doxygen/iso9796_8cpp_source.html

/*

 * ISO-9796-2 - Digital signature schemes giving message recovery schemes 2 and 3

 * (C) 2016 Tobias Niemann, Hackmanit GmbH

 *     2025 Jack Lloyd

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */


#include <botan/internal/iso9796.h>


#include <botan/exceptn.h>

#include <botan/hash.h>

#include <botan/rng.h>

#include <botan/internal/ct_utils.h>

#include <botan/internal/fmt.h>

#include <botan/internal/hash_id.h>

#include <botan/internal/mgf1.h>


namespace Botan {


namespace {


std::vector<uint8_t> iso9796_hash(HashFunction& hash,

                                  std::span<const uint8_t> msg1,

                                  std::span<const uint8_t> hmsg2,

                                  std::span<const uint8_t> salt) {

   // Compute H(C || msg1 || H(msg2) || S) as described in the ISO text

   hash.update_be(static_cast<uint64_t>(msg1.size()) * 8);

   hash.update(msg1);

   hash.update(hmsg2);

   hash.update(salt);

   return hash.final_stdvec();

}


std::vector<uint8_t> iso9796_encoding(std::span<const uint8_t> msg,

                                      size_t output_bits,

                                      std::unique_ptr<HashFunction>& hash,

                                      size_t salt_len,

                                      bool implicit,

                                      RandomNumberGenerator& rng) {

   const size_t output_length = (output_bits + 7) / 8;


   //set trailer length

   const size_t trailer_len = (implicit) ? 1 : 2;


   const size_t hash_len = hash->output_length();


   if(output_length <= hash_len + salt_len + trailer_len) {

      throw Encoding_Error("ISO9796-2::encoding_of: Output length is too small");

   }


   //calculate message capacity

   const size_t capacity = output_length - hash_len - salt_len - trailer_len - 1;


   // msg1 is the recoverable part and hmsg2 is the hash of the unrecoverable message part.

   const size_t msg1_len = std::min(capacity, msg.size());

   const auto msg1 = msg.first(msg1_len);    // the first capacity bytes

   const auto msg2 = msg.subspan(msg1_len);  // the rest; possibly empty


   const auto hmsg2 = hash->process<std::vector<uint8_t>>(msg2);

   const auto salt = rng.random_vec<std::vector<uint8_t>>(salt_len);


   const auto H = iso9796_hash(*hash, msg1, hmsg2, salt);


   std::vector<uint8_t> EM(output_length);


   BufferStuffer stuffer(EM);

   stuffer.append(0x00, stuffer.remaining_capacity() - (hash_len + salt_len + trailer_len + msg1_len + 1));

   stuffer.append(0x01);

   stuffer.append(msg1);

   stuffer.append(salt);


   //apply mask

   const size_t mgf1_bytes = EM.size() - hash_len - trailer_len;

   mgf1_mask(*hash, H, std::span{EM}.first(mgf1_bytes));


   //clear the leftmost bit (confer bouncy castle)

   EM[0] &= 0x7F;


   stuffer.append(H);


   // set implicit/ISO trailer


   if(implicit) {

      stuffer.append(0xBC);

   } else {

      const uint8_t hash_id = ieee1363_hash_id(hash->name());

      if(hash_id == 0) {

         throw Encoding_Error("ISO-9796: no hash identifier for " + hash->name());

      }

      stuffer.append(hash_id);

      stuffer.append(0xCC);

   }


   BOTAN_ASSERT_NOMSG(stuffer.full());


   return EM;

}


bool iso9796_verification(std::span<const uint8_t> repr,

                          std::span<const uint8_t> raw,

                          size_t key_bits,

                          std::unique_ptr<HashFunction>& hash,

                          size_t salt_len) {

   if(repr.size() != (key_bits + 7) / 8) {

      return false;

   }

   //get trailer length


   const uint8_t last = repr[repr.size() - 1];


   if(last != 0xBC && last != 0xCC) {

      return false;

   }


   const size_t trailer_len = last == 0xBC ? 1 : 2;


   if(trailer_len == 2) {

      uint8_t hash_id = ieee1363_hash_id(hash->name());

      if(hash_id == 0) {

         throw Decoding_Error("ISO-9796: no hash identifier for " + hash->name());

