Botan 2.19.1
Crypto and TLS for C&
iso9796.cpp
Go to the documentation of this file.
1/*
2 * ISO-9796-2 - Digital signature schemes giving message recovery schemes 2 and 3
3 * (C) 2016 Tobias Niemann, Hackmanit GmbH
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7
8#include <botan/iso9796.h>
9#include <botan/rng.h>
10#include <botan/exceptn.h>
11#include <botan/mgf1.h>
12#include <botan/hash_id.h>
13#include <botan/internal/bit_ops.h>
14#include <botan/internal/ct_utils.h>
15
16namespace Botan {
17
18namespace {
19
20secure_vector<uint8_t> iso9796_encoding(const secure_vector<uint8_t>& msg,
21 size_t output_bits,
22 std::unique_ptr<HashFunction>& hash,
23 size_t SALT_SIZE,
24 bool implicit,
25 RandomNumberGenerator& rng)
26 {
27 const size_t output_length = (output_bits + 7) / 8;
28
29 //set trailer length
30 size_t tLength = 1;
31 if(!implicit)
32 {
33 tLength = 2;
34 }
35 const size_t HASH_SIZE = hash->output_length();
36
37 if(output_length <= HASH_SIZE + SALT_SIZE + tLength)
38 {
39 throw Encoding_Error("ISO9796-2::encoding_of: Output length is too small");
40 }
41
42 //calculate message capacity
43 const size_t capacity = output_length - HASH_SIZE - SALT_SIZE - tLength - 1;
44
45 //msg1 is the recoverable and msg2 the unrecoverable message part.
46 secure_vector<uint8_t> msg1;
47 secure_vector<uint8_t> msg2;
48 if(msg.size() > capacity)
49 {
50 msg1 = secure_vector<uint8_t>(msg.begin(), msg.begin() + capacity);
51 msg2 = secure_vector<uint8_t>(msg.begin() + capacity, msg.end());
52 hash->update(msg2);
53 }
54 else
55 {
56 msg1 = msg;
57 }
58 msg2 = hash->final();
59
60 //compute H(C||msg1 ||H(msg2)||S)
61 const size_t msgLength = msg1.size();
62 secure_vector<uint8_t> salt = rng.random_vec(SALT_SIZE);
63 hash->update_be(static_cast<uint64_t>(msgLength) * 8);
64 hash->update(msg1);
65 hash->update(msg2);
66 hash->update(salt);
67 secure_vector<uint8_t> H = hash->final();
68
69 secure_vector<uint8_t> EM(output_length);
70
71 //compute message offset.
72 const size_t offset = output_length - HASH_SIZE - SALT_SIZE - tLength - msgLength - 1;
73
74 //insert message border (0x01), msg1 and salt into the output buffer
75 EM[offset] = 0x01;
76 buffer_insert(EM, offset + 1, msg1);
77 buffer_insert(EM, offset + 1 + msgLength, salt);
78
79 //apply mask
80 mgf1_mask(*hash, H.data(), HASH_SIZE, EM.data(),
81 output_length - HASH_SIZE - tLength);
82 buffer_insert(EM, output_length - HASH_SIZE - tLength, H);
83 //set implicit/ISO trailer
84 if(!implicit)
85 {
86 uint8_t hash_id = ieee1363_hash_id(hash->name());
87 if(!hash_id)
88 {
89 throw Encoding_Error("ISO9796-2::encoding_of: no hash identifier for " + hash->name());
90 }
91 EM[output_length - 1] = 0xCC;
92 EM[output_length - 2] = hash_id;
93
94 }
95 else
96 {
97 EM[output_length - 1] = 0xBC;
98 }
99 //clear the leftmost bit (confer bouncy castle)
100 EM[0] &= 0x7F;
101
102 return EM;
103 }
104
105bool iso9796_verification(const secure_vector<uint8_t>& const_coded,
106 const secure_vector<uint8_t>& raw, size_t key_bits, std::unique_ptr<HashFunction>& hash, size_t SALT_SIZE)
107 {
108 const size_t HASH_SIZE = hash->output_length();
109 const size_t KEY_BYTES = (key_bits + 7) / 8;
110
111 if(const_coded.size() != KEY_BYTES)
112 {
113 return false;
114 }
115 //get trailer length
116 size_t tLength;
117 if(const_coded[const_coded.size() - 1] == 0xBC)
118 {
119 tLength = 1;
120 }
121 else
122 {
123 uint8_t hash_id = ieee1363_hash_id(hash->name());
124 if((!const_coded[const_coded.size() - 2]) || (const_coded[const_coded.size() - 2] != hash_id) ||
125 (const_coded[const_coded.size() - 1] != 0xCC))
126 {
127 return false; //in case of wrong ISO trailer.
