6642806734

Committed 25 Oct 2023 03:40PM UTC coverage: 91.687% (+0.01%) from 91.677%

Build # 6642806734

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #3770 from Rohde-Schwarz/feature/pubkey_create_another

Feature: `AsymmetricKey::generate_another()`

Run Details

80170 of 87439 relevant lines covered (91.69%)

8623809.04 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.92

/src/lib/pubkey/dsa/dsa.cpp

/*
* DSA
* (C) 1999-2010,2014,2016,2023 Jack Lloyd
* (C) 2016 René Korthaus
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/dsa.h>

#include <botan/numthry.h>
#include <botan/internal/divide.h>
#include <botan/internal/dl_scheme.h>
#include <botan/internal/keypair.h>
#include <botan/internal/pk_ops_impl.h>

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   #include <botan/internal/rfc6979.h>
#endif

namespace Botan {

size_t DSA_PublicKey::message_part_size() const {
   return m_public_key->group().q_bytes();
}

size_t DSA_PublicKey::estimated_strength() const {
   return m_public_key->estimated_strength();
}

size_t DSA_PublicKey::key_length() const {
   return m_public_key->p_bits();
}

const BigInt& DSA_PublicKey::get_int_field(std::string_view field) const {
   return m_public_key->get_int_field(algo_name(), field);
}

AlgorithmIdentifier DSA_PublicKey::algorithm_identifier() const {
   return AlgorithmIdentifier(object_identifier(), m_public_key->group().DER_encode(DL_Group_Format::ANSI_X9_57));
}

std::vector<uint8_t> DSA_PublicKey::public_key_bits() const {
   return m_public_key->DER_encode();
}

bool DSA_PublicKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   return m_public_key->check_key(rng, strong);
}

std::unique_ptr<Private_Key> DSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
   return std::make_unique<DSA_PrivateKey>(rng, m_public_key->group());
}

DSA_PublicKey::DSA_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
   m_public_key = std::make_shared<DL_PublicKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);

   BOTAN_ARG_CHECK(m_public_key->group().has_q(), "Q parameter must be set for DSA");
}

DSA_PublicKey::DSA_PublicKey(const DL_Group& group, const BigInt& y) {
   m_public_key = std::make_shared<DL_PublicKey>(group, y);

   BOTAN_ARG_CHECK(m_public_key->group().has_q(), "Q parameter must be set for DSA");
}

DSA_PrivateKey::DSA_PrivateKey(RandomNumberGenerator& rng, const DL_Group& group) {
   BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA");

   m_private_key = std::make_shared<DL_PrivateKey>(group, rng);
   m_public_key = m_private_key->public_key();
}

DSA_PrivateKey::DSA_PrivateKey(const DL_Group& group, const BigInt& x) {
   BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA");

   m_private_key = std::make_shared<DL_PrivateKey>(group, x);
   m_public_key = m_private_key->public_key();
}

DSA_PrivateKey::DSA_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
   m_private_key = std::make_shared<DL_PrivateKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);
   m_public_key = m_private_key->public_key();

   BOTAN_ARG_CHECK(m_private_key->group().has_q(), "Q parameter must be set for DSA");
}

bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   if(!m_private_key->check_key(rng, strong)) {
      return false;
   }

   if(m_private_key->private_key() >= m_private_key->group().get_q()) {
      return false;
   }

   return KeyPair::signature_consistency_check(rng, *this, "SHA-256");
}

secure_vector<uint8_t> DSA_PrivateKey::private_key_bits() const {
   return m_private_key->DER_encode();
}

secure_vector<uint8_t> DSA_PrivateKey::raw_private_key_bits() const {
   return m_private_key->raw_private_key_bits();
}

const BigInt& DSA_PrivateKey::get_int_field(std::string_view field) const {
   return m_private_key->get_int_field(algo_name(), field);
}

std::unique_ptr<Public_Key> DSA_PrivateKey::public_key() const {
   // can't use make_unique here due to private constructor
   return std::unique_ptr<DSA_PublicKey>(new DSA_PublicKey(m_public_key));
}

namespace {

/**
* Object that can create a DSA signature
*/
class DSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {
   public:
      DSA_Signature_Operation(const std::shared_ptr<const DL_PrivateKey>& key,
                              std::string_view emsa,
                              RandomNumberGenerator& rng) :
            PK_Ops::Signature_with_Hash(emsa), m_key(key) {
         m_b = BigInt::random_integer(rng, 2, m_key->group().get_q());
         m_b_inv = m_key->group().inverse_mod_q(m_b);
      }

      size_t signature_length() const override { return 2 * m_key->group().q_bytes(); }

      secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, RandomNumberGenerator& rng) override;

