Botan 3.7.1
Crypto and TLS for C&
gost_3410.cpp
Go to the documentation of this file.
1/*
2* GOST 34.10-2012
3* (C) 2007 Falko Strenzke, FlexSecure GmbH
4* Manuel Hartl, FlexSecure GmbH
5* (C) 2008-2010,2015,2018,2024 Jack Lloyd
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/gost_3410.h>
11
12#include <botan/ber_dec.h>
13#include <botan/der_enc.h>
14#include <botan/internal/ec_key_data.h>
15#include <botan/internal/fmt.h>
16#include <botan/internal/pk_ops_impl.h>
17
18namespace Botan {
19
20namespace {
21
22EC_Group check_domain(EC_Group domain) {
23 const size_t p_bits = domain.get_p_bits();
24 if(p_bits != 256 && p_bits != 512) {
25 throw Decoding_Error(fmt("GOST-34.10-2012 is not defined for parameters of size {}", p_bits));
26 }
27 return domain;
28}
29
30} // namespace
31
32std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const {
33 auto bits = _public_ec_point().xy_bytes();
34
35 const size_t part_size = bits.size() / 2;
36
37 // GOST keys are stored in little endian format (WTF)
38 for(size_t i = 0; i != part_size / 2; ++i) {
39 std::swap(bits[i], bits[part_size - 1 - i]);
40 std::swap(bits[part_size + i], bits[2 * part_size - 1 - i]);
41 }
42
43 std::vector<uint8_t> output;
45 return output;
46}
47
48std::string GOST_3410_PublicKey::algo_name() const {
49 const size_t p_bits = domain().get_p_bits();
50
51 if(p_bits == 256 || p_bits == 512) {
52 return fmt("GOST-34.10-2012-{}", p_bits);
53 } else {
54 throw Encoding_Error("GOST-34.10-2012 is not defined for parameters of this size");
55 }
56}
57
59 std::vector<uint8_t> params;
60
61 const OID gost_oid = object_identifier();
62 const OID domain_oid = domain().get_curve_oid();
63
64 DER_Encoder(params).start_sequence().encode(domain_oid).end_cons();
65
66 return AlgorithmIdentifier(gost_oid, params);
67}
68
69GOST_3410_PublicKey::GOST_3410_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
70 OID ecc_param_id;
71
72 // The parameters also includes hash and cipher OIDs
73 BER_Decoder(alg_id.parameters()).start_sequence().decode(ecc_param_id);
74
75 auto group = check_domain(EC_Group::from_OID(ecc_param_id));
76
77 std::vector<uint8_t> bits;
79
80 if(bits.size() != 2 * (group.get_p_bits() / 8)) {
81 throw Decoding_Error("GOST-34.10-2012 invalid encoding of public key");
82 }
83
84 const size_t part_size = bits.size() / 2;
85
86 // Keys are stored in little endian format (WTF)
87 std::vector<uint8_t> encoding;
88 encoding.reserve(bits.size() + 1);
89 encoding.push_back(0x04);
90 encoding.insert(encoding.end(), bits.rbegin() + part_size, bits.rend());
91 encoding.insert(encoding.end(), bits.rbegin(), bits.rend() - part_size);
92
93 m_public_key = std::make_shared<EC_PublicKey_Data>(std::move(group), encoding);
94}
95
97 EC_PrivateKey(check_domain(domain), EC_Scalar::from_bigint(domain, x)) {}
98
100 EC_PrivateKey(rng, check_domain(std::move(domain))) {}
101
103 EC_PrivateKey(rng, check_domain(domain), x) {}
104
105std::unique_ptr<Public_Key> GOST_3410_PrivateKey::public_key() const {
106 return std::make_unique<GOST_3410_PublicKey>(domain(), _public_ec_point());
107}
108
109namespace {
110
111EC_Scalar gost_msg_to_scalar(const EC_Group& group, std::span<const uint8_t> msg) {
112 std::vector<uint8_t> rev_bytes(msg.rbegin(), msg.rend());
113
114 auto ie = EC_Scalar::from_bytes_mod_order(group, rev_bytes);
115 if(ie.is_zero()) {
116 return EC_Scalar::one(group);
117 } else {
118 return ie;
119 }
120}
121
122/**
123* GOST-34.10 signature operation
