URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [crypto/] [dsa/] [dsa.go] - Blame information for rev 747

Details | Compare with Previous | View Log


// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
 
// Package dsa implements the Digital Signature Algorithm, as defined in FIPS 186-3
package dsa
 
import (
        "errors"
        "io"
        "math/big"
)
 
// Parameters represents the domain parameters for a key. These parameters can
// be shared across many keys. The bit length of Q must be a multiple of 8.
type Parameters struct {
        P, Q, G *big.Int
}
 
// PublicKey represents a DSA public key.
type PublicKey struct {
        Parameters
        Y *big.Int
}
 
// PrivateKey represents a DSA private key.
type PrivateKey struct {
        PublicKey
        X *big.Int
}
 
type invalidPublicKeyError int
 
func (invalidPublicKeyError) Error() string {
        return "crypto/dsa: invalid public key"
}
 
// ErrInvalidPublicKey results when a public key is not usable by this code.
// FIPS is quite strict about the format of DSA keys, but other code may be
// less so. Thus, when using keys which may have been generated by other code,
// this error must be handled.
var ErrInvalidPublicKey error = invalidPublicKeyError(0)
 
// ParameterSizes is a enumeration of the acceptable bit lengths of the primes
// in a set of DSA parameters. See FIPS 186-3, section 4.2.
type ParameterSizes int
 
const (
        L1024N160 ParameterSizes = iota
        L2048N224
        L2048N256
        L3072N256
)
 
// numMRTests is the number of Miller-Rabin primality tests that we perform. We
// pick the largest recommended number from table C.1 of FIPS 186-3.
const numMRTests = 64
 
// GenerateParameters puts a random, valid set of DSA parameters into params.
// This function takes many seconds, even on fast machines.
func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes) (err error) {
        // This function doesn't follow FIPS 186-3 exactly in that it doesn't
        // use a verification seed to generate the primes. The verification
        // seed doesn't appear to be exported or used by other code and
        // omitting it makes the code cleaner.
 
        var L, N int
        switch sizes {
        case L1024N160:
                L = 1024
                N = 160
        case L2048N224:
                L = 2048
                N = 224
        case L2048N256:
                L = 2048
                N = 256
        case L3072N256:
                L = 3072
                N = 256
        default:
                return errors.New("crypto/dsa: invalid ParameterSizes")
        }
 
        qBytes := make([]byte, N/8)
        pBytes := make([]byte, L/8)
 
        q := new(big.Int)
        p := new(big.Int)
        rem := new(big.Int)
        one := new(big.Int)
        one.SetInt64(1)
 
GeneratePrimes:
        for {
                _, err = io.ReadFull(rand, qBytes)
                if err != nil {
                        return
                }
 
                qBytes[len(qBytes)-1] |= 1
                qBytes[0] |= 0x80
                q.SetBytes(qBytes)
 
                if !q.ProbablyPrime(numMRTests) {
                        continue
                }
 
                for i := 0; i < 4*L; i++ {
                        _, err = io.ReadFull(rand, pBytes)
                        if err != nil {
                                return
                        }
 
                        pBytes[len(pBytes)-1] |= 1
                        pBytes[0] |= 0x80
 
                        p.SetBytes(pBytes)
                        rem.Mod(p, q)
                        rem.Sub(rem, one)
                        p.Sub(p, rem)
                        if p.BitLen() < L {
                                continue
                        }
 
                        if !p.ProbablyPrime(numMRTests) {
                                continue
                        }
 
                        params.P = p
                        params.Q = q
                        break GeneratePrimes
                }
        }
 
        h := new(big.Int)
        h.SetInt64(2)
        g := new(big.Int)
 
        pm1 := new(big.Int).Sub(p, one)
        e := new(big.Int).Div(pm1, q)
 
        for {
                g.Exp(h, e, p)
                if g.Cmp(one) == 0 {
                        h.Add(h, one)
                        continue
                }
 
                params.G = g
                return
        }
 
        panic("unreachable")
}
 
// GenerateKey generates a public&private key pair. The Parameters of the
// PrivateKey must already be valid (see GenerateParameters).
func GenerateKey(priv *PrivateKey, rand io.Reader) error {
        if priv.P == nil || priv.Q == nil || priv.G == nil {
                return errors.New("crypto/dsa: parameters not set up before generating key")
        }
 
        x := new(big.Int)
        xBytes := make([]byte, priv.Q.BitLen()/8)
 
        for {
                _, err := io.ReadFull(rand, xBytes)
                if err != nil {
                        return err
                }
                x.SetBytes(xBytes)
                if x.Sign() != 0 && x.Cmp(priv.Q) < 0 {
                        break
                }
        }
 
        priv.X = x
        priv.Y = new(big.Int)
        priv.Y.Exp(priv.G, x, priv.P)
        return nil
}
 
