Botan 3.6.1
Crypto and TLS for C&
gost_3410.cpp
Go to the documentation of this file.
1/*
2* GOST 34.10-2012
3* (C) 2007 Falko Strenzke, FlexSecure GmbH
4* Manuel Hartl, FlexSecure GmbH
5* (C) 2008-2010,2015,2018,2024 Jack Lloyd
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/gost_3410.h>
11
12#include <botan/ber_dec.h>
13#include <botan/der_enc.h>
14#include <botan/internal/ec_key_data.h>
15#include <botan/internal/fmt.h>
16#include <botan/internal/pk_ops_impl.h>
17
18namespace Botan {
19
20std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const {
21 auto bits = public_point().xy_bytes();
22
23 const size_t part_size = bits.size() / 2;
24
25 // GOST keys are stored in little endian format (WTF)
26 for(size_t i = 0; i != part_size / 2; ++i) {
27 std::swap(bits[i], bits[part_size - 1 - i]);
28 std::swap(bits[part_size + i], bits[2 * part_size - 1 - i]);
29 }
30
31 std::vector<uint8_t> output;
32 DER_Encoder(output).encode(bits, ASN1_Type::OctetString);
33 return output;
34}
35
36std::string GOST_3410_PublicKey::algo_name() const {
37 const size_t p_bits = domain().get_p_bits();
38
39 if(p_bits == 256 || p_bits == 512) {
40 return fmt("GOST-34.10-2012-{}", p_bits);
41 } else {
42 throw Encoding_Error("GOST-34.10-2012 is not defined for parameters of this size");
43 }
44}
45
46AlgorithmIdentifier GOST_3410_PublicKey::algorithm_identifier() const {
47 std::vector<uint8_t> params;
48
49 const OID gost_oid = object_identifier();
50 const OID domain_oid = domain().get_curve_oid();
51
52 DER_Encoder(params).start_sequence().encode(domain_oid).end_cons();
53
54 return AlgorithmIdentifier(gost_oid, params);
55}
56
57GOST_3410_PublicKey::GOST_3410_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
58 OID ecc_param_id;
59
60 // The parameters also includes hash and cipher OIDs
61 BER_Decoder(alg_id.parameters()).start_sequence().decode(ecc_param_id);
62
63 auto group = EC_Group::from_OID(ecc_param_id);
64
65 const size_t p_bits = group.get_p_bits();
66 if(p_bits != 256 && p_bits != 512) {
67 throw Decoding_Error(fmt("GOST-34.10-2012 is not defined for parameters of size {}", p_bits));
68 }
69
70 std::vector<uint8_t> bits;
71 BER_Decoder(key_bits).decode(bits, ASN1_Type::OctetString);
72
73 if(bits.size() != 2 * (p_bits / 8)) {
74 throw Decoding_Error("GOST-34.10-2012 invalid encoding of public key");
75 }
76
77 const size_t part_size = bits.size() / 2;
78
79 // Keys are stored in little endian format (WTF)
80 std::vector<uint8_t> encoding;
81 encoding.reserve(bits.size() + 1);
82 encoding.push_back(0x04);
83 encoding.insert(encoding.end(), bits.rbegin() + part_size, bits.rend());
84 encoding.insert(encoding.end(), bits.rbegin(), bits.rend() - part_size);
85
86 m_public_key = std::make_shared<EC_PublicKey_Data>(std::move(group), encoding);
87}
88
89GOST_3410_PrivateKey::GOST_3410_PrivateKey(RandomNumberGenerator& rng, const EC_Group& domain, const BigInt& x) :
90 EC_PrivateKey(rng, domain, x) {
91 const size_t p_bits = domain.get_p_bits();
92 if(p_bits != 256 && p_bits != 512) {
93 throw Decoding_Error(fmt("GOST-34.10-2012 is not defined for parameters of size {}", p_bits));
94 }
95}
96
97std::unique_ptr<Public_Key> GOST_3410_PrivateKey::public_key() const {
98 return std::make_unique<GOST_3410_PublicKey>(domain(), public_point());
99}
100
101namespace {
102
103EC_Scalar gost_msg_to_scalar(const EC_Group& group, std::span<const uint8_t> msg) {
104 std::vector<uint8_t> rev_bytes(msg.rbegin(), msg.rend());
105
106 auto ie = EC_Scalar::from_bytes_mod_order(group, rev_bytes);
107 if(ie.is_zero()) {
108 return EC_Scalar::one(group);
109 } else {
110 return ie;
111 }
112}
113
114/**
115* GOST-34.10 signature operation
116*/
117class GOST_3410_Signature_Operation final : public PK_Ops::Signature_with_Hash {
118 public:
119 GOST_3410_Signature_Operation(const GOST_3410_PrivateKey& gost_3410, std::string_view emsa) :
120 PK_Ops::Signature_with_Hash(emsa), m_group(gost_3410.domain()), m_x(gost_3410._private_key()) {}
121
122 size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }
123
124 AlgorithmIdentifier algorithm_identifier() const override;
125
126 std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;
127
128 private:
129 const EC_Group m_group;
130 const EC_Scalar m_x;
131 std::vector<BigInt> m_ws;
132};
133
134AlgorithmIdentifier GOST_3410_Signature_Operation::algorithm_identifier() const {
135 const std::string hash_fn = hash_function();
136
137 const size_t p_bits = m_group.get_p_bits();
138
139 std::string oid_name;
140 if(hash_fn == "GOST-R-34.11-94") {
141 oid_name = "GOST-34.10/GOST-R-34.11-94";
142 } else if(hash_fn == "Streebog-256" && p_bits == 256) {
143 oid_name = "GOST-34.10-2012-256/Streebog-256";
144 } else if(hash_fn == "Streebog-512" && p_bits == 512) {
145 oid_name = "GOST-34.10-2012-512/Streebog-512";
146 } else if(hash_fn == "SHA-256" && p_bits == 256) {
147 oid_name = "GOST-34.10-2012-256/SHA-256";
148 }
149
150 if(oid_name.empty()) {
151 throw Not_Implemented("No encoding defined for GOST with " + hash_fn);
152 }
153
154 return AlgorithmIdentifier(oid_name, AlgorithmIdentifier::USE_EMPTY_PARAM);
155}
156
157std::vector<uint8_t> GOST_3410_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
158 const auto e = gost_msg_to_scalar(m_group, msg);
159
160 const auto k = EC_Scalar::random(m_group, rng);
161 const auto r = EC_Scalar::gk_x_mod_order(k, rng, m_ws);
162 const auto s = (r * m_x) + (k * e);
163
164 if(r.is_zero() || s.is_zero()) {
165 throw Internal_Error("GOST 34.10 signature generation failed, r/s equal to zero");
166 }
167
168 return EC_Scalar::serialize_pair(s, r);
169}
170
171std::string gost_hash_from_algid(const AlgorithmIdentifier& alg_id) {
172 if(!alg_id.parameters_are_empty()) {
173 throw Decoding_Error("Unexpected non-empty AlgorithmIdentifier parameters for GOST 34.10 signature");
174 }
175
176 const std::string oid_str = alg_id.oid().to_formatted_string();
177 if(oid_str == "GOST-34.10/GOST-R-34.11-94") {
178 return "GOST-R-34.11-94";
179 }
180 if(oid_str == "GOST-34.10-2012-256/Streebog-256") {
181 return "Streebog-256";
182 }
183 if(oid_str == "GOST-34.10-2012-512/Streebog-512") {
184 return "Streebog-512";
185 }
186 if(oid_str == "GOST-34.10-2012-256/SHA-256") {
187 return "SHA-256";
188 }
189
190 throw Decoding_Error(fmt("Unknown OID ({}) for GOST 34.10 signatures", alg_id.oid()));
191}
192
193/**
194* GOST-34.10 verification operation
195*/
196class GOST_3410_Verification_Operation final : public PK_Ops::Verification_with_Hash {
197 public:
198 GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, std::string_view padding) :
199 PK_Ops::Verification_with_Hash(padding), m_group(gost.domain()), m_gy_mul(gost._public_key()) {}
200
201 GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, const AlgorithmIdentifier& alg_id) :
202 PK_Ops::Verification_with_Hash(gost_hash_from_algid(alg_id)),
203 m_group(gost.domain()),
204 m_gy_mul(gost._public_key()) {}
205
206 bool verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) override;
207
208 private:
209 const EC_Group m_group;
210 const EC_Group::Mul2Table m_gy_mul;
211};
212
213bool GOST_3410_Verification_Operation::verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) {
214 if(auto sr = EC_Scalar::deserialize_pair(m_group, sig)) {
215 const auto& [s, r] = sr.value();
216
217 if(r.is_nonzero() && s.is_nonzero()) {
218 const auto e = gost_msg_to_scalar(m_group, msg);
219
220 const auto v = e.invert();
221
222 // Check if r == x_coord(g*v*s - y*v*r) % n
223 return m_gy_mul.mul2_vartime_x_mod_order_eq(r, v, s, r.negate());
224 }
225 }
226
227 return false;
228}
229
230} // namespace
231
232std::unique_ptr<Private_Key> GOST_3410_PublicKey::generate_another(RandomNumberGenerator& rng) const {
233 return std::make_unique<GOST_3410_PrivateKey>(rng, domain());
234}
235
236std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_verification_op(std::string_view params,
237 std::string_view provider) const {
238 if(provider == "base" || provider.empty()) {
239 return std::make_unique<GOST_3410_Verification_Operation>(*this, params);
240 }
241 throw Provider_Not_Found(algo_name(), provider);
242}
243
244std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_x509_verification_op(
245 const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
246 if(provider == "base" || provider.empty()) {
247 return std::make_unique<GOST_3410_Verification_Operation>(*this, signature_algorithm);
248 }
249
250 throw Provider_Not_Found(algo_name(), provider);
251}
252
253std::unique_ptr<PK_Ops::Signature> GOST_3410_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
254 std::string_view params,
255 std::string_view provider) const {
256 if(provider == "base" || provider.empty()) {
257 return std::make_unique<GOST_3410_Signature_Operation>(*this, params);
258 }
259 throw Provider_Not_Found(algo_name(), provider);
260}
261
262} // namespace Botan
Botan::AlgorithmIdentifier::parameters
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:466
Botan::Asymmetric_Key::object_identifier
virtual OID object_identifier() const
Definition pk_keys.cpp:22
Botan::BER_Decoder
Definition ber_dec.h:22
Botan::BER_Decoder::push_back
void push_back(const BER_Object &obj)
Definition ber_dec.cpp:286
Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition ber_dec.h:186
Botan::BER_Decoder::start_sequence
BER_Decoder start_sequence()
Definition ber_dec.h:123
Botan::DER_Encoder
Definition der_enc.h:22
Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition der_enc.h:64
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition der_enc.cpp:171
Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition der_enc.cpp:250
Botan::Decoding_Error
Definition exceptn.h:191
Botan::EC_Group::Mul2Table::mul2_vartime_x_mod_order_eq
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:652
Botan::EC_Group
Definition ec_group.h:51
Botan::EC_Group::get_p_bits
size_t get_p_bits() const
Definition ec_group.cpp:418
Botan::EC_Group::from_OID
static EC_Group from_OID(const OID &oid)
Definition ec_group.cpp:296
Botan::EC_Group::get_curve_oid
const OID & get_curve_oid() const
Definition ec_group.cpp:478
Botan::EC_Point::xy_bytes
secure_vector< uint8_t > xy_bytes() const
Definition ec_point.cpp:482
Botan::EC_PrivateKey
Definition ecc_key.h:144
Botan::EC_PublicKey::domain
const EC_Group & domain() const
Definition ecc_key.cpp:59
Botan::EC_PublicKey::m_public_key
std::shared_ptr< const EC_PublicKey_Data > m_public_key
Definition ecc_key.h:131
Botan::EC_PublicKey::public_point
const EC_Point & public_point() const
Definition ecc_key.cpp:64
Botan::EC_Scalar
Definition ec_scalar.h:28
Botan::EC_Scalar::one
static EC_Scalar one(const EC_Group &group)
Definition ec_scalar.cpp:61
Botan::EC_Scalar::from_bytes_mod_order
static EC_Scalar from_bytes_mod_order(const EC_Group &group, std::span< const uint8_t > bytes)
Definition ec_scalar.cpp:49
Botan::Encoding_Error
Definition exceptn.h:181
Botan::GOST_3410_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition gost_3410.cpp:253
Botan::GOST_3410_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition gost_3410.cpp:97
Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey
GOST_3410_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition gost_3410.h:82
Botan::GOST_3410_PublicKey::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const override
Definition gost_3410.cpp:46
Botan::GOST_3410_PublicKey::GOST_3410_PublicKey
GOST_3410_PublicKey()=default
Botan::GOST_3410_PublicKey::algo_name
std::string algo_name() const override
Definition gost_3410.cpp:36
Botan::GOST_3410_PublicKey::create_x509_verification_op
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
Definition gost_3410.cpp:244
Botan::GOST_3410_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition gost_3410.cpp:236
Botan::GOST_3410_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition gost_3410.cpp:232
Botan::GOST_3410_PublicKey::public_key_bits
std::vector< uint8_t > public_key_bits() const override
Definition gost_3410.cpp:20
Botan::Provider_Not_Found
Definition exceptn.h:262
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Generated by doxygen 1.12.0