sdsa.h

伯克利做的SFTP安全文件传输协议

// sdsa.h
// my (Scott McPeak) implementation of DSA, working from
// _Applied Cryptography_ by Bruce Schneier, and using
// Wei Dai's Integer class from his crypto++ 2.3
// copyright SafeTP Development Group, Inc., 2000  Terms of use are as specified in license.txt

#ifndef __SDSA_H
#define __SDSA_H

#include "trans.h"               // Trans
#include "integer.h"             // Integer
#include "datablok.h"            // DataBlock
#include "str.h"                 // string

class RandomNumberGenerator;     // cryptlib.h


// constants
enum {
  MIN_DSA_PRIME_LENGTH = 512,
  MAX_DSA_PRIME_LENGTH = 1024,
  DSA_PRIME_LENGTH_INC = 64,      // modulus length must be a multiple of this
  DSA_SIGNATURE_LENGTH = 40,      // bytes per DSA signature

  CURRENT_KEY_VERSION  = 1,       // key version generated by default
  MAX_POSSIBLE_VERSION = 0xff,    // because it is stored as a single byte
};


// these tell what the min and max known versions are
void knownDSAPublicKeyVersions(int &minimum, int &maximum);


// hardcoded parameters ([0] is p, [1] is q, [2] is g, in ascii decimal)
extern char const * const DSA_512bit_parameters[3];
extern char const * const DSA_1024bit_parameters[3];


// functional interface
void DSA_sign(
  Integer &r, Integer &s,                // output signature
  Integer const &p, Integer const &q,
  Integer const &g,                      // parameters
  Integer const &x,                      // private key
  Integer const &digest,
  RandomNumberGenerator &rng);           // per-message

// returns true if the signature is valid, false otherwise
bool DSA_verify(
  Integer const &p, Integer const &q,
  Integer const &g,                      // parameters
  Integer const &y,                      // public key
  Integer const &r, Integer const &s,    // signature
  Integer const &digest);                // per-message

// generate keys randomly
void DSA_keygen(
  Integer &x, Integer &y,                // keys (x is private)
  Integer const &p, Integer const &q,
  Integer const &g,                      // parameters
  RandomNumberGenerator &rng);           // source of randomness


// storage and retrieval of cryptosystem parameters
class DSAParameters {
protected:
  Integer p, q, g;                  // system parameters

public:
  DSAParameters();                  // init to zeroes
  DSAParameters(DSAParameters const &obj);
  DSAParameters(Integer const &p, Integer const &q, Integer const &g);
  DSAParameters(char const * const *params);     // format of parameters above
  ~DSAParameters();

  DSAParameters& operator= (DSAParameters const &obj);
  bool operator== (DSAParameters const &obj) const;

  // encode and decode
  void encode(DataBlock &stream) const;
  DSAParameters(DataBlock &stream);

  // selectors
  Integer const &getP() const { return p; }
  Integer const &getQ() const { return q; }
  Integer const &getG() const { return g; }
};


// public key storage and retrieval
class DSAPublicKey : public DSAParameters {
protected:
  Integer y;                     // public key

public:
  DSAPublicKey();
  DSAPublicKey(DSAPublicKey const &obj);
  DSAPublicKey(DSAParameters const &params, Integer const &y);
  ~DSAPublicKey();

  DSAPublicKey& operator= (DSAPublicKey const &obj);
  bool operator== (DSAPublicKey const &obj) const;
  bool operator != (DSAPublicKey const &obj) const  
    { return !operator==(obj); }

  // encode / decode
  void encode(DataBlock &stream) const;
  DSAPublicKey(DataBlock &stream);

  // selectors
  Integer const &getY() const { return y; }

  // ascii summary
  void insertOstream(ostream &os) const;
  friend ostream& operator<< (ostream &os, DSAPublicKey const &obj)
    { obj.insertOstream(os); return os; }
};


