Botan  2.1.0
Crypto and TLS for C++11
dsa.cpp
Go to the documentation of this file.
1 /*
2 * DSA
3 * (C) 1999-2010,2014,2016 Jack Lloyd
4 * (C) 2016 RenĂ© Korthaus
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/dsa.h>
10 #include <botan/keypair.h>
11 #include <botan/pow_mod.h>
12 #include <botan/reducer.h>
13 #include <botan/internal/pk_ops_impl.h>
14 
15 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
16  #include <botan/emsa.h>
17  #include <botan/rfc6979.h>
18 #endif
19 
20 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
21  #include <future>
22 #endif
23 
24 namespace Botan {
25 
26 /*
27 * DSA_PublicKey Constructor
28 */
30  {
31  m_group = grp;
32  m_y = y1;
33  }
34 
35 /*
36 * Create a DSA private key
37 */
39  const DL_Group& grp,
40  const BigInt& x_arg)
41  {
42  m_group = grp;
43 
44  if(x_arg == 0)
45  m_x = BigInt::random_integer(rng, 2, group_q() - 1);
46  else
47  m_x = x_arg;
48 
49  m_y = power_mod(group_g(), m_x, group_p());
50  }
51 
53  const secure_vector<uint8_t>& key_bits) :
54  DL_Scheme_PrivateKey(alg_id, key_bits, DL_Group::ANSI_X9_57)
55  {
56  m_y = power_mod(group_g(), m_x, group_p());
57  }
58 
59 /*
60 * Check Private DSA Parameters
61 */
62 bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const
63  {
64  if(!DL_Scheme_PrivateKey::check_key(rng, strong) || m_x >= group_q())
65  return false;
66 
67  if(!strong)
68  return true;
69 
70  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
71  }
72 
73 namespace {
74 
75 /**
76 * Object that can create a DSA signature
77 */
78 class DSA_Signature_Operation : public PK_Ops::Signature_with_EMSA
79  {
80  public:
81  DSA_Signature_Operation(const DSA_PrivateKey& dsa, const std::string& emsa) :
82  PK_Ops::Signature_with_EMSA(emsa),
83  m_q(dsa.group_q()),
84  m_x(dsa.get_x()),
85  m_powermod_g_p(dsa.group_g(), dsa.group_p()),
86  m_mod_q(dsa.group_q()),
87  m_emsa(emsa)
88  {
89  }
90 
91  size_t max_input_bits() const override { return m_q.bits(); }
92 
93  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
94  RandomNumberGenerator& rng) override;
95  private:
96  const BigInt& m_q;
97  const BigInt& m_x;
98  Fixed_Base_Power_Mod m_powermod_g_p;
99  Modular_Reducer m_mod_q;
100  std::string m_emsa;
101  };
102 
103 secure_vector<uint8_t>
104 DSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
105  RandomNumberGenerator& rng)
106  {
107  BigInt i(msg, msg_len);
108 
109  while(i >= m_q)
110  i -= m_q;
111 
112 #if defined(BOTAN_HAS_RFC6979_GENERATOR)
113  BOTAN_UNUSED(rng);
114  const BigInt k = generate_rfc6979_nonce(m_x, m_q, i, hash_for_emsa(m_emsa));
115 #else
116  const BigInt k = BigInt::random_integer(rng, 1, m_q);
117 #endif
118 
119 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
120  auto future_r = std::async(std::launch::async,
121  [&]() { return m_mod_q.reduce(m_powermod_g_p(k)); });
122 
123  BigInt s = inverse_mod(k, m_q);
124  const BigInt r = future_r.get();
125 #else
126  BigInt s = inverse_mod(k, m_q);
127  const BigInt r = m_mod_q.reduce(m_powermod_g_p(k));
128 #endif
129 
130  s = m_mod_q.multiply(s, mul_add(m_x, r, i));
131 
132  // With overwhelming probability, a bug rather than actual zero r/s
133  BOTAN_ASSERT(s != 0, "invalid s");
134  BOTAN_ASSERT(r != 0, "invalid r");
135 
137  }
138 
139 /**
140 * Object that can verify a DSA signature
141 */
142 class DSA_Verification_Operation : public PK_Ops::Verification_with_EMSA
143  {
144  public:
145  DSA_Verification_Operation(const DSA_PublicKey& dsa,
146  const std::string& emsa) :
147  PK_Ops::Verification_with_EMSA(emsa),
148  m_q(dsa.group_q()), m_y(dsa.get_y()), m_powermod_g_p{Fixed_Base_Power_Mod(dsa.group_g(), dsa.group_p())},
149  m_powermod_y_p{Fixed_Base_Power_Mod(m_y, dsa.group_p())}, m_mod_p{Modular_Reducer(dsa.group_p())},
150  m_mod_q{Modular_Reducer(dsa.group_q())}
151  {}
152 
153  size_t max_input_bits() const override { return m_q.bits(); }
154 
155  bool with_recovery() const override { return false; }
156 
157  bool verify(const uint8_t msg[], size_t msg_len,
158  const uint8_t sig[], size_t sig_len) override;
159  private:
160  const BigInt& m_q;
161  const BigInt& m_y;
162 
163  Fixed_Base_Power_Mod m_powermod_g_p, m_powermod_y_p;
164  Modular_Reducer m_mod_p, m_mod_q;
165  };
166 
167 bool DSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
168  const uint8_t sig[], size_t sig_len)
169  {
170  if(sig_len != 2*m_q.bytes() || msg_len > m_q.bytes())
171  return false;
172 
173  BigInt r(sig, m_q.bytes());
174  BigInt s(sig + m_q.bytes(), m_q.bytes());
175  BigInt i(msg, msg_len);
176 
177  if(r <= 0 || r >= m_q || s <= 0 || s >= m_q)
178  return false;
179 
180  s = inverse_mod(s, m_q);
181 
182 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
183  auto future_s_i = std::async(std::launch::async,
184  [&]() { return m_powermod_g_p(m_mod_q.multiply(s, i)); });
185 
186  BigInt s_r = m_powermod_y_p(m_mod_q.multiply(s, r));
187  BigInt s_i = future_s_i.get();
188 #else
189  BigInt s_r = m_powermod_y_p(m_mod_q.multiply(s, r));
190  BigInt s_i = m_powermod_g_p(m_mod_q.multiply(s, i));
191 #endif
192 
193  s = m_mod_p.multiply(s_i, s_r);
194 
195  return (m_mod_q.reduce(s) == r);
196  }
197 
198 }
199 
200 std::unique_ptr<PK_Ops::Verification>
201 DSA_PublicKey::create_verification_op(const std::string& params,
202  const std::string& provider) const
203  {
204  if(provider == "base" || provider.empty())
205  return std::unique_ptr<PK_Ops::Verification>(new DSA_Verification_Operation(*this, params));
206  throw Provider_Not_Found(algo_name(), provider);
207  }
208 
209 std::unique_ptr<PK_Ops::Signature>
211  const std::string& params,
212  const std::string& provider) const
213  {
214  if(provider == "base" || provider.empty())
215  return std::unique_ptr<PK_Ops::Signature>(new DSA_Signature_Operation(*this, params));
216  throw Provider_Not_Found(algo_name(), provider);
217  }
218 
219 }
std::string hash_for_emsa(const std::string &algo_spec)
Definition: emsa.cpp:142
const BigInt & m_x
Definition: dsa.cpp:97
const BigInt & group_q() const
Definition: dl_algo.h:49
Modular_Reducer m_mod_q
Definition: dsa.cpp:99
const BigInt & group_p() const
Definition: dl_algo.h:43
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: dsa.cpp:210
const BigInt & m_y
Definition: dsa.cpp:161
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
std::vector< T, secure_allocator< T >> secure_vector
Definition: secmem.h:121
Modular_Reducer m_mod_p
Definition: dsa.cpp:164
std::string m_emsa
Definition: dsa.cpp:100
#define BOTAN_UNUSED(v)
Definition: assert.h:92
BigInt multiply(const BigInt &x, const BigInt &y) const
Definition: reducer.h:31
DSA_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: dsa.cpp:52
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:48
Definition: alg_id.cpp:13
BigInt reduce(const BigInt &x) const
Definition: reducer.cpp:32
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: numthry.cpp:276
BigInt power_mod(const BigInt &base, const BigInt &exp, const BigInt &mod)
Definition: numthry.cpp:373
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: dl_algo.cpp:90
BigInt generate_rfc6979_nonce(const BigInt &x, const BigInt &q, const BigInt &h, const std::string &hash)
Definition: rfc6979.cpp:49
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition: dsa.cpp:62
const BigInt & group_g() const
Definition: dl_algo.h:55
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: dsa.cpp:201
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:103
Fixed_Base_Power_Mod m_powermod_y_p
Definition: dsa.cpp:163
Fixed_Base_Power_Mod m_powermod_g_p
Definition: dsa.cpp:98
BigInt mul_add(const BigInt &a, const BigInt &b, const BigInt &c)
Definition: mp_numth.cpp:35
const BigInt & m_q
Definition: dsa.cpp:96
size_t bytes() const
Definition: bigint.cpp:176