doxygen/xmss__privatekey_8cpp_source.html

 /*
  * XMSS Private Key
  * An XMSS: Extended Hash-Based Siganture private key.
  * The XMSS private key does not support the X509 and PKCS7 standard. Instead
  * the raw format described in [1] is used.
  *
  * [1] XMSS: Extended Hash-Based Signatures,
  *     Request for Comments: 8391
  *     Release: May 2018.
  *     https://datatracker.ietf.org/doc/rfc8391/
  *
  * (C) 2016,2017,2018 Matthias Gierlings
  * (C) 2019 Jack Lloyd
  *
  * Botan is released under the Simplified BSD License (see license.txt)
  **/

 #include <botan/xmss_privatekey.h>
 #include <botan/internal/xmss_signature_operation.h>
 #include <botan/ber_dec.h>

 #if defined(BOTAN_HAS_THREAD_UTILS)
    #include <botan/internal/thread_pool.h>
 #endif

 namespace Botan {

 namespace {

 // fall back to raw decoding for previous versions, which did not encode an OCTET STRING
 secure_vector<uint8_t> extract_raw_key(const secure_vector<uint8_t>& key_bits)
    {
    secure_vector<uint8_t> raw_key;
    try
       {
       BER_Decoder(key_bits).decode(raw_key, OCTET_STRING);
       }
    catch(Decoding_Error&)
       {
       raw_key = key_bits;
       }
    return raw_key;
    }

 }

 XMSS_PrivateKey::XMSS_PrivateKey(const secure_vector<uint8_t>& key_bits)
    : XMSS_PublicKey(unlock(key_bits)),
      XMSS_Common_Ops(XMSS_PublicKey::m_xmss_params.oid()),
      m_wots_priv_key(m_wots_params.oid(), m_public_seed),
      m_index_reg(XMSS_Index_Registry::get_instance())
    {
    /*
    The code requires sizeof(size_t) >= ceil(tree_height / 8)

    Maximum supported tree height is 20, ceil(20/8) == 3, so 4 byte
    size_t is sufficient for all defined parameters, or even a
    (hypothetical) tree height 32, which would be extremely slow to
    compute.
    */
    static_assert(sizeof(size_t) >= 4, "size_t is big enough to support leaf index");

    secure_vector<uint8_t> raw_key = extract_raw_key(key_bits);

    if(raw_key.size() != XMSS_PrivateKey::size())
       {
       throw Decoding_Error("Invalid XMSS private key size");
       }

    // extract & copy unused leaf index from raw_key
    uint64_t unused_leaf = 0;
    auto begin = (raw_key.begin() + XMSS_PublicKey::size());
    auto end = raw_key.begin() + XMSS_PublicKey::size() + sizeof(uint32_t);

    for(auto& i = begin; i != end; i++)
       {
       unused_leaf = ((unused_leaf << 8) | *i);
       }

    if(unused_leaf >= (1ull << XMSS_PublicKey::m_xmss_params.tree_height()))
       {
       throw Decoding_Error("XMSS private key leaf index out of bounds");
       }

    begin = end;
    end = begin + XMSS_PublicKey::m_xmss_params.element_size();
    m_prf.clear();
    m_prf.reserve(XMSS_PublicKey::m_xmss_params.element_size());
    std::copy(begin, end, std::back_inserter(m_prf));

    begin = end;
    end = begin + m_wots_params.element_size();
    m_wots_priv_key.set_private_seed(secure_vector<uint8_t>(begin, end));
    set_unused_leaf_index(static_cast<size_t>(unused_leaf));
    }

