10#include <botan/gost_3410.h>
12#include <botan/ber_dec.h>
13#include <botan/der_enc.h>
14#include <botan/internal/ec_key_data.h>
15#include <botan/internal/fmt.h>
16#include <botan/internal/pk_ops_impl.h>
22EC_Group check_domain(EC_Group domain) {
23 const size_t p_bits = domain.get_p_bits();
24 if(p_bits != 256 && p_bits != 512) {
25 throw Decoding_Error(
fmt(
"GOST-34.10-2012 is not defined for parameters of size {}", p_bits));
35 const size_t part_size = bits.size() / 2;
38 for(
size_t i = 0; i != part_size / 2; ++i) {
39 std::swap(bits[i], bits[part_size - 1 - i]);
40 std::swap(bits[part_size + i], bits[2 * part_size - 1 - i]);
43 std::vector<uint8_t> output;
51 if(p_bits == 256 || p_bits == 512) {
52 return fmt(
"GOST-34.10-2012-{}", p_bits);
54 throw Encoding_Error(
"GOST-34.10-2012 is not defined for parameters of this size");
59 std::vector<uint8_t> params;
77 std::vector<uint8_t> bits;
80 if(bits.size() != 2 * (group.get_p_bits() / 8)) {
81 throw Decoding_Error(
"GOST-34.10-2012 invalid encoding of public key");
84 const size_t part_size = bits.size() / 2;
87 std::vector<uint8_t> encoding;
88 encoding.reserve(bits.size() + 1);
90 encoding.insert(encoding.end(), bits.rbegin() + part_size, bits.rend());
91 encoding.insert(encoding.end(), bits.rbegin(), bits.rend() - part_size);
93 m_public_key = std::make_shared<EC_PublicKey_Data>(std::move(group), encoding);
111EC_Scalar gost_msg_to_scalar(
const EC_Group& group, std::span<const uint8_t> msg) {
112 std::vector<uint8_t> rev_bytes(msg.rbegin(), msg.rend());
125class GOST_3410_Signature_Operation
final :
public PK_Ops::Signature_with_Hash {
127 GOST_3410_Signature_Operation(
const GOST_3410_PrivateKey& gost_3410, std::string_view emsa) :
128 PK_Ops::Signature_with_Hash(emsa), m_group(gost_3410.domain()), m_x(gost_3410._private_key()) {}
130 size_t signature_length()
const override {
return 2 * m_group.get_order_bytes(); }
132 AlgorithmIdentifier algorithm_identifier()
const override;
134 std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng)
override;
137 const EC_Group m_group;
139 std::vector<BigInt> m_ws;
142AlgorithmIdentifier GOST_3410_Signature_Operation::algorithm_identifier()
const {
143 const std::string hash_fn = hash_function();
147 std::string oid_name;
148 if(hash_fn ==
"GOST-R-34.11-94") {
149 oid_name =
"GOST-34.10/GOST-R-34.11-94";
150 }
else if(hash_fn ==
"Streebog-256" && p_bits == 256) {
151 oid_name =
"GOST-34.10-2012-256/Streebog-256";
152 }
else if(hash_fn ==
"Streebog-512" && p_bits == 512) {
153 oid_name =
"GOST-34.10-2012-512/Streebog-512";
154 }
else if(hash_fn ==
"SHA-256" && p_bits == 256) {
155 oid_name =
"GOST-34.10-2012-256/SHA-256";
158 if(oid_name.empty()) {
159 throw Not_Implemented(
"No encoding defined for GOST with " + hash_fn);
162 return AlgorithmIdentifier(oid_name, AlgorithmIdentifier::USE_EMPTY_PARAM);
165std::vector<uint8_t> GOST_3410_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
166 const auto e = gost_msg_to_scalar(m_group, msg);
168 const auto k = EC_Scalar::random(m_group, rng);
169 const auto r = EC_Scalar::gk_x_mod_order(k, rng, m_ws);
170 const auto s = (r * m_x) + (k * e);
172 if(r.is_zero() || s.is_zero()) {
173 throw Internal_Error(
"GOST 34.10 signature generation failed, r/s equal to zero");
176 return EC_Scalar::serialize_pair(s, r);
179std::string gost_hash_from_algid(
const AlgorithmIdentifier& alg_id) {
