3e93c42004-02-07Martin Nilsson 
b3e4a02013-10-28Martin Nilsson //! The Digital Signature Algorithm DSA is part of the NIST Digital //! Signature Standard DSS, FIPS-186 (1993).
3e93c42004-02-07Martin Nilsson #pike __REAL_VERSION__ #pragma strict_types
e1fb092014-02-14Martin Nilsson #require constant(Crypto.Hash)
b3e4a02013-10-28Martin Nilsson 
9104d02014-01-13Henrik Grubbström (Grubba) inherit Crypto.Sign;
119b8d2014-08-14Henrik Grubbström (Grubba) //! Returns the string @expr{"DSA"@}. string(8bit) name() { return "DSA"; } class State { inherit ::this_program;
53d1d32014-04-26Martin Nilsson protected string _sprintf(int t) {
2037ab2014-04-30Martin Nilsson  return t=='O' && sprintf("%O(%d,%d)", this_program, p->size(), q->size());
53d1d32014-04-26Martin Nilsson }
b3e4a02013-10-28Martin Nilsson // // --- Variables and accessors //
3e93c42004-02-07Martin Nilsson 
9eaf1d2008-06-28Martin Nilsson protected Gmp.mpz p; // Modulo protected Gmp.mpz q; // Group order protected Gmp.mpz g; // Generator
3e93c42004-02-07Martin Nilsson 
9eaf1d2008-06-28Martin Nilsson protected Gmp.mpz y; // Public key protected Gmp.mpz x; // Private key
3e93c42004-02-07Martin Nilsson 
b432312014-04-06Martin Nilsson protected function(int(0..):string(8bit)) random = .Random.random_string;
3e93c42004-02-07Martin Nilsson 
b3e4a02013-10-28Martin Nilsson Gmp.mpz get_p() { return p; } //! Returns the DSA modulo (p). Gmp.mpz get_q() { return q; } //! Returns the DSA group order (q). Gmp.mpz get_g() { return g; } //! Returns the DSA generator (g). Gmp.mpz get_y() { return y; } //! Returns the DSA public key (y). Gmp.mpz get_x() { return x; } //! Returns the DSA private key (x).
3e93c42004-02-07Martin Nilsson 
2d125d2004-02-07Martin Nilsson //! Sets the random function, used to generate keys and parameters, to //! the function @[r]. Default is @[Crypto.Random.random_string].
b432312014-04-06Martin Nilsson this_program set_random(function(int(0..):string(8bit)) r)
3e93c42004-02-07Martin Nilsson { random = r; return this; }
b3e4a02013-10-28Martin Nilsson //! Returns the string @expr{"DSA"@}.
387ff92013-12-19Martin Nilsson string(8bit) name() { return "DSA"; }
3e93c42004-02-07Martin Nilsson 
b3e4a02013-10-28Martin Nilsson // // --- Key methods //
3e93c42004-02-07Martin Nilsson 
b3e4a02013-10-28Martin Nilsson //! Sets the public key in this DSA object. //! @param modulo //! This is the p parameter. //! @param order //! This is the group order q parameter. //! @param generator //! This is the g parameter. //! @param kye //! This is the public key y parameter. this_program set_public_key(Gmp.mpz modulo, Gmp.mpz order, Gmp.mpz generator, Gmp.mpz key)
3e93c42004-02-07Martin Nilsson {
b3e4a02013-10-28Martin Nilsson  p = modulo; q = order; g = generator; y = key; return this;
3e93c42004-02-07Martin Nilsson }
b3e4a02013-10-28Martin Nilsson //! Compares the public key in this object with that in the provided //! DSA object. int(0..1) public_key_equal(this_program dsa)
3e93c42004-02-07Martin Nilsson {
b3e4a02013-10-28Martin Nilsson  return (p == dsa->get_p()) && (q == dsa->get_q()) && (g == dsa->get_g()) && (y == dsa->get_y());
3e93c42004-02-07Martin Nilsson }
7c383a2014-02-22Henrik Grubbström (Grubba) //! Compares the keys of this DSA object with something other. protected int(0..1) _equal(mixed other) { if (!objectp(other) || (object_program(other) != object_program(this)) || !public_key_equal([object(this_program)]other)) { return 0; } this_program dsa = [object(this_program)]other; return x == dsa->get_x(); }
