11#include <botan/ecdsa.h>
13#include <botan/reducer.h>
14#include <botan/internal/keypair.h>
15#include <botan/internal/pk_ops_impl.h>
16#include <botan/internal/point_mul.h>
18#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19 #include <botan/internal/rfc6979.h>
26EC_Point recover_ecdsa_public_key(
27 const EC_Group& group,
const std::vector<uint8_t>& msg,
const BigInt& r,
const BigInt& s, uint8_t v) {
28 if(group.get_cofactor() != 1) {
29 throw Invalid_Argument(
"ECDSA public key recovery only supported for prime order groups");
33 throw Invalid_Argument(
"Unexpected v param for ECDSA public key recovery");
36 const BigInt& group_order = group.get_order();
38 if(r <= 0 || r >= group_order || s <= 0 || s >= group_order) {
39 throw Invalid_Argument(
"Out of range r/s cannot recover ECDSA public key");
42 const uint8_t y_odd = v % 2;
43 const uint8_t add_order = v >> 1;
44 const size_t p_bytes = group.get_p_bytes();
48 const BigInt r_inv = group.inverse_mod_order(r);
50 BigInt x = r + add_order * group_order;
52 std::vector<uint8_t>
X(p_bytes + 1);
55 x.serialize_to(std::span{
X}.subspan(1));
57 const EC_Point R = group.OS2ECP(
X);
59 if((R * group_order).is_zero() ==
false) {
60 throw Decoding_Error(
"Unable to recover ECDSA public key");
64 EC_Point_Multi_Point_Precompute RG_mul(R, group.get_base_point());
65 const BigInt ne = group.mod_order(group_order - e);
66 return r_inv * RG_mul.multi_exp(s, ne);
71 throw Decoding_Error(
"Failed to recover ECDSA public key from signature/msg pair");
77 const EC_Group& group,
const std::vector<uint8_t>& msg,
const BigInt& r,
const BigInt& s, uint8_t v) :
78 EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}
81 return std::make_unique<ECDSA_PrivateKey>(rng,
domain());
85 for(uint8_t v = 0; v != 4; ++v) {
87 EC_Point R = recover_ecdsa_public_key(this->
domain(), msg, r, s, v);
97 throw Internal_Error(
"Could not determine ECDSA recovery parameter");
124 PK_Ops::Signature_with_Hash(padding), m_group(ecdsa.domain()), m_x(ecdsa.private_value()) {
125#if defined(BOTAN_HAS_RFC6979_GENERATOR)
126 m_rfc6979 = std::make_unique<RFC6979_Nonce_Generator>(this->rfc6979_hash_function(), m_group.get_order(), m_x);
129 m_b = m_group.random_scalar(rng);
130 m_b_inv = m_group.inverse_mod_order(m_b);
133 size_t signature_length()
const override {
return 2 * m_group.get_order_bytes(); }
135 secure_vector<uint8_t> raw_sign(
const uint8_t msg[],
size_t msg_len, RandomNumberGenerator& rng)
override;
137 AlgorithmIdentifier algorithm_identifier()
const override;
140 const EC_Group m_group;
143#if defined(BOTAN_HAS_RFC6979_GENERATOR)
144 std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
147 std::vector<BigInt> m_ws;
152AlgorithmIdentifier ECDSA_Signature_Operation::algorithm_identifier()
const {
153 const std::string full_name =
"ECDSA/" + hash_function();
154 const OID oid = OID::from_string(full_name);
155 return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
160 RandomNumberGenerator& rng) {
163#if defined(BOTAN_HAS_RFC6979_GENERATOR)
164 const BigInt k = m_rfc6979->nonce_for(m);
185 if(r.is_zero() || s.is_zero()) {
186 throw Internal_Error(
"During ECDSA signature generated zero r/s");
189 return BigInt::encode_fixed_length_int_pair(r, s, m_group.
get_order_bytes());
195class ECDSA_Verification_Operation
final :
public PK_Ops::Verification_with_Hash {
197 ECDSA_Verification_Operation(
const ECDSA_PublicKey& ecdsa, std::string_view padding) :
198 PK_Ops::Verification_with_Hash(padding),
199 m_group(ecdsa.domain()),
200 m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) {}
202 ECDSA_Verification_Operation(
const ECDSA_PublicKey& ecdsa,
const AlgorithmIdentifier& alg_id) :
203 PK_Ops::Verification_with_Hash(alg_id,
"ECDSA", true),
204 m_group(ecdsa.domain()),
205 m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) {}
207 bool verify(
const uint8_t msg[],
size_t msg_len,
const uint8_t sig[],
size_t sig_len)
override;
210 const EC_Group m_group;
211 const EC_Point_Multi_Point_Precompute m_gy_mul;
214bool ECDSA_Verification_Operation::verify(
const uint8_t msg[],
size_t msg_len,
const uint8_t sig[],
size_t sig_len) {
219 const BigInt e = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.
get_order_bits());
221 const BigInt r(sig, sig_len / 2);
222 const BigInt s(sig + sig_len / 2, sig_len / 2);
225 if(r.is_zero() || s.is_zero()) {
237 const EC_Point R = m_gy_mul.
multi_exp(u1, u2);
243 const BigInt v = m_group.
mod_order(R.get_affine_x());
250 std::string_view provider)
const {
251 if(provider ==
"base" || provider.empty()) {
252 return std::make_unique<ECDSA_Verification_Operation>(*
this, params);
260 if(provider ==
"base" || provider.empty()) {
261 return std::make_unique<ECDSA_Verification_Operation>(*
this, signature_algorithm);
268 std::string_view params,
269 std::string_view provider)
const {
270 if(provider ==
"base" || provider.empty()) {
271 return std::make_unique<ECDSA_Signature_Operation>(*
this, params, rng);
static BigInt from_bytes_with_max_bits(const uint8_t buf[], size_t length, size_t max_bits)
std::unique_ptr< Public_Key > public_key() const override
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
bool check_key(RandomNumberGenerator &rng, bool) const override
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
ECDSA_PublicKey()=default
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const override
uint8_t recovery_param(const std::vector< uint8_t > &msg, const BigInt &r, const BigInt &s) const
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
BigInt blinded_base_point_multiply_x(const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
BigInt mod_order(const BigInt &x) const
BigInt multiply_mod_order(const BigInt &x, const BigInt &y) const
const BigInt & get_order() const
BigInt square_mod_order(const BigInt &x) const
BigInt inverse_mod_order(const BigInt &x) const
BigInt random_scalar(RandomNumberGenerator &rng) const
size_t get_order_bits() const
size_t get_order_bytes() const
EC_Point multi_exp(const BigInt &k1, const BigInt &k2) const
bool check_key(RandomNumberGenerator &rng, bool strong) const override
const EC_Group & domain() const
const EC_Point & public_point() const
int(* final)(unsigned char *, CTX *)
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
std::vector< T, secure_allocator< T > > secure_vector