Botan  2.15.0
Crypto and TLS for C++11
ecdsa.cpp
Go to the documentation of this file.
1 /*
2 * ECDSA implemenation
3 * (C) 2007 Manuel Hartl, FlexSecure GmbH
4 * 2007 Falko Strenzke, FlexSecure GmbH
5 * 2008-2010,2015,2016,2018 Jack Lloyd
6 * 2016 RenĂ© Korthaus
7 *
8 * Botan is released under the Simplified BSD License (see license.txt)
9 */
10 
11 #include <botan/ecdsa.h>
12 #include <botan/internal/pk_ops_impl.h>
13 #include <botan/internal/point_mul.h>
14 #include <botan/keypair.h>
15 #include <botan/reducer.h>
16 #include <botan/emsa.h>
17 
18 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
19  #include <botan/rfc6979.h>
20 #endif
21 
22 #if defined(BOTAN_HAS_OPENSSL)
23  #include <botan/internal/openssl.h>
24 #endif
25 
26 namespace Botan {
27 
28 namespace {
29 
30 PointGFp recover_ecdsa_public_key(const EC_Group& group,
31  const std::vector<uint8_t>& msg,
32  const BigInt& r,
33  const BigInt& s,
34  uint8_t v)
35  {
36  if(group.get_cofactor() != 1)
37  throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");
38 
39  if(v > 4)
40  throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");
41 
42  const uint8_t y_odd = v % 2;
43  const uint8_t add_order = v >> 1;
44 
45  const BigInt& group_order = group.get_order();
46  const size_t p_bytes = group.get_p_bytes();
47 
48  try
49  {
50  const BigInt e(msg.data(), msg.size(), group.get_order_bits());
51  const BigInt r_inv = group.inverse_mod_order(r);
52 
53  BigInt x = r + add_order*group_order;
54 
55  std::vector<uint8_t> X(p_bytes + 1);
56 
57  X[0] = 0x02 | y_odd;
58  BigInt::encode_1363(&X[1], p_bytes, x);
59 
60  const PointGFp R = group.OS2ECP(X);
61 
62  if((R*group_order).is_zero() == false)
63  throw Decoding_Error("Unable to recover ECDSA public key");
64 
65  // Compute r_inv * (s*R - eG)
66  PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
67  const BigInt ne = group.mod_order(group_order - e);
68  return r_inv * RG_mul.multi_exp(s, ne);
69  }
70  catch(...)
71  {
72  // continue on and throw
73  }
74 
75  throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
76  }
77 
78 }
79 
81  const std::vector<uint8_t>& msg,
82  const BigInt& r,
83  const BigInt& s,
84  uint8_t v) :
85  EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}
86 
87 
88 uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
89  const BigInt& r,
90  const BigInt& s) const
91  {
92  for(uint8_t v = 0; v != 4; ++v)
93  {
94  try
95  {
96  PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);
97 
98  if(R == this->public_point())
99  {
100  return v;
101  }
102  }
103  catch(Decoding_Error&)
104  {
105  // try the next v
106  }
107  }
108 
109  throw Internal_Error("Could not determine ECDSA recovery parameter");
110  }
111 
113  bool strong) const
114  {
115  if(!public_point().on_the_curve())
116  return false;
117 
118  if(!strong)
119  return true;
120 
121  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
122  }
123 
124 namespace {
125 
126 /**
127 * ECDSA signature operation
128 */
129 class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
130  {
131  public:
132 
133  ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
134  const std::string& emsa,
135  RandomNumberGenerator& rng) :
136  PK_Ops::Signature_with_EMSA(emsa),
137  m_group(ecdsa.domain()),
138  m_x(ecdsa.private_value())
139  {
140 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
141  m_rfc6979.reset(new RFC6979_Nonce_Generator(hash_for_emsa(emsa), m_group.get_order(), m_x));
142 #endif
143 
144  m_b = m_group.random_scalar(rng);
145  m_b_inv = m_group.inverse_mod_order(m_b);
146  }
147 
148  size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
149 
150  size_t max_input_bits() const override { return m_group.get_order_bits(); }
151 
152  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
153  RandomNumberGenerator& rng) override;
154 
155  private:
156  const EC_Group m_group;
157  const BigInt& m_x;
158 
159 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
160  std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
161 #endif
162 
163  std::vector<BigInt> m_ws;
164 
165  BigInt m_b, m_b_inv;
166  };
167 
168 secure_vector<uint8_t>
169 ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
170  RandomNumberGenerator& rng)
171  {
172  BigInt m(msg, msg_len, m_group.get_order_bits());
173 
174 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
175  const BigInt k = m_rfc6979->nonce_for(m);
176 #else
177  const BigInt k = m_group.random_scalar(rng);
