Botan 3.9.0
Crypto and TLS for C&
gost_3410.cpp
Go to the documentation of this file.
1/*
2* GOST 34.10-2012
3* (C) 2007 Falko Strenzke, FlexSecure GmbH
4* Manuel Hartl, FlexSecure GmbH
5* (C) 2008-2010,2015,2018,2024 Jack Lloyd
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/gost_3410.h>
11
12#include <botan/ber_dec.h>
13#include <botan/der_enc.h>
14#include <botan/internal/ec_key_data.h>
15#include <botan/internal/fmt.h>
16#include <botan/internal/pk_ops_impl.h>
17
18namespace Botan {
19
20namespace {
21
22EC_Group check_domain(EC_Group domain) {
23 const size_t p_bits = domain.get_p_bits();
24 if(p_bits != 256 && p_bits != 512) {
25 throw Decoding_Error(fmt("GOST-34.10-2012 is not defined for parameters of size {}", p_bits));
26 }
27 return domain;
28}
29
30} // namespace
31
32std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const {
33 auto bits = _public_ec_point().xy_bytes();
34
35 const size_t part_size = bits.size() / 2;
36
37 // GOST keys are stored in little endian format (WTF)
38 for(size_t i = 0; i != part_size / 2; ++i) {
39 std::swap(bits[i], bits[part_size - 1 - i]);
40 std::swap(bits[part_size + i], bits[2 * part_size - 1 - i]);
41 }
42
43 std::vector<uint8_t> output;
45 return output;
46}
47
48std::string GOST_3410_PublicKey::algo_name() const {
49 const size_t p_bits = domain().get_p_bits();
50
51 if(p_bits == 256 || p_bits == 512) {
52 return fmt("GOST-34.10-2012-{}", p_bits);
53 } else {
54 throw Encoding_Error("GOST-34.10-2012 is not defined for parameters of this size");
55 }
56}
57
59 std::vector<uint8_t> params;
60
61 const OID gost_oid = object_identifier();
62 const OID domain_oid = domain().get_curve_oid();
63
64 DER_Encoder(params).start_sequence().encode(domain_oid).end_cons();
65
66 return AlgorithmIdentifier(gost_oid, params);
67}
68
69GOST_3410_PublicKey::GOST_3410_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
70 OID ecc_param_id;
71
72 // The parameters also includes hash and cipher OIDs
73 BER_Decoder(alg_id.parameters()).start_sequence().decode(ecc_param_id);
74
75 auto group = check_domain(EC_Group::from_OID(ecc_param_id));
76
77 std::vector<uint8_t> bits;
79
80 if(bits.size() != 2 * (group.get_p_bits() / 8)) {
81 throw Decoding_Error("GOST-34.10-2012 invalid encoding of public key");
82 }
83
84 const size_t part_size = bits.size() / 2;
85
86 // Keys are stored in little endian format (WTF)
87 std::vector<uint8_t> encoding;
88 encoding.reserve(bits.size() + 1);
89 encoding.push_back(0x04);
90 encoding.insert(encoding.end(), bits.rbegin() + part_size, bits.rend());
91 encoding.insert(encoding.end(), bits.rbegin(), bits.rend() - part_size);
92
93 m_public_key = std::make_shared<EC_PublicKey_Data>(std::move(group), encoding);
94}
95
97 EC_PrivateKey(check_domain(domain), EC_Scalar::from_bigint(domain, x)) {}
98
101
104
105std::unique_ptr<Public_Key> GOST_3410_PrivateKey::public_key() const {
106 return std::make_unique<GOST_3410_PublicKey>(domain(), _public_ec_point());
107}
108
109namespace {
110
111EC_Scalar gost_msg_to_scalar(const EC_Group& group, std::span<const uint8_t> msg) {
112 std::vector<uint8_t> rev_bytes(msg.rbegin(), msg.rend());
113
114 auto ie = EC_Scalar::from_bytes_mod_order(group, rev_bytes);
115 if(ie.is_zero()) {
116 return EC_Scalar::one(group);
117 } else {
118 return ie;
119 }
120}
121
122/**
123* GOST-34.10 signature operation
124*/
125class GOST_3410_Signature_Operation final : public PK_Ops::Signature_with_Hash {
126 public:
