Botan  2.18.2
Crypto and TLS for C++11
pubkey.cpp
Go to the documentation of this file.
1 /*
2 * (C) 1999-2010,2015,2018 Jack Lloyd
3 *
4 * Botan is released under the Simplified BSD License (see license.txt)
5 */
6 
7 #include <botan/pubkey.h>
8 #include <botan/der_enc.h>
9 #include <botan/ber_dec.h>
10 #include <botan/bigint.h>
11 #include <botan/pk_ops.h>
12 #include <botan/internal/ct_utils.h>
13 #include <botan/rng.h>
14 
15 namespace Botan {
16 
17 secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
18  {
19  uint8_t valid_mask = 0;
20 
21  secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
22 
23  if(valid_mask == 0)
24  throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
25 
26  return decoded;
27  }
28 
31  size_t length,
32  size_t expected_pt_len,
34  const uint8_t required_content_bytes[],
35  const uint8_t required_content_offsets[],
36  size_t required_contents_length) const
37  {
38  const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
39 
40  uint8_t decrypt_valid = 0;
41  secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
42 
43  auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
44  valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
45 
46  decoded.resize(expected_pt_len);
47 
48  for(size_t i = 0; i != required_contents_length; ++i)
49  {
50  /*
51  These values are chosen by the application and for TLS are constants,
52  so this early failure via assert is fine since we know 0,1 < 48
53 
54  If there is a protocol that has content checks on the key where
55  the expected offsets are controllable by the attacker this could
56  still leak.
57 
58  Alternately could always reduce the offset modulo the length?
59  */
60 
61  const uint8_t exp = required_content_bytes[i];
62  const uint8_t off = required_content_offsets[i];
63 
64  BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
65 
66  auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
67 
68  valid_mask &= eq;
69  }
70 
71  // If valid_mask is false, assign fake pre master instead
72  valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
73 
74  return decoded;
75  }
76 
79  size_t length,
80  size_t expected_pt_len,
81  RandomNumberGenerator& rng) const
82  {
83  return decrypt_or_random(in, length, expected_pt_len, rng,
84  nullptr, nullptr, 0);
85  }
86 
89  const std::string& padding,
90  const std::string& provider)
91  {
92  m_op = key.create_encryption_op(rng, padding, provider);
93  if(!m_op)
94  throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
95  }
96 
97 PK_Encryptor_EME::~PK_Encryptor_EME() { /* for unique_ptr */ }
98 
99 size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
100  {
101  return m_op->ciphertext_length(ptext_len);
102  }
103 
104 std::vector<uint8_t>
105 PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
106  {
107  return unlock(m_op->encrypt(in, length, rng));
108  }
109 
111  {
112  return m_op->max_input_bits() / 8;
113  }
114 
117  const std::string& padding,
118  const std::string& provider)
119  {
120  m_op = key.create_decryption_op(rng, padding, provider);
121  if(!m_op)
122  throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
123  }
124 
125 PK_Decryptor_EME::~PK_Decryptor_EME() { /* for unique_ptr */ }
126 
127 size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
128  {
129  return m_op->plaintext_length(ctext_len);
130  }
131 
132 secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
133  const uint8_t in[], size_t in_len) const
134  {
135  return m_op->decrypt(valid_mask, in, in_len);
136  }
137 
140  const std::string& param,
141  const std::string& provider)
142  {
143  m_op = key.create_kem_encryption_op(rng, param, provider);
144  if(!m_op)
145  throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
146  }
147 
148 PK_KEM_Encryptor::~PK_KEM_Encryptor() { /* for unique_ptr */ }
149 
151  secure_vector<uint8_t>& out_shared_key,
152  size_t desired_shared_key_len,
154  const uint8_t salt[],
155  size_t salt_len)
156  {
157  m_op->kem_encrypt(out_encapsulated_key,
158  out_shared_key,
159  desired_shared_key_len,
160  rng,
161  salt,
162  salt_len);
163  }
164 
167  const std::string& param,
168  const std::string& provider)
169  {
170  m_op = key.create_kem_decryption_op(rng, param, provider);
171  if(!m_op)
172  throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
173  }
174 
175 PK_KEM_Decryptor::~PK_KEM_Decryptor() { /* for unique_ptr */ }
176 
178  size_t encap_key_len,
179  size_t desired_shared_key_len,
180  const uint8_t salt[],
181  size_t salt_len)
182  {
183  return m_op->kem_decrypt(encap_key, encap_key_len,
