| Frames | No Frames |
1: /* DSSSignature.java -- 2: Copyright (C) 2001, 2002, 2003, 2006 Free Software Foundation, Inc. 3: 4: This file is a part of GNU Classpath. 5: 6: GNU Classpath is free software; you can redistribute it and/or modify 7: it under the terms of the GNU General Public License as published by 8: the Free Software Foundation; either version 2 of the License, or (at 9: your option) any later version. 10: 11: GNU Classpath is distributed in the hope that it will be useful, but 12: WITHOUT ANY WARRANTY; without even the implied warranty of 13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14: General Public License for more details. 15: 16: You should have received a copy of the GNU General Public License 17: along with GNU Classpath; if not, write to the Free Software 18: Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 19: USA 20: 21: Linking this library statically or dynamically with other modules is 22: making a combined work based on this library. Thus, the terms and 23: conditions of the GNU General Public License cover the whole 24: combination. 25: 26: As a special exception, the copyright holders of this library give you 27: permission to link this library with independent modules to produce an 28: executable, regardless of the license terms of these independent 29: modules, and to copy and distribute the resulting executable under 30: terms of your choice, provided that you also meet, for each linked 31: independent module, the terms and conditions of the license of that 32: module. An independent module is a module which is not derived from 33: or based on this library. If you modify this library, you may extend 34: this exception to your version of the library, but you are not 35: obligated to do so. If you do not wish to do so, delete this 36: exception statement from your version. */ 37: 38: 39: package gnu.java.security.sig.dss; 40: 41: import gnu.java.security.Registry; 42: import gnu.java.security.hash.IMessageDigest; 43: import gnu.java.security.hash.Sha160; 44: import gnu.java.security.prng.IRandom; 45: import gnu.java.security.sig.BaseSignature; 46: import gnu.java.security.sig.ISignature; 47: 48: import java.math.BigInteger; 49: import java.security.PrivateKey; 50: import java.security.PublicKey; 51: import java.security.interfaces.DSAPrivateKey; 52: import java.security.interfaces.DSAPublicKey; 53: import java.util.HashMap; 54: import java.util.Map; 55: import java.util.Random; 56: 57: /** 58: * The DSS (Digital Signature Standard) algorithm makes use of the following 59: * parameters: 60: * <ol> 61: * <li>p: A prime modulus, where 62: * <code>2<sup>L-1</sup> < p < 2<sup>L</sup> </code> for <code>512 <= L 63: * <= 1024</code> and <code>L</code> a multiple of <code>64</code>.</li> 64: * <li>q: A prime divisor of <code>p - 1</code>, where <code>2<sup>159</sup> 65: * < q < 2<sup>160</sup></code>.</li> 66: * <li>g: Where <code>g = h<sup>(p-1)</sup>/q mod p</code>, where 67: * <code>h</code> is any integer with <code>1 < h < p - 1</code> such 68: * that <code>h<sup> (p-1)</sup>/q mod p > 1</code> (<code>g</code> has order 69: * <code>q mod p</code>).</li> 70: * <li>x: A randomly or pseudorandomly generated integer with <code>0 < x 71: * < q</code>.</li> 72: * <li>y: <code>y = g<sup>x</sup> mod p</code>.</li> 73: * <li>k: A randomly or pseudorandomly generated integer with <code>0 < k 74: * < q</code>.</li> 75: * </ol> 76: * <p> 77: * The integers <code>p</code>, <code>q</code>, and <code>g</code> can be 78: * public and can be common to a group of users. A user's private and public 79: * keys are <code>x</code> and <code>y</code>, respectively. They are 80: * normally fixed for a period of time. Parameters <code>x</code> and 81: * <code>k</code> are used for signature generation only, and must be kept 82: * secret. Parameter <code>k</code> must be regenerated for each signature. 83: * <p> 84: * The signature of a message <code>M</code> is the pair of numbers 85: * <code>r</code> and <code>s</code> computed according to the equations below: 86: * <ul> 87: * <li><code>r = (g<sup>k</sup> mod p) mod q</code> and</li> 88: * <li><code>s = (k<sup>-1</sup>(SHA(M) + xr)) mod q</code>.</li> 89: * </ul> 90: * <p> 91: * In the above, <code>k<sup>-1</sup></code> is the multiplicative inverse of 92: * <code>k</code>, <code>mod q</code>; i.e., <code>(k<sup>-1</sup> k) mod q = 93: * 1</code> and <code>0 < k-1 < q</code>. The value of <code>SHA(M)</code> 94: * is a 160-bit string output by the Secure Hash Algorithm specified in FIPS 95: * 180. For use in computing <code>s</code>, this string must be converted to 96: * an integer. 97: * <p> 98: * As an option, one may wish to check if <code>r == 0</code> or <code>s == 0 99: * </code>. 100: * If either <code>r == 0</code> or <code>s == 0</code>, a new value of 101: * <code>k</code> should be generated and the signature should be recalculated 102: * (it is extremely unlikely that <code>r == 0</code> or <code>s == 0</code> if 103: * signatures are generated properly). 104: * <p> 105: * The signature is transmitted along with the message to the verifier. 106: * <p> 107: * References: 108: * <ol> 109: * <li><a href="http://www.itl.nist.gov/fipspubs/fip186.htm">Digital Signature 110: * Standard (DSS)</a>, Federal Information Processing Standards Publication 111: * 186. National Institute of Standards and Technology.</li> 112: * </ol> 113: */ 114: public class DSSSignature 115: extends BaseSignature 116: { 117: /** Trivial 0-arguments constructor. */ 118: public DSSSignature() 119: { 120: super(Registry.DSS_SIG, new Sha160()); 121: } 122: 123: /** Private constructor for cloning purposes. */ 124: private DSSSignature(DSSSignature that) 125: { 126: this(); 127: 128: this.publicKey = that.publicKey; 129: this.privateKey = that.privateKey; 130: this.md = (IMessageDigest) that.md.clone(); 131: } 132: 133: public static final BigInteger[] sign(final DSAPrivateKey k, final byte[] h) 134: { 135: final DSSSignature sig = new DSSSignature(); 136: final Map attributes = new HashMap(); 137: attributes.put(ISignature.SIGNER_KEY, k); 138: sig.setupSign(attributes); 139: return sig.computeRS(h); 140: } 141: 142: public static final BigInteger[] sign(final DSAPrivateKey k, final byte[] h, 143: Random rnd) 144: { 145: final DSSSignature sig = new DSSSignature(); 146: final Map attributes = new HashMap(); 147: attributes.put(ISignature.SIGNER_KEY, k); 148: if (rnd != null) 149: attributes.put(ISignature.SOURCE_OF_RANDOMNESS, rnd); 150: 151: sig.setupSign(attributes); 152: return sig.computeRS(h); 153: } 154: 155: public static final BigInteger[] sign(final DSAPrivateKey k, final byte[] h, 156: IRandom irnd) 157: { 158: final DSSSignature sig = new DSSSignature(); 159: final Map attributes = new HashMap(); 160: attributes.put(ISignature.SIGNER_KEY, k); 161: if (irnd != null) 162: attributes.put(ISignature.SOURCE_OF_RANDOMNESS, irnd); 163: 164: sig.setupSign(attributes); 165: return sig.computeRS(h); 166: } 167: 168: public static final boolean verify(final DSAPublicKey k, final byte[] h, 169: final BigInteger[] rs) 170: { 171: final DSSSignature sig = new DSSSignature(); 172: final Map attributes = new HashMap(); 173: attributes.put(ISignature.VERIFIER_KEY, k); 174: sig.setupVerify(attributes); 175: return sig.checkRS(rs, h); 176: } 177: 178: public Object clone() 179: { 180: return new DSSSignature(this); 181: } 182: 183: protected void setupForVerification(PublicKey k) 184: throws IllegalArgumentException 185: { 186: if (! (k instanceof DSAPublicKey)) 187: throw new IllegalArgumentException(); 188: 189: this.publicKey = k; 190: } 191: 192: protected void setupForSigning(PrivateKey k) throws IllegalArgumentException 193: { 194: if (! (k instanceof DSAPrivateKey)) 195: throw new IllegalArgumentException(); 196: 197: this.privateKey = k; 198: } 199: 200: protected Object generateSignature() throws IllegalStateException 201: { 202: final BigInteger[] rs = computeRS(md.digest()); 203: return encodeSignature(rs[0], rs[1]); 204: } 205: 206: protected boolean verifySignature(Object sig) throws IllegalStateException 207: { 208: final BigInteger[] rs = decodeSignature(sig); 209: return checkRS(rs, md.digest()); 210: } 211: 212: /** 213: * Returns the output of a signature generation phase. 214: * 215: * @return an object encapsulating the DSS signature pair <code>r</code> and 216: * <code>s</code>. 217: */ 218: private Object encodeSignature(BigInteger r, BigInteger s) 219: { 220: return new BigInteger[] { r, s }; 221: } 222: 223: /** 224: * Returns the output of a previously generated signature object as a pair of 225: * {@link java.math.BigInteger}. 226: * 227: * @return the DSS signature pair <code>r</code> and <code>s</code>. 228: */ 229: private BigInteger[] decodeSignature(Object signature) 230: { 231: return (BigInteger[]) signature; 232: } 233: 234: private BigInteger[] computeRS(final byte[] digestBytes) 235: { 236: final BigInteger p = ((DSAPrivateKey) privateKey).getParams().getP(); 237: final BigInteger q = ((DSAPrivateKey) privateKey).getParams().getQ(); 238: final BigInteger g = ((DSAPrivateKey) privateKey).getParams().getG(); 239: final BigInteger x = ((DSAPrivateKey) privateKey).getX(); 240: final BigInteger m = new BigInteger(1, digestBytes); 241: BigInteger k, r, s; 242: final byte[] kb = new byte[20]; // we'll use 159 bits only 243: while (true) 244: { 245: this.nextRandomBytes(kb); 246: k = new BigInteger(1, kb); 247: k.clearBit(159); 248: r = g.modPow(k, p).mod(q); 249: if (r.equals(BigInteger.ZERO)) 250: continue; 251: 252: s = m.add(x.multiply(r)).multiply(k.modInverse(q)).mod(q); 253: if (s.equals(BigInteger.ZERO)) 254: continue; 255: 256: break; 257: } 258: return new BigInteger[] { r, s }; 259: } 260: 261: private boolean checkRS(final BigInteger[] rs, final byte[] digestBytes) 262: { 263: final BigInteger r = rs[0]; 264: final BigInteger s = rs[1]; 265: final BigInteger g = ((DSAPublicKey) publicKey).getParams().getG(); 266: final BigInteger p = ((DSAPublicKey) publicKey).getParams().getP(); 267: final BigInteger q = ((DSAPublicKey) publicKey).getParams().getQ(); 268: final BigInteger y = ((DSAPublicKey) publicKey).getY(); 269: final BigInteger w = s.modInverse(q); 270: final BigInteger u1 = w.multiply(new BigInteger(1, digestBytes)).mod(q); 271: final BigInteger u2 = r.multiply(w).mod(q); 272: final BigInteger v = g.modPow(u1, p).multiply(y.modPow(u2, p)).mod(p).mod(q); 273: return v.equals(r); 274: } 275: }