Botan 2.19.1
Crypto and TLS for C&
ecdsa.cpp
Go to the documentation of this file.
1/*
2* ECDSA implemenation
3* (C) 2007 Manuel Hartl, FlexSecure GmbH
4* 2007 Falko Strenzke, FlexSecure GmbH
5* 2008-2010,2015,2016,2018 Jack Lloyd
6* 2016 René Korthaus
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/ecdsa.h>
12#include <botan/internal/pk_ops_impl.h>
13#include <botan/internal/point_mul.h>
14#include <botan/keypair.h>
15#include <botan/reducer.h>
16#include <botan/emsa.h>
17
18#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19 #include <botan/rfc6979.h>
20#endif
21
22#if defined(BOTAN_HAS_OPENSSL)
23 #include <botan/internal/openssl.h>
24#endif
25
26namespace Botan {
27
28namespace {
29
30PointGFp recover_ecdsa_public_key(const EC_Group& group,
31 const std::vector<uint8_t>& msg,
32 const BigInt& r,
33 const BigInt& s,
34 uint8_t v)
35 {
36 if(group.get_cofactor() != 1)
37 throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");
38
39 if(v > 4)
40 throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");
41
42 const uint8_t y_odd = v % 2;
43 const uint8_t add_order = v >> 1;
44
45 const BigInt& group_order = group.get_order();
46 const size_t p_bytes = group.get_p_bytes();
47
48 try
49 {
50 const BigInt e(msg.data(), msg.size(), group.get_order_bits());
51 const BigInt r_inv = group.inverse_mod_order(r);
52
53 BigInt x = r + add_order*group_order;
54
55 std::vector<uint8_t> X(p_bytes + 1);
56
57 X[0] = 0x02 | y_odd;
58 BigInt::encode_1363(&X[1], p_bytes, x);
59
60 const PointGFp R = group.OS2ECP(X);
61
62 if((R*group_order).is_zero() == false)
63 throw Decoding_Error("Unable to recover ECDSA public key");
64
65 // Compute r_inv * (s*R - eG)
66 PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
67 const BigInt ne = group.mod_order(group_order - e);
68 return r_inv * RG_mul.multi_exp(s, ne);
69 }
70 catch(...)
71 {
72 // continue on and throw
73 }
74
75 throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
76 }
77
78}
79
81 const std::vector<uint8_t>& msg,
82 const BigInt& r,
83 const BigInt& s,
84 uint8_t v) :
85 EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}
86
87
88uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
89 const BigInt& r,
90 const BigInt& s) const
91 {
92 for(uint8_t v = 0; v != 4; ++v)
93 {
94 try
95 {
96 PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);
97
98 if(R == this->public_point())
99 {
100 return v;
101 }
102 }
103 catch(Decoding_Error&)
104 {
105 // try the next v
106 }
107 }
108
109 throw Internal_Error("Could not determine ECDSA recovery parameter");
110 }
111
113 bool strong) const
114 {
115 if(!public_point().on_the_curve())
116 return false;
117
118 if(!strong)
119 return true;
120
121 return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
122 }
123
124namespace {
125
126/**
127* ECDSA signature operation
128*/
129class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
130 {
131 public:
132
133 ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
134 const std::string& emsa,
136 PK_Ops::Signature_with_EMSA(emsa),
137 m_group(ecdsa.domain()),
138 m_x(ecdsa.private_value())
139 {
140#if defined(BOTAN_HAS_RFC6979_GENERATOR)
141 m_rfc6979.reset(new RFC6979_Nonce_Generator(hash_for_emsa(emsa), m_group.get_order(), m_x));
142#endif
143
144 m_b = m_group.random_scalar(rng);
145 m_b_inv = m_group.inverse_mod_order(m_b);
146 }
147
148 size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
149
150 size_t max_input_bits() const override { return m_group.get_order_bits(); }
151
152 secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
153 RandomNumberGenerator& rng) override;
154
155 private:
156 const EC_Group m_group;
157 const BigInt& m_x;
158
159#if defined(BOTAN_HAS_RFC6979_GENERATOR)
160 std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
161#endif
162
163 std::vector<BigInt> m_ws;
164
165 BigInt m_b, m_b_inv;
166 };
167
168secure_vector<uint8_t>
169ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
170 RandomNumberGenerator& rng)
171 {
172 BigInt m(msg, msg_len, m_group.get_order_bits());
173
174#if defined(BOTAN_HAS_RFC6979_GENERATOR)
175 const BigInt k = m_rfc6979->nonce_for(m);
176#else
177 const BigInt k = m_group.random_scalar(rng);
178#endif
179
