2
* XMSS Verification Operation
3
* Provides signature verification capabilities for Extended Hash-Based
6
* (C) 2016,2017 Matthias Gierlings
8
* Botan is released under the Simplified BSD License (see license.txt)
11
#include <botan/internal/xmss_verification_operation.h>
15
XMSS_Verification_Operation::XMSS_Verification_Operation(
16
const XMSS_PublicKey& public_key)
17
: XMSS_Common_Ops(public_key.xmss_oid()),
18
m_pub_key(public_key),
23
secure_vector<uint8_t>
24
XMSS_Verification_Operation::root_from_signature(const XMSS_Signature& sig,
25
const secure_vector<uint8_t>& msg,
27
const secure_vector<uint8_t>& seed)
29
adrs.set_type(XMSS_Address::Type::OTS_Hash_Address);
30
adrs.set_ots_address(sig.unused_leaf_index());
32
XMSS_WOTS_PublicKey pub_key_ots(m_pub_key.wots_parameters().oid(),
34
sig.tree().ots_signature(),
38
adrs.set_type(XMSS_Address::Type::LTree_Address);
39
adrs.set_ltree_address(sig.unused_leaf_index());
41
std::array<secure_vector<uint8_t>, 2> node;
42
create_l_tree(node[0], pub_key_ots, adrs, seed);
44
adrs.set_type(XMSS_Address::Type::Hash_Tree_Address);
45
adrs.set_tree_index(sig.unused_leaf_index());
47
for(size_t k = 0; k < m_xmss_params.tree_height(); k++)
49
adrs.set_tree_height(k);
50
if(((sig.unused_leaf_index() / (1 << k)) & 0x01) == 0)
52
adrs.set_tree_index(adrs.get_tree_index() >> 1);
53
randomize_tree_hash(node[1],
55
sig.tree().authentication_path()[k],
61
adrs.set_tree_index((adrs.get_tree_index() - 1) >> 1);
62
randomize_tree_hash(node[1],
63
sig.tree().authentication_path()[k],
74
XMSS_Verification_Operation::verify(const XMSS_Signature& sig,
75
const secure_vector<uint8_t>& msg,
76
const XMSS_PublicKey& public_key)
79
secure_vector<uint8_t> index_bytes;
80
XMSS_Tools::concat(index_bytes,
81
sig.unused_leaf_index(),
82
m_xmss_params.element_size());
83
secure_vector<uint8_t> msg_digest =
84
m_hash.h_msg(sig.randomness(),
89
secure_vector<uint8_t> node = root_from_signature(sig,
92
public_key.public_seed());
94
return (node == public_key.root());
97
// FIXME: XMSS signature verification requires the "randomness" parameter out
98
// of the XMSS signature, which is part of the prefix that is hashed before
99
// msg. Since the signature is unknown till sign() is called all message
100
// content has to be buffered. For large messages this can be inconvenient or
102
// Possible solution: Change PK_Ops::Verification interface to take the
103
// signature as constructor argument, make sign a parameterless member call.
104
void XMSS_Verification_Operation::update(const uint8_t msg[], size_t msg_len)
106
std::copy(msg, msg + msg_len, std::back_inserter(m_msg_buf));
109
bool XMSS_Verification_Operation::is_valid_signature(const uint8_t sig[],
114
XMSS_Signature signature(m_pub_key.xmss_parameters().oid(),
115
secure_vector<uint8_t>(sig, sig + sig_len));
116
bool result = verify(signature, m_msg_buf, m_pub_key);
120
catch(Integrity_Failure&)