2013-08-21 00:35:15 +00:00
|
|
|
/*
|
2013-12-16 19:50:11 +00:00
|
|
|
Package rfc6979 is an implementation of RFC 6979's deterministic DSA.
|
2013-09-03 16:59:03 +00:00
|
|
|
|
|
|
|
Such signatures are compatible with standard Digital Signature Algorithm
|
|
|
|
(DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital
|
|
|
|
signatures and can be processed with unmodified verifiers, which need not be
|
|
|
|
aware of the procedure described therein. Deterministic signatures retain
|
|
|
|
the cryptographic security features associated with digital signatures but
|
|
|
|
can be more easily implemented in various environments, since they do not
|
|
|
|
need access to a source of high-quality randomness.
|
2013-08-21 00:35:15 +00:00
|
|
|
|
2013-12-16 19:50:11 +00:00
|
|
|
(https://tools.ietf.org/html/rfc6979)
|
2013-08-21 00:49:14 +00:00
|
|
|
|
2013-12-16 19:50:11 +00:00
|
|
|
Provides functions similar to crypto/dsa and crypto/ecdsa.
|
2013-08-21 00:35:15 +00:00
|
|
|
*/
|
|
|
|
package rfc6979
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto/hmac"
|
|
|
|
"hash"
|
|
|
|
"math/big"
|
|
|
|
)
|
|
|
|
|
2013-09-03 16:59:03 +00:00
|
|
|
// HashFunc is a function which provides a fresh Hash (e.g., sha256.New).
|
|
|
|
type HashFunc func() hash.Hash
|
2013-08-21 00:35:15 +00:00
|
|
|
|
2013-08-27 02:48:12 +00:00
|
|
|
// mac returns an HMAC of the given key and message.
|
2013-09-03 17:02:20 +00:00
|
|
|
func (alg HashFunc) mac(k, m, buf []byte) []byte {
|
2013-08-21 00:35:15 +00:00
|
|
|
h := hmac.New(alg, k)
|
|
|
|
h.Write(m)
|
2013-09-03 17:02:20 +00:00
|
|
|
return h.Sum(buf[:0])
|
2013-08-21 00:35:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// https://tools.ietf.org/html/rfc6979#section-2.3.2
|
|
|
|
func bits2int(in []byte, qlen int) *big.Int {
|
|
|
|
vlen := len(in) * 8
|
|
|
|
v := new(big.Int).SetBytes(in)
|
|
|
|
if vlen > qlen {
|
|
|
|
v = new(big.Int).Rsh(v, uint(vlen-qlen))
|
|
|
|
}
|
|
|
|
return v
|
|
|
|
}
|
|
|
|
|
|
|
|
// https://tools.ietf.org/html/rfc6979#section-2.3.3
|
|
|
|
func int2octets(v *big.Int, rolen int) []byte {
|
|
|
|
out := v.Bytes()
|
|
|
|
|
|
|
|
// pad with zeros if it's too short
|
|
|
|
if len(out) < rolen {
|
|
|
|
out2 := make([]byte, rolen)
|
|
|
|
copy(out2[rolen-len(out):], out)
|
|
|
|
return out2
|
|
|
|
}
|
|
|
|
|
|
|
|
// drop most significant bytes if it's too long
|
|
|
|
if len(out) > rolen {
|
|
|
|
out2 := make([]byte, rolen)
|
|
|
|
copy(out2, out[len(out)-rolen:])
|
|
|
|
return out2
|
|
|
|
}
|
|
|
|
|
|
|
|
return out
|
|
|
|
}
|
|
|
|
|
|
|
|
// https://tools.ietf.org/html/rfc6979#section-2.3.4
|
|
|
|
func bits2octets(in []byte, q *big.Int, qlen, rolen int) []byte {
|
|
|
|
z1 := bits2int(in, qlen)
|
|
|
|
z2 := new(big.Int).Sub(z1, q)
|
|
|
|
if z2.Sign() < 0 {
|
|
|
|
return int2octets(z1, rolen)
|
|
|
|
}
|
|
|
|
return int2octets(z2, rolen)
|
|
|
|
}
|
|
|
|
|
2013-08-27 02:48:12 +00:00
|
|
|
var one = big.NewInt(1)
|
|
|
|
|
2013-08-21 00:35:15 +00:00
|
|
|
// https://tools.ietf.org/html/rfc6979#section-3.2
|
2013-09-03 16:59:03 +00:00
|
|
|
func generateSecret(q, x *big.Int, alg HashFunc, hash []byte, test func(*big.Int) bool) {
|
2013-08-21 00:35:15 +00:00
|
|
|
qlen := q.BitLen()
|
|
|
|
holen := alg().Size()
|
|
|
|
rolen := (qlen + 7) >> 3
|
2013-08-21 00:39:06 +00:00
|
|
|
bx := append(int2octets(x, rolen), bits2octets(hash, q, qlen, rolen)...)
|
2013-08-21 00:35:15 +00:00
|
|
|
|
|
|
|
// Step B
|
|
|
|
v := bytes.Repeat([]byte{0x01}, holen)
|
|
|
|
|
|
|
|
// Step C
|
|
|
|
k := bytes.Repeat([]byte{0x00}, holen)
|
|
|
|
|
|
|
|
// Step D
|
2013-09-03 17:02:20 +00:00
|
|
|
k = alg.mac(k, append(append(v, 0x00), bx...), k)
|
2013-08-21 00:35:15 +00:00
|
|
|
|
|
|
|
// Step E
|
2013-09-03 17:02:20 +00:00
|
|
|
v = alg.mac(k, v, v)
|
2013-08-21 00:35:15 +00:00
|
|
|
|
|
|
|
// Step F
|
2013-09-03 17:02:20 +00:00
|
|
|
k = alg.mac(k, append(append(v, 0x01), bx...), k)
|
2013-08-21 00:35:15 +00:00
|
|
|
|
|
|
|
// Step G
|
2013-09-03 17:02:20 +00:00
|
|
|
v = alg.mac(k, v, v)
|
2013-08-21 00:35:15 +00:00
|
|
|
|
2013-08-21 00:39:06 +00:00
|
|
|
// Step H
|
2013-08-21 00:35:15 +00:00
|
|
|
for {
|
|
|
|
// Step H1
|
|
|
|
t := make([]byte, 0)
|
|
|
|
|
|
|
|
// Step H2
|
|
|
|
for len(t) < qlen/8 {
|
2013-09-03 17:02:20 +00:00
|
|
|
v = alg.mac(k, v, v)
|
2013-08-21 00:35:15 +00:00
|
|
|
t = append(t, v...)
|
|
|
|
}
|
|
|
|
|
2013-08-21 00:39:06 +00:00
|
|
|
// Step H3
|
2013-08-21 00:35:15 +00:00
|
|
|
secret := bits2int(t, qlen)
|
2013-08-27 02:48:12 +00:00
|
|
|
if secret.Cmp(one) >= 0 && secret.Cmp(q) < 0 && test(secret) {
|
2013-08-21 00:35:15 +00:00
|
|
|
return
|
|
|
|
}
|
2013-09-03 17:02:20 +00:00
|
|
|
k = alg.mac(k, append(v, 0x00), k)
|
|
|
|
v = alg.mac(k, v, v)
|
2013-08-21 00:35:15 +00:00
|
|
|
}
|
|
|
|
}
|