| | | 1 | | using System; |
| | | 2 | | using System.Security.Cryptography; |
| | | 3 | | |
| | | 4 | | using Renci.SshNet.Abstractions; |
| | | 5 | | using Renci.SshNet.Common; |
| | | 6 | | |
| | | 7 | | namespace Renci.SshNet.Security.Cryptography |
| | | 8 | | { |
| | | 9 | | /// <summary> |
| | | 10 | | /// Implements DSA digital signature algorithm. |
| | | 11 | | /// </summary> |
| | | 12 | | public class DsaDigitalSignature : DigitalSignature, IDisposable |
| | | 13 | | { |
| | | 14 | | private readonly DsaKey _key; |
| | | 15 | | private HashAlgorithm _hash; |
| | | 16 | | private bool _isDisposed; |
| | | 17 | | |
| | | 18 | | /// <summary> |
| | | 19 | | /// Initializes a new instance of the <see cref="DsaDigitalSignature" /> class. |
| | | 20 | | /// </summary> |
| | | 21 | | /// <param name="key">The DSA key.</param> |
| | | 22 | | /// <exception cref="ArgumentNullException"><paramref name="key"/> is <see langword="null"/>.</exception> |
| | 16 | 23 | | public DsaDigitalSignature(DsaKey key) |
| | 16 | 24 | | { |
| | 16 | 25 | | if (key is null) |
| | 0 | 26 | | { |
| | 0 | 27 | | throw new ArgumentNullException(nameof(key)); |
| | | 28 | | } |
| | | 29 | | |
| | 16 | 30 | | _key = key; |
| | | 31 | | |
| | 16 | 32 | | _hash = CryptoAbstraction.CreateSHA1(); |
| | 16 | 33 | | } |
| | | 34 | | |
| | | 35 | | /// <summary> |
| | | 36 | | /// Verifies the signature. |
| | | 37 | | /// </summary> |
| | | 38 | | /// <param name="input">The input.</param> |
| | | 39 | | /// <param name="signature">The signature.</param> |
| | | 40 | | /// <returns> |
| | | 41 | | /// <see langword="true"/> if signature was successfully verified; otherwise <see langword="false"/>. |
| | | 42 | | /// </returns> |
| | | 43 | | /// <exception cref="InvalidOperationException">Invalid signature.</exception> |
| | | 44 | | public override bool Verify(byte[] input, byte[] signature) |
| | 3 | 45 | | { |
| | 3 | 46 | | var hashInput = _hash.ComputeHash(input); |
| | | 47 | | |
| | 3 | 48 | | var hm = new BigInteger(hashInput.Reverse().Concat(new byte[] { 0 })); |
| | | 49 | | |
| | 3 | 50 | | if (signature.Length != 40) |
| | 0 | 51 | | { |
| | 0 | 52 | | throw new InvalidOperationException("Invalid signature."); |
| | | 53 | | } |
| | | 54 | | |
| | | 55 | | // Extract r and s numbers from the signature |
| | 3 | 56 | | var rBytes = new byte[21]; |
| | 3 | 57 | | var sBytes = new byte[21]; |
| | | 58 | | |
| | 189 | 59 | | for (int i = 0, j = 20; i < 20; i++, j--) |
| | 60 | 60 | | { |
| | 60 | 61 | | rBytes[i] = signature[j - 1]; |
| | 60 | 62 | | sBytes[i] = signature[j + 20 - 1]; |
| | 60 | 63 | | } |
| | | 64 | | |
| | 3 | 65 | | var r = new BigInteger(rBytes); |
| | 3 | 66 | | var s = new BigInteger(sBytes); |
| | | 67 | | |
| | | 68 | | // Reject the signature if 0 < r < q or 0 < s < q is not satisfied. |
| | 3 | 69 | | if (r <= 0 || r >= _key.Q) |
| | 0 | 70 | | { |
| | 0 | 71 | | return false; |
| | | 72 | | } |
| | | 73 | | |
| | 3 | 74 | | if (s <= 0 || s >= _key.Q) |
| | 0 | 75 | | { |
| | 0 | 76 | | return false; |
| | | 77 | | } |
| | | 78 | | |
| | | 79 | | // Calculate w = sā1 mod q |
| | 3 | 80 | | var w = BigInteger.ModInverse(s, _key.Q); |
| | | 81 | | |
| | | 82 | | // Calculate u1 = H(m)·w mod q |
| | 3 | 83 | | var u1 = (hm * w) % _key.Q; |
| | | 84 | | |
| | | 85 | | // Calculate u2 = r * w mod q |
| | 3 | 86 | | var u2 = (r * w) % _key.Q; |
| | | 87 | | |
| | 3 | 88 | | u1 = BigInteger.ModPow(_key.G, u1, _key.P); |
| | 3 | 89 | | u2 = BigInteger.ModPow(_key.Y, u2, _key.P); |
| | | 90 | | |
| | | 91 | | // Calculate v = ((g pow u1 * y pow u2) mod p) mod q |
| | 3 | 92 | | var v = ((u1 * u2) % _key.P) % _key.Q; |
| | | 93 | | |
| | | 94 | | // The signature is valid if v = r |
| | 3 | 95 | | return v == r; |
| | 3 | 96 | | } |
| | | 97 | | |
| | | 98 | | /// <summary> |
| | | 99 | | /// Creates the signature. |
| | | 100 | | /// </summary> |
| | | 101 | | /// <param name="input">The input.</param> |