124*/
125class GOST_3410_Signature_Operation final : public PK_Ops::Signature_with_Hash {
126 public:
127 GOST_3410_Signature_Operation(const GOST_3410_PrivateKey& gost_3410, std::string_view emsa) :
128 PK_Ops::Signature_with_Hash(emsa), m_group(gost_3410.domain()), m_x(gost_3410._private_key()) {}
129
130 size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }
131
132 AlgorithmIdentifier algorithm_identifier() const override;
133
134 std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;
135
136 private:
137 const EC_Group m_group;
138 const EC_Scalar m_x;
139 std::vector<BigInt> m_ws;
140};
141
142AlgorithmIdentifier GOST_3410_Signature_Operation::algorithm_identifier() const {
143 const std::string hash_fn = hash_function();
144
145 const size_t p_bits = m_group.get_p_bits();
146
147 std::string oid_name;
148 if(hash_fn == "GOST-R-34.11-94") {
149 oid_name = "GOST-34.10/GOST-R-34.11-94";
150 } else if(hash_fn == "Streebog-256" && p_bits == 256) {
151 oid_name = "GOST-34.10-2012-256/Streebog-256";
152 } else if(hash_fn == "Streebog-512" && p_bits == 512) {
153 oid_name = "GOST-34.10-2012-512/Streebog-512";
154 } else if(hash_fn == "SHA-256" && p_bits == 256) {
155 oid_name = "GOST-34.10-2012-256/SHA-256";
156 }
157
158 if(oid_name.empty()) {
159 throw Not_Implemented("No encoding defined for GOST with " + hash_fn);
160 }
161
162 return AlgorithmIdentifier(oid_name, AlgorithmIdentifier::USE_EMPTY_PARAM);
163}
164
165std::vector<uint8_t> GOST_3410_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
166 const auto e = gost_msg_to_scalar(m_group, msg);
167
168 const auto k = EC_Scalar::random(m_group, rng);
169 const auto r = EC_Scalar::gk_x_mod_order(k, rng, m_ws);
170 const auto s = (r * m_x) + (k * e);
171
172 if(r.is_zero() || s.is_zero()) {
173 throw Internal_Error("GOST 34.10 signature generation failed, r/s equal to zero");
174 }
175
176 return EC_Scalar::serialize_pair(s, r);
177}
178
179std::string gost_hash_from_algid(const AlgorithmIdentifier& alg_id) {
180 if(!alg_id.parameters_are_empty()) {
181 throw Decoding_Error("Unexpected non-empty AlgorithmIdentifier parameters for GOST 34.10 signature");
182 }
183
184 const std::string oid_str = alg_id.oid().to_formatted_string();
185 if(oid_str == "GOST-34.10/GOST-R-34.11-94") {
186 return "GOST-R-34.11-94";
187 }
188 if(oid_str == "GOST-34.10-2012-256/Streebog-256") {
189 return "Streebog-256";
190 }
191 if(oid_str == "GOST-34.10-2012-512/Streebog-512") {
192 return "Streebog-512";
193 }
194 if(oid_str == "GOST-34.10-2012-256/SHA-256") {
195 return "SHA-256";
196 }
197
198 throw Decoding_Error(fmt("Unknown OID ({}) for GOST 34.10 signatures", alg_id.oid()));
199}
200
201/**
202* GOST-34.10 verification operation
203*/
204class GOST_3410_Verification_Operation final : public PK_Ops::Verification_with_Hash {
205 public:
206 GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, std::string_view padding) :
207 PK_Ops::Verification_with_Hash(padding), m_group(gost.domain()), m_gy_mul(gost._public_ec_point()) {}
208
209 GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, const AlgorithmIdentifier& alg_id) :
210 PK_Ops::Verification_with_Hash(gost_hash_from_algid(alg_id)),
211 m_group(gost.domain()),
212 m_gy_mul(gost._public_ec_point()) {}
213
214 bool verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) override;
215
216 private:
217 const EC_Group m_group;
218 const EC_Group::Mul2Table m_gy_mul;
219};
220
