# -*- coding: utf-8 -*- # # PublicKey/DSA.py : DSA signature primitive # # Written in 2008 by Dwayne C. Litzenberger # # =================================================================== # The contents of this file are dedicated to the public domain. To # the extent that dedication to the public domain is not available, # everyone is granted a worldwide, perpetual, royalty-free, # non-exclusive license to exercise all rights associated with the # contents of this file for any purpose whatsoever. # No rights are reserved. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS # BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN # ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. # =================================================================== """DSA public-key signature algorithm. DSA_ is a widespread public-key signature algorithm. Its security is based on the discrete logarithm problem (DLP_). Given a cyclic group, a generator *g*, and an element *h*, it is hard to find an integer *x* such that *g^x = h*. The problem is believed to be difficult, and it has been proved such (and therefore secure) for more than 30 years. The group is actually a sub-group over the integers modulo *p*, with *p* prime. The sub-group order is *q*, which is prime too; it always holds that *(p-1)* is a multiple of *q*. The cryptographic strength is linked to the magnitude of *p* and *q*. The signer holds a value *x* (*0>> from Crypto.Random import random >>> from Crypto.PublicKey import DSA >>> from Crypto.Hash import SHA >>> >>> message = "Hello" >>> key = DSA.generate(1024) >>> h = SHA.new(message).digest() >>> k = random.StrongRandom().randint(1,key.q-1) >>> sig = key.sign(h,k) >>> ... >>> if key.verify(h,sig): >>> print "OK" >>> else: >>> print "Incorrect signature" .. _DSA: http://en.wikipedia.org/wiki/Digital_Signature_Algorithm .. _DLP: http://www.cosic.esat.kuleuven.be/publications/talk-78.pdf .. _ECRYPT: http://www.ecrypt.eu.org/documents/D.SPA.17.pdf """ __revision__ = "$Id$" __all__ = ['generate', 'construct', 'error', 'DSAImplementation', '_DSAobj'] import sys if sys.version_info[0] == 2 and sys.version_info[1] == 1: from Crypto.Util.py21compat import * from Crypto.PublicKey import _DSA, _slowmath, pubkey from Crypto import Random try: from Crypto.PublicKey import _fastmath except ImportError: _fastmath = None class _DSAobj(pubkey.pubkey): """Class defining an actual DSA key. :undocumented: __getstate__, __setstate__, __repr__, __getattr__ """ #: Dictionary of DSA parameters. #: #: A public key will only have the following entries: #: #: - **y**, the public key. #: - **g**, the generator. #: - **p**, the modulus. #: - **q**, the order of the sub-group. #: #: A private key will also have: #: #: - **x**, the private key. keydata = ['y', 'g', 'p', 'q', 'x'] def __init__(self, implementation, key): self.implementation = implementation self.key = key def __getattr__(self, attrname): if attrname in self.keydata: # For backward compatibility, allow the user to get (not set) the # DSA key parameters directly from this object. return getattr(self.key, attrname) else: raise AttributeError("%s object has no %r attribute" % (self.__class__.__name__, attrname,)) def sign(self, M, K): """Sign a piece of data with DSA. :Parameter M: The piece of data to sign with DSA. It may not be longer in bit size than the sub-group order (*q*). :Type M: byte string or long :Parameter K: A secret number, chosen randomly in the closed range *[1,q-1]*. :Type K: long (recommended) or byte string (not recommended) :attention: selection of *K* is crucial for security. Generating a random number larger than *q* and taking the modulus by *q* is **not** secure, since smaller values will occur more frequently. Generating a random number systematically smaller than *q-1* (e.g. *floor((q-1)/8)* random bytes) is also **not** secure. In general, it shall not be possible for an attacker to know the value of `any bit of K`__. :attention: The number *K* shall not be reused for any other operation and shall be discarded immediately. :attention: M must be a digest cryptographic hash, otherwise an attacker may mount an existential forgery attack. :Return: A tuple with 2 longs. .. __: http://www.di.ens.fr/~pnguyen/pub_NgSh00.htm """ return pubkey.pubkey.sign(self, M, K) def verify(self, M, signature): """Verify the validity of a DSA signature. :Parameter M: The expected message. :Type M: byte string or long :Parameter signature: The DSA signature to verify. :Type signature: A tuple with 2 longs as return by `sign` :Return: True if the signature is correct, False otherwise. """ return pubkey.pubkey.verify(self, M, signature) def _encrypt(self, c, K): raise TypeError("DSA cannot encrypt") def _decrypt(self, c): raise TypeError("DSA cannot decrypt") def _blind(self, m, r): raise TypeError("DSA cannot blind") def _unblind(self, m, r): raise TypeError("DSA cannot unblind") def _sign(self, m, k): return self.key._sign(m, k) def _verify(self, m, sig): (r, s) = sig return self.key._verify(m, r, s) def has_private(self): return self.key.has_private() def size(self): return self.key.size() def can_blind(self): return False def can_encrypt(self): return False def can_sign(self): return True def publickey(self): return self.implementation.construct((self.key.y, self.key.g, self.key.p, self.key.q)) def __getstate__(self): d = {} for k in self.keydata: try: d[k] = getattr(self.key, k) except AttributeError: pass return d def __setstate__(self, d): if not hasattr(self, 'implementation'): self.implementation = DSAImplementation() t = [] for k in self.keydata: if k not in d: break t.append(d[k]) self.key = self.implementation._math.dsa_construct(*tuple(t)) def __repr__(self): attrs = [] for k in self.keydata: if k == 'p': attrs.append("p(%d)" % (self.size()+1,)) elif hasattr(self.key, k): attrs.append(k) if self.has_private(): attrs.append("private") # PY3K: This is meant to be text, do not change to bytes (data) return "<%s @0x%x %s>" % (self.__class__.__name__, id(self), ",".join(attrs)) class DSAImplementation(object): """ A DSA key factory. This class is only internally used to implement the methods of the `Crypto.PublicKey.DSA` module. """ def __init__(self, **kwargs): """Create a new DSA key factory. :Keywords: use_fast_math : bool Specify which mathematic library to use: - *None* (default). Use fastest math available. - *True* . Use fast math. - *False* . Use slow math. default_randfunc : callable Specify how to collect random data: - *None* (default). Use Random.new().read(). - not *None* . Use the specified function directly. :Raise RuntimeError: When **use_fast_math** =True but fast math is not available. """ use_fast_math = kwargs.get('use_fast_math', None) if use_fast_math is None: # Automatic if _fastmath is not None: self._math = _fastmath else: self._math = _slowmath elif use_fast_math: # Explicitly select fast math if _fastmath is not None: self._math = _fastmath else: raise RuntimeError("fast math module not available") else: # Explicitly select slow math self._math = _slowmath self.error = self._math.error # 'default_randfunc' parameter: # None (default) - use Random.new().read # not None - use the specified function self._default_randfunc = kwargs.get('default_randfunc', None) self._current_randfunc = None def _get_randfunc(self, randfunc): if randfunc is not None: return randfunc elif self._current_randfunc is None: self._current_randfunc = Random.new().read return self._current_randfunc def generate(self, bits, randfunc=None, progress_func=None): """Randomly generate a fresh, new DSA key. :Parameters: bits : int Key length, or size (in bits) of the DSA modulus *p*. It must be a multiple of 64, in the closed interval [512,1024]. randfunc : callable Random number generation function; it should accept a single integer N and return a string of random data N bytes long. If not specified, a new one will be instantiated from ``Crypto.Random``. progress_func : callable Optional function that will be called with a short string containing the key parameter currently being generated; it's useful for interactive applications where a user is waiting for a key to be generated. :attention: You should always use a cryptographically secure random number generator, such as the one defined in the ``Crypto.Random`` module; **don't** just use the current time and the ``random`` module. :Return: A DSA key object (`_DSAobj`). :Raise ValueError: When **bits** is too little, too big, or not a multiple of 64. """ # Check against FIPS 186-2, which says that the size of the prime p # must be a multiple of 64 bits between 512 and 1024 for i in (0, 1, 2, 3, 4, 5, 6, 7, 8): if bits == 512 + 64*i: return self._generate(bits, randfunc, progress_func) # The March 2006 draft of FIPS 186-3 also allows 2048 and 3072-bit # primes, but only with longer q values. Since the current DSA # implementation only supports a 160-bit q, we don't support larger # values. raise ValueError("Number of bits in p must be a multiple of 64 between 512 and 1024, not %d bits" % (bits,)) def _generate(self, bits, randfunc=None, progress_func=None): rf = self._get_randfunc(randfunc) obj = _DSA.generate_py(bits, rf, progress_func) # TODO: Don't use legacy _DSA module key = self._math.dsa_construct(obj.y, obj.g, obj.p, obj.q, obj.x) return _DSAobj(self, key) def construct(self, tup): """Construct a DSA key from a tuple of valid DSA components. The modulus *p* must be a prime. The following equations must apply: - p-1 = 0 mod q - g^x = y mod p - 0 < x < q - 1 < g < p :Parameters: tup : tuple A tuple of long integers, with 4 or 5 items in the following order: 1. Public key (*y*). 2. Sub-group generator (*g*). 3. Modulus, finite field order (*p*). 4. Sub-group order (*q*). 5. Private key (*x*). Optional. :Return: A DSA key object (`_DSAobj`). """ key = self._math.dsa_construct(*tup) return _DSAobj(self, key) _impl = DSAImplementation() generate = _impl.generate construct = _impl.construct error = _impl.error # vim:set ts=4 sw=4 sts=4 expandtab: