Botan  2.8.0
Crypto and TLS for C++11
dsa.cpp
Go to the documentation of this file.
1 /*
2 * DSA
3 * (C) 1999-2010,2014,2016 Jack Lloyd
4 * (C) 2016 RenĂ© Korthaus
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/dsa.h>
10 #include <botan/keypair.h>
11 #include <botan/reducer.h>
12 #include <botan/rng.h>
13 #include <botan/internal/pk_ops_impl.h>
14 
15 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
16  #include <botan/emsa.h>
17  #include <botan/rfc6979.h>
18 #endif
19 
20 namespace Botan {
21 
22 /*
23 * DSA_PublicKey Constructor
24 */
25 DSA_PublicKey::DSA_PublicKey(const DL_Group& grp, const BigInt& y1)
26  {
27  m_group = grp;
28  m_y = y1;
29  }
30 
31 /*
32 * Create a DSA private key
33 */
34 DSA_PrivateKey::DSA_PrivateKey(RandomNumberGenerator& rng,
35  const DL_Group& grp,
36  const BigInt& x_arg)
37  {
38  m_group = grp;
39 
40  if(x_arg == 0)
41  m_x = BigInt::random_integer(rng, 2, group_q());
42  else
43  m_x = x_arg;
44 
45  m_y = m_group.power_g_p(m_x, m_group.q_bits());
46  }
47 
48 DSA_PrivateKey::DSA_PrivateKey(const AlgorithmIdentifier& alg_id,
49  const secure_vector<uint8_t>& key_bits) :
50  DL_Scheme_PrivateKey(alg_id, key_bits, DL_Group::ANSI_X9_57)
51  {
52  m_y = m_group.power_g_p(m_x, m_group.q_bits());
53  }
54 
55 /*
56 * Check Private DSA Parameters
57 */
58 bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const
59  {
60  if(!DL_Scheme_PrivateKey::check_key(rng, strong) || m_x >= group_q())
61  return false;
62 
63  if(!strong)
64  return true;
65 
66  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
67  }
68 
69 namespace {
70 
71 /**
72 * Object that can create a DSA signature
73 */
74 class DSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
75  {
76  public:
77  DSA_Signature_Operation(const DSA_PrivateKey& dsa,
78  const std::string& emsa,
79  RandomNumberGenerator& rng) :
80  PK_Ops::Signature_with_EMSA(emsa),
81  m_group(dsa.get_group()),
82  m_x(dsa.get_x())
83  {
84 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
85  m_rfc6979_hash = hash_for_emsa(emsa);
86 #endif
87 
88  m_b = BigInt::random_integer(rng, 2, dsa.group_q());
89  m_b_inv = m_group.inverse_mod_q(m_b);
90  }
91 
92  size_t signature_length() const override { return 2*m_group.q_bytes(); }
93  size_t max_input_bits() const override { return m_group.q_bits(); }
94 
95  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
96  RandomNumberGenerator& rng) override;
97  private:
98  const DL_Group m_group;
99  const BigInt& m_x;
100 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
101  std::string m_rfc6979_hash;
102 #endif
103 
104  BigInt m_b, m_b_inv;
105  };
106 
107 secure_vector<uint8_t>
108 DSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
109  RandomNumberGenerator& rng)
110  {
111  const BigInt& q = m_group.get_q();
112 
113  BigInt m(msg, msg_len, m_group.q_bits());
114 
115  while(m >= q)
116  m -= q;
117 
118 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
119  BOTAN_UNUSED(rng);
120  const BigInt k = generate_rfc6979_nonce(m_x, q, m, m_rfc6979_hash);
121 #else
122  const BigInt k = BigInt::random_integer(rng, 1, q);
123 #endif
124 
125  const BigInt k_inv = m_group.inverse_mod_q(k);
126 
127  const BigInt r = m_group.mod_q(m_group.power_g_p(k, m_group.q_bits()));
128 
129  /*
130  * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
131  */
132  m_b = m_group.square_mod_q(m_b);
133  m_b_inv = m_group.square_mod_q(m_b_inv);
134 
135  m = m_group.multiply_mod_q(m_b, m);
136  const BigInt xr = m_group.multiply_mod_q(m_b, m_x, r);
137 
138  const BigInt s = m_group.multiply_mod_q(m_b_inv, k_inv, m_group.mod_q(xr+m));
139 
140  // With overwhelming probability, a bug rather than actual zero r/s
141  if(r.is_zero() || s.is_zero())
142  throw Internal_Error("Computed zero r/s during DSA signature");
143 
144  return BigInt::encode_fixed_length_int_pair(r, s, q.bytes());
145  }
146 
147 /**
148 * Object that can verify a DSA signature
149 */
150 class DSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
151  {
152  public:
153  DSA_Verification_Operation(const DSA_PublicKey& dsa,
154  const std::string& emsa) :
155  PK_Ops::Verification_with_EMSA(emsa),
156  m_group(dsa.get_group()),
157  m_y(dsa.get_y())
158  {
159  }
160 
161  size_t max_input_bits() const override { return m_group.q_bits(); }
162 
163  bool with_recovery() const override { return false; }
164 
165  bool verify(const uint8_t msg[], size_t msg_len,