// verification as transformation; verifies the signature
// of the appended data, and throws xSecurity if the
// signature does not match
class DSAVerifier : public Trans, public DSAPublicKey {
public:
  DSAVerifier(DSAPublicKey const &pubkey);
  ~DSAVerifier();

  // decode
  DSAVerifier(DataBlock &stream);

  // direct verification interface (alternative to trans)
  void verify(DataBlock const &data, DataBlock &signature);
    // signature is consumed by this operation (make a copy first
    // if you'll need it later)

  // Trans interface
  virtual int minInputSize() const;
  virtual int maxInputSize() const;
  virtual int minOutputSize(int inputSize) const;
  virtual int maxOutputSize(int inputSize) const;
  virtual void trans(DataBlock &data);
};


// private key storage and retrieval
class DSAPrivateKey : public DSAPublicKey {
protected:
  Integer x;              // private key

public:
  DSAPrivateKey(DSAPrivateKey const &obj);
  DSAPrivateKey(DSAPublicKey const &pubkey,
                Integer const &x);
  DSAPrivateKey(DSAParameters const &params,
                RandomNumberGenerator &rng);    // make up a new key pair
  ~DSAPrivateKey();

  // encode / decode
  void encode(DataBlock &stream) const;
  DSAPrivateKey(DataBlock &stream);

  // selectors
  Integer const &getX() const;
};


// transformation interface for signing; the data is 'transformed'
// by appending the signature
class DSASigner : public Trans, public DSAPrivateKey {
  RandomNumberGenerator &rng;    // source of randomness

public:
  DSASigner(DSAPrivateKey const &key, RandomNumberGenerator &rng);
  virtual ~DSASigner();

  // decode (encode is same as DSAPublicKey)
  DSASigner(DataBlock &stream, RandomNumberGenerator &rng);

  // direct signing interface (alternative to trans)
  void sign(DataBlock const &data, DataBlock &signature);

  // Trans interface
  virtual int minInputSize() const;
  virtual int maxInputSize() const;
  virtual int minOutputSize(int inputSize) const;
  virtual int maxOutputSize(int inputSize) const;
  virtual void trans(DataBlock &data);
};


// public key with some human-readable identifying information
// attached, and signed with the corresponding private key
// (see end of file)
class DSABrandedPublicKey : public DSAPublicKey {
  string name;           // identifying information
  DataBlock brandedKey;  // encoded key with branding info
  int version;           // version of encoding

protected:
  void validateVersion();  

public:
  DSABrandedPublicKey(DSABrandedPublicKey const &obj);
  DSABrandedPublicKey(DSASigner &signer,
                      char const *name,
                      int version = CURRENT_KEY_VERSION);
  ~DSABrandedPublicKey();

  // encode / decode
  // (this interface is a little different because, unlike
  // some of the others, the 'decode' function assumes the
  // entire block is for its consumption)
  DataBlock const &encode() const { return brandedKey; }
  DSABrandedPublicKey(DataBlock const &stream);

  // selectors
  string const &getName() const { return name; }
  int getVersion() const { return version; }

  // this returns a Sha of the key data, rendered in hex
  string getShaString() const;
};


/* --------- version numbers for DSA public keys -------------
  Versioning for DSA public keys is deemed necessary because we do not want
  routine software updates, which may include minor formatting changes, to
  undermine the installed base of public keys.  Therefore each key is tagged
  with a version number.
 
  I don't know what the right policy is with respect to reading or writing
  older versions.. so I'm gonna punt on that for now.

  The version number is a single-byte value appended to the format as otherwise
  described with each version identifier.  E.g. version 1 keys are really:
    [ encoded public key ][ encoded name ][ signature ][ 1 ]

  Number Date      Description
  ------ --------  -----------
  1       2/ 3/99  Initial format: [ encoded public key ][ encoded name ][ signature ]


   ----------------------------------------------------------- */

#endif // __SDSA_H