Botan 2.19.1
Crypto and TLS for C&
pubkey.cpp
Go to the documentation of this file.
1/*
2* (C) 1999-2010,2015,2018 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/pubkey.h>
8#include <botan/der_enc.h>
9#include <botan/ber_dec.h>
10#include <botan/bigint.h>
11#include <botan/pk_ops.h>
12#include <botan/internal/ct_utils.h>
13#include <botan/rng.h>
14
15namespace Botan {
16
17secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
18 {
19 uint8_t valid_mask = 0;
20
21 secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
22
23 if(valid_mask == 0)
24 throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
25
26 return decoded;
27 }
28
31 size_t length,
32 size_t expected_pt_len,
34 const uint8_t required_content_bytes[],
35 const uint8_t required_content_offsets[],
36 size_t required_contents_length) const
37 {
38 const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
39
40 uint8_t decrypt_valid = 0;
41 secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
42
43 auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
44 valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
45
46 decoded.resize(expected_pt_len);
47
48 for(size_t i = 0; i != required_contents_length; ++i)
49 {
50 /*
51 These values are chosen by the application and for TLS are constants,
52 so this early failure via assert is fine since we know 0,1 < 48
53
54 If there is a protocol that has content checks on the key where
55 the expected offsets are controllable by the attacker this could
56 still leak.
57
58 Alternately could always reduce the offset modulo the length?
59 */
60
61 const uint8_t exp = required_content_bytes[i];
62 const uint8_t off = required_content_offsets[i];
63
64 BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
65
66 auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
67
68 valid_mask &= eq;
69 }
70
71 // If valid_mask is false, assign fake pre master instead
72 valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
73
74 return decoded;
75 }
76
79 size_t length,
80 size_t expected_pt_len,
81 RandomNumberGenerator& rng) const
82 {
83 return decrypt_or_random(in, length, expected_pt_len, rng,
84 nullptr, nullptr, 0);
85 }
86
89 const std::string& padding,
90 const std::string& provider)
91 {
92 m_op = key.create_encryption_op(rng, padding, provider);
93 if(!m_op)
94 throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
95 }
96
97PK_Encryptor_EME::~PK_Encryptor_EME() { /* for unique_ptr */ }
98
99size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
100 {
101 return m_op->ciphertext_length(ptext_len);
102 }
103
104std::vector<uint8_t>
105PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
106 {
107 return unlock(m_op->encrypt(in, length, rng));
108 }
109
111 {
112 return m_op->max_input_bits() / 8;
113 }
114
117 const std::string& padding,
118 const std::string& provider)
119 {
120 m_op = key.create_decryption_op(rng, padding, provider);
121 if(!m_op)
122 throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
123 }
124
125PK_Decryptor_EME::~PK_Decryptor_EME() { /* for unique_ptr */ }
126
127size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
128 {
129 return m_op->plaintext_length(ctext_len);
130 }
131
132secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
133 const uint8_t in[], size_t in_len) const
134 {
135 return m_op->decrypt(valid_mask, in, in_len);
136 }
137
140 const std::string& param,
141 const std::string& provider)
142 {
143 m_op = key.create_kem_encryption_op(rng, param, provider);
144 if(!m_op)
145 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
146 }
147
148PK_KEM_Encryptor::~PK_KEM_Encryptor() { /* for unique_ptr */ }
149
151 secure_vector<uint8_t>& out_shared_key,
152 size_t desired_shared_key_len,
154 const uint8_t salt[],
155 size_t salt_len)
156 {
157 m_op->kem_encrypt(out_encapsulated_key,
158 out_shared_key,
159 desired_shared_key_len,
160 rng,
161 salt,
162 salt_len);
163 }
164
167 const std::string& param,
168 const std::string& provider)
169 {
170 m_op = key.create_kem_decryption_op(rng, param, provider);
171 if(!m_op)
172 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
173 }
174
175PK_KEM_Decryptor::~PK_KEM_Decryptor() { /* for unique_ptr */ }
176
178 size_t encap_key_len,
179 size_t desired_shared_key_len,
180 const uint8_t salt[],
181 size_t salt_len)
182 {
183 return m_op->kem_decrypt(encap_key, encap_key_len,
184 desired_shared_key_len,
