Botan  2.9.0
Crypto and TLS for C++11
iso9796.cpp
Go to the documentation of this file.
1 /*
2  * ISO-9796-2 - Digital signature schemes giving message recovery schemes 2 and 3
3  * (C) 2016 Tobias Niemann, Hackmanit GmbH
4  *
5  * Botan is released under the Simplified BSD License (see license.txt)
6  */
7 
8 #include <botan/iso9796.h>
9 #include <botan/rng.h>
10 #include <botan/exceptn.h>
11 #include <botan/mgf1.h>
12 #include <botan/hash_id.h>
13 #include <botan/internal/bit_ops.h>
14 #include <botan/internal/ct_utils.h>
15 
16 namespace Botan {
17 
18 namespace {
19 
20 secure_vector<uint8_t> iso9796_encoding(const secure_vector<uint8_t>& msg,
21  size_t output_bits, std::unique_ptr<HashFunction>& hash, size_t SALT_SIZE, bool implicit, RandomNumberGenerator& rng)
22  {
23  const size_t output_length = (output_bits + 7) / 8;
24 
25  //set trailer length
26  size_t tLength = 1;
27  if(!implicit)
28  {
29  tLength = 2;
30  }
31  const size_t HASH_SIZE = hash->output_length();
32 
33  if(output_length <= HASH_SIZE + SALT_SIZE + tLength)
34  {
35  throw Encoding_Error("ISO9796-2::encoding_of: Output length is too small");
36  }
37 
38  //calculate message capacity
39  const size_t capacity = output_length
40  - HASH_SIZE - SALT_SIZE - tLength - 1;
41 
42  //msg1 is the recoverable and msg2 the unrecoverable message part.
43  secure_vector<uint8_t> msg1;
44  secure_vector<uint8_t> msg2;
45  if(msg.size() > capacity)
46  {
47  msg1 = secure_vector<uint8_t> (msg.begin(), msg.begin() + capacity);
48  msg2 = secure_vector<uint8_t> (msg.begin() + capacity, msg.end());
49  hash->update(msg2);
50  }
51  else
52  {
53  msg1 = msg;
54  }
55  msg2 = hash->final();
56 
57  //compute H(C||msg1 ||H(msg2)||S)
58  uint64_t msgLength = msg1.size();
59  secure_vector<uint8_t> salt = rng.random_vec(SALT_SIZE);
60  hash->update_be(msgLength * 8);
61  hash->update(msg1);
62  hash->update(msg2);
63  hash->update(salt);
64  secure_vector<uint8_t> H = hash->final();
65 
66  secure_vector<uint8_t> EM(output_length);
67 
68  //compute message offset.
69  size_t offset = output_length - HASH_SIZE - SALT_SIZE - tLength
70  - msgLength - 1;
71 
72  //insert message border (0x01), msg1 and salt into the output buffer
73  EM[offset] = 0x01;
74  buffer_insert(EM, offset + 1, msg1);
75  buffer_insert(EM, offset + 1 + msgLength, salt);
76 
77  //apply mask
78  mgf1_mask(*hash, H.data(), HASH_SIZE, EM.data(),
79  output_length - HASH_SIZE - tLength);
80  buffer_insert(EM, output_length - HASH_SIZE - tLength, H);
81  //set implicit/ISO trailer
82  if(!implicit)
83  {
84  uint8_t hash_id = ieee1363_hash_id(hash->name());
85  if(!hash_id)
86  {
87  throw Encoding_Error("ISO9796-2::encoding_of: no hash identifier for " + hash->name());
88  }
89  EM[output_length - 1] = 0xCC;
90  EM[output_length - 2] = hash_id;
91 
92  }
93  else
94  {
95  EM[output_length - 1] = 0xBC;
96  }
97  //clear the leftmost bit (confer bouncy castle)
98  EM[0] &= 0x7F;
99 
100  return EM;
101  }
102 
103 bool iso9796_verification(const secure_vector<uint8_t>& const_coded,
104  const secure_vector<uint8_t>& raw, size_t key_bits, std::unique_ptr<HashFunction>& hash, size_t SALT_SIZE)
105  {
106  const size_t HASH_SIZE = hash->output_length();
107  const size_t KEY_BYTES = (key_bits + 7) / 8;
108 
109  if(const_coded.size() != KEY_BYTES)
110  {
111  return false;
112  }
113  //get trailer length
114  size_t tLength;
115  if(const_coded[const_coded.size() - 1] == 0xBC)
116  {
117  tLength = 1;
118  }
119  else
120  {
121  uint8_t hash_id = ieee1363_hash_id(hash->name());
122  if((!const_coded[const_coded.size() - 2]) || (const_coded[const_coded.size() - 2] != hash_id) ||
123  (const_coded[const_coded.size() - 1] != 0xCC))
124  {
125  return false; //in case of wrong ISO trailer.
