Botan 3.0.0-alpha0
Crypto and TLS for C&
pubkey.cpp
Go to the documentation of this file.
1/*
2* (C) 1999-2010,2015,2018 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/pubkey.h>
8#include <botan/der_enc.h>
9#include <botan/ber_dec.h>
10#include <botan/bigint.h>
11#include <botan/internal/pk_ops.h>
12#include <botan/internal/ct_utils.h>
13#include <botan/rng.h>
14
15namespace Botan {
16
17secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
18 {
19 uint8_t valid_mask = 0;
20
21 secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
22
23 if(valid_mask == 0)
24 throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
25
26 return decoded;
27 }
28
29secure_vector<uint8_t>
30PK_Decryptor::decrypt_or_random(const uint8_t in[],
31 size_t length,
32 size_t expected_pt_len,
33 RandomNumberGenerator& rng,
34 const uint8_t required_content_bytes[],
35 const uint8_t required_content_offsets[],
36 size_t required_contents_length) const
37 {
38 const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
39
40 uint8_t decrypt_valid = 0;
41 secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
42
43 auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
44 valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
45
46 decoded.resize(expected_pt_len);
47
48 for(size_t i = 0; i != required_contents_length; ++i)
49 {
50 /*
51 These values are chosen by the application and for TLS are constants,
52 so this early failure via assert is fine since we know 0,1 < 48
53
54 If there is a protocol that has content checks on the key where
55 the expected offsets are controllable by the attacker this could
56 still leak.
57
58 Alternately could always reduce the offset modulo the length?
59 */
60
61 const uint8_t exp = required_content_bytes[i];
62 const uint8_t off = required_content_offsets[i];
63
64 BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
65
66 auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
67
68 valid_mask &= eq;
69 }
70
71 // If valid_mask is false, assign fake pre master instead
72 valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
73
74 return decoded;
75 }
76
77secure_vector<uint8_t>
78PK_Decryptor::decrypt_or_random(const uint8_t in[],
79 size_t length,
80 size_t expected_pt_len,
81 RandomNumberGenerator& rng) const
82 {
83 return decrypt_or_random(in, length, expected_pt_len, rng,
84 nullptr, nullptr, 0);
85 }
86
87PK_Encryptor_EME::PK_Encryptor_EME(const Public_Key& key,
88 RandomNumberGenerator& rng,
89 const std::string& padding,
90 const std::string& provider)
91 {
92 m_op = key.create_encryption_op(rng, padding, provider);
93 if(!m_op)
94 throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
95 }
96
97PK_Encryptor_EME::~PK_Encryptor_EME() = default;
98
99size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
100 {
101 return m_op->ciphertext_length(ptext_len);
102 }
103
104std::vector<uint8_t>
105PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
106 {
107 return unlock(m_op->encrypt(in, length, rng));
108 }
109
110size_t PK_Encryptor_EME::maximum_input_size() const
111 {
112 return m_op->max_input_bits() / 8;
113 }
114
115PK_Decryptor_EME::PK_Decryptor_EME(const Private_Key& key,
116 RandomNumberGenerator& rng,
117 const std::string& padding,
118 const std::string& provider)
119 {
120 m_op = key.create_decryption_op(rng, padding, provider);
121 if(!m_op)
122 throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
123 }
124
125PK_Decryptor_EME::~PK_Decryptor_EME() = default;
126
127size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
128 {
129 return m_op->plaintext_length(ctext_len);
130 }
131
132secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
133 const uint8_t in[], size_t in_len) const
134 {
135 return m_op->decrypt(valid_mask, in, in_len);
136 }
137
138PK_KEM_Encryptor::PK_KEM_Encryptor(const Public_Key& key,
139 RandomNumberGenerator& rng,
140 const std::string& param,
141 const std::string& provider)
142 {
143 m_op = key.create_kem_encryption_op(rng, param, provider);
144 if(!m_op)
145 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
146 }
147
148PK_KEM_Encryptor::~PK_KEM_Encryptor() = default;
149
150void PK_KEM_Encryptor::encrypt(secure_vector<uint8_t>& out_encapsulated_key,
