(dsa.group_q())}
156  {}
157 
158  size_t max_input_bits() const override { return m_q.bits(); }
159 
160  bool with_recovery() const override { return false; }
161 
162  bool verify(const uint8_t msg[], size_t msg_len,
163  const uint8_t sig[], size_t sig_len) override;
164  private:
165  const BigInt& m_q;
166  const BigInt& m_y;
167 
168  Fixed_Base_Power_Mod m_powermod_g_p, m_powermod_y_p;
169  Modular_Reducer m_mod_p, m_mod_q;
170  };
171 
172 bool DSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
173  const uint8_t sig[], size_t sig_len)
174  {
175  if(sig_len != 2*m_q.bytes() || msg_len > m_q.bytes())
176  return false;
177 
178  BigInt r(sig, m_q.bytes());
179  BigInt s(sig + m_q.bytes(), m_q.bytes());
180  BigInt i(msg, msg_len);
181 
182  if(r <= 0 || r >= m_q || s <= 0 || s >= m_q)
183  return false;
184 
185  s = inverse_mod(s, m_q);
186 
187 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
188  auto future_s_i = std::async(std::launch::async,
189  [&]() { return m_powermod_g_p(m_mod_q.multiply(s, i)); });
190 
191  BigInt s_r = m_powermod_y_p(m_mod_q.multiply(s, r));
192  BigInt s_i = future_s_i.get();
193 #else
194  BigInt s_r = m_powermod_y_p(m_mod_q.multiply(s, r));
195  BigInt s_i = m_powermod_g_p(m_mod_q.multiply(s, i));
196 #endif
197 
198  s = m_mod_p.multiply(s_i, s_r);
199 
200  return (m_mod_q.reduce(s) == r);
201  }
202 
203 }
204 
205 std::unique_ptr<PK_Ops::Verification>
206 DSA_PublicKey::create_verification_op(const std::string& params,
207  const std::string& provider) const
208  {
209  if(provider == "base" || provider.empty())
210  return std::unique_ptr<PK_Ops::Verification>(new DSA_Verification_Operation(*this, params));
211  throw Provider_Not_Found(algo_name(), provider);
212  }
213 
214 std::unique_ptr<PK_Ops::Signature>
216  const std::string& params,
217  const std::string& provider) const
218  {
219  if(provider == "base" || provider.empty())
220  return std::unique_ptr<PK_Ops::Signature>(new DSA_Signature_Operation(*this, params));
221  throw Provider_Not_Found(algo_name(), provider);
222  }
223 
224 }
BigInt mul_add(const BigInt &a, const BigInt &b, const BigInt &c)
Definition: mp_numth.cpp:35
BigInt power_mod(const BigInt &base, const BigInt &exp, const BigInt &mod)
Definition: numthry.cpp:374
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: dsa.cpp:215
const BigInt & m_q
Definition: rsa.cpp:235
const BigInt & get_y() const
Definition: dl_algo.h:37
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:29
BigInt generate_rfc6979_nonce(const BigInt &x, const BigInt &q, const BigInt &h, const std::string &hash)
Definition: rfc6979.cpp:49
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
std::string algo_name() const override
Definition: dsa.h:21
std::string hash_for_emsa(const std::string &algo_spec)
Definition: emsa.cpp:168
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: numthry.cpp:277
DSA_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: dsa.cpp:53
Definition: alg_id.cpp:13
#define BOTAN_UNUSED(...)
Definition: assert.h:106
const BigInt & group_p() const
Definition: dl_algo.h:43
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: dl_algo.cpp:90
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition: dsa.cpp:63
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: dsa.cpp:206
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:103
const BigInt & get_x() const
Definition: dl_algo.h:105
const BigInt & group_g() const
Definition: dl_algo.h:55
const BigInt & group_q() const
Definition: dl_algo.h:49
Modular_Reducer m_mod_p
Definition: rsa.cpp:238