184  desired_shared_key_len,
185  salt, salt_len);
186  }
187 
190  const std::string& kdf,
191  const std::string& provider)
192  {
193  m_op = key.create_key_agreement_op(rng, kdf, provider);
194  if(!m_op)
195  throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
196  }
197 
198 PK_Key_Agreement::~PK_Key_Agreement() { /* for unique_ptr */ }
199 
201  {
202  if(this != &other)
203  {
204  m_op = std::move(other.m_op);
205  }
206  return (*this);
207  }
208 
210  m_op(std::move(other.m_op))
211  {}
212 
214  {
215  return m_op->agreed_value_size();
216  }
217 
219  const uint8_t in[], size_t in_len,
220  const uint8_t salt[],
221  size_t salt_len) const
222  {
223  return m_op->agree(key_len, in, in_len, salt, salt_len);
224  }
225 
226 static void check_der_format_supported(Signature_Format format, size_t parts)
227  {
228  if(format != IEEE_1363 && parts == 1)
229  throw Invalid_Argument("PK: This algorithm does not support DER encoding");
230  }
231 
234  const std::string& emsa,
235  Signature_Format format,
236  const std::string& provider)
237  {
238  m_op = key.create_signature_op(rng, emsa, provider);
239  if(!m_op)
240  throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
241  m_sig_format = format;
242  m_parts = key.message_parts();
243  m_part_size = key.message_part_size();
244  check_der_format_supported(format, m_parts);
245  }
246 
247 PK_Signer::~PK_Signer() { /* for unique_ptr */ }
248 
249 void PK_Signer::update(const uint8_t in[], size_t length)
250  {
251  m_op->update(in, length);
252  }
253 
254 namespace {
255 
256 std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
257  size_t parts,
258  size_t part_size)
259  {
260  if(sig.size() % parts != 0 || sig.size() != parts * part_size)
261  throw Encoding_Error("Unexpected size for DER signature");
262 
263  std::vector<BigInt> sig_parts(parts);
264  for(size_t i = 0; i != sig_parts.size(); ++i)
265  sig_parts[i].binary_decode(&sig[part_size*i], part_size);
266 
267  std::vector<uint8_t> output;
268  DER_Encoder(output)
270  .encode_list(sig_parts)
271  .end_cons();
272  return output;
273  }
274 
275 }
276 
278  {
279  if(m_sig_format == IEEE_1363)
280  {
281  return m_op->signature_length();
282  }
283  else if(m_sig_format == DER_SEQUENCE)
284  {
285  // This is a large over-estimate but its easier than computing
286  // the exact value
287  return m_op->signature_length() + (8 + 4*m_parts);
288  }
289  else
290  throw Internal_Error("PK_Signer: Invalid signature format enum");
291  }
292 
293 std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
294  {
295  const std::vector<uint8_t> sig = unlock(m_op->sign(rng));
296 
297  if(m_sig_format == IEEE_1363)
298  {
299  return sig;
300  }
301  else if(m_sig_format == DER_SEQUENCE)
302  {
303  return der_encode_signature(sig, m_parts, m_part_size);
304  }
305  else
306  throw Internal_Error("PK_Signer: Invalid signature format enum");
307  }
308 
310  const std::string& emsa,
311  Signature_Format format,
312  const std::string& provider)
313  {
314  m_op = key.create_verification_op(emsa, provider);
315  if(!m_op)
316  throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
317  m_sig_format = format;
318  m_parts = key.message_parts();
319  m_part_size = key.message_part_size();
320  check_der_format_supported(format, m_parts);
321  }
322 
323 PK_Verifier::~PK_Verifier() { /* for unique_ptr */ }
324 
326  {
327  check_der_format_supported(format, m_parts);
328  m_sig_format = format;
329  }
330 
331 bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
332  const uint8_t sig[], size_t sig_length)
333  {
334  update(msg, msg_length);
335  return check_signature(sig, sig_length);
336  }
337 
338 void PK_Verifier::update(const uint8_t in[], size_t length)
339  {
340  m_op->update(in, length);
341  }
342 
343 bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
344  {
345  try {
346  if(m_sig_format == IEEE_1363)
347  {
348  return m_op->is_valid_signature(sig, length);
349  }
350  else if(m_sig_format == DER_SEQUENCE)
351  {
352  std::vector<uint8_t> real_sig;
353  BER_Decoder decoder(sig, length);
354  BER_Decoder ber_sig = decoder.start_cons(SEQUENCE);
355 
356  BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);
357 
358  size_t count = 0;
359 
360  while(ber_sig.more_items())
361  {
362  BigInt sig_part;
363  ber_sig.decode(sig_part);
364  real_sig += BigInt::encode_1363(sig_part, m_part_size);
365  ++count;
366  }
367 
368  if(count != m_parts)
369  throw Decoding_Error("PK_Verifier: signature size invalid");
370 
371  const std::vector<uint8_t> reencoded =
