1 /* dsa-2.1.1.js (c) 2016-2017 Kenji Urushimma | kjur.github.com/jsrsasign/license 2 */ 3 /* 4 * dsa.js - new DSA class 5 * 6 * Copyright (c) 2016-2017 Kenji Urushima (kenji.urushima@gmail.com) 7 * 8 * This software is licensed under the terms of the MIT License. 9 * https://kjur.github.io/jsrsasign/license 10 * 11 * The above copyright and license notice shall be 12 * included in all copies or substantial portions of the Software. 13 */ 14 15 /** 16 * @fileOverview 17 * @name dsa-2.0.js 18 * @author Kenji Urushima kenji.urushima@gmail.com 19 * @version jsrsasign 7.2.0 dsa 2.1.1 (2017-May-11) 20 * @since jsrsasign 7.0.0 21 * @license <a href="https://kjur.github.io/jsrsasign/license/">MIT License</a> 22 */ 23 24 if (typeof KJUR == "undefined" || !KJUR) KJUR = {}; 25 if (typeof KJUR.crypto == "undefined" || !KJUR.crypto) KJUR.crypto = {}; 26 27 /** 28 * class for DSA signing and verification 29 * @name KJUR.crypto.DSA 30 * @class class for DSA signing and verifcation 31 * @since jsrsasign 7.0.0 dsa 2.0.0 32 * @description 33 * <p> 34 * CAUTION: Most of the case, you don't need to use this class. 35 * Please use {@link KJUR.crypto.Signature} class instead. 36 * </p> 37 * <p> 38 * NOTE: Until jsrsasign 6.2.3, DSA class have used codes from openpgpjs library 1.0.0 39 * licenced under LGPL licence. To avoid license issue dsa-2.0.js was re-written with 40 * my own codes in jsrsasign 7.0.0. 41 * Some random number generators used in dsa-2.0.js was newly defined 42 * in KJUR.crypto.Util class. Now all of LGPL codes are removed. 43 * </p> 44 */ 45 KJUR.crypto.DSA = function() { 46 this.p = null; 47 this.q = null; 48 this.g = null; 49 this.y = null; 50 this.x = null; 51 this.type = "DSA"; 52 this.isPrivate = false; 53 this.isPublic = false; 54 55 //=========================== 56 // PUBLIC METHODS 57 //=========================== 58 59 /** 60 * set DSA private key by key parameters of BigInteger object 61 * @name setPrivate 62 * @memberOf KJUR.crypto.DSA# 63 * @function 64 * @param {BigInteger} p prime P parameter 65 * @param {BigInteger} q sub prime Q parameter 66 * @param {BigInteger} g base G parameter 67 * @param {BigInteger} y public key Y or null 68 * @param {BigInteger} x private key X 69 * @since jsrsasign 7.0.0 dsa 2.0.0 70 */ 71 this.setPrivate = function(p, q, g, y, x) { 72 this.isPrivate = true; 73 this.p = p; 74 this.q = q; 75 this.g = g; 76 this.y = y; 77 this.x = x; 78 }; 79 80 /** 81 * set DSA private key by key parameters of hexadecimal string 82 * @name setPrivateHex 83 * @memberOf KJUR.crypto.DSA# 84 * @function 85 * @param {String} hP prime P parameter 86 * @param {String} hQ sub prime Q parameter 87 * @param {String} hG base G parameter 88 * @param {String} hY public key Y or null 89 * @param {String} hX private key X 90 * @since jsrsasign 7.1.0 dsa 2.1.0 91 */ 92 this.setPrivateHex = function(hP, hQ, hG, hY, hX) { 93 var biP, biQ, biG, biY, biX; 94 biP = new BigInteger(hP, 16); 95 biQ = new