185 salt, salt_len);
186 }
187
190 const std::string& kdf,
191 const std::string& provider)
192 {
193 m_op = key.create_key_agreement_op(rng, kdf, provider);
194 if(!m_op)
195 throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
196 }
197
198PK_Key_Agreement::~PK_Key_Agreement() { /* for unique_ptr */ }
199
201 {
202 if(this != &other)
203 {
204 m_op = std::move(other.m_op);
205 }
206 return (*this);
207 }
208
210 m_op(std::move(other.m_op))
211 {}
212
214 {
215 return m_op->agreed_value_size();
216 }
217
219 const uint8_t in[], size_t in_len,
220 const uint8_t salt[],
221 size_t salt_len) const
222 {
223 return m_op->agree(key_len, in, in_len, salt, salt_len);
224 }
225
226static void check_der_format_supported(Signature_Format format, size_t parts)
227 {
228 if(format != IEEE_1363 && parts == 1)
229 throw Invalid_Argument("PK: This algorithm does not support DER encoding");
230 }
231
234 const std::string& emsa,
235 Signature_Format format,
236 const std::string& provider)
237 {
238 m_op = key.create_signature_op(rng, emsa, provider);
239 if(!m_op)
240 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
241 m_sig_format = format;
242 m_parts = key.message_parts();
243 m_part_size = key.message_part_size();
244 check_der_format_supported(format, m_parts);
245 }
246
247PK_Signer::~PK_Signer() { /* for unique_ptr */ }
248
249void PK_Signer::update(const uint8_t in[], size_t length)
250 {
251 m_op->update(in, length);
252 }
253
254namespace {
255
256std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
257 size_t parts,
258 size_t part_size)
259 {
260 if(sig.size() % parts != 0 || sig.size() != parts * part_size)
261 throw Encoding_Error("Unexpected size for DER signature");
262
263 std::vector<BigInt> sig_parts(parts);
264 for(size_t i = 0; i != sig_parts.size(); ++i)
265 sig_parts[i].binary_decode(&sig[part_size*i], part_size);
266
267 std::vector<uint8_t> output;
268 DER_Encoder(output)
270 .encode_list(sig_parts)
271 .end_cons();
272 return output;
273 }
274
275}
276
278 {
279 if(m_sig_format == IEEE_1363)
280 {
281 return m_op->signature_length();
282 }
283 else if(m_sig_format == DER_SEQUENCE)
284 {
285 // This is a large over-estimate but its easier than computing
286 // the exact value
287 return m_op->signature_length() + (8 + 4*m_parts);
288 }
289 else
290 throw Internal_Error("PK_Signer: Invalid signature format enum");
291 }
292
294 {
295 const std::vector<uint8_t> sig = unlock(m_op->sign(rng));
296
297 if(m_sig_format == IEEE_1363)
298 {
299 return sig;
300 }
301 else if(m_sig_format == DER_SEQUENCE)
302 {
303 return der_encode_signature(sig, m_parts, m_part_size);
304 }
305 else
306 throw Internal_Error("PK_Signer: Invalid signature format enum");
307 }
308
310 const std::string& emsa,
311 Signature_Format format,
312 const std::string& provider)
313 {
314 m_op = key.create_verification_op(emsa, provider);
315 if(!m_op)
316 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
317 m_sig_format = format;
318 m_parts = key.message_parts();
319 m_part_size = key.message_part_size();
320 check_der_format_supported(format, m_parts);
321 }
322
323PK_Verifier::~PK_Verifier() { /* for unique_ptr */ }
324
326 {
327 check_der_format_supported(format, m_parts);
328 m_sig_format = format;
329 }
330
331bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
332 const uint8_t sig[], size_t sig_length)
333 {
334 update(msg, msg_length);
335 return check_signature(sig, sig_length);
336 }
337
338void PK_Verifier::update(const uint8_t in[], size_t length)
339 {
340 m_op->update(in, length);
341 }
342
343bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
344 {
345 try {
346 if(m_sig_format == IEEE_1363)
347 {
348 return m_op->is_valid_signature(sig, length);
349 }
350 else if(m_sig_format == DER_SEQUENCE)
351 {
352 std::vector<uint8_t> real_sig;
353 BER_Decoder decoder(sig, length);
354 BER_Decoder ber_sig = decoder.start_cons(SEQUENCE);
355
356 BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);
357
358 size_t count = 0;
359
360 while(ber_sig.more_items())
361 {
362 BigInt sig_part;
363 ber_sig.decode(sig_part);
364 real_sig += BigInt::encode_1363(sig_part, m_part_size);
365 ++count;
366 }
367
368 if(count != m_parts)
369 throw Decoding_Error("PK_Verifier: signature size invalid");
370
371 const std::vector<uint8_t> reencoded =
372 der_encode_signature(real_sig, m_parts, m_part_size);
373
