aboutsummaryrefslogtreecommitdiff
path: root/frozen_deps/Cryptodome/Signature/DSS.py
diff options
context:
space:
mode:
Diffstat (limited to 'frozen_deps/Cryptodome/Signature/DSS.py')
-rw-r--r--frozen_deps/Cryptodome/Signature/DSS.py158
1 files changed, 74 insertions, 84 deletions
diff --git a/frozen_deps/Cryptodome/Signature/DSS.py b/frozen_deps/Cryptodome/Signature/DSS.py
index 3dcbeb4..67f23ac 100644
--- a/frozen_deps/Cryptodome/Signature/DSS.py
+++ b/frozen_deps/Cryptodome/Signature/DSS.py
@@ -31,15 +31,15 @@
# POSSIBILITY OF SUCH DAMAGE.
# ===================================================================
-__all__ = ['new']
-
-
from Cryptodome.Util.asn1 import DerSequence
from Cryptodome.Util.number import long_to_bytes
from Cryptodome.Math.Numbers import Integer
from Cryptodome.Hash import HMAC
from Cryptodome.PublicKey.ECC import EccKey
+from Cryptodome.PublicKey.DSA import DsaKey
+
+__all__ = ['DssSigScheme', 'new']
class DssSigScheme(object):
@@ -75,24 +75,23 @@ class DssSigScheme(object):
raise NotImplementedError("To be provided by subclasses")
def sign(self, msg_hash):
- """Produce the DSA/ECDSA signature of a message.
+ """Compute the DSA/ECDSA signature of a message.
- :parameter msg_hash:
+ Args:
+ msg_hash (hash object):
The hash that was carried out over the message.
The object belongs to the :mod:`Cryptodome.Hash` package.
+ Under mode ``'fips-186-3'``, the hash must be a FIPS
+ approved secure hash (SHA-2 or SHA-3).
- Under mode *'fips-186-3'*, the hash must be a FIPS
- approved secure hash (SHA-1 or a member of the SHA-2 family),
- of cryptographic strength appropriate for the DSA key.
- For instance, a 3072/256 DSA key can only be used
- in combination with SHA-512.
- :type msg_hash: hash object
-
- :return: The signature as a *byte string*
+ :return: The signature as ``bytes``
:raise ValueError: if the hash algorithm is incompatible to the (EC)DSA key
:raise TypeError: if the (EC)DSA key has no private half
"""
+ if not self._key.has_private():
+ raise TypeError("Private key is needed to sign")
+
if not self._valid_hash(msg_hash):
raise ValueError("Hash is not sufficiently strong")
@@ -106,7 +105,7 @@ class DssSigScheme(object):
# Encode the signature into a single byte string
if self._encoding == 'binary':
output = b"".join([long_to_bytes(x, self._order_bytes)
- for x in sig_pair])
+ for x in sig_pair])
else:
# Dss-sig ::= SEQUENCE {
# r INTEGER,
@@ -123,20 +122,15 @@ class DssSigScheme(object):
def verify(self, msg_hash, signature):
"""Check if a certain (EC)DSA signature is authentic.
- :parameter msg_hash:
+ Args:
+ msg_hash (hash object):
The hash that was carried out over the message.
This is an object belonging to the :mod:`Cryptodome.Hash` module.
+ Under mode ``'fips-186-3'``, the hash must be a FIPS
+ approved secure hash (SHA-2 or SHA-3).
- Under mode *'fips-186-3'*, the hash must be a FIPS
- approved secure hash (SHA-1 or a member of the SHA-2 family),
- of cryptographic strength appropriate for the DSA key.
- For instance, a 3072/256 DSA key can only be used in
- combination with SHA-512.
- :type msg_hash: hash object
-
- :parameter signature:
- The signature that needs to be validated
- :type signature: byte string
+ signature (``bytes``):
+ The signature that needs to be validated.
:raise ValueError: if the signature is not authentic
"""
@@ -294,85 +288,77 @@ class FipsEcDsaSigScheme(DssSigScheme):
randfunc=self._randfunc)
def _valid_hash(self, msg_hash):
- """Verify that SHA-[23] (256|384|512) bits are used to
- match the security of P-256 (128 bits), P-384 (192 bits)
- or P-521 (256 bits)"""
+ """Verify that the strength of the hash matches or exceeds
+ the strength of the EC. We fail if the hash is too weak."""