BigInteger(hQ, 16); 96 biG = new BigInteger(hG, 16); 97 if (typeof hY === "string" && hY.length > 1) { 98 biY = new BigInteger(hY, 16); 99 } else { 100 biY = null; 101 } 102 biX = new BigInteger(hX, 16); 103 this.setPrivate(biP, biQ, biG, biY, biX); 104 }; 105 106 /** 107 * set DSA public key by key parameters of BigInteger object 108 * @name setPublic 109 * @memberOf KJUR.crypto.DSA# 110 * @function 111 * @param {BigInteger} p prime P parameter 112 * @param {BigInteger} q sub prime Q parameter 113 * @param {BigInteger} g base G parameter 114 * @param {BigInteger} y public key Y 115 * @since jsrsasign 7.0.0 dsa 2.0.0 116 */ 117 this.setPublic = function(p, q, g, y) { 118 this.isPublic = true; 119 this.p = p; 120 this.q = q; 121 this.g = g; 122 this.y = y; 123 this.x = null; 124 }; 125 126 /** 127 * set DSA public key by key parameters of hexadecimal string 128 * @name setPublicHex 129 * @memberOf KJUR.crypto.DSA# 130 * @function 131 * @param {String} hP prime P parameter 132 * @param {String} hQ sub prime Q parameter 133 * @param {String} hG base G parameter 134 * @param {String} hY public key Y 135 * @since jsrsasign 7.1.0 dsa 2.1.0 136 */ 137 this.setPublicHex = function(hP, hQ, hG, hY) { 138 var biP, biQ, biG, biY; 139 biP = new BigInteger(hP, 16); 140 biQ = new BigInteger(hQ, 16); 141 biG = new BigInteger(hG, 16); 142 biY = new BigInteger(hY, 16); 143 this.setPublic(biP, biQ, biG, biY); 144 }; 145 146 /** 147 * sign to hashed message by this DSA private key object 148 * @name signWithMessageHash 149 * @memberOf KJUR.crypto.DSA# 150 * @function 151 * @param {String} sHashHex hexadecimal string of hashed message 152 * @return {String} hexadecimal string of ASN.1 encoded DSA signature value 153 * @since jsrsasign 7.0.0 dsa 2.0.0 154 */ 155 this.signWithMessageHash = function(sHashHex) { 156 var p = this.p; // parameter p 157 var q = this.q; // parameter q 158 var g = this.g; // parameter g 159 var y = this.y; // public key (p q g y) 160 var x = this.x; // private key 161 162 // NIST FIPS 186-4 4.5 DSA Per-Message Secret Number (p18) 163 // 1. get random k where 0 < k < q 164 var k = KJUR.crypto.Util.getRandomBigIntegerMinToMax(BigInteger.ONE.add(BigInteger.ONE), 165 q.subtract(BigInteger.ONE)); 166 167 // NIST FIPS 186-4 4.6 DSA Signature Generation (p19) 168 // 2. get z where the left most min(N, outlen) bits of Hash(M) 169 var hZ = sHashHex.substr(0, q.bitLength() / 4); 170 var z = new BigInteger(hZ, 16); 171 172 // 3. get r where (g^k mod p) mod q, r != 0 173 var r = (g.modPow(k,p)).mod(q); 174 175 // 4. get s where k^-1 (z + xr) mod q, s != 0 176 var s = (k.modInverse(q).multiply(z.add(x.multiply(r)))).mod(q); 177 178 // 5. signature (r, s) 179 var result = KJUR.asn1.ASN1Util.jsonToASN1HEX({ 180 "seq": [{"int": {"bigint": r}}, {"int": {"bigint": s}}] 181 }); 182 return result; 183 }; 184 185 /** 186 * verify signature by this DSA public key object 187 * @name verifyWithMessageHash 188 * @memberOf KJUR.crypto.DSA# 189 * @function 190 * @param {String} sHashHex hexadecimal string of hashed message 191 * @param {String} hSigVal hexadecimal string of ASN.1 encoded DSA signature value 192 * @return {Boolean} true if the signature is valid otherwise false. 