Botan  2.7.0
Crypto and TLS for C++11
gost_3410.cpp
Go to the documentation of this file.
1 /*
2 * GOST 34.10-2001 implemenation
3 * (C) 2007 Falko Strenzke, FlexSecure GmbH
4 * Manuel Hartl, FlexSecure GmbH
5 * (C) 2008-2010,2015,2018 Jack Lloyd
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/gost_3410.h>
11 #include <botan/internal/pk_ops_impl.h>
12 #include <botan/internal/point_mul.h>
13 #include <botan/reducer.h>
14 #include <botan/der_enc.h>
15 #include <botan/ber_dec.h>
16 
17 namespace Botan {
18 
19 std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const
20  {
21  const BigInt x = public_point().get_affine_x();
22  const BigInt y = public_point().get_affine_y();
23 
24  size_t part_size = std::max(x.bytes(), y.bytes());
25 
26  std::vector<uint8_t> bits(2*part_size);
27 
28  x.binary_encode(&bits[part_size - x.bytes()]);
29  y.binary_encode(&bits[2*part_size - y.bytes()]);
30 
31  // Keys are stored in little endian format (WTF)
32  for(size_t i = 0; i != part_size / 2; ++i)
33  {
34  std::swap(bits[i], bits[part_size-1-i]);
35  std::swap(bits[part_size+i], bits[2*part_size-1-i]);
36  }
37 
38  std::vector<uint8_t> output;
39  DER_Encoder(output).encode(bits, OCTET_STRING);
40  return output;
41  }
42 
44  {
45  std::vector<uint8_t> params;
46 
47  DER_Encoder(params)
49  .encode(domain().get_curve_oid())
50  .end_cons();
51 
52  return AlgorithmIdentifier(get_oid(), params);
53  }
54 
56  const std::vector<uint8_t>& key_bits)
57  {
58  OID ecc_param_id;
59 
60  // The parameters also includes hash and cipher OIDs
61  BER_Decoder(alg_id.get_parameters()).start_cons(SEQUENCE).decode(ecc_param_id);
62 
63  m_domain_params = EC_Group(ecc_param_id);
64 
66  BER_Decoder(key_bits).decode(bits, OCTET_STRING);
67 
68  const size_t part_size = bits.size() / 2;
69 
70  // Keys are stored in little endian format (WTF)
71  for(size_t i = 0; i != part_size / 2; ++i)
72  {
73  std::swap(bits[i], bits[part_size-1-i]);
74  std::swap(bits[part_size+i], bits[2*part_size-1-i]);
75  }
76 
77  BigInt x(bits.data(), part_size);
78  BigInt y(&bits[part_size], part_size);
79 
80  m_public_key = domain().point(x, y);
81 
83  "Loaded GOST 34.10 public key is on the curve");
84  }
85 
86 namespace {
87 
88 BigInt decode_le(const uint8_t msg[], size_t msg_len)
89  {
90  secure_vector<uint8_t> msg_le(msg, msg + msg_len);
91 
92  for(size_t i = 0; i != msg_le.size() / 2; ++i)
93  std::swap(msg_le[i], msg_le[msg_le.size()-1-i]);
94 
95  return BigInt(msg_le.data(), msg_le.size());
96  }
97 
98 /**
99 * GOST-34.10 signature operation
100 */
101 class GOST_3410_Signature_Operation final : public PK_Ops::Signature_with_EMSA
102  {
103  public:
104  GOST_3410_Signature_Operation(const GOST_3410_PrivateKey& gost_3410,
105  const std::string& emsa) :
106  PK_Ops::Signature_with_EMSA(emsa),
107  m_group(gost_3410.domain()),
108  m_x(gost_3410.private_value())
109  {}
110 
111  size_t max_input_bits() const override { return m_group.get_order_bits(); }
112 
113  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
114  RandomNumberGenerator& rng) override;
115 
116  private:
117  const EC_Group m_group;
118  const BigInt& m_x;
119  std::vector<BigInt> m_ws;
120  };
121 
122 secure_vector<uint8_t>
123 GOST_3410_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
124  RandomNumberGenerator& rng)
125  {
126  const BigInt k = m_group.random_scalar(rng);
127 
128  BigInt e = decode_le(msg, msg_len);
129 
130  e = m_group.mod_order(e);
131  if(e == 0)
132  e = 1;
133 
134  const BigInt r = m_group.mod_order(
135  m_group.blinded_base_point_multiply_x(k, rng, m_ws));
136 
137  const BigInt s = m_group.mod_order(
138  m_group.multiply_mod_order(r, m_x) +
139  m_group.multiply_mod_order(k, e));
140 
141  if(r == 0 || s == 0)
142  throw Internal_Error("GOST 34.10 signature generation failed, r/s equal to zero");