180 const BigInt r = m_group.mod_order(
181 m_group.blinded_base_point_multiply_x(k, rng, m_ws));
182
183 const BigInt k_inv = m_group.inverse_mod_order(k);
184
185 /*
186 * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
187 */
188 m_b = m_group.square_mod_order(m_b);
189 m_b_inv = m_group.square_mod_order(m_b_inv);
190
191 m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
192 const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
193
194 const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
195
196 // With overwhelming probability, a bug rather than actual zero r/s
197 if(r.is_zero() || s.is_zero())
198 throw Internal_Error("During ECDSA signature generated zero r/s");
199
200 return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
201 }
202
203/**
204* ECDSA verification operation
205*/
206class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
207 {
208 public:
209 ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
210 const std::string& emsa) :
211 PK_Ops::Verification_with_EMSA(emsa),
212 m_group(ecdsa.domain()),
213 m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
214 {
215 }
216
217 size_t max_input_bits() const override { return m_group.get_order_bits(); }
218
219 bool with_recovery() const override { return false; }
220
221 bool verify(const uint8_t msg[], size_t msg_len,
222 const uint8_t sig[], size_t sig_len) override;
223 private:
224 const EC_Group m_group;
225 const PointGFp_Multi_Point_Precompute m_gy_mul;
226 };
227
228bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
229 const uint8_t sig[], size_t sig_len)
230 {
231 if(sig_len != m_group.get_order_bytes() * 2)
232 return false;
233
234 const BigInt e(msg, msg_len, m_group.get_order_bits());
235
236 const BigInt r(sig, sig_len / 2);
237 const BigInt s(sig + sig_len / 2, sig_len / 2);
238
239 if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
240 return false;
241
242 const BigInt w = m_group.inverse_mod_order(s);
243
244 const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
245 const BigInt u2 = m_group.multiply_mod_order(r, w);
246 const PointGFp R = m_gy_mul.multi_exp(u1, u2);
247
248 if(R.is_zero())
249 return false;
250
251 const BigInt v = m_group.mod_order(R.get_affine_x());
252 return (v == r);
253 }
254
255}
256
257std::unique_ptr<PK_Ops::Verification>
259 const std::string& provider) const
260 {
261#if defined(BOTAN_HAS_OPENSSL)
262 if(provider == "openssl" || provider.empty())
263 {
264 try
265 {
266 return make_openssl_ecdsa_ver_op(*this, params);
267 }
268 catch(Lookup_Error& e)
269 {
270 if(provider == "openssl")
271 throw;
272 }
273 }
274#endif
275
276 if(provider == "base" || provider.empty())
277 return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params));
278
279 throw Provider_Not_Found(algo_name(), provider);
280 }
281
282std::unique_ptr<PK_Ops::Signature>
284 const std::string& params,
285 const std::string& provider) const
286 {
287#if defined(BOTAN_HAS_OPENSSL)
288 if(provider == "openssl" || provider.empty())
289 {
290 try
291 {
292 return make_openssl_ecdsa_sig_op(*this, params);
293 }
294 catch(Lookup_Error& e)
295 {
296 if(provider == "openssl")
297 throw;
298 }
299 }
300#endif
301
302 if(provider == "base" || provider.empty())
303 return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng));
304
305 throw Provider_Not_Found(algo_name(), provider);
306 }
307
308}
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:133
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: ecdsa.cpp:283
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: ecdsa.cpp:112
std::string algo_name() const override
Definition: ecdsa.h:61
uint8_t recovery_param(const std::vector< uint8_t > &msg, const BigInt &r, const BigInt &s) const
Definition: ecdsa.cpp:88
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: ecdsa.cpp:258
const EC_Group & domain() const
Definition: ecc_key.h:72
const PointGFp & public_point() const
Definition: ecc_key.h:57
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:394
int(* final)(unsigned char *, CTX *)
fe X
Definition: ge.cpp:27
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
Definition: alg_id.cpp:13
std::string hash_for_emsa(const std::string &algo_spec)
Definition: emsa.cpp:189