| | | 102 | | /// <returns> |
| | | 103 | | /// Signed input data. |
| | | 104 | | /// </returns> |
| | | 105 | | /// <exception cref="SshException">Invalid DSA key.</exception> |
| | | 106 | | public override byte[] Sign(byte[] input) |
| | 1 | 107 | | { |
| | 1 | 108 | | var hashInput = _hash.ComputeHash(input); |
| | | 109 | | |
| | 1 | 110 | | var m = new BigInteger(hashInput.Reverse().Concat(new byte[] { 0 })); |
| | | 111 | | |
| | | 112 | | BigInteger s; |
| | | 113 | | BigInteger r; |
| | | 114 | | |
| | | 115 | | do |
| | 1 | 116 | | { |
| | 1 | 117 | | var k = BigInteger.Zero; |
| | | 118 | | |
| | | 119 | | do |
| | 1 | 120 | | { |
| | | 121 | | // Generate a random per-message value k where 0 < k < q |
| | 1 | 122 | | var bitLength = _key.Q.BitLength; |
| | | 123 | | |
| | 1 | 124 | | if (_key.Q < BigInteger.Zero) |
| | 0 | 125 | | { |
| | 0 | 126 | | throw new SshException("Invalid DSA key."); |
| | | 127 | | } |
| | | 128 | | |
| | 2 | 129 | | while (k <= 0 || k >= _key.Q) |
| | 1 | 130 | | { |
| | 1 | 131 | | k = BigInteger.Random(bitLength); |
| | 1 | 132 | | } |
| | | 133 | | |
| | | 134 | | // Calculate r = ((g pow k) mod p) mod q |
| | 1 | 135 | | r = BigInteger.ModPow(_key.G, k, _key.P) % _key.Q; |
| | | 136 | | |
| | | 137 | | // In the unlikely case that r = 0, start again with a different random k |
| | 1 | 138 | | } |
| | 1 | 139 | | while (r.IsZero); |
| | | 140 | | |
| | | 141 | | // Calculate s = ((k pow ā1)(H(m) + x*r)) mod q |
| | 1 | 142 | | k = BigInteger.ModInverse(k, _key.Q) * (m + (_key.X * r)); |
| | | 143 | | |
| | 1 | 144 | | s = k % _key.Q; |
| | | 145 | | |
| | | 146 | | // In the unlikely case that s = 0, start again with a different random k |
| | 1 | 147 | | } |
| | 1 | 148 | | while (s.IsZero); |
| | | 149 | | |
| | | 150 | | // The signature is (r, s) |
| | 1 | 151 | | var signature = new byte[40]; |
| | | 152 | | |
| | | 153 | | // issue #1918: pad part with zero's on the left if length is less than 20 |
| | 1 | 154 | | var rBytes = r.ToByteArray().Reverse().TrimLeadingZeros(); |
| | 1 | 155 | | Array.Copy(rBytes, 0, signature, 20 - rBytes.Length, rBytes.Length); |
| | | 156 | | |
| | | 157 | | // issue #1918: pad part with zero's on the left if length is less than 20 |
| | 1 | 158 | | var sBytes = s.ToByteArray().Reverse().TrimLeadingZeros(); |
| | 1 | 159 | | Array.Copy(sBytes, 0, signature, 40 - sBytes.Length, sBytes.Length); |
| | | 160 | | |
| | 1 | 161 | | return signature; |
| | 1 | 162 | | } |
| | | 163 | | |
| | | 164 | | /// <summary> |
| | | 165 | | /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources. |
| | | 166 | | /// </summary> |
| | | 167 | | public void Dispose() |
| | 0 | 168 | | { |
| | 0 | 169 | | Dispose(disposing: true); |
| | 0 | 170 | | GC.SuppressFinalize(this); |
| | 0 | 171 | | } |
| | | 172 | | |
| | | 173 | | /// <summary> |
| | | 174 | | /// Releases unmanaged and - optionally - managed resources. |
| | | 175 | | /// </summary> |
| | | 176 | | /// <param name="disposing"><see langword="true"/> to release both managed and unmanaged resources; <see langwor |
| | | 177 | | protected virtual void Dispose(bool disposing) |
| | 16 | 178 | | { |
| | 16 | 179 | | if (_isDisposed) |
| | 0 | 180 | | { |
| | 0 | 181 | | return; |
| | | 182 | | } |
| | | 183 | | |
| | 16 | 184 | | if (disposing) |
| | 0 | 185 | | { |
| | 0 | 186 | | var hash = _hash; |
| | 0 | 187 | | if (hash != null) |
| | 0 | 188 | | { |
| | 0 | 189 | | hash.Dispose(); |
| | 0 | 190 | | _hash = null; |
| | 0 | 191 | | } |
| | | 192 | | |
| | 0 | 193 | | _isDisposed = true; |
| | 0 | 194 | | } |
| | 16 | 195 | | } |
| | | 196 | | |
| | | 197 | | /// <summary> |
| | | 198 | | /// Finalizes an instance of the <see cref="DsaDigitalSignature"/> class. |
| | | 199 | | /// </summary> |
| | | 200 | | ~DsaDigitalSignature() |
| | 32 | 201 | | { |
| | 16 | 202 | | Dispose(disposing: false); |
| | 32 | 203 | | } |
| | | 204 | | } |
| | | 205 | | } |