      }


      const uint8_t trailer_0 = repr[repr.size() - 2];

      const uint8_t trailer_1 = repr[repr.size() - 1];


      if(trailer_0 != hash_id || trailer_1 != 0xCC) {

         return false;

      }

   }


   const size_t hash_len = hash->output_length();


   if(repr.size() < hash_len + trailer_len + salt_len) {

      return false;

   }


   std::vector<uint8_t> coded(repr.begin(), repr.end());


   CT::poison(coded.data(), coded.size());

   //remove mask

   uint8_t* DB = coded.data();

   const size_t DB_size = coded.size() - hash_len - trailer_len;


   const uint8_t* H = &coded[DB_size];


   mgf1_mask(*hash, {H, hash_len}, {DB, DB_size});

   //clear the leftmost bit (confer bouncy castle)

   DB[0] &= 0x7F;


   //recover msg1 and salt

   size_t msg1_offset = 1;


   auto waiting_for_delim = CT::Mask<uint8_t>::set();

   auto bad_input = CT::Mask<uint8_t>::cleared();


   for(size_t j = 0; j < DB_size; ++j) {

      const auto is_zero = CT::Mask<uint8_t>::is_zero(DB[j]);

      const auto is_one = CT::Mask<uint8_t>::is_equal(DB[j], 0x01);


      const auto add_m = waiting_for_delim & is_zero;


      bad_input |= waiting_for_delim & ~(is_zero | is_one);

      msg1_offset += add_m.if_set_return(1);


      waiting_for_delim &= is_zero;

   }


   //invalid, if delimiter 0x01 was not found or msg1_offset is too big

   bad_input |= waiting_for_delim;


   const auto bad_offset = CT::Mask<size_t>::is_lt(coded.size(), trailer_len + hash_len + msg1_offset + salt_len);

   bad_input |= CT::Mask<uint8_t>(bad_offset);


   //in case that msg1_offset is too big, just continue with offset = 0.

   msg1_offset = CT::Mask<size_t>::expand(bad_input.value()).if_not_set_return(msg1_offset);


   CT::unpoison(coded.data(), coded.size());

   CT::unpoison(msg1_offset);


   const size_t msg1_len = coded.size() - (trailer_len + hash_len + msg1_offset + salt_len);


   const auto msg1 = std::span(coded).subspan(msg1_offset, msg1_len);

   const auto salt = std::span(coded).subspan(msg1_offset + msg1.size(), salt_len);


   //compute H2(C||msg1||H(msg2)||S*). * indicates a recovered value

   const size_t capacity = (key_bits - 2 + 7) / 8 - hash_len - salt_len - trailer_len - 1;


   std::span<const uint8_t> msg1raw = raw;

   if(msg1raw.size() > capacity) {

      hash->update(msg1raw.subspan(capacity));

      msg1raw = msg1raw.first(capacity);

   }


   const auto hmsg2 = hash->final_stdvec();


   // Compute H(C*||msg1*||H(msg2)||S*) where '*' indicates a recovered value

   const auto H2 = iso9796_hash(*hash, msg1, hmsg2, salt);


   // Check if H == H2

   bad_input |= CT::is_not_equal(H, H2.data(), hash_len);


   // Check that msg after MGF1 matches msg in the original

   bad_input |= ~CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(msg1.size(), msg1raw.size()));

   bad_input |= ~CT::is_equal(msg1.data(), msg1raw.data(), std::min(msg1.size(), msg1raw.size()));


   CT::unpoison(bad_input);

   return (bad_input.as_bool() == false);

}


}  // namespace


/*

 *  ISO-9796-2 signature scheme 2

 *  DS 2 is probabilistic

 */

void ISO_9796_DS2::update(const uint8_t input[], size_t length) {

   //need to buffer message completely, before digest

   m_msg_buffer.insert(m_msg_buffer.end(), input, input + length);

}


/*

 * Return the raw (unencoded) data

 */

std::vector<uint8_t> ISO_9796_DS2::raw_data() {

   std::vector<uint8_t> retbuffer = m_msg_buffer;

   m_msg_buffer.clear();

   return retbuffer;

