Botan 2.19.1
Crypto and TLS for C&
pubkey.cpp
Go to the documentation of this file.
1/*
2* (C) 1999-2010,2015,2018 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/pubkey.h>
8#include <botan/der_enc.h>
9#include <botan/ber_dec.h>
10#include <botan/bigint.h>
11#include <botan/pk_ops.h>
12#include <botan/internal/ct_utils.h>
13#include <botan/rng.h>
14
15namespace Botan {
16
17secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
18 {
19 uint8_t valid_mask = 0;
20
21 secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
22
23 if(valid_mask == 0)
24 throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
25
26 return decoded;
27 }
28
29secure_vector<uint8_t>
30PK_Decryptor::decrypt_or_random(const uint8_t in[],
31 size_t length,
32 size_t expected_pt_len,
33 RandomNumberGenerator& rng,
34 const uint8_t required_content_bytes[],
35 const uint8_t required_content_offsets[],
36 size_t required_contents_length) const
37 {
38 const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
39
40 uint8_t decrypt_valid = 0;
41 secure_vector<uint8_t> decoded = do_decrypt(decrypt_valid, in, length);
42
43 auto valid_mask = CT::Mask<uint8_t>::is_equal(decrypt_valid, 0xFF);
44 valid_mask &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_zero(decoded.size() ^ expected_pt_len));
45
46 decoded.resize(expected_pt_len);
47
48 for(size_t i = 0; i != required_contents_length; ++i)
49 {
50 /*
51 These values are chosen by the application and for TLS are constants,
52 so this early failure via assert is fine since we know 0,1 < 48
53
54 If there is a protocol that has content checks on the key where
55 the expected offsets are controllable by the attacker this could
56 still leak.
57
58 Alternately could always reduce the offset modulo the length?
59 */
60
61 const uint8_t exp = required_content_bytes[i];
62 const uint8_t off = required_content_offsets[i];
63
64 BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
65
66 auto eq = CT::Mask<uint8_t>::is_equal(decoded[off], exp);
67
68 valid_mask &= eq;
69 }
70
71 // If valid_mask is false, assign fake pre master instead
72 valid_mask.select_n(decoded.data(), decoded.data(), fake_pms.data(), expected_pt_len);
73
74 return decoded;
75 }
76
77secure_vector<uint8_t>
78PK_Decryptor::decrypt_or_random(const uint8_t in[],
79 size_t length,
80 size_t expected_pt_len,
81 RandomNumberGenerator& rng) const
82 {
83 return decrypt_or_random(in, length, expected_pt_len, rng,
84 nullptr, nullptr, 0);
85 }
86
87PK_Encryptor_EME::PK_Encryptor_EME(const Public_Key& key,
88 RandomNumberGenerator& rng,
89 const std::string& padding,
90 const std::string& provider)
91 {
92 m_op = key.create_encryption_op(rng, padding, provider);
93 if(!m_op)
94 throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
95 }
96
97PK_Encryptor_EME::~PK_Encryptor_EME() { /* for unique_ptr */ }
98
99size_t PK_Encryptor_EME::ciphertext_length(size_t ptext_len) const
100 {
101 return m_op->ciphertext_length(ptext_len);
102 }
103
104std::vector<uint8_t>
105PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
106 {
107 return unlock(m_op->encrypt(in, length, rng));
108 }
109
110size_t PK_Encryptor_EME::maximum_input_size() const
111 {
112 return m_op->max_input_bits() / 8;
113 }
114
115PK_Decryptor_EME::PK_Decryptor_EME(const Private_Key& key,
116 RandomNumberGenerator& rng,
117 const std::string& padding,
118 const std::string& provider)
119 {
120 m_op = key.create_decryption_op(rng, padding, provider);
121 if(!m_op)