128 }
129 tLength = 2;
130 }
131
132 secure_vector<uint8_t> coded = const_coded;
133
134 CT::poison(coded.data(), coded.size());
135 //remove mask
136 uint8_t* DB = coded.data();
137 const size_t DB_size = coded.size() - HASH_SIZE - tLength;
138
139 const uint8_t* H = &coded[DB_size];
140
141 mgf1_mask(*hash, H, HASH_SIZE, DB, DB_size);
142 //clear the leftmost bit (confer bouncy castle)
143 DB[0] &= 0x7F;
144
145 //recover msg1 and salt
146 size_t msg1_offset = 1;
147
148 auto waiting_for_delim = CT::Mask<uint8_t>::set();
149 auto bad_input = CT::Mask<uint8_t>::cleared();
150
151 for(size_t j = 0; j < DB_size; ++j)
152 {
153 const auto is_zero = CT::Mask<uint8_t>::is_zero(DB[j]);
154 const auto is_one = CT::Mask<uint8_t>::is_equal(DB[j], 0x01);
155
156 const auto add_m = waiting_for_delim & is_zero;
157
158 bad_input |= waiting_for_delim & ~(is_zero | is_one);
159 msg1_offset += add_m.if_set_return(1);
160
161 waiting_for_delim &= is_zero;
162 }
163
164 //invalid, if delimiter 0x01 was not found or msg1_offset is too big
165 bad_input |= waiting_for_delim;
166 bad_input |= CT::Mask<size_t>::is_lt(coded.size(), tLength + HASH_SIZE + msg1_offset + SALT_SIZE);
167
168 //in case that msg1_offset is too big, just continue with offset = 0.
169 msg1_offset = CT::Mask<size_t>::expand(bad_input.value()).if_not_set_return(msg1_offset);
170
171 CT::unpoison(coded.data(), coded.size());
172 CT::unpoison(msg1_offset);
173
174 secure_vector<uint8_t> msg1(coded.begin() + msg1_offset,
175 coded.end() - tLength - HASH_SIZE - SALT_SIZE);
176 secure_vector<uint8_t> salt(coded.begin() + msg1_offset + msg1.size(),
177 coded.end() - tLength - HASH_SIZE);
178
179 //compute H2(C||msg1||H(msg2)||S*). * indicates a recovered value
180 const size_t capacity = (key_bits - 2 + 7) / 8 - HASH_SIZE - SALT_SIZE - tLength - 1;
181 secure_vector<uint8_t> msg1raw;
182 secure_vector<uint8_t> msg2;
183 if(raw.size() > capacity)
184 {
185 msg1raw = secure_vector<uint8_t> (raw.begin(), raw.begin() + capacity);
186 msg2 = secure_vector<uint8_t> (raw.begin() + capacity, raw.end());
187 hash->update(msg2);
188 }
189 else
190 {
191 msg1raw = raw;
192 }
193 msg2 = hash->final();
194
195 const uint64_t msg1rawLength = msg1raw.size();
196 hash->update_be(msg1rawLength * 8);
197 hash->update(msg1raw);
198 hash->update(msg2);
199 hash->update(salt);
200 secure_vector<uint8_t> H3 = hash->final();
201
202 //compute H3(C*||msg1*||H(msg2)||S*) * indicates a recovered value
203 const uint64_t msgLength = msg1.size();
204 hash->update_be(msgLength * 8);
205 hash->update(msg1);
206 hash->update(msg2);
207 hash->update(salt);
208 secure_vector<uint8_t> H2 = hash->final();
209
210 //check if H3 == H2
211 bad_input |= CT::Mask<uint8_t>::is_zero(ct_compare_u8(H3.data(), H2.data(), HASH_SIZE));
212
213 CT::unpoison(bad_input);
214 return (bad_input.is_set() == false);
215 }
216
217}
218
220 {
221 return new ISO_9796_DS2(m_hash->clone(), m_implicit, m_SALT_SIZE);
222 }
223
224/*
225 * ISO-9796-2 signature scheme 2
226 * DS 2 is probabilistic
227 */
228void ISO_9796_DS2::update(const uint8_t input[], size_t length)
229 {
230 //need to buffer message completely, before digest
231 m_msg_buffer.insert(m_msg_buffer.end(), input, input+length);
232 }
233
234/*
235 * Return the raw (unencoded) data
236 */
237secure_vector<uint8_t> ISO_9796_DS2::raw_data()
238 {
239 secure_vector<uint8_t> retbuffer = m_msg_buffer;
240 m_msg_buffer.clear();