126  }
127  tLength = 2;
128  }
129 
130  secure_vector<uint8_t> coded = const_coded;
131 
132  CT::poison(coded.data(), coded.size());
133  //remove mask
134  uint8_t* DB = coded.data();
135  const size_t DB_size = coded.size() - HASH_SIZE - tLength;
136 
137  const uint8_t* H = &coded[DB_size];
138 
139  mgf1_mask(*hash, H, HASH_SIZE, DB, DB_size);
140  //clear the leftmost bit (confer bouncy castle)
141  DB[0] &= 0x7F;
142 
143  //recover msg1 and salt
144  size_t msg1_offset = 1;
145 
146  auto waiting_for_delim = CT::Mask<uint8_t>::set();
147  auto bad_input = CT::Mask<uint8_t>::cleared();
148 
149  for(size_t j = 0; j < DB_size; ++j)
150  {
151  const auto is_zero = CT::Mask<uint8_t>::is_zero(DB[j]);
152  const auto is_one = CT::Mask<uint8_t>::is_equal(DB[j], 0x01);
153 
154  const auto add_m = waiting_for_delim & is_zero;
155 
156  bad_input |= waiting_for_delim & ~(is_zero | is_one);
157  msg1_offset += add_m.if_set_return(1);
158 
159  waiting_for_delim &= is_zero;
160  }
161 
162  //invalid, if delimiter 0x01 was not found or msg1_offset is too big
163  bad_input |= waiting_for_delim;
164  bad_input |= CT::Mask<size_t>::is_lt(coded.size(), tLength + HASH_SIZE + msg1_offset + SALT_SIZE);
165 
166  //in case that msg1_offset is too big, just continue with offset = 0.
167  msg1_offset = CT::Mask<size_t>::expand(bad_input.value()).if_not_set_return(msg1_offset);
168 
169  CT::unpoison(coded.data(), coded.size());
170  CT::unpoison(msg1_offset);
171 
172  secure_vector<uint8_t> msg1(coded.begin() + msg1_offset,
173  coded.end() - tLength - HASH_SIZE - SALT_SIZE);
174  secure_vector<uint8_t> salt(coded.begin() + msg1_offset + msg1.size(),
175  coded.end() - tLength - HASH_SIZE);
176 
177  //compute H2(C||msg1||H(msg2)||S*). * indicates a recovered value
178  const size_t capacity = (key_bits - 2 + 7) / 8 - HASH_SIZE - SALT_SIZE - tLength - 1;
179  secure_vector<uint8_t> msg1raw;
180  secure_vector<uint8_t> msg2;
181  if(raw.size() > capacity)
182  {
183  msg1raw = secure_vector<uint8_t> (raw.begin(), raw.begin() + capacity);
184  msg2 = secure_vector<uint8_t> (raw.begin() + capacity, raw.end());
185  hash->update(msg2);
186  }
187  else
188  {
189  msg1raw = raw;
190  }
191  msg2 = hash->final();
192 
193  const uint64_t msg1rawLength = msg1raw.size();
194  hash->update_be(msg1rawLength * 8);
195  hash->update(msg1raw);
196  hash->update(msg2);
197  hash->update(salt);
198  secure_vector<uint8_t> H3 = hash->final();
199 
200  //compute H3(C*||msg1*||H(msg2)||S*) * indicates a recovered value
201  const uint64_t msgLength = msg1.size();
202  hash->update_be(msgLength * 8);
203  hash->update(msg1);
204  hash->update(msg2);
205  hash->update(salt);
206  secure_vector<uint8_t> H2 = hash->final();
207 
208  //check if H3 == H2
209  bad_input |= CT::Mask<uint8_t>::is_zero(ct_compare_u8(H3.data(), H2.data(), HASH_SIZE));
210 
211  CT::unpoison(bad_input);
212  return (bad_input.is_set() == false);
213  }
214 
215 }
216 
218  {
219  return new ISO_9796_DS2(m_hash->clone(), m_implicit, m_SALT_SIZE);
220  }
221 
222 /*
223  * ISO-9796-2 signature scheme 2
224  * DS 2 is probabilistic
225  */
226 void ISO_9796_DS2::update(const uint8_t input[], size_t length)
227  {
228  //need to buffer message completely, before digest
229  m_msg_buffer.insert(m_msg_buffer.end(), input, input+length);
230  }
231 
232 /*
233  * Return the raw (unencoded) data
234  */
235 secure_vector<uint8_t> ISO_9796_DS2::raw_data()
236  {
237  secure_vector<uint8_t> retbuffer = m_msg_buffer;