122 throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
123 }
124
125PK_Decryptor_EME::~PK_Decryptor_EME() { /* for unique_ptr */ }
126
127size_t PK_Decryptor_EME::plaintext_length(size_t ctext_len) const
128 {
129 return m_op->plaintext_length(ctext_len);
130 }
131
132secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
133 const uint8_t in[], size_t in_len) const
134 {
135 return m_op->decrypt(valid_mask, in, in_len);
136 }
137
138PK_KEM_Encryptor::PK_KEM_Encryptor(const Public_Key& key,
139 RandomNumberGenerator& rng,
140 const std::string& param,
141 const std::string& provider)
142 {
143 m_op = key.create_kem_encryption_op(rng, param, provider);
144 if(!m_op)
145 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
146 }
147
148PK_KEM_Encryptor::~PK_KEM_Encryptor() { /* for unique_ptr */ }
149
150void PK_KEM_Encryptor::encrypt(secure_vector<uint8_t>& out_encapsulated_key,
151 secure_vector<uint8_t>& out_shared_key,
152 size_t desired_shared_key_len,
153 Botan::RandomNumberGenerator& rng,
154 const uint8_t salt[],
155 size_t salt_len)
156 {
157 m_op->kem_encrypt(out_encapsulated_key,
158 out_shared_key,
159 desired_shared_key_len,
160 rng,
161 salt,
162 salt_len);
163 }
164
165PK_KEM_Decryptor::PK_KEM_Decryptor(const Private_Key& key,
166 RandomNumberGenerator& rng,
167 const std::string& param,
168 const std::string& provider)
169 {
170 m_op = key.create_kem_decryption_op(rng, param, provider);
171 if(!m_op)
172 throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
173 }
174
175PK_KEM_Decryptor::~PK_KEM_Decryptor() { /* for unique_ptr */ }
176
177secure_vector<uint8_t> PK_KEM_Decryptor::decrypt(const uint8_t encap_key[],
178 size_t encap_key_len,
179 size_t desired_shared_key_len,
180 const uint8_t salt[],
181 size_t salt_len)
182 {
183 return m_op->kem_decrypt(encap_key, encap_key_len,
184 desired_shared_key_len,
185 salt, salt_len);
186 }
187
188PK_Key_Agreement::PK_Key_Agreement(const Private_Key& key,
189 RandomNumberGenerator& rng,
190 const std::string& kdf,
191 const std::string& provider)
192 {
193 m_op = key.create_key_agreement_op(rng, kdf, provider);
194 if(!m_op)
195 throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
196 }
197
198PK_Key_Agreement::~PK_Key_Agreement() { /* for unique_ptr */ }
199
200PK_Key_Agreement& PK_Key_Agreement::operator=(PK_Key_Agreement&& other)
201 {
202 if(this != &other)
203 {
204 m_op = std::move(other.m_op);
205 }
206 return (*this);
207 }
208
209PK_Key_Agreement::PK_Key_Agreement(PK_Key_Agreement&& other) :
210 m_op(std::move(other.m_op))
211 {}
212
213size_t PK_Key_Agreement::agreed_value_size() const
214 {
215 return m_op->agreed_value_size();
216 }
217
218SymmetricKey PK_Key_Agreement::derive_key(size_t key_len,
219 const uint8_t in[], size_t in_len,
220 const uint8_t salt[],
221 size_t salt_len) const
222 {
223 return m_op->agree(key_len, in, in_len, salt, salt_len);
224 }
225
226static void check_der_format_supported(Signature_Format format, size_t parts)
227 {
228 if(format != IEEE_1363 && parts == 1)
229 throw Invalid_Argument("PK: This algorithm does not support DER encoding");
230 }
231
232PK_Signer::PK_Signer(const Private_Key& key,
233 RandomNumberGenerator& rng,
234 const std::string& emsa,
235 Signature_Format format,
236 const std::string& provider)
237 {
238 m_op = key.create_signature_op(rng, emsa, provider);
239 if(!m_op)
240 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
241 m_sig_format = format;
242 m_parts = key.message_parts();
243 m_part_size = key.message_part_size();