 XMSS_PrivateKey::XMSS_PrivateKey(
    XMSS_Parameters::xmss_algorithm_t xmss_algo_id,
    RandomNumberGenerator& rng)
    : XMSS_PublicKey(xmss_algo_id, rng),
      XMSS_Common_Ops(xmss_algo_id),
      m_wots_priv_key(XMSS_PublicKey::m_xmss_params.ots_oid(),
                      public_seed(),
                      rng),
      m_prf(rng.random_vec(XMSS_PublicKey::m_xmss_params.element_size())),
      m_index_reg(XMSS_Index_Registry::get_instance())
    {
    XMSS_Address adrs;
    set_root(tree_hash(0,
                       XMSS_PublicKey::m_xmss_params.tree_height(),
                       adrs));
    }

 secure_vector<uint8_t>
 XMSS_PrivateKey::tree_hash(size_t start_idx,
                            size_t target_node_height,
                            XMSS_Address& adrs)
    {
    BOTAN_ASSERT_NOMSG(target_node_height <= 30);
    BOTAN_ASSERT((start_idx % (static_cast<size_t>(1) << target_node_height)) == 0,
                 "Start index must be divisible by 2^{target node height}.");

 #if defined(BOTAN_HAS_THREAD_UTILS)
    // dertermine number of parallel tasks to split the tree_hashing into.

    Thread_Pool& thread_pool = Thread_Pool::global_instance();

    const size_t split_level = std::min(target_node_height, thread_pool.worker_count());

    // skip parallelization overhead for leaf nodes.
    if(split_level == 0)
       {
       secure_vector<uint8_t> result;
       tree_hash_subtree(result, start_idx, target_node_height, adrs);
       return result;
       }

    const size_t subtrees = static_cast<size_t>(1) << split_level;
    const size_t last_idx = (static_cast<size_t>(1) << (target_node_height)) + start_idx;
    const size_t offs = (last_idx - start_idx) / subtrees;
    // this cast cannot overflow because target_node_height is limited
    uint8_t level = static_cast<uint8_t>(split_level); // current level in the tree

    BOTAN_ASSERT((last_idx - start_idx) % subtrees == 0,
                 "Number of worker threads in tree_hash need to divide range "
                 "of calculated nodes.");

    std::vector<secure_vector<uint8_t>> nodes(
        subtrees,
        secure_vector<uint8_t>(XMSS_PublicKey::m_xmss_params.element_size()));
    std::vector<XMSS_Address> node_addresses(subtrees, adrs);
    std::vector<XMSS_Hash> xmss_hash(subtrees, m_hash);
    std::vector<std::future<void>> work;

    // Calculate multiple subtrees in parallel.
    for(size_t i = 0; i < subtrees; i++)
       {
       using tree_hash_subtree_fn_t =
          void (XMSS_PrivateKey::*)(secure_vector<uint8_t>&,
                                    size_t,
                                    size_t,
                                    XMSS_Address&,
                                    XMSS_Hash&);

       auto work_fn = static_cast<tree_hash_subtree_fn_t>(&XMSS_PrivateKey::tree_hash_subtree);

       work.push_back(thread_pool.run(
                         work_fn,
                         this,
                         std::ref(nodes[i]),
                         start_idx + i * offs,
                         target_node_height - split_level,
                         std::ref(node_addresses[i]),
                         std::ref(xmss_hash[i])));
       }

    for(auto& w : work)
       {
       w.get();
       }
    work.clear();

    // Parallelize the top tree levels horizontally
    while(level-- > 1)
       {
       std::vector<secure_vector<uint8_t>> ro_nodes(
          nodes.begin(), nodes.begin() + (static_cast<size_t>(1) << (level+1)));

       for(size_t i = 0; i < (static_cast<size_t>(1) << level); i++)
          {
          BOTAN_ASSERT_NOMSG(xmss_hash.size() > i);

          node_addresses[i].set_tree_height(static_cast<uint32_t>(target_node_height - (level + 1)));
          node_addresses[i].set_tree_index(
             (node_addresses[2 * i + 1].get_tree_index() - 1) >> 1);
          using rnd_tree_hash_fn_t =
             void (XMSS_PrivateKey::*)(secure_vector<uint8_t>&,
                                       const secure_vector<uint8_t>&,
                                       const secure_vector<uint8_t>&,
                                       XMSS_Address& adrs,
                                       const secure_vector<uint8_t>&,
                                       XMSS_Hash&);

          auto work_fn = static_cast<rnd_tree_hash_fn_t>(&XMSS_PrivateKey::randomize_tree_hash);

          work.push_back(thread_pool.run(
                work_fn,
                this,
                std::ref(nodes[i]),
                std::ref(ro_nodes[2 * i]),
                std::ref(ro_nodes[2 * i + 1]),
                std::ref(node_addresses[i]),
                std::ref(this->public_seed()),
                std::ref(xmss_hash[i])));
          }

       for(auto &w : work)
          {
          w.get();
          }
       work.clear();
       }

