Botan 3.9.0
Crypto and TLS for C&
ecdsa.cpp
Go to the documentation of this file.
1/*
2* ECDSA implemenation
3* (C) 2007 Manuel Hartl, FlexSecure GmbH
4* 2007 Falko Strenzke, FlexSecure GmbH
5* 2008-2010,2015,2016,2018,2024 Jack Lloyd
6* 2016 René Korthaus
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/ecdsa.h>
12
13#include <botan/internal/keypair.h>
14#include <botan/internal/pk_ops_impl.h>
15
16#if defined(BOTAN_HAS_RFC6979_GENERATOR)
17 #include <botan/internal/rfc6979.h>
18#endif
19
20namespace Botan {
21
22namespace {
23
24EC_AffinePoint recover_ecdsa_public_key(
25 const EC_Group& group, const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s, uint8_t v) {
26 if(group.has_cofactor()) {
27 throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");
28 }
29
30 if(v >= 4) {
31 throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");
32 }
33
34 const BigInt& group_order = group.get_order();
35
36 if(r <= 0 || r >= group_order || s <= 0 || s >= group_order) {
37 throw Invalid_Argument("Out of range r/s cannot recover ECDSA public key");
38 }
39
40 const uint8_t y_odd = v % 2;
41 const bool add_order = (v >> 1) == 0x01;
42 const size_t p_bytes = group.get_p_bytes();
43
44 BigInt x = r;
45
46 if(add_order) {
47 x += group_order;
48 }
49
50 if(x.bytes() <= p_bytes) {
51 std::vector<uint8_t> X(p_bytes + 1);
52
53 X[0] = 0x02 | y_odd;
54 x.serialize_to(std::span{X}.subspan(1));
55
56 if(auto R = EC_AffinePoint::deserialize(group, X)) {
57 // Compute r_inv * (-eG + s*R)
58 const auto ne = EC_Scalar::from_bytes_with_trunc(group, msg).negate();
59 const auto ss = EC_Scalar::from_bigint(group, s);
60
61 const auto r_inv = EC_Scalar::from_bigint(group, r).invert_vartime();
62
63 EC_Group::Mul2Table GR_mul(R.value());
64 if(auto egsr = GR_mul.mul2_vartime(ne * r_inv, ss * r_inv)) {
65 return egsr.value();
66 }
67 }
68 }
69
70 throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
71}
72
73} // namespace
74
75ECDSA_PublicKey::ECDSA_PublicKey(
76 const EC_Group& group, const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s, uint8_t v) :
77 EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}
78
79std::unique_ptr<Private_Key> ECDSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
80 return std::make_unique<ECDSA_PrivateKey>(rng, domain());
81}
82
83uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s) const {
84 const auto this_key = this->_public_ec_point().serialize_compressed();
85
86 for(uint8_t v = 0; v != 4; ++v) {
87 try {
88 const auto R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);
89
90 if(R.serialize_compressed() == this_key) {
91 return v;
92 }
93 } catch(Decoding_Error&) {
94 // try the next v
95 }
96 }
97
98 throw Internal_Error("Could not determine ECDSA recovery parameter");
99}
100
101std::unique_ptr<Public_Key> ECDSA_PrivateKey::public_key() const {
102 return std::make_unique<ECDSA_PublicKey>(domain(), _public_ec_point());
103}
104
105bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
106 if(!EC_PrivateKey::check_key(rng, strong)) {
107 return false;
108 }
109
110 if(!strong) {
111 return true;
112 }
113
114 return KeyPair::signature_consistency_check(rng, *this, "SHA-256");
115}
116
117namespace {
118
119/**
120* ECDSA signature operation
121*/
122class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {
123 public:
124 ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa, std::string_view padding, RandomNumberGenerator& rng) :
125 PK_Ops::Signature_with_Hash(padding),
126 m_group(ecdsa.domain()),
127 m_x(ecdsa._private_key()),
128 m_b(EC_Scalar::random(m_group, rng)),
