Botan  2.7.0
Crypto and TLS for C++11
openssl_ec.cpp
Go to the documentation of this file.
1 /*
2 * ECDSA and ECDH via OpenSSL
3 * (C) 2015,2016 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/internal/openssl.h>
9 
10 #if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
11  #include <botan/der_enc.h>
12  #include <botan/pkcs8.h>
13  #include <botan/oids.h>
14  #include <botan/internal/pk_ops_impl.h>
15 #endif
16 
17 #if defined(BOTAN_HAS_ECDSA)
18  #include <botan/ecdsa.h>
19 #endif
20 
21 #if defined(BOTAN_HAS_ECDH)
22  #include <botan/ecdh.h>
23 #endif
24 
25 #include <openssl/x509.h>
26 #include <openssl/objects.h>
27 
28 #if !defined(OPENSSL_NO_EC)
29  #include <openssl/ec.h>
30 #endif
31 
32 #if !defined(OPENSSL_NO_ECDSA)
33  #include <openssl/ecdsa.h>
34 #endif
35 
36 #if !defined(OPENSSL_NO_ECDH)
37  #include <openssl/ecdh.h>
38 #endif
39 
40 namespace Botan {
41 
42 #if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
43 
44 namespace {
45 
46 secure_vector<uint8_t> PKCS8_for_openssl(const EC_PrivateKey& ec)
47  {
48  const PointGFp& pub_key = ec.public_point();
49  const BigInt& priv_key = ec.private_value();
50 
51  return DER_Encoder()
52  .start_cons(SEQUENCE)
53  .encode(static_cast<size_t>(1))
54  .encode(BigInt::encode_1363(priv_key, priv_key.bytes()), OCTET_STRING)
55  .start_cons(ASN1_Tag(0), PRIVATE)
56  .raw_bytes(ec.domain().DER_encode(EC_DOMPAR_ENC_OID))
57  .end_cons()
58  .start_cons(ASN1_Tag(1), PRIVATE)
59  .encode(pub_key.encode(PointGFp::UNCOMPRESSED), BIT_STRING)
60  .end_cons()
61  .end_cons()
62  .get_contents();
63  }
64 
65 int OpenSSL_EC_curve_builtin(int nid)
66  {
67  // the NID macro is still defined even though the curve may not be
68  // supported, so we need to check the list of builtin curves at runtime
69  EC_builtin_curve builtin_curves[100];
70  size_t num = 0;
71 
72  if (!(num = EC_get_builtin_curves(builtin_curves, sizeof(builtin_curves))))
73  {
74  return -1;
75  }
76 
77  for(size_t i = 0; i < num; ++i)
78  {
79  if(builtin_curves[i].nid == nid)
80  {
81  return nid;
82  }
83  }
84 
85  return -1;
86  }
87 
88 int OpenSSL_EC_nid_for(const OID& oid)
89  {
90  if(oid.empty())
91  return -1;
92 
93  const std::string name = OIDS::lookup(oid);
94 
95  if(name == "secp192r1")
96  return OpenSSL_EC_curve_builtin(NID_X9_62_prime192v1);
97  if(name == "secp224r1")
98  return OpenSSL_EC_curve_builtin(NID_secp224r1);
99  if(name == "secp256r1")
100  return OpenSSL_EC_curve_builtin(NID_X9_62_prime256v1);
101  if(name == "secp384r1")
102  return OpenSSL_EC_curve_builtin(NID_secp384r1);
103  if(name == "secp521r1")
104  return OpenSSL_EC_curve_builtin(NID_secp521r1);
105 
106  // OpenSSL 1.0.2 added brainpool curves
107 #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
108  if(name == "brainpool160r1")
109  return OpenSSL_EC_curve_builtin(NID_brainpoolP160r1);
110  if(name == "brainpool192r1")
111  return OpenSSL_EC_curve_builtin(NID_brainpoolP192r1);
112  if(name == "brainpool224r1")
113  return OpenSSL_EC_curve_builtin(NID_brainpoolP224r1);
114  if(name == "brainpool256r1")
115  return OpenSSL_EC_curve_builtin(NID_brainpoolP256r1);
116  if(name == "brainpool320r1")
117  return OpenSSL_EC_curve_builtin(NID_brainpoolP320r1);
118  if(name == "brainpool384r1")
119  return OpenSSL_EC_curve_builtin(NID_brainpoolP384r1);
120  if(name == "brainpool512r1")
121  return OpenSSL_EC_curve_builtin(NID_brainpoolP512r1);
122 #endif
123 
124  return -1;
125  }
126 
127 }
128 
129 #endif
130 
131 #if defined(BOTAN_HAS_ECDSA) && !defined(OPENSSL_NO_ECDSA)
132 
133 namespace {
134 
135 class OpenSSL_ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
136  {
137  public:
