380 lines
14 KiB
Python
380 lines
14 KiB
Python
|
# -*- coding: utf-8 -*-
|
||
|
#
|
||
|
# PublicKey/DSA.py : DSA signature primitive
|
||
|
#
|
||
|
# Written in 2008 by Dwayne C. Litzenberger <dlitz@dlitz.net>
|
||
|
#
|
||
|
# ===================================================================
|
||
|
# The contents of this file are dedicated to the public domain. To
|
||
|
# the extent that dedication to the public domain is not available,
|
||
|
# everyone is granted a worldwide, perpetual, royalty-free,
|
||
|
# non-exclusive license to exercise all rights associated with the
|
||
|
# contents of this file for any purpose whatsoever.
|
||
|
# No rights are reserved.
|
||
|
#
|
||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||
|
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||
|
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
|
||
|
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
||
|
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||
|
# SOFTWARE.
|
||
|
# ===================================================================
|
||
|
|
||
|
"""DSA public-key signature algorithm.
|
||
|
|
||
|
DSA_ is a widespread public-key signature algorithm. Its security is
|
||
|
based on the discrete logarithm problem (DLP_). Given a cyclic
|
||
|
group, a generator *g*, and an element *h*, it is hard
|
||
|
to find an integer *x* such that *g^x = h*. The problem is believed
|
||
|
to be difficult, and it has been proved such (and therefore secure) for
|
||
|
more than 30 years.
|
||
|
|
||
|
The group is actually a sub-group over the integers modulo *p*, with *p* prime.
|
||
|
The sub-group order is *q*, which is prime too; it always holds that *(p-1)* is a multiple of *q*.
|
||
|
The cryptographic strength is linked to the magnitude of *p* and *q*.
|
||
|
The signer holds a value *x* (*0<x<q-1*) as private key, and its public
|
||
|
key (*y* where *y=g^x mod p*) is distributed.
|
||
|
|
||
|
In 2012, a sufficient size is deemed to be 2048 bits for *p* and 256 bits for *q*.
|
||
|
For more information, see the most recent ECRYPT_ report.
|
||
|
|
||
|
DSA is reasonably secure for new designs.
|
||
|
|
||
|
The algorithm can only be used for authentication (digital signature).
|
||
|
DSA cannot be used for confidentiality (encryption).
|
||
|
|
||
|
The values *(p,q,g)* are called *domain parameters*;
|
||
|
they are not sensitive but must be shared by both parties (the signer and the verifier).
|
||
|
Different signers can share the same domain parameters with no security
|
||
|
concerns.
|
||
|
|
||
|
The DSA signature is twice as big as the size of *q* (64 bytes if *q* is 256 bit
|
||
|
long).
|
||
|
|
||
|
This module provides facilities for generating new DSA keys and for constructing
|
||
|
them from known components. DSA keys allows you to perform basic signing and
|
||
|
verification.
|
||
|
|
||
|
>>> from Crypto.Random import random
|
||
|
>>> from Crypto.PublicKey import DSA
|
||
|
>>> from Crypto.Hash import SHA
|
||
|
>>>
|
||
|
>>> message = "Hello"
|
||
|
>>> key = DSA.generate(1024)
|
||
|
>>> h = SHA.new(message).digest()
|
||
|
>>> k = random.StrongRandom().randint(1,key.q-1)
|
||
|
>>> sig = key.sign(h,k)
|
||
|
>>> ...
|
||
|
>>> if key.verify(h,sig):
|
||
|
>>> print "OK"
|
||
|
>>> else:
|
||
|
>>> print "Incorrect signature"
|
||
|
|
||
|
.. _DSA: http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
|
||
|
.. _DLP: http://www.cosic.esat.kuleuven.be/publications/talk-78.pdf
|
||
|
.. _ECRYPT: http://www.ecrypt.eu.org/documents/D.SPA.17.pdf
|
||
|
"""
|
||
|
|
||
|
__revision__ = "$Id$"
|
||
|
|
||
|
__all__ = ['generate', 'construct', 'error', 'DSAImplementation', '_DSAobj']
|
||
|
|
||
|
import sys
|
||
|
if sys.version_info[0] == 2 and sys.version_info[1] == 1:
|
||
|
from Crypto.Util.py21compat import *
|
||
|
|
||
|
from Crypto.PublicKey import _DSA, _slowmath, pubkey
|
||
|
from Crypto import Random
|
||
|
|
||
|
try:
|
||
|
from Crypto.PublicKey import _fastmath
|
||
|
except ImportError:
|
||
|
_fastmath = None
|
||
|
|
||
|
class _DSAobj(pubkey.pubkey):
|
||
|
"""Class defining an actual DSA key.
