rfc6979/rfc6979.go

123 lines
2.8 KiB
Go
Raw Normal View History

2013-08-21 00:35:15 +00:00
/*
Package rfc6979 is an implementation of RFC 6979's deterministic DSA:
Such signatures are compatible with standard Digital Signature Algorithm
(DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital
signatures and can be processed with unmodified verifiers, which need not be
aware of the procedure described therein. Deterministic signatures retain
the cryptographic security features associated with digital signatures but
can be more easily implemented in various environments, since they do not
need access to a source of high-quality randomness.
2013-08-21 00:35:15 +00:00
Provides functions similar to crypto/dsa and crypto/ecdsa.
2013-08-21 00:49:14 +00:00
See https://tools.ietf.org/html/rfc6979 for technical details.
2013-08-21 00:35:15 +00:00
*/
package rfc6979
import (
"bytes"
"crypto/hmac"
"hash"
"math/big"
)
// HashFunc is a function which provides a fresh Hash (e.g., sha256.New).
type HashFunc func() hash.Hash
2013-08-21 00:35:15 +00:00
2013-08-27 02:48:12 +00:00
// mac returns an HMAC of the given key and message.
2013-09-03 17:02:20 +00:00
func (alg HashFunc) mac(k, m, buf []byte) []byte {
2013-08-21 00:35:15 +00:00
h := hmac.New(alg, k)
h.Write(m)
2013-09-03 17:02:20 +00:00
return h.Sum(buf[:0])
2013-08-21 00:35:15 +00:00
}
// https://tools.ietf.org/html/rfc6979#section-2.3.2
func bits2int(in []byte, qlen int) *big.Int {
vlen := len(in) * 8
v := new(big.Int).SetBytes(in)
if vlen > qlen {
v = new(big.Int).Rsh(v, uint(vlen-qlen))
}
return v
}
// https://tools.ietf.org/html/rfc6979#section-2.3.3
func int2octets(v *big.Int, rolen int) []byte {
out := v.Bytes()
// pad with zeros if it's too short
if len(out) < rolen {
out2 := make([]byte, rolen)
copy(out2[rolen-len(out):], out)
return out2
}
// drop most significant bytes if it's too long
if len(out) > rolen {
out2 := make([]byte, rolen)
copy(out2, out[len(out)-rolen:])
return out2
}
return out
}
// https://tools.ietf.org/html/rfc6979#section-2.3.4
func bits2octets(in []byte, q *big.Int, qlen, rolen int) []byte {
z1 := bits2int(in, qlen)
z2 := new(big.Int).Sub(z1, q)
if z2.Sign() < 0 {
return int2octets(z1, rolen)
}
return int2octets(z2, rolen)
}
2013-08-27 02:48:12 +00:00
var one = big.NewInt(1)
2013-08-21 00:35:15 +00:00
// https://tools.ietf.org/html/rfc6979#section-3.2
func generateSecret(q, x *big.Int, alg HashFunc, hash []byte, test func(*big.Int) bool) {
2013-08-21 00:35:15 +00:00
qlen := q.BitLen()
holen := alg().Size()
rolen := (qlen + 7) >> 3
2013-08-21 00:39:06 +00:00
bx := append(int2octets(x, rolen), bits2octets(hash, q, qlen, rolen)...)
2013-08-21 00:35:15 +00:00
// Step B
v := bytes.Repeat([]byte{0x01}, holen)
// Step C
k := bytes.Repeat([]byte{0x00}, holen)
// Step D
2013-09-03 17:02:20 +00:00
k = alg.mac(k, append(append(v, 0x00), bx...), k)
2013-08-21 00:35:15 +00:00
// Step E
2013-09-03 17:02:20 +00:00
v = alg.mac(k, v, v)
2013-08-21 00:35:15 +00:00
// Step F
2013-09-03 17:02:20 +00:00
k = alg.mac(k, append(append(v, 0x01), bx...), k)
2013-08-21 00:35:15 +00:00
// Step G
2013-09-03 17:02:20 +00:00
v = alg.mac(k, v, v)
2013-08-21 00:35:15 +00:00
2013-08-21 00:39:06 +00:00
// Step H
2013-08-21 00:35:15 +00:00
for {
// Step H1
t := make([]byte, 0)
// Step H2
for len(t) < qlen/8 {
2013-09-03 17:02:20 +00:00
v = alg.mac(k, v, v)
2013-08-21 00:35:15 +00:00
t = append(t, v...)
}
2013-08-21 00:39:06 +00:00
// Step H3
2013-08-21 00:35:15 +00:00
secret := bits2int(t, qlen)
2013-08-27 02:48:12 +00:00
if secret.Cmp(one) >= 0 && secret.Cmp(q) < 0 && test(secret) {
2013-08-21 00:35:15 +00:00
return
}
2013-09-03 17:02:20 +00:00
k = alg.mac(k, append(v, 0x00), k)
v = alg.mac(k, v, v)
2013-08-21 00:35:15 +00:00
}
}