frostfs-crypto/rfc6979.go

package crypto

import (
	"crypto/ecdsa"
	"crypto/sha256"
	"math/big"

	"github.com/nspcc-dev/neofs-crypto/internal"
	"github.com/nspcc-dev/rfc6979"
	"github.com/pkg/errors"
)

const (
	// RFC6979SignatureSize contains r and s coordinates (32 bytes)
	RFC6979SignatureSize = 64

	// ErrWrongHashSize when passed signature to VerifyRFC6979 has wrong size.
	ErrWrongHashSize = internal.Error("wrong hash size")

	// ErrWrongSignature when passed signature to VerifyRFC6979 isn't valid.
	ErrWrongSignature = internal.Error("wrong signature")
)

// hashBytesRFC6979 returns the sha256 sum.
func hashBytesRFC6979(data []byte) []byte {
	sign := sha256.Sum256(data)
	return sign[:]
}

// SignRFC6979 signs an arbitrary length hash (which should be the result of
// hashing a larger message) using the private key. It returns the
// signature as a pair of integers.
//
// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
// to the byte-length of the subgroup. This function does not perform that.
func SignRFC6979(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	if key == nil {
		return nil, ErrEmptyPrivateKey
	}
	r, s := rfc6979.SignECDSA(key, hashBytesRFC6979(msg), sha256.New)
	rBytes, sBytes := r.Bytes(), s.Bytes()
	signature := make([]byte, RFC6979SignatureSize)

	// if `r` has less than 32 bytes, add leading zeros
	ind := RFC6979SignatureSize/2 - len(rBytes)
	copy(signature[ind:], rBytes)

	// if `s` has less than 32 bytes, add leading zeros
	ind = RFC6979SignatureSize - len(sBytes)
	copy(signature[ind:], sBytes)

	return signature, nil
}

func decodeSignature(sig []byte) (*big.Int, *big.Int, error) {
	if ln := len(sig); ln != RFC6979SignatureSize {
		return nil, nil, errors.Wrapf(ErrWrongHashSize, "actual=%d, expect=%d", ln, RFC6979SignatureSize)
	}

	return new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]), nil
}

// VerifyRFC6979 verifies the signature of msg using the public key. It
// return nil only if signature is valid.
func VerifyRFC6979(key *ecdsa.PublicKey, msg, sig []byte) error {
	if key == nil {
		return ErrEmptyPublicKey
	} else if r, s, err := decodeSignature(sig); err != nil {
		return err
	} else if !ecdsa.Verify(key, hashBytesRFC6979(msg), r, s) {
		return ErrWrongSignature
	}

	return nil
}
initial 2019-10-17 13:11:58 +00:00			`package crypto`

			`import (`
			`"crypto/ecdsa"`
			`"crypto/sha256"`
			`"math/big"`

			`"github.com/nspcc-dev/neofs-crypto/internal"`
			`"github.com/nspcc-dev/rfc6979"`
			`"github.com/pkg/errors"`
			`)`

			`const (`
			`// RFC6979SignatureSize contains r and s coordinates (32 bytes)`
			`RFC6979SignatureSize = 64`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// ErrWrongHashSize when passed signature to VerifyRFC6979 has wrong size.`
initial 2019-10-17 13:11:58 +00:00			`ErrWrongHashSize = internal.Error("wrong hash size")`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// ErrWrongSignature when passed signature to VerifyRFC6979 isn't valid.`
initial 2019-10-17 13:11:58 +00:00			`ErrWrongSignature = internal.Error("wrong signature")`
			`)`

Use SHA512 instead of SHA256 Fix issue #4 2019-11-12 13:00:27 +00:00			`// hashBytesRFC6979 returns the sha256 sum.`
			`func hashBytesRFC6979(data []byte) []byte {`
			`sign := sha256.Sum256(data)`
			`return sign[:]`
			`}`

initial 2019-10-17 13:11:58 +00:00			`// SignRFC6979 signs an arbitrary length hash (which should be the result of`
			`// hashing a larger message) using the private key. It returns the`
			`// signature as a pair of integers.`
			`//`
			`// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// to the byte-length of the subgroup. This function does not perform that.`
initial 2019-10-17 13:11:58 +00:00			`func SignRFC6979(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {`
Update RFC6979 to new release 2020-01-14 09:06:13 +00:00			`if key == nil {`
			`return nil, ErrEmptyPrivateKey`
initial 2019-10-17 13:11:58 +00:00			`}`
Update RFC6979 to new release 2020-01-14 09:06:13 +00:00			`r, s := rfc6979.SignECDSA(key, hashBytesRFC6979(msg), sha256.New)`
rfc6979: Add leading zeros if `r` or `s` has less than 32 bytes SignECDSA function returns two coordinates on elliptic curve. Catenation of these coordinates is a 64 byte signature. If one of these coordinates have less than 32 significant bytes, then it should have leading zeros. 2020-03-01 13:50:38 +00:00			`rBytes, sBytes := r.Bytes(), s.Bytes()`
			`signature := make([]byte, RFC6979SignatureSize)`

			// if `r` has less than 32 bytes, add leading zeros
			`ind := RFC6979SignatureSize/2 - len(rBytes)`
			`copy(signature[ind:], rBytes)`

			// if `s` has less than 32 bytes, add leading zeros
			`ind = RFC6979SignatureSize - len(sBytes)`
			`copy(signature[ind:], sBytes)`

			`return signature, nil`
initial 2019-10-17 13:11:58 +00:00			`}`

			`func decodeSignature(sig []byte) (big.Int, big.Int, error) {`
			`if ln := len(sig); ln != RFC6979SignatureSize {`
			`return nil, nil, errors.Wrapf(ErrWrongHashSize, "actual=%d, expect=%d", ln, RFC6979SignatureSize)`
			`}`

			`return new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]), nil`
			`}`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// VerifyRFC6979 verifies the signature of msg using the public key. It`
			`// return nil only if signature is valid.`
Change func Verify signature - Before `func Verify(pub ecdsa.PublicKey, sig, msg []byte) error` - After `func Verify(pub ecdsa.PublicKey, msg, sig []byte) error` - Update tests and replace `hash` with `sign` for signatures Fix issue #5 2019-11-12 12:52:13 +00:00			`func VerifyRFC6979(key *ecdsa.PublicKey, msg, sig []byte) error {`
Update RFC6979 to new release 2020-01-14 09:06:13 +00:00			`if key == nil {`
			`return ErrEmptyPublicKey`
			`} else if r, s, err := decodeSignature(sig); err != nil {`
initial 2019-10-17 13:11:58 +00:00			`return err`
Use SHA512 instead of SHA256 Fix issue #4 2019-11-12 13:00:27 +00:00			`} else if !ecdsa.Verify(key, hashBytesRFC6979(msg), r, s) {`
initial 2019-10-17 13:11:58 +00:00			`return ErrWrongSignature`
			`}`

			`return nil`
			`}`