180 if(!alg_id.parameters_are_empty()) {
181 throw Decoding_Error(
"Unexpected non-empty AlgorithmIdentifier parameters for GOST 34.10 signature");
184 const std::string oid_str = alg_id.oid().to_formatted_string();
185 if(oid_str ==
"GOST-34.10/GOST-R-34.11-94") {
186 return "GOST-R-34.11-94";
188 if(oid_str ==
"GOST-34.10-2012-256/Streebog-256") {
189 return "Streebog-256";
191 if(oid_str ==
"GOST-34.10-2012-512/Streebog-512") {
192 return "Streebog-512";
194 if(oid_str ==
"GOST-34.10-2012-256/SHA-256") {
198 throw Decoding_Error(
fmt(
"Unknown OID ({}) for GOST 34.10 signatures", alg_id.oid()));
204class GOST_3410_Verification_Operation
final :
public PK_Ops::Verification_with_Hash {
206 GOST_3410_Verification_Operation(
const GOST_3410_PublicKey& gost, std::string_view padding) :
207 PK_Ops::Verification_with_Hash(padding), m_group(gost.domain()), m_gy_mul(gost._public_ec_point()) {}
209 GOST_3410_Verification_Operation(
const GOST_3410_PublicKey& gost,
const AlgorithmIdentifier& alg_id) :
210 PK_Ops::Verification_with_Hash(gost_hash_from_algid(alg_id)),
211 m_group(gost.domain()),
212 m_gy_mul(gost._public_ec_point()) {}
214 bool verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig)
override;
217 const EC_Group m_group;
218 const EC_Group::Mul2Table m_gy_mul;
221bool GOST_3410_Verification_Operation::verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) {
222 if(
auto sr = EC_Scalar::deserialize_pair(m_group, sig)) {
223 const auto& [s, r] = sr.value();
225 if(r.is_nonzero() && s.is_nonzero()) {
226 const auto e = gost_msg_to_scalar(m_group, msg);
228 const auto v = e.invert_vartime();
241 return std::make_unique<GOST_3410_PrivateKey>(rng, domain());
245 std::string_view provider)
const {
246 if(provider ==
"base" || provider.empty()) {
247 return std::make_unique<GOST_3410_Verification_Operation>(*
this, params);
254 if(provider ==
"base" || provider.empty()) {
255 return std::make_unique<GOST_3410_Verification_Operation>(*
this, signature_algorithm);
262 std::string_view params,
263 std::string_view provider)
const {
264 if(provider ==
"base" || provider.empty()) {
265 return std::make_unique<GOST_3410_Signature_Operation>(*
this, params);
const std::vector< uint8_t > & parameters() const
virtual OID object_identifier() const
void push_back(const BER_Object &obj)
BER_Decoder & decode(bool &out)
BER_Decoder start_sequence()
DER_Encoder & start_sequence()
DER_Encoder & encode(bool b)
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
size_t get_p_bits() const
static EC_Group from_OID(const OID &oid)
const OID & get_curve_oid() const
const EC_Group & domain() const
std::shared_ptr< const EC_PublicKey_Data > m_public_key
const EC_AffinePoint & _public_ec_point() const
static EC_Scalar one(const EC_Group &group)
static EC_Scalar from_bytes_mod_order(const EC_Group &group, std::span< const uint8_t > bytes)
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
std::unique_ptr< Public_Key > public_key() const override
GOST_3410_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
AlgorithmIdentifier algorithm_identifier() const override
GOST_3410_PublicKey()=default
std::string algo_name() const override
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
std::vector< uint8_t > public_key_bits() const override
int(* final)(unsigned char *, CTX *)
std::string fmt(std::string_view format, const T &... args)