b3e4a02013-10-28Martin Nilsson //! Sets the private key, the x parameter, in this DSA object. this_program set_private_key(Gmp.mpz secret)
3e93c42004-02-07Martin Nilsson {
b3e4a02013-10-28Martin Nilsson  x = secret; return this;
3e93c42004-02-07Martin Nilsson }
b3e4a02013-10-28Martin Nilsson // // --- Key generation //
3e93c42004-02-07Martin Nilsson 
3f6dd02013-12-02Martin Nilsson #if !constant(Nettle.dsa_generate_keypair)
3e93c42004-02-07Martin Nilsson #define SEED_LENGTH 20
387ff92013-12-19Martin Nilsson protected string(8bit) nist_hash(Gmp.mpz x)
3e93c42004-02-07Martin Nilsson {
387ff92013-12-19Martin Nilsson  string(8bit) s = x->digits(256);
3e93c42004-02-07Martin Nilsson  return .SHA1.hash(s[sizeof(s) - SEED_LENGTH..]); }
b3e4a02013-10-28Martin Nilsson // The (slow) NIST method of generating a DSA prime pair. Algorithm // 4.56 of Handbook of Applied Cryptography. protected array(Gmp.mpz) nist_primes(int l)
3e93c42004-02-07Martin Nilsson { if ( (l < 0) || (l > 8) ) error( "Unsupported key size.\n" ); int L = 512 + 64 * l; int n = (L-1) / 160;
0423a82008-04-15Martin Nilsson  // int b = (L-1) % 160;
3e93c42004-02-07Martin Nilsson  for (;;) { /* Generate q */
387ff92013-12-19Martin Nilsson  string(8bit) seed = random(SEED_LENGTH);
3e93c42004-02-07Martin Nilsson  Gmp.mpz s = Gmp.mpz(seed, 256);
387ff92013-12-19Martin Nilsson  string(8bit) h = [string(8bit)]
78b5c92013-12-10Henrik Grubbström (Grubba)  (nist_hash(s) ^ nist_hash( [object(Gmp.mpz)](s + 1) ));
3e93c42004-02-07Martin Nilsson 
387ff92013-12-19Martin Nilsson  h = sprintf("%c%s%c", h[0] | 0x80, h[1..<1], h[-1] | 1);
3e93c42004-02-07Martin Nilsson  Gmp.mpz q = Gmp.mpz(h, 256);
ce0c2a2014-05-05Martin Nilsson  if (!q->probably_prime_p())
3e93c42004-02-07Martin Nilsson  continue; /* q is a prime, with overwelming probability. */ int i, j; for (i = 0, j = 2; i < 4096; i++, j += n+1) {
387ff92013-12-19Martin Nilsson  string(8bit) buffer = "";
3e93c42004-02-07Martin Nilsson  int k; for (k = 0; k<= n; k++) buffer = nist_hash( [object(Gmp.mpz)](s + j + k) ) + buffer; buffer = buffer[sizeof(buffer) - L/8 ..];
387ff92013-12-19Martin Nilsson  buffer[0] = [int(8bit)](buffer[0] | 0x80);
3e93c42004-02-07Martin Nilsson  Gmp.mpz p = Gmp.mpz(buffer, 256); p -= p % (2 * q) - 1;
ce0c2a2014-05-05Martin Nilsson  if (p->probably_prime_p())
3e93c42004-02-07Martin Nilsson  { /* Done */ return ({ p, q }); } } } }
9eaf1d2008-06-28Martin Nilsson protected Gmp.mpz find_generator(Gmp.mpz p, Gmp.mpz q)
3e93c42004-02-07Martin Nilsson { Gmp.mpz e = [object(Gmp.mpz)]((p - 1) / q); Gmp.mpz g; do { /* A random number in { 2, 3, ... p - 2 } */ g = ([object(Gmp.mpz)](random_number( [object(Gmp.mpz)](p-3) ) + 2)) /* Exponentiate to get an element of order 1 or q */ ->powm(e, p); } while (g == 1); return g; }
3f6dd02013-12-02Martin Nilsson // Generate key parameters (p, q and g) using the NIST DSA prime pair // generation algorithm. @[bits] must be multiple of 64. protected void generate_parameters(int bits)
3e93c42004-02-07Martin Nilsson {
b3e4a02013-10-28Martin Nilsson  if (!bits || bits % 64)
3e93c42004-02-07Martin Nilsson  error( "Unsupported key size.\n" ); [p, q] = nist_primes(bits / 64 - 8); if (p % q != 1) error( "Internal error.\n" ); if (q->size() != 160) error( "Internal error.\n" ); g = find_generator(p, q); if ( (g == 1) || (g->powm(q, p) != 1)) error( "Internal error.\n" );