      AlgorithmIdentifier algorithm_identifier() const override;

   private:
      std::shared_ptr<const DL_PrivateKey> m_key;
      BigInt m_b, m_b_inv;
};

AlgorithmIdentifier DSA_Signature_Operation::algorithm_identifier() const {
   const std::string full_name = "DSA/" + hash_function();
   const OID oid = OID::from_string(full_name);
   return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
}

secure_vector<uint8_t> DSA_Signature_Operation::raw_sign(const uint8_t msg[],
                                                         size_t msg_len,
                                                         RandomNumberGenerator& rng) {
   const DL_Group& group = m_key->group();
   const BigInt& q = group.get_q();

   BigInt m = BigInt::from_bytes_with_max_bits(msg, msg_len, group.q_bits());

   if(m >= q) {
      m -= q;
   }

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   BOTAN_UNUSED(rng);
   const BigInt k = generate_rfc6979_nonce(m_key->private_key(), q, m, this->rfc6979_hash_function());
#else
   const BigInt k = BigInt::random_integer(rng, 1, q);
#endif

   const BigInt k_inv = group.inverse_mod_q(k);

   /*
   * It may not be strictly necessary for the reduction (g^k mod p) mod q to be
   * const time, since r is published as part of the signature, and deriving
   * anything useful about k from g^k mod p would seem to require computing a
   * discrete logarithm.
   *
   * However it only increases the cost of signatures by about 7-10%, and DSA is
   * only for legacy use anyway so we don't care about the performance so much.
   */
   const BigInt r = ct_modulo(group.power_g_p(k, group.q_bits()), group.get_q());

   /*
   * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
   */
   m_b = group.square_mod_q(m_b);
   m_b_inv = group.square_mod_q(m_b_inv);

   m = group.multiply_mod_q(m_b, m);
   const BigInt xr = group.multiply_mod_q(m_b, m_key->private_key(), r);

   const BigInt s = group.multiply_mod_q(m_b_inv, k_inv, group.mod_q(xr + m));

   // With overwhelming probability, a bug rather than actual zero r/s
   if(r.is_zero() || s.is_zero()) {
      throw Internal_Error("Computed zero r/s during DSA signature");
   }

   return BigInt::encode_fixed_length_int_pair(r, s, q.bytes());
}

/**
* Object that can verify a DSA signature
*/
class DSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {
   public:
      DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, std::string_view emsa) :
            PK_Ops::Verification_with_Hash(emsa), m_key(key) {}

      DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, const AlgorithmIdentifier& alg_id) :
            PK_Ops::Verification_with_Hash(alg_id, "DSA"), m_key(key) {}

      bool verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) override;

   private:
      std::shared_ptr<const DL_PublicKey> m_key;
};

bool DSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) {
   const auto group = m_key->group();

   const BigInt& q = group.get_q();
   const size_t q_bytes = q.bytes();

   if(sig_len != 2 * q_bytes) {
      return false;
   }

   BigInt r(sig, q_bytes);
   BigInt s(sig + q_bytes, q_bytes);
   BigInt i = BigInt::from_bytes_with_max_bits(msg, msg_len, group.q_bits());
   if(i >= q) {
      i -= q;
   }

   if(r <= 0 || r >= q || s <= 0 || s >= q) {
      return false;
   }

   s = inverse_mod(s, q);

   const BigInt sr = group.multiply_mod_q(s, r);
   const BigInt si = group.multiply_mod_q(s, i);

   s = group.multi_exponentiate(si, m_key->public_key(), sr);

   // s is too big for Barrett, and verification doesn't need to be const-time
   return (s % group.get_q() == r);
}