127 GOST_3410_Signature_Operation(const GOST_3410_PrivateKey& gost_3410, std::string_view hash_fn) :
128 PK_Ops::Signature_with_Hash(hash_fn), m_group(gost_3410.domain()), m_x(gost_3410._private_key()) {}
129
130 size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }
131
132 AlgorithmIdentifier algorithm_identifier() const override;
133
134 std::vector<uint8_t> raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) override;
135
136 private:
137 const EC_Group m_group;
138 const EC_Scalar m_x;
139};
140
141AlgorithmIdentifier GOST_3410_Signature_Operation::algorithm_identifier() const {
142 const std::string hash_fn = hash_function();
143
144 const size_t p_bits = m_group.get_p_bits();
145
146 std::string oid_name;
147 if(hash_fn == "GOST-R-34.11-94") {
148 oid_name = "GOST-34.10/GOST-R-34.11-94";
149 } else if(hash_fn == "Streebog-256" && p_bits == 256) {
150 oid_name = "GOST-34.10-2012-256/Streebog-256";
151 } else if(hash_fn == "Streebog-512" && p_bits == 512) {
152 oid_name = "GOST-34.10-2012-512/Streebog-512";
153 } else if(hash_fn == "SHA-256" && p_bits == 256) {
154 oid_name = "GOST-34.10-2012-256/SHA-256";
155 }
156
157 if(oid_name.empty()) {
158 throw Not_Implemented("No encoding defined for GOST with " + hash_fn);
159 }
160
161 return AlgorithmIdentifier(oid_name, AlgorithmIdentifier::USE_EMPTY_PARAM);
162}
163
164std::vector<uint8_t> GOST_3410_Signature_Operation::raw_sign(std::span<const uint8_t> msg, RandomNumberGenerator& rng) {
165 const auto e = gost_msg_to_scalar(m_group, msg);
166
167 const auto k = EC_Scalar::random(m_group, rng);
168 const auto r = EC_Scalar::gk_x_mod_order(k, rng);
169 const auto s = (r * m_x) + (k * e);
170
171 if(r.is_zero() || s.is_zero()) {
172 throw Internal_Error("GOST 34.10 signature generation failed, r/s equal to zero");
173 }
174
175 return EC_Scalar::serialize_pair(s, r);
176}
177
178std::string gost_hash_from_algid(const AlgorithmIdentifier& alg_id) {
179 if(!alg_id.parameters_are_empty()) {
180 throw Decoding_Error("Unexpected non-empty AlgorithmIdentifier parameters for GOST 34.10 signature");
181 }
182
183 const std::string oid_str = alg_id.oid().to_formatted_string();
184 if(oid_str == "GOST-34.10/GOST-R-34.11-94") {
185 return "GOST-R-34.11-94";
186 }
187 if(oid_str == "GOST-34.10-2012-256/Streebog-256") {
188 return "Streebog-256";
189 }
190 if(oid_str == "GOST-34.10-2012-512/Streebog-512") {
191 return "Streebog-512";
192 }
193 if(oid_str == "GOST-34.10-2012-256/SHA-256") {
194 return "SHA-256";
195 }
196
197 throw Decoding_Error(fmt("Unknown OID ({}) for GOST 34.10 signatures", alg_id.oid()));
198}
199
200/**
201* GOST-34.10 verification operation
202*/
203class GOST_3410_Verification_Operation final : public PK_Ops::Verification_with_Hash {
204 public:
205 GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, std::string_view padding) :
206 PK_Ops::Verification_with_Hash(padding), m_group(gost.domain()), m_gy_mul(gost._public_ec_point()) {}
207
208 GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost, const AlgorithmIdentifier& alg_id) :
209 PK_Ops::Verification_with_Hash(gost_hash_from_algid(alg_id)),
210 m_group(gost.domain()),
211 m_gy_mul(gost._public_ec_point()) {}
212
213 bool verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) override;
214
215 private:
216 const EC_Group m_group;
217 const EC_Group::Mul2Table m_gy_mul;
218};
219
220bool GOST_3410_Verification_Operation::verify(std::span<const uint8_t> msg, std::span<const uint8_t> sig) {