151 secure_vector<uint8_t>& out_shared_key,
152 size_t desired_shared_key_len,
153 Botan::RandomNumberGenerator& rng,
154 const uint8_t salt[],
155 size_t salt_len)
156 {
157 m_op->kem_encrypt(out_encapsulated_key,
158 out_shared_key,
159 desired_shared_key_len,
160 rng,
161 salt,
162 salt_len);
163 }
164
165PK_KEM_Decryptor::PK_KEM_Decryptor(const Private_Key& key,
166 RandomNumberGenerator& rng,
167 const std::string& param,
168 const std::string& provider)
169 {
170 m_op = key.create_kem_decryption_op(rng, param, provider);
171 if(!m_op)
172 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
173 }
174
175PK_KEM_Decryptor::~PK_KEM_Decryptor() = default;
176
177secure_vector<uint8_t> PK_KEM_Decryptor::decrypt(const uint8_t encap_key[],
178 size_t encap_key_len,
179 size_t desired_shared_key_len,
180 const uint8_t salt[],
181 size_t salt_len)
182 {
183 return m_op->kem_decrypt(encap_key, encap_key_len,
184 desired_shared_key_len,
185 salt, salt_len);
186 }
187
188PK_Key_Agreement::PK_Key_Agreement(PK_Key_Agreement&&) noexcept = default;
189
190PK_Key_Agreement::PK_Key_Agreement(const Private_Key& key,
191 RandomNumberGenerator& rng,
192 const std::string& kdf,
193 const std::string& provider)
194 {
195 m_op = key.create_key_agreement_op(rng, kdf, provider);
196 if(!m_op)
197 throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
198 }
199
200PK_Key_Agreement::~PK_Key_Agreement() = default;
201
202size_t PK_Key_Agreement::agreed_value_size() const
203 {
204 return m_op->agreed_value_size();
205 }
206
207SymmetricKey PK_Key_Agreement::derive_key(size_t key_len,
208 const uint8_t in[], size_t in_len,
209 const uint8_t salt[],
210 size_t salt_len) const
211 {
212 return m_op->agree(key_len, in, in_len, salt, salt_len);
213 }
214
215static void check_der_format_supported(Signature_Format format, size_t parts)
216 {
217 if(format != IEEE_1363 && parts == 1)
218 throw Invalid_Argument("PK: This algorithm does not support DER encoding");
219 }
220
221PK_Signer::PK_Signer(const Private_Key& key,
222 RandomNumberGenerator& rng,
223 const std::string& emsa,
224 Signature_Format format,
225 const std::string& provider)
226 {
227 m_op = key.create_signature_op(rng, emsa, provider);
228 if(!m_op)
229 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
230 m_sig_format = format;
231 m_parts = key.message_parts();
232 m_part_size = key.message_part_size();
233 check_der_format_supported(format, m_parts);
234 }
235
236PK_Signer::~PK_Signer() = default;
237
238void PK_Signer::update(const uint8_t in[], size_t length)
239 {
240 m_op->update(in, length);
241 }
242
243namespace {
244
245std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
246 size_t parts,
247 size_t part_size)
248 {
249 if(sig.size() % parts != 0 || sig.size() != parts * part_size)
250 throw Encoding_Error("Unexpected size for DER signature");
251
252 std::vector<BigInt> sig_parts(parts);
253 for(size_t i = 0; i != sig_parts.size(); ++i)
254 sig_parts[i].binary_decode(&sig[part_size*i], part_size);
255
256 std::vector<uint8_t> output;
257 DER_Encoder(output)
258 .start_sequence()
259 .encode_list(sig_parts)
260 .end_cons();
261 return output;
262 }
263
264}
265
266size_t PK_Signer::signature_length() const
267 {
268 if(m_sig_format == IEEE_1363)
269 {
270 return m_op->signature_length();
271 }
272 else if(m_sig_format == DER_SEQUENCE)
273 {
274 // This is a large over-estimate but its easier than computing
275 // the exact value
276 return m_op->signature_length() + (8 + 4*m_parts);
277 }
278 else
279 throw Internal_Error("PK_Signer: Invalid signature format enum");
280 }
281
282std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
283 {
284 std::vector<uint8_t> sig = unlock(m_op->sign(rng));
285
286 if(m_sig_format == IEEE_1363)
287 {
288 return sig;
289 }
290 else if(m_sig_format == DER_SEQUENCE)
291 {
292 return der_encode_signature(sig, m_parts, m_part_size);
293 }
294 else
295 throw Internal_Error("PK_Signer: Invalid signature format enum");
296 }
297
298PK_Verifier::PK_Verifier(const Public_Key& key,
299 const std::string& emsa,
300 Signature_Format format,
301 const std::string& provider)
302 {
303 m_op = key.create_verification_op(emsa, provider);