|
||
|
|
||
|
:undocumented: __getstate__, __setstate__, __repr__, __getattr__
|
||
|
"""
|
||
|
#: Dictionary of DSA parameters.
|
||
|
#:
|
||
|
#: A public key will only have the following entries:
|
||
|
#:
|
||
|
#: - **y**, the public key.
|
||
|
#: - **g**, the generator.
|
||
|
#: - **p**, the modulus.
|
||
|
#: - **q**, the order of the sub-group.
|
||
|
#:
|
||
|
#: A private key will also have:
|
||
|
#:
|
||
|
#: - **x**, the private key.
|
||
|
keydata = ['y', 'g', 'p', 'q', 'x']
|
||
|
|
||
|
def __init__(self, implementation, key):
|
||
|
self.implementation = implementation
|
||
|
self.key = key
|
||
|
|
||
|
def __getattr__(self, attrname):
|
||
|
if attrname in self.keydata:
|
||
|
# For backward compatibility, allow the user to get (not set) the
|
||
|
# DSA key parameters directly from this object.
|
||
|
return getattr(self.key, attrname)
|
||
|
else:
|
||
|
raise AttributeError("%s object has no %r attribute" % (self.__class__.__name__, attrname,))
|
||
|
|
||
|
def sign(self, M, K):
|
||
|
"""Sign a piece of data with DSA.
|
||
|
|
||
|
:Parameter M: The piece of data to sign with DSA. It may
|
||
|
not be longer in bit size than the sub-group order (*q*).
|
||
|
:Type M: byte string or long
|
||
|
|
||
|
:Parameter K: A secret number, chosen randomly in the closed
|
||
|
range *[1,q-1]*.
|
||
|
:Type K: long (recommended) or byte string (not recommended)
|
||
|
|
||
|
:attention: selection of *K* is crucial for security. Generating a
|
||
|
random number larger than *q* and taking the modulus by *q* is
|
||
|
**not** secure, since smaller values will occur more frequently.
|
||
|
Generating a random number systematically smaller than *q-1*
|
||
|
(e.g. *floor((q-1)/8)* random bytes) is also **not** secure. In general,
|
||
|
it shall not be possible for an attacker to know the value of `any
|
||
|
bit of K`__.
|
||
|
|
||
|
:attention: The number *K* shall not be reused for any other
|
||
|
operation and shall be discarded immediately.
|
||
|
|
||
|
:attention: M must be a digest cryptographic hash, otherwise
|
||
|
an attacker may mount an existential forgery attack.
|
||
|
|
||
|
:Return: A tuple with 2 longs.
|
||
|
|
||
|
.. __: http://www.di.ens.fr/~pnguyen/pub_NgSh00.htm
|
||
|
"""
|
||
|
return pubkey.pubkey.sign(self, M, K)
|
||
|
|
||
|
def verify(self, M, signature):
|
||
|
"""Verify the validity of a DSA signature.
|
||
|
|
||
|
:Parameter M: The expected message.
|
||
|
:Type M: byte string or long
|
||
|
|
||
|
:Parameter signature: The DSA signature to verify.
|
||
|
:Type signature: A tuple with 2 longs as return by `sign`
|
||
|
|
||
|
:Return: True if the signature is correct, False otherwise.
