Botan  2.4.0
Crypto and TLS for C++11
openssl_ec.cpp
Go to the documentation of this file.
1 /*
2 * ECDSA and ECDH via OpenSSL
3 * (C) 2015,2016 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/internal/openssl.h>
9 
10 #if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
11  #include <botan/der_enc.h>
12  #include <botan/pkcs8.h>
13  #include <botan/oids.h>
14  #include <botan/internal/pk_ops_impl.h>
15 #endif
16 
17 #if defined(BOTAN_HAS_ECDSA)
18  #include <botan/ecdsa.h>
19 #endif
20 
21 #if defined(BOTAN_HAS_ECDH)
22  #include <botan/ecdh.h>
23 #endif
24 
25 #include <openssl/x509.h>
26 #include <openssl/objects.h>
27 
28 #if !defined(OPENSSL_NO_EC)
29  #include <openssl/ec.h>
30 #endif
31 
32 #if !defined(OPENSSL_NO_ECDSA)
33  #include <openssl/ecdsa.h>
34 #endif
35 
36 #if !defined(OPENSSL_NO_ECDH)
37  #include <openssl/ecdh.h>
38 #endif
39 
40 namespace Botan {
41 
42 #if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
43 
44 namespace {
45 
46 secure_vector<uint8_t> PKCS8_for_openssl(const EC_PrivateKey& ec)
47  {
48  const PointGFp& pub_key = ec.public_point();
49  const BigInt& priv_key = ec.private_value();
50 
51  return DER_Encoder()
52  .start_cons(SEQUENCE)
53  .encode(static_cast<size_t>(1))
54  .encode(BigInt::encode_1363(priv_key, priv_key.bytes()), OCTET_STRING)
55  .start_cons(ASN1_Tag(0), PRIVATE)
56  .raw_bytes(ec.domain().DER_encode(EC_DOMPAR_ENC_OID))
57  .end_cons()
58  .start_cons(ASN1_Tag(1), PRIVATE)
59  .encode(EC2OSP(pub_key, PointGFp::UNCOMPRESSED), BIT_STRING)
60  .end_cons()
61  .end_cons()
62  .get_contents();
63  }
64 
65 int OpenSSL_EC_curve_builtin(int nid)
66  {
67  // the NID macro is still defined even though the curve may not be
68  // supported, so we need to check the list of builtin curves at runtime
69  EC_builtin_curve builtin_curves[100];
70  size_t num = 0;
71 
72  if (!(num = EC_get_builtin_curves(builtin_curves, sizeof(builtin_curves))))
73  {
74  return -1;
75  }
76 
77  for(size_t i = 0; i < num; ++i)
78  {
79  if(builtin_curves[i].nid == nid)
80  {
81  return nid;
82  }
83  }
84 
85  return -1;
86  }
87 
88 int OpenSSL_EC_nid_for(const OID& oid)
89  {
90  if(oid.empty())
91  return -1;
92 
93  const std::string name = OIDS::lookup(oid);
94 
95  if(name == "secp192r1")
96  return OpenSSL_EC_curve_builtin(NID_X9_62_prime192v1);
97  if(name == "secp224r1")
98  return OpenSSL_EC_curve_builtin(NID_secp224r1);
99  if(name == "secp256r1")
100  return OpenSSL_EC_curve_builtin(NID_X9_62_prime256v1);
101  if(name == "secp384r1")
102  return OpenSSL_EC_curve_builtin(NID_secp384r1);
103  if(name == "secp521r1")
104  return OpenSSL_EC_curve_builtin(NID_secp521r1);
105 
106  // OpenSSL 1.0.2 added brainpool curves
107 #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
108  if(name == "brainpool160r1")
109  return OpenSSL_EC_curve_builtin(NID_brainpoolP160r1);
110  if(name == "brainpool192r1")
111  return OpenSSL_EC_curve_builtin(NID_brainpoolP192r1);
112  if(name == "brainpool224r1")
113  return OpenSSL_EC_curve_builtin(NID_brainpoolP224r1);
114  if(name == "brainpool256r1")
115  return OpenSSL_EC_curve_builtin(NID_brainpoolP256r1);
116  if(name == "brainpool320r1")
117  return OpenSSL_EC_curve_builtin(NID_brainpoolP320r1);
118  if(name == "brainpool384r1")
119  return OpenSSL_EC_curve_builtin(NID_brainpoolP384r1);
120  if(name == "brainpool512r1")
121  return OpenSSL_EC_curve_builtin(NID_brainpoolP512r1);
122 #endif
123 
124  return -1;
125  }
126 
127 }
128 
129 #endif
130 
131 #if defined(BOTAN_HAS_ECDSA) && !defined(OPENSSL_NO_ECDSA)
132 
133 namespace {
134 
