Botan  2.8.0
Crypto and TLS for C++11
gost_3410.cpp
Go to the documentation of this file.
1 /*
2 * GOST 34.10-2001 implemenation
3 * (C) 2007 Falko Strenzke, FlexSecure GmbH
4 * Manuel Hartl, FlexSecure GmbH
5 * (C) 2008-2010,2015,2018 Jack Lloyd
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/gost_3410.h>
11 #include <botan/internal/pk_ops_impl.h>
12 #include <botan/internal/point_mul.h>
13 #include <botan/reducer.h>
14 #include <botan/der_enc.h>
15 #include <botan/ber_dec.h>
16 
17 namespace Botan {
18 
19 std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const
20  {
21  const BigInt x = public_point().get_affine_x();
22  const BigInt y = public_point().get_affine_y();
23 
24  size_t part_size = std::max(x.bytes(), y.bytes());
25 
26  std::vector<uint8_t> bits(2*part_size);
27 
28  x.binary_encode(&bits[part_size - x.bytes()]);
29  y.binary_encode(&bits[2*part_size - y.bytes()]);
30 
31  // Keys are stored in little endian format (WTF)
32  for(size_t i = 0; i != part_size / 2; ++i)
33  {
34  std::swap(bits[i], bits[part_size-1-i]);
35  std::swap(bits[part_size+i], bits[2*part_size-1-i]);
36  }
37 
38  std::vector<uint8_t> output;
39  DER_Encoder(output).encode(bits, OCTET_STRING);
40  return output;
41  }
42 
44  {
45  std::vector<uint8_t> params;
46 
47  DER_Encoder(params)
49  .encode(domain().get_curve_oid())
50  .end_cons();
51 
52  return AlgorithmIdentifier(get_oid(), params);
53  }
54 
56  const std::vector<uint8_t>& key_bits)
57  {
58  OID ecc_param_id;
59 
60  // The parameters also includes hash and cipher OIDs
61  BER_Decoder(alg_id.get_parameters()).start_cons(SEQUENCE).decode(ecc_param_id);
62 
63  m_domain_params = EC_Group(ecc_param_id);
64 
66  BER_Decoder(key_bits).decode(bits, OCTET_STRING);
67 
68  const size_t part_size = bits.size() / 2;
69 
70  // Keys are stored in little endian format (WTF)
71  for(size_t i = 0; i != part_size / 2; ++i)
72  {
73  std::swap(bits[i], bits[part_size-1-i]);
74  std::swap(bits[part_size+i], bits[2*part_size-1-i]);
75  }
76 
77  BigInt x(bits.data(), part_size);
78  BigInt y(&bits[part_size], part_size);
79 
80  m_public_key = domain().point(x, y);
81 
83  "Loaded GOST 34.10 public key is on the curve");
84  }
85 
86 namespace {
87 
88 BigInt decode_le(const uint8_t msg[], size_t msg_len)
89  {
90  secure_vector<uint8_t> msg_le(msg, msg + msg_len);
91 
92  for(size_t i = 0; i != msg_le.size() / 2; ++i)
93  std::swap(msg_le[i], msg_le[msg_le.size()-1-i]);
94 
95  return BigInt(msg_le.data(), msg_le.size());
96  }
97 
98 /**
99 * GOST-34.10 signature operation
100 */
101 class GOST_3410_Signature_Operation final : public PK_Ops::Signature_with_EMSA
102  {
103  public:
104  GOST_3410_Signature_Operation(const GOST_3410_PrivateKey& gost_3410,
105  const std::string& emsa) :
106  PK_Ops::Signature_with_EMSA(emsa),
107  m_group(gost_3410.domain()),
108  m_x(gost_3410.private_value())
109  {}
110 
111  size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
112 
113  size_t max_input_bits() const override { return m_group.get_order_bits(); }
114 
115  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
116  RandomNumberGenerator& rng) override;
117 
118  private:
119  const EC_Group m_group;
120  const BigInt& m_x;
121  std::vector<BigInt> m_ws;
122  };
123 
124 secure_vector<uint8_t>
125 GOST_3410_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
126  RandomNumberGenerator& rng)
127  {
128  const BigInt k = m_group.random_scalar(rng);
129 
130  BigInt e = decode_le(msg, msg_len);
131 
132  e = m_group.mod_order(e);
133  if(e == 0)
134  e = 1;
135 
136  const BigInt r = m_group.mod_order(
137  m_group.blinded_base_point_multiply_x(k, rng, m_ws));
138 
139  const BigInt s = m_group.mod_order(
140  m_group.multiply_mod_order(r, m_x) +
141  m_group.multiply_mod_order(k, e));
142 
143  if(r == 0 || s == 0)