    // Avoid creation an extra thread to calculate root node.
    node_addresses[0].set_tree_height(static_cast<uint32_t>(target_node_height - 1));
    node_addresses[0].set_tree_index(
       (node_addresses[1].get_tree_index() - 1) >> 1);
    randomize_tree_hash(nodes[0],
                        nodes[0],
                        nodes[1],
                        node_addresses[0],
                        this->public_seed());
    return nodes[0];
 #else
    secure_vector<uint8_t> result;
    tree_hash_subtree(result, start_idx, target_node_height, adrs);
    return result;
 #endif
    }

 void
 XMSS_PrivateKey::tree_hash_subtree(secure_vector<uint8_t>& result,
                                    size_t start_idx,
                                    size_t target_node_height,
                                    XMSS_Address& adrs,
                                    XMSS_Hash& hash)
    {
    const secure_vector<uint8_t>& seed = this->public_seed();

    std::vector<secure_vector<uint8_t>> nodes(
       target_node_height + 1,
       secure_vector<uint8_t>(XMSS_PublicKey::m_xmss_params.element_size()));

    // node stack, holds all nodes on stack and one extra "pending" node. This
    // temporary node referred to as "node" in the XMSS standard document stays
    // a pending element, meaning it is not regarded as element on the stack
    // until level is increased.
    std::vector<uint8_t> node_levels(target_node_height + 1);

    uint8_t level = 0; // current level on the node stack.
    XMSS_WOTS_PublicKey pk(m_wots_priv_key.wots_parameters().oid(), seed);
    const size_t last_idx = (static_cast<size_t>(1) << target_node_height) + start_idx;

    for(size_t i = start_idx; i < last_idx; i++)
       {
       adrs.set_type(XMSS_Address::Type::OTS_Hash_Address);
       adrs.set_ots_address(static_cast<uint32_t>(i));
       this->wots_private_key().generate_public_key(
          pk,
          // getWOTS_SK(SK, s + i), reference implementation uses adrs
          // instead of zero padded index s + i.
          this->wots_private_key().at(adrs, hash),
          adrs,
          hash);
       adrs.set_type(XMSS_Address::Type::LTree_Address);
       adrs.set_ltree_address(static_cast<uint32_t>(i));
       create_l_tree(nodes[level], pk, adrs, seed, hash);
       node_levels[level] = 0;

       adrs.set_type(XMSS_Address::Type::Hash_Tree_Address);
       adrs.set_tree_height(0);
       adrs.set_tree_index(static_cast<uint32_t>(i));

       while(level > 0 && node_levels[level] ==
             node_levels[level - 1])
          {
          adrs.set_tree_index(((adrs.get_tree_index() - 1) >> 1));
          randomize_tree_hash(nodes[level - 1],
                              nodes[level - 1],
                              nodes[level],
                              adrs,
                              seed,
                              hash);
          node_levels[level - 1]++;
          level--; //Pop stack top element
          adrs.set_tree_height(adrs.get_tree_height() + 1);
          }
       level++; //push temporary node to stack
       }
    result = nodes[level - 1];
    }

 std::shared_ptr<Atomic<size_t>>
 XMSS_PrivateKey::recover_global_leaf_index() const
    {
    BOTAN_ASSERT(m_wots_priv_key.private_seed().size() ==
                 XMSS_PublicKey::m_xmss_params.element_size() &&
                 m_prf.size() == XMSS_PublicKey::m_xmss_params.element_size(),
                 "Trying to retrieve index for partially initialized "
                 "key.");
    return m_index_reg.get(m_wots_priv_key.private_seed(),
                           m_prf);
    }