135 class OpenSSL_ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
136  {
137  public:
138  OpenSSL_ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, const std::string& emsa, int nid) :
139  PK_Ops::Verification_with_EMSA(emsa), m_ossl_ec(::EC_KEY_new(), ::EC_KEY_free)
140  {
141  std::unique_ptr<::EC_GROUP, std::function<void (::EC_GROUP*)>> grp(::EC_GROUP_new_by_curve_name(nid),
142  ::EC_GROUP_free);
143 
144  if(!grp)
145  throw OpenSSL_Error("EC_GROUP_new_by_curve_name");
146 
147  if(!::EC_KEY_set_group(m_ossl_ec.get(), grp.get()))
148  throw OpenSSL_Error("EC_KEY_set_group");
149 
150  const secure_vector<uint8_t> enc = EC2OSP(ecdsa.public_point(), PointGFp::UNCOMPRESSED);
151  const uint8_t* enc_ptr = enc.data();
152  EC_KEY* key_ptr = m_ossl_ec.get();
153  if(!::o2i_ECPublicKey(&key_ptr, &enc_ptr, enc.size()))
154  throw OpenSSL_Error("o2i_ECPublicKey");
155 
156  const EC_GROUP* group = ::EC_KEY_get0_group(m_ossl_ec.get());
157  m_order_bits = ::EC_GROUP_get_degree(group);
158  }
159 
160  size_t max_input_bits() const override { return m_order_bits; }
161 
162  bool with_recovery() const override { return false; }
163 
164  bool verify(const uint8_t msg[], size_t msg_len,
165  const uint8_t sig_bytes[], size_t sig_len) override
166  {
167  const size_t order_bytes = (m_order_bits + 7) / 8;
168  if(sig_len != 2 * order_bytes)
169  return false;
170 
171  std::unique_ptr<ECDSA_SIG, std::function<void (ECDSA_SIG*)>> sig(nullptr, ECDSA_SIG_free);
172  sig.reset(::ECDSA_SIG_new());
173 
174  BIGNUM* r = BN_bin2bn(sig_bytes , sig_len / 2, nullptr);
175  BIGNUM* s = BN_bin2bn(sig_bytes + sig_len / 2, sig_len / 2, nullptr);
176  if(r == nullptr || s == nullptr)
177  throw OpenSSL_Error("BN_bin2bn sig s");
178 
179 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
180  sig->r = r;
181  sig->s = s;
182 #else
183  ECDSA_SIG_set0(sig.get(), r, s);
184 #endif
185 
186  const int res = ECDSA_do_verify(msg, msg_len, sig.get(), m_ossl_ec.get());
187  if(res < 0)
188  throw OpenSSL_Error("ECDSA_do_verify");
189  return (res == 1);
190  }
191 
192  private:
193  std::unique_ptr<EC_KEY, std::function<void (EC_KEY*)>> m_ossl_ec;
194  size_t m_order_bits = 0;
195  };
196 
197 class OpenSSL_ECDSA_Signing_Operation final : public PK_Ops::Signature_with_EMSA
198  {
199  public:
200  OpenSSL_ECDSA_Signing_Operation(const ECDSA_PrivateKey& ecdsa, const std::string& emsa) :
201  PK_Ops::Signature_with_EMSA(emsa),
202  m_ossl_ec(nullptr, ::EC_KEY_free)
203  {
204  const secure_vector<uint8_t> der = PKCS8_for_openssl(ecdsa);
205  const uint8_t* der_ptr = der.data();
206  m_ossl_ec.reset(d2i_ECPrivateKey(nullptr, &der_ptr, der.size()));
207  if(!m_ossl_ec)
208  throw OpenSSL_Error("d2i_ECPrivateKey");
209 
210  const EC_GROUP* group = ::EC_KEY_get0_group(m_ossl_ec.get());
211  m_order_bits = ::EC_GROUP_get_degree(group);
212  }
213 
214  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
215  RandomNumberGenerator&) override
216  {
217  std::unique_ptr<ECDSA_SIG, std::function<void (ECDSA_SIG*)>> sig(nullptr, ECDSA_SIG_free);
218  sig.reset(::ECDSA_do_sign(msg, msg_len, m_ossl_ec.get()));
219 
220  if(!sig)
221  throw OpenSSL_Error("ECDSA_do_sign");
222 
223  const size_t order_bytes = (m_order_bits + 7) / 8;
224 
225 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
226  const BIGNUM* r = sig->r;
227  const BIGNUM* s = sig->s;
228 #else
229  const BIGNUM* r;
230  const BIGNUM* s;
231  ECDSA_SIG_get0(sig.get(), &r, &s);
232 #endif
233 
234  const size_t r_bytes = BN_num_bytes(r);
235  const size_t s_bytes = BN_num_bytes(s);
236  secure_vector<uint8_t> sigval(2*order_bytes);