144  throw Internal_Error("GOST 34.10 signature generation failed, r/s equal to zero");
145 
146  return BigInt::encode_fixed_length_int_pair(s, r, m_group.get_order_bytes());
147  }
148 
149 /**
150 * GOST-34.10 verification operation
151 */
152 class GOST_3410_Verification_Operation final : public PK_Ops::Verification_with_EMSA
153  {
154  public:
155 
156  GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost,
157  const std::string& emsa) :
158  PK_Ops::Verification_with_EMSA(emsa),
159  m_group(gost.domain()),
160  m_gy_mul(m_group.get_base_point(), gost.public_point())
161  {}
162 
163  size_t max_input_bits() const override { return m_group.get_order_bits(); }
164 
165  bool with_recovery() const override { return false; }
166 
167  bool verify(const uint8_t msg[], size_t msg_len,
168  const uint8_t sig[], size_t sig_len) override;
169  private:
170  const EC_Group m_group;
171  const PointGFp_Multi_Point_Precompute m_gy_mul;
172  };
173 
174 bool GOST_3410_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
175  const uint8_t sig[], size_t sig_len)
176  {
177  if(sig_len != m_group.get_order_bytes() * 2)
178  return false;
179 
180  const BigInt s(sig, sig_len / 2);
181  const BigInt r(sig + sig_len / 2, sig_len / 2);
182 
183  const BigInt& order = m_group.get_order();
184 
185  if(r <= 0 || r >= order || s <= 0 || s >= order)
186  return false;
187 
188  BigInt e = decode_le(msg, msg_len);
189  e = m_group.mod_order(e);
190  if(e == 0)
191  e = 1;
192 
193  const BigInt v = m_group.inverse_mod_order(e);
194 
195  const BigInt z1 = m_group.multiply_mod_order(s, v);
196  const BigInt z2 = m_group.multiply_mod_order(-r, v);
197 
198  const PointGFp R = m_gy_mul.multi_exp(z1, z2);
199 
200  if(R.is_zero())
201  return false;
202 
203  return (R.get_affine_x() == r);
204  }
205 
206 }
207 
208 std::unique_ptr<PK_Ops::Verification>
210  const std::string& provider) const
211  {
212  if(provider == "base" || provider.empty())
213  return std::unique_ptr<PK_Ops::Verification>(new GOST_3410_Verification_Operation(*this, params));
214  throw Provider_Not_Found(algo_name(), provider);
215  }
216 
217 std::unique_ptr<PK_Ops::Signature>
219  const std::string& params,
220  const std::string& provider) const
221  {
222  if(provider == "base" || provider.empty())
223  return std::unique_ptr<PK_Ops::Signature>(new GOST_3410_Signature_Operation(*this, params));
224  throw Provider_Not_Found(algo_name(), provider);
225  }
226 
227 }
PointGFp point(const BigInt &x, const BigInt &y) const
Definition: ec_group.cpp:543
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:341
const PointGFp & public_point() const
Definition: ecc_key.h:57
int(* final)(unsigned char *, CTX *)
PointGFp m_public_key
Definition: ecc_key.h:115
void binary_encode(uint8_t buf[]) const
Definition: bigint.cpp:317
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
BigInt get_affine_x() const
Definition: point_gfp.cpp:501
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: gost_3410.cpp:218
BigInt get_affine_y() const
Definition: point_gfp.cpp:520
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
std::vector< uint8_t > public_key_bits() const override
Definition: gost_3410.cpp:19
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
virtual OID get_oid() const
Definition: pk_keys.cpp:53
const EC_Group & domain() const
Definition: ecc_key.h:72
Definition: alg_id.cpp:13
size_t bytes() const
Definition: bigint.cpp:221
const std::vector< uint8_t > & get_parameters() const
Definition: alg_id.h:38
bool on_the_curve() const
Definition: point_gfp.cpp:540
std::string algo_name() const override
Definition: gost_3410.h:45
AlgorithmIdentifier algorithm_identifier() const override
Definition: gost_3410.cpp:43
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: gost_3410.cpp:209
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:145
EC_Group m_domain_params
Definition: ecc_key.h:114