gnu.crypto.sig.dss.DSSSignature Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of gnu-crypto Show documentation
The GNU Crypto project
The newest version!
package gnu.crypto.sig.dss;

// ----------------------------------------------------------------------------
// $Id: DSSSignature.java,v 1.8 2003/10/25 03:58:56 raif Exp $
//
// Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc.
//
// This file is part of GNU Crypto.
//
// GNU Crypto is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2, or (at your option)
// any later version.
//
// GNU Crypto is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; see the file COPYING.  If not, write to the
//
//    Free Software Foundation Inc.,
//    59 Temple Place - Suite 330,
//    Boston, MA 02111-1307
//    USA
//
// Linking this library statically or dynamically with other modules is
// making a combined work based on this library.  Thus, the terms and
// conditions of the GNU General Public License cover the whole
// combination.
//
// As a special exception, the copyright holders of this library give
// you permission to link this library with independent modules to
// produce an executable, regardless of the license terms of these
// independent modules, and to copy and distribute the resulting
// executable under terms of your choice, provided that you also meet,
// for each linked independent module, the terms and conditions of the
// license of that module.  An independent module is a module which is
// not derived from or based on this library.  If you modify this
// library, you may extend this exception to your version of the
// library, but you are not obligated to do so.  If you do not wish to
// do so, delete this exception statement from your version.
// ----------------------------------------------------------------------------

import gnu.crypto.Registry;
import gnu.crypto.hash.IMessageDigest;
import gnu.crypto.hash.Sha160;
import gnu.crypto.prng.IRandom;
import gnu.crypto.sig.BaseSignature;
import gnu.crypto.sig.ISignature;

import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;

/**
 * The DSS (Digital Signature Standard) algorithm makes use of the following
 * parameters:
 *
 * 
 *    p: A prime modulus, where 2^L-1 < p < 2^L
 *     for 512 <= L <= 1024 and L a
 *    multiple of 64.
 *    q: A prime divisor of p - 1, where 2¹⁵⁹
 *    < q < 2¹⁶⁰.
 *    g: Where g = h^(p-1)/q mod p, where
 *    h is any integer with 1 < h < p - 1 such
 *    that h^(p-1)/q mod p > 1 (g has order
 *    q mod p).
 *    x: A randomly or pseudorandomly generated integer with 0 < x
 *    < q.
 *    y: y = g^x mod p.
 *    k: A randomly or pseudorandomly generated integer with 0 < k
 *    < q.
 * 
 *
 * The integers p, q, and g can be
 * public and can be common to a group of users. A user's private and public
 * keys are x and y, respectively. They are normally
 * fixed for a period of time. Parameters x and k are
 * used for signature generation only, and must be kept secret. Parameter
 * k must be regenerated for each signature.
 *
 * The signature of a message M is the pair of numbers r
 * and s computed according to the equations below:
 *
 * 
 *    r = (g^k mod p) mod q and
 *    s = (k^-1(SHA(M) + xr)) mod q.
 * 
 *
 * In the above, k^-1 is the multiplicative inverse of
 * k, mod q; i.e., (k^-1 k) mod q = 1
 *  and 0 < k-1 < q. The value of SHA(M)
 * is a 160-bit string output by the Secure Hash Algorithm specified in FIPS 180.
 * For use in computing s, this string must be converted to an
 * integer.
 *
 * As an option, one may wish to check if r == 0 or s == 0
 * . If either r == 0 or s == 0, a new value
 * of k should be generated and the signature should be
 * recalculated (it is extremely unlikely that r == 0 or s ==
 * 0 if signatures are generated properly).
 *
 * The signature is transmitted along with the message to the verifier.
 *
 * References:
 * 
 *    Digital
 *    Signature Standard (DSS), Federal Information Processing Standards
 *    Publication 186. National Institute of Standards and Technology.
 * 
 *
 * @version $Revision: 1.8 $
 */
public class DSSSignature extends BaseSignature {

   // Constants and variables
   // -------------------------------------------------------------------------

   // Constructor(s)
   // -------------------------------------------------------------------------

   /** Trivial 0-arguments constructor. */
   public DSSSignature() {
      super(Registry.DSS_SIG, new Sha160());
   }

   /** Private constructor for cloning purposes. */
   private DSSSignature(DSSSignature that) {
      this();

      this.publicKey = that.publicKey;
      this.privateKey = that.privateKey;
      this.md = (IMessageDigest) that.md.clone();
   }

   // Class methods
   // -------------------------------------------------------------------------

   public static final BigInteger[] sign(final DSAPrivateKey k, final byte[] h) {
      final DSSSignature sig = new DSSSignature();
      final Map attributes = new HashMap();
      attributes.put(ISignature.SIGNER_KEY, k);
      sig.setupSign(attributes);

      return sig.computeRS(h);
   }

   public static final BigInteger[]
   sign(final DSAPrivateKey k, final byte[] h, Random rnd) {
      final DSSSignature sig = new DSSSignature();
      final Map attributes = new HashMap();
      attributes.put(ISignature.SIGNER_KEY, k);
      if (rnd != null) {
         attributes.put(ISignature.SOURCE_OF_RANDOMNESS, rnd);
      }
      sig.setupSign(attributes);

      return sig.computeRS(h);
   }

   public static final BigInteger[]
   sign(final DSAPrivateKey k, final byte[] h, IRandom irnd) {
      final DSSSignature sig = new DSSSignature();
      final Map attributes = new HashMap();
      attributes.put(ISignature.SIGNER_KEY, k);
      if (irnd != null) {
         attributes.put(ISignature.SOURCE_OF_RANDOMNESS, irnd);
      }
      sig.setupSign(attributes);

