11 #include <botan/ecdsa.h>
12 #include <botan/internal/pk_ops_impl.h>
13 #include <botan/internal/point_mul.h>
14 #include <botan/keypair.h>
15 #include <botan/reducer.h>
16 #include <botan/emsa.h>
18 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
19 #include <botan/rfc6979.h>
22 #if defined(BOTAN_HAS_OPENSSL)
23 #include <botan/internal/openssl.h>
30 PointGFp recover_ecdsa_public_key(
const EC_Group& group,
31 const std::vector<uint8_t>& msg,
36 if(group.get_cofactor() != 1)
37 throw Invalid_Argument(
"ECDSA public key recovery only supported for prime order groups");
40 throw Invalid_Argument(
"Unexpected v param for ECDSA public key recovery");
42 const uint8_t y_odd = v % 2;
43 const uint8_t add_order = v >> 1;
45 const BigInt& group_order = group.get_order();
46 const size_t p_bytes = group.get_p_bytes();
50 const BigInt e(msg.data(), msg.size(), group.get_order_bits());
51 const BigInt r_inv = group.inverse_mod_order(r);
53 BigInt x = r + add_order*group_order;
55 std::vector<uint8_t>
X(p_bytes + 1);
60 const PointGFp R = group.OS2ECP(
X);
62 if((R*group_order).is_zero() ==
false)
63 throw Decoding_Error(
"Unable to recover ECDSA public key");
66 PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
67 const BigInt ne = group.mod_order(group_order - e);
68 return r_inv * RG_mul.multi_exp(s, ne);
75 throw Decoding_Error(
"Failed to recover ECDSA public key from signature/msg pair");
81 const std::vector<uint8_t>& msg,
85 EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}
92 for(uint8_t v = 0; v != 4; ++v)
96 PointGFp R = recover_ecdsa_public_key(this->
domain(), msg, r, s, v);
109 throw Internal_Error(
"Could not determine ECDSA recovery parameter");
134 const std::string& emsa,
136 PK_Ops::Signature_with_EMSA(emsa),
138 m_x(ecdsa.private_value())
140 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
148 size_t signature_length()
const override {
return 2*
m_group.get_order_bytes(); }
150 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
152 secure_vector<uint8_t> raw_sign(
const uint8_t msg[],
size_t msg_len,
153 RandomNumberGenerator& rng)
override;
159 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
160 std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
168 secure_vector<uint8_t>
169 ECDSA_Signature_Operation::raw_sign(
const uint8_t msg[],
size_t msg_len,
170 RandomNumberGenerator& rng)
174 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
175 const BigInt k = m_rfc6979->nonce_for(m);
197 if(r.is_zero() || s.is_zero())
198 throw Internal_Error(
"During ECDSA signature generated zero r/s");
206 class ECDSA_Verification_Operation
final :
public PK_Ops::Verification_with_EMSA
209 ECDSA_Verification_Operation(
const ECDSA_PublicKey& ecdsa,
210 const std::string& emsa) :
211 PK_Ops::Verification_with_EMSA(emsa),
217 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
219 bool with_recovery()
const override {
return false; }
221 bool verify(
const uint8_t msg[],
size_t msg_len,
222 const uint8_t sig[],
size_t sig_len)
override;
228 bool ECDSA_Verification_Operation::verify(
const uint8_t msg[],
size_t msg_len,
229 const uint8_t sig[],
size_t sig_len)
236 const BigInt r(sig, sig_len / 2);
237 const BigInt s(sig + sig_len / 2, sig_len / 2);
257 std::unique_ptr<PK_Ops::Verification>
259 const std::string& provider)
const
261 #if defined(BOTAN_HAS_OPENSSL)
262 if(provider ==
"openssl" || provider.empty())
266 return make_openssl_ecdsa_ver_op(*
this, params);
270 if(provider ==
"openssl")
276 if(provider ==
"base" || provider.empty())
277 return std::unique_ptr<PK_Ops::Verification>(
new ECDSA_Verification_Operation(*
this, params));
282 std::unique_ptr<PK_Ops::Signature>
284 const std::string& params,
285 const std::string& provider)
const
287 #if defined(BOTAN_HAS_OPENSSL)
288 if(provider ==
"openssl" || provider.empty())
292 return make_openssl_ecdsa_sig_op(*
this, params);
296 if(provider ==
"openssl")
302 if(provider ==
"base" || provider.empty())
303 return std::unique_ptr<PK_Ops::Signature>(
new ECDSA_Signature_Operation(*
this, params, rng));
bool check_key(RandomNumberGenerator &rng, bool) const override
const PointGFp_Multi_Point_Precompute m_gy_mul
const EC_Group & domain() const
int(* final)(unsigned char *, CTX *)
BigInt inverse_mod_order(const BigInt &x) const
std::vector< BigInt > m_ws
BigInt multiply_mod_order(const BigInt &x, const BigInt &y) const
const PointGFp & public_point() const
size_t get_order_bytes() const
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
uint8_t recovery_param(const std::vector< uint8_t > &msg, const BigInt &r, const BigInt &s) const
BigInt square_mod_order(const BigInt &x) const
BigInt mod_order(const BigInt &x) const
const BigInt & get_order() const
ECDSA_PublicKey()=default
std::string hash_for_emsa(const std::string &algo_spec)
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string ¶ms, const std::string &provider) const override
BigInt blinded_base_point_multiply_x(const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
std::string algo_name() const override
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
BigInt random_scalar(RandomNumberGenerator &rng) const
size_t get_order_bits() const