11#include <botan/ecdsa.h>
12#include <botan/internal/pk_ops_impl.h>
13#include <botan/internal/point_mul.h>
14#include <botan/internal/keypair.h>
15#include <botan/reducer.h>
16#include <botan/internal/emsa.h>
18#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19 #include <botan/internal/rfc6979.h>
26PointGFp recover_ecdsa_public_key(
const EC_Group& group,
27 const std::vector<uint8_t>& msg,
32 if(group.get_cofactor() != 1)
33 throw Invalid_Argument(
"ECDSA public key recovery only supported for prime order groups");
36 throw Invalid_Argument(
"Unexpected v param for ECDSA public key recovery");
38 const BigInt& group_order = group.get_order();
40 if(r <= 0 || r >= group_order || s <= 0 || s >= group_order)
42 throw Invalid_Argument(
"Out of range r/s cannot recover ECDSA public key");
45 const uint8_t y_odd =
v % 2;
46 const uint8_t add_order =
v >> 1;
47 const size_t p_bytes = group.get_p_bytes();
52 const BigInt r_inv = group.inverse_mod_order(r);
54 BigInt x = r + add_order*group_order;
56 std::vector<uint8_t>
X(p_bytes + 1);
61 const PointGFp R = group.OS2ECP(
X);
63 if((R*group_order).is_zero() ==
false)
64 throw Decoding_Error(
"Unable to recover ECDSA public key");
67 PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
68 const BigInt ne = group.mod_order(group_order - e);
69 return r_inv * RG_mul.multi_exp(s, ne);
76 throw Decoding_Error(
"Failed to recover ECDSA public key from signature/msg pair");
82 const std::vector<uint8_t>& msg,
86 EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s,
v)) {}
93 for(uint8_t
v = 0;
v != 4; ++
v)
110 throw Internal_Error(
"Could not determine ECDSA recovery parameter");
140 const std::string& emsa,
142 PK_Ops::Signature_with_EMSA(emsa),
143 m_group(ecdsa.domain()),
144 m_x(ecdsa.private_value())
146#if defined(BOTAN_HAS_RFC6979_GENERATOR)
150 m_b = m_group.random_scalar(rng);
151 m_b_inv = m_group.inverse_mod_order(m_b);
154 size_t signature_length()
const override {
return 2*m_group.get_order_bytes(); }
156 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
158 secure_vector<uint8_t> raw_sign(
const uint8_t msg[],
size_t msg_len,
159 RandomNumberGenerator& rng)
override;
162 const EC_Group m_group;
165#if defined(BOTAN_HAS_RFC6979_GENERATOR)
166 std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
169 std::vector<BigInt> m_ws;
174secure_vector<uint8_t>
175ECDSA_Signature_Operation::raw_sign(
const uint8_t msg[],
size_t msg_len,
176 RandomNumberGenerator& rng)
180#if defined(BOTAN_HAS_RFC6979_GENERATOR)
181 const BigInt k = m_rfc6979->nonce_for(m);
183 const BigInt k = m_group.random_scalar(rng);
186 const BigInt r = m_group.mod_order(
187 m_group.blinded_base_point_multiply_x(k, rng, m_ws));
189 const BigInt k_inv = m_group.inverse_mod_order(k);
194 m_b = m_group.square_mod_order(m_b);
195 m_b_inv = m_group.square_mod_order(m_b_inv);
197 m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
198 const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
200 const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
203 if(r.is_zero() || s.is_zero())
204 throw Internal_Error(
"During ECDSA signature generated zero r/s");
212class ECDSA_Verification_Operation
final :
public PK_Ops::Verification_with_EMSA
215 ECDSA_Verification_Operation(
const ECDSA_PublicKey& ecdsa,
216 const std::string& emsa) :
217 PK_Ops::Verification_with_EMSA(emsa),
218 m_group(ecdsa.domain()),
219 m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
223 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
225 bool with_recovery()
const override {
return false; }
227 bool verify(
const uint8_t msg[],
size_t msg_len,
228 const uint8_t sig[],
size_t sig_len)
override;
230 const EC_Group m_group;
231 const PointGFp_Multi_Point_Precompute m_gy_mul;
234bool ECDSA_Verification_Operation::verify(
const uint8_t msg[],
size_t msg_len,
235 const uint8_t sig[],
size_t sig_len)
237 if(sig_len != m_group.get_order_bytes() * 2)
242 const BigInt r(sig, sig_len / 2);
243 const BigInt s(sig + sig_len / 2, sig_len / 2);
246 if(r.is_zero() || s.is_zero())
249 if(r >= m_group.get_order() || s >= m_group.get_order())
252 const BigInt w = m_group.inverse_mod_order(s);
254 const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
255 const BigInt u2 = m_group.multiply_mod_order(r, w);
256 const PointGFp R = m_gy_mul.
multi_exp(u1, u2);
261 const BigInt
v = m_group.mod_order(R.get_affine_x());
267std::unique_ptr<PK_Ops::Verification>
269 const std::string& provider)
const
271 if(provider ==
"base" || provider.empty())
272 return std::make_unique<ECDSA_Verification_Operation>(*
this, params);
277std::unique_ptr<PK_Ops::Signature>
279 const std::string& params,
280 const std::string& provider)
const
282 if(provider ==
"base" || provider.empty())
283 return std::make_unique<ECDSA_Signature_Operation>(*
this, params, rng);
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
static BigInt from_bytes_with_max_bits(const uint8_t buf[], size_t length, size_t max_bits)
std::unique_ptr< Public_Key > public_key() const override
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
bool check_key(RandomNumberGenerator &rng, bool) const override
std::string algo_name() const override
ECDSA_PublicKey()=default
uint8_t recovery_param(const std::vector< uint8_t > &msg, const BigInt &r, const BigInt &s) const
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string ¶ms, const std::string &provider) const override
const EC_Group & domain() const
const PointGFp & public_point() const
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
int(* final)(unsigned char *, CTX *)
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)