|
||
|
"""
|
||
|
return pubkey.pubkey.verify(self, M, signature)
|
||
|
|
||
|
def _encrypt(self, c, K):
|
||
|
raise TypeError("DSA cannot encrypt")
|
||
|
|
||
|
def _decrypt(self, c):
|
||
|
raise TypeError("DSA cannot decrypt")
|
||
|
|
||
|
def _blind(self, m, r):
|
||
|
raise TypeError("DSA cannot blind")
|
||
|
|
||
|
def _unblind(self, m, r):
|
||
|
raise TypeError("DSA cannot unblind")
|
||
|
|
||
|
def _sign(self, m, k):
|
||
|
return self.key._sign(m, k)
|
||
|
|
||
|
def _verify(self, m, sig):
|
||
|
(r, s) = sig
|
||
|
return self.key._verify(m, r, s)
|
||
|
|
||
|
def has_private(self):
|
||
|
return self.key.has_private()
|
||
|
|
||
|
def size(self):
|
||
|
return self.key.size()
|
||
|
|
||
|
def can_blind(self):
|
||
|
return False
|
||
|
|
||
|
def can_encrypt(self):
|
||
|
return False
|
||
|
|
||
|
def can_sign(self):
|
||
|
return True
|
||
|
|
||
|
def publickey(self):
|
||
|
return self.implementation.construct((self.key.y, self.key.g, self.key.p, self.key.q))
|
||
|
|
||
|
def __getstate__(self):
|
||
|
d = {}
|
||
|
for k in self.keydata:
|
||
|
try:
|
||
|
d[k] = getattr(self.key, k)
|
||
|
except AttributeError:
|
||
|
pass
|
||
|
return d
|
||
|
|
||
|
def __setstate__(self, d):
|
||
|
if not hasattr(self, 'implementation'):
|
||
|
self.implementation = DSAImplementation()
|
||
|
t = []
|
||
|
for k in self.keydata:
|
||
|
if k not in d:
|
||
|
break
|
||
|
t.append(d[k])
|
||
|
self.key = self.implementation._math.dsa_construct(*tuple(t))
|
||
|
|
||
|
def __repr__(self):
|
||
|
attrs = []
|
||
|
for k in self.keydata:
|
||
|
if k == 'p':
|
||
|
attrs.append("p(%d)" % (self.size()+1,))
|
||
|
elif hasattr(self.key, k):
|
||
|
attrs.append(k)
|
||
|
if self.has_private():
|
||
|
attrs.append("private")
|
||
|
# PY3K: This is meant to be text, do not change to bytes (data)
|
||
|
return "<%s @0x%x %s>" % (self.__class__.__name__, id(self), ",".join(attrs))
|
||
|
|
||
|
class DSAImplementation(object):
|
||
|
"""
|
||
|
A DSA key factory.
|
||
|
|
||
|
This class is only internally used to implement the methods of the
|
||
|
`Crypto.PublicKey.DSA` module.
|
||
|
"""
|
||
|
|
||
|
def __init__(self, **kwargs):
|
||
|
"""Create a new DSA key factory.
|
||
|
|
||
|
:Keywords:
|
||
|
use_fast_math : bool
|
||
|
Specify which mathematic library to use:
|
||
|
|
||
|
- *None* (default). Use fastest math available.
|
||
|
- *True* . Use fast math.
|
||
|
- *False* . Use slow math.
|
||
|
default_randfunc : callable
|
||
|
Specify how to collect random data:
|
||
|
|
||
|
- *None* (default). Use Random.new().read().
|
||
|
- not *None* . Use the specified function directly.
|
||
|
:Raise RuntimeError:
|
||
|
When **use_fast_math** =True but fast math is not available.
|
||
|
"""
|
||
|
use_fast_math = kwargs.get('use_fast_math', None)
|
||
|
if use_fast_math is None: # Automatic
|
||
|
if _fastmath is not None:
|
||
|
self._math = _fastmath
|
||
|
else:
|
||
|
self._math = _slowmath
|
||
|
|
||
|
elif use_fast_math: # Explicitly select fast math
|
||
|
if _fastmath is not None:
|
||
|
self._math = _fastmath
|
||
|
else:
|
||
|
raise RuntimeError("fast math module not available")
|
||
|
|
||
|
else: # Explicitly select slow math
|
||
|
self._math = _slowmath
|
||
|
|
||
|
self.error = self._math.error
|
||
|
|
||
|
# 'default_randfunc' parameter:
|
||
|
# None (default) - use Random.new().read
|
||
|
# not None - use the specified function
|
||
|
self._default_randfunc = kwargs.get('default_randfunc', None)
|
||
|
self._current_randfunc = None
|
||
|
|
||
|
def _get_randfunc(self, randfunc):
|
||
|
if randfunc is not None:
|
||
|
return randfunc
|
||
|
elif self._current_randfunc is None:
|
||
|
self._current_randfunc = Random.new().read
|
||
|
return self._current_randfunc
|
||
|
|
||
|
def generate(self, bits, randfunc=None, progress_func=None):
|
||
|
"""Randomly generate a fresh, new DSA key.