238  m_msg_buffer.clear();
239  return retbuffer;
240  }
241 
242 /*
243  * ISO-9796-2 scheme 2 encode operation
244  */
245 secure_vector<uint8_t> ISO_9796_DS2::encoding_of(const secure_vector<uint8_t>& msg,
246  size_t output_bits, RandomNumberGenerator& rng)
247  {
248  return iso9796_encoding(msg, output_bits, m_hash, m_SALT_SIZE, m_implicit, rng);
249  }
250 
251 /*
252  * ISO-9796-2 scheme 2 verify operation
253  */
254 bool ISO_9796_DS2::verify(const secure_vector<uint8_t>& const_coded,
255  const secure_vector<uint8_t>& raw, size_t key_bits)
256  {
257  return iso9796_verification(const_coded,raw,key_bits,m_hash,m_SALT_SIZE);
258  }
259 
260 /*
261  * Return the SCAN name
262  */
263 std::string ISO_9796_DS2::name() const
264  {
265  return "ISO_9796_DS2(" + m_hash->name() + ","
266  + (m_implicit ? "imp" : "exp") + "," + std::to_string(m_SALT_SIZE) + ")";
267  }
268 
270  {
271  return new ISO_9796_DS3(m_hash->clone(), m_implicit);
272  }
273 
274 /*
275  * ISO-9796-2 signature scheme 3
276  * DS 3 is deterministic and equals DS2 without salt
277  */
278 void ISO_9796_DS3::update(const uint8_t input[], size_t length)
279  {
280  //need to buffer message completely, before digest
281  m_msg_buffer.insert(m_msg_buffer.end(), input, input+length);
282  }
283 
284 /*
285  * Return the raw (unencoded) data
286  */
287 secure_vector<uint8_t> ISO_9796_DS3::raw_data()
288  {
289  secure_vector<uint8_t> retbuffer = m_msg_buffer;
290  m_msg_buffer.clear();
291  return retbuffer;
292  }
293 
294 /*
295  * ISO-9796-2 scheme 3 encode operation
296  */
297 secure_vector<uint8_t> ISO_9796_DS3::encoding_of(const secure_vector<uint8_t>& msg,
298  size_t output_bits, RandomNumberGenerator& rng)
299  {
300  return iso9796_encoding(msg, output_bits, m_hash, 0, m_implicit, rng);
301  }
302 
303 /*
304  * ISO-9796-2 scheme 3 verify operation
305  */
306 bool ISO_9796_DS3::verify(const secure_vector<uint8_t>& const_coded,
307  const secure_vector<uint8_t>& raw, size_t key_bits)
308  {
309  return iso9796_verification(const_coded, raw, key_bits, m_hash, 0);
310  }
311 /*
312  * Return the SCAN name
313  */
314 std::string ISO_9796_DS3::name() const
315  {
316  return "ISO_9796_DS3(" + m_hash->name() + "," +
317  (m_implicit ? "imp" : "exp") + ")";
318  }
319 }
static Mask< T > cleared()
Definition: ct_utils.h:115
EMSA * clone() override
Definition: iso9796.cpp:217
std::string name() const override
Definition: iso9796.cpp:314
void poison(const T *p, size_t n)
Definition: ct_utils.h:48
uint8_t ieee1363_hash_id(const std::string &name)
Definition: hash_id.cpp:146
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
static Mask< T > expand(T v)
Definition: ct_utils.h:123
uint8_t ct_compare_u8(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.cpp:53
ISO_9796_DS3(HashFunction *hash, bool implicit=false)
Definition: iso9796.h:69
Definition: alg_id.cpp:13
std::string name() const override
Definition: iso9796.cpp:263
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
Definition: secmem.h:80
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
static Mask< T > set()
Definition: ct_utils.h:107
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
Definition: mgf1.cpp:14
ISO_9796_DS2(HashFunction *hash, bool implicit=false)
Definition: iso9796.h:26
static Mask< T > is_zero(T x)
Definition: ct_utils.h:141
static Mask< T > is_equal(T x, T y)
Definition: ct_utils.h:149
MechanismType hash
static Mask< T > is_lt(T x, T y)
Definition: ct_utils.h:157
EMSA * clone() override
Definition: iso9796.cpp:269