244 check_der_format_supported(format, m_parts);
245 }
246
247PK_Signer::~PK_Signer() { /* for unique_ptr */ }
248
249void PK_Signer::update(const uint8_t in[], size_t length)
250 {
251 m_op->update(in, length);
252 }
253
254namespace {
255
256std::vector<uint8_t> der_encode_signature(const std::vector<uint8_t>& sig,
257 size_t parts,
258 size_t part_size)
259 {
260 if(sig.size() % parts != 0 || sig.size() != parts * part_size)
261 throw Encoding_Error("Unexpected size for DER signature");
262
263 std::vector<BigInt> sig_parts(parts);
264 for(size_t i = 0; i != sig_parts.size(); ++i)
265 sig_parts[i].binary_decode(&sig[part_size*i], part_size);
266
267 std::vector<uint8_t> output;
268 DER_Encoder(output)
269 .start_cons(SEQUENCE)
270 .encode_list(sig_parts)
271 .end_cons();
272 return output;
273 }
274
275}
276
277size_t PK_Signer::signature_length() const
278 {
279 if(m_sig_format == IEEE_1363)
280 {
281 return m_op->signature_length();
282 }
283 else if(m_sig_format == DER_SEQUENCE)
284 {
285 // This is a large over-estimate but its easier than computing
286 // the exact value
287 return m_op->signature_length() + (8 + 4*m_parts);
288 }
289 else
290 throw Internal_Error("PK_Signer: Invalid signature format enum");
291 }
292
293std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
294 {
295 const std::vector<uint8_t> sig = unlock(m_op->sign(rng));
296
297 if(m_sig_format == IEEE_1363)
298 {
299 return sig;
300 }
301 else if(m_sig_format == DER_SEQUENCE)
302 {
303 return der_encode_signature(sig, m_parts, m_part_size);
304 }
305 else
306 throw Internal_Error("PK_Signer: Invalid signature format enum");
307 }
308
309PK_Verifier::PK_Verifier(const Public_Key& key,
310 const std::string& emsa,
311 Signature_Format format,
312 const std::string& provider)
313 {
314 m_op = key.create_verification_op(emsa, provider);
315 if(!m_op)
316 throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
317 m_sig_format = format;
318 m_parts = key.message_parts();
319 m_part_size = key.message_part_size();
320 check_der_format_supported(format, m_parts);
321 }
322
323PK_Verifier::~PK_Verifier() { /* for unique_ptr */ }
324
325void PK_Verifier::set_input_format(Signature_Format format)
326 {
327 check_der_format_supported(format, m_parts);
328 m_sig_format = format;
329 }
330
331bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
332 const uint8_t sig[], size_t sig_length)
333 {
334 update(msg, msg_length);
335 return check_signature(sig, sig_length);
336 }
337
338void PK_Verifier::update(const uint8_t in[], size_t length)
339 {
340 m_op->update(in, length);
341 }
342
343bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
344 {
345 try {
346 if(m_sig_format == IEEE_1363)
347 {
348 return m_op->is_valid_signature(sig, length);
349 }
350 else if(m_sig_format == DER_SEQUENCE)
351 {
352 std::vector<uint8_t> real_sig;
353 BER_Decoder decoder(sig, length);
354 BER_Decoder ber_sig = decoder.start_cons(SEQUENCE);
355
356 BOTAN_ASSERT_NOMSG(m_parts != 0 && m_part_size != 0);
357
358 size_t count = 0;
359
360 while(ber_sig.more_items())
361 {
362 BigInt sig_part;
363 ber_sig.decode(sig_part);
364 real_sig += BigInt::encode_1363(sig_part, m_part_size);
365 ++count;
366 }
367
368 if(count != m_parts)
369 throw Decoding_Error("PK_Verifier: signature size invalid");
370
371 const std::vector<uint8_t> reencoded =
372 der_encode_signature(real_sig, m_parts, m_part_size);
373
374 if(reencoded.size() != length ||
375 same_mem(reencoded.data(), sig, reencoded.size()) == false)
