doxygen/gost__3410_8cpp_source.html

/*

* GOST 34.10-2012

* (C) 2007 Falko Strenzke, FlexSecure GmbH

*          Manuel Hartl, FlexSecure GmbH

* (C) 2008-2010,2015,2018,2024 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/gost_3410.h>


#include <botan/ber_dec.h>

#include <botan/der_enc.h>

#include <botan/internal/ec_key_data.h>

#include <botan/internal/fmt.h>

#include <botan/internal/pk_ops_impl.h>


namespace Botan {


namespace {


EC_Group check_domain(EC_Group domain) {

   const size_t p_bits = domain.get_p_bits();

   if(p_bits != 256 && p_bits != 512) {

      throw Decoding_Error(fmt("GOST-34.10-2012 is not defined for parameters of size {}", p_bits));

   }

   return domain;

}


}  // namespace


std::optional<size_t> GOST_3410_PublicKey::_signature_element_size_for_DER_encoding() const {

   return domain().get_order_bytes();

}


std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const {

   auto bits = _public_ec_point().xy_bytes();


   const size_t part_size = bits.size() / 2;


   // GOST keys are stored in little endian format (WTF)

   for(size_t i = 0; i != part_size / 2; ++i) {

      std::swap(bits[i], bits[part_size - 1 - i]);

      std::swap(bits[part_size + i], bits[2 * part_size - 1 - i]);

   }


   std::vector<uint8_t> output;

   DER_Encoder(output).encode(bits, ASN1_Type::OctetString);

   return output;

}


std::string GOST_3410_PublicKey::algo_name() const {

   const size_t p_bits = domain().get_p_bits();


   if(p_bits == 256 || p_bits == 512) {

      return fmt("GOST-34.10-2012-{}", p_bits);

   } else {

      throw Encoding_Error("GOST-34.10-2012 is not defined for parameters of this size");

   }

}


AlgorithmIdentifier GOST_3410_PublicKey::algorithm_identifier() const {

   std::vector<uint8_t> params;


   const OID gost_oid = object_identifier();

   const OID domain_oid = domain().get_curve_oid();


   DER_Encoder(params).start_sequence().encode(domain_oid).end_cons();


   return AlgorithmIdentifier(gost_oid, params);

}


GOST_3410_PublicKey::GOST_3410_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {

   OID ecc_param_id;


   // The parameters also includes hash and cipher OIDs

   BER_Decoder(alg_id.parameters(), BER_Decoder::Limits::DER())

      .start_sequence()

      .decode(ecc_param_id)

      .discard_remaining()

      .end_cons()

      .verify_end();


   auto group = check_domain(EC_Group::from_OID(ecc_param_id));


   std::vector<uint8_t> bits;

   BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(bits, ASN1_Type::OctetString).verify_end();


   if(bits.size() != 2 * (group.get_p_bits() / 8)) {

      throw Decoding_Error("GOST-34.10-2012 invalid encoding of public key");

   }


   const size_t part_size = bits.size() / 2;


   // Keys are stored in little endian format (WTF)

   std::vector<uint8_t> encoding;

   encoding.reserve(bits.size() + 1);

   encoding.push_back(0x04);

   encoding.insert(encoding.end(), bits.rbegin() + part_size, bits.rend());

   encoding.insert(encoding.end(), bits.rbegin(), bits.rend() - part_size);


   m_public_key = std::make_shared<EC_PublicKey_Data>(std::move(group), encoding);

}


GOST_3410_PrivateKey::GOST_3410_PrivateKey(const EC_Group& domain, const BigInt& x) :

      EC_PrivateKey(check_domain(domain), EC_Scalar::from_bigint(domain, x)) {}


GOST_3410_PrivateKey::GOST_3410_PrivateKey(RandomNumberGenerator& rng, EC_Group domain) :

      EC_PrivateKey(rng, check_domain(std::move(domain))) {}


GOST_3410_PrivateKey::GOST_3410_PrivateKey(RandomNumberGenerator& rng, const EC_Group& domain, const BigInt& x) :

      EC_PrivateKey(rng, check_domain(domain), x) {}


std::unique_ptr<Public_Key> GOST_3410_PrivateKey::public_key() const {

   return std::make_unique<GOST_3410_PublicKey>(domain(), _public_ec_point());

}


namespace {


EC_Scalar gost_msg_to_scalar(const EC_Group& group, std::span<const uint8_t> msg) {

   std::vector<uint8_t> rev_bytes(msg.rbegin(), msg.rend());


   auto ie = EC_Scalar::from_bytes_mod_order(group, rev_bytes);

   if(ie.is_zero()) {

      return EC_Scalar::one(group);

   } else {

      return ie;

   }

}


/**

* GOST-34.10 signature operation

*/

class GOST_3410_Signature_Operation final : public PK_Ops::Signature_with_Hash {

   public:

      GOST_3410_Signature_Operation(const GOST_3410_PrivateKey& gost_3410, std::string_view hash_fn) :