|
||
|
|
||
|
:Parameters:
|
||
|
bits : int
|
||
|
Key length, or size (in bits) of the DSA modulus
|
||
|
*p*.
|
||
|
It must be a multiple of 64, in the closed
|
||
|
interval [512,1024].
|
||
|
randfunc : callable
|
||
|
Random number generation function; it should accept
|
||
|
a single integer N and return a string of random data
|
||
|
N bytes long.
|
||
|
If not specified, a new one will be instantiated
|
||
|
from ``Crypto.Random``.
|
||
|
progress_func : callable
|
||
|
Optional function that will be called with a short string
|
||
|
containing the key parameter currently being generated;
|
||
|
it's useful for interactive applications where a user is
|
||
|
waiting for a key to be generated.
|
||
|
|
||
|
:attention: You should always use a cryptographically secure random number generator,
|
||
|
such as the one defined in the ``Crypto.Random`` module; **don't** just use the
|
||
|
current time and the ``random`` module.
|
||
|
|
||
|
:Return: A DSA key object (`_DSAobj`).
|
||
|
|
||
|
:Raise ValueError:
|
||
|
When **bits** is too little, too big, or not a multiple of 64.
|
||
|
"""
|
||
|
|
||
|
# Check against FIPS 186-2, which says that the size of the prime p
|
||
|
# must be a multiple of 64 bits between 512 and 1024
|
||
|
for i in (0, 1, 2, 3, 4, 5, 6, 7, 8):
|
||
|
if bits == 512 + 64*i:
|
||
|
return self._generate(bits, randfunc, progress_func)
|
||
|
|
||
|
# The March 2006 draft of FIPS 186-3 also allows 2048 and 3072-bit
|
||
|
# primes, but only with longer q values. Since the current DSA
|
||
|
# implementation only supports a 160-bit q, we don't support larger
|
||
|
# values.
|
||
|
raise ValueError("Number of bits in p must be a multiple of 64 between 512 and 1024, not %d bits" % (bits,))
|
||
|
|
||
|
def _generate(self, bits, randfunc=None, progress_func=None):
|
||
|
rf = self._get_randfunc(randfunc)
|
||
|
obj = _DSA.generate_py(bits, rf, progress_func) # TODO: Don't use legacy _DSA module
|
||
|
key = self._math.dsa_construct(obj.y, obj.g, obj.p, obj.q, obj.x)
|
||
|
return _DSAobj(self, key)
|
||
|
|
||
|
def construct(self, tup):
|
||
|
"""Construct a DSA key from a tuple of valid DSA components.
|
||
|
|
||
|
The modulus *p* must be a prime.
|
||
|
|
||
|
The following equations must apply:
|
||
|
|
||
|
- p-1 = 0 mod q
|
||
|
- g^x = y mod p
|
||
|
- 0 < x < q
|
||
|
- 1 < g < p
|
||
|
|
||
|
:Parameters:
|
||
|
tup : tuple
|
||
|
A tuple of long integers, with 4 or 5 items
|
||
|
in the following order:
|
||
|
|
||
|
1. Public key (*y*).
|
||
|
2. Sub-group generator (*g*).
|
||
|
3. Modulus, finite field order (*p*).
|
||
|
4. Sub-group order (*q*).
|
||
|
5. Private key (*x*). Optional.
|
||
|
|
||
|
:Return: A DSA key object (`_DSAobj`).
|
||
|
"""
|
||
|
key = self._math.dsa_construct(*tup)
|
||
|
return _DSAobj(self, key)
|
||
|
|
||
|
_impl = DSAImplementation()
|
||
|
generate = _impl.generate
|
||
|
construct = _impl.construct
|
||
|
error = _impl.error
|
||
|
|
||
|
# vim:set ts=4 sw=4 sts=4 expandtab:
|
||
|
|