aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey/rfc6979/rfc6979.cpp
blob: 3bd723d6d21060baa767b41a6f6e0566d14531f4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
/*
* RFC 6979 Deterministic Nonce Generator
* (C) 2014 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/rfc6979.h>
#include <botan/hmac_drbg.h>
#include <botan/scan_name.h>
#include <botan/lookup.h>

namespace Botan {

std::string hash_for_deterministic_signature(const std::string& emsa)
   {
   SCAN_Name emsa_name(emsa);

   if(emsa_name.arg_count() > 0)
      {
      const std::string pos_hash = emsa_name.arg(0);
      return pos_hash;
      }

   return "SHA-512"; // safe default if nothing we understand
   }

BigInt generate_rfc6979_nonce(const BigInt& x,
                              const BigInt& q,
                              const BigInt& h,
                              const std::string& hash)
   {
   HMAC_DRBG rng(make_message_auth("HMAC(" + hash + ")").release(), nullptr);

   const size_t qlen = q.bits();
   const size_t rlen = qlen / 8 + (qlen % 8 ? 1 : 0);

   secure_vector<byte> input = BigInt::encode_1363(x, rlen);

   input += BigInt::encode_1363(h, rlen);

   rng.add_entropy(&input[0], input.size());

   BigInt k;

   secure_vector<byte> kbits(rlen);

   while(k == 0 || k >= q)
      {
      rng.randomize(&kbits[0], kbits.size());
      k = BigInt::decode(kbits) >> (8*rlen - qlen);
      }

   return k;
   }

}