📄 lib_dsa.c
字号:
/****************************************************************************
* *
* cryptlib DSA Encryption Routines *
* Copyright Peter Gutmann 1995-2002 *
* *
****************************************************************************/
#include <stdlib.h>
#if defined( INC_ALL )
#include "crypt.h"
#include "context.h"
#include "libs.h"
#elif defined( INC_CHILD )
#include "../crypt.h"
#include "../misc/context.h"
#include "libs.h"
#else
#include "crypt.h"
#include "misc/context.h"
#include "libs/libs.h"
#endif /* Compiler-specific includes */
/****************************************************************************
* *
* Predefined DSA p, q, and g Parameters *
* *
****************************************************************************/
/* We never use shared DSA parameters because they allow forgery of
signatures on certificates. This works as follows: Suppose that the
certificate contains a copy of the certificate signer's DSA parameters,
and the verifier of the certificate has a copy of the signer's public key
but not the signer's DSA parameters (which are shared with other keys).
If the verifier uses the DSA parameters from the certificate along with
the signer's public key to verify the signature on the certificate, then
an attacker can create bogus certificates by choosing a random u and
finding its inverse v modulo q (uv is congruent to 1 modulo q). Then
take the certificate signer's public key g^x and compute g' = (g^x)^u.
Then g'^v = g^x. Using the DSA parameters p, q, g', the signer's public
key corresponds to the private key v, which the attacker knows. The
attacker can then create a bogus certificate, put parameters (p, q, g')
in it, and sign it with the DSA private key v to create an apparently
valid certificate. This works with the DSA OID which makes p, q, and g
unauthenticated public parameters and y the public key, but not the one
which makes p, q, g, and y the public key */
/****************************************************************************
* *
* Algorithm Self-test *
* *
****************************************************************************/
/* Test the DSA implementation using the sample key and hash from FIPS 186.
Because a lot of the high-level encryption routines don't exist yet, we
cheat a bit and set up a dummy encryption context with just enough
information for the following code to work */
typedef struct {
const int pLen; const BYTE p[ 64 ];
const int qLen; const BYTE q[ 20 ];
const int gLen; const BYTE g[ 64 ];
const int xLen; const BYTE x[ 20 ];
const int yLen; const BYTE y[ 64 ];
} DLP_PRIVKEY;
static const FAR_BSS DLP_PRIVKEY dlpTestKey = {
/* p */
64,
{ 0x8D, 0xF2, 0xA4, 0x94, 0x49, 0x22, 0x76, 0xAA,
0x3D, 0x25, 0x75, 0x9B, 0xB0, 0x68, 0x69, 0xCB,
0xEA, 0xC0, 0xD8, 0x3A, 0xFB, 0x8D, 0x0C, 0xF7,
0xCB, 0xB8, 0x32, 0x4F, 0x0D, 0x78, 0x82, 0xE5,
0xD0, 0x76, 0x2F, 0xC5, 0xB7, 0x21, 0x0E, 0xAF,
0xC2, 0xE9, 0xAD, 0xAC, 0x32, 0xAB, 0x7A, 0xAC,
0x49, 0x69, 0x3D, 0xFB, 0xF8, 0x37, 0x24, 0xC2,
0xEC, 0x07, 0x36, 0xEE, 0x31, 0xC8, 0x02, 0x91 },
/* q */
20,
{ 0xC7, 0x73, 0x21, 0x8C, 0x73, 0x7E, 0xC8, 0xEE,
0x99, 0x3B, 0x4F, 0x2D, 0xED, 0x30, 0xF4, 0x8E,
0xDA, 0xCE, 0x91, 0x5F },
/* g */
64,
{ 0x62, 0x6D, 0x02, 0x78, 0x39, 0xEA, 0x0A, 0x13,
0x41, 0x31, 0x63, 0xA5, 0x5B, 0x4C, 0xB5, 0x00,
0x29, 0x9D, 0x55, 0x22, 0x95, 0x6C, 0xEF, 0xCB,
0x3B, 0xFF, 0x10, 0xF3, 0x99, 0xCE, 0x2C, 0x2E,
0x71, 0xCB, 0x9D, 0xE5, 0xFA, 0x24, 0xBA, 0xBF,
0x58, 0xE5, 0xB7, 0x95, 0x21, 0x92, 0x5C, 0x9C,
0xC4, 0x2E, 0x9F, 0x6F, 0x46, 0x4B, 0x08, 0x8C,
0xC5, 0x72, 0xAF, 0x53, 0xE6, 0xD7, 0x88, 0x02 },
/* x */
20,
{ 0x20, 0x70, 0xB3, 0x22, 0x3D, 0xBA, 0x37, 0x2F,
0xDE, 0x1C, 0x0F, 0xFC, 0x7B, 0x2E, 0x3B, 0x49,
0x8B, 0x26, 0x06, 0x14 },
/* y */
64,
{ 0x19, 0x13, 0x18, 0x71, 0xD7, 0x5B, 0x16, 0x12,
0xA8, 0x19, 0xF2, 0x9D, 0x78, 0xD1, 0xB0, 0xD7,
0x34, 0x6F, 0x7A, 0xA7, 0x7B, 0xB6, 0x2A, 0x85,