129 m_b_inv(m_b.invert()) {
130#if defined(BOTAN_HAS_RFC6979_GENERATOR)
131 m_rfc6979 = std::make_unique<RFC6979_Nonce_Generator>(
132 this->rfc6979_hash_function(), m_group.get_order_bits(), ecdsa._private_key());
133#endif
134 }
135
136 size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }
137
138 std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;
139
140 AlgorithmIdentifier algorithm_identifier() const override;
141
142 private:
143 const EC_Group m_group;
144 const EC_Scalar m_x;
145
146#if defined(BOTAN_HAS_RFC6979_GENERATOR)
147 std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
148#endif
149
150 EC_Scalar m_b;
151 EC_Scalar m_b_inv;
152};
153
154AlgorithmIdentifier ECDSA_Signature_Operation::algorithm_identifier() const {
155 const std::string full_name = "ECDSA/" + hash_function();
156 const OID oid = OID::from_string(full_name);
157 return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
158}
159
160std::vector<uint8_t> ECDSA_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
161 const auto m = EC_Scalar::from_bytes_with_trunc(m_group, msg);
162
163#if defined(BOTAN_HAS_RFC6979_GENERATOR)
164 const auto k = m_rfc6979->nonce_for(m_group, m);
165#else
166 const auto k = EC_Scalar::random(m_group, rng);
167#endif
168
169 const auto r = EC_Scalar::gk_x_mod_order(k, rng);
170
171 // Blind the inversion of k
172 const auto k_inv = (m_b * k).invert() * m_b;
173
174 /*
175 * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
176 */
177 m_b.square_self();
178 m_b_inv.square_self();
179
180 const auto xr_m = ((m_x * m_b) * r) + (m * m_b);
181
182 const auto s = (k_inv * xr_m) * m_b_inv;
183
184 // With overwhelming probability, a bug rather than actual zero r/s
185 if(r.is_zero() || s.is_zero()) {
186 throw Internal_Error("During ECDSA signature generated zero r/s");
187 }
188
189 return EC_Scalar::serialize_pair(r, s);
190}
191
192/**
193* ECDSA verification operation
194*/
195class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {
196 public:
197 ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, std::string_view padding) :
198 PK_Ops::Verification_with_Hash(padding), m_group(ecdsa.domain()), m_gy_mul(ecdsa._public_ec_point()) {}
199
200 ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, const AlgorithmIdentifier& alg_id) :
201 PK_Ops::Verification_with_Hash(alg_id, "ECDSA", true),
202 m_group(ecdsa.domain()),
203 m_gy_mul(ecdsa._public_ec_point()) {}
204
205 bool verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) override;
206
207 private:
208 const EC_Group m_group;
209 const EC_Group::Mul2Table m_gy_mul;
210};
211
212bool ECDSA_Verification_Operation::verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) {
213 if(auto rs = EC_Scalar::deserialize_pair(m_group, sig)) {
214 const auto& [r, s] = rs.value();
215
216 if(r.is_nonzero() && s.is_nonzero()) {
217 const auto m = EC_Scalar::from_bytes_with_trunc(m_group, msg);
218
219 const auto w = s.invert_vartime();
220
221 // Check if r == x_coord(g*w*m + y*w*r) % n
222 return m_gy_mul.mul2_vartime_x_mod_order_eq(r, w, m, r);
223 }
224 }
225
226 return false;
227}
228
229} // namespace
230
231std::unique_ptr<PK_Ops::Verification> ECDSA_PublicKey::create_verification_op(std::string_view params,
232 std::string_view provider) const {
233 if(provider == "base" || provider.empty()) {
234 return std::make_unique<ECDSA_Verification_Operation>(*this, params);
235 }
236
237 throw Provider_Not_Found(algo_name(), provider);
238}
239
240std::unique_ptr<PK_Ops::Verification> ECDSA_PublicKey::create_x509_verification_op(