}  // namespace

std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_verification_op(std::string_view params,
                                                                            std::string_view provider) const {
   if(provider == "base" || provider.empty()) {
      return std::make_unique<DSA_Verification_Operation>(this->m_public_key, params);
   }
   throw Provider_Not_Found(algo_name(), provider);
}

std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_x509_verification_op(
   const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
   if(provider == "base" || provider.empty()) {
      return std::make_unique<DSA_Verification_Operation>(this->m_public_key, signature_algorithm);
   }

   throw Provider_Not_Found(algo_name(), provider);
}

std::unique_ptr<PK_Ops::Signature> DSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
                                                                       std::string_view params,
                                                                       std::string_view provider) const {
   if(provider == "base" || provider.empty()) {
      return std::make_unique<DSA_Signature_Operation>(this->m_private_key, params, rng);
   }
   throw Provider_Not_Found(algo_name(), provider);
}

}  // namespace Botan

1	/*
2	* DSA
3	* (C) 1999-2010,2014,2016,2023 Jack Lloyd
4	* (C) 2016 René Korthaus
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/dsa.h>
10
11	#include <botan/numthry.h>
12	#include <botan/internal/divide.h>
13	#include <botan/internal/dl_scheme.h>
14	#include <botan/internal/keypair.h>
15	#include <botan/internal/pk_ops_impl.h>
16
17	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
18	#include <botan/internal/rfc6979.h>
19	#endif
20
21	namespace Botan {
22
23	size_t DSA_PublicKey::message_part_size() const {	444✔
24	return m_public_key->group().q_bytes();	444✔
25	}
26
27	size_t DSA_PublicKey::estimated_strength() const {	28✔
28	return m_public_key->estimated_strength();	28✔
29	}
30
31	size_t DSA_PublicKey::key_length() const {	1✔
32	return m_public_key->p_bits();	1✔
33	}
34
35	const BigInt& DSA_PublicKey::get_int_field(std::string_view field) const {	8✔
36	return m_public_key->get_int_field(algo_name(), field);	8✔
37	}
38
39	AlgorithmIdentifier DSA_PublicKey::algorithm_identifier() const {	93✔
40	return AlgorithmIdentifier(object_identifier(), m_public_key->group().DER_encode(DL_Group_Format::ANSI_X9_57));	186✔
41	}
42
43	std::vector<uint8_t> DSA_PublicKey::public_key_bits() const {	66✔
44	return m_public_key->DER_encode();	66✔
45	}
46
47	bool DSA_PublicKey::check_key(RandomNumberGenerator& rng, bool strong) const {	7✔
48	return m_public_key->check_key(rng, strong);	7✔
49	}
50
51	std::unique_ptr<Private_Key> DSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {	1✔
52	return std::make_unique<DSA_PrivateKey>(rng, m_public_key->group());	2✔
53	}
54
55	DSA_PublicKey::DSA_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {	236✔
56	m_public_key = std::make_shared<DL_PublicKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);	236✔
57
58	BOTAN_ARG_CHECK(m_public_key->group().has_q(), "Q parameter must be set for DSA");	122✔
59	}	236✔
60
61	DSA_PublicKey::DSA_PublicKey(const DL_Group& group, const BigInt& y) {	4✔
62	m_public_key = std::make_shared<DL_PublicKey>(group, y);	4✔
63
64	BOTAN_ARG_CHECK(m_public_key->group().has_q(), "Q parameter must be set for DSA");	4✔
65	}	4✔
66
67	DSA_PrivateKey::DSA_PrivateKey(RandomNumberGenerator& rng, const DL_Group& group) {	16✔
68	BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA");	16✔
69
70	m_private_key = std::make_shared<DL_PrivateKey>(group, rng);	16✔
71	m_public_key = m_private_key->public_key();	16✔
72	}	16✔
73
74	DSA_PrivateKey::DSA_PrivateKey(const DL_Group& group, const BigInt& x) {	325✔