0x9B, 0xFD, 0x6C, 0x56, 0x75, 0xDA, 0x9D, 0x21,
0x2D, 0x3A, 0x36, 0xEF, 0x16, 0x72, 0xEF, 0x66,
0x0B, 0x8C, 0x7C, 0x25, 0x5C, 0xC0, 0xEC, 0x74,
0x85, 0x8F, 0xBA, 0x33, 0xF4, 0x4C, 0x06, 0x69,
0x96, 0x30, 0xA7, 0x6B, 0x03, 0x0E, 0xE3, 0x33 }
};
static const FAR_BSS BYTE shaM[] = {
0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A,
0xBA, 0x3E, 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C,
0x9C, 0xD0, 0xD8, 0x9D
};
/* If we're doing a self-test using the FIPS 186 values we use the following
fixed k data rather than a randomly-generated value */
static const FAR_BSS BYTE kVal[] = {
0x35, 0x8D, 0xAD, 0x57, 0x14, 0x62, 0x71, 0x0F,
0x50, 0xE2, 0x54, 0xCF, 0x1A, 0x37, 0x6B, 0x2B,
0xDE, 0xAA, 0xDF, 0xBF
};
int dsaSelfTest( void )
{
void initKeyReadWrite( CONTEXT_INFO *contextInfoPtrPtr );
CONTEXT_INFO contextInfoPtr;
PKC_INFO pkcInfoStorage, *pkcInfo;
static const FAR_BSS CAPABILITY_INFO capabilityInfo = \
{ CRYPT_ALGO_DSA, 0, NULL, 64, 128, 512, 0 };
DLP_PARAMS dlpParams;
BYTE buffer[ 128 ];
int status;
/* Initialise the key components */
memset( &contextInfoPtr, 0, sizeof( CONTEXT_INFO ) );
memset( &pkcInfoStorage, 0, sizeof( PKC_INFO ) );
contextInfoPtr.ctxPKC = pkcInfo = &pkcInfoStorage;
BN_init( &pkcInfo->dlpParam_p );
BN_init( &pkcInfo->dlpParam_q );
BN_init( &pkcInfo->dlpParam_g );
BN_init( &pkcInfo->dlpParam_y );
BN_init( &pkcInfo->dlpParam_x );
BN_init( &pkcInfo->tmp1 );
BN_init( &pkcInfo->tmp2 );
BN_init( &pkcInfo->tmp3 );
BN_init( &pkcInfo->dlpTmp1 );
BN_init( &pkcInfo->dlpTmp2 );
BN_CTX_init( &pkcInfo->bnCTX );
BN_MONT_CTX_init( &pkcInfo->rsaParam_mont_p );
contextInfoPtr.capabilityInfo = &capabilityInfo;
initKeyReadWrite( &contextInfoPtr );
BN_bin2bn( dlpTestKey.p, dlpTestKey.pLen, &pkcInfo->dlpParam_p );
BN_bin2bn( dlpTestKey.q, dlpTestKey.qLen, &pkcInfo->dlpParam_q );
BN_bin2bn( dlpTestKey.g, dlpTestKey.gLen, &pkcInfo->dlpParam_g );
BN_bin2bn( dlpTestKey.y, dlpTestKey.yLen, &pkcInfo->dlpParam_y );
BN_bin2bn( dlpTestKey.x, dlpTestKey.xLen, &pkcInfo->dlpParam_x );
/* Perform the test sign/sig.check of the FIPS 186 test values */
setDLPParams( &dlpParams, shaM, 20, buffer, 128 )
dlpParams.inLen2 = -999;
status = dsaInitKey( &contextInfoPtr, NULL, 0 );
if( !cryptStatusError( status ) )
status = dsaSign( &contextInfoPtr, ( BYTE * ) &dlpParams,
sizeof( DLP_PARAMS ) );
if( !cryptStatusError( status ) )
{
const int sigSize = dlpParams.outLen;
setDLPParams( &dlpParams, shaM, 20, NULL, 0 )
dlpParams.inParam2 = buffer;
dlpParams.inLen2 = sigSize;
status = dsaSigCheck( &contextInfoPtr, ( BYTE * ) &dlpParams,
sizeof( DLP_PARAMS ) );
}
if( cryptStatusError( status ) )
status = CRYPT_ERROR;
/* Clean up */
BN_clear_free( &pkcInfo->dlpParam_p );
BN_clear_free( &pkcInfo->dlpParam_q );
BN_clear_free( &pkcInfo->dlpParam_g );
BN_clear_free( &pkcInfo->dlpParam_y );
BN_clear_free( &pkcInfo->dlpParam_x );
BN_clear_free( &pkcInfo->tmp1 );
BN_clear_free( &pkcInfo->tmp2 );
BN_clear_free( &pkcInfo->tmp3 );
BN_clear_free( &pkcInfo->dlpTmp1 );
BN_clear_free( &pkcInfo->dlpTmp2 );
BN_CTX_free( &pkcInfo->bnCTX );
BN_MONT_CTX_free( &pkcInfo->dlpParam_mont_p );
zeroise( &pkcInfoStorage, sizeof( PKC_INFO ) );
zeroise( &contextInfoPtr, sizeof( CONTEXT_INFO ) );
return( status );
}
/****************************************************************************
* *
* Create/Check a Signature *
* *
****************************************************************************/
/* Since DSA signature generation produces two values and the cryptEncrypt()
model only provides for passing a byte string in and out (or, more
specifically, the internal bignum data can't be exported to the outside
world), we need to encode the resulting data into a flat format. This is
done by encoding the output as an X9.31 Dss-Sig record:
Dss-Sig ::= SEQUENCE {
r INTEGER,
s INTEGER
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -