author | Determinant <[email protected]> | 2022-11-17 18:08:59 -0800 |
---|---|---|
committer | Determinant <[email protected]> | 2022-11-17 18:08:59 -0800 |
commit | 8154806fe2fccacdc3dafaa68181a07bcf8d6c4c (patch) | |
tree | f477e6a005599bb88c18db142c267b9297c6060b /frozen_deps/Cryptodome/Signature/DSS.py | |
parent | be4dc086591c9bced04a507d127c83811c5700c4 (diff) |
v0.1.7
Diffstat (limited to 'frozen_deps/Cryptodome/Signature/DSS.py')
-rw-r--r-- | frozen_deps/Cryptodome/Signature/DSS.py | 158 |
1 files changed, 74 insertions, 84 deletions
diff --git a/frozen_deps/Cryptodome/Signature/DSS.py b/frozen_deps/Cryptodome/Signature/DSS.py index 3dcbeb4..67f23ac 100644 --- a/frozen_deps/Cryptodome/Signature/DSS.py +++ b/frozen_deps/Cryptodome/Signature/DSS.py @@ -31,15 +31,15 @@ # POSSIBILITY OF SUCH DAMAGE. # =================================================================== -__all__ = ['new'] - - from Cryptodome.Util.asn1 import DerSequence from Cryptodome.Util.number import long_to_bytes from Cryptodome.Math.Numbers import Integer from Cryptodome.Hash import HMAC from Cryptodome.PublicKey.ECC import EccKey +from Cryptodome.PublicKey.DSA import DsaKey + +__all__ = ['DssSigScheme', 'new'] class DssSigScheme(object): @@ -75,24 +75,23 @@ class DssSigScheme(object): raise NotImplementedError("To be provided by subclasses") def sign(self, msg_hash): - """Produce the DSA/ECDSA signature of a message. + """Compute the DSA/ECDSA signature of a message. - :parameter msg_hash: + Args: + msg_hash (hash object): The hash that was carried out over the message. The object belongs to the :mod:`Cryptodome.Hash` package. + Under mode ``'fips-186-3'``, the hash must be a FIPS + approved secure hash (SHA-2 or SHA-3). - Under mode *'fips-186-3'*, the hash must be a FIPS - approved secure hash (SHA-1 or a member of the SHA-2 family), - of cryptographic strength appropriate for the DSA key. - For instance, a 3072/256 DSA key can only be used - in combination with SHA-512. - :type msg_hash: hash object - - :return: The signature as a *byte string* + :return: The signature as ``bytes`` :raise ValueError: if the hash algorithm is incompatible to the (EC)DSA key :raise TypeError: if the (EC)DSA key has no private half """ + if not self._key.has_private(): + raise TypeError("Private key is needed to sign") + if not self._valid_hash(msg_hash): raise ValueError("Hash is not sufficiently strong") 
@@ -106,7 +105,7 @@ class DssSigScheme(object): # Encode the signature into a single byte string if self._encoding == 'binary': output = b"".join([long_to_bytes(x, self._order_bytes) - for x in sig_pair]) + for x in sig_pair]) else: # Dss-sig ::= SEQUENCE { # r INTEGER, @@ -123,20 +122,15 @@ class DssSigScheme(object): def verify(self, msg_hash, signature): """Check if a certain (EC)DSA signature is authentic. - :parameter msg_hash: + Args: + msg_hash (hash object): The hash that was carried out over the message. This is an object belonging to the :mod:`Cryptodome.Hash` module. + Under mode ``'fips-186-3'``, the hash must be a FIPS + approved secure hash (SHA-2 or SHA-3). - Under mode *'fips-186-3'*, the hash must be a FIPS - approved secure hash (SHA-1 or a member of the SHA-2 family), - of cryptographic strength appropriate for the DSA key. - For instance, a 3072/256 DSA key can only be used in - combination with SHA-512. - :type msg_hash: hash object - - :parameter signature: - The signature that needs to be validated - :type signature: byte string + signature (``bytes``): + The signature that needs to be validated. :raise ValueError: if the signature is not authentic """ 
@@ -294,85 +288,77 @@ class FipsEcDsaSigScheme(DssSigScheme): randfunc=self._randfunc) def _valid_hash(self, msg_hash): - """Verify that SHA-[23] (256|384|512) bits are used to - match the security of P-256 (128 bits), P-384 (192 bits) - or P-521 (256 bits)""" + """Verify that the strength of the hash matches or exceeds + the strength of the EC. We fail if the hash is too weak.""" modulus_bits = self._key.pointQ.size_in_bits() - sha256 = ( "2.16.840.1.101.3.4.2.1", "2.16.840.1.101.3.4.2.8" ) - sha384 = ( "2.16.840.1.101.3.4.2.2", "2.16.840.1.101.3.4.2.9" ) - sha512 = ( "2.16.840.1.101.3.4.2.3", "2.16.840.1.101.3.4.2.10") - - if msg_hash.oid in sha256: - return modulus_bits <= 256 - elif msg_hash.oid in sha384: - return modulus_bits <= 384 - else: - return msg_hash.oid in sha512 + # SHS: SHA-2, SHA-3, truncated SHA-512 + sha224 = ("2.16.840.1.101.3.4.2.4", "2.16.840.1.101.3.4.2.7", "2.16.840.1.101.3.4.2.5") + sha256 = ("2.16.840.1.101.3.4.2.1", "2.16.840.1.101.3.4.2.8", "2.16.840.1.101.3.4.2.6") + sha384 = ("2.16.840.1.101.3.4.2.2", "2.16.840.1.101.3.4.2.9") + sha512 = ("2.16.840.1.101.3.4.2.3", "2.16.840.1.101.3.4.2.10") + shs = sha224 + sha256 + sha384 + sha512 + + try: + result = msg_hash.oid in shs + except AttributeError: + result = False + return result def new(key, mode, encoding='binary', randfunc=None): - """Create a signature object :class:`DSS_SigScheme` that + """Create a signature object :class:`DssSigScheme` that can perform (EC)DSA signature or verification. .. note:: Refer to `NIST SP 800 Part 1 Rev 4`_ (or newer release) for an overview of the recommended key lengths. - :parameter key: - The key to use for computing the signature (*private* keys only) - or verifying one: it must be either - :class:`Cryptodome.PublicKey.DSA` or :class:`Cryptodome.PublicKey.ECC`. 
- - For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p`` - and of ``q``: the pair ``(L,N)`` must appear in the following list, - in compliance to section 4.2 of `FIPS 186-4`_: - - - (1024, 160) *legacy only; do not create new signatures with this* - - (2048, 224) *deprecated; do not create new signatures with this* - - (2048, 256) - - (3072, 256) + Args: + key (:class:`Cryptodome.PublicKey.DSA` or :class:`Cryptodome.PublicKey.ECC`): + The key to use for computing the signature (*private* keys only) + or for verifying one. + For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p`` + and of ``q``: the pair ``(L,N)`` must appear in the following list, + in compliance to section 4.2 of `FIPS 186-4`_: - For ECC, only keys over P-256, P384, and P-521 are accepted. - :type key: - a key object + - (1024, 160) *legacy only; do not create new signatures with this* + - (2048, 224) *deprecated; do not create new signatures with this* + - (2048, 256) + - (3072, 256) - :parameter mode: - The parameter can take these values: + For ECC, only keys over P-224, P-256, P-384, and P-521 are accepted. - - *'fips-186-3'*. The signature generation is randomized and carried out - according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG. - - *'deterministic-rfc6979'*. The signature generation is not - randomized. See RFC6979_. - :type mode: - string + mode (string): + The parameter can take these values: - :parameter encoding: - How the signature is encoded. This value determines the output of - :meth:`sign` and the input to :meth:`verify`. + - ``'fips-186-3'``. The signature generation is randomized and carried out + according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG. + - ``'deterministic-rfc6979'``. The signature generation is not + randomized. See RFC6979_. - The following values are accepted: + encoding (string): + How the signature is encoded. 
This value determines the output of + :meth:`sign` and the input to :meth:`verify`. - - *'binary'* (default), the signature is the raw concatenation - of ``r`` and ``s``. It is defined in the IEEE P.1363 standard. + The following values are accepted: - For DSA, the size in bytes of the signature is ``N/4`` bytes - (e.g. 64 for ``N=256``). + - ``'binary'`` (default), the signature is the raw concatenation + of ``r`` and ``s``. It is defined in the IEEE P.1363 standard. + For DSA, the size in bytes of the signature is ``N/4`` bytes + (e.g. 64 for ``N=256``). + For ECDSA, the signature is always twice the length of a point + coordinate (e.g. 64 bytes for P-256). - For ECDSA, the signature is always twice the length of a point - coordinate (e.g. 64 bytes for P-256). + - ``'der'``, the signature is a ASN.1 DER SEQUENCE + with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_. + The size of the signature is variable. - - *'der'*, the signature is a ASN.1 DER SEQUENCE - with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_. - The size of the signature is variable. - :type encoding: string - - :parameter randfunc: - A function that returns random *byte strings*, of a given length. - If omitted, the internal RNG is used. - Only applicable for the *'fips-186-3'* mode. - :type randfunc: callable + randfunc (callable): + A function that returns random ``bytes``, of a given length. + If omitted, the internal RNG is used. + Only applicable for the *'fips-186-3'* mode. .. _FIPS 186-3: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf .. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf 
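Review bot: In FipsEcDsaSigScheme._valid_hash the new body assigns `modulus_bits = self._key.pointQ.size_in_bits()` and never reads it, while the rewritten docstring still says the hash strength must match or exceed the curve's; the code now only tests `msg_hash.oid in shs`, so any approved digest (SHA-224 included) is accepted for any P curve and the signature's security strength is bounded by the weaker of hash and key. Either reinstate a comparison against `modulus_bits` or make the docstring and code agree: drop the unused line and say `"""Verify that the hash is a FIPS approved SHS digest (SHA-2 or SHA-3); the signature's strength is the lesser of the hash and the curve."""`. The `except AttributeError` fallback to `False` for a hash object without an `oid` attribute is the right conservative default and deserves a one-line comment such as `# hash objects without an OID are not SHS digests: reject`. The body of new() continues past the end of this hunk.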
@@ -393,9 +379,13 @@ def new(key, mode, encoding='binary', randfunc=None): if isinstance(key, EccKey): order = key._curve.order private_key_attr = 'd' - else: + if key._curve.name == "ed25519": + raise ValueError("ECC key is not on a NIST P curve") + elif isinstance(key, DsaKey): order = Integer(key.q) private_key_attr = 'x' + else: + raise ValueError("Unsupported key type " + str(type(key))) if key.has_private(): private_key = getattr(key, private_key_attr) |
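Review bot: The new ECC branch rejects only `key._curve.name == "ed25519"`, a deny-list of one name, whereas the docstring updated in the preceding hunk promises that only P-224, P-256, P-384 and P-521 keys are accepted; any other non-NIST curve the library exposes now or later would fall through to the ECDSA path with `key._curve.order`. An allow-list is the safer shape, e.g. `if key._curve.name not in _NIST_P_CURVE_NAMES: raise ValueError("ECC key is not on a NIST P curve")` where `_NIST_P_CURVE_NAMES` (name chosen here) is a module-level tuple of the identifiers ECC.py assigns to the four P curves. The new `else` branch raising `ValueError("Unsupported key type " + str(type(key)))` is a good replacement for the old silent fall-through to the DSA attributes. new() starts before this hunk and continues after it.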