376 {
377 throw Decoding_Error("PK_Verifier: signature is not the canonical DER encoding");
378 }
379
380 return m_op->is_valid_signature(real_sig.data(), real_sig.size());
381 }
382 else
383 throw Internal_Error("PK_Verifier: Invalid signature format enum");
384 }
385 catch(Invalid_Argument&) { return false; }
386 }
387
388}
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
Botan::BER_Decoder
Definition: ber_dec.h:22
Botan::BER_Decoder::start_cons
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
Botan::BER_Decoder::more_items
bool more_items() const
Definition: ber_dec.cpp:198
Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
Botan::CT::Mask::is_equal
static Mask< T > is_equal(T x, T y)
Definition: ct_utils.h:149
Botan::DER_Encoder
Definition: der_enc.h:23
Botan::DER_Encoder::encode_list
DER_Encoder & encode_list(const std::vector< T > &values)
Definition: der_enc.h:128
Botan::DER_Encoder::start_cons
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
Botan::Decoding_Error
Definition: exceptn.h:200
Botan::Encoding_Error
Definition: exceptn.h:185
Botan::Internal_Error
Definition: exceptn.h:342
Botan::Invalid_Argument
Definition: exceptn.h:137
Botan::PK_Decryptor_EME::~PK_Decryptor_EME
~PK_Decryptor_EME()
Definition: pubkey.cpp:125
Botan::PK_Decryptor_EME::plaintext_length
size_t plaintext_length(size_t ptext_len) const override
Definition: pubkey.cpp:127
Botan::PK_Decryptor_EME::PK_Decryptor_EME
PK_Decryptor_EME(const Private_Key &key, RandomNumberGenerator &rng, const std::string &eme, const std::string &provider="")
Definition: pubkey.cpp:115
Botan::PK_Decryptor::decrypt_or_random
secure_vector< uint8_t > decrypt_or_random(const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
Definition: pubkey.cpp:78
Botan::PK_Decryptor::decrypt
secure_vector< uint8_t > decrypt(const uint8_t in[], size_t length) const
Definition: pubkey.cpp:17
Botan::PK_Encryptor_EME::PK_Encryptor_EME
PK_Encryptor_EME(const Public_Key &key, RandomNumberGenerator &rng, const std::string &padding, const std::string &provider="")
Definition: pubkey.cpp:87
Botan::PK_Encryptor_EME::~PK_Encryptor_EME
~PK_Encryptor_EME()
Definition: pubkey.cpp:97
Botan::PK_Encryptor_EME::maximum_input_size
size_t maximum_input_size() const override
Definition: pubkey.cpp:110
Botan::PK_Encryptor_EME::ciphertext_length
size_t ciphertext_length(size_t ptext_len) const override
Definition: pubkey.cpp:99
Botan::PK_KEM_Decryptor::PK_KEM_Decryptor
PK_KEM_Decryptor(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:165
Botan::PK_KEM_Decryptor::decrypt
secure_vector< uint8_t > decrypt(const uint8_t encap_key[], size_t encap_key_len, size_t desired_shared_key_len, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:177
Botan::PK_KEM_Decryptor::~PK_KEM_Decryptor
~PK_KEM_Decryptor()
Definition: pubkey.cpp:175
Botan::PK_KEM_Encryptor::PK_KEM_Encryptor
PK_KEM_Encryptor(const Public_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:138
Botan::PK_KEM_Encryptor::encrypt
void encrypt(secure_vector< uint8_t > &out_encapsulated_key, secure_vector< uint8_t > &out_shared_key, size_t desired_shared_key_len, Botan::RandomNumberGenerator &rng, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:150
Botan::PK_KEM_Encryptor::~PK_KEM_Encryptor
~PK_KEM_Encryptor()
Definition: pubkey.cpp:148
Botan::PK_Key_Agreement
Definition: pubkey.h:414
Botan::PK_Key_Agreement::operator=
PK_Key_Agreement & operator=(PK_Key_Agreement &&)
Definition: pubkey.cpp:200
Botan::PK_Key_Agreement::agreed_value_size