304 if(!m_op)
305 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
306 m_sig_format = format;
307 m_parts = key.message_parts();
308 m_part_size = key.message_part_size();
309 check_der_format_supported(format, m_parts);
310 }
311
312PK_Verifier::~PK_Verifier() = default;
313
314void PK_Verifier::set_input_format(Signature_Format format)
315 {
316 check_der_format_supported(format, m_parts);
317 m_sig_format = format;
318 }
319
320bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
321 const uint8_t sig[], size_t sig_length)
322 {
323 update(msg, msg_length);
324 return check_signature(sig, sig_length);
325 }
326
327void PK_Verifier::update(const uint8_t in[], size_t length)
328 {
329 m_op->update(in, length);
330 }
331
332bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
333 {
334 try {
335 if(m_sig_format == IEEE_1363)
336 {
337 return m_op->is_valid_signature(sig, length);
338 }
339 else if(m_sig_format == DER_SEQUENCE)
340 {
341 std::vector<uint8_t> real_sig;
342 BER_Decoder decoder(sig, length);
343 BER_Decoder ber_sig = decoder.start_sequence();
344
345 BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);
346
347 size_t count = 0;
348
349 while(ber_sig.more_items())
350 {
351 BigInt sig_part;
352 ber_sig.decode(sig_part);
353 real_sig += BigInt::encode_1363(sig_part, m_part_size);
354 ++count;
355 }
356
357 if(count != m_parts)
358 throw Decoding_Error("PK_Verifier: signature size invalid");
359
360 const std::vector<uint8_t> reencoded =
361 der_encode_signature(real_sig, m_parts, m_part_size);
362
363 if(reencoded.size() != length ||
364 same_mem(reencoded.data(), sig, reencoded.size()) == false)
365 {
366 throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
367 }
368
369 return m_op->is_valid_signature(real_sig.data(), real_sig.size());
370 }
371 else
372 throw Internal_Error("PK_Verifier: Invalid signature format enum");
373 }
374 catch(Invalid_Argument&) { return false; }
375 catch(Decoding_Error&) { return false; }
376 catch(Encoding_Error&) { return false; }
377 }
378
379}
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:67
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:54
Botan::BER_Decoder
Definition: ber_dec.h:22
Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:187
Botan::BER_Decoder::more_items
bool more_items() const
Definition: ber_dec.cpp:200
Botan::BER_Decoder::start_sequence
BER_Decoder start_sequence()
Definition: ber_dec.h:111
Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:106
Botan::CT::Mask::is_equal
static Mask< T > is_equal(T x, T y)
Definition: ct_utils.h:147
Botan::DER_Encoder
Definition: der_enc.h:23
Botan::DER_Encoder::encode_list
DER_Encoder & encode_list(const std::vector< T > &values)
Definition: der_enc.h:149
Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition: der_enc.h:66
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition: der_enc.cpp:194
Botan::Decoding_Error
Definition: exceptn.h:188
Botan::Encoding_Error
Definition: exceptn.h:177
Botan::Internal_Error
Definition: exceptn.h:330
Botan::Invalid_Argument
Definition: exceptn.h:133
Botan::PK_Decryptor_EME::~PK_Decryptor_EME
~PK_Decryptor_EME()
Botan::PK_Decryptor_EME::plaintext_length
size_t plaintext_length(size_t ptext_len) const override
Definition: pubkey.cpp:127
Botan::PK_Decryptor_EME::PK_Decryptor_EME
PK_Decryptor_EME(const Private_Key &key, RandomNumberGenerator &rng, const std::string &eme, const std::string &provider="")
Definition: pubkey.cpp:115
Botan::PK_Decryptor::decrypt_or_random
secure_vector< uint8_t > decrypt_or_random(const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
Definition: pubkey.cpp:78
Botan::PK_Decryptor::decrypt
secure_vector< uint8_t > decrypt(const uint8_t in[], size_t length) const
Definition: pubkey.cpp:17
Botan::PK_Encryptor_EME::PK_Encryptor_EME
PK_Encryptor_EME(const Public_Key &key, RandomNumberGenerator &rng, const std::string &padding, const std::string &provider="")
Definition: pubkey.cpp:87
Botan::PK_Encryptor_EME::~PK_Encryptor_EME
~PK_Encryptor_EME()
Botan::PK_Encryptor_EME::maximum_input_size
size_t maximum_input_size() const override
Definition: pubkey.cpp:110
Botan::PK_Encryptor_EME::ciphertext_length