 secure_vector<uint8_t> XMSS_PrivateKey::raw_private_key() const
    {
    std::vector<uint8_t> pk { raw_public_key() };
    secure_vector<uint8_t> result(pk.begin(), pk.end());
    result.reserve(size());

    for(int i = 3; i >= 0; i--)
       {
       result.push_back(
          static_cast<uint8_t>(
             static_cast<uint64_t>(unused_leaf_index()) >> 8 * i));
       }

    std::copy(m_prf.begin(), m_prf.end(), std::back_inserter(result));
    std::copy(m_wots_priv_key.private_seed().begin(),
              m_wots_priv_key.private_seed().end(),
              std::back_inserter(result));

    return result;
    }

 std::unique_ptr<PK_Ops::Signature>
 XMSS_PrivateKey::create_signature_op(RandomNumberGenerator&,
                                      const std::string&,
                                      const std::string& provider) const
    {
    if(provider == "base" || provider.empty())
       return std::unique_ptr<PK_Ops::Signature>(
          new XMSS_Signature_Operation(*this));

    throw Provider_Not_Found(algo_name(), provider);
    }

 }
Botan::XMSS_PrivateKey::public_seed
const secure_vector< uint8_t > & public_seed() const override
Definition: xmss_privatekey.h:193

Botan::XMSS_Common_Ops
Definition: xmss_common_ops.h:26

Botan::XMSS_Address::Type::LTree_Address

Botan::Thread_Pool
Definition: thread_pool.h:24

Botan::Thread_Pool::worker_count
size_t worker_count() const
Definition: thread_pool.h:43

Botan::XMSS_PrivateKey::wots_private_key
const XMSS_WOTS_PrivateKey & wots_private_key() const
Definition: xmss_privatekey.h:154

Botan::XMSS_PrivateKey::tree_hash
secure_vector< uint8_t > tree_hash(size_t start_idx, size_t target_node_height, XMSS_Address &adrs)
Definition: xmss_privatekey.cpp:115

Botan::XMSS_Address::get_tree_index
uint32_t get_tree_index() const
Definition: xmss_address.h:297

Botan::XMSS_Hash
Definition: xmss_hash.h:21

Botan::RandomNumberGenerator
Definition: rng.h:24

Botan::XMSS_Address::set_ots_address
void set_ots_address(uint32_t value)
Definition: xmss_address.h:164

Botan::XMSS_Address::set_tree_height
void set_tree_height(uint32_t value)
Definition: xmss_address.h:251

Botan::XMSS_Address::Type::OTS_Hash_Address

Botan::XMSS_PublicKey
Definition: xmss_publickey.h:39

Botan::XMSS_Signature_Operation
Definition: xmss_signature_operation.h:34

Botan::XMSS_Address::set_ltree_address
void set_ltree_address(uint32_t value)
Definition: xmss_address.h:194

Botan::XMSS_Address
Definition: xmss_address.h:21

Botan::XMSS_PublicKey::set_root
void set_root(const secure_vector< uint8_t > &root)
Definition: xmss_publickey.h:152

Botan::XMSS_PrivateKey::set_unused_leaf_index
void set_unused_leaf_index(size_t idx)
Definition: xmss_privatekey.h:115

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68

Botan::XMSS_Common_Ops::create_l_tree
void create_l_tree(secure_vector< uint8_t > &result, wots_keysig_t pk, XMSS_Address &adrs, const secure_vector< uint8_t > &seed, XMSS_Hash &hash)
Definition: xmss_common_ops.cpp:46

Botan::XMSS_PublicKey::raw_public_key
virtual std::vector< uint8_t > raw_public_key() const
Definition: xmss_publickey.cpp:96

Botan::XMSS_Index_Registry
Definition: xmss_index_registry.h:23

Botan::XMSS_PublicKey::size
virtual size_t size() const
Definition: xmss_publickey.h:235

BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55

Botan::Decoding_Error
Definition: exceptn.h:199

Botan::Thread_Pool::run
auto run(F &&f, Args &&... args) -> std::future< typename std::result_of< F(Args...)>::type >
Definition: thread_pool.h:57

Botan::XMSS_PrivateKey::unused_leaf_index
size_t unused_leaf_index() const
Definition: xmss_privatekey.h:103