241 const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
242 if(provider == "base" || provider.empty()) {
243 return std::make_unique<ECDSA_Verification_Operation>(*this, signature_algorithm);
244 }
245
246 throw Provider_Not_Found(algo_name(), provider);
247}
248
249std::unique_ptr<PK_Ops::Signature> ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
250 std::string_view params,
251 std::string_view provider) const {
252 if(provider == "base" || provider.empty()) {
253 return std::make_unique<ECDSA_Signature_Operation>(*this, params, rng);
254 }
255
256 throw Provider_Not_Found(algo_name(), provider);
257}
258
259} // namespace Botan
Botan::Decoding_Error
Definition exceptn.h:191
Botan::ECDSA_PrivateKey
Definition ecdsa.h:92
Botan::ECDSA_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition ecdsa.cpp:101
Botan::ECDSA_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition ecdsa.cpp:249
Botan::ECDSA_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition ecdsa.cpp:105
Botan::ECDSA_PublicKey::algo_name
std::string algo_name() const override
Definition ecdsa.h:62
Botan::ECDSA_PublicKey::create_x509_verification_op
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
Definition ecdsa.cpp:240
Botan::ECDSA_PublicKey::ECDSA_PublicKey
ECDSA_PublicKey()=default
Botan::ECDSA_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const override
Definition ecdsa.cpp:79
Botan::ECDSA_PublicKey::recovery_param
uint8_t recovery_param(const std::vector< uint8_t > &msg, const BigInt &r, const BigInt &s) const
Definition ecdsa.cpp:83
Botan::ECDSA_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition ecdsa.cpp:231
Botan::EC_AffinePoint
Definition ec_apoint.h:36
Botan::EC_AffinePoint::deserialize
static std::optional< EC_AffinePoint > deserialize(const EC_Group &group, std::span< const uint8_t > bytes)
Definition ec_apoint.cpp:150
Botan::EC_AffinePoint::serialize_compressed
T serialize_compressed() const
Definition ec_apoint.h:213
Botan::EC_Group::Mul2Table
Table for computing g*x + h*y.
Definition ec_group.h:334
Botan::EC_Group::Mul2Table::mul2_vartime_x_mod_order_eq
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:784
Botan::EC_Group
Definition ec_group.h:87
Botan::EC_PrivateKey::_private_key
const EC_Scalar & _private_key() const
Definition ecc_key.cpp:123
Botan::EC_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition ecc_key.cpp:201
Botan::EC_PublicKey::domain
const EC_Group & domain() const
Definition ecc_key.cpp:64
Botan::EC_PublicKey::EC_PublicKey
EC_PublicKey(const EC_PublicKey &other)=default
Botan::EC_PublicKey::_public_ec_point
const EC_AffinePoint & _public_ec_point() const
Definition ecc_key.cpp:76
Botan::EC_Scalar
Definition ec_scalar.h:28
Botan::EC_Scalar::from_bigint
static EC_Scalar from_bigint(const EC_Group &group, const BigInt &bn)
Definition ec_scalar.cpp:69
Botan::EC_Scalar::invert_vartime
EC_Scalar invert_vartime() const
Definition ec_scalar.cpp:141
Botan::EC_Scalar::square_self
void square_self()
Definition ec_scalar.cpp:149
Botan::EC_Scalar::negate
EC_Scalar negate() const
Definition ec_scalar.cpp:145
Botan::EC_Scalar::from_bytes_with_trunc
static EC_Scalar from_bytes_with_trunc(const EC_Group &group, std::span< const uint8_t > bytes)
Definition ec_scalar.cpp:49
Botan::Internal_Error
Definition exceptn.h:321
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::PK_Ops::Signature_with_Hash
Definition pk_ops_impl.h:85
Botan::Provider_Not_Found
Definition exceptn.h:262
Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
Definition keypair.cpp:49
Botan::PK_Ops
Definition pk_ops.h:36
Generated by doxygen 1.14.0