138  OpenSSL_ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, const std::string& emsa, int nid) :
139  PK_Ops::Verification_with_EMSA(emsa), m_ossl_ec(::EC_KEY_new(), ::EC_KEY_free)
140  {
141  std::unique_ptr<::EC_GROUP, std::function<void (::EC_GROUP*)>> grp(::EC_GROUP_new_by_curve_name(nid),
142  ::EC_GROUP_free);
143 
144  if(!grp)
145  throw OpenSSL_Error("EC_GROUP_new_by_curve_name");
146 
147  if(!::EC_KEY_set_group(m_ossl_ec.get(), grp.get()))
148  throw OpenSSL_Error("EC_KEY_set_group");
149 
150  const std::vector<uint8_t> enc = ecdsa.public_point().encode(PointGFp::UNCOMPRESSED);
151  const uint8_t* enc_ptr = enc.data();
152  EC_KEY* key_ptr = m_ossl_ec.get();
153  if(!::o2i_ECPublicKey(&key_ptr, &enc_ptr, enc.size()))
154  throw OpenSSL_Error("o2i_ECPublicKey");
155 
156  const EC_GROUP* group = ::EC_KEY_get0_group(m_ossl_ec.get());
157  m_order_bits = ::EC_GROUP_get_degree(group);
158  }
159 
160  size_t max_input_bits() const override { return m_order_bits; }
161 
162  bool with_recovery() const override { return false; }
163 
164  bool verify(const uint8_t msg[], size_t msg_len,
165  const uint8_t sig_bytes[], size_t sig_len) override
166  {
167  const size_t order_bytes = (m_order_bits + 7) / 8;
168  if(sig_len != 2 * order_bytes)
169  return false;
170 
171  std::unique_ptr<ECDSA_SIG, std::function<void (ECDSA_SIG*)>> sig(nullptr, ECDSA_SIG_free);
172  sig.reset(::ECDSA_SIG_new());
173 
174  BIGNUM* r = BN_bin2bn(sig_bytes , sig_len / 2, nullptr);
175  BIGNUM* s = BN_bin2bn(sig_bytes + sig_len / 2, sig_len / 2, nullptr);
176  if(r == nullptr || s == nullptr)
177  throw OpenSSL_Error("BN_bin2bn sig s");
178 
179 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
180  sig->r = r;
181  sig->s = s;
182 #else
183  ECDSA_SIG_set0(sig.get(), r, s);
184 #endif
185 
186  const int res = ECDSA_do_verify(msg, msg_len, sig.get(), m_ossl_ec.get());
187  if(res < 0)
188  {
189  int err = ERR_get_error();
190 #if defined(EC_R_BAD_SIGNATURE)
191  if(ERR_GET_REASON(err) != EC_R_BAD_SIGNATURE)
192  throw OpenSSL_Error("ECDSA_do_verify", err);
193 #elif defined(ECDSA_R_BAD_SIGNATURE)
194  if(ERR_GET_REASON(err) != ECDSA_R_BAD_SIGNATURE)
195  throw OpenSSL_Error("ECDSA_do_verify", err);
196 #else
197  throw OpenSSL_Error("ECDSA_do_verify");
198 #endif
199  }
200  return (res == 1);
201  }
202 
203  private:
204  std::unique_ptr<EC_KEY, std::function<void (EC_KEY*)>> m_ossl_ec;
205  size_t m_order_bits = 0;
206  };
207 
208 class OpenSSL_ECDSA_Signing_Operation final : public PK_Ops::Signature_with_EMSA
209  {
210  public:
211  OpenSSL_ECDSA_Signing_Operation(const ECDSA_PrivateKey& ecdsa, const std::string& emsa) :
212  PK_Ops::Signature_with_EMSA(emsa),
213  m_ossl_ec(nullptr, ::EC_KEY_free)
214  {
215  const secure_vector<uint8_t> der = PKCS8_for_openssl(ecdsa);
216  const uint8_t* der_ptr = der.data();
217  m_ossl_ec.reset(d2i_ECPrivateKey(nullptr, &der_ptr, der.size()));
218  if(!m_ossl_ec)
219  throw OpenSSL_Error("d2i_ECPrivateKey");
220 
221  const EC_GROUP* group = ::EC_KEY_get0_group(m_ossl_ec.get());
222  m_order_bits = ::EC_GROUP_get_degree(group);
223  }
224 
225  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
226  RandomNumberGenerator&) override
227  {
228  std::unique_ptr<ECDSA_SIG, std::function<void (ECDSA_SIG*)>> sig(nullptr, ECDSA_SIG_free);
229  sig.reset(::ECDSA_do_sign(msg, msg_len, m_ossl_ec.get()));
230 
231  if(!sig)
232  throw OpenSSL_Error("ECDSA_do_sign");
233 
234  const size_t order_bytes = (m_order_bits + 7) / 8;
235 
236 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
237  const BIGNUM* r = sig->r;
238  const BIGNUM* s = sig->s;
239 #else
240  const BIGNUM* r;
241  const BIGNUM* s;
242  ECDSA_SIG_get0(sig.get(), &r, &s);