modulus_bits = self._key.pointQ.size_in_bits()
- sha256 = ( "2.16.840.1.101.3.4.2.1", "2.16.840.1.101.3.4.2.8" )
- sha384 = ( "2.16.840.1.101.3.4.2.2", "2.16.840.1.101.3.4.2.9" )
- sha512 = ( "2.16.840.1.101.3.4.2.3", "2.16.840.1.101.3.4.2.10")
-
- if msg_hash.oid in sha256:
- return modulus_bits <= 256
- elif msg_hash.oid in sha384:
- return modulus_bits <= 384
- else:
- return msg_hash.oid in sha512
+ # SHS: SHA-2, SHA-3, truncated SHA-512
+ sha224 = ("2.16.840.1.101.3.4.2.4", "2.16.840.1.101.3.4.2.7", "2.16.840.1.101.3.4.2.5")
+ sha256 = ("2.16.840.1.101.3.4.2.1", "2.16.840.1.101.3.4.2.8", "2.16.840.1.101.3.4.2.6")
+ sha384 = ("2.16.840.1.101.3.4.2.2", "2.16.840.1.101.3.4.2.9")
+ sha512 = ("2.16.840.1.101.3.4.2.3", "2.16.840.1.101.3.4.2.10")
+ shs = sha224 + sha256 + sha384 + sha512
+
+ try:
+ result = msg_hash.oid in shs
+ except AttributeError:
+ result = False
+ return result
def new(key, mode, encoding='binary', randfunc=None):
- """Create a signature object :class:`DSS_SigScheme` that
+ """Create a signature object :class:`DssSigScheme` that
can perform (EC)DSA signature or verification.
.. note::
Refer to `NIST SP 800 Part 1 Rev 4`_ (or newer release) for an
overview of the recommended key lengths.
- :parameter key:
- The key to use for computing the signature (*private* keys only)
- or verifying one: it must be either
- :class:`Cryptodome.PublicKey.DSA` or :class:`Cryptodome.PublicKey.ECC`.
-
- For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p``
- and of ``q``: the pair ``(L,N)`` must appear in the following list,
- in compliance to section 4.2 of `FIPS 186-4`_:
-
- - (1024, 160) *legacy only; do not create new signatures with this*
- - (2048, 224) *deprecated; do not create new signatures with this*
- - (2048, 256)
- - (3072, 256)
+ Args:
+ key (:class:`Cryptodome.PublicKey.DSA` or :class:`Cryptodome.PublicKey.ECC`):
+ The key to use for computing the signature (*private* keys only)
+ or for verifying one.
+ For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p``
+ and of ``q``: the pair ``(L,N)`` must appear in the following list,
+ in compliance to section 4.2 of `FIPS 186-4`_:
- For ECC, only keys over P-256, P384, and P-521 are accepted.
- :type key:
- a key object
+ - (1024, 160) *legacy only; do not create new signatures with this*
+ - (2048, 224) *deprecated; do not create new signatures with this*
+ - (2048, 256)
+ - (3072, 256)
- :parameter mode:
- The parameter can take these values:
+ For ECC, only keys over P-224, P-256, P-384, and P-521 are accepted.
- - *'fips-186-3'*. The signature generation is randomized and carried out
- according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG.
- - *'deterministic-rfc6979'*. The signature generation is not
- randomized. See RFC6979_.
- :type mode:
- string
+ mode (string):
+ The parameter can take these values:
- :parameter encoding:
- How the signature is encoded. This value determines the output of
- :meth:`sign` and the input to :meth:`verify`.
+ - ``'fips-186-3'``. The signature generation is randomized and carried out
+ according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG.
+ - ``'deterministic-rfc6979'``. The signature generation is not
+ randomized. See RFC6979_.
- The following values are accepted:
+ encoding (string):
+ How the signature is encoded. This value determines the output of
+ :meth:`sign` and the input to :meth:`verify`.
- - *'binary'* (default), the signature is the raw concatenation
- of ``r`` and ``s``. It is defined in the IEEE P.1363 standard.
+ The following values are accepted:
- For DSA, the size in bytes of the signature is ``N/4`` bytes
- (e.g. 64 for ``N=256``).
+ - ``'binary'`` (default), the signature is the raw concatenation
+ of ``r`` and ``s``. It is defined in the IEEE P.1363 standard.
+ For DSA, the size in bytes of the signature is ``N/4`` bytes
+ (e.g. 64 for ``N=256``).
+ For ECDSA, the signature is always twice the length of a point
+ coordinate (e.g. 64 bytes for P-256).
- For ECDSA, the signature is always twice the length of a point
- coordinate (e.g. 64 bytes for P-256).
+ - ``'der'``, the signature is a ASN.1 DER SEQUENCE
+ with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_.
+ The size of the signature is variable.
- - *'der'*, the signature is a ASN.1 DER SEQUENCE
- with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_.
- The size of the signature is variable.
- :type encoding: string
-
- :parameter randfunc:
- A function that returns random *byte strings*, of a given length.
- If omitted, the internal RNG is used.
- Only applicable for the *'fips-186-3'* mode.
- :type randfunc: callable
+ randfunc (callable):
+ A function that returns random ``bytes``, of a given length.
+ If omitted, the internal RNG is used.
+ Only applicable for the *'fips-186-3'* mode.
.. _FIPS 186-3: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
.. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
@@ -393,9 +379,13 @@ def new(key, mode, encoding='binary', randfunc=None):
if isinstance(key, EccKey):
order = key._curve.order
private_key_attr = 'd'
- else:
+ if key._curve.name == "ed25519":
+ raise ValueError("ECC key is not on a NIST P curve")
+ elif isinstance(key, DsaKey):
order = Integer(key.q)
private_key_attr = 'x'
+ else:
+ raise ValueError("Unsupported key type " + str(type(key)))
if key.has_private():
private_key = getattr(key, private_key_attr)
Powered by cgit, Themed by Ted Yin.