}


/*

 *  ISO-9796-2 scheme 2 encode operation

 */

std::vector<uint8_t> ISO_9796_DS2::encoding_of(std::span<const uint8_t> msg,

                                               size_t output_bits,

                                               RandomNumberGenerator& rng) {

   return iso9796_encoding(msg, output_bits, m_hash, m_salt_len, m_implicit, rng);

}


/*

 * ISO-9796-2 scheme 2 verify operation

 */

bool ISO_9796_DS2::verify(std::span<const uint8_t> repr, std::span<const uint8_t> raw, size_t key_bits) {

   return iso9796_verification(repr, raw, key_bits, m_hash, m_salt_len);

}


std::string ISO_9796_DS2::hash_function() const {

   return m_hash->name();

}


/*

 * Return the SCAN name

 */


std::string ISO_9796_DS2::name() const {

   return fmt("ISO_9796_DS2({},{},{})", m_hash->name(), (m_implicit ? "imp" : "exp"), m_salt_len);

}


/*

 *  ISO-9796-2 signature scheme 3

 *  DS 3 is deterministic and equals DS2 without salt

 */

void ISO_9796_DS3::update(const uint8_t input[], size_t length) {

   //need to buffer message completely, before digest

   m_msg_buffer.insert(m_msg_buffer.end(), input, input + length);

}


/*

 * Return the raw (unencoded) data

 */

std::vector<uint8_t> ISO_9796_DS3::raw_data() {

   std::vector<uint8_t> retbuffer = m_msg_buffer;

   m_msg_buffer.clear();

   return retbuffer;

}


/*

 *  ISO-9796-2 scheme 3 encode operation

 */

std::vector<uint8_t> ISO_9796_DS3::encoding_of(std::span<const uint8_t> msg,

                                               size_t output_bits,

                                               RandomNumberGenerator& rng) {

   return iso9796_encoding(msg, output_bits, m_hash, 0, m_implicit, rng);

}


/*

 * ISO-9796-2 scheme 3 verify operation

 */

bool ISO_9796_DS3::verify(std::span<const uint8_t> repr, std::span<const uint8_t> raw, size_t key_bits) {

   return iso9796_verification(repr, raw, key_bits, m_hash, 0);

}


std::string ISO_9796_DS3::hash_function() const {

   return m_hash->name();

}


/*

 * Return the SCAN name

 */


std::string ISO_9796_DS3::name() const {

   return fmt("ISO_9796_DS3({},{})", m_hash->name(), (m_implicit ? "imp" : "exp"));

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:133

Botan::CT::Mask
Definition ct_utils.h:388

Botan::CT::Mask::set
static constexpr Mask< T > set()
Definition ct_utils.h:410

Botan::CT::Mask::expand
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:420

Botan::CT::Mask::is_equal
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:470

Botan::CT::Mask::is_lt
static constexpr Mask< T > is_lt(T x, T y)
Definition ct_utils.h:478

Botan::CT::Mask::is_zero
static constexpr Mask< T > is_zero(T x)
Definition ct_utils.h:465

Botan::CT::Mask::cleared
static constexpr Mask< T > cleared()
Definition ct_utils.h:415

Botan::Decoding_Error
Definition exceptn.h:191

Botan::Encoding_Error
Definition exceptn.h:181

Botan::HashFunction
Definition hash.h:21

Botan::ISO_9796_DS2::name
std::string name() const override
Definition iso9796.cpp:254

Botan::ISO_9796_DS2::hash_function
std::string hash_function() const override
Definition iso9796.cpp:247

Botan::ISO_9796_DS3::hash_function
std::string hash_function() const override
Definition iso9796.cpp:292

Botan::ISO_9796_DS3::name
std::string name() const override
Definition iso9796.cpp:299

Botan::RandomNumberGenerator
Definition rng.h:30

Botan::SignaturePaddingScheme::raw_data
virtual std::vector< uint8_t > raw_data()=0

Botan::CT
Definition ct_utils.h:31

Botan::CT::is_not_equal
constexpr CT::Mask< T > is_not_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:866

Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:65

Botan::CT::poison
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:54

Botan
Definition alg_id.cpp:13

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::mgf1_mask
void mgf1_mask(HashFunction &hash, std::span< const uint8_t > input, std::span< uint8_t > output)
Definition mgf1.cpp:15

Botan::ieee1363_hash_id
uint8_t ieee1363_hash_id(std::string_view name)
Definition hash_id.cpp:144