Botan  2.1.0
Crypto and TLS for C++11
pubkey.cpp
Go to the documentation of this file.
1 /*
2 * (C) 1999-2010,2015 Jack Lloyd
3 *
4 * Botan is released under the Simplified BSD License (see license.txt)
5 */
6 
7 #include <botan/pubkey.h>
8 #include <botan/der_enc.h>
9 #include <botan/ber_dec.h>
10 #include <botan/bigint.h>
11 #include <botan/pk_ops.h>
12 #include <botan/internal/ct_utils.h>
13 
14 namespace Botan {
15 
16 secure_vector<uint8_t> PK_Decryptor::decrypt(const uint8_t in[], size_t length) const
17  {
18  uint8_t valid_mask = 0;
19 
20  secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
21 
22  if(valid_mask == 0)
23  throw Decoding_Error("Invalid public key ciphertext, cannot decrypt");
24 
25  return decoded;
26  }
27 
30  size_t length,
31  size_t expected_pt_len,
33  const uint8_t required_content_bytes[],
34  const uint8_t required_content_offsets[],
35  size_t required_contents_length) const
36  {
37  const secure_vector<uint8_t> fake_pms = rng.random_vec(expected_pt_len);
38 
39  uint8_t valid_mask = 0;
40  secure_vector<uint8_t> decoded = do_decrypt(valid_mask, in, length);
41 
42  valid_mask &= CT::is_equal(decoded.size(), expected_pt_len);
43 
44  decoded.resize(expected_pt_len);
45 
46  for(size_t i = 0; i != required_contents_length; ++i)
47  {
48  /*
49  These values are chosen by the application and for TLS are constants,
50  so this early failure via assert is fine since we know 0,1 < 48
51 
52  If there is a protocol that has content checks on the key where
53  the expected offsets are controllable by the attacker this could
54  still leak.
55 
56  Alternately could always reduce the offset modulo the length?
57  */
58 
59  const uint8_t exp = required_content_bytes[i];
60  const uint8_t off = required_content_offsets[i];
61 
62  BOTAN_ASSERT(off < expected_pt_len, "Offset in range of plaintext");
63 
64  valid_mask &= CT::is_equal(decoded[off], exp);
65  }
66 
67  CT::conditional_copy_mem(valid_mask,
68  /*output*/decoded.data(),
69  /*from0*/decoded.data(),
70  /*from1*/fake_pms.data(),
71  expected_pt_len);
72 
73  return decoded;
74  }
75 
78  size_t length,
79  size_t expected_pt_len,
80  RandomNumberGenerator& rng) const
81  {
82  return decrypt_or_random(in, length, expected_pt_len, rng,
83  nullptr, nullptr, 0);
84  }
85 
88  const std::string& padding,
89  const std::string& provider)
90  {
91  m_op = key.create_encryption_op(rng, padding, provider);
92  if(!m_op)
93  throw Invalid_Argument("Key type " + key.algo_name() + " does not support encryption");
94  }
95 
96 PK_Encryptor_EME::~PK_Encryptor_EME() { /* for unique_ptr */ }
97 
98 std::vector<uint8_t>
99 PK_Encryptor_EME::enc(const uint8_t in[], size_t length, RandomNumberGenerator& rng) const
100  {
101  return unlock(m_op->encrypt(in, length, rng));
102  }
103 
105  {
106  return m_op->max_input_bits() / 8;
107  }
108 
111  const std::string& padding,
112  const std::string& provider)
113  {
114  m_op = key.create_decryption_op(rng, padding, provider);
115  if(!m_op)
116  throw Invalid_Argument("Key type " + key.algo_name() + " does not support decryption");
117  }
118 
119 PK_Decryptor_EME::~PK_Decryptor_EME() { /* for unique_ptr */ }
120 
121 secure_vector<uint8_t> PK_Decryptor_EME::do_decrypt(uint8_t& valid_mask,
122  const uint8_t in[], size_t in_len) const
123  {
124  return m_op->decrypt(valid_mask, in, in_len);
125  }
126 
129  const std::string& param,
130  const std::string& provider)
131  {
132  m_op = key.create_kem_encryption_op(rng, param, provider);
133  if(!m_op)
134  throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM encryption");
135  }
136 
137 PK_KEM_Encryptor::~PK_KEM_Encryptor() { /* for unique_ptr */ }
138 
140  secure_vector<uint8_t>& out_shared_key,
141  size_t desired_shared_key_len,
143  const uint8_t salt[],
144  size_t salt_len)
145  {
146  m_op->kem_encrypt(out_encapsulated_key,
147  out_shared_key,
148  desired_shared_key_len,
149  rng,
150  salt,
151  salt_len);
152  }
153 
156  const std::string& param,
157  const std::string& provider)
158  {
159  m_op = key.create_kem_decryption_op(rng, param, provider);
160  if(!m_op)
