5134090420

Committed 31 May 2023 03:12PM UTC coverage: 91.721% (-0.3%) from 91.995%

Build # 5134090420

Build Type

push

github

Committed by

randombit

Commit Message

Merge GH #3565 Disable noisy/pointless pylint warnings

Run Details

76048 of 82912 relevant lines covered (91.72%)

11755290.1 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

93.44

/src/lib/x509/x509_obj.cpp

/*
* X.509 SIGNED Object
* (C) 1999-2007,2020 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/x509_obj.h>

#include <botan/ber_dec.h>
#include <botan/der_enc.h>
#include <botan/pem.h>
#include <botan/pubkey.h>
#include <botan/internal/emsa.h>
#include <botan/internal/fmt.h>
#include <algorithm>
#include <sstream>

namespace Botan {

/*
* Read a PEM or BER X.509 object
*/
void X509_Object::load_data(DataSource& in) {
   try {
      if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) {
         BER_Decoder dec(in);
         decode_from(dec);
      } else {
         std::string got_label;
         DataSource_Memory ber(PEM_Code::decode(in, got_label));

         if(got_label != PEM_label()) {
            bool is_alternate = false;
            for(std::string_view alt_label : alternate_PEM_labels()) {
               if(got_label == alt_label) {
                  is_alternate = true;
                  break;
               }
            }

            if(!is_alternate) {
               throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
            }
         }

         BER_Decoder dec(ber);
         decode_from(dec);
      }
   } catch(Decoding_Error& e) {
      throw Decoding_Error(PEM_label() + " decoding", e);
   }
}

void X509_Object::encode_into(DER_Encoder& to) const {
   to.start_sequence()
      .start_sequence()
      .raw_bytes(signed_body())
      .end_cons()
      .encode(signature_algorithm())
      .encode(signature(), ASN1_Type::BitString)
      .end_cons();
}

/*
* Read a BER encoded X.509 object
*/
void X509_Object::decode_from(BER_Decoder& from) {
   from.start_sequence()
      .start_sequence()
      .raw_bytes(m_tbs_bits)
      .end_cons()
      .decode(m_sig_algo)
      .decode(m_sig, ASN1_Type::BitString)
      .end_cons();

   force_decode();
}

/*
* Return a PEM encoded X.509 object
*/
std::string X509_Object::PEM_encode() const { return PEM_Code::encode(BER_encode(), PEM_label()); }

/*
* Return the TBS data
*/
std::vector<uint8_t> X509_Object::tbs_data() const { return ASN1::put_in_sequence(m_tbs_bits); }

/*
* Check the signature on an object
*/
bool X509_Object::check_signature(const Public_Key& pub_key) const {
   const auto result = this->verify_signature(pub_key);
   return (result.first == Certificate_Status_Code::VERIFIED);
}

std::pair<Certificate_Status_Code, std::string> X509_Object::verify_signature(const Public_Key& pub_key) const {
   try {
      PK_Verifier verifier(pub_key, signature_algorithm());
      const bool valid = verifier.verify_message(tbs_data(), signature());

      if(valid) {
         return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
      } else {
         return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
      }
   } catch(Decoding_Error&) {
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS, "");
   } catch(Algorithm_Not_Found&) {
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
   } catch(...) {
      // This shouldn't happen, fallback to generic signature error
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
   }
}

/*
* Apply the X.509 SIGNED macro
*/
std::vector<uint8_t> X509_Object::make_signed(PK_Signer& signer,
                                              RandomNumberGenerator& rng,
                                              const AlgorithmIdentifier& algo,
                                              const secure_vector<uint8_t>& tbs_bits) {
   const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);

   std::vector<uint8_t> output;
   DER_Encoder(output)
      .start_sequence()
      .raw_bytes(tbs_bits)
      .encode(algo)
      .encode(signature, ASN1_Type::BitString)
      .end_cons();

