Botan 3.0.0-alpha0
Crypto and TLS for C&
pubkey.cpp
Go to the documentation of this file.
1/*
2* (C) 1999-2010,2015,2018 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/pubkey.h>
8#include <botan/der_enc.h>
9#include <botan/ber_dec.h>
10#include <botan/bigint.h>
11#include <botan/internal/pk_ops.h>
12#include <botan/internal/ct_utils.h>
13#include <botan/rng.h>
14
15namespace Botan {
16
17secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
18 {
19 uint8_t valid_mask = 0;
20
21 secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
22
23 if(valid_mask == 0)
24 throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
25
26 return decoded;
27 }
28
31 size_t length,
32 size_t expected_pt_len,
34 const uint8_t required_content_bytes[],
35 const uint8_t required_content_offsets[],
36 size_t required_contents_length) const
37 {
38 const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
39
40 uint8_t decrypt_valid = 0;
41 secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
42
43 auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
44 valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
45
46 decoded.resize(expected_pt_len);
47
48 for(size_t i = 0; i != required_contents_length; ++i)
49 {
50 /*
51 These values are chosen by the application and for TLS are constants,
52 so this early failure via assert is fine since we know 0,1 < 48
53
54 If there is a protocol that has content checks on the key where
55 the expected offsets are controllable by the attacker this could
56 still leak.
57
58 Alternately could always reduce the offset modulo the length?
59 */
60
61 const uint8_t exp = required_content_bytes[i];
62 const uint8_t off = required_content_offsets[i];
63
64 BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
65
66 auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
67
68 valid_mask &= eq;
69 }
70
71 // If valid_mask is false, assign fake pre master instead
72 valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
73
74 return decoded;
75 }
76
79 size_t length,
80 size_t expected_pt_len,
81 RandomNumberGenerator& rng) const
82 {
83 return decrypt_or_random(in, length, expected_pt_len, rng,
84 nullptr, nullptr, 0);
85 }
86
89 const std::string& padding,
90 const std::string& provider)
91 {
92 m_op = key.create_encryption_op(rng, padding, provider);
93 if(!m_op)
94 throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
95 }
96
98
99size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
100 {
101 return m_op->ciphertext_length(ptext_len);
102 }
103
104std::vector<uint8_t>
105PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
106 {
107 return unlock(m_op->encrypt(in, length, rng));
108 }
109
111 {
112 return m_op->max_input_bits() / 8;
113 }
114
117 const std::string& padding,
118 const std::string& provider)
119 {
120 m_op = key.create_decryption_op(rng, padding, provider);
121 if(!m_op)
122 throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
123 }
124
126
127size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
128 {
129 return m_op->plaintext_length(ctext_len);
130 }
131
132secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
133 const uint8_t in[], size_t in_len) const
134 {
135 return m_op->decrypt(valid_mask, in, in_len);
136 }
137
140 const std::string& param,
141 const std::string& provider)
142 {
143 m_op = key.create_kem_encryption_op(rng, param, provider);
144 if(!m_op)
145 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
146 }
147
149
151 secure_vector<uint8_t>& out_shared_key,
152 size_t desired_shared_key_len,
154 const uint8_t salt[],
155 size_t salt_len)
156 {
157 m_op->kem_encrypt(out_encapsulated_key,
158 out_shared_key,
159 desired_shared_key_len,
160 rng,
161 salt,
162 salt_len);
163 }
164
167 const std::string& param,
168 const std::string& provider)
169 {
170 m_op = key.create_kem_decryption_op(rng, param, provider);
171 if(!m_op)
172 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
173 }
174
176
178 size_t encap_key_len,
179 size_t desired_shared_key_len,
180 const uint8_t salt[],
181 size_t salt_len)
182 {
183 return m_op->kem_decrypt(encap_key, encap_key_len,
184 desired_shared_key_len,
185 salt, salt_len);
186 }
187
189
192 const std::string& kdf,
193 const std::string& provider)
194 {