size_t ciphertext_length(size_t ptext_len) const override
Definition: pubkey.cpp:99
Botan::PK_KEM_Decryptor::PK_KEM_Decryptor
PK_KEM_Decryptor(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:165
Botan::PK_KEM_Decryptor::decrypt
secure_vector< uint8_t > decrypt(const uint8_t encap_key[], size_t encap_key_len, size_t desired_shared_key_len, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:177
Botan::PK_KEM_Decryptor::~PK_KEM_Decryptor
~PK_KEM_Decryptor()
Botan::PK_KEM_Encryptor::PK_KEM_Encryptor
PK_KEM_Encryptor(const Public_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:138
Botan::PK_KEM_Encryptor::encrypt
void encrypt(secure_vector< uint8_t > &out_encapsulated_key, secure_vector< uint8_t > &out_shared_key, size_t desired_shared_key_len, Botan::RandomNumberGenerator &rng, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:150
Botan::PK_KEM_Encryptor::~PK_KEM_Encryptor
~PK_KEM_Encryptor()
Botan::PK_Key_Agreement
Definition: pubkey.h:400
Botan::PK_Key_Agreement::agreed_value_size
size_t agreed_value_size() const
Definition: pubkey.cpp:202
Botan::PK_Key_Agreement::PK_Key_Agreement
PK_Key_Agreement(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kdf, const std::string &provider="")
Definition: pubkey.cpp:190
Botan::PK_Key_Agreement::~PK_Key_Agreement
~PK_Key_Agreement()
Botan::PK_Key_Agreement::derive_key
SymmetricKey derive_key(size_t key_len, const uint8_t in[], size_t in_len, const uint8_t params[], size_t params_len) const
Definition: pubkey.cpp:207
Botan::PK_Signer::update
void update(uint8_t in)
Definition: pubkey.h:222
Botan::PK_Signer::PK_Signer
PK_Signer(const Private_Key &key, RandomNumberGenerator &rng, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:221
Botan::PK_Signer::signature_length
size_t signature_length() const
Definition: pubkey.cpp:266
Botan::PK_Signer::~PK_Signer
~PK_Signer()
Botan::PK_Signer::signature
std::vector< uint8_t > signature(RandomNumberGenerator &rng)
Definition: pubkey.cpp:282
Botan::PK_Verifier::set_input_format
void set_input_format(Signature_Format format)
Definition: pubkey.cpp:314
Botan::PK_Verifier::update
void update(uint8_t in)
Definition: pubkey.h:333
Botan::PK_Verifier::~PK_Verifier
~PK_Verifier()
Botan::PK_Verifier::verify_message
bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length)
Definition: pubkey.cpp:320
Botan::PK_Verifier::PK_Verifier
PK_Verifier(const Public_Key &pub_key, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:298
Botan::PK_Verifier::check_signature
bool check_signature(const uint8_t sig[], size_t length)
Definition: pubkey.cpp:332
Botan::Private_Key
Definition: pk_keys.h:181
Botan::Private_Key::create_signature_op
virtual std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:130
Botan::Private_Key::create_decryption_op
virtual std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:114
Botan::Private_Key::create_kem_decryption_op
virtual std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:122
Botan::Public_Key
Definition: pk_keys.h:29
Botan::Public_Key::create_encryption_op
virtual std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:91
Botan::Public_Key::create_kem_encryption_op
virtual std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:99
Botan::Public_Key::message_part_size
virtual size_t message_part_size() const
Definition: pk_keys.h:123
Botan::Public_Key::algo_name
virtual std::string algo_name() const =0
Botan::Public_Key::message_parts
virtual size_t message_parts() const
Definition: pk_keys.h:112
Botan::Public_Key::create_verification_op
virtual std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:107
Botan::RandomNumberGenerator::random_vec
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:167
Botan
Definition: alg_id.cpp:13
Botan::unlock
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:72
Botan::same_mem
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:210
Botan::Signature_Format
Signature_Format
Definition: pk_keys.h:23
Botan::DER_SEQUENCE
@ DER_SEQUENCE
Definition: pk_keys.h:23
Botan::IEEE_1363
@ IEEE_1363
Definition: pk_keys.h:23
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
std
Definition: bigint.h:1077
salt_len
size_t salt_len
Definition: x509_obj.cpp:25
Generated by doxygen 1.9.3