Botan 3.7.1
Crypto and TLS for C&
ec_key_data.cpp
Go to the documentation of this file.
1/*
2* (C) 2024 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/ec_key_data.h>
8
9#include <botan/rng.h>
10
11namespace Botan {
12
13EC_PublicKey_Data::EC_PublicKey_Data(EC_Group group, std::span<const uint8_t> bytes) :
14 m_group(std::move(group)), m_point(m_group, bytes) {
15#if defined(BOTAN_HAS_LEGACY_EC_POINT)
16 m_legacy_point = m_point.to_legacy_point();
17#endif
18}
19
21 m_group(std::move(group)), m_scalar(std::move(x)), m_legacy_x(m_scalar.to_bigint()) {}
22
23namespace {
24
25EC_Scalar decode_ec_secret_key_scalar(const EC_Group& group, std::span<const uint8_t> bytes) {
26 const size_t order_bytes = group.get_order_bytes();
27
28 if(bytes.size() < order_bytes) {
29 /*
30 * Older versions had a bug which caused secret keys to not be encoded to
31 * the full byte length of the order if there were leading zero bytes. This
32 * was particularly a problem for P-521, where on average half of keys do
33 * not have their high bit set and so can be encoded in 65 bytes, vs 66
34 * bytes for the full order.
35 *
36 * To accomodate this, zero prefix the key if we see such a short input
37 */
38 secure_vector<uint8_t> padded_sk(order_bytes);
39 copy_mem(std::span{padded_sk}.last(bytes.size()), bytes);
40 return decode_ec_secret_key_scalar(group, padded_sk);
41 }
42
43 if(auto s = EC_Scalar::deserialize(group, bytes)) {
44 return s.value();
45 } else {
46 throw Decoding_Error("EC private key is invalid for this group");
47 }
48}
49
50} // namespace
51
52EC_PrivateKey_Data::EC_PrivateKey_Data(EC_Group group, std::span<const uint8_t> bytes) :
53 m_group(std::move(group)),
54 m_scalar(decode_ec_secret_key_scalar(m_group, bytes)),
55 m_legacy_x(m_scalar.to_bigint()) {}
56
57std::shared_ptr<EC_PublicKey_Data> EC_PrivateKey_Data::public_key(RandomNumberGenerator& rng,
58 bool with_modular_inverse) const {
59 auto public_point = [&] {
60 std::vector<BigInt> ws;
61 if(with_modular_inverse) {
62 return EC_AffinePoint::g_mul(m_scalar.invert(), rng, ws);
63 } else {
64 return EC_AffinePoint::g_mul(m_scalar, rng, ws);
65 }
66 };
67
68 return std::make_shared<EC_PublicKey_Data>(m_group, public_point());
69}
70
71std::shared_ptr<EC_PublicKey_Data> EC_PrivateKey_Data::public_key(bool with_modular_inverse) const {
72 Null_RNG null_rng;
73 return this->public_key(null_rng, with_modular_inverse);
74}
75
76void EC_PrivateKey_Data::serialize_to(std::span<uint8_t> output) const {
77 m_scalar.serialize_to(output);
78}
79
80} // namespace Botan
static EC_AffinePoint g_mul(const EC_Scalar &scalar, RandomNumberGenerator &rng, std::vector< BigInt > &ws)
size_t get_order_bytes() const
Definition ec_group.cpp:510
void serialize_to(std::span< uint8_t > output) const
std::shared_ptr< EC_PublicKey_Data > public_key(RandomNumberGenerator &rng, bool with_modular_inverse) const
EC_PrivateKey_Data(EC_Group group, EC_Scalar x)
EC_PublicKey_Data(EC_Group group, EC_AffinePoint pt)
Definition ec_key_data.h:26
static std::optional< EC_Scalar > deserialize(const EC_Group &group, std::span< const uint8_t > bytes)
void serialize_to(std::span< uint8_t > bytes) const
Definition ec_scalar.cpp:84
EC_Scalar invert() const
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:147