U g;@sddlmZddlmZddlmZddlmZddlm Z ddl m Z ddgZ Gd dde ZGd d d eZGd d d eZGdddeZdddZdS)) DerSequence) long_to_bytes)Integer)HMAC)EccKey)DsaKey DssSigSchemenewc@s@eZdZdZddZddZddZdd Zd d Zd d Z dS)rzoA (EC)DSA signature object. Do not instantiate directly. Use :func:`Cryptodome.Signature.DSS.new`. cCs6||_||_||_|j|_|jddd|_dS)zCreate a new Digital Signature Standard (DSS) object. Do not instantiate this object directly, use `Cryptodome.Signature.DSS.new` instead. N)_key _encoding_order size_in_bits _order_bits _order_bytes)selfkeyencodingorderrksz%DssSigScheme.sign..)r r TypeErrorr" ValueErrorr!r from_bytesdigestr_signr joinrencode)rr noncezZsig_pairoutputrrrsignMs     zDssSigScheme.signc CsJ||std|jdkrbt|d|jkr6tddd|d|j||jdfD\}}nlztj|dd }Wn ttfk rtd YnXt|dks|std t |d t |d }}d |kr|j krnnd |kr|j ksntdt | d|j}|j |||f}|sFtddS)aCheck if a certain (EC)DSA signature is authentic. Args: msg_hash (hash object): The hash that was carried out over the message. This is an object belonging to the :mod:`Cryptodome.Hash` module. Under mode ``'fips-186-3'``, the hash must be a FIPS approved secure hash (SHA-2 or SHA-3). signature (``bytes``): The signature that needs to be validated. :raise ValueError: if the signature is not authentic r#r$z'The signature is not authentic (length)cSsg|]}t|qSr)rr,r&rrrr)sz'DssSigScheme.verify..NT)strictz$The signature is not authentic (DER)z,The signature is not authentic (DER content)rr z"The signature is not authentic (d)zThe signature is not authenticF)r"r+r lenrrdecode IndexErrorZ hasOnlyIntsrrr,r-r Z_verify)rr signatureZr_primeZs_primeZder_seqr2resultrrrverifyzs0     8zDssSigScheme.verifyN) __name__ __module__ __qualname____doc__rrr!r"r4r<rrrrr-s-csDeZdZfddZddZddZddZd d Zd d ZZ S) DeterministicDsaSigSchemecstt||||||_dSN)superrAr _private_key)rrrr private_key __class__rrrsz"DeterministicDsaSigScheme.__init__cCs8t|}|j}t|d}||kr4|||L}|S)zSee 2.3.2 in RFC6979r )rr,rrr7)rbstrr;Zq_lenZb_lenrrr _bits2ints     z#DeterministicDsaSigScheme._bits2intcCs(d|kr|jksntt||jS)zSee 2.3.3 in RFC6979r)rAssertionErrorrr)rZ int_mod_qrrr _int2octetssz%DeterministicDsaSigScheme._int2octetscCs.||}||jkr|}n ||j}||S)zSee 2.3.4 in RFC6979)rIrrK)rrHZz1Zz2rrr _bits2octetss    z&DeterministicDsaSigScheme._bits2octetscCs|}d|j}d|j}dD]B}t|||||j|||}t|||}q d}d|kr~|jksn|dkrt||d|}t|||}d}t||j krt|||}||7}q| |}qh|S)z!Generate k in a deterministic way)rNrMrr%) r- digest_sizerr rKrDrLrr7rrI)rZmhashh1Zmask_vZnonce_kZint_octr1Zmask_trrrr!s4      z(DeterministicDsaSigScheme._compute_noncecCsdS)NTrrrrrr"sz%DeterministicDsaSigScheme._valid_hash) r=r>r?rrIrKrLr!r" __classcell__rrrFrrAs    (rAcs0eZdZdZfddZddZddZZS)FipsDsaSigScheme))i))rU)i rWcsRtt||||||_t|j}||jf|jkrNd||jf}t |dS)Nz+L/N (%d, %d) is not compliant to FIPS 186-3) rCrSr _randfuncrprr_fips_186_3_L_Nr+)rrrrrandfuncLerrorrFrrrszFipsDsaSigScheme.__init__cCstjd|j|jdSNr )Z min_inclusiveZ max_exclusiver[)r random_rangerrXrrrrr! szFipsDsaSigScheme._compute_noncecCs|jdkp|jdS)z*Verify that SHA-1, SHA-2 or SHA-3 are usedz 1.3.14.3.2.26z2.16.840.1.101.3.4.2.)oid startswithrrrrr"s  zFipsDsaSigScheme._valid_hash)r=r>r?rZrr!r"rRrrrFrrSs rScs,eZdZfddZddZddZZS)FipsEcDsaSigSchemecstt||||||_dSrB)rCrbrrX)rrrrr[rFrrrszFipsEcDsaSigScheme.