195 m_op = key.create_key_agreement_op(rng, kdf, provider);
196 if(!m_op)
197 throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
198 }
199
201
203 {
204 return m_op->agreed_value_size();
205 }
206
208 const uint8_t in[], size_t in_len,
209 const uint8_t salt[],
210 size_t salt_len) const
211 {
212 return m_op->agree(key_len, in, in_len, salt, salt_len);
213 }
214
215static void check_der_format_supported(Signature_Format format, size_t parts)
216 {
217 if(format != IEEE_1363 && parts == 1)
218 throw Invalid_Argument("PK: This algorithm does not support DER encoding");
219 }
220
223 const std::string& emsa,
224 Signature_Format format,
225 const std::string& provider)
226 {
227 m_op = key.create_signature_op(rng, emsa, provider);
228 if(!m_op)
229 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
230 m_sig_format = format;
231 m_parts = key.message_parts();
232 m_part_size = key.message_part_size();
233 check_der_format_supported(format, m_parts);
234 }
235
236PK_Signer::~PK_Signer() = default;
237
238void PK_Signer::update(const uint8_t in[], size_t length)
239 {
240 m_op->update(in, length);
241 }
242
243namespace {
244
245std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
246 size_t parts,
247 size_t part_size)
248 {
249 if(sig.size() % parts != 0 || sig.size() != parts * part_size)
250 throw Encoding_Error("Unexpected size for DER signature");
251
252 std::vector<BigInt> sig_parts(parts);
253 for(size_t i = 0; i != sig_parts.size(); ++i)
254 sig_parts[i].binary_decode(&sig[part_size*i], part_size);
255
256 std::vector<uint8_t> output;
257 DER_Encoder(output)
259 .encode_list(sig_parts)
260 .end_cons();
261 return output;
262 }
263
264}
265
267 {
268 if(m_sig_format == IEEE_1363)
269 {
270 return m_op->signature_length();
271 }
272 else if(m_sig_format == DER_SEQUENCE)
273 {
274 // This is a large over-estimate but its easier than computing
275 // the exact value
276 return m_op->signature_length() + (8 + 4*m_parts);
277 }
278 else
279 throw Internal_Error("PK_Signer: Invalid signature format enum");
280 }
281
283 {
284 std::vector<uint8_t> sig = unlock(m_op->sign(rng));
285
286 if(m_sig_format == IEEE_1363)
287 {
288 return sig;
289 }
290 else if(m_sig_format == DER_SEQUENCE)
291 {
292 return der_encode_signature(sig, m_parts, m_part_size);
293 }
294 else
295 throw Internal_Error("PK_Signer: Invalid signature format enum");
296 }
297
299 const std::string& emsa,
300 Signature_Format format,
301 const std::string& provider)
302 {
303 m_op = key.create_verification_op(emsa, provider);
304 if(!m_op)
305 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
306 m_sig_format = format;
307 m_parts = key.message_parts();
308 m_part_size = key.message_part_size();
309 check_der_format_supported(format, m_parts);
310 }
311
312PK_Verifier::~PK_Verifier() = default;
313
315 {
316 check_der_format_supported(format, m_parts);
317 m_sig_format = format;
318 }
319
320bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
321 const uint8_t sig[], size_t sig_length)
322 {
323 update(msg, msg_length);
324 return check_signature(sig, sig_length);
325 }
326
327void PK_Verifier::update(const uint8_t in[], size_t length)
328 {
329 m_op->update(in, length);
330 }
331
332bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
333 {
334 try {
335 if(m_sig_format == IEEE_1363)
336 {
337 return m_op->is_valid_signature(sig, length);
338 }
339 else if(m_sig_format == DER_SEQUENCE)
340 {
341 std::vector<uint8_t> real_sig;
342 BER_Decoder decoder(sig, length);
343 BER_Decoder ber_sig = decoder.start_sequence();
344
345 BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);
346
347 size_t count = 0;
348
349 while(ber_sig.more_items())
350 {
351 BigInt sig_part;
352 ber_sig.decode(sig_part);
353 real_sig += BigInt::encode_1363(sig_part, m_part_size);
354 ++count;
355 }
356
357 if(count != m_parts)
358 throw Decoding_Error("PK_Verifier: signature size invalid");
359
360 const std::vector<uint8_t> reencoded =
361 der_encode_signature(real_sig, m_parts, m_part_size);
362
363 if(reencoded.size() != length ||
364 same_mem(reencoded.data(), sig, reencoded.size()) == false)
365 {
366 throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
367 }
368
369 return m_op->is_valid_signature(real_sig.data(), real_sig.size());