243 #endif
244 
245  const size_t r_bytes = BN_num_bytes(r);
246  const size_t s_bytes = BN_num_bytes(s);
247  secure_vector<uint8_t> sigval(2*order_bytes);
248  BN_bn2bin(r, &sigval[order_bytes - r_bytes]);
249  BN_bn2bin(s, &sigval[2*order_bytes - s_bytes]);
250  return sigval;
251  }
252 
253  size_t max_input_bits() const override { return m_order_bits; }
254 
255  private:
256  std::unique_ptr<EC_KEY, std::function<void (EC_KEY*)>> m_ossl_ec;
257  size_t m_order_bits = 0;
258  };
259 
260 }
261 
262 std::unique_ptr<PK_Ops::Verification>
263 make_openssl_ecdsa_ver_op(const ECDSA_PublicKey& key, const std::string& params)
264  {
265  const int nid = OpenSSL_EC_nid_for(key.domain().get_curve_oid());
266  if(nid < 0)
267  {
268  throw Lookup_Error("OpenSSL ECDSA does not support this curve");
269  }
270  return std::unique_ptr<PK_Ops::Verification>(new OpenSSL_ECDSA_Verification_Operation(key, params, nid));
271  }
272 
273 std::unique_ptr<PK_Ops::Signature>
274 make_openssl_ecdsa_sig_op(const ECDSA_PrivateKey& key, const std::string& params)
275  {
276  const int nid = OpenSSL_EC_nid_for(key.domain().get_curve_oid());
277  if(nid < 0)
278  {
279  throw Lookup_Error("OpenSSL ECDSA does not support this curve");
280  }
281  return std::unique_ptr<PK_Ops::Signature>(new OpenSSL_ECDSA_Signing_Operation(key, params));
282  }
283 
284 #endif
285 
286 #if defined(BOTAN_HAS_ECDH) && !defined(OPENSSL_NO_ECDH)
287 
288 namespace {
289 
290 class OpenSSL_ECDH_KA_Operation final : public PK_Ops::Key_Agreement_with_KDF
291  {
292  public:
293 
294  OpenSSL_ECDH_KA_Operation(const ECDH_PrivateKey& ecdh, const std::string& kdf) :
295  PK_Ops::Key_Agreement_with_KDF(kdf), m_ossl_ec(::EC_KEY_new(), ::EC_KEY_free)
296  {
297  const secure_vector<uint8_t> der = PKCS8_for_openssl(ecdh);
298  const uint8_t* der_ptr = der.data();
299  m_ossl_ec.reset(d2i_ECPrivateKey(nullptr, &der_ptr, der.size()));
300  if(!m_ossl_ec)
301  throw OpenSSL_Error("d2i_ECPrivateKey");
302  }
303 
304  secure_vector<uint8_t> raw_agree(const uint8_t w[], size_t w_len) override
305  {
306  const EC_GROUP* group = ::EC_KEY_get0_group(m_ossl_ec.get());
307  const size_t out_len = (::EC_GROUP_get_degree(group) + 7) / 8;
308  secure_vector<uint8_t> out(out_len);
309  EC_POINT* pub_key = ::EC_POINT_new(group);
310 
311  if(!pub_key)
312  throw OpenSSL_Error("EC_POINT_new");
313 
314  const int os2ecp_rc =
315  ::EC_POINT_oct2point(group, pub_key, w, w_len, nullptr);
316 
317  if(os2ecp_rc != 1)
318  throw OpenSSL_Error("EC_POINT_oct2point");
319 
320  const int ecdh_rc = ::ECDH_compute_key(out.data(),
321  out.size(),
322  pub_key,
323  m_ossl_ec.get(),
324  /*KDF*/nullptr);
325 
326  if(ecdh_rc <= 0)
327  throw OpenSSL_Error("ECDH_compute_key");
328 
329  const size_t ecdh_sz = static_cast<size_t>(ecdh_rc);
330 
331  if(ecdh_sz > out.size())
332  throw Internal_Error("OpenSSL ECDH returned more than requested");
333 
334  out.resize(ecdh_sz);
335  return out;
336  }
337 
338  private:
339  std::unique_ptr<EC_KEY, std::function<void (EC_KEY*)>> m_ossl_ec;
340  };
341 
342 }
343 
344 std::unique_ptr<PK_Ops::Key_Agreement>
345 make_openssl_ecdh_ka_op(const ECDH_PrivateKey& key, const std::string& params)
346  {
347  const int nid = OpenSSL_EC_nid_for(key.domain().get_curve_oid());
348  if(nid < 0)
349  {
350  throw Lookup_Error("OpenSSL ECDH does not support this curve");
351  }
352 
353  return std::unique_ptr<PK_Ops::Key_Agreement>(new OpenSSL_ECDH_KA_Operation(key, params));
354  }
355 
356 #endif
357 
358 }
359 
ASN1_Tag
Definition: asn1_obj.h:22
Definition: alg_id.cpp:13
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
std::string lookup(const OID &oid)
Definition: oids.cpp:113