// Sign signs an arbitrary length hash (which should be the result of hashing a
// larger message) using the private key, priv. It returns the signature as a
// pair of integers. The security of the private key depends on the entropy of
// rand.
//
// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
// to the byte-length of the subgroup. This function does not perform that
// truncation itself.
func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
        // FIPS 186-3, section 4.6
 
        n := priv.Q.BitLen()
        if n&7 != 0 {
                err = ErrInvalidPublicKey
                return
        }
        n >>= 3
 
        for {
                k := new(big.Int)
                buf := make([]byte, n)
                for {
                        _, err = io.ReadFull(rand, buf)
                        if err != nil {
                                return
                        }
                        k.SetBytes(buf)
                        if k.Sign() > 0 && k.Cmp(priv.Q) < 0 {
                                break
                        }
                }
 
                kInv := new(big.Int).ModInverse(k, priv.Q)
 
                r = new(big.Int).Exp(priv.G, k, priv.P)
                r.Mod(r, priv.Q)
 
                if r.Sign() == 0 {
                        continue
                }
 
                z := k.SetBytes(hash)
 
                s = new(big.Int).Mul(priv.X, r)
                s.Add(s, z)
                s.Mod(s, priv.Q)
                s.Mul(s, kInv)
                s.Mod(s, priv.Q)
 
                if s.Sign() != 0 {
                        break
                }
        }
 
        return
}
 
// Verify verifies the signature in r, s of hash using the public key, pub. It
// reports whether the signature is valid.
//
// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
// to the byte-length of the subgroup. This function does not perform that
// truncation itself.
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
        // FIPS 186-3, section 4.7
 
        if r.Sign() < 1 || r.Cmp(pub.Q) >= 0 {
                return false
        }
        if s.Sign() < 1 || s.Cmp(pub.Q) >= 0 {
                return false
        }
 
        w := new(big.Int).ModInverse(s, pub.Q)
 
        n := pub.Q.BitLen()
        if n&7 != 0 {
                return false
        }
        z := new(big.Int).SetBytes(hash)
 
        u1 := new(big.Int).Mul(z, w)
        u1.Mod(u1, pub.Q)
        u2 := w.Mul(r, w)
        u2.Mod(u2, pub.Q)
        v := u1.Exp(pub.G, u1, pub.P)
        u2.Exp(pub.Y, u2, pub.P)
        v.Mul(v, u2)
        v.Mod(v, pub.P)
        v.Mod(v, pub.Q)
 
        return v.Cmp(r) == 0
}

Browse

Tools

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [crypto/] [dsa/] [dsa.go] - Blame information for rev 747