193 * @since jsrsasign 7.0.0 dsa 2.0.0 194 */ 195 this.verifyWithMessageHash = function(sHashHex, hSigVal) { 196 var p = this.p; // parameter p 197 var q = this.q; // parameter q 198 var g = this.g; // parameter g 199 var y = this.y; // public key (p q g y) 200 201 // 1. parse ASN.1 signature (r, s) 202 var rs = this.parseASN1Signature(hSigVal); 203 var r = rs[0]; 204 var s = rs[1]; 205 206 // NIST FIPS 186-4 4.6 DSA Signature Generation (p19) 207 // 2. get z where the left most min(N, outlen) bits of Hash(M) 208 var hZ = sHashHex.substr(0, q.bitLength() / 4); 209 var z = new BigInteger(hZ, 16); 210 211 // NIST FIPS 186-4 4.7 DSA Signature Validation (p19) 212 // 3.1. 0 < r < q 213 if (BigInteger.ZERO.compareTo(r) > 0 || r.compareTo(q) > 0) 214 throw "invalid DSA signature"; 215 216 // 3.2. 0 < s < q 217 if (BigInteger.ZERO.compareTo(s) >= 0 || s.compareTo(q) > 0) 218 throw "invalid DSA signature"; 219 220 // 4. get w where w = s^-1 mod q 221 var w = s.modInverse(q); 222 223 // 5. get u1 where u1 = z w mod q 224 var u1 = z.multiply(w).mod(q); 225 226 // 6. get u2 where u2 = r w mod q 227 var u2 = r.multiply(w).mod(q); 228 229 // 7. get v where v = ((g^u1 y^u2) mod p) mod q 230 var v = g.modPow(u1,p).multiply(y.modPow(u2,p)).mod(p).mod(q); 231 232 // 8. signature is valid when v == r 233 return v.compareTo(r) == 0; 234 }; 235 236 /** 237 * parse hexadecimal ASN.1 DSA signature value 238 * @name parseASN1Signature 239 * @memberOf KJUR.crypto.DSA# 240 * @function 241 * @param {String} hSigVal hexadecimal string of ASN.1 encoded DSA signature value 242 * @return {Array} array [r, s] of DSA signature value. Both r and s are BigInteger. 243 * @since jsrsasign 7.0.0 dsa 2.0.0 244 */ 245 this.parseASN1Signature = function(hSigVal) { 246 try { 247 var r = new BigInteger(ASN1HEX.getVbyList(hSigVal, 0, [0], "02"), 16); 248 var s = new BigInteger(ASN1HEX.getVbyList(hSigVal, 0, [1], "02"), 16); 249 return [r, s]; 250 } catch (ex) { 251 throw "malformed ASN.1 DSA signature"; 252 } 253 } 254 255 /** 256 * read an ASN.1 hexadecimal string of PKCS#1/5 plain DSA private key<br/> 257 * @name readPKCS5PrvKeyHex 258 * @memberOf KJUR.crypto.DSA# 259 * @function 260 * @param {String} h hexadecimal string of PKCS#1/5 DSA private key 261 * @since jsrsasign 7.1.0 dsa 2.1.0 262 */ 263 this.readPKCS5PrvKeyHex = function(h) { 264 var hP, hQ, hG, hY, hX; 265 var _ASN1HEX = ASN1HEX; 266 var _getVbyList = _ASN1HEX.getVbyList; 267 268 if (_ASN1HEX.isASN1HEX(h) === false) 269 throw "not ASN.1 hex string"; 270 271 try { 272 hP = _getVbyList(h, 0, [1], "02"); 273 hQ = _getVbyList(h, 0, [2], "02"); 274 hG = _getVbyList(h, 0, [3], "02"); 275 hY = _getVbyList(h, 0, [4], "02"); 276 hX = _getVbyList(h, 0, [5], "02"); 277 } catch(ex) { 278 console.log("EXCEPTION:" + ex); 279 throw "malformed PKCS#1/5 plain DSA private key"; 280 } 281 282 this.setPrivateHex(hP, hQ, hG, hY, hX); 283 }; 284 285 /** 286 * read an ASN.1 hexadecimal string of PKCS#8 plain DSA private key<br/> 287 * @name readPKCS8PrvKeyHex 288 * @memberOf KJUR.crypto.DSA# 289 * @function 290 * @param {String} h hexadecimal string of PKCS#8 DSA private key 291 * @since jsrsasign 7.1.0 dsa 2.1.0 292 */ 293 this.readPKCS8PrvKeyHex = function(h) { 294 var hP, hQ, hG, hX; 295 var _ASN1HEX = ASN1HEX; 296 var _getVbyList = _ASN1HEX.getVbyList; 297 298 if (_ASN1HEX.isASN1HEX(h) === false) 299 throw "not ASN.1 hex string"; 300 301 try { 302 hP = _getVbyList(h, 0, [1, 1, 0], "02"); 303 hQ = _getVbyList(h, 0, [1, 1, 1], "02"); 304 hG = _getVbyList(h, 0, [1, 1, 2], "02"); 305 hX = _getVbyList(h, 0, [2, 0], "02"); 306 } catch(ex) { 307 console.log("EXCEPTION:" + ex); 308 throw "malformed PKCS#8 plain DSA private key"; 309 } 310 311 this.setPrivateHex(hP, hQ, hG, null, hX); 312 }; 313 314 /** 315 * read an ASN.1 hexadecimal string of PKCS#8 plain DSA private key<br/> 316 * @name readPKCS8PubKeyHex 317 * @memberOf KJUR.crypto.DSA# 318 * @function 319 * @param {String} h hexadecimal string of PKCS#8 DSA private key 320 * @since jsrsasign 7.1.0 dsa 2.1.0 321 */ 322 this.readPKCS8PubKeyHex = function(h) { 323 var hP, hQ, hG, hY; 324 var _ASN1HEX = ASN1HEX; 325 var _getVbyList = _ASN1HEX.getVbyList; 326 327 if (_ASN1HEX.isASN1HEX(h) === false) 328 throw "not ASN.1 hex string"; 329 330 try { 331 hP = _getVbyList(h, 0, [0, 1, 0], "02"); 332 hQ = _getVbyList(h, 0, [0, 1, 1], "02"); 333 hG = _getVbyList(h, 0, [0, 1, 2], "02"); 334 hY = _getVbyList(h, 0, [1, 0], "02"); 335 } catch(ex) { 336 console.log("EXCEPTION:" + ex); 337 throw "malformed PKCS#8 DSA public key"; 338 } 339 340 this.setPublicHex(hP, hQ, hG, hY); 341 }; 342 343 /** 344 * read an ASN.1 hexadecimal string of X.509 DSA public key certificate<br/> 345 * @name readCertPubKeyHex 346 * @memberOf KJUR.crypto.DSA# 347 * @function 348 * @param {String} h hexadecimal string of X.509 DSA public key certificate 349 * @param {Integer} nthPKI nth index of publicKeyInfo. (DEFAULT: 6 for X509v3) 350 * @since jsrsasign 7.1.0 dsa 2.1.0 351 */ 352 this.readCertPubKeyHex = function(h, nthPKI) { 353 if (nthPKI !== 5) nthPKI = 6; 354 var hP, hQ, hG, hY; 355 var _ASN1HEX = ASN1HEX; 356 var _getVbyList = _ASN1HEX.getVbyList; 357 358 if (_ASN1HEX.isASN1HEX(h) === false) 359 throw "not ASN.1 hex string"; 360 361 try { 362 hP = _getVbyList(h, 0, [0, nthPKI, 0, 1, 0], "02"); 363 hQ = _getVbyList(h, 0, [0, nthPKI, 0, 1, 1], "02"); 364 hG = _getVbyList(h, 0, [0, nthPKI, 0, 1, 2], "02"); 365 hY = _getVbyList(h, 0, [0, nthPKI, 1, 0], "02"); 366 } catch(ex) { 367 console.log("EXCEPTION:" + ex); 368 throw "malformed X.509 certificate DSA public key"; 369 } 370 371 this.setPublicHex(hP, hQ, hG, hY); 372 }; 373 } 374