370 }
371 else
372 throw Internal_Error("PK_Verifier: Invalid signature format enum");
373 }
374 catch(Invalid_Argument&) { return false; }
375 catch(Decoding_Error&) { return false; }
376 catch(Encoding_Error&) { return false; }
377 }
378
379}
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:67
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:54
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:187
bool more_items() const
Definition: ber_dec.cpp:200
BER_Decoder start_sequence()
Definition: ber_dec.h:111
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:106
static Mask< T > is_equal(T x, T y)
Definition: ct_utils.h:147
DER_Encoder & encode_list(const std::vector< T > &values)
Definition: der_enc.h:149
DER_Encoder & start_sequence()
Definition: der_enc.h:66
DER_Encoder & end_cons()
Definition: der_enc.cpp:194
size_t plaintext_length(size_t ptext_len) const override
Definition: pubkey.cpp:127
PK_Decryptor_EME(const Private_Key &key, RandomNumberGenerator &rng, const std::string &eme, const std::string &provider="")
Definition: pubkey.cpp:115
secure_vector< uint8_t > decrypt_or_random(const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
Definition: pubkey.cpp:78
secure_vector< uint8_t > decrypt(const uint8_t in[], size_t length) const
Definition: pubkey.cpp:17
PK_Encryptor_EME(const Public_Key &key, RandomNumberGenerator &rng, const std::string &padding, const std::string &provider="")
Definition: pubkey.cpp:87
size_t maximum_input_size() const override
Definition: pubkey.cpp:110
size_t ciphertext_length(size_t ptext_len) const override
Definition: pubkey.cpp:99
PK_KEM_Decryptor(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:165
secure_vector< uint8_t > decrypt(const uint8_t encap_key[], size_t encap_key_len, size_t desired_shared_key_len, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:177
PK_KEM_Encryptor(const Public_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:138
void encrypt(secure_vector< uint8_t > &out_encapsulated_key, secure_vector< uint8_t > &out_shared_key, size_t desired_shared_key_len, Botan::RandomNumberGenerator &rng, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:150
size_t agreed_value_size() const
Definition: pubkey.cpp:202
PK_Key_Agreement(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kdf, const std::string &provider="")
Definition: pubkey.cpp:190
SymmetricKey derive_key(size_t key_len, const uint8_t in[], size_t in_len, const uint8_t params[], size_t params_len) const
Definition: pubkey.cpp:207
void update(uint8_t in)
Definition: pubkey.h:222
PK_Signer(const Private_Key &key, RandomNumberGenerator &rng, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:221
size_t signature_length() const
Definition: pubkey.cpp:266
std::vector< uint8_t > signature(RandomNumberGenerator &rng)
Definition: pubkey.cpp:282
void set_input_format(Signature_Format format)
Definition: pubkey.cpp:314
void update(uint8_t in)
Definition: pubkey.h:333
bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length)
Definition: pubkey.cpp:320
PK_Verifier(const Public_Key &pub_key, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:298
bool check_signature(const uint8_t sig[], size_t length)
Definition: pubkey.cpp:332
virtual std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:130
virtual std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:114
virtual std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:122
virtual std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:91
virtual std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:99
virtual size_t message_part_size() const
Definition: pk_keys.h:123
virtual std::string algo_name() const =0
virtual size_t message_parts() const
Definition: pk_keys.h:112
virtual std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:107
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:167
Definition: alg_id.cpp:13
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:72
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:210
Signature_Format
Definition: pk_keys.h:23
@ DER_SEQUENCE
Definition: pk_keys.h:23
@ IEEE_1363
Definition: pk_keys.h:23
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
Definition: bigint.h:1077
size_t salt_len
Definition: x509_obj.cpp:25