75	BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA");	325✔
76
77	m_private_key = std::make_shared<DL_PrivateKey>(group, x);	325✔
78	m_public_key = m_private_key->public_key();	325✔
79	}	325✔
80
81	DSA_PrivateKey::DSA_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {	316✔
82	m_private_key = std::make_shared<DL_PrivateKey>(alg_id, key_bits, DL_Group_Format::ANSI_X9_57);	316✔
83	m_public_key = m_private_key->public_key();	67✔
84
85	BOTAN_ARG_CHECK(m_private_key->group().has_q(), "Q parameter must be set for DSA");	67✔
86	}	326✔
87
88	bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {	5✔
89	if(!m_private_key->check_key(rng, strong)) {	5✔
90	return false;
91	}
92
93	if(m_private_key->private_key() >= m_private_key->group().get_q()) {	5✔
94	return false;
95	}
96
97	return KeyPair::signature_consistency_check(rng, *this, "SHA-256");	5✔
98	}
99
100	secure_vector<uint8_t> DSA_PrivateKey::private_key_bits() const {	33✔
101	return m_private_key->DER_encode();	33✔
102	}
103
104	secure_vector<uint8_t> DSA_PrivateKey::raw_private_key_bits() const {	×
105	return m_private_key->raw_private_key_bits();	×
106	}
107
108	const BigInt& DSA_PrivateKey::get_int_field(std::string_view field) const {	10✔
109	return m_private_key->get_int_field(algo_name(), field);	10✔
110	}
111
112	std::unique_ptr<Public_Key> DSA_PrivateKey::public_key() const {	306✔
113	// can't use make_unique here due to private constructor
114	return std::unique_ptr<DSA_PublicKey>(new DSA_PublicKey(m_public_key));	306✔
115	}
116
117	namespace {
118
119	/**
120	* Object that can create a DSA signature
121	*/
122	class DSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {	×
123	public:
124	DSA_Signature_Operation(const std::shared_ptr<const DL_PrivateKey>& key,	69✔
125	std::string_view emsa,
126	RandomNumberGenerator& rng) :	69✔
127	PK_Ops::Signature_with_Hash(emsa), m_key(key) {	69✔
128	m_b = BigInt::random_integer(rng, 2, m_key->group().get_q());	138✔
129	m_b_inv = m_key->group().inverse_mod_q(m_b);	138✔
130	}	69✔
131
132	size_t signature_length() const override { return 2 * m_key->group().q_bytes(); }	23✔
133
134	secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, RandomNumberGenerator& rng) override;
135
136	AlgorithmIdentifier algorithm_identifier() const override;
137
138	private:
139	std::shared_ptr<const DL_PrivateKey> m_key;
140	BigInt m_b, m_b_inv;
141	};
142
143	AlgorithmIdentifier DSA_Signature_Operation::algorithm_identifier() const {	37✔
144	const std::string full_name = "DSA/" + hash_function();	37✔
145	const OID oid = OID::from_string(full_name);	37✔
146	return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);	37✔
147	}	37✔
148
149	secure_vector<uint8_t> DSA_Signature_Operation::raw_sign(const uint8_t msg[],	78✔
150	size_t msg_len,
151	RandomNumberGenerator& rng) {
152	const DL_Group& group = m_key->group();	78✔
153	const BigInt& q = group.get_q();	78✔
154
155	BigInt m = BigInt::from_bytes_with_max_bits(msg, msg_len, group.q_bits());	78✔
156
157	if(m >= q) {	78✔
158	m -= q;	26✔
159	}
160
161	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
162	BOTAN_UNUSED(rng);	78✔
163	const BigInt k = generate_rfc6979_nonce(m_key->private_key(), q, m, this->rfc6979_hash_function());	78✔
164	#else
165	const BigInt k = BigInt::random_integer(rng, 1, q);
166	#endif
167
168	const BigInt k_inv = group.inverse_mod_q(k);	78✔
169
170	/*
171	* It may not be strictly necessary for the reduction (g^k mod p) mod q to be
172	* const time, since r is published as part of the signature, and deriving
173	* anything useful about k from g^k mod p would seem to require computing a
174	* discrete logarithm.
175	*
176	* However it only increases the cost of signatures by about 7-10%, and DSA is