Line No.	Rev	Author	Line
1	747	jeremybenn	`// Copyright 2011 The Go Authors. All rights reserved.`
2			`// Use of this source code is governed by a BSD-style`
3			`// license that can be found in the LICENSE file.`
4
5			`// Package dsa implements the Digital Signature Algorithm, as defined in FIPS 186-3`
6			`package dsa`
7
8			`import (`
9			`"errors"`
10			`"io"`
11			`"math/big"`
12			`)`
13
14			`// Parameters represents the domain parameters for a key. These parameters can`
15			`// be shared across many keys. The bit length of Q must be a multiple of 8.`
16			`type Parameters struct {`
17			`P, Q, G *big.Int`
18			`}`
19
20			`// PublicKey represents a DSA public key.`
21			`type PublicKey struct {`
22			`Parameters`
23			`Y *big.Int`
24			`}`
25
26			`// PrivateKey represents a DSA private key.`
27			`type PrivateKey struct {`
28			`PublicKey`
29			`X *big.Int`
30			`}`
31
32			`type invalidPublicKeyError int`
33
34			`func (invalidPublicKeyError) Error() string {`
35			`return "crypto/dsa: invalid public key"`
36			`}`
37
38			`// ErrInvalidPublicKey results when a public key is not usable by this code.`
39			`// FIPS is quite strict about the format of DSA keys, but other code may be`
40			`// less so. Thus, when using keys which may have been generated by other code,`
41			`// this error must be handled.`
42			`var ErrInvalidPublicKey error = invalidPublicKeyError(0)`
43
44			`// ParameterSizes is a enumeration of the acceptable bit lengths of the primes`
45			`// in a set of DSA parameters. See FIPS 186-3, section 4.2.`
46			`type ParameterSizes int`
47
48			`const (`
49			`L1024N160 ParameterSizes = iota`
50			`L2048N224`
51			`L2048N256`
52			`L3072N256`
53			`)`
54
55			`// numMRTests is the number of Miller-Rabin primality tests that we perform. We`
56			`// pick the largest recommended number from table C.1 of FIPS 186-3.`
57			`const numMRTests = 64`
58
59			`// GenerateParameters puts a random, valid set of DSA parameters into params.`
60			`// This function takes many seconds, even on fast machines.`
61			`func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes) (err error) {`
62			`// This function doesn't follow FIPS 186-3 exactly in that it doesn't`
63			`// use a verification seed to generate the primes. The verification`
64			`// seed doesn't appear to be exported or used by other code and`
65			`// omitting it makes the code cleaner.`
66
67			`var L, N int`
68			`switch sizes {`
69			`case L1024N160:`
70			`L = 1024`
71			`N = 160`
72			`case L2048N224:`
73			`L = 2048`
74			`N = 224`
75			`case L2048N256:`
76			`L = 2048`
77			`N = 256`
78			`case L3072N256:`
79			`L = 3072`
80			`N = 256`
81			`default:`
82			`return errors.New("crypto/dsa: invalid ParameterSizes")`
83			`}`
84
85			`qBytes := make([]byte, N/8)`
86			`pBytes := make([]byte, L/8)`
87
88			`q := new(big.Int)`
89			`p := new(big.Int)`
90			`rem := new(big.Int)`
91			`one := new(big.Int)`
92			`one.SetInt64(1)`
93
94			`GeneratePrimes:`
95			`for {`
96			`_, err = io.ReadFull(rand, qBytes)`
97			`if err != nil {`
98			`return`
99			`}`
100
101			`qBytes[len(qBytes)-1] \|= 1`
102			`qBytes[0] \|= 0x80`
103			`q.SetBytes(qBytes)`
104
105			`if !q.ProbablyPrime(numMRTests) {`
106			`continue`
107			`}`
108
109			`for i := 0; i < 4*L; i++ {`
110			`_, err = io.ReadFull(rand, pBytes)`
111			`if err != nil {`
112			`return`
113			`}`
114
115			`pBytes[len(pBytes)-1] \|= 1`
116			`pBytes[0] \|= 0x80`
117
118			`p.SetBytes(pBytes)`
119			`rem.Mod(p, q)`
120			`rem.Sub(rem, one)`
121			`p.Sub(p, rem)`
122			`if p.BitLen() < L {`
123			`continue`
124			`}`
125
126			`if !p.ProbablyPrime(numMRTests) {`
127			`continue`
128			`}`
129
130			`params.P = p`
131			`params.Q = q`
132			`break GeneratePrimes`