221 if(auto sr = EC_Scalar::deserialize_pair(m_group, sig)) {
222 const auto& [s, r] = sr.value();
223
224 if(r.is_nonzero() && s.is_nonzero()) {
225 const auto e = gost_msg_to_scalar(m_group, msg);
226
227 const auto v = e.invert_vartime();
228
229 // Check if r == x_coord(g*v*s - y*v*r) % n
230 return m_gy_mul.mul2_vartime_x_mod_order_eq(r, v, s, r.negate());
231 }
232 }
233
234 return false;
235}
236
237} // namespace
238
239std::unique_ptr<Private_Key> GOST_3410_PublicKey::generate_another(RandomNumberGenerator& rng) const {
240 return std::make_unique<GOST_3410_PrivateKey>(rng, domain());
241}
242
243std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_verification_op(std::string_view params,
244 std::string_view provider) const {
245 if(provider == "base" || provider.empty()) {
246 return std::make_unique<GOST_3410_Verification_Operation>(*this, params);
247 }
248 throw Provider_Not_Found(algo_name(), provider);
249}
250
251std::unique_ptr<PK_Ops::Verification> GOST_3410_PublicKey::create_x509_verification_op(
252 const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
253 if(provider == "base" || provider.empty()) {
254 return std::make_unique<GOST_3410_Verification_Operation>(*this, signature_algorithm);
255 }
256
257 throw Provider_Not_Found(algo_name(), provider);
258}
259
260std::unique_ptr<PK_Ops::Signature> GOST_3410_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
261 std::string_view params,
262 std::string_view provider) const {
263 if(provider == "base" || provider.empty()) {
264 return std::make_unique<GOST_3410_Signature_Operation>(*this, params);
265 }
266 throw Provider_Not_Found(algo_name(), provider);
267}
268
269} // namespace Botan
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:481
virtual OID object_identifier() const
Definition pk_keys.cpp:22
void push_back(const BER_Object &obj)
Definition ber_dec.cpp:289
BER_Decoder & decode(bool &out)
Definition ber_dec.h:188
BER_Decoder start_sequence()
Definition ber_dec.h:125
DER_Encoder & start_sequence()
Definition der_enc.h:65
DER_Encoder & end_cons()
Definition der_enc.cpp:173
DER_Encoder & encode(bool b)
Definition der_enc.cpp:252
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:784
size_t get_p_bits() const
Definition ec_group.cpp:534
static EC_Group from_OID(const OID &oid)
Definition ec_group.cpp:373
const OID & get_curve_oid() const
Definition ec_group.cpp:618
EC_PrivateKey(const EC_PrivateKey &other)=default
const EC_Group & domain() const
Definition ecc_key.cpp:64
std::shared_ptr< const EC_PublicKey_Data > m_public_key
Definition ecc_key.h:135
const EC_AffinePoint & _public_ec_point() const
Definition ecc_key.cpp:76
static EC_Scalar one(const EC_Group &group)
Definition ec_scalar.cpp:65
static EC_Scalar from_bytes_mod_order(const EC_Group &group, std::span< const uint8_t > bytes)
Definition ec_scalar.cpp:53
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
std::unique_ptr< Public_Key > public_key() const override
GOST_3410_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition gost_3410.h:92
AlgorithmIdentifier algorithm_identifier() const override
Definition gost_3410.cpp:58
std::string algo_name() const override
Definition gost_3410.cpp:48
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &signature_algorithm, std::string_view provider) const override
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
std::vector< uint8_t > public_key_bits() const override
Definition gost_3410.cpp:32
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53