372  der_encode_signature(real_sig, m_parts, m_part_size);
373 
374  if(reencoded.size() != length ||
375  same_mem(reencoded.data(), sig, reencoded.size()) == false)
376  {
377  throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
378  }
379 
380  return m_op->is_valid_signature(real_sig.data(), real_sig.size());
381  }
382  else
383  throw Internal_Error("PK_Verifier: Invalid signature format enum");
384  }
385  catch(Invalid_Argument&) { return false; }
386  }
387 
388 }
size_t signature_length() const
Definition: pubkey.cpp:277
DER_Encoder & encode_list(const std::vector< T > &values)
Definition: der_enc.h:128
PK_Signer(const Private_Key &key, RandomNumberGenerator &rng, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:232
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:143
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:217
bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length)
Definition: pubkey.cpp:331
virtual std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:130
PK_KEM_Encryptor(const Public_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:138
size_t plaintext_length(size_t ptext_len) const override
Definition: pubkey.cpp:127
secure_vector< uint8_t > decrypt(const uint8_t in[], size_t length) const
Definition: pubkey.cpp:17
PK_Key_Agreement(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kdf, const std::string &provider="")
Definition: pubkey.cpp:188
Signature_Format
Definition: pk_keys.h:23
Definition: bigint.h:1143
std::vector< uint8_t > signature(RandomNumberGenerator &rng)
Definition: pubkey.cpp:293
virtual std::string algo_name() const =0
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
virtual std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:122
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
virtual std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:99
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
void update(uint8_t in)
Definition: pubkey.h:347
virtual std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:114
PK_Decryptor_EME(const Private_Key &key, RandomNumberGenerator &rng, const std::string &eme, const std::string &provider="")
Definition: pubkey.cpp:115
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
secure_vector< uint8_t > decrypt_or_random(const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
Definition: pubkey.cpp:78
secure_vector< uint8_t > decrypt(const uint8_t encap_key[], size_t encap_key_len, size_t desired_shared_key_len, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:177
virtual size_t message_part_size() const
Definition: pk_keys.h:123
size_t maximum_input_size() const override
Definition: pubkey.cpp:110
void update(uint8_t in)
Definition: pubkey.h:238
PK_KEM_Decryptor(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:165
size_t salt_len
Definition: x509_obj.cpp:25
SymmetricKey derive_key(size_t key_len, const uint8_t in[], size_t in_len, const uint8_t params[], size_t params_len) const
Definition: pubkey.cpp:218
PK_Key_Agreement & operator=(PK_Key_Agreement &&)
Definition: pubkey.cpp:200
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
Definition: alg_id.cpp:13
size_t agreed_value_size() const
Definition: pubkey.cpp:213
void set_input_format(Signature_Format format)
Definition: pubkey.cpp:325
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:72
size_t ciphertext_length(size_t ptext_len) const override
Definition: pubkey.cpp:99
bool check_signature(const uint8_t sig[], size_t length)
Definition: pubkey.cpp:343
PK_Encryptor_EME(const Public_Key &key, RandomNumberGenerator &rng, const std::string &padding, const std::string &provider="")
Definition: pubkey.cpp:87
PK_Verifier(const Public_Key &pub_key, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:309
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
virtual std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:107
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
virtual std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:91
static Mask< T > is_zero(T x)
Definition: ct_utils.h:141
bool more_items() const
Definition: ber_dec.cpp:198
static Mask< T > is_equal(T x, T y)
Definition: ct_utils.h:149
virtual size_t message_parts() const
Definition: pk_keys.h:112
virtual std::unique_ptr< PK_Ops::Key_Agreement > create_key_agreement_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:138
void encrypt(secure_vector< uint8_t > &out_encapsulated_key, secure_vector< uint8_t > &out_shared_key, size_t desired_shared_key_len, Botan::RandomNumberGenerator &rng, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:150