237  BN_bn2bin(r, &sigval[order_bytes - r_bytes]);
238  BN_bn2bin(s, &sigval[2*order_bytes - s_bytes]);
239  return sigval;
240  }
241 
242  size_t max_input_bits() const override { return m_order_bits; }
243 
244  private:
245  std::unique_ptr<EC_KEY, std::function<void (EC_KEY*)>> m_ossl_ec;
246  size_t m_order_bits = 0;
247  };
248 
249 }
250 
251 std::unique_ptr<PK_Ops::Verification>
252 make_openssl_ecdsa_ver_op(const ECDSA_PublicKey& key, const std::string& params)
253  {
254  const int nid = OpenSSL_EC_nid_for(key.domain().get_oid());
255  if(nid < 0)
256  {
257  throw Lookup_Error("OpenSSL ECDSA does not support this curve");
258  }
259  return std::unique_ptr<PK_Ops::Verification>(new OpenSSL_ECDSA_Verification_Operation(key, params, nid));
260  }
261 
262 std::unique_ptr<PK_Ops::Signature>
263 make_openssl_ecdsa_sig_op(const ECDSA_PrivateKey& key, const std::string& params)
264  {
265  const int nid = OpenSSL_EC_nid_for(key.domain().get_oid());
266  if(nid < 0)
267  {
268  throw Lookup_Error("OpenSSL ECDSA does not support this curve");
269  }
270  return std::unique_ptr<PK_Ops::Signature>(new OpenSSL_ECDSA_Signing_Operation(key, params));
271  }
272 
273 #endif
274 
275 #if defined(BOTAN_HAS_ECDH) && !defined(OPENSSL_NO_ECDH)
276 
277 namespace {
278 
279 class OpenSSL_ECDH_KA_Operation final : public PK_Ops::Key_Agreement_with_KDF
280  {
281  public:
282 
283  OpenSSL_ECDH_KA_Operation(const ECDH_PrivateKey& ecdh, const std::string& kdf) :
284  PK_Ops::Key_Agreement_with_KDF(kdf), m_ossl_ec(::EC_KEY_new(), ::EC_KEY_free)
285  {
286  const secure_vector<uint8_t> der = PKCS8_for_openssl(ecdh);
287  const uint8_t* der_ptr = der.data();
288  m_ossl_ec.reset(d2i_ECPrivateKey(nullptr, &der_ptr, der.size()));
289  if(!m_ossl_ec)
290  throw OpenSSL_Error("d2i_ECPrivateKey");
291  }
292 
293  secure_vector<uint8_t> raw_agree(const uint8_t w[], size_t w_len) override
294  {
295  const EC_GROUP* group = ::EC_KEY_get0_group(m_ossl_ec.get());
296  const size_t out_len = (::EC_GROUP_get_degree(group) + 7) / 8;
297  secure_vector<uint8_t> out(out_len);
298  EC_POINT* pub_key = ::EC_POINT_new(group);
299 
300  if(!pub_key)
301  throw OpenSSL_Error("EC_POINT_new");
302 
303  const int os2ecp_rc =
304  ::EC_POINT_oct2point(group, pub_key, w, w_len, nullptr);
305 
306  if(os2ecp_rc != 1)
307  throw OpenSSL_Error("EC_POINT_oct2point");
308 
309  const int ecdh_rc = ::ECDH_compute_key(out.data(),
310  out.size(),
311  pub_key,
312  m_ossl_ec.get(),
313  /*KDF*/nullptr);
314 
315  if(ecdh_rc <= 0)
316  throw OpenSSL_Error("ECDH_compute_key");
317 
318  const size_t ecdh_sz = static_cast<size_t>(ecdh_rc);
319 
320  if(ecdh_sz > out.size())
321  throw Internal_Error("OpenSSL ECDH returned more than requested");
322 
323  out.resize(ecdh_sz);
324  return out;
325  }
326 
327  private:
328  std::unique_ptr<EC_KEY, std::function<void (EC_KEY*)>> m_ossl_ec;
329  };
330 
331 }
332 
333 std::unique_ptr<PK_Ops::Key_Agreement>
334 make_openssl_ecdh_ka_op(const ECDH_PrivateKey& key, const std::string& params)
335  {
336  const int nid = OpenSSL_EC_nid_for(key.domain().get_oid());
337  if(nid < 0)
338  {
339  throw Lookup_Error("OpenSSL ECDH does not support this curve");
340  }
341 
342  return std::unique_ptr<PK_Ops::Key_Agreement>(new OpenSSL_ECDH_KA_Operation(key, params));
343  }
344 
345 #endif
346 
347 }
348 
ASN1_Tag
Definition: asn1_obj.h:22
secure_vector< uint8_t > EC2OSP(const PointGFp &point, uint8_t format)
Definition: point_gfp.cpp:469
Definition: alg_id.cpp:13
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
std::string lookup(const OID &oid)
Definition: oids.cpp:18