            PK_Ops::Signature_with_Hash(hash_fn), m_group(gost_3410.domain()), m_x(gost_3410._private_key()) {}


      size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }


      AlgorithmIdentifier algorithm_identifier() const override;


      std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;


   private:

      const EC_Group m_group;

      const EC_Scalar m_x;

};


AlgorithmIdentifier GOST_3410_Signature_Operation::algorithm_identifier() const {

   const std::string hash_fn = hash_function();


   const size_t p_bits = m_group.get_p_bits();


   std::string oid_name;

   if(hash_fn == "GOST-R-34.11-94") {

      oid_name = "GOST-34.10/GOST-R-34.11-94";

   } else if(hash_fn == "Streebog-256" && p_bits == 256) {

      oid_name = "GOST-34.10-2012-256/Streebog-256";

   } else if(hash_fn == "Streebog-512" && p_bits == 512) {

      oid_name = "GOST-34.10-2012-512/Streebog-512";

   } else if(hash_fn == "SHA-256" && p_bits == 256) {

      oid_name = "GOST-34.10-2012-256/SHA-256";

   }


   if(oid_name.empty()) {

      throw Not_Implemented("No encoding defined for GOST with " + hash_fn);

   }


   return AlgorithmIdentifier(oid_name, AlgorithmIdentifier::USE_EMPTY_PARAM);

}


std::vector<uint8_t> GOST_3410_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {

   const auto e = gost_msg_to_scalar(m_group, msg);


   const auto k = EC_Scalar::random(m_group, rng);

   const auto r = EC_Scalar::gk_x_mod_order(k, rng);

   const auto s = (r * m_x) + (k * e);


   if(r.is_zero() || s.is_zero()) {

      throw Internal_Error("GOST 34.10 signature generation failed, r/s equal to zero");

   }


   return EC_Scalar::serialize_pair(s, r);

}


std::string gost_hash_from_algid(const AlgorithmIdentifier& alg_id) {

   if(!alg_id.parameters_are_empty()) {

      throw Decoding_Error("Unexpected non-empty AlgorithmIdentifier parameters for GOST 34.10 signature");

   }


   const std::string oid_str = alg_id.oid().to_formatted_string();

   if(oid_str == "GOST-34.10/GOST-R-34.11-94") {

      return "GOST-R-34.11-94";

   }

   if(oid_str == "GOST-34.10-2012-256/Streebog-256") {

      return "Streebog-256";

   }

   if(oid_str == "GOST-34.10-2012-512/Streebog-512") {

      return "Streebog-512";

   }

   if(oid_str == "GOST-34.10-2012-256/SHA-256") {

      return "SHA-256";

   }


   throw Decoding_Error(fmt("Unknown OID ({}) for GOST 34.10 signatures", alg_id.oid()));

}


/**

* GOST-34.10 verification operation

*/

class GOST_3410_Verification_Operation final : public PK_Ops::Verification_with_Hash {

   public:

      GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, std::string_view padding) :

            PK_Ops::Verification_with_Hash(padding), m_group(gost.domain()), m_gy_mul(gost._public_ec_point()) {}


      GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, const AlgorithmIdentifier& alg_id) :

            PK_Ops::Verification_with_Hash(gost_hash_from_algid(alg_id)),

            m_group(gost.domain()),

            m_gy_mul(gost._public_ec_point()) {}


      bool verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) override;


   private:

      const EC_Group m_group;

      const EC_Group::Mul2Table m_gy_mul;

};


bool GOST_3410_Verification_Operation::verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) {

   if(auto sr = EC_Scalar::deserialize_pair(m_group, sig)) {

      const auto& [s, r] = sr.value();


      if(r.is_nonzero() && s.is_nonzero()) {

         const auto e = gost_msg_to_scalar(m_group, msg);


         const auto v = e.invert_vartime();


         // Check if r == x_coord(g*v*s - y*v*r) % n

         return m_gy_mul.mul2_vartime_x_mod_order_eq(r, v, s, r.negate());

      }

   }


   return false;

}


}  // namespace


std::unique_ptr<Private_Key> GOST_3410_PublicKey::generate_another(RandomNumberGenerator& rng) const {

   return std::make_unique<GOST_3410_PrivateKey>(rng, domain());

}


std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_verification_op(std::string_view params,

                                                                                  std::string_view provider) const {

   if(provider == "base" || provider.empty()) {

      return std::make_unique<GOST_3410_Verification_Operation>(*this, params);

   }

   throw Provider_Not_Found(algo_name(), provider);

}


std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_x509_verification_op(

   const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {

   if(provider == "base" || provider.empty()) {

      return std::make_unique<GOST_3410_Verification_Operation>(*this, signature_algorithm);

   }


   throw Provider_Not_Found(algo_name(), provider);

}


std::unique_ptr<PK_Ops::Signature> GOST_3410_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,