241 return retbuffer;
242 }
243
244/*
245 * ISO-9796-2 scheme 2 encode operation
246 */
247secure_vector<uint8_t> ISO_9796_DS2::encoding_of(const secure_vector<uint8_t>& msg,
248 size_t output_bits,
249 RandomNumberGenerator& rng)
250 {
251 return iso9796_encoding(msg, output_bits, m_hash, m_SALT_SIZE, m_implicit, rng);
252 }
253
254/*
255 * ISO-9796-2 scheme 2 verify operation
256 */
257bool ISO_9796_DS2::verify(const secure_vector<uint8_t>& const_coded,
258 const secure_vector<uint8_t>& raw, size_t key_bits)
259 {
260 return iso9796_verification(const_coded, raw, key_bits, m_hash, m_SALT_SIZE);
261 }
262
263/*
264 * Return the SCAN name
265 */
266std::string ISO_9796_DS2::name() const
267 {
268 return "ISO_9796_DS2(" + m_hash->name() + ","
269 + (m_implicit ? "imp" : "exp") + "," + std::to_string(m_SALT_SIZE) + ")";
270 }
271
273 {
274 return new ISO_9796_DS3(m_hash->clone(), m_implicit);
275 }
276
277/*
278 * ISO-9796-2 signature scheme 3
279 * DS 3 is deterministic and equals DS2 without salt
280 */
281void ISO_9796_DS3::update(const uint8_t input[], size_t length)
282 {
283 //need to buffer message completely, before digest
284 m_msg_buffer.insert(m_msg_buffer.end(), input, input+length);
285 }
286
287/*
288 * Return the raw (unencoded) data
289 */
290secure_vector<uint8_t> ISO_9796_DS3::raw_data()
291 {
292 secure_vector<uint8_t> retbuffer = m_msg_buffer;
293 m_msg_buffer.clear();
294 return retbuffer;
295 }
296
297/*
298 * ISO-9796-2 scheme 3 encode operation
299 */
300secure_vector<uint8_t> ISO_9796_DS3::encoding_of(const secure_vector<uint8_t>& msg,
301 size_t output_bits, RandomNumberGenerator& rng)
302 {
303 return iso9796_encoding(msg, output_bits, m_hash, 0, m_implicit, rng);
304 }
305
306/*
307 * ISO-9796-2 scheme 3 verify operation
308 */
309bool ISO_9796_DS3::verify(const secure_vector<uint8_t>& const_coded,
310 const secure_vector<uint8_t>& raw, size_t key_bits)
311 {
312 return iso9796_verification(const_coded, raw, key_bits, m_hash, 0);
313 }
314/*
315 * Return the SCAN name
316 */
317std::string ISO_9796_DS3::name() const
318 {
319 return "ISO_9796_DS3(" + m_hash->name() + "," +
320 (m_implicit ? "imp" : "exp") + ")";
321 }
322}
static Mask< T > is_equal(T x, T y)
Definition: ct_utils.h:149
static Mask< T > is_zero(T x)
Definition: ct_utils.h:141
static Mask< T > expand(T v)
Definition: ct_utils.h:123
static Mask< T > set()
Definition: ct_utils.h:107
static Mask< T > is_lt(T x, T y)
Definition: ct_utils.h:157
static Mask< T > cleared()
Definition: ct_utils.h:115
ISO_9796_DS2(HashFunction *hash, bool implicit=false)
Definition: iso9796.h:28
EMSA * clone() override
Definition: iso9796.cpp:219
std::string name() const override
Definition: iso9796.cpp:266
EMSA * clone() override
Definition: iso9796.cpp:272
ISO_9796_DS3(HashFunction *hash, bool implicit=false)
Definition: iso9796.h:71
std::string name() const override
Definition: iso9796.cpp:317
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
void poison(const T *p, size_t n)
Definition: ct_utils.h:48
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
Definition: alg_id.cpp:13
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
Definition: mgf1.cpp:14
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
Definition: mem_ops.h:228
uint8_t ct_compare_u8(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.cpp:56
uint8_t ieee1363_hash_id(const std::string &name)
Definition: hash_id.cpp:146
MechanismType hash