177	* only for legacy use anyway so we don't care about the performance so much.
178	*/
179	const BigInt r = ct_modulo(group.power_g_p(k, group.q_bits()), group.get_q());	78✔
180
181	/*
182	* Blind the input message and compute xr+m as (xrb + mb)/b
183	*/
184	m_b = group.square_mod_q(m_b);	78✔
185	m_b_inv = group.square_mod_q(m_b_inv);	78✔
186
187	m = group.multiply_mod_q(m_b, m);	78✔
188	const BigInt xr = group.multiply_mod_q(m_b, m_key->private_key(), r);	78✔
189
190	const BigInt s = group.multiply_mod_q(m_b_inv, k_inv, group.mod_q(xr + m));	156✔
191
192	// With overwhelming probability, a bug rather than actual zero r/s
193	if(r.is_zero() \|\| s.is_zero()) {	156✔
194	throw Internal_Error("Computed zero r/s during DSA signature");	×
195	}
196
197	return BigInt::encode_fixed_length_int_pair(r, s, q.bytes());	78✔
198	}	468✔
199
200	/**
201	* Object that can verify a DSA signature
202	*/
203	class DSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {	×
204	public:
205	DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, std::string_view emsa) :	336✔
206	PK_Ops::Verification_with_Hash(emsa), m_key(key) {}	336✔
207
208	DSA_Verification_Operation(const std::shared_ptr<const DL_PublicKey>& key, const AlgorithmIdentifier& alg_id) :	80✔
209	PK_Ops::Verification_with_Hash(alg_id, "DSA"), m_key(key) {}	80✔
210
211	bool verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) override;
212
213	private:
214	std::shared_ptr<const DL_PublicKey> m_key;
215	};
216
217	bool DSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) {	7,237✔
218	const auto group = m_key->group();	7,237✔
219
220	const BigInt& q = group.get_q();	7,237✔
221	const size_t q_bytes = q.bytes();	7,237✔
222
223	if(sig_len != 2 * q_bytes) {	7,237✔
224	return false;
225	}
226
227	BigInt r(sig, q_bytes);	7,237✔
228	BigInt s(sig + q_bytes, q_bytes);	7,237✔
229	BigInt i = BigInt::from_bytes_with_max_bits(msg, msg_len, group.q_bits());	7,237✔
230	if(i >= q) {	7,237✔
231	i -= q;	1,367✔
232	}
233
234	if(r <= 0 \|\| r >= q \|\| s <= 0 \|\| s >= q) {	27,895✔
235	return false;	410✔
236	}
237
238	s = inverse_mod(s, q);	6,827✔
239
240	const BigInt sr = group.multiply_mod_q(s, r);	6,827✔
241	const BigInt si = group.multiply_mod_q(s, i);	6,827✔
242
243	s = group.multi_exponentiate(si, m_key->public_key(), sr);	6,827✔
244
245	// s is too big for Barrett, and verification doesn't need to be const-time
246	return (s % group.get_q() == r);	20,481✔
247	}	43,012✔
248
249	} // namespace
250
251	std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_verification_op(std::string_view params,	1,311✔
252	std::string_view provider) const {
253	if(provider == "base" \|\| provider.empty()) {	1,637✔
254	return std::make_unique<DSA_Verification_Operation>(this->m_public_key, params);	336✔
255	}
256	throw Provider_Not_Found(algo_name(), provider);	1,950✔
257	}
258
259	std::unique_ptr<PK_Ops::Verification> DSA_PublicKey::create_x509_verification_op(	80✔
260	const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
261	if(provider == "base" \|\| provider.empty()) {	80✔
262	return std::make_unique<DSA_Verification_Operation>(this->m_public_key, signature_algorithm);	80✔
263	}
264
265	throw Provider_Not_Found(algo_name(), provider);	×
266	}
267
268	std::unique_ptr<PK_Ops::Signature> DSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,	132✔
269	std::string_view params,
270	std::string_view provider) const {
271	if(provider == "base" \|\| provider.empty()) {	154✔
272	return std::make_unique<DSA_Signature_Operation>(this->m_private_key, params, rng);	69✔
273	}
274	throw Provider_Not_Found(algo_name(), provider);	126✔
275	}
276
277	} // namespace Botan

randombit / botan / 6642806734

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous