author | lloyd <[email protected]> | 2014-12-10 04:08:39 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2014-12-10 04:08:39 +0000 |
commit | 63215db88ae3bbb982966de37fe112c44f616a1d (patch) | |
tree | 7c73da7eaf981de4bfbeb15e137320940dcbcfd5 | |
parent | 10cfa8fd826e072a5cd76bf52f4ae80d34eba507 (diff) |
Implement RFC 6979 deterministic signatures for DSA and ECDSA.
Drop the GNU MP engine. Its implementations were potentially faster in
some scenarios but not well protected against side channels.
29 files changed, 331 insertions, 911 deletions
diff --git a/configure.py b/configure.py index f850b2a51..87dd3af78 100755 --- a/configure.py +++ b/configure.py @@ -386,10 +386,13 @@ def process_command_line(args): mods_group.add_option('--no-autoload', action='store_true', default=False, help='disable automatic loading') - for mod in ['boost', 'sqlite3', 'zlib', 'bzip2', 'lzma', 'gnump', 'openssl']: + third_party = ['boost', 'sqlite3', 'zlib', 'bzip2', 'lzma'] + hidden_third_party = ['gnump'] + + for mod in third_party + hidden_third_party: mods_group.add_option('--with-%s' % (mod), - help='add support for using %s' % (mod), + help=('add support for using %s' % (mod)) if mod in third_party else optparse.SUPPRESS_HELP, action='append_const', const=mod, dest='enabled_modules') diff --git a/doc/relnotes/1_11_10.rst b/doc/relnotes/1_11_10.rst index 75c6cbade..fdc7500a1 100644 --- a/doc/relnotes/1_11_10.rst +++ b/doc/relnotes/1_11_10.rst @@ -11,6 +11,8 @@ Version 1.11.10, Not Yet Released http://www.cryptosource.de/docs/mceliece_in_botan.pdf and http://cryptosource.de/news_mce_in_botan_en.html +* DSA and ECDSA now create RFC 6979 deterministic signatures. + * Add support for TLS fallback signaling (draft-ietf-tls-downgrade-scsv-00). Clients will send a fallback SCSV if the version passed to the Client constructor is less than the latest version supported by local policy, @@ -66,6 +68,8 @@ Version 1.11.10, Not Yet Released * Fix decoding indefinite length BER constructs that contain a context sensitive tag of zero. Github pull 26 from Janusz Chorko. +* The GNU MP engine has been removed. + * Added AltiVec detection for POWER8 processors. * Add a new install script written in Python which replaces shell hackery in the diff --git a/src/lib/engine/core_engine/core_engine.h b/src/lib/engine/core_engine/core_engine.h index ca660d21b..d12895662 100644 --- a/src/lib/engine/core_engine/core_engine.h +++ b/src/lib/engine/core_engine/core_engine.h 
@@ -23,10 +23,11 @@ class Core_Engine : public Engine PK_Ops::Key_Agreement* get_key_agreement_op(const Private_Key& key, RandomNumberGenerator& rng) const override; - PK_Ops::Signature* - get_signature_op(const Private_Key& key, RandomNumberGenerator& rng) const override; + PK_Ops::Signature* get_signature_op(const Private_Key& key, const std::string& emsa, + RandomNumberGenerator& rng) const override; - PK_Ops::Verification* get_verify_op(const Public_Key& key, RandomNumberGenerator& rng) const override; + PK_Ops::Verification* get_verify_op(const Public_Key& key, const std::string& emsa, + RandomNumberGenerator& rng) const override; PK_Ops::Encryption* get_encryption_op(const Public_Key& key, RandomNumberGenerator& rng) const override; diff --git a/src/lib/engine/core_engine/def_pk_ops.cpp b/src/lib/engine/core_engine/def_pk_ops.cpp index e99945633..b21877b16 100644 --- a/src/lib/engine/core_engine/def_pk_ops.cpp +++ b/src/lib/engine/core_engine/def_pk_ops.cpp @@ -94,7 +94,7 @@ Core_Engine::get_key_agreement_op(const Private_Key& key, RandomNumberGenerator& } PK_Ops::Signature* -Core_Engine::get_signature_op(const Private_Key& key, RandomNumberGenerator& rng) const +Core_Engine::get_signature_op(const Private_Key& key, const std::string& emsa, RandomNumberGenerator& rng) const { #if defined(BOTAN_HAS_RSA) if(const RSA_PrivateKey* s = dynamic_cast<const RSA_PrivateKey*>(&key)) @@ -108,12 +108,12 @@ Core_Engine::get_signature_op(const Private_Key& key, RandomNumberGenerator& rng #if defined(BOTAN_HAS_DSA) if(const DSA_PrivateKey* s = dynamic_cast<const DSA_PrivateKey*>(&key)) - return new DSA_Signature_Operation(*s); + return new DSA_Signature_Operation(*s, emsa); #endif #if defined(BOTAN_HAS_ECDSA) if(const ECDSA_PrivateKey* s = dynamic_cast<const ECDSA_PrivateKey*>(&key)) - return new ECDSA_Signature_Operation(*s); + return new ECDSA_Signature_Operation(*s, emsa); #endif #if defined(BOTAN_HAS_GOST_34_10_2001) 
@@ -131,7 +131,7 @@ Core_Engine::get_signature_op(const Private_Key& key, RandomNumberGenerator& rng } PK_Ops::Verification* -Core_Engine::get_verify_op(const Public_Key& key, RandomNumberGenerator&) const +Core_Engine::get_verify_op(const Public_Key& key, const std::string& emsa, RandomNumberGenerator&) const { #if defined(BOTAN_HAS_RSA) if(const RSA_PublicKey* s = dynamic_cast<const RSA_PublicKey*>(&key)) diff --git a/src/lib/engine/dyn_engine/dyn_engine.h b/src/lib/engine/dyn_engine/dyn_engine.h index 39e13ab36..a9671b5b5 100644 --- a/src/lib/engine/dyn_engine/dyn_engine.h +++ b/src/lib/engine/dyn_engine/dyn_engine.h @@ -82,15 +82,15 @@ class BOTAN_DLL Dynamically_Loaded_Engine : public Engine } PK_Ops::Signature* - get_signature_op(const Private_Key& key, RandomNumberGenerator& rng) const override + get_signature_op(const Private_Key& key, const std::string& emsa, RandomNumberGenerator& rng) const override { - return engine->get_signature_op(key, rng); + return engine->get_signature_op(key, emsa, rng); } PK_Ops::Verification* - get_verify_op(const Public_Key& key, RandomNumberGenerator& rng) const override + get_verify_op(const Public_Key& key, const std::string& emsa, RandomNumberGenerator& rng) const override { - return engine->get_verify_op(key, rng); + return engine->get_verify_op(key, emsa, rng); } PK_Ops::Encryption* diff --git a/src/lib/engine/engine.cpp b/src/lib/engine/engine.cpp index a50f1e7b2..bfb08ec91 100644 --- a/src/lib/engine/engine.cpp +++ b/src/lib/engine/engine.cpp 
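Review bot: In `Core_Engine::get_verify_op` the new parameter is named `emsa` but, as far as this hunk shows, nothing in the body reads it — only the signature operations gained an `emsa` constructor argument in this commit, the verification classes did not — so it will trip unused-parameter warnings where those are enabled. engine.cpp and ossl_pk.cpp leave the same parameter unnamed, so for consistency I would write `Core_Engine::get_verify_op(const Public_Key& key, const std::string&, RandomNumberGenerator&) const` unless a later part of the function uses it. The function's body continues outside the hunk.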
@@ -65,13 +65,13 @@ Engine::get_key_agreement_op(const Private_Key&, RandomNumberGenerator&) const } PK_Ops::Signature* -Engine::get_signature_op(const Private_Key&, RandomNumberGenerator&) const +Engine::get_signature_op(const Private_Key&, const std::string&, RandomNumberGenerator&) const { return nullptr; } PK_Ops::Verification* -Engine::get_verify_op(const Public_Key&, RandomNumberGenerator&) const +Engine::get_verify_op(const Public_Key&, const std::string&, RandomNumberGenerator&) const { return nullptr; } diff --git a/src/lib/engine/engine.h b/src/lib/engine/engine.h index a03a6e1ec..9774a941f 100644 --- a/src/lib/engine/engine.h +++ b/src/lib/engine/engine.h @@ -118,7 +118,7 @@ class BOTAN_DLL Engine * @return newly allocated operator object, or NULL */ virtual PK_Ops::Signature* - get_signature_op(const Private_Key& key, RandomNumberGenerator& rng) const; + get_signature_op(const Private_Key& key, const std::string& hash, RandomNumberGenerator& rng) const; /** * Return a new operator object for this key, if possible @@ -126,7 +126,7 @@ class BOTAN_DLL Engine * @return newly allocated operator object, or NULL */ virtual PK_Ops::Verification* - get_verify_op(const Public_Key& key, RandomNumberGenerator& rng) const; + get_verify_op(const Public_Key& key, const std::string& hash, RandomNumberGenerator& rng) const; /** * Return a new operator object for this key, if possible diff --git a/src/lib/engine/gnump/gmp_mem.cpp b/src/lib/engine/gnump/gmp_mem.cpp deleted file mode 100644 index b5a5a303e..000000000 --- a/src/lib/engine/gnump/gmp_mem.cpp +++ /dev/null 
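Review bot: The Doxygen blocks above `get_signature_op` and `get_verify_op` are not updated for the new parameter, and the header names it `hash` while every implementation in this commit (core_engine.h, def_pk_ops.cpp, dyn_engine.h, openssl_engine.h) calls it `emsa` and pubkey.cpp passes `emsa_name`. The value is the padding-scheme name that `hash_for_deterministic_signature` later parses for a digest, so calling it `hash` in the public header invites an implementer to pass a bare hash name. I would rename it to `emsa` in both declarations and add `@param emsa name of the EMSA scheme the operation will be used with (e.g. "EMSA1(SHA-1)"); DSA and ECDSA derive their RFC 6979 nonce hash from it` to each comment. The same header/definition mismatch appears in the dsa.h and ecdsa.h hunks, whose constructors declare `hash` while dsa.cpp and ecdsa.cpp define `emsa`.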
@@ -1,83 +0,0 @@ -/* -* GNU MP Memory Handlers -* (C) 1999-2010 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#include <botan/internal/gnump_engine.h> -#include <cstring> -#include <atomic> -#include <gmp.h> - -namespace Botan { - -namespace { - -/* -* For keeping track of existing GMP_Engines and only -* resetting the memory when none are in use. -*/ -std::atomic<size_t> gmp_alloc_refcnt(0); - -/* -* Allocation Function for GNU MP -*/ -void* gmp_malloc(size_t n) - { - // Maintain alignment, mlock goes for sizeof(T) alignment - if(n % 8 == 0) - return secure_allocator<u64bit>().allocate(n / 8); - else if(n % 4 == 0) - return secure_allocator<u32bit>().allocate(n / 4); - else if(n % 2 == 0) - return secure_allocator<u16bit>().allocate(n / 2); - - return secure_allocator<byte>().allocate(n); - } - -/* -* Deallocation Function for GNU MP -*/ -void gmp_free(void* ptr, size_t n) - { - secure_allocator<byte>().deallocate(static_cast<byte*>(ptr), n); - } - -/* -* Reallocation Function for GNU MP -*/ -void* gmp_realloc(void* ptr, size_t old_n, size_t new_n) - { - void* new_buf = gmp_malloc(new_n); - std::memcpy(new_buf, ptr, std::min(old_n, new_n)); - gmp_free(ptr, old_n); - return new_buf; - } - -} - -/* -* GMP_Engine Constructor -*/ -GMP_Engine::GMP_Engine() - { - /* - if(gmp_alloc_refcnt == 0) - mp_set_memory_functions(gmp_malloc, gmp_realloc, gmp_free); - - gmp_alloc_refcnt++; - */ - } - -GMP_Engine::~GMP_Engine() - { - /* - --gmp_alloc_refcnt; - - if(gmp_alloc_refcnt == 0) - mp_set_memory_functions(NULL, NULL, NULL); - */ - } - -} diff --git a/src/lib/engine/gnump/gmp_powm.cpp b/src/lib/engine/gnump/gmp_powm.cpp deleted file mode 100644 index 70c2b2f5e..000000000 --- a/src/lib/engine/gnump/gmp_powm.cpp +++ /dev/null 
@@ -1,53 +0,0 @@ -/* -* GMP Modular Exponentiation -* (C) 1999-2007 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#include <botan/internal/gnump_engine.h> -#include <botan/internal/gmp_wrap.h> - -namespace Botan { - -namespace { - -/* -* GMP Modular Exponentiator -*/ -class GMP_Modular_Exponentiator : public Modular_Exponentiator - { - public: - void set_base(const BigInt& b) { base = b; } - void set_exponent(const BigInt& e) { exp = e; } - BigInt execute() const; - Modular_Exponentiator* copy() const - { return new GMP_Modular_Exponentiator(*this); } - - GMP_Modular_Exponentiator(const BigInt& n) : mod(n) {} - private: - GMP_MPZ base, exp, mod; - }; - -/* -* Compute the result -*/ -BigInt GMP_Modular_Exponentiator::execute() const - { - GMP_MPZ r; - mpz_powm(r.value, base.value, exp.value, mod.value); - return r.to_bigint(); - } - -} - -/* -* Return the GMP-based modular exponentiator -*/ -Modular_Exponentiator* GMP_Engine::mod_exp(const BigInt& n, - Power_Mod::Usage_Hints) const - { - return new GMP_Modular_Exponentiator(n); - } - -} diff --git a/src/lib/engine/gnump/gmp_wrap.cpp b/src/lib/engine/gnump/gmp_wrap.cpp deleted file mode 100644 index 974593d02..000000000 --- a/src/lib/engine/gnump/gmp_wrap.cpp +++ /dev/null 
@@ -1,101 +0,0 @@ -/* -* GMP Wrapper -* (C) 1999-2007 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#include <botan/internal/gmp_wrap.h> - -#define GNU_MP_VERSION_CODE_FOR(a,b,c) ((a << 16) | (b << 8) | (c)) - -#define GNU_MP_VERSION_CODE \ - GNU_MP_VERSION_CODE_FOR(__GNU_MP_VERSION, __GNU_MP_VERSION_MINOR, \ - __GNU_MP_VERSION_PATCHLEVEL) - -#if GNU_MP_VERSION_CODE < GNU_MP_VERSION_CODE_FOR(4,1,0) - #error Your GNU MP install is too old, upgrade to 4.1 or later -#endif - -namespace Botan { - -/* -* GMP_MPZ Constructor -*/ -GMP_MPZ::GMP_MPZ(const BigInt& in) - { - mpz_init(value); - if(in != 0) - mpz_import(value, in.sig_words(), -1, sizeof(word), 0, 0, in.data()); - } - -/* -* GMP_MPZ Constructor -*/ -GMP_MPZ::GMP_MPZ(const byte in[], size_t length) - { - mpz_init(value); - mpz_import(value, length, 1, 1, 0, 0, in); - } - -/* -* GMP_MPZ Copy Constructor -*/ -GMP_MPZ::GMP_MPZ(const GMP_MPZ& other) - { - mpz_init_set(value, other.value); - } - -/* -* GMP_MPZ Destructor -*/ -GMP_MPZ::~GMP_MPZ() - { - mpz_clear(value); - } - -/* -* GMP_MPZ Assignment Operator -*/ -GMP_MPZ& GMP_MPZ::operator=(const GMP_MPZ& other) - { - mpz_set(value, other.value); - return (*this); - } - -/* -* Export the mpz_t as a bytestring -*/ -void GMP_MPZ::encode(byte out[], size_t length) const - { - size_t dummy = 0; - mpz_export(out + (length - bytes()), &dummy, 1, 1, 0, 0, value); - } - -/* -* Return the number of significant bytes -*/ -size_t GMP_MPZ::bytes() const - { - return ((mpz_sizeinbase(value, 2) + 7) / 8); - } - -/* -* GMP to BigInt Conversions -*/ -BigInt GMP_MPZ::to_bigint() const - { - BigInt out(BigInt::Positive, (bytes() + sizeof(word) - 1) / sizeof(word)); - size_t dummy = 0; - - word* reg = out.mutable_data(); - - mpz_export(reg, &dummy, -1, sizeof(word), 0, 0, value); - - if(mpz_sgn(value) < 0) - out.flip_sign(); - - return out; - } - -} 
diff --git a/src/lib/engine/gnump/gmp_wrap.h b/src/lib/engine/gnump/gmp_wrap.h deleted file mode 100644 index 291d65a01..000000000 --- a/src/lib/engine/gnump/gmp_wrap.h +++ /dev/null @@ -1,41 +0,0 @@ -/* -* GMP MPZ Wrapper -* (C) 1999-2007 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#ifndef BOTAN_GMP_MPZ_WRAP_H__ -#define BOTAN_GMP_MPZ_WRAP_H__ - -#include <botan/bigint.h> -#include <gmp.h> - -namespace Botan { - -/** -* Lightweight GMP mpz_t wrapper. For internal use only. -*/ -class GMP_MPZ - { - public: - mpz_t value; - - BigInt to_bigint() const; - void encode(byte[], size_t) const; - size_t bytes() const; - - secure_vector<byte> to_bytes() const - { return BigInt::encode_locked(to_bigint()); } - - GMP_MPZ& operator=(const GMP_MPZ&); - - GMP_MPZ(const GMP_MPZ&); - GMP_MPZ(const BigInt& = 0); - GMP_MPZ(const byte[], size_t); - ~GMP_MPZ(); - }; - -} - -#endif diff --git a/src/lib/engine/gnump/gnump_engine.h b/src/lib/engine/gnump/gnump_engine.h deleted file mode 100644 index ccc723514..000000000 --- a/src/lib/engine/gnump/gnump_engine.h +++ /dev/null 
@@ -1,44 +0,0 @@ -/* -* GMP Engine -* (C) 1999-2007 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#ifndef BOTAN_ENGINE_GMP_H__ -#define BOTAN_ENGINE_GMP_H__ - -#include <botan/engine.h> - -namespace Botan { - -/** -* Engine using GNU MP -*/ -class GMP_Engine : public Engine - { - public: - GMP_Engine(); - ~GMP_Engine(); - - std::string provider_name() const override { return "gmp"; } - - PK_Ops::Key_Agreement* - get_key_agreement_op(const Private_Key& key, RandomNumberGenerator&) const override; - - PK_Ops::Signature* - get_signature_op(const Private_Key& key, RandomNumberGenerator&) const override; - - PK_Ops::Verification* get_verify_op(const Public_Key& key, RandomNumberGenerator&) const override; - - PK_Ops::Encryption* get_encryption_op(const Public_Key& key, RandomNumberGenerator&) const override; - - PK_Ops::Decryption* get_decryption_op(const Private_Key& key, RandomNumberGenerator&) const override; - - Modular_Exponentiator* mod_exp(const BigInt&, - Power_Mod::Usage_Hints) const override; - }; - -} - -#endif diff --git a/src/lib/engine/gnump/gnump_pk.cpp b/src/lib/engine/gnump/gnump_pk.cpp deleted file mode 100644 index 29e172d47..000000000 --- a/src/lib/engine/gnump/gnump_pk.cpp +++ /dev/null 
@@ -1,338 +0,0 @@ -/* -* GnuMP PK operations -* (C) 1999-2010 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#include <botan/internal/gnump_engine.h> -#include <botan/internal/gmp_wrap.h> -#include <gmp.h> - -/* GnuMP 5.0 and later have a side-channel resistent powm */ -#if defined(HAVE_MPZ_POWM_SEC) - #undef mpz_powm - #define mpz_powm mpz_powm_sec -#endif - -#if defined(BOTAN_HAS_RSA) - #include <botan/rsa.h> -#endif - -#if defined(BOTAN_HAS_DSA) - #include <botan/dsa.h> -#endif - -#if defined(BOTAN_HAS_DIFFIE_HELLMAN) - #include <botan/dh.h> -#endif - -namespace Botan { - -namespace { - -#if defined(BOTAN_HAS_DIFFIE_HELLMAN) -class GMP_DH_KA_Operation : public PK_Ops::Key_Agreement - { - public: - GMP_DH_KA_Operation(const DH_PrivateKey& dh) : - x(dh.get_x()), p(dh.group_p()) {} - - secure_vector<byte> agree(const byte w[], size_t w_len) - { - GMP_MPZ z(w, w_len); - mpz_powm(z.value, z.value, x.value, p.value); - return z.to_bytes(); - } - - private: - GMP_MPZ x, p; - }; -#endif - -#if defined(BOTAN_HAS_DSA) - -class GMP_DSA_Signature_Operation : public PK_Ops::Signature - { - public: - GMP_DSA_Signature_Operation(const DSA_PrivateKey& dsa) : - x(dsa.get_x()), - p(dsa.group_p()), - q(dsa.group_q()), - g(dsa.group_g()), - q_bits(dsa.group_q().bits()) {} - - size_t message_parts() const { return 2; } - size_t message_part_size() const { return (q_bits + 7) / 8; } - size_t max_input_bits() const { return q_bits; } - - secure_vector<byte> sign(const byte msg[], size_t msg_len, - RandomNumberGenerator& rng); - private: - const GMP_MPZ x, p, q, g; - size_t q_bits; - }; - -secure_vector<byte> -GMP_DSA_Signature_Operation::sign(const byte msg[], size_t msg_len, - RandomNumberGenerator& rng) - { - const size_t q_bytes = (q_bits + 7) / 8; - - rng.add_entropy(msg, msg_len); - - BigInt k_bn; - do - k_bn.randomize(rng, q_bits); - while(k_bn >= q.to_bigint()); - - GMP_MPZ i(msg, msg_len); - GMP_MPZ k(k_bn); - - GMP_MPZ r; - mpz_powm(r.value, g.value, 
k.value, p.value); - mpz_mod(r.value, r.value, q.value); - - mpz_invert(k.value, k.value, q.value); - - GMP_MPZ s; - mpz_mul(s.value, x.value, r.value); - mpz_add(s.value, s.value, i.value); - mpz_mul(s.value, s.value, k.value); - mpz_mod(s.value, s.value, q.value); - - if(mpz_cmp_ui(r.value, 0) == 0 || mpz_cmp_ui(s.value, 0) == 0) - throw Internal_Error("GMP_DSA_Op::sign: r or s was zero"); - - secure_vector<byte> output(2*q_bytes); - r.encode(&output[0], q_bytes); - s.encode(&output[q_bytes], q_bytes); - return output; - } - -class GMP_DSA_Verification_Operation : public PK_Ops::Verification - { - public: - GMP_DSA_Verification_Operation(const DSA_PublicKey& dsa) : - y(dsa.get_y()), - p(dsa.group_p()), - q(dsa.group_q()), - g(dsa.group_g()), - q_bits(dsa.group_q().bits()) {} - - size_t message_parts() const { return 2; } - size_t message_part_size() const { return (q_bits + 7) / 8; } - size_t max_input_bits() const { return q_bits; } - - bool with_recovery() const { return false; } - - bool verify(const byte msg[], size_t msg_len, - const byte sig[], size_t sig_len); - private: - const GMP_MPZ y, p, q, g; - size_t q_bits; - }; - -bool GMP_DSA_Verification_Operation::verify(const byte msg[], size_t msg_len, - const byte sig[], size_t sig_len) - { - const size_t q_bytes = q.bytes(); - - if(sig_len != 2*q_bytes || msg_len > q_bytes) - return false; - - GMP_MPZ r(sig, q_bytes); - GMP_MPZ s(sig + q_bytes, q_bytes); - GMP_MPZ i(msg, msg_len); - - if(mpz_cmp_ui(r.value, 0) <= 0 || mpz_cmp(r.value, q.value) >= 0) - return false; - if(mpz_cmp_ui(s.value, 0) <= 0 || mpz_cmp(s.value, q.value) >= 0) - return false; - - if(mpz_invert(s.value, s.value, q.value) == 0) - return false; - - GMP_MPZ si; - mpz_mul(si.value, s.value, i.value); - mpz_mod(si.value, si.value, q.value); - mpz_powm(si.value, g.value, si.value, p.value); - - GMP_MPZ sr; - mpz_mul(sr.value, s.value, r.value); - mpz_mod(sr.value, sr.value, q.value); - mpz_powm(sr.value, y.value, sr.value, p.value); - - 
mpz_mul(si.value, si.value, sr.value); - mpz_mod(si.value, si.value, p.value); - mpz_mod(si.value, si.value, q.value); - - if(mpz_cmp(si.value, r.value) == 0) - return true; - return false; - } - -#endif - -#if defined(BOTAN_HAS_RSA) - -class GMP_RSA_Private_Operation : public PK_Ops::Signature, - public PK_Ops::Decryption - { - public: - GMP_RSA_Private_Operation(const RSA_PrivateKey& rsa) : - mod(rsa.get_n()), - p(rsa.get_p()), - q(rsa.get_q()), - d1(rsa.get_d1()), - d2(rsa.get_d2()), - c(rsa.get_c()), - n_bits(rsa.get_n().bits()) - {} - - size_t max_input_bits() const { return (n_bits - 1); } - - secure_vector<byte> sign(const byte msg[], size_t msg_len, - RandomNumberGenerator&) - { - BigInt m(msg, msg_len); - BigInt x = private_op(m); - return BigInt::encode_1363(x, (n_bits + 7) / 8); - } - - secure_vector<byte> decrypt(const byte msg[], size_t msg_len) - { - BigInt m(msg, msg_len); - return BigInt::encode_locked(private_op(m)); - } - - private: - BigInt private_op(const BigInt& m) const; - - GMP_MPZ mod, p, q, d1, d2, c; - size_t n_bits; - }; - -BigInt GMP_RSA_Private_Operation::private_op(const BigInt& m) const - { - GMP_MPZ j1, j2, h(m); - - mpz_powm(j1.value, h.value, d1.value, p.value); - mpz_powm(j2.value, h.value, d2.value, q.value); - mpz_sub(h.value, j1.value, j2.value); - mpz_mul(h.value, h.value, c.value); - mpz_mod(h.value, h.value, p.value); - mpz_mul(h.value, h.value, q.value); - mpz_add(h.value, h.value, j2.value); - return h.to_bigint(); - } - -class GMP_RSA_Public_Operation : public PK_Ops::Verification, - public PK_Ops::Encryption - { - public: - GMP_RSA_Public_Operation(const RSA_PublicKey& rsa) : - n(rsa.get_n()), e(rsa.get_e()), mod(rsa.get_n()) - {} - - size_t max_input_bits() const { return (n.bits() - 1); } - bool with_recovery() const { return true; } - - secure_vector<byte> encrypt(const byte msg[], size_t msg_len, - RandomNumberGenerator&) - { - BigInt m(msg, msg_len); - return BigInt::encode_1363(public_op(m), n.bytes()); - } - - 
secure_vector<byte> verify_mr(const byte msg[], size_t msg_len) - { - BigInt m(msg, msg_len); - return BigInt::encode_locked(public_op(m)); - } - - private: - BigInt public_op(const BigInt& m) const - { - if(m >= n) - throw Invalid_Argument("RSA public op - input is too large"); - - GMP_MPZ m_gmp(m); - mpz_powm(m_gmp.value, m_gmp.value, e.value, mod.value); - return m_gmp.to_bigint(); - } - - const BigInt& n; - const GMP_MPZ e, mod; - }; - -#endif - -} - -PK_Ops::Key_Agreement* -GMP_Engine::get_key_agreement_op(const Private_Key& key, RandomNumberGenerator&) const - { -#if defined(BOTAN_HAS_DIFFIE_HELLMAN) - if(const DH_PrivateKey* dh = dynamic_cast<const DH_PrivateKey*>(&key)) - return new GMP_DH_KA_Operation(*dh); -#endif - - return nullptr; - } - -PK_Ops::Signature* -GMP_Engine::get_signature_op(const Private_Key& key, RandomNumberGenerator&) const - { -#if defined(BOTAN_HAS_RSA) - if(const RSA_PrivateKey* s = dynamic_cast<const RSA_PrivateKey*>(&key)) - return new GMP_RSA_Private_Operation(*s); -#endif - -#if defined(BOTAN_HAS_DSA) - if(const DSA_PrivateKey* s = dynamic_cast<const DSA_PrivateKey*>(&key)) - return new GMP_DSA_Signature_Operation(*s); -#endif - - return nullptr; - } - -PK_Ops::Verification* -GMP_Engine::get_verify_op(const Public_Key& key, RandomNumberGenerator&) const - { -#if defined(BOTAN_HAS_RSA) - if(const RSA_PublicKey* s = dynamic_cast<const RSA_PublicKey*>(&key)) - return new GMP_RSA_Public_Operation(*s); -#endif - -#if defined(BOTAN_HAS_DSA) - if(const DSA_PublicKey* s = dynamic_cast<const DSA_PublicKey*>(&key)) - return new GMP_DSA_Verification_Operation(*s); -#endif - - return nullptr; - } - -PK_Ops::Encryption* -GMP_Engine::get_encryption_op(const Public_Key& key, RandomNumberGenerator&) const - { -#if defined(BOTAN_HAS_RSA) - if(const RSA_PublicKey* s = dynamic_cast<const RSA_PublicKey*>(&key)) - return new GMP_RSA_Public_Operation(*s); -#endif - - return nullptr; - } - -PK_Ops::Decryption* -GMP_Engine::get_decryption_op(const 
Private_Key& key, RandomNumberGenerator&) const - { -#if defined(BOTAN_HAS_RSA) - if(const RSA_PrivateKey* s = dynamic_cast<const RSA_PrivateKey*>(&key)) - return new GMP_RSA_Private_Operation(*s); -#endif - - return nullptr; - } - -} diff --git a/src/lib/engine/gnump/info.txt b/src/lib/engine/gnump/info.txt deleted file mode 100644 index ad03339e4..000000000 --- a/src/lib/engine/gnump/info.txt +++ /dev/null @@ -1,23 +0,0 @@ -define ENGINE_GNU_MP 20131128 - -load_on request - -<libs> -all -> gmp -</libs> - -<header:internal> -gnump_engine.h -gmp_wrap.h -</header:internal> - -<source> -gmp_mem.cpp -gmp_powm.cpp -gmp_wrap.cpp -gnump_pk.cpp -</source> - -<requires> -bigint -</requires> diff --git a/src/lib/engine/openssl/openssl_engine.h b/src/lib/engine/openssl/openssl_engine.h index 90f315c00..5c0d1511d 100644 --- a/src/lib/engine/openssl/openssl_engine.h +++ b/src/lib/engine/openssl/openssl_engine.h @@ -23,10 +23,11 @@ class OpenSSL_Engine : public Engine PK_Ops::Key_Agreement* get_key_agreement_op(const Private_Key& key, RandomNumberGenerator& rng) const override; - PK_Ops::Signature* - get_signature_op(const Private_Key& key, RandomNumberGenerator& rng) const override; + PK_Ops::Signature* get_signature_op(const Private_Key& key, const std::string& emsa, + RandomNumberGenerator& rng) const override; - PK_Ops::Verification* get_verify_op(const Public_Key& key, RandomNumberGenerator& rng) const override; + PK_Ops::Verification* get_verify_op(const Public_Key& key, const std::string& emsa, + RandomNumberGenerator& rng) const override; PK_Ops::Encryption* get_encryption_op(const Public_Key& key, RandomNumberGenerator& rng) const override; diff --git a/src/lib/engine/openssl/ossl_pk.cpp b/src/lib/engine/openssl/ossl_pk.cpp index cbe03d7b3..b489ad454 100644 --- a/src/lib/engine/openssl/ossl_pk.cpp +++ b/src/lib/engine/openssl/ossl_pk.cpp 
@@ -282,7 +282,7 @@ OpenSSL_Engine::get_key_agreement_op(const Private_Key& key, RandomNumberGenerat } PK_Ops::Signature* -OpenSSL_Engine::get_signature_op(const Private_Key& key, RandomNumberGenerator&) const +OpenSSL_Engine::get_signature_op(const Private_Key& key, const std::string&, RandomNumberGenerator&) const { #if defined(BOTAN_HAS_RSA) if(const RSA_PrivateKey* s = dynamic_cast<const RSA_PrivateKey*>(&key)) @@ -298,7 +298,7 @@ OpenSSL_Engine::get_signature_op(const Private_Key& key, RandomNumberGenerator&) } PK_Ops::Verification* -OpenSSL_Engine::get_verify_op(const Public_Key& key, RandomNumberGenerator&) const +OpenSSL_Engine::get_verify_op(const Public_Key& key, const std::string&, RandomNumberGenerator&) const { #if defined(BOTAN_HAS_RSA) if(const RSA_PublicKey* s = dynamic_cast<const RSA_PublicKey*>(&key)) diff --git a/src/lib/pubkey/dsa/dsa.cpp b/src/lib/pubkey/dsa/dsa.cpp index c66db52f6..1dc2173da 100644 --- a/src/lib/pubkey/dsa/dsa.cpp +++ b/src/lib/pubkey/dsa/dsa.cpp @@ -1,6 +1,6 @@ /* * DSA -* (C) 1999-2010 Jack Lloyd +* (C) 1999-2010,2014 Jack Lloyd * * Distributed under the terms of the Botan license */ @@ -8,7 +8,9 @@ #include <botan/dsa.h> #include <botan/numthry.h> #include <botan/keypair.h> +#include <botan/rfc6979.h> #include <future> + namespace Botan { /* @@ -65,11 +67,13 @@ bool DSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)"); } -DSA_Signature_Operation::DSA_Signature_Operation(const DSA_PrivateKey& dsa) : +DSA_Signature_Operation::DSA_Signature_Operation(const DSA_PrivateKey& dsa, + const std::string& emsa) : q(dsa.group_q()), x(dsa.get_x()), powermod_g_p(dsa.group_g(), dsa.group_p()), - mod_q(dsa.group_q()) + mod_q(dsa.group_q()), + m_hash(hash_for_deterministic_signature(emsa)) { } 
@@ -80,22 +84,22 @@ DSA_Signature_Operation::sign(const byte msg[], size_t msg_len, rng.add_entropy(msg, msg_len); BigInt i(msg, msg_len); - BigInt r = 0, s = 0; - - while(r == 0 || s == 0) - { - BigInt k; - do - k.randomize(rng, q.bits()); - while(k >= q); - - auto future_r = std::async(std::launch::async, - [&]() { return mod_q.reduce(powermod_g_p(k)); }); - - s = inverse_mod(k, q); - r = future_r.get(); - s = mod_q.multiply(s, mul_add(x, r, i)); - } + + if(i >= q) + i -= q; + + const BigInt k = generate_rfc6979_nonce(x, q, i, m_hash); + + auto future_r = std::async(std::launch::async, + [&]() { return mod_q.reduce(powermod_g_p(k)); }); + + BigInt s = inverse_mod(k, q); + const BigInt r = future_r.get(); + s = mod_q.multiply(s, mul_add(x, r, i)); + + // With overwhelming probability, a bug rather than actual zero r/s + BOTAN_ASSERT(s != 0, "invalid s"); + BOTAN_ASSERT(r != 0, "invalid r"); secure_vector<byte> output(2*q.bytes()); r.binary_encode(&output[output.size() / 2 - r.bytes()]); diff --git a/src/lib/pubkey/dsa/dsa.h b/src/lib/pubkey/dsa/dsa.h index 7d51cfdd0..19c6c22d6 100644 --- a/src/lib/pubkey/dsa/dsa.h +++ b/src/lib/pubkey/dsa/dsa.h @@ -63,7 +63,7 @@ class BOTAN_DLL DSA_PrivateKey : public DSA_PublicKey, class BOTAN_DLL DSA_Signature_Operation : public PK_Ops::Signature { public: - DSA_Signature_Operation(const DSA_PrivateKey& dsa); + DSA_Signature_Operation(const DSA_PrivateKey& dsa, const std::string& hash); size_t message_parts() const { return 2; } size_t message_part_size() const { return q.bytes(); } @@ -76,6 +76,7 @@ class BOTAN_DLL DSA_Signature_Operation : public PK_Ops::Signature const BigInt& x; Fixed_Base_Power_Mod powermod_g_p; Modular_Reducer mod_q; + std::string m_hash; }; /** diff --git a/src/lib/pubkey/dsa/info.txt b/src/lib/pubkey/dsa/info.txt index a3f2a1ee4..ad14494a2 100644 --- a/src/lib/pubkey/dsa/info.txt +++ b/src/lib/pubkey/dsa/info.txt @@ -6,4 +6,5 @@ dl_group keypair libstate numbertheory +rfc6979 </requires> 
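Review bot: The two `BOTAN_ASSERT` calls turn a zero r or s into a hard failure, whereas RFC 6979 §3.2 prescribes drawing the next candidate k from the HMAC_DRBG and retrying; because k is now a deterministic function of (x, i, m_hash), an affected message would fail on every signing attempt rather than once, as the removed loop did, and the same asserts appear in the ecdsa.cpp hunk. The probability is negligible for real group sizes, so this is acceptable if stated; I would extend the comment to `// With overwhelming probability a bug rather than actual zero r/s; RFC 6979 3.2 would instead retry with the next k candidate`. Separately, `rng.add_entropy(msg, msg_len);` is kept at the top of this hunk although the function no longer draws k from `rng`, while the ecdsa.cpp hunk drops the same call — the two signers should agree. `DSA_Signature_Operation::sign` starts and ends outside the hunk.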
diff --git a/src/lib/pubkey/ecdsa/ecdsa.cpp b/src/lib/pubkey/ecdsa/ecdsa.cpp index 6ff082649..b83a41e68 100644 --- a/src/lib/pubkey/ecdsa/ecdsa.cpp +++ b/src/lib/pubkey/ecdsa/ecdsa.cpp @@ -9,6 +9,7 @@ #include <botan/ecdsa.h> #include <botan/keypair.h> +#include <botan/rfc6979.h> namespace Botan { @@ -24,37 +25,30 @@ bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng, return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)"); } -ECDSA_Signature_Operation::ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa) : +ECDSA_Signature_Operation::ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa, const std::string& emsa) : base_point(ecdsa.domain().get_base_point()), order(ecdsa.domain().get_order()), x(ecdsa.private_value()), - mod_order(order) + mod_order(order), + m_hash(hash_for_deterministic_signature(emsa)) { } secure_vector<byte> ECDSA_Signature_Operation::sign(const byte msg[], size_t msg_len, - RandomNumberGenerator& rng) + RandomNumberGenerator&) { - rng.add_entropy(msg, msg_len); + const BigInt m(msg, msg_len); - BigInt m(msg, msg_len); + const BigInt k = generate_rfc6979_nonce(x, order, m, m_hash); - BigInt r = 0, s = 0; + const PointGFp k_times_P = base_point * k; + const BigInt r = mod_order.reduce(k_times_P.get_affine_x()); + const BigInt s = mod_order.multiply(inverse_mod(k, order), mul_add(x, r, m)); - while(r == 0 || s == 0) - { - // This contortion is necessary for the tests - BigInt k; - k.randomize(rng, order.bits()); - - while(k >= order) - k.randomize(rng, order.bits() - 1); - - PointGFp k_times_P = base_point * k; - r = mod_order.reduce(k_times_P.get_affine_x()); - s = mod_order.multiply(inverse_mod(k, order), mul_add(x, r, m)); - } + // With overwhelming probability, a bug rather than actual zero r/s + BOTAN_ASSERT(s != 0, "invalid s"); + BOTAN_ASSERT(r != 0, "invalid r"); secure_vector<byte> output(2*order.bytes()); r.binary_encode(&output[output.size() / 2 - r.bytes()]); 
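Review bot: `m` is handed to `generate_rfc6979_nonce` and `mul_add` unreduced, while the dsa.cpp hunk first applies `if(i >= q) i -= q;` before the same two calls; unless `generate_rfc6979_nonce` performs the bits2octets reduction itself (not visible here), the two signers derive k differently for a truncated hash that exceeds the group order, and at most one of them can match the RFC 6979 vectors. I would either make `m` non-const and add `if(m >= order) m -= order;` here, or drop the reduction in dsa.cpp, and in either case leave a one-line comment stating which part of bits2octets the callee is responsible for. `ECDSA_Signature_Operation::sign` ends outside the hunk.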
diff --git a/src/lib/pubkey/ecdsa/ecdsa.h b/src/lib/pubkey/ecdsa/ecdsa.h index e37fa1562..40eb9c7a7 100644 --- a/src/lib/pubkey/ecdsa/ecdsa.h +++ b/src/lib/pubkey/ecdsa/ecdsa.h @@ -95,7 +95,8 @@ class BOTAN_DLL ECDSA_PrivateKey : public ECDSA_PublicKey, class BOTAN_DLL ECDSA_Signature_Operation : public PK_Ops::Signature { public: - ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa); + ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa, + const std::string& hash); secure_vector<byte> sign(const byte msg[], size_t msg_len, RandomNumberGenerator& rng); @@ -109,6 +110,7 @@ class BOTAN_DLL ECDSA_Signature_Operation : public PK_Ops::Signature const BigInt& order; const BigInt& x; Modular_Reducer mod_order; + std::string m_hash; }; /** diff --git a/src/lib/pubkey/ecdsa/info.txt b/src/lib/pubkey/ecdsa/info.txt index fcf688402..26640328f 100644 --- a/src/lib/pubkey/ecdsa/info.txt +++ b/src/lib/pubkey/ecdsa/info.txt @@ -6,4 +6,5 @@ ec_group ecc_key numbertheory rng +rfc6979 </requires> diff --git a/src/lib/pubkey/pubkey.cpp b/src/lib/pubkey/pubkey.cpp index a2c5cb745..a6fc7b2c9 100644 --- a/src/lib/pubkey/pubkey.cpp +++ b/src/lib/pubkey/pubkey.cpp @@ -134,10 +134,10 @@ PK_Signer::PK_Signer(const Private_Key& key, while(const Engine* engine = i.next()) { if(!m_op) - m_op.reset(engine->get_signature_op(key, rng)); + m_op.reset(engine->get_signature_op(key, emsa_name, rng)); if(!m_verify_op && prot == ENABLE_FAULT_PROTECTION) - m_verify_op.reset(engine->get_verify_op(key, rng)); + m_verify_op.reset(engine->get_verify_op(key, emsa_name, rng)); if(m_op && (m_verify_op || prot == DISABLE_FAULT_PROTECTION)) break; @@ -249,7 +249,7 @@ PK_Verifier::PK_Verifier(const Public_Key& key, while(const Engine* engine = i.next()) { - m_op.reset(engine->get_verify_op(key, rng)); + m_op.reset(engine->get_verify_op(key, emsa_name, rng)); if(m_op) break; } diff --git a/src/lib/pubkey/rfc6979/rfc6979.cpp b/src/lib/pubkey/rfc6979/rfc6979.cpp index 0bad4ecbf..21d6c356a 100644 
--- a/src/lib/pubkey/rfc6979/rfc6979.cpp +++ b/src/lib/pubkey/rfc6979/rfc6979.cpp @@ -8,9 +8,24 @@ #include <botan/rfc6979.h> #include <botan/hmac_drbg.h> #include <botan/libstate.h> +#include <botan/scan_name.h> namespace Botan { +std::string hash_for_deterministic_signature(const std::string& emsa) + { + SCAN_Name emsa_name(emsa); + + if(emsa_name.arg_count() > 0) + { + const std::string pos_hash = emsa_name.arg(0); + if(global_state().algorithm_factory().prototype_hash_function(pos_hash)) + return pos_hash; + } + + return "SHA-512"; // safe default if nothing we understand + } + BigInt generate_rfc6979_nonce(const BigInt& x, const BigInt& q, const BigInt& h, diff --git a/src/lib/pubkey/rfc6979/rfc6979.h b/src/lib/pubkey/rfc6979/rfc6979.h index 6184d0dbb..6e6073154 100644 --- a/src/lib/pubkey/rfc6979/rfc6979.h +++ b/src/lib/pubkey/rfc6979/rfc6979.h @@ -24,6 +24,8 @@ BigInt BOTAN_DLL generate_rfc6979_nonce(const BigInt& x, const BigInt& h, const std::string& hash); +std::string hash_for_deterministic_signature(const std::string& emsa); + } #endif diff --git a/src/tests/data/pubkey/dsa.vec b/src/tests/data/pubkey/dsa.vec index 561bdf3f9..73b4efe38 100644 --- a/src/tests/data/pubkey/dsa.vec +++ b/src/tests/data/pubkey/dsa.vec 
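Review bot: `hash_for_deterministic_signature` carries no comment explaining why falling back to `"SHA-512"` is safe, and a reader may assume the HMAC_DRBG hash must equal the digest applied to the message. To my reading of RFC 6979 (§3.6, variants) the HMAC hash may differ from the message hash; the nonce remains a deterministic function of key and message, so the fallback only changes which PRF drives the generator. I would add above the function `// Chooses the hash that drives the RFC 6979 HMAC_DRBG from the EMSA name (the SHA-1 in "EMSA1(SHA-1)"); it need not match the message digest, only be a known hash and stable per (key, message)`. Also, the declaration added to rfc6979.h lacks the `BOTAN_DLL` marker that `generate_rfc6979_nonce` carries; within this commit it is only called from dsa.cpp and ecdsa.cpp, so it may be intended as library-internal, but then a comment should say so or the header should export it like its sibling.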
@@ -1,99 +1,87 @@ -Hash = SHA-1 -P = 12270257065277902172111596494483961231804192474187036121797836181131247584932089780250846976703010051122719674458164945374286479988150443637157475734107133 -Q = 1299375671246779600593676384772532093813584338541 -G = 780366311785426093047354159864846769169488815644536449156874587202746748258854623523640019827614715587575157331420659030384035201791567262145164445837006 -X = 64304226652797075136199428090917889602951747558 -Msg = D05268DA47ADDDBA11A45CD2FA71347F6137215B2CCDC40E -Nonce = 868788898A8B8C8D8E8F9091929394959697989A -Signature = 19F24178D7369B619E566C5256C49EA648B68CC2D5EA2ADA04CBD68BCB6F014FD3FE0396B821BFEE +# RFC 6979 A.2.1: DSA, 1024 bits +P = 86F5CA03DCFEB225063FF830A0C769B9DD9D6153AD91D7CE27F787C43278B447E6533B86B18BED6E8A48B784A14C252C5BE0DBF60B86D6385BD2F12FB763ED8873ABFD3F5BA2E0A8C0A59082EAC056935E529DAF7C610467899C77ADEDFC846C881870B7B19B2B58F9BE0521A17002E3BDD6B86685EE90B3D9A1B02B782B1779 -Hash = SHA-1 -P = 116287679779556070551056667401322457124428937948811753832732071945687103664949020587235486764623919984456165465659742357205828499991902160607812393791250953806382262794445968225940191930980124228681014089245560854991186229842247618249551974137659243602699006879085681802942426221155596604515130484595210072293 -Q = 1299375671246779600593676384772532093813584338541 -G = 91963941661165653481506208908042102495395838370431364316429648751864248773470550304639855199811515520116277650040132595821755678017635203540593532285834289308326953040029637669980656056560371005963728192838069291844676216080955671709984396020486302047753813502224578933361166080321370120163932404242709356753 -X = 71927177082234296737505723835963793790598265833 -Msg = 1B83134583EF63C7F583AC69F4655B4BCA5D67D8C90779F9 -Nonce = DBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEF -Signature = 4B4471C82B030F2C2115B65309DF23A8B6AE1EEAAD2F0A376C1C76689601C174AAAD979F4925AFAF +Q = 996F967F6C8E388D9E28D01E205FBA957A5698B1 -Hash = SHA-1 -P = 
116287679779556070551056667401322457124428937948811753832732071945687103664949020587235486764623919984456165465659742357205828499991902160607812393791250953806382262794445968225940191930980124228681014089245560854991186229842247618249551974137659243602699006879085681802942426221155596604515130484595210072293 -Q = 1299375671246779600593676384772532093813584338541 -G = 91963941661165653481506208908042102495395838370431364316429648751864248773470550304639855199811515520116277650040132595821755678017635203540593532285834289308326953040029637669980656056560371005963728192838069291844676216080955671709984396020486302047753813502224578933361166080321370120163932404242709356753 -X = 71927177082234296737505723835963793790598265833 -Msg = F1E6950AAFB240F0194B198C485FC220770005E25A480C87 -Nonce = A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B8 -Signature = 76EC77EFBCE0F6B01C1AA676ADC3AC6409950FB7A87A9A50C9EF2C7B6C86C9027C1E29F2C6EA3850 +G = 07B0F92546150B62514BB771E2A0C0CE387F03BDA6C56B505209FF25FD3C133D89BBCD97E904E09114D9A7DEFDEADFC9078EA544D2E401AEECC40BB9FBBF78FD87995A10A1C27CB7789B594BA7EFB5C4326A9FE59A070E136DB77175464ADCA417BE5DCE2F40D10A46A3A3943F26AB7FD9C0398FF8C76EE0A56826A8A88F1DBD -Hash = SHA-1 -P = 179061322616957523501082979787244857703143582663248572464728559525843535653041237790950443729585243285067018308147507587925460515475949403044102584688905165345956326447092984983582289097765732846470739503353674290771140413677218977736207600855242504919731099465680843141955234196886838647266836329406137291281 -Q = 1227568936457257613747765910894852424387637950163 -G = 55447061991728779589680157097062966147565874042495386924694902509061920947933753585694730820135472163697844025253877093898637466023512984242017402181163445107016270882028418023556239620248016750612928161807785164917703625378097995273657411171969180273661711818279079729015760720382420596198792615660396499411 -X = 1108576690978860937069619874422023955377068860619 -Msg = 
2F31C0661BA2AB812B7776CFE5CC710AA268D462508FE43D -Nonce = A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B9 -Signature = 22E16319CB7FCC90CA03D66B1550FBEB6121AB42A9B5E784F8CA84CA30F40BEE98BB6A666268555B +X = 411602CB19A6CCC34494D79D98EF1E7ED5AF25F7 + +Msg = 73616D706C65 Hash = SHA-1 -P = 153848637714378494121507252512351480198698539914612689589619905857639664771273480299531255805737005247736828979714623202273316303866329872202516762692840131109369194006819849976424451192783095403989464996900096015982142140347841528939943400412700889598881068604690211351508245054730312753410665964001982682387 -Q = 1157461304199822560740260885592916189587941196301 -G = 138731668224947034741376895340429389869127677162443845224328339067172119781040113593036256835061047595748259555206737655274672301070819086599094699066976480431573785510473992262585066025459933281879258914089312906907867956614804081132801646896267441802665976654976982650943307061527326133693843030788022448650 -X = 294970044949972528355990574740760666660648211949 -Msg = 23427F57C6A99405244AEC6915BB38502969838F34364FDA -Nonce = 9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB1 -Signature = 033A7684B382E2D2DE424111A110A7A326BA215866B3447002C3A535EBB705C99B0CF658FC2B45A4 +Signature = 2E1A0C2562B2912CAAF89186FB0F42001585DA5529EFB6B0AFF2D7A68EB70CA313022253B9A88DF5 + +Hash = SHA-224 +Signature = 4BC3B686AEA70145856814A6F1BB53346F02101E410697B92295D994D21EDD2F4ADA85566F6F94C1 + +Hash = SHA-256 +Signature = 81F2F5850BE5BC123C43F71A3033E9384611C5454CDD914B65EB6C66A8AAAD27299BEE6B035F5E89 + +Hash = SHA-384 +Signature = 07F2108557EE0E3921BC1774F1CA9B410B4CE65A54DF70456C86FAC10FAB47C1949AB83F2C6F7595 + +Hash = SHA-512 +Signature = 16C3491F9B8C3FBBDD5E7A7B667057F0D8EE8E1B02C36A127A7B89EDBB72E4FFBC71DABC7D4FC69C + +Msg = 74657374 Hash = SHA-1 -P = 
7318407741184033161915019415806929514902398271860940485494758459651720440471717049441378896687658372847221985077822765330881711812272784111398214531294272570213296245387537371167383674169937208840427330310842646876411141060291337039874386670690146731629355191104879436323063016236595588393 -Q = 1010279367844055013509519219776168651578654964327 -G = 6709335784123324431386179160425131080354942838640753665935072907643408074801183749770889868137836713472340469855926685366755487482940656296783284360653270628425985278296202932654816025967424120607749637377320014928197989459952847122540896348804229893726789010978436642041268110684967356081 -X = 173695667654521850017182626401352723577822440571 -Msg = 8A8BA6DE6D4F6E80837F5250171E3534883BB97B1CCD6984 -Nonce = 8788898A8B8C8D8E8F909192939495969798999B -Signature = 4AF54C9F782C3B4B1D5000985F684B64D5EF030F5F71CA624A7145BD80674D8B323A191E7069F0EB +Signature = 42AB2052FD43E123F0607F115052A67DCD9C5C77183916B0230D45B9931491D4C6B0BD2FB4AAF088 + +Hash = SHA-224 +Signature = 6868E9964E36C1689F6037F91F28D5F2C30610F249CEC3ACDC83018C5BD2674ECAAD35B8CD22940F + +Hash = SHA-256 +Signature = 22518C127299B0F6FDC9872B282B9E70D07908126837EC18F150D55DE95B5E29BE7AF5D01E4FE160 + +Hash = SHA-384 +Signature = 854CF929B58D73C3CBFDC421E8D5430CD6DB5E6691D0E0F53E22F898D158380676A871A157CDA622 + +Hash = SHA-512 +Signature = 8EA47E475BA8AC6F2D821DA3BD212D11A3DEB9A07C670C7AD72B6C050C109E1790008097125433E8 + +# RFC 6979 A.2.2: DSA, 2048 bits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sg = 73616D706C65 Hash = SHA-1 -P = 8935755085182300202840562857649004379495615290235088479492950900721336770042052891181606159390616674371951863451410382933233275674555471293006609026897548255280789813417096949229138589443391480427488120546160047028002551844879581932280442455032233819385096580847416819799924260586539182293 -Q = 1184902326419537393243522486863273599978341991611 -G = 
8559968150211944280054444270994798417110755658009000644169699005202609308505754357699309109699635408886747004497498288142950588102719941677107548915157231660425441766752996603188440200356918433831853475826848609752662287353938819550109045981574044455759280514493264807281607095679230204054 -X = 160147330797281724589272447400884313616617945364 -Msg = 1A6236F82FE51AC757C46130EC50D19A6A1F6B4FB403B4C8 -Nonce = 9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B2 -Signature = 00F04C3A7E9D31CC7C76BAA9246F5A0BFC3B552B54E2083A33AB966101E28E39129B60B35FACB03E +Signature = 3A1B2DBD7489D6ED7E608FD036C83AF396E290DBD602408E8677DAABD6E7445AD26FCBA19FA3E3058FFC02CA1596CDBB6E0D20CB37B06054F7E36DED0CDBBCCF + +Hash = SHA-224 +Signature = DC9F4DEADA8D8FF588E98FED0AB690FFCE858DC8C79376450EB6B76C24537E2CA65A9C3BC7BABE286B195D5DA68616DA8D47FA0097F36DD19F517327DC848CEC + +Hash = SHA-256 +Signature = EACE8BDBBE353C432A795D9EC556C6D021F7A03F42C36E9BC87E4AC7932CC8097081E175455F9247B812B74583E9E94F9EA79BD640DC962533B0680793A38D53 + +Hash = SHA-384 +Signature = B2DA945E91858834FD9BF616EBAC151EDBC4B45D27D0DD4A7F6A22739F45C00B19048B63D9FD6BCA1D9BAE3664E1BCB97F7276C306130969F63F38FA8319021B + +Hash = SHA-512 +Signature = 2016ED092DC5FB669B8EFB3D1F31A91EECB199879BE0CF78F02BA062CB4C942ED0C76F84B5F091E141572A639A4FB8C230807EEA7D55C8A154A224400AFF2351 + +Msg = 74657374 Hash = SHA-1 -P = 6952436557537646587090929531666102667883680830933252880391568212775366999951638950134777728315624434028295734097226507523808572636836831945520720629817326446475380124056220000225929673190054721389910394225832373180142881574986581323395648215056944152876397949207398489534733298439561130831 -Q = 904902063384340613288207685993177321276784960423 -G = 
1166392222505501999267089674315978923752001066747918964244755924988233130942152935755407165860205174592359699830399798532321885094397168420952237527213078759625955912857109816251163361612654571295923137210688076515441535658947722005749316750562689761828412344228654565498710983438994721064 -X = 858717154735867000325696579678678385404054322404 -Msg = EFDE5496CCC183385F3F2C163F7021FA809D32651FD9E05D -Nonce = 838485868788898A8B8C8D8E8F90919293949597 -Signature = 01224EAC2D585D92840280C76FB57306222E428030DAC78E2823E2027A20ADA84BF7B6FA085FD327 - -Hash = Tiger -P = 205054850158113653576829836564247298371201622947451914663896751620429728536031315180350575183383908345690236084423224529084967549443839371070056108793927 -Q = 193074564556225966993829585339141341 -G = 8548832339578358446511471601136373527478047970390383978214302554869382122537709118087250086263408180306289017866313401482488402043808366246047034469613 -X = 133169634476971613237222909192252611 -Msg = 54686973206973206D6F73746C792061207465737420666F7220454D53413120287365636F6E64207465737429 -Nonce = C40DA376ACBB379890ACDFB021E02A -Signature = 041A7C1033F50A295DA0C4D436BD612466FB65ECE1357D4770BF93413F2F - -Hash = Tiger -P = 11819714333207273755781886966397437460455801046676151765962122273237869684679809720402750716049313008848953257493413659821686810603139013041282248788197001 -Q = 1098833280265204589648408053971474113 -G = 222580847411197580365901496107580970370265551826671570655500495087455747131091969688056114339014381123211562197756976321153805057374694995100672420995880 -X = 1081994640113262843744111571724403826 -Msg = 492077616E7420736F6D65207069652E -Nonce = 8182838485868788898A8B8C8D8E90 -Signature = 6DD27F32F0012698CECB2D8BE550ED662111608A6586A481CC7E2E4C5CB4 - -Hash = Tiger -P = 49193932043586603554650065678017736254415576843018228127544238194142350774428159756136800009784734086661367788117828601294366770317736994024329572735631 -Q = 201614538311430967264501294067692331 -G = 
39005338582959262509020817101138470855604262992168367049925650810184593292935164854796454599311349713861978196034391940372675432966108193229763558917892 -X = 189694880421939583935164356865720345 -Msg = 54686973206973206D6F73746C792061207465737420666F7220454D534131 -Nonce = 25ECC0ED4CE7118A72D133704D002A -Signature = 14593FBF63EAC64976987524044D8B11AB9A95B4B75A760FE22C45A3EFD6 +Signature = C18270A93CFC6063F57A4DFA86024F700D980E4CF4E2CB65A504397273D98EA0414F22E5F31A8B6D33295C7539C1C1BA3A6160D7D68D50AC0D3A5BEAC2884FAA + +Hash = SHA-224 +Signature = 272ABA31572F6CC55E30BF616B7A265312018DD325BE031BE0CC82AA17870EA3E9CC286A52CCE201586722D36D1E917EB96A4EBDB47932F9576AC645B3A60806 + +Hash = SHA-256 +Signature = 8190012A1969F9957D56FCCAAD223186F423398D58EF5B3CEFD5A4146A4476F07452A53F7075D417B4B013B278D1BB8BBD21863F5E7B1CEE679CF2188E1AB19E + +Hash = SHA-384 +Signature = 239E66DDBE8F8C230A3D071D601B6FFBDFB5901F94D444C6AF56F732BEB954BE6BD737513D5E72FE85D1C750E0F73921FE299B945AAD1C802F15C26A43D34961 + +Hash = SHA-512 +Signature = 89EC4BB1400ECCFF8E7D9AA515CD1DE7803F2DAFF09693EE7FD1353E90A68307C9F0BDABCC0D880BB137A994CC7F3980CE91CC10FAF529FC46565B15CEA854E1 diff --git a/src/tests/data/pubkey/ecdsa.vec b/src/tests/data/pubkey/ecdsa.vec index bc21299c3..d074e064b 100644 --- a/src/tests/data/pubkey/ecdsa.vec +++ b/src/tests/data/pubkey/ecdsa.vec 
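Review bot: The rewrite of dsa.vec drops every existing vector, including all the Tiger-hash entries and every group not in RFC 6979 A.2, and the ecdsa.vec hunk that follows likewise removes all brainpool* and x962_p239v1 entries together with their `Nonce` lines, so those curves are no longer exercised by these files at all. The old vectors cannot be kept as they are because their signatures depended on an explicit nonce, but regenerating deterministic signatures for the dropped groups with the new code and adding them back, marked as self-generated rather than from the RFC, would keep regression coverage for the non-NIST curves. A header comment such as `# Vectors below are self-generated with Botan's RFC 6979 implementation, not from the RFC` would make the provenance of such entries clear.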
@@ -1,105 +1,191 @@ +# RFC 6979 A.2.3. ECDSA, 192 Bits (Prime Field) + Group = secp192r1 -Hash = SHA-1 -X = 0x1A8D598FC15BF0FD89030B5CB1111AEB92AE8BAF5EA475FB -Msg = 616263 -Nonce = FA6DE29746BBEB7F8BB1E761F85F7DFB2983169D82FA2F4E -Signature = 885052380FF147B734C330C43D39B2C4A89F29B0F749FEADE9ECC78106DEF82BF1070CF1D4D804C3CB390046951DF686 +X = 0x6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4 -Group = x962_p239v1 +Msg = 73616D706C65 Hash = SHA-1 -X = 0x7EF7C6FABEFFFDEA864206E80B0B08A9331ED93E698561B64CA0F7777F3D -Msg = 616263 -Nonce = 656C7196BF87DCC5D1F1020906DF2782360D36B2DE7A17ECE37D503784AF -Signature = 2CB7F36803EBB9C427C58D8265F11FC5084747133078FC279DE874FBECB02EEAE988104E9C2234A3C2BEB1F53BFA5DC11FF36A875D1E3CCB1F7E45CF +Signature = 98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64 + +Hash = SHA-224 +Signature = A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A + +Hash = SHA-256 +Signature = 4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85 + +Hash = SHA-384 +Signature = DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E + +Hash = SHA-512 +Signature = 4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B83F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67 + +Msg = 74657374 -Group = brainpool160r1 Hash = SHA-1 -X = 0x1CA8A0ACE60292D2813D992C4EC7A4BCDF611C0 -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = 9CB692B33F02179D1A6F2A0669FD8DAAF17E4FC4 -Signature = 672EAFD043D30BAE7CA826828333FA70F10A14C70F49C076BB26178277D8E490D0C77F7A9649DE31 +Signature = 0F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036DEB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7 + +Hash = SHA-224 +Signature = 6945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293 + +Hash = SHA-256 +Signature = 
3A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE5662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F + +Hash = SHA-384 +Signature = B234B60B4DB75A733E19280A7A6034BD6B1EE88AF53323677994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A + +Hash = SHA-512 +Signature = FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE73974CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290 + +# RFC 6979 A.2.4. ECDSA, 224 Bits (Prime Field) Group = secp224r1 +X = 0xF220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1 + +Msg = 73616D706C65 +Hash = SHA-1 +Signature = 22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69 + Hash = SHA-224 -X = 0x42D126D0E51F3D6AA9B4D60BD1290853AA964A9C8698D5D5BDBAADEB -Msg = 45434453412074657374206D657373616765203230313130323135 -Nonce = E1F6B207B4FC896879A51F65E85DB94CEB633FEC765739E689847D64 -Signature = A4C80AAF3D7B61200E66D6F41EC66D3D65E9E38DC06A88FE3B7F6C4C8A5CEE4E04FE240464EA2DBB52489D3FAC1CDE6DA24A0E4C6598BCD2 +Signature = 1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3EA6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC + +Hash = SHA-256 +Signature = 61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BABC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101 + +Hash = SHA-384 +Signature = 0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D + +Hash = SHA-512 +Signature = 074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084 + +Msg = 74657374 +Hash = SHA-1 +Signature = DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C95987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2 -Group = brainpool224r1 Hash = SHA-224 -X = 0x47B5CCE9EED463CED28666DA57DA9D0A8BDD3F000CCFC0AE6054F1AD -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = 9E9D0C9E67FF5785C3AD89195567CD3990D54C628788F26DB926F5B6 -Signature = 
40369F41BD0D15C92DFB855779DBF439376FB6EDC4153E9B99019B7940FEF076FC8D610EC12AFC9CC43A150BD0190E507622E6623906D6B8 +Signature = C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4 -Group = secp256r1 Hash = SHA-256 -X = 0x368E89CC30AE7A3B4B4903C30C238C010257FE97DB85AF35982A7960A0DBD2F3 -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = E2AAB3BD3AB1999651CD903F5385B8EC2EDA84C43B7801F08608C179DD373369 -Signature = CBED1CE0D581020D2F89174EC2DE450C1D547BAC3DCEECCDD476A6AADF46D24FC456F43F351605CC40FC2A000B4D291042B5AEEA7A783DF89FC86666D832DACF +Signature = AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD + +Hash = SHA-384 +Signature = 389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB + +Hash = SHA-512 +Signature = 049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF + +# RFC 6979 A.2.5. 
ECDSA, 256 Bits (Prime Field) Group = secp256r1 -Hash = SHA-256 -X = 0x6CC691616D2C996A8F00A31C2EBF4E35C5EFFEAAFA2266F800768D5BF8EA2C1B -Msg = 45434453412074657374206D657373616765203230313130323135 -Nonce = C1DDAA59A4E0B5D95EB873C33BC465C6782EBF7BC43DB18058C9EC4816AD2A11 -Signature = A8369164EF54A67303760B77AA62C4DE8122396908EA5B06DBCC2BC48264C832ADB3A8855019D5AFF789EC1F276AD38A03AAF41F88593B74E5CB9DF7E4BD4922 +X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721 + +Msg = 73616D706C65 + +Hash = SHA-1 +Signature = 61340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D326D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB + +Hash = SHA-224 +Signature = 53B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3FB9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C -Group = brainpool256r1 Hash = SHA-256 -X = 0x4EC702404A8047A08206721DE33F02E1F06B14E09A5582171EA9BB8AB3C9BC14 -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = A9952A1B896FB2C2AEA88EA578E2A5323114978A765E03E397969DC0F282708C -Signature = 54F843E89B084EEE1CFFED09F222DF041CD46DB0C48833667BA0790ECD6030895304039A927714E79E5FCDB1D043E093FD85C8DD98B835CD6C7BB492C05357E5 +Signature = EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8 + +Hash = SHA-384 +Signature = 0EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF77194861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954 + +Hash = SHA-512 +Signature = 8496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F002362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE + +Msg = 74657374 + +Hash = SHA-1 +Signature = 0CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A8901B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1 + +Hash = SHA-224 +Signature = 
C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D -Group = brainpool256r1 Hash = SHA-256 -X = 0x416D7FCEB966DF966CAE7BE2608C5C4D8939A7B5B3CF6D3E441A64886AC5FAD7 -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = A07978494C1B301C1E44467853CD367624549E0E9F5092C0100A53F877AD2EF6 -Signature = 93935B733CCC6A8702191664346135D1D6320D86A2346DFCA41AEDFBC4260435A4A9C66485C02BC2DCC858364173FAE00EA02529BA21B56BBBB2EAA4B811416D +Signature = F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D38367019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083 -Group = secp384r1 Hash = SHA-384 -X = 0x100CC52F0263DCB12FDB9E50D44A4C84831A98756265DF0CBFD092D27A739821043BFE282E2C8FAD46948C1F0365DD0C -Msg = 45434453412074657374206D657373616765203230313130323135 -Nonce = C27CC4947F7CA7AF386AF5BEA88582685A043BB3C83C0C8B2A4BB1E53A3971FA8161168E332B2F3735A50BB3E8694F43 -Signature = C8B93B3C4B97B87A918522F423E26194F1AEA2B83FE890893C15928B79BCAC75F66AB47309378A54771ED46AF6AA453BFD2404EECFCCE19ACE11E5D5883EE40A300A42BD9AC79E77E507DE9EAE0B54034DB17355EE2111990ED226701D4ED7EC +Signature = 83910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB68DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C + +Hash = SHA-512 +Signature = 461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A0439AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55 + +# RFC 6979 A.2.6. 
ECDSA, 384 Bits (Prime Field) Group = secp384r1 +X = 0x6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5 + +Msg = 73616D706C65 + +Hash = SHA-1 +Signature = EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443 + +Hash = SHA-224 +Signature = 42356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601229DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D + +Hash = SHA-256 +Signature = 21B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CDF3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0 + Hash = SHA-384 -X = 0x4AF67D00B7A8D964B38CC52CBC808D4693595A5B330E0B3EA52BDCD619D41B856961BDAC571D9BC93D16A9B1C4D5CC2F -Msg = 45434453412074657374206D657373616765203230313130323135 -Nonce = 8C5D8DDCF8AF127174577A60F9B5512813E33EA8E45B471F343806FBF68663E9915B81A33F6AD22007D57818023AF982 -Signature = FF83C10E8D84777D17B724957B83E1500F578F1096C48BE2BCACE73E6681CDD6A34F66CA2AF31241FAF85AEE2528438DA6BED934D75ACCF2E41176D8B661AB58B7B867D802C38B39E8227F9CF0865072D381948FFFF637D8FB9B37BEC6AE0772 +Signature = 94EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4699EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8 + +Hash = SHA-512 +Signature = ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD7882433709512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5 + +Msg = 74657374 + +Hash = SHA-1 +Signature = 
4BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282 + +Hash = SHA-224 +Signature = E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E7207041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66 + +Hash = SHA-256 +Signature = 6D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B2D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265 -Group = brainpool384r1 Hash = SHA-384 -X = 0x19AD48ECFB30F115AEF41CAFD29B265A586399C0F95166017AA7DB894413A2AE821B7BE4F4E7B6BBC22A4E2EB1CC0865 -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = 83928FD1219F1C6D5B128C0ECD2E39A83399CE609382D41890D43FD476318E0C26264E98E0D5A0DBCC28A8C01C2D63D7 -Signature = 4B800A206ED7807C0F15798509164709E94ED73B5E02B10D65F45B6C2B7FD69437F3B5D1342DAF0988CA100B8875C7392CFA819E10B76CFE12B2C6485D8326B66E6256CD2F4A6DFEB9B2B7BDD732EA9E9D5398DDECCBEAAF3FD53D554AA1FADD +Signature = 8203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DBDDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5 -Group = secp521r1 Hash = SHA-512 -X = 0x1511908E830069DAD59E8BA8F1BD4045612A4844805F61F7ECD92A1DEE1877B7E62A57860314820C97FFC972732E3C4C0AE837103692E85B3A11B49EB3E20EF1599 -Msg = 45434453412F53484128353132292074657374206D657373616765203230313130323135 -Nonce = 01C352020AAA6D14B6FC2B78FD46209A9EEF6A357CD8B5D53738E3D655FE7A808396E1DC5742058D05F2D76C8CBF4832BE0580A6FD7B4C7426656D17680DEAAEEEC2 -Signature = 
0138A515C79EECAAB50139FB5D9EF5A771CC1C0999F2E54B5A1A9370EA8ADCFDDDD6E9933A39EDA0862F3ECAEBD49EA5ED58D93DA8F72B1CFB11E52A1528AEC863870060D717B29AD6D36DE953A4753FAC58629429EF4DD8F98B5A4F5504C5B229C23C609905632CD8D839DC472693698D7A149E8F3F17462F86BA0A7A895D80583A46E9 +Signature = A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736 + +# RFC 6979 A.2.7. ECDSA, 521 Bits (Prime Field) + +Group = secp521r1 +X = 0x0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538 + +Msg = 73616D706C65 + +Hash = SHA-1 +Signature = 00343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D00E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16 +Hash = SHA-224 +Signature = 01776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E0050CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F + +Hash = SHA-256 +Signature = 01511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A7004A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC + +Hash = SHA-384 +Signature = 01EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C6745101F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61 -Group = brainpool512r1 Hash = SHA-512 -X = 
0x1433AE89858BE7DD9346AF015FEC69F0556982FFEB9CCEF7FB1CE71155F7620CED4A6ACD0F35461A17C8370C4E600BECBACC0F7C1D2D1A2C00203A0E6626C21C -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = AA72BC70ABD9E078DDE47F5440E75A93F136F6EAA5267F591E0D3F562DE48BD8FED21B9E3F6F5560250566A00C7AAE7E57770BFC7D18A3E7750DC6C7083CC5B0 -Signature = A058CD406C7F2D87FBBDDDD1870C67D1ACBD222D45A929565101842EDFAEFB893CF07AD22CAC0F3350A7D1300741AB5ECE38498F196690CBCEDBF8C866995E5C17F48EA66EB70ADE68F6C16103BE54DD004230270E1F8CAC2D6BD47F717C0D1B1E335FA4AAA5212321EE93E55FED129D781912A0D87B78A5B569DA272B3C9469 +Signature = 00C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA00617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A + +Msg = 74657374 + +Hash = SHA-1 +Signature = 013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D036701E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF + +Hash = SHA-224 +Signature = 01C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB0177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4 + +Hash = SHA-256 +Signature = 000E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA800CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86 + +Hash = SHA-384 +Signature = 
014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C0133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979 -Group = brainpool512r1 Hash = SHA-512 -X = 0x83DBEFECAF8CFF78C575BE9659C1A104767979497AD9B589B1B13705C71F1DEFAF5CA76C8700236CE2392268E0133CAADE358E3D4F2E64CB4AB8517079E3EFA0 -Msg = 43727970746F2B2B20352E362E312045434453412074657374206D7367 -Nonce = A110CC7BEF64F5C0349344025B97B151C735408BD2BC0D0CC4E54642EA0DF33E829E85916086B51624B830BB2CDF53DAD9003A6D194115051139DBC3E81DF197 -Signature = 3254388208915E0EEB99DA89AA198C6FDB1A31B21D3B69EF8EFE4848AE78C32A4C489347510A9DD04125BBE95F847E14A2DF3267A0A6D1B5EC442B130C9B5DD1924FCD9F365897570329BFEC41FBAF42961210F3FF850DE5736FFBAAB09C5C03E0058BD51C8A8EF0FF221F31CF93FE59572ADA3CFEC7016085258A45D1E8544C +Signature = 013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D01FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3 diff --git a/src/tests/test_dsa.cpp b/src/tests/test_dsa.cpp index 16f03fcc0..43c415b33 100644 --- a/src/tests/test_dsa.cpp +++ b/src/tests/test_dsa.cpp @@ -25,7 +25,7 @@ size_t dsa_sig_kat(const std::string& p, { AutoSeeded_RNG rng; - BigInt p_bn(p), q_bn(q), g_bn(g), x_bn(x); + BigInt p_bn("0x" + p), q_bn("0x" + q), g_bn("0x" + g), x_bn("0x" + x); DL_Group group(p_bn, q_bn, g_bn); DSA_PrivateKey privkey(rng, group, x_bn); 
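Review bot: `BigInt p_bn("0x" + p), q_bn("0x" + q), g_bn("0x" + g), x_bn("0x" + x);` now assumes every P/Q/G/X value in dsa.vec is unprefixed hex, which the new vectors are, but nothing in the kat says so, and a decimal value in the old format would presumably parse as a different number rather than fail. A short comment would make the contract explicit: `// dsa.vec carries P/Q/G/X as unprefixed hex, matching RFC 6979 A.2`. dsa_sig_kat's signature starts before the hunk and its body continues past it.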
@@ -50,7 +50,7 @@ size_t test_dsa()
 #if defined(BOTAN_HAS_DSA)
 std::ifstream dsa_sig(PK_TEST_DATA_DIR "/dsa.vec");
- fails += run_tests_bb(dsa_sig, "DSA Signature", "Signature", true,
+ fails += run_tests_bb(dsa_sig, "DSA Signature", "Signature", false,
 [](std::map<std::string, std::string> m) -> size_t { return dsa_sig_kat(m["P"], m["Q"], m["G"], m["X"], m["Hash"], m["Msg"], m["Nonce"], m["Signature"]);
diff --git a/src/tests/test_ecdsa.cpp b/src/tests/test_ecdsa.cpp
index 9b256bf9c..d83ba7a4b 100644
--- a/src/tests/test_ecdsa.cpp
+++ b/src/tests/test_ecdsa.cpp
@@ -92,7 +92,7 @@ size_t test_ecdsa()
 #if defined(BOTAN_HAS_ECDSA)
 std::ifstream ecdsa_sig(PK_TEST_DATA_DIR "/ecdsa.vec");
- fails += run_tests_bb(ecdsa_sig, "ECDSA Signature", "Signature", true,
+ fails += run_tests_bb(ecdsa_sig, "ECDSA Signature", "Signature", false,
 [](std::map<std::string, std::string> m) -> size_t { return ecdsa_sig_kat(m["Group"], m["X"], m["Hash"], m["Msg"], m["Nonce"], m["Signature"]); |
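Review bot: The lambda still reads `m["Nonce"]` and hands it to dsa_sig_kat, but the new dsa.vec no longer has a Nonce key, so `std::map::operator[]` default-inserts an empty string for every vector and whatever dsa_sig_kat does with that argument now runs on "" (its body is outside this hunk); the same applies to `m["Nonce"]` in the test_ecdsa.cpp hunk that follows. If the nonce is now ignored because signing is deterministic, drop the parameter from both kats so the tests cannot silently pass a stale value; if it is still consumed, the vectors need the key back. The `true` to `false` flip in the run_tests_bb call is also unexplained here, and a comment naming what that flag controls would help the next reader.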