   return output;
}

namespace {

std::string x509_signature_padding_for(const std::string& algo_name,
                                       std::string_view hash_fn,
                                       std::string_view user_specified_padding) {
   if(algo_name == "DSA" || algo_name == "ECDSA" || algo_name == "ECGDSA" || algo_name == "ECKCDSA" ||
      algo_name == "GOST-34.10" || algo_name == "GOST-34.10-2012-256" || algo_name == "GOST-34.10-2012-512") {
      BOTAN_ARG_CHECK(user_specified_padding.empty() || user_specified_padding == "EMSA1",
                      "Invalid padding scheme for DSA-like scheme");

      return hash_fn.empty() ? "SHA-256" : std::string(hash_fn);
   } else if(algo_name == "RSA") {
      // set to PKCSv1.5 for compatibility reasons, originally it was the only option

      if(user_specified_padding.empty()) {
         if(hash_fn.empty()) {
            return "EMSA3(SHA-256)";
         } else {
            return fmt("EMSA3({})", hash_fn);
         }
      } else {
         if(hash_fn.empty()) {
            return fmt("{}(SHA-256)", user_specified_padding);
         } else {
            return fmt("{}({})", user_specified_padding, hash_fn);
         }
      }
   } else if(algo_name == "Ed25519") {
      return user_specified_padding.empty() ? "Pure" : std::string(user_specified_padding);
   } else if(algo_name.starts_with("Dilithium-")) {
      return user_specified_padding.empty() ? "Randomized" : std::string(user_specified_padding);
   } else {
      throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name);
   }
}

std::string format_padding_error_message(std::string_view key_name,
                                         std::string_view signer_hash_fn,
                                         std::string_view user_hash_fn,
                                         std::string_view chosen_padding,
                                         std::string_view user_specified_padding) {
   std::ostringstream oss;

   oss << "Specified hash function " << user_hash_fn << " is incompatible with " << key_name;

   if(!signer_hash_fn.empty()) {
      oss << " chose hash function " << signer_hash_fn;
   }

   if(!chosen_padding.empty()) {
      oss << " chose padding " << chosen_padding;
   }
   if(!user_specified_padding.empty()) {
      oss << " with user specified padding " << user_specified_padding;
   }

   return oss.str();
}

}  // namespace

/*
* Choose a signing format for the key
*/
std::unique_ptr<PK_Signer> X509_Object::choose_sig_format(const Private_Key& key,
                                                          RandomNumberGenerator& rng,
                                                          std::string_view hash_fn,
                                                          std::string_view user_specified_padding) {
   const Signature_Format format = key.default_x509_signature_format();

   if(!user_specified_padding.empty()) {
      try {
         auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
         if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
            throw Invalid_Argument(format_padding_error_message(
               key.algo_name(), pk_signer->hash_function(), hash_fn, "", user_specified_padding));
         }
         return pk_signer;
      } catch(Lookup_Error&) {}
   }

   const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);

   try {
      auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
      if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
         throw Invalid_Argument(format_padding_error_message(
            key.algo_name(), pk_signer->hash_function(), hash_fn, padding, user_specified_padding));
      }
      return pk_signer;
   } catch(Not_Implemented&) {
      throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
   }
}