166  const uint8_t sig[], size_t sig_len) override;
167  private:
168  const DL_Group m_group;
169  const BigInt& m_y;
170  };
171 
172 bool DSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
173  const uint8_t sig[], size_t sig_len)
174  {
175  const BigInt& q = m_group.get_q();
176  const size_t q_bytes = q.bytes();
177 
178  if(sig_len != 2*q_bytes || msg_len > q_bytes)
179  return false;
180 
181  BigInt r(sig, q_bytes);
182  BigInt s(sig + q_bytes, q_bytes);
183  BigInt i(msg, msg_len, q.bits());
184 
185  if(r <= 0 || r >= q || s <= 0 || s >= q)
186  return false;
187 
188  s = inverse_mod(s, q);
189 
190  const BigInt sr = m_group.multiply_mod_q(s, r);
191  const BigInt si = m_group.multiply_mod_q(s, i);
192 
193  s = m_group.multi_exponentiate(si, m_y, sr);
194 
195  return (m_group.mod_q(s) == r);
196  }
197 
198 }
199 
200 std::unique_ptr<PK_Ops::Verification>
201 DSA_PublicKey::create_verification_op(const std::string& params,
202  const std::string& provider) const
203  {
204  if(provider == "base" || provider.empty())
205  return std::unique_ptr<PK_Ops::Verification>(new DSA_Verification_Operation(*this, params));
206  throw Provider_Not_Found(algo_name(), provider);
207  }
208 
209 std::unique_ptr<PK_Ops::Signature>
210 DSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
211  const std::string& params,
212  const std::string& provider) const
213  {
214  if(provider == "base" || provider.empty())
215  return std::unique_ptr<PK_Ops::Signature>(new DSA_Signature_Operation(*this, params, rng));
216  throw Provider_Not_Found(algo_name(), provider);
217  }
218 
219 }
Botan::DL_Scheme_PrivateKey
Definition: dl_algo.h:103
Botan::DL_Group::inverse_mod_q
BigInt inverse_mod_q(const BigInt &x) const
Definition: dl_group.cpp:484
Botan::DL_Scheme_PrivateKey::m_x
BigInt m_x
Definition: dl_algo.h:135
Botan::DL_Group::power_g_p
BigInt power_g_p(const BigInt &x) const
Definition: dl_group.cpp:520
final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:28
Botan::DSA_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: dsa.cpp:210
Botan::BigInt::random_integer
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
Botan::generate_rfc6979_nonce
BigInt generate_rfc6979_nonce(const BigInt &x, const BigInt &q, const BigInt &h, const std::string &hash)
Definition: rfc6979.cpp:49
Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
Botan::DL_Group
Definition: dl_group.h:23
Botan::DSA_PublicKey::algo_name
std::string algo_name() const override
Definition: dsa.h:21
Botan::DL_Scheme_PublicKey::m_group
DL_Group m_group
Definition: dl_algo.h:97
Botan::DL_Group::square_mod_q
BigInt square_mod_q(const BigInt &x) const
Definition: dl_group.cpp:509
Botan::DSA_PrivateKey
Definition: dsa.h:55
Botan::DL_Scheme_PublicKey::m_y
BigInt m_y
Definition: dl_algo.h:92
Botan::hash_for_emsa
std::string hash_for_emsa(const std::string &algo_spec)
Definition: emsa.cpp:189
Botan::inverse_mod
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: numthry.cpp:289
Botan::DSA_PrivateKey::DSA_PrivateKey
DSA_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: dsa.cpp:48
Botan::DL_Group::multiply_mod_q
BigInt multiply_mod_q(const BigInt &x, const BigInt &y) const
Definition: dl_group.cpp:497
Botan::PK_Ops::Signature_with_EMSA
Definition: pk_ops_impl.h:127
Botan
Definition: alg_id.cpp:13
Botan::BigInt::bytes
size_t bytes() const
Definition: bigint.cpp:221
BOTAN_UNUSED
#define BOTAN_UNUSED(...)
Definition: assert.h:142
Botan::DL_Group::q_bits
size_t q_bits() const
Definition: dl_group.cpp:446
Botan::DL_Scheme_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: dl_algo.cpp:78
Botan::DSA_PublicKey::DSA_PublicKey
DSA_PublicKey()=default
Botan::DL_Group::multi_exponentiate
BigInt multi_exponentiate(const BigInt &x, const BigInt &y, const BigInt &z) const
Definition: dl_group.cpp:515
Botan::DSA_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition: dsa.cpp:58
Botan::DSA_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: dsa.cpp:201
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
Botan::DL_Group::mod_q
BigInt mod_q(const BigInt &x) const
Definition: dl_group.cpp:491
Botan::Provider_Not_Found
Definition: exceptn.h:152
Botan::BigInt::encode_fixed_length_int_pair
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:145
Botan::DL_Scheme_PublicKey::group_q
const BigInt & group_q() const
Definition: dl_algo.h:55
Botan::DL_Group::get_q
const BigInt & get_q() const
Definition: dl_group.cpp:426
Generated by   doxygen 1.8.14