133			`}`
134			`}`
135
136			`h := new(big.Int)`
137			`h.SetInt64(2)`
138			`g := new(big.Int)`
139
140			`pm1 := new(big.Int).Sub(p, one)`
141			`e := new(big.Int).Div(pm1, q)`
142
143			`for {`
144			`g.Exp(h, e, p)`
145			`if g.Cmp(one) == 0 {`
146			`h.Add(h, one)`
147			`continue`
148			`}`
149
150			`params.G = g`
151			`return`
152			`}`
153
154			`panic("unreachable")`
155			`}`
156
157			`// GenerateKey generates a public&private key pair. The Parameters of the`
158			`// PrivateKey must already be valid (see GenerateParameters).`
159			`func GenerateKey(priv *PrivateKey, rand io.Reader) error {`
160			`if priv.P == nil \|\| priv.Q == nil \|\| priv.G == nil {`
161			`return errors.New("crypto/dsa: parameters not set up before generating key")`
162			`}`
163
164			`x := new(big.Int)`
165			`xBytes := make([]byte, priv.Q.BitLen()/8)`
166
167			`for {`
168			`_, err := io.ReadFull(rand, xBytes)`
169			`if err != nil {`
170			`return err`
171			`}`
172			`x.SetBytes(xBytes)`
173			`if x.Sign() != 0 && x.Cmp(priv.Q) < 0 {`
174			`break`
175			`}`
176			`}`
177
178			`priv.X = x`
179			`priv.Y = new(big.Int)`
180			`priv.Y.Exp(priv.G, x, priv.P)`
181			`return nil`
182			`}`
183
184			`// Sign signs an arbitrary length hash (which should be the result of hashing a`
185			`// larger message) using the private key, priv. It returns the signature as a`
186			`// pair of integers. The security of the private key depends on the entropy of`
187			`// rand.`
188			`//`
189			`// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated`
190			`// to the byte-length of the subgroup. This function does not perform that`
191			`// truncation itself.`
192			`func Sign(rand io.Reader, priv PrivateKey, hash []byte) (r, s big.Int, err error) {`
193			`// FIPS 186-3, section 4.6`
194
195			`n := priv.Q.BitLen()`
196			`if n&7 != 0 {`
197			`err = ErrInvalidPublicKey`
198			`return`
199			`}`
200			`n >>= 3`
201
202			`for {`
203			`k := new(big.Int)`
204			`buf := make([]byte, n)`
205			`for {`
206			`_, err = io.ReadFull(rand, buf)`
207			`if err != nil {`
208			`return`
209			`}`
210			`k.SetBytes(buf)`
211			`if k.Sign() > 0 && k.Cmp(priv.Q) < 0 {`
212			`break`
213			`}`
214			`}`
215
216			`kInv := new(big.Int).ModInverse(k, priv.Q)`
217
218			`r = new(big.Int).Exp(priv.G, k, priv.P)`
219			`r.Mod(r, priv.Q)`
220
221			`if r.Sign() == 0 {`
222			`continue`
223			`}`
224
225			`z := k.SetBytes(hash)`
226
227			`s = new(big.Int).Mul(priv.X, r)`
228			`s.Add(s, z)`
229			`s.Mod(s, priv.Q)`
230			`s.Mul(s, kInv)`
231			`s.Mod(s, priv.Q)`
232
233			`if s.Sign() != 0 {`
234			`break`
235			`}`
236			`}`
237
238			`return`
239			`}`
240
241			`// Verify verifies the signature in r, s of hash using the public key, pub. It`
242			`// reports whether the signature is valid.`
243			`//`
244			`// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated`
245			`// to the byte-length of the subgroup. This function does not perform that`
246			`// truncation itself.`
247			`func Verify(pub PublicKey, hash []byte, r, s big.Int) bool {`
248			`// FIPS 186-3, section 4.7`
249
250			`if r.Sign() < 1 \|\| r.Cmp(pub.Q) >= 0 {`
251			`return false`
252			`}`
253			`if s.Sign() < 1 \|\| s.Cmp(pub.Q) >= 0 {`
254			`return false`
255			`}`
256
257			`w := new(big.Int).ModInverse(s, pub.Q)`
258
259			`n := pub.Q.BitLen()`
260			`if n&7 != 0 {`
261			`return false`
262			`}`
263			`z := new(big.Int).SetBytes(hash)`
264
265			`u1 := new(big.Int).Mul(z, w)`
266			`u1.Mod(u1, pub.Q)`
267			`u2 := w.Mul(r, w)`
268			`u2.Mod(u2, pub.Q)`
269			`v := u1.Exp(pub.G, u1, pub.P)`
270			`u2.Exp(pub.Y, u2, pub.P)`
271			`v.Mul(v, u2)`
272			`v.Mod(v, pub.P)`
273			`v.Mod(v, pub.Q)`
274
275			`return v.Cmp(r) == 0`
276			`}`