178 #endif
179 
180  const BigInt r = m_group.mod_order(
181  m_group.blinded_base_point_multiply_x(k, rng, m_ws));
182 
183  const BigInt k_inv = m_group.inverse_mod_order(k);
184 
185  /*
186  * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
187  */
188  m_b = m_group.square_mod_order(m_b);
189  m_b_inv = m_group.square_mod_order(m_b_inv);
190 
191  m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
192  const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
193 
194  const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
195 
196  // With overwhelming probability, a bug rather than actual zero r/s
197  if(r.is_zero() || s.is_zero())
198  throw Internal_Error("During ECDSA signature generated zero r/s");
199 
200  return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
201  }
202 
203 /**
204 * ECDSA verification operation
205 */
206 class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
207  {
208  public:
209  ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
210  const std::string& emsa) :
211  PK_Ops::Verification_with_EMSA(emsa),
212  m_group(ecdsa.domain()),
213  m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
214  {
215  }
216 
217  size_t max_input_bits() const override { return m_group.get_order_bits(); }
218 
219  bool with_recovery() const override { return false; }
220 
221  bool verify(const uint8_t msg[], size_t msg_len,
222  const uint8_t sig[], size_t sig_len) override;
223  private:
224  const EC_Group m_group;
225  const PointGFp_Multi_Point_Precompute m_gy_mul;
226  };
227 
228 bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
229  const uint8_t sig[], size_t sig_len)
230  {
231  if(sig_len != m_group.get_order_bytes() * 2)
232  return false;
233 
234  const BigInt e(msg, msg_len, m_group.get_order_bits());
235 
236  const BigInt r(sig, sig_len / 2);
237  const BigInt s(sig + sig_len / 2, sig_len / 2);
238 
239  if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
240  return false;
241 
242  const BigInt w = m_group.inverse_mod_order(s);
243 
244  const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
245  const BigInt u2 = m_group.multiply_mod_order(r, w);
246  const PointGFp R = m_gy_mul.multi_exp(u1, u2);
247 
248  if(R.is_zero())
249  return false;
250 
251  const BigInt v = m_group.mod_order(R.get_affine_x());
252  return (v == r);
253  }
254 
255 }
256 
257 std::unique_ptr<PK_Ops::Verification>
258 ECDSA_PublicKey::create_verification_op(const std::string& params,
259  const std::string& provider) const
260  {
261 #if defined(BOTAN_HAS_OPENSSL)
262  if(provider == "openssl" || provider.empty())
263  {
264  try
265  {
266  return make_openssl_ecdsa_ver_op(*this, params);
267  }
268  catch(Lookup_Error& e)
269  {
270  if(provider == "openssl")
271  throw;
272  }
273  }
274 #endif
275 
276  if(provider == "base" || provider.empty())
277  return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params));
278 
279  throw Provider_Not_Found(algo_name(), provider);
280  }
281 
282 std::unique_ptr<PK_Ops::Signature>
284  const std::string& params,
285  const std::string& provider) const
286  {
287 #if defined(BOTAN_HAS_OPENSSL)
288  if(provider == "openssl" || provider.empty())
289  {
290  try
291  {
292  return make_openssl_ecdsa_sig_op(*this, params);
293  }
294  catch(Lookup_Error& e)
295  {
296  if(provider == "openssl")
297  throw;
298  }
299  }
300 #endif
301 
302  if(provider == "base" || provider.empty())
303  return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng));
304 
305  throw Provider_Not_Found(algo_name(), provider);
306  }
307 
308 }
fe X
Definition: ge.cpp:27
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: ecdsa.cpp:112
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:381
const PointGFp & public_point() const
Definition: ecc_key.h:57
int(* final)(unsigned char *, CTX *)
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
const EC_Group & domain() const
Definition: ecc_key.h:72
std::string hash_for_emsa(const std::string &algo_spec)
Definition: emsa.cpp:189
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: ecdsa.cpp:258
Definition: alg_id.cpp:13
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: ecdsa.cpp:283
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
std::string algo_name() const override
Definition: ecdsa.h:61
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:133
uint8_t recovery_param(const std::vector< uint8_t > &msg, const BigInt &r, const BigInt &s) const
Definition: ecdsa.cpp:88