161  throw Invalid_Argument("Key type " + key.algo_name() + " does not support KEM decryption");
162  }
163 
164 PK_KEM_Decryptor::~PK_KEM_Decryptor() { /* for unique_ptr */ }
165 
167  size_t encap_key_len,
168  size_t desired_shared_key_len,
169  const uint8_t salt[],
170  size_t salt_len)
171  {
172  return m_op->kem_decrypt(encap_key, encap_key_len,
173  desired_shared_key_len,
174  salt, salt_len);
175  }
176 
179  const std::string& kdf,
180  const std::string& provider)
181  {
182  m_op = key.create_key_agreement_op(rng, kdf, provider);
183  if(!m_op)
184  throw Invalid_Argument("Key type " + key.algo_name() + " does not support key agreement");
185  }
186 
187 PK_Key_Agreement::~PK_Key_Agreement() { /* for unique_ptr */ }
188 
190  {
191  if(this != &other)
192  {
193  m_op = std::move(other.m_op);
194  }
195  return (*this);
196  }
197 
199  m_op(std::move(other.m_op))
200  {}
201 
203  const uint8_t in[], size_t in_len,
204  const uint8_t salt[],
205  size_t salt_len) const
206  {
207  return m_op->agree(key_len, in, in_len, salt, salt_len);
208  }
209 
212  const std::string& emsa,
213  Signature_Format format,
214  const std::string& provider)
215  {
216  m_op = key.create_signature_op(rng, emsa, provider);
217  if(!m_op)
218  throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature generation");
219  m_sig_format = format;
220  m_parts = key.message_parts();
221  m_part_size = key.message_part_size();
222  }
223 
224 PK_Signer::~PK_Signer() { /* for unique_ptr */ }
225 
226 void PK_Signer::update(const uint8_t in[], size_t length)
227  {
228  m_op->update(in, length);
229  }
230 
231 std::vector<uint8_t> PK_Signer::signature(RandomNumberGenerator& rng)
232  {
233  const std::vector<uint8_t> sig = unlock(m_op->sign(rng));
234 
235  if(m_sig_format == IEEE_1363)
236  {
237  return sig;
238  }
239  else if(m_sig_format == DER_SEQUENCE)
240  {
241  if(sig.size() % m_parts != 0 || sig.size() != m_parts * m_part_size)
242  throw Internal_Error("PK_Signer: DER signature sizes unexpected, cannot encode");
243 
244  std::vector<BigInt> sig_parts(m_parts);
245  for(size_t i = 0; i != sig_parts.size(); ++i)
246  sig_parts[i].binary_decode(&sig[m_part_size*i], m_part_size);
247 
248  return DER_Encoder()
250  .encode_list(sig_parts)
251  .end_cons()
253  }
254  else
255  throw Internal_Error("PK_Signer: Invalid signature format enum");
256  }
257 
259  const std::string& emsa,
260  Signature_Format format,
261  const std::string& provider)
262  {
263  m_op = key.create_verification_op(emsa, provider);
264  if(!m_op)
265  throw Invalid_Argument("Key type " + key.algo_name() + " does not support signature verification");
266  m_sig_format = format;
267  m_parts = key.message_parts();
268  m_part_size = key.message_part_size();
269  }
270 
271 PK_Verifier::~PK_Verifier() { /* for unique_ptr */ }
272 
274  {
275  if(format != IEEE_1363 && m_parts == 1)
276  throw Invalid_Argument("PK_Verifier: This algorithm does not support DER encoding");
277  m_sig_format = format;
278  }
279 
280 bool PK_Verifier::verify_message(const uint8_t msg[], size_t msg_length,
281  const uint8_t sig[], size_t sig_length)
282  {
283  update(msg, msg_length);
284  return check_signature(sig, sig_length);
285  }
286 
287 void PK_Verifier::update(const uint8_t in[], size_t length)
288  {
289  m_op->update(in, length);
290  }
291 
292 bool PK_Verifier::check_signature(const uint8_t sig[], size_t length)
293  {
294  try {
295  if(m_sig_format == IEEE_1363)
296  {
297  return m_op->is_valid_signature(sig, length);
298  }
299  else if(m_sig_format == DER_SEQUENCE)
300  {
301  std::vector<uint8_t> real_sig;
302  BER_Decoder decoder(sig, length);
303  BER_Decoder ber_sig = decoder.start_cons(SEQUENCE);
304 
305  size_t count = 0;
306  while(ber_sig.more_items())
307  {
308  BigInt sig_part;
309  ber_sig.decode(sig_part);
310  real_sig += BigInt::encode_1363(sig_part, m_part_size);
311  ++count;
312  }
313 
314  if(count != m_parts)
315  throw Decoding_Error("PK_Verifier: signature size invalid");
316 
317  return m_op->is_valid_signature(real_sig.data(), real_sig.size());
318  }
319  else
320  throw Internal_Error("PK_Verifier: Invalid signature format enum");