143 
144  return BigInt::encode_fixed_length_int_pair(s, r, m_group.get_order_bytes());
145  }
146 
147 /**
148 * GOST-34.10 verification operation
149 */
150 class GOST_3410_Verification_Operation final : public PK_Ops::Verification_with_EMSA
151  {
152  public:
153 
154  GOST_3410_Verification_Operation(const GOST_3410_PublicKey& gost,
155  const std::string& emsa) :
156  PK_Ops::Verification_with_EMSA(emsa),
157  m_group(gost.domain()),
158  m_gy_mul(m_group.get_base_point(), gost.public_point())
159  {}
160 
161  size_t max_input_bits() const override { return m_group.get_order_bits(); }
162 
163  bool with_recovery() const override { return false; }
164 
165  bool verify(const uint8_t msg[], size_t msg_len,
166  const uint8_t sig[], size_t sig_len) override;
167  private:
168  const EC_Group m_group;
169  const PointGFp_Multi_Point_Precompute m_gy_mul;
170  };
171 
172 bool GOST_3410_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
173  const uint8_t sig[], size_t sig_len)
174  {
175  if(sig_len != m_group.get_order_bytes() * 2)
176  return false;
177 
178  const BigInt s(sig, sig_len / 2);
179  const BigInt r(sig + sig_len / 2, sig_len / 2);
180 
181  const BigInt& order = m_group.get_order();
182 
183  if(r <= 0 || r >= order || s <= 0 || s >= order)
184  return false;
185 
186  BigInt e = decode_le(msg, msg_len);
187  e = m_group.mod_order(e);
188  if(e == 0)
189  e = 1;
190 
191  const BigInt v = m_group.inverse_mod_order(e);
192 
193  const BigInt z1 = m_group.multiply_mod_order(s, v);
194  const BigInt z2 = m_group.multiply_mod_order(-r, v);
195 
196  const PointGFp R = m_gy_mul.multi_exp(z1, z2);
197 
198  if(R.is_zero())
199  return false;
200 
201  return (R.get_affine_x() == r);
202  }
203 
204 }
205 
206 std::unique_ptr<PK_Ops::Verification>
208  const std::string& provider) const
209  {
210  if(provider == "base" || provider.empty())
211  return std::unique_ptr<PK_Ops::Verification>(new GOST_3410_Verification_Operation(*this, params));
212  throw Provider_Not_Found(algo_name(), provider);
213  }
214 
215 std::unique_ptr<PK_Ops::Signature>
217  const std::string& params,
218  const std::string& provider) const
219  {
220  if(provider == "base" || provider.empty())
221  return std::unique_ptr<PK_Ops::Signature>(new GOST_3410_Signature_Operation(*this, params));
222  throw Provider_Not_Found(algo_name(), provider);
223  }
224 
225 }
PointGFp point(const BigInt &x, const BigInt &y) const
Definition: ec_group.cpp:555
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:341
const PointGFp & public_point() const
Definition: ecc_key.h:57
PointGFp m_public_key
Definition: ecc_key.h:115
void binary_encode(uint8_t buf[]) const
Definition: bigint.cpp:316
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
BigInt get_affine_x() const
Definition: point_gfp.cpp:501
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: gost_3410.cpp:216
BigInt get_affine_y() const
Definition: point_gfp.cpp:520
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:43
std::vector< uint8_t > public_key_bits() const override
Definition: gost_3410.cpp:19
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
virtual OID get_oid() const
Definition: pk_keys.cpp:53
const EC_Group & domain() const
Definition: ecc_key.h:72
Definition: alg_id.cpp:13
size_t bytes() const
Definition: bigint.cpp:220
const std::vector< uint8_t > & get_parameters() const
Definition: alg_id.h:38
bool on_the_curve() const
Definition: point_gfp.cpp:540
std::string algo_name() const override
Definition: gost_3410.h:45
AlgorithmIdentifier algorithm_identifier() const override
Definition: gost_3410.cpp:43
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: gost_3410.cpp:207
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:103
EC_Group m_domain_params
Definition: ecc_key.h:114