size_t agreed_value_size() const
Definition: pubkey.cpp:213
Botan::PK_Key_Agreement::PK_Key_Agreement
PK_Key_Agreement(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kdf, const std::string &provider="")
Definition: pubkey.cpp:188
Botan::PK_Key_Agreement::~PK_Key_Agreement
~PK_Key_Agreement()
Definition: pubkey.cpp:198
Botan::PK_Key_Agreement::derive_key
SymmetricKey derive_key(size_t key_len, const uint8_t in[], size_t in_len, const uint8_t params[], size_t params_len) const
Definition: pubkey.cpp:218
Botan::PK_Signer::update
void update(uint8_t in)
Definition: pubkey.h:238
Botan::PK_Signer::PK_Signer
PK_Signer(const Private_Key &key, RandomNumberGenerator &rng, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:232
Botan::PK_Signer::signature_length
size_t signature_length() const
Definition: pubkey.cpp:277
Botan::PK_Signer::~PK_Signer
~PK_Signer()
Definition: pubkey.cpp:247
Botan::PK_Signer::signature
std::vector< uint8_t > signature(RandomNumberGenerator &rng)
Definition: pubkey.cpp:293
Botan::PK_Verifier::set_input_format
void set_input_format(Signature_Format format)
Definition: pubkey.cpp:325
Botan::PK_Verifier::update
void update(uint8_t in)
Definition: pubkey.h:347
Botan::PK_Verifier::~PK_Verifier
~PK_Verifier()
Definition: pubkey.cpp:323
Botan::PK_Verifier::verify_message
bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length)
Definition: pubkey.cpp:331
Botan::PK_Verifier::PK_Verifier
PK_Verifier(const Public_Key &pub_key, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:309
Botan::PK_Verifier::check_signature
bool check_signature(const uint8_t sig[], size_t length)
Definition: pubkey.cpp:343
Botan::Private_Key
Definition: pk_keys.h:181
Botan::Private_Key::create_signature_op
virtual std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:130
Botan::Private_Key::create_key_agreement_op
virtual std::unique_ptr< PK_Ops::Key_Agreement > create_key_agreement_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:138
Botan::Private_Key::create_decryption_op
virtual std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:114
Botan::Private_Key::create_kem_decryption_op
virtual std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:122
Botan::Public_Key
Definition: pk_keys.h:29
Botan::Public_Key::create_encryption_op
virtual std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:91
Botan::Public_Key::create_kem_encryption_op
virtual std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:99
Botan::Public_Key::message_part_size
virtual size_t message_part_size() const
Definition: pk_keys.h:123
Botan::Public_Key::algo_name
virtual std::string algo_name() const =0
Botan::Public_Key::message_parts
virtual size_t message_parts() const
Definition: pk_keys.h:112
Botan::Public_Key::create_verification_op
virtual std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:107
Botan::RandomNumberGenerator::random_vec
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:143
Botan
Definition: alg_id.cpp:13
Botan::unlock
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:72
Botan::same_mem
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:217
Botan::SEQUENCE
@ SEQUENCE
Definition: asn1_obj.h:42
Botan::Signature_Format
Signature_Format
Definition: pk_keys.h:23
Botan::DER_SEQUENCE
@ DER_SEQUENCE
Definition: pk_keys.h:23
Botan::IEEE_1363
@ IEEE_1363
Definition: pk_keys.h:23
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
std
Definition: bigint.h:1143
salt_len
size_t salt_len
Definition: x509_obj.cpp:25
Generated by doxygen 1.9.3