321  }
322  catch(Invalid_Argument&) { return false; }
323  }
324 
325 }
DER_Encoder & encode_list(const std::vector< T > &values)
Definition: der_enc.h:85
PK_Signer(const Private_Key &key, RandomNumberGenerator &rng, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:210
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:133
void conditional_copy_mem(T value, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:138
std::vector< uint8_t > get_contents_unlocked()
Definition: der_enc.h:27
bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length)
Definition: pubkey.cpp:280
virtual std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:118
PK_KEM_Encryptor(const Public_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:127
SymmetricKey derive_key(size_t key_len, const uint8_t in[], size_t in_len, const uint8_t params[], size_t params_len) const
Definition: pubkey.cpp:202
virtual size_t message_part_size() const
Definition: pk_keys.h:114
PK_Key_Agreement(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kdf, const std::string &provider="")
Definition: pubkey.cpp:177
Signature_Format
Definition: pubkey.h:29
Definition: bigint.h:619
secure_vector< uint8_t > decrypt(const uint8_t in[], size_t length) const
Definition: pubkey.cpp:16
std::vector< uint8_t > signature(RandomNumberGenerator &rng)
Definition: pubkey.cpp:231
virtual std::string algo_name() const =0
BER_Decoder & decode(bool &v)
Definition: ber_dec.cpp:376
virtual std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:79
DER_Encoder & end_cons()
Definition: der_enc.cpp:147
virtual std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:102
T is_equal(T x, T y)
Definition: ct_utils.h:116
void update(uint8_t in)
Definition: pubkey.h:337
PK_Decryptor_EME(const Private_Key &key, RandomNumberGenerator &rng, const std::string &eme, const std::string &provider="")
Definition: pubkey.cpp:109
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
std::vector< T, secure_allocator< T >> secure_vector
Definition: secmem.h:121
secure_vector< uint8_t > decrypt(const uint8_t encap_key[], size_t encap_key_len, size_t desired_shared_key_len, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:166
bool more_items() const
Definition: ber_dec.cpp:158
secure_vector< uint8_t > decrypt_or_random(const uint8_t in[], size_t length, size_t expected_pt_len, RandomNumberGenerator &rng) const
Definition: pubkey.cpp:77
virtual size_t message_parts() const
Definition: pk_keys.h:103
size_t maximum_input_size() const override
Definition: pubkey.cpp:104
void update(uint8_t in)
Definition: pubkey.h:240
PK_KEM_Decryptor(const Private_Key &key, RandomNumberGenerator &rng, const std::string &kem_param="", const std::string &provider="")
Definition: pubkey.cpp:154
PK_Key_Agreement & operator=(PK_Key_Agreement &&)
Definition: pubkey.cpp:189
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:258
virtual std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:110
Definition: alg_id.cpp:13
void set_input_format(Signature_Format format)
Definition: pubkey.cpp:273
virtual std::unique_ptr< PK_Ops::Key_Agreement > create_key_agreement_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:126
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:125
bool check_signature(const uint8_t sig[], size_t length)
Definition: pubkey.cpp:292
PK_Encryptor_EME(const Public_Key &key, RandomNumberGenerator &rng, const std::string &padding, const std::string &provider="")
Definition: pubkey.cpp:86
PK_Verifier(const Public_Key &pub_key, const std::string &emsa, Signature_Format format=IEEE_1363, const std::string &provider="")
Definition: pubkey.cpp:258
virtual std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:87
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:137
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
virtual std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const
Definition: pk_keys.cpp:95
void encrypt(secure_vector< uint8_t > &out_encapsulated_key, secure_vector< uint8_t > &out_shared_key, size_t desired_shared_key_len, Botan::RandomNumberGenerator &rng, const uint8_t salt[], size_t salt_len)
Definition: pubkey.cpp:139