3f6dd02013-12-02Martin Nilsson } variant this_program generate_key(int p_bits, int q_bits) { if(q_bits!=160) error("Only 1024/160 supported with Nettle version < 2.0\n"); generate_parameters(1024); return generate_key(); }
3e93c42004-02-07Martin Nilsson 
3f6dd02013-12-02Martin Nilsson #else // !constant(Nettle.dsa_generate_keypair) //! Generates DSA parameters (p, q, g) and key (x, y). Depending on //! Nettle version @[q_bits] can be 160, 224 and 256 bits. 160 works //! for all versions. variant this_program generate_key(int p_bits, int q_bits) { [ p, q, g, y, x ] = Nettle.dsa_generate_keypair(p_bits, q_bits, random);
3e93c42004-02-07Martin Nilsson  return this; }
3f6dd02013-12-02Martin Nilsson #endif
3e93c42004-02-07Martin Nilsson //! Generates a public/private key pair. Needs the public parameters //! p, q and g set, either through @[set_public_key] or
3f6dd02013-12-02Martin Nilsson //! @[generate_key(int,int)]. variant this_program generate_key()
3e93c42004-02-07Martin Nilsson { /* x in { 2, 3, ... q - 1 } */ if(!p || !q || !g) error("Public parameters not set..\n"); x = [object(Gmp.mpz)](random_number( [object(Gmp.mpz)](q-2) ) + 2); y = g->powm(x, p); return this; }
3f6dd02013-12-02Martin Nilsson 
b3e4a02013-10-28Martin Nilsson // // --- PKCS methods // #define Sequence Standards.ASN1.Types.Sequence
a2a39b2014-01-11Henrik Grubbström (Grubba) #define Integer Standards.ASN1.Types.Integer #define BitString Standards.ASN1.Types.BitString
b3e4a02013-10-28Martin Nilsson 
a2a39b2014-01-11Henrik Grubbström (Grubba) //! Returns the AlgorithmIdentifier as defined in RFC5280 section //! 4.1.1.2 including the DSA parameters. Sequence pkcs_algorithm_identifier() { return Sequence( ({ Standards.PKCS.Identifiers.dsa_id, Sequence( ({ Integer(get_p()), Integer(get_q()), Integer(get_g()) }) ) }) ); } //! Returns the PKCS-1 algorithm identifier for DSA and the provided //! hash algorithm. Only @[SHA1] supported.
0fbdf62014-01-11Henrik Grubbström (Grubba) Sequence pkcs_signature_algorithm_id(.Hash hash)
3e93c42004-02-07Martin Nilsson {
a2a39b2014-01-11Henrik Grubbström (Grubba)  switch(hash->name()) { case "sha1": return Sequence( ({ Standards.PKCS.Identifiers.dsa_sha_id }) ); break; case "sha224": return Sequence( ({ Standards.PKCS.Identifiers.dsa_sha224_id }) ); break; case "sha256": return Sequence( ({ Standards.PKCS.Identifiers.dsa_sha256_id }) ); break; } return 0;
3e93c42004-02-07Martin Nilsson }
a2a39b2014-01-11Henrik Grubbström (Grubba) //! Creates a SubjectPublicKeyInfo ASN.1 sequence for the object. //! See RFC 5280 section 4.1.2.7.
b3e4a02013-10-28Martin Nilsson Sequence pkcs_public_key() {
a2a39b2014-01-11Henrik Grubbström (Grubba)  return Sequence(({ pkcs_algorithm_identifier(), BitString(Integer(get_y())->get_der()), }));
b3e4a02013-10-28Martin Nilsson }
a2a39b2014-01-11Henrik Grubbström (Grubba) #undef BitString #undef Integer
b3e4a02013-10-28Martin Nilsson #undef Sequence
ee804c2013-11-21Martin Nilsson //! Signs the @[message] with a PKCS-1 signature using hash algorithm //! @[h].
387ff92013-12-19Martin Nilsson string(8bit) pkcs_sign(string(8bit) message, .Hash h)
ee804c2013-11-21Martin Nilsson { array sign = map(raw_sign(hash(message, h)), Standards.ASN1.Types.Integer); return Standards.ASN1.Types.Sequence(sign)->get_der(); } #define Object Standards.ASN1.Types.Object //! Verify PKCS-1 signature @[sign] of message @[message] using hash //! algorithm @[h].