Botan::XMSS_PrivateKey::XMSS_PrivateKey
XMSS_PrivateKey(XMSS_Parameters::xmss_algorithm_t xmss_algo_id, RandomNumberGenerator &rng)
Definition: xmss_privatekey.cpp:97

Botan::XMSS_PrivateKey::size
size_t size() const override
Definition: xmss_privatekey.h:208

Botan::XMSS_Address::get_tree_height
uint32_t get_tree_height() const
Definition: xmss_address.h:235

Botan::XMSS_Address::set_type
void set_type(Type type)
Definition: xmss_address.h:111

Botan::XMSS_PrivateKey
Definition: xmss_privatekey.h:37

Botan::XMSS_Index_Registry::get
std::shared_ptr< Atomic< size_t > > get(const secure_vector< uint8_t > &private_seed, const secure_vector< uint8_t > &prf)
Definition: xmss_index_registry.cpp:38

Botan::XMSS_Common_Ops::m_hash
XMSS_Hash m_hash
Definition: xmss_common_ops.h:122

Botan::XMSS_WOTS_PrivateKey::generate_public_key
XMSS_WOTS_PublicKey generate_public_key(XMSS_Address &adrs)
Definition: xmss_wots_privatekey.cpp:32

Botan
Definition: alg_id.cpp:13

Botan::XMSS_WOTS_PublicKey::wots_parameters
const XMSS_WOTS_Parameters & wots_parameters() const
Definition: xmss_wots_publickey.h:229

Botan::OCTET_STRING
Definition: asn1_obj.h:36

Botan::unlock
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:72

Botan::XMSS_Address::Type::Hash_Tree_Address

Botan::XMSS_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &, const std::string &, const std::string &provider) const override
Definition: xmss_privatekey.cpp:337

Botan::XMSS_WOTS_PublicKey
Definition: xmss_wots_publickey.h:32

Botan::XMSS_WOTS_PrivateKey::private_seed
const secure_vector< uint8_t > & private_seed() const
Definition: xmss_wots_privatekey.h:268

Botan::XMSS_PublicKey::algo_name
std::string algo_name() const override
Definition: xmss_publickey.h:187

Botan::XMSS_PrivateKey::raw_private_key
secure_vector< uint8_t > raw_private_key() const
Definition: xmss_privatekey.cpp:315

Botan::XMSS_Parameters::element_size
size_t element_size() const
Definition: xmss_parameters.h:67

Botan::XMSS_PublicKey::m_wots_params
XMSS_WOTS_Parameters m_wots_params
Definition: xmss_publickey.h:252

Botan::Thread_Pool::global_instance
static Thread_Pool & global_instance()
Definition: thread_pool.cpp:15

Botan::XMSS_Parameters::xmss_algorithm_t
xmss_algorithm_t
Definition: xmss_parameters.h:26

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65

Botan::XMSS_Common_Ops::randomize_tree_hash
void randomize_tree_hash(secure_vector< uint8_t > &result, const secure_vector< uint8_t > &left, const secure_vector< uint8_t > &right, XMSS_Address &adrs, const secure_vector< uint8_t > &seed, XMSS_Hash &hash)
Definition: xmss_common_ops.cpp:14

Botan::XMSS_Address::set_tree_index
void set_tree_index(uint32_t value)
Definition: xmss_address.h:313

Botan::XMSS_WOTS_PrivateKey::set_private_seed
void set_private_seed(const secure_vector< uint8_t > &private_seed)
Definition: xmss_wots_privatekey.h:279

Botan::XMSS_PublicKey::m_xmss_params
XMSS_Parameters m_xmss_params
Definition: xmss_publickey.h:251

Botan::Provider_Not_Found
Definition: exceptn.h:278

Botan::XMSS_WOTS_Parameters::element_size
size_t element_size() const
Definition: xmss_wots_parameters.h:79

hash
MechanismType hash
Definition: p11_mechanism.cpp:64

Botan::XMSS_WOTS_Parameters::oid
ots_algorithm_t oid() const
Definition: xmss_wots_parameters.h:97