Botan 3.9.0
Crypto and TLS for C&
ecgdsa.cpp
Go to the documentation of this file.
1/*
2* ECGDSA (BSI-TR-03111, version 2.0)
3* (C) 2016 René Korthaus
4* (C) 2018,2024 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/ecgdsa.h>
10
11#include <botan/internal/keypair.h>
12#include <botan/internal/pk_ops_impl.h>
13
14namespace Botan {
15
16std::unique_ptr<Public_Key> ECGDSA_PrivateKey::public_key() const {
17 return std::make_unique<ECGDSA_PublicKey>(domain(), _public_ec_point());
18}
19
21 if(!EC_PrivateKey::check_key(rng, strong)) {
22 return false;
23 }
24
25 if(!strong) {
26 return true;
27 }
28
29 return KeyPair::signature_consistency_check(rng, *this, "SHA-256");
30}
31
32namespace {
33
34/**
35* ECGDSA signature operation
36*/
37class ECGDSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {
38 public:
39 ECGDSA_Signature_Operation(const ECGDSA_PrivateKey& ecgdsa, std::string_view hash_fn) :
40 PK_Ops::Signature_with_Hash(hash_fn), m_group(ecgdsa.domain()), m_x(ecgdsa._private_key()) {}
41
42 std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;
43
44 size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }
45
46 AlgorithmIdentifier algorithm_identifier() const override;
47
48 private:
49 const EC_Group m_group;
50 const EC_Scalar m_x;
51};
52
53AlgorithmIdentifier ECGDSA_Signature_Operation::algorithm_identifier() const {
54 const std::string full_name = "ECGDSA/" + hash_function();
55 const OID oid = OID::from_string(full_name);
56 return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
57}
58
59std::vector<uint8_t> ECGDSA_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
60 const auto m = EC_Scalar::from_bytes_with_trunc(m_group, msg);
61
62 const auto k = EC_Scalar::random(m_group, rng);
63
64 const auto r = EC_Scalar::gk_x_mod_order(k, rng);
65
66 const auto s = m_x * ((k * r) - m);
67
68 // With overwhelming probability, a bug rather than actual zero r/s
69 if(r.is_zero() || s.is_zero()) {
70 throw Internal_Error("During ECGDSA signature generated zero r/s");
71 }
72
73 return EC_Scalar::serialize_pair(r, s);
74}
75
76/**
77* ECGDSA verification operation
78*/
79class ECGDSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {
80 public:
81 ECGDSA_Verification_Operation(const ECGDSA_PublicKey& ecgdsa, std::string_view padding) :
82 PK_Ops::Verification_with_Hash(padding), m_group(ecgdsa.domain()), m_gy_mul(ecgdsa._public_ec_point()) {}
83
84 ECGDSA_Verification_Operation(const ECGDSA_PublicKey& ecgdsa, const AlgorithmIdentifier& alg_id) :
85 PK_Ops::Verification_with_Hash(alg_id, "ECGDSA"),
86 m_group(ecgdsa.domain()),
87 m_gy_mul(ecgdsa._public_ec_point()) {}
88
89 bool verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) override;
90
91 private:
92 const EC_Group m_group;
93 const EC_Group::Mul2Table m_gy_mul;
94};
95
96bool ECGDSA_Verification_Operation::verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) {
97 if(auto rs = EC_Scalar::deserialize_pair(m_group, sig)) {
98 const auto& [r, s] = rs.value();
99
100 if(r.is_nonzero() && s.is_nonzero()) {
101 const auto m = EC_Scalar::from_bytes_with_trunc(m_group, msg);
102
103 const auto w = r.invert_vartime();
104
105 // Check if r == x_coord(g*w*m + y*w*s) % n
106 return m_gy_mul.mul2_vartime_x_mod_order_eq(r, w, m, s);
107 }
108 }
109
110 return false;
111}
112
113} // namespace
114
115std::unique_ptr<Private_Key> ECGDSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
116 return std::make_unique<ECGDSA_PrivateKey>(rng, domain());
117}
118
119std::unique_ptr<PK_Ops::Verification> ECGDSA_PublicKey::create_verification_op(std::string_view params,
120 std::string_view provider) const {
121 if(provider == "base" || provider.empty()) {
122 return std::make_unique<ECGDSA_Verification_Operation>(*this, params);
123 }
124 throw Provider_Not_Found(algo_name(), provider);
125}
126
127std::unique_ptr<PK_Ops::Verification> ECGDSA_PublicKey::create_x509_verification_op(
128 const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
129 if(provider == "base" || provider.empty()) {
130 return std::make_unique<ECGDSA_Verification_Operation>(*this, signature_algorithm);
131 }
132
133 throw Provider_Not_Found(algo_name(), provider);
134}
135
136std::unique_ptr<PK_Ops::Signature> ECGDSA_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
137 std::string_view params,
138 std::string_view provider) const {
139 if(provider == "base" || provider.empty()) {
140 return std::make_unique<ECGDSA_Signature_Operation>(*this, params);
141 }
142 throw Provider_Not_Found(algo_name(), provider);
143}
144
145} // namespace Botan
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition ecgdsa.cpp:20
std::unique_ptr< Public_Key > public_key() const override
Definition ecgdsa.cpp:16
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition ecgdsa.cpp:136
std::string algo_name() const override
Definition ecgdsa.h:48
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition ecgdsa.cpp:119
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
Definition ecgdsa.cpp:127
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition ecgdsa.cpp:115
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:784
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition ecc_key.cpp:201
const EC_Group & domain() const
Definition ecc_key.cpp:64
const EC_AffinePoint & _public_ec_point() const
Definition ecc_key.cpp:76
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
Definition keypair.cpp:49