From: Bert Hubert Date: Tue, 15 Jan 2013 18:26:01 +0000 (+0000) Subject: the wonderful Aki Tuomi fixed our ECDSA implementation for both crypto++ and botan1.8! X-Git-Tag: rec-3.5-rc1~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6d40be6aa0f07f8fdbb1084a0247f9f44c7edc63;p=thirdparty%2Fpdns.git the wonderful Aki Tuomi fixed our ECDSA implementation for both crypto++ and botan1.8! git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@3055 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/botan18signers.cc b/pdns/botan18signers.cc index e7c56c4794..9cad576a76 100644 --- a/pdns/botan18signers.cc +++ b/pdns/botan18signers.cc @@ -38,7 +38,6 @@ private: static EC_Domain_Params getECParams(unsigned int algorithm); shared_ptr d_key; shared_ptr d_pubkey; - unsigned int d_algorithm; }; EC_Domain_Params ECDSADNSCryptoKeyEngine::getECParams(unsigned int algorithm) @@ -59,13 +58,13 @@ void ECDSADNSCryptoKeyEngine::create(unsigned int bits) } d_key = shared_ptr(new ECDSA_PrivateKey(rng, getECParams((bits == 256) ? 13 : 14))); - PKCS8_Encoder* pk8e= d_key->pkcs8_encoder(); - MemoryVector getbits=pk8e->key_bits(); +// PKCS8_Encoder* pk8e= d_key->pkcs8_encoder(); +// MemoryVector getbits=pk8e->key_bits(); // cerr<private_value(); - SecureVector buffer=BigInt::encode(x); - // cerr<private_value(); +// SecureVector buffer=BigInt::encode(x); +// cerr<(drc.d_algorithm)+" to a "+lexical_cast(d_algorithm)+" key!"); + string privateKey = stormap["privatekey"]; BigInt bigint((byte*)privateKey.c_str(), privateKey.length()); 
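Review bot: In ECDSADNSCryptoKeyEngine::create() the PKCS#8 export and debug lines are commented out rather than deleted, starting at `// PKCS8_Encoder* pk8e= d_key->pkcs8_encoder();`. Those lines read `private_value()` and, judging by the surviving `cerr` fragments, once printed it, so keeping them in the file makes it easy to re-enable output of key material during later debugging. I would delete the block outright, since version control keeps the history. The page text is damaged around this hunk, so the exact extent of the commented block should be checked against the file.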
@@ -112,37 +114,40 @@ void ECDSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map(new ECDSA_PrivateKey); -// cerr<<"Reading!"<pkcs8_decoder(rng); - unsigned char pkcs8header[]= {0x30, 0x25, 0x02, 0x01, 0x01, 0x04, 0x20}; - if(privateKey.length()*8 == 384) { - pkcs8header[1]+=0x10; - pkcs8header[6]+=0x10; - d_key->set_domain_parameters(getECParams(14)); - } + + SecureVector octstr_secret = BigInt::encode_1363(bigint, getBits()/8); + SecureVector octstr_params = encode_der_ec_dompar(params, ENC_EXPLICIT); + + MemoryVector data = DER_Encoder() + .start_cons(SEQUENCE) + .encode(BigInt(1)) + .encode(octstr_secret, OCTET_STRING) + .end_cons() + .get_contents(); + + PKCS8_Decoder *p8e = d_key->pkcs8_decoder(rng); + + if (d_algorithm == 13) + p8e->alg_id(AlgorithmIdentifier("1.2.840.10045.3.1.7", octstr_params)); else - d_key->set_domain_parameters(getECParams(13)); - - string noIdea((char*)pkcs8header, sizeof(pkcs8header)); - noIdea.append(privateKey); - - MemoryVector tmp((byte*)noIdea.c_str(), noIdea.length()); - p8e->key_bits(tmp); + p8e->alg_id(AlgorithmIdentifier("1.3.132.0.34", octstr_params)); + + p8e->key_bits(data); delete p8e; } std::string ECDSADNSCryptoKeyEngine::getPubKeyHash() const { - const BigInt&x = d_key->private_value(); + BigInt x = d_key->private_value(); SecureVector buffer=BigInt::encode(x); return string((const char*)buffer.begin(), (const char*)buffer.end()); } std::string ECDSADNSCryptoKeyEngine::getPublicKeyString() const { - const BigInt&x =d_key->public_point().get_affine_x().get_value(); - const BigInt&y =d_key->public_point().get_affine_y().get_value(); + BigInt x =d_key->public_point().get_affine_x().get_value(); + BigInt y =d_key->public_point().get_affine_y().get_value(); size_t part_size = std::max(x.bytes(), y.bytes()); MemoryVector bits(2*part_size); 
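Review bot: `getPubKeyHash()` in this hunk still returns `BigInt::encode(d_key->private_value())`, which is the raw private scalar copied into a plain `std::string`, under a name that promises a public-key hash. Its callers are not visible here, but anything that logs, caches or compares that value would be handling secret key material; if callers only need a stable identifier, deriving it from the public side, e.g. `return this->hash(getPublicKeyString());`, avoids that. Separately, in fromISCMap() `p8e` is a raw pointer released by `delete p8e;` only on the success path, so an exception from `alg_id()` or `key_bits()` on a malformed key leaks the decoder; holding it in a `shared_ptr` from the moment `pkcs8_decoder(rng)` returns fixes that. The `else` branch also treats every algorithm other than 13 as P-384 (`1.3.132.0.34`), so an explicit `else if (d_algorithm == 14)` with a throw for anything else would be safer. fromISCMap()'s body begins before this hunk.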
@@ -171,8 +176,8 @@ std::string ECDSADNSCryptoKeyEngine::sign(const std::string& msg) const { AutoSeeded_RNG rng; string hash = this->hash(msg); - SecureVector signature=d_key->sign((byte*)hash.c_str(), hash.length(), rng); - + Default_ECDSA_Op ops(d_key->domain_parameters(), d_key->private_value(), d_key->public_point()); + SecureVector signature=ops.sign((byte*)hash.c_str(), hash.length(), rng); return string((const char*)signature.begin(), (const char*) signature.end()); } @@ -195,7 +200,8 @@ bool ECDSADNSCryptoKeyEngine::verify(const std::string& msg, const std::string& { string hash = this->hash(msg); ECDSA_PublicKey* key = d_key ? d_key.get() : d_pubkey.get(); - return key->verify((byte*)hash.c_str(), hash.length(), (byte*)signature.c_str(), signature.length()); + Default_ECDSA_Op ops(key->domain_parameters(), BigInt(0), key->public_point()); + return ops.verify((byte*)signature.c_str(), signature.length(), (byte*)hash.c_str(), hash.length()); } namespace { struct LoaderBotan18Struct diff --git a/pdns/cryptoppsigners.cc b/pdns/cryptoppsigners.cc index b83e9f6869..2812dc88b4 100644 --- a/pdns/cryptoppsigners.cc +++ b/pdns/cryptoppsigners.cc @@ -93,7 +93,7 @@ void CryptoPPECDSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecord privateKey->Initialize(oid, x); bool result = privateKey->Validate(prng, 3); if (!result) { - throw "Cannot load private key - validation failed!"; + throw runtime_error("Cannot load private key - validation failed!"); } d_key = shared_ptr(privateKey); publickey_t* publicKey = new publickey_t();
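Review bot: sign() dereferences `d_key` three times without checking it, while verify() in the same file explicitly falls back to `d_pubkey` when `d_key` is empty, so an engine that was loaded from a public key only would dereference an empty pointer here. A guard at the top, `if(!d_key) throw runtime_error("Can't sign without a private key");`, turns that into a reportable error. A one-line comment explaining why the low-level `Default_ECDSA_Op` is used instead of `d_key->sign()` would also help, since the commit message only says the implementation was fixed.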
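Review bot: The `signature` passed to `ops.verify()` is caller-supplied (for DNSSEC validation presumably taken from an untrusted record) and its length is not checked first. For these curves it should be exactly two field elements, so `if(signature.length() != 2*(getBits()/8)) return false;` before constructing the op would reject malformed input early, assuming `getBits()` is callable from this method. Whether `Default_ECDSA_Op::verify` throws or returns false on odd-length or out-of-range input is not visible in this diff, so an exception could escape to the caller instead of counting as a failed validation. The argument order is also reversed relative to the removed `key->verify(...)` call (signature first, then hash), which deserves a short comment and a known-answer test so the two cannot be swapped back silently.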
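Review bot: When `Validate()` fails, the throw happens before the assignment to `d_key` takes ownership, so `privateKey`, which appears to be a raw pointer allocated earlier in fromISCMap(), is leaked together with the key material it holds. Moving the ownership transfer above the check, or constructing the object in a `shared_ptr` from the start, lets it be destroyed on the error path. The same concern applies to `publicKey = new publickey_t()` on the last line if anything after it can throw; the rest of the function is outside the hunk.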