}  // namespace Botan

1	/*
2	* X.509 SIGNED Object
3	* (C) 1999-2007,2020 Jack Lloyd
4	*
5	* Botan is released under the Simplified BSD License (see license.txt)
6	*/
7
8	#include <botan/x509_obj.h>
9
10	#include <botan/ber_dec.h>
11	#include <botan/der_enc.h>
12	#include <botan/pem.h>
13	#include <botan/pubkey.h>
14	#include <botan/internal/emsa.h>
15	#include <botan/internal/fmt.h>
16	#include <algorithm>
17	#include <sstream>
18
19	namespace Botan {
20
21	/*
22	* Read a PEM or BER X.509 object
23	*/
24	void X509_Object::load_data(DataSource& in) {	22,166✔
25	try {	22,166✔
26	if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) {	22,166✔
27	BER_Decoder dec(in);	17,866✔
28	decode_from(dec);	17,866✔
29	} else {	17,866✔
30	std::string got_label;	4,096✔
31	DataSource_Memory ber(PEM_Code::decode(in, got_label));	4,096✔
32
33	if(got_label != PEM_label()) {	2,925✔
34	bool is_alternate = false;	72✔
35	for(std::string_view alt_label : alternate_PEM_labels()) {	142✔
36	if(got_label == alt_label) {	74✔
37	is_alternate = true;
38	break;
39	}
40	}	72✔
41
42	if(!is_alternate) {	72✔
43	throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);	140✔
44	}
45	}
46
47	BER_Decoder dec(ber);	2,838✔
48	decode_from(dec);	2,838✔
49	}	7,028✔
50	} catch(Decoding_Error& e) {	7,345✔
51	throw Decoding_Error(PEM_label() + " decoding", e);	13,306✔
52	}	6,653✔
53	}	14,617✔
54
55	void X509_Object::encode_into(DER_Encoder& to) const {	15,912✔
56	to.start_sequence()	15,912✔
57	.start_sequence()	15,912✔
58	.raw_bytes(signed_body())	15,912✔
59	.end_cons()	15,912✔
60	.encode(signature_algorithm())	15,912✔
61	.encode(signature(), ASN1_Type::BitString)	15,912✔
62	.end_cons();	15,912✔
63	}	15,912✔
64
65	/*
66	* Read a BER encoded X.509 object
67	*/
68	void X509_Object::decode_from(BER_Decoder& from) {	20,959✔
69	from.start_sequence()	20,959✔
70	.start_sequence()	21,687✔
71	.raw_bytes(m_tbs_bits)	18,596✔
72	.end_cons()	18,596✔
73	.decode(m_sig_algo)	18,596✔
74	.decode(m_sig, ASN1_Type::BitString)	17,397✔
75	.end_cons();	17,324✔
76
77	force_decode();	17,316✔
78	}	14,872✔
79
80	/*
81	* Return a PEM encoded X.509 object
82	*/
83	std::string X509_Object::PEM_encode() const { return PEM_Code::encode(BER_encode(), PEM_label()); }	480✔
84
85	/*
86	* Return the TBS data
87	*/
88	std::vector<uint8_t> X509_Object::tbs_data() const { return ASN1::put_in_sequence(m_tbs_bits); }	10,829✔
89
90	/*
91	* Check the signature on an object
92	*/
93	bool X509_Object::check_signature(const Public_Key& pub_key) const {	922✔
94	const auto result = this->verify_signature(pub_key);	922✔
95	return (result.first == Certificate_Status_Code::VERIFIED);	922✔
96	}	922✔
97
98	std::pair<Certificate_Status_Code, std::string> X509_Object::verify_signature(const Public_Key& pub_key) const {	10,885✔
99	try {	10,885✔
100	PK_Verifier verifier(pub_key, signature_algorithm());	10,885✔
101	const bool valid = verifier.verify_message(tbs_data(), signature());	10,829✔
102
103	if(valid) {	10,829✔
104	return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());	20,334✔
105	} else {
106	return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");	662✔
107	}
108	} catch(Decoding_Error&) {	10,885✔
109	return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS, "");	55✔
110	} catch(Algorithm_Not_Found&) {	55✔
111	return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");	×
112	} catch(...) {	1✔
113	// This shouldn't happen, fallback to generic signature error
114	return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");	1✔
115	}	1✔
116	}
117
118	/*
119	* Apply the X.509 SIGNED macro
120	*/
121	std::vector<uint8_t> X509_Object::make_signed(PK_Signer& signer,	441✔
122	RandomNumberGenerator& rng,
123	const AlgorithmIdentifier& algo,
124	const secure_vector<uint8_t>& tbs_bits) {
125	const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);	441✔
126
127	std::vector<uint8_t> output;	441✔