221bool GOST_3410_Verification_Operation::verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) {
222 if(auto sr = EC_Scalar::deserialize_pair(m_group, sig)) {
223 const auto& [s, r] = sr.value();
224
225 if(r.is_nonzero() && s.is_nonzero()) {
226 const auto e = gost_msg_to_scalar(m_group, msg);
227
228 const auto v = e.invert_vartime();
229
230 // Check if r == x_coord(g*v*s - y*v*r) % n
231 return m_gy_mul.mul2_vartime_x_mod_order_eq(r, v, s, r.negate());
232 }
233 }
234
235 return false;
236}
237
238} // namespace
239
240std::unique_ptr<Private_Key> GOST_3410_PublicKey::generate_another(RandomNumberGenerator& rng) const {
241 return std::make_unique<GOST_3410_PrivateKey>(rng, domain());
242}
243
244std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_verification_op(std::string_view params,
245 std::string_view provider) const {
246 if(provider == "base" || provider.empty()) {
247 return std::make_unique<GOST_3410_Verification_Operation>(*this, params);
248 }
249 throw Provider_Not_Found(algo_name(), provider);
250}
251
252std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_x509_verification_op(
253 const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
254 if(provider == "base" || provider.empty()) {
255 return std::make_unique<GOST_3410_Verification_Operation>(*this, signature_algorithm);
256 }
257
258 throw Provider_Not_Found(algo_name(), provider);
259}
260
261std::unique_ptr<PK_Ops::Signature> GOST_3410_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
262 std::string_view params,
263 std::string_view provider) const {
264 if(provider == "base" || provider.empty()) {
265 return std::make_unique<GOST_3410_Signature_Operation>(*this, params);
266 }
267 throw Provider_Not_Found(algo_name(), provider);
268}
269
270} // namespace Botan
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:474
virtual OID object_identifier() const
Definition pk_keys.cpp:22
void push_back(const BER_Object &obj)
Definition ber_dec.cpp:286
BER_Decoder & decode(bool &out)
Definition ber_dec.h:186
BER_Decoder start_sequence()
Definition ber_dec.h:123
DER_Encoder & start_sequence()
Definition der_enc.h:64
DER_Encoder & end_cons()
Definition der_enc.cpp:171
DER_Encoder & encode(bool b)
Definition der_enc.cpp:250
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:743
size_t get_p_bits() const
Definition ec_group.cpp:498
static EC_Group from_OID(const OID &oid)
Definition ec_group.cpp:343
const OID & get_curve_oid() const
Definition ec_group.cpp:582
const EC_Group & domain() const
Definition ecc_key.cpp:63
std::shared_ptr< const EC_PublicKey_Data > m_public_key
Definition ecc_key.h:135
const EC_AffinePoint & _public_ec_point() const
Definition ecc_key.cpp:75
static EC_Scalar one(const EC_Group &group)
Definition ec_scalar.cpp:61
static EC_Scalar from_bytes_mod_order(const EC_Group &group, std::span< const uint8_t > bytes)
Definition ec_scalar.cpp:49
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
std::unique_ptr< Public_Key > public_key() const override
GOST_3410_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition gost_3410.h:92
AlgorithmIdentifier algorithm_identifier() const override
Definition gost_3410.cpp:58
std::string algo_name() const override
Definition gost_3410.cpp:48
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
std::vector< uint8_t > public_key_bits() const override
Definition gost_3410.cpp:32
int(* final)(unsigned char *, CTX *)
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53