                                                                             std::string_view params,

                                                                             std::string_view provider) const {

   if(provider == "base" || provider.empty()) {

      return std::make_unique<GOST_3410_Signature_Operation>(*this, params);

   }

   throw Provider_Not_Found(algo_name(), provider);

}


}  // namespace Botan

Botan::AlgorithmIdentifier
Definition asn1_obj.h:392

Botan::AlgorithmIdentifier::parameters
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:409

Botan::Asymmetric_Key::object_identifier
virtual OID object_identifier() const
Definition pk_keys.cpp:22

Botan::BER_Decoder::Limits::DER
static Limits DER()
Definition ber_dec.h:35

Botan::BER_Decoder
Definition ber_dec.h:25

Botan::BER_Decoder::push_back
void push_back(const BER_Object &obj)
Definition ber_dec.cpp:500

Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition ber_dec.h:220

Botan::BER_Decoder::verify_end
BER_Decoder & verify_end()
Definition ber_dec.cpp:381

Botan::BER_Decoder::end_cons
BER_Decoder & end_cons()
Definition ber_dec.cpp:524

Botan::BER_Decoder::discard_remaining
BER_Decoder & discard_remaining()
Definition ber_dec.cpp:398

Botan::BER_Decoder::start_sequence
BER_Decoder start_sequence()
Definition ber_dec.h:160

Botan::BigInt
Definition bigint.h:26

Botan::DER_Encoder
Definition der_enc.h:25

Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition der_enc.h:67

Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition der_enc.cpp:173

Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition der_enc.cpp:245

Botan::Decoding_Error
Definition exceptn.h:192

Botan::EC_AffinePoint::xy_bytes
T xy_bytes() const
Definition ec_apoint.h:193

Botan::EC_Group::Mul2Table::mul2_vartime_x_mod_order_eq
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:873

Botan::EC_Group
Definition ec_group.h:69

Botan::EC_Group::get_p_bits
size_t get_p_bits() const
Definition ec_group.cpp:623

Botan::EC_Group::from_OID
static EC_Group from_OID(const OID &oid)
Definition ec_group.cpp:457

Botan::EC_Group::get_curve_oid
const OID & get_curve_oid() const
Definition ec_group.cpp:707

Botan::EC_Group::get_order_bytes
size_t get_order_bytes() const
Definition ec_group.cpp:635

Botan::EC_PrivateKey::EC_PrivateKey
EC_PrivateKey(const EC_PrivateKey &other)=default

Botan::EC_PublicKey::domain
const EC_Group & domain() const
Definition ecc_key.cpp:64

Botan::EC_PublicKey::m_public_key
std::shared_ptr< const EC_PublicKey_Data > m_public_key
Definition ecc_key.h:139

Botan::EC_PublicKey::_public_ec_point
const EC_AffinePoint & _public_ec_point() const
Definition ecc_key.cpp:76

Botan::EC_Scalar
Definition ec_scalar.h:28

Botan::EC_Scalar::one
static EC_Scalar one(const EC_Group &group)
Definition ec_scalar.cpp:65

Botan::EC_Scalar::from_bytes_mod_order
static EC_Scalar from_bytes_mod_order(const EC_Group &group, std::span< const uint8_t > bytes)
Definition ec_scalar.cpp:53

Botan::Encoding_Error
Definition exceptn.h:182

Botan::GOST_3410_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition gost_3410.cpp:269

Botan::GOST_3410_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition gost_3410.cpp:114

Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey
GOST_3410_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition gost_3410.h:90

Botan::GOST_3410_PublicKey::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const override
Definition gost_3410.cpp:62

Botan::GOST_3410_PublicKey::GOST_3410_PublicKey
GOST_3410_PublicKey()=default

Botan::GOST_3410_PublicKey::algo_name
std::string algo_name() const override
Definition gost_3410.cpp:52

Botan::GOST_3410_PublicKey::create_x509_verification_op
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
Definition gost_3410.cpp:260

Botan::GOST_3410_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition gost_3410.cpp:252

Botan::GOST_3410_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition gost_3410.cpp:248

Botan::GOST_3410_PublicKey::public_key_bits
std::vector< uint8_t > public_key_bits() const override
Definition gost_3410.cpp:36

Botan::GOST_3410_PublicKey::_signature_element_size_for_DER_encoding
std::optional< size_t > _signature_element_size_for_DER_encoding() const override
Definition gost_3410.cpp:32

Botan::OID
Definition asn1_obj.h:215

Botan::PK_Ops::Signature_with_Hash
Definition pk_ops_impl.h:85

Botan::Provider_Not_Found
Definition exceptn.h:263

Botan::RandomNumberGenerator
Definition rng.h:39

Botan::OCSP::Response_Status_Code::Internal_Error
@ Internal_Error
Definition ocsp.h:124

Botan
Definition alg_id.cpp:13

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::ASN1_Type::OctetString
@ OctetString
Definition asn1_obj.h:48