374 if(reencoded.size() != length ||
375 same_mem(reencoded.data(), sig, reencoded.size()) == false)
376 {
377 throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
378 }
379
380 return m_op->is_valid_signature(real_sig.data(), real_sig.size());
381 }
382 else
383 throw Internal_Error("PK_Verifier: Invalid signature format enum");
384 }
385 catch(Invalid_Argument&) { return false; }
386 }
387
388}
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
bool more_items() const
Definition: ber_dec.cpp:198
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
static Mask< T > is_equal(T x, T y)
Definition: ct_utils.h:149
DER_Encoder & encode_list(const std::vector< T > &values)
Definition: der_enc.h:128
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
size_t plaintext_length(size_t ptext_len) const override
Definition: pubkey.cpp:127
PK_Decryptor_EME(const Private_Key &key, RandomNumberGenerator &rng, const std::string &eme, const std::string &provider="")
Definition: pubkey.cpp:115
secure_vector< uint8_t > decrypt_or_random(const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
Definition: pubkey.cpp:78
secure_vector< uint8_t > decrypt(const uint8_t in[], size_t length) const
Definition: pubkey.cpp:17
PK_Encryptor_EME(const Public_Key &key, RandomNumberGenerator &rng, const std::string &padding, const std::string &provider="")
Definition: pubkey.cpp:87
size_t maximum_input_size() const override
Definition: pubkey.cpp:110
size_t ciphertext_length(size_t ptext_len) const override
Definition: pubkey.cpp:99
PK_KEM_Decryptor(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:165
secure_vector< uint8_t > decrypt(const uint8_t encap_key[], size_t encap_key_len, size_t desired_shared_key_len, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:177
PK_KEM_Encryptor(const Public_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:138
void encrypt(secure_vector< uint8_t > &out_encapsulated_key, secure_vector< uint8_t > &out_shared_key, size_t desired_shared_key_len, Botan::RandomNumberGenerator &rng, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:150
PK_Key_Agreement & operator=(PK_Key_Agreement &&)
Definition: pubkey.cpp:200
size_t agreed_value_size() const
Definition: pubkey.cpp:213
PK_Key_Agreement(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kdf, const std::string &provider="")
Definition: pubkey.cpp:188
SymmetricKey derive_key(size_t key_len, const uint8_t in[], size_t in_len, const uint8_t params[], size_t params_len) const
Definition: pubkey.cpp:218
void update(uint8_t in)
Definition: pubkey.h:238
PK_Signer(const Private_Key &key, RandomNumberGenerator &rng, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:232
size_t signature_length() const
Definition: pubkey.cpp:277
std::vector< uint8_t > signature(RandomNumberGenerator &rng)
Definition: pubkey.cpp:293
void set_input_format(Signature_Format format)
Definition: pubkey.cpp:325
void update(uint8_t in)
Definition: pubkey.h:347
bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length)
Definition: pubkey.cpp:331
PK_Verifier(const Public_Key &pub_key, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:309
bool check_signature(const uint8_t sig[], size_t length)
Definition: pubkey.cpp:343
virtual std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:130
virtual std::unique_ptr< PK_Ops::Key_Agreement > create_key_agreement_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:138
virtual std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:114
virtual std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:122
virtual std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:91
virtual std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:99
virtual size_t message_part_size() const
Definition: pk_keys.h:123
virtual std::string algo_name() const =0
virtual size_t message_parts() const
Definition: pk_keys.h:112
virtual std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:107
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:143
Definition: alg_id.cpp:13
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:72
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:217
@ SEQUENCE
Definition: asn1_obj.h:42
Signature_Format
Definition: pk_keys.h:23
@ DER_SEQUENCE
Definition: pk_keys.h:23
@ IEEE_1363
Definition: pk_keys.h:23
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
Definition: bigint.h:1143
size_t salt_len
Definition: x509_obj.cpp:25