387ff92013-12-19Martin Nilsson int(0..1) pkcs_verify(string(8bit) message, .Hash h, string(8bit) sign)
ee804c2013-11-21Martin Nilsson { Object a = Standards.ASN1.Decode.simple_der_decode(sign);
0e0a0a2013-12-04Martin Nilsson  // The signature is the DER-encoded ASN.1 sequence Dss-Sig-Value // with the two integers r and s. See RFC 3279 section 2.2.2.
ee804c2013-11-21Martin Nilsson  if (!a || (a->type_name != "SEQUENCE") || (sizeof([array]a->elements) != 2) || (sizeof( ([array(object(Object))]a->elements)->type_name - ({ "INTEGER" })))) return 0; return raw_verify(hash(message, h), [object(Gmp.mpz)]([array(object(Object))]a->elements)[0]-> value, [object(Gmp.mpz)]([array(object(Object))]a->elements)[1]-> value); } #undef Object
b3e4a02013-10-28Martin Nilsson //
7f833d2014-04-12Henrik Grubbström (Grubba) // --- Below are methods for DSA applied in other standards.
b3e4a02013-10-28Martin Nilsson // //! Makes a DSA hash of the messge @[msg].
387ff92013-12-19Martin Nilsson Gmp.mpz hash(string(8bit) msg, .Hash h)
b3e4a02013-10-28Martin Nilsson {
387ff92013-12-19Martin Nilsson  string(8bit) digest = h->hash(msg)[..q->size()/8-1];
8f18ae2013-11-22Martin Nilsson  return [object(Gmp.mpz)](Gmp.mpz(digest, 256) % q);
b3e4a02013-10-28Martin Nilsson } protected Gmp.mpz random_number(Gmp.mpz n) {
b432312014-04-06Martin Nilsson  return [object(Gmp.mpz)](Gmp.mpz(random( [int(0..)](q->size() + 10 / 8)), 256) % n);
b3e4a02013-10-28Martin Nilsson } protected Gmp.mpz random_exponent() { return [object(Gmp.mpz)](random_number([object(Gmp.mpz)](q - 1)) + 1); } //! Sign the message @[h]. Returns the signature as two @[Gmp.mpz] //! objects. array(Gmp.mpz) raw_sign(Gmp.mpz h, void|Gmp.mpz k) { if(!k) k = random_exponent(); Gmp.mpz r = [object(Gmp.mpz)](g->powm(k, p) % q); Gmp.mpz s = [object(Gmp.mpz)]((k->invert(q) * (h + x*r)) % q); return ({ r, s }); } //! Verify the signature @[r],@[s] against the message @[h]. int(0..1) raw_verify(Gmp.mpz h, Gmp.mpz r, Gmp.mpz s) { Gmp.mpz w; if (catch { w = s->invert(q); }) /* Non-invertible */ return 0; /* The inner %q's are redundant, as g^q == y^q == 1 (mod p) */ return r == (g->powm( [object(Gmp.mpz)](w * h % q), p) * y->powm( [object(Gmp.mpz)](w * r % q), p) % p) % q; }
7f833d2014-04-12Henrik Grubbström (Grubba) int(0..) key_size() { return p->size(); }
b3e4a02013-10-28Martin Nilsson  // // --- Deprecated stuff // //! Make a RSA ref signature of message @[msg].
387ff92013-12-19Martin Nilsson __deprecated__ string(8bit) sign_rsaref(string(8bit) msg)
b3e4a02013-10-28Martin Nilsson {
ee804c2013-11-21Martin Nilsson  [Gmp.mpz r, Gmp.mpz s] = raw_sign(hash(msg, .SHA1));
b3e4a02013-10-28Martin Nilsson 
d8519c2013-12-19Martin Nilsson  return sprintf("%'\0'20s%'\0'20s", r->digits(256), s->digits(256));
b3e4a02013-10-28Martin Nilsson } //! Verify a RSA ref signature @[s] of message @[msg].
387ff92013-12-19Martin Nilsson __deprecated__ int(0..1) verify_rsaref(string(8bit) msg, string(8bit) s)
b3e4a02013-10-28Martin Nilsson { if (sizeof(s) != 40) return 0;
ee804c2013-11-21Martin Nilsson  return raw_verify(hash(msg, .SHA1),
b3e4a02013-10-28Martin Nilsson  Gmp.mpz(s[..19], 256), Gmp.mpz(s[20..], 256)); }
5b7ecf2004-02-07Martin Nilsson 
1321bc2013-11-22Henrik Grubbström (Grubba) //! Make an SSL signature of message @[msg].
387ff92013-12-19Martin Nilsson __deprecated__ string(8bit) sign_ssl(string(8bit) msg)
ee804c2013-11-21Martin Nilsson { return pkcs_sign(msg, .SHA1); } //! Verify an SSL signature @[s] of message @[msg].
387ff92013-12-19Martin Nilsson __deprecated__ int(0..1) verify_ssl(string(8bit) msg, string(8bit) s)
ee804c2013-11-21Martin Nilsson { return pkcs_verify(msg, .SHA1, s); }
119b8d2014-08-14Henrik Grubbström (Grubba)  } //! Calling `() will return a @[State] object. protected State `()() { return State(); }