      return sig.computeRS(h);
   }

   public static final boolean
   verify(final DSAPublicKey k, final byte[] h, final BigInteger[] rs) {
      final DSSSignature sig = new DSSSignature();
      final Map attributes = new HashMap();
      attributes.put(ISignature.VERIFIER_KEY, k);
      sig.setupVerify(attributes);

      return sig.checkRS(rs, h);
   }

   // Implementation of abstract methods in superclass
   // -------------------------------------------------------------------------

   public Object clone() {
      return new DSSSignature(this);
   }

   protected void setupForVerification(PublicKey k)
   throws IllegalArgumentException {
      if (!(k instanceof DSAPublicKey)) {
         throw new IllegalArgumentException();
      }
      this.publicKey = k;
   }

   protected void setupForSigning(PrivateKey k)
   throws IllegalArgumentException {
      if (!(k instanceof DSAPrivateKey)) {
         throw new IllegalArgumentException();
      }
      this.privateKey = k;
   }

   protected Object generateSignature() throws IllegalStateException {
//      BigInteger p = ((DSAPrivateKey) privateKey).getParams().getP();
//      BigInteger q = ((DSAPrivateKey) privateKey).getParams().getQ();
//      BigInteger g = ((DSAPrivateKey) privateKey).getParams().getG();
//      BigInteger x = ((DSAPrivateKey) privateKey).getX();
//      BigInteger m = new BigInteger(1, md.digest());
//      BigInteger k, r, s;
//
//      byte[] kb = new byte[20]; // we'll use 159 bits only
//      while (true) {
//         this.nextRandomBytes(kb);
//         k = new BigInteger(1, kb);
//         k.clearBit(159);
//         r = g.modPow(k, p).mod(q);
//         if (r.equals(BigInteger.ZERO)) {
//            continue;
//         }
//         s = m.add(x.multiply(r)).multiply(k.modInverse(q)).mod(q);
//         if (s.equals(BigInteger.ZERO)) {
//            continue;
//         }
//         break;
//      }
      final BigInteger[] rs = computeRS(md.digest());

//      return encodeSignature(r, s);
      return encodeSignature(rs[0], rs[1]);
   }

   protected boolean verifySignature(Object sig) throws IllegalStateException {
      final BigInteger[] rs = decodeSignature(sig);
//      BigInteger r = rs[0];
//      BigInteger s = rs[1];
//
//      BigInteger g = ((DSAPublicKey) publicKey).getParams().getG();
//      BigInteger p = ((DSAPublicKey) publicKey).getParams().getP();
//      BigInteger q = ((DSAPublicKey) publicKey).getParams().getQ();
//      BigInteger y = ((DSAPublicKey) publicKey).getY();
//      BigInteger w = s.modInverse(q);
//
//      byte bytes[] = md.digest();
//      BigInteger u1 = w.multiply(new BigInteger(1, bytes)).mod(q);
//      BigInteger u2 = r.multiply(w).mod(q);
//
//      BigInteger v = g.modPow(u1, p).multiply(y.modPow(u2, p)).mod(p).mod(q);
//      return v.equals(r);
      return checkRS(rs, md.digest());
   }

   // Other instance methods
   // -------------------------------------------------------------------------

   /**
    * Returns the output of a signature generation phase.
    *
    * @return an object encapsulating the DSS signature pair r and
    * s.
    */
   private Object encodeSignature(BigInteger r, BigInteger s) {
      return new BigInteger[] {r, s};
   }

   /**
    * Returns the output of a previously generated signature object as a pair
    * of {@link java.math.BigInteger}.
    *
    * @return the DSS signature pair r and s.
    */
   private BigInteger[] decodeSignature(Object signature) {
      return (BigInteger[]) signature;
   }

   private BigInteger[] computeRS(final byte[] digestBytes) {
      final BigInteger p = ((DSAPrivateKey) privateKey).getParams().getP();
      final BigInteger q = ((DSAPrivateKey) privateKey).getParams().getQ();
      final BigInteger g = ((DSAPrivateKey) privateKey).getParams().getG();
      final BigInteger x = ((DSAPrivateKey) privateKey).getX();
      final BigInteger m = new BigInteger(1, digestBytes);
      BigInteger k, r, s;

      final byte[] kb = new byte[20]; // we'll use 159 bits only
      while (true) {
         this.nextRandomBytes(kb);
         k = new BigInteger(1, kb);
         k.clearBit(159);
         r = g.modPow(k, p).mod(q);
         if (r.equals(BigInteger.ZERO)) {
            continue;
         }
         s = m.add(x.multiply(r)).multiply(k.modInverse(q)).mod(q);
         if (s.equals(BigInteger.ZERO)) {
            continue;
         }
         break;
      }

      return new BigInteger[] {r, s};
   }

   private boolean checkRS(final BigInteger[] rs, final byte[] digestBytes) {
      final BigInteger r = rs[0];
      final BigInteger s = rs[1];

      final BigInteger g = ((DSAPublicKey) publicKey).getParams().getG();
      final BigInteger p = ((DSAPublicKey) publicKey).getParams().getP();
      final BigInteger q = ((DSAPublicKey) publicKey).getParams().getQ();
      final BigInteger y = ((DSAPublicKey) publicKey).getY();
      final BigInteger w = s.modInverse(q);

      final BigInteger u1 = w.multiply(new BigInteger(1, digestBytes)).mod(q);
      final BigInteger u2 = r.multiply(w).mod(q);

      final BigInteger v = g.modPow(u1, p).multiply(y.modPow(u2, p)).mod(p).mod(q);
      return v.equals(r);
   }
}