__init__cCstjd|jjj|jdSr^)rr_r _curverrXrrrrr!sz!FipsEcDsaSigScheme._compute_noncec CsX|jj}d}d}d}d}||||}z|j|k}Wntk rRd}YnX|S)zxVerify that the strength of the hash matches or exceeds the strength of the EC. We fail if the hash is too weak.)z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.7z2.16.840.1.101.3.4.2.5)z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.8z2.16.840.1.101.3.4.2.6)z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.9)z2.16.840.1.101.3.4.2.3z2.16.840.1.101.3.4.2.10F)r ZpointQrr`AttributeError) rr Z modulus_bitssha224sha256sha384sha512Zshsr;rrrr""s  zFipsEcDsaSigScheme._valid_hash)r=r>r?rr!r"rRrrrFrrbs rbr$NcCs|dkrtd|t|tr@|jj}d}|jdsntdn.t|trZt|j }d}ntdt t || rt ||}nd}|d krt||||S|d krt|trt||||St||||Sn td |dS) a Create a signature object :class:`DssSigScheme` that can perform (EC)DSA signature or verification. .. note:: Refer to `NIST SP 800 Part 1 Rev 4`_ (or newer release) for an overview of the recommended key lengths. Args: key (:class:`Cryptodome.PublicKey.DSA` or :class:`Cryptodome.PublicKey.ECC`): The key to use for computing the signature (*private* keys only) or for verifying one. For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p`` and of ``q``: the pair ``(L,N)`` must appear in the following list, in compliance to section 4.2 of `FIPS 186-4`_: - (1024, 160) *legacy only; do not create new signatures with this* - (2048, 224) *deprecated; do not create new signatures with this* - (2048, 256) - (3072, 256) For ECC, only keys over P-224, P-256, P-384, and P-521 are accepted. mode (string): The parameter can take these values: - ``'fips-186-3'``. The signature generation is randomized and carried out according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG. - ``'deterministic-rfc6979'``. The signature generation is not randomized. See RFC6979_. encoding (string): How the signature is encoded. This value determines the output of :meth:`sign` and the input to :meth:`verify`. The following values are accepted: - ``'binary'`` (default), the signature is the raw concatenation of ``r`` and ``s``. It is defined in the IEEE P.1363 standard. For DSA, the size in bytes of the signature is ``N/4`` bytes (e.g. 64 for ``N=256``). For ECDSA, the signature is always twice the length of a point coordinate (e.g. 64 bytes for P-256). - ``'der'``, the signature is a ASN.1 DER SEQUENCE with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_. The size of the signature is variable. randfunc (callable): A function that returns random ``bytes``, of a given length. If omitted, the internal RNG is used. Only applicable for the *'fips-186-3'* mode. .. _FIPS 186-3: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf .. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf .. _NIST SP 800 Part 1 Rev 4: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf .. _RFC6979: http://tools.ietf.org/html/rfc6979 .. _RFC3279: https://tools.ietf.org/html/rfc3279#section-2.2.2 )r$ZderzUnknown encoding '%s'dZNISTz ECC key is not on a NIST P curver(zUnsupported key type Nzdeterministic-rfc6979z fips-186-3zUnknown DSS mode '%s')r+ isinstancerrcrZcurverarrqstrtypergetattrrArbrS)rmoderr[rZprivate_key_attrrErrrr 6s*B        )r$N)ZCryptodome.Util.asn1rZCryptodome.Util.numberrZCryptodome.Math.NumbersrZCryptodome.HashrZCryptodome.PublicKey.ECCrZCryptodome.PublicKey.DSAr__all__objectrrArSrbr rrrr"s      zN"