128	DER_Encoder(output)	882✔
129	.start_sequence()	441✔
130	.raw_bytes(tbs_bits)	441✔
131	.encode(algo)	441✔
132	.encode(signature, ASN1_Type::BitString)	441✔
133	.end_cons();	441✔
134
135	return output;	441✔
136	}	441✔
137
138	namespace {
139
140	std::string x509_signature_padding_for(const std::string& algo_name,	210✔
141	std::string_view hash_fn,
142	std::string_view user_specified_padding) {
143	if(algo_name == "DSA" \|\| algo_name == "ECDSA" \|\| algo_name == "ECGDSA" \|\| algo_name == "ECKCDSA" \|\|	210✔
144	algo_name == "GOST-34.10" \|\| algo_name == "GOST-34.10-2012-256" \|\| algo_name == "GOST-34.10-2012-512") {	315✔
145	BOTAN_ARG_CHECK(user_specified_padding.empty() \|\| user_specified_padding == "EMSA1",	125✔
146	"Invalid padding scheme for DSA-like scheme");
147
148	return hash_fn.empty() ? "SHA-256" : std::string(hash_fn);	235✔
149	} else if(algo_name == "RSA") {	85✔
150	// set to PKCSv1.5 for compatibility reasons, originally it was the only option
151
152	if(user_specified_padding.empty()) {	38✔
153	if(hash_fn.empty()) {	36✔
154	return "EMSA3(SHA-256)";	6✔
155	} else {
156	return fmt("EMSA3({})", hash_fn);	30✔
157	}
158	} else {
159	if(hash_fn.empty()) {	2✔
160	return fmt("{}(SHA-256)", user_specified_padding);	×
161	} else {
162	return fmt("{}({})", user_specified_padding, hash_fn);	2✔
163	}
164	}
165	} else if(algo_name == "Ed25519") {	47✔
166	return user_specified_padding.empty() ? "Pure" : std::string(user_specified_padding);	20✔
167	} else if(algo_name.starts_with("Dilithium-")) {	27✔
168	return user_specified_padding.empty() ? "Randomized" : std::string(user_specified_padding);	27✔
169	} else {
170	throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name);	×
171	}
172	}
173
174	std::string format_padding_error_message(std::string_view key_name,	1✔
175	std::string_view signer_hash_fn,
176	std::string_view user_hash_fn,
177	std::string_view chosen_padding,
178	std::string_view user_specified_padding) {
179	std::ostringstream oss;	1✔
180
181	oss << "Specified hash function " << user_hash_fn << " is incompatible with " << key_name;	1✔
182
183	if(!signer_hash_fn.empty()) {	1✔
184	oss << " chose hash function " << signer_hash_fn;	1✔
185	}
186
187	if(!chosen_padding.empty()) {	1✔
188	oss << " chose padding " << chosen_padding;	×
189	}
190	if(!user_specified_padding.empty()) {	1✔
191	oss << " with user specified padding " << user_specified_padding;	1✔
192	}
193
194	return oss.str();	2✔
195	}	1✔
196
197	} // namespace
198
199	/*
200	* Choose a signing format for the key
201	*/
202	std::unique_ptr<PK_Signer> X509_Object::choose_sig_format(const Private_Key& key,	366✔
203	RandomNumberGenerator& rng,
204	std::string_view hash_fn,
205	std::string_view user_specified_padding) {
206	const Signature_Format format = key.default_x509_signature_format();	366✔
207
208	if(!user_specified_padding.empty()) {	366✔
209	try {	158✔
210	auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);	158✔
211	if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {	468✔
212	throw Invalid_Argument(format_padding_error_message(	3✔
213	key.algo_name(), pk_signer->hash_function(), hash_fn, "", user_specified_padding));	2✔
214	}
215	return pk_signer;	155✔
216	} catch(Lookup_Error&) {}	159✔
217	}
218
219	const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);	210✔
220
221	try {	210✔
222	auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);	210✔
223	if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {	574✔
224	throw Invalid_Argument(format_padding_error_message(	×
225	key.algo_name(), pk_signer->hash_function(), hash_fn, padding, user_specified_padding));	×
226	}
227	return pk_signer;	210✔
228	} catch(Not_Implemented&) {	210✔
229	throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");	×
230	}	×
231	}	365✔
232
233	} // namespace Botan

randombit / botan / 5134090420

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous