1 /* dsa-2.1.1.js (c) 2016-2017 Kenji Urushimma | kjur.github.com/jsrsasign/license
  2  */
  3 /*
  4  * dsa.js - new DSA class
  5  *
  6  * Copyright (c) 2016-2017 Kenji Urushima (kenji.urushima@gmail.com)
  7  *
  8  * This software is licensed under the terms of the MIT License.
  9  * https://kjur.github.io/jsrsasign/license
 10  *
 11  * The above copyright and license notice shall be 
 12  * included in all copies or substantial portions of the Software.
 13  */
 14 
 15 /**
 16  * @fileOverview
 17  * @name dsa-2.0.js
 18  * @author Kenji Urushima kenji.urushima@gmail.com
 19  * @version jsrsasign 7.2.0 dsa 2.1.1 (2017-May-11)
 20  * @since jsrsasign 7.0.0
 21  * @license <a href="https://kjur.github.io/jsrsasign/license/">MIT License</a>
 22  */
 23 
 24 if (typeof KJUR == "undefined" || !KJUR) KJUR = {};
 25 if (typeof KJUR.crypto == "undefined" || !KJUR.crypto) KJUR.crypto = {};
 26 
 27 /**
 28  * class for DSA signing and verification
 29  * @name KJUR.crypto.DSA
 30  * @class class for DSA signing and verifcation
 31  * @since jsrsasign 7.0.0 dsa 2.0.0
 32  * @description
 33  * <p>
 34  * CAUTION: Most of the case, you don't need to use this class.
 35  * Please use {@link KJUR.crypto.Signature} class instead.
 36  * </p>
 37  * <p>
 38  * NOTE: Until jsrsasign 6.2.3, DSA class have used codes from openpgpjs library 1.0.0
 39  * licenced under LGPL licence. To avoid license issue dsa-2.0.js was re-written with
 40  * my own codes in jsrsasign 7.0.0. 
 41  * Some random number generators used in dsa-2.0.js was newly defined
 42  * in KJUR.crypto.Util class. Now all of LGPL codes are removed.
 43  * </p>
 44  */
 45 KJUR.crypto.DSA = function() {
 46     this.p = null;
 47     this.q = null;
 48     this.g = null;
 49     this.y = null;
 50     this.x = null;
 51     this.type = "DSA";
 52     this.isPrivate = false;
 53     this.isPublic = false;
 54 
 55     //===========================
 56     // PUBLIC METHODS
 57     //===========================
 58 
 59     /**
 60      * set DSA private key by key parameters of BigInteger object
 61      * @name setPrivate
 62      * @memberOf KJUR.crypto.DSA#
 63      * @function
 64      * @param {BigInteger} p prime P parameter
 65      * @param {BigInteger} q sub prime Q parameter
 66      * @param {BigInteger} g base G parameter
 67      * @param {BigInteger} y public key Y or null
 68      * @param {BigInteger} x private key X
 69      * @since jsrsasign 7.0.0 dsa 2.0.0
 70      */
 71     this.setPrivate = function(p, q, g, y, x) {
 72 	this.isPrivate = true;
 73 	this.p = p;
 74 	this.q = q;
 75 	this.g = g;
 76 	this.y = y;
 77 	this.x = x;
 78     };
 79 
 80     /**
 81      * set DSA private key by key parameters of hexadecimal string
 82      * @name setPrivateHex
 83      * @memberOf KJUR.crypto.DSA#
 84      * @function
 85      * @param {String} hP prime P parameter
 86      * @param {String} hQ sub prime Q parameter
 87      * @param {String} hG base G parameter
 88      * @param {String} hY public key Y or null
 89      * @param {String} hX private key X
 90      * @since jsrsasign 7.1.0 dsa 2.1.0
 91      */
 92     this.setPrivateHex = function(hP, hQ, hG, hY, hX) {
 93 	var biP, biQ, biG, biY, biX;
 94         biP = new BigInteger(hP, 16);
 95         biQ = new BigInteger(hQ, 16);
 96         biG = new BigInteger(hG, 16);
 97 	if (typeof hY === "string" && hY.length > 1) {
 98             biY = new BigInteger(hY, 16);
 99 	} else {
100 	    biY = null;
101 	}
102         biX = new BigInteger(hX, 16);
103         this.setPrivate(biP, biQ, biG, biY, biX);
104     };
105 
106     /**
107      * set DSA public key by key parameters of BigInteger object
108      * @name setPublic
109      * @memberOf KJUR.crypto.DSA#
110      * @function
111      * @param {BigInteger} p prime P parameter
112      * @param {BigInteger} q sub prime Q parameter
113      * @param {BigInteger} g base G parameter
114      * @param {BigInteger} y public key Y
115      * @since jsrsasign 7.0.0 dsa 2.0.0
116      */
117     this.setPublic = function(p, q, g, y) {
118 	this.isPublic = true;
119 	this.p = p;
120 	this.q = q;
121 	this.g = g;
122 	this.y = y;
123 	this.x = null;
124     };
125 
126     /**
127      * set DSA public key by key parameters of hexadecimal string
128      * @name setPublicHex
129      * @memberOf KJUR.crypto.DSA#
130      * @function
131      * @param {String} hP prime P parameter
132      * @param {String} hQ sub prime Q parameter
133      * @param {String} hG base G parameter
134      * @param {String} hY public key Y
135      * @since jsrsasign 7.1.0 dsa 2.1.0
136      */
137     this.setPublicHex = function(hP, hQ, hG, hY) {
138 	var biP, biQ, biG, biY;
139         biP = new BigInteger(hP, 16);
140         biQ = new BigInteger(hQ, 16);
141         biG = new BigInteger(hG, 16);
142         biY = new BigInteger(hY, 16);
143         this.setPublic(biP, biQ, biG, biY);
144     };
145 
146     /**
147      * sign to hashed message by this DSA private key object
148      * @name signWithMessageHash
149      * @memberOf KJUR.crypto.DSA#
150      * @function
151      * @param {String} sHashHex hexadecimal string of hashed message
152      * @return {String} hexadecimal string of ASN.1 encoded DSA signature value
153      * @since jsrsasign 7.0.0 dsa 2.0.0
154      */
155     this.signWithMessageHash = function(sHashHex) {
156 	var p = this.p; // parameter p
157 	var q = this.q; // parameter q
158 	var g = this.g; // parameter g
159 	var y = this.y; // public key (p q g y)
160 	var x = this.x; // private key
161 
162 	// NIST FIPS 186-4 4.5 DSA Per-Message Secret Number (p18)
163 	// 1. get random k where 0 < k < q
164 	var k = KJUR.crypto.Util.getRandomBigIntegerMinToMax(BigInteger.ONE.add(BigInteger.ONE),
165 							     q.subtract(BigInteger.ONE));
166 
167 	// NIST FIPS 186-4 4.6 DSA Signature Generation (p19)
168 	// 2. get z where the left most min(N, outlen) bits of Hash(M)
169 	var hZ = sHashHex.substr(0, q.bitLength() / 4);
170 	var z = new BigInteger(hZ, 16);
171 
172 	// 3. get r where (g^k mod p) mod q, r != 0
173 	var r = (g.modPow(k,p)).mod(q); 
174 
175 	// 4. get s where k^-1 (z + xr) mod q, s != 0
176 	var s = (k.modInverse(q).multiply(z.add(x.multiply(r)))).mod(q);
177 
178 	// 5. signature (r, s)
179 	var result = KJUR.asn1.ASN1Util.jsonToASN1HEX({
180 	    "seq": [{"int": {"bigint": r}}, {"int": {"bigint": s}}] 
181 	});
182 	return result;
183     };
184 
185     /**
186      * verify signature by this DSA public key object
187      * @name verifyWithMessageHash
188      * @memberOf KJUR.crypto.DSA#
189      * @function
190      * @param {String} sHashHex hexadecimal string of hashed message
191      * @param {String} hSigVal hexadecimal string of ASN.1 encoded DSA signature value
192      * @return {Boolean} true if the signature is valid otherwise false.
193      * @since jsrsasign 7.0.0 dsa 2.0.0
194      */
195     this.verifyWithMessageHash = function(sHashHex, hSigVal) {
196 	var p = this.p; // parameter p
197 	var q = this.q; // parameter q
198 	var g = this.g; // parameter g
199 	var y = this.y; // public key (p q g y)
200 
201 	// 1. parse ASN.1 signature (r, s)
202 	var rs = this.parseASN1Signature(hSigVal);
203         var r = rs[0];
204         var s = rs[1];
205 
206 	// NIST FIPS 186-4 4.6 DSA Signature Generation (p19)
207 	// 2. get z where the left most min(N, outlen) bits of Hash(M)
208 	var hZ = sHashHex.substr(0, q.bitLength() / 4);
209 	var z = new BigInteger(hZ, 16);
210 
211 	// NIST FIPS 186-4 4.7 DSA Signature Validation (p19)
212 	// 3.1. 0 < r < q
213 	if (BigInteger.ZERO.compareTo(r) > 0 || r.compareTo(q) > 0)
214 	    throw "invalid DSA signature";
215 
216 	// 3.2. 0 < s < q
217 	if (BigInteger.ZERO.compareTo(s) >= 0 || s.compareTo(q) > 0)
218 	    throw "invalid DSA signature";
219 
220 	// 4. get w where w = s^-1 mod q
221 	var w = s.modInverse(q);
222 
223 	// 5. get u1 where u1 = z w mod q
224 	var u1 = z.multiply(w).mod(q);
225 
226 	// 6. get u2 where u2 = r w mod q
227 	var u2 = r.multiply(w).mod(q);
228 
229 	// 7. get v where v = ((g^u1 y^u2) mod p) mod q
230 	var v = g.modPow(u1,p).multiply(y.modPow(u2,p)).mod(p).mod(q);
231 
232 	// 8. signature is valid when v == r
233 	return v.compareTo(r) == 0;
234     };
235 
236     /**
237      * parse hexadecimal ASN.1 DSA signature value
238      * @name parseASN1Signature
239      * @memberOf KJUR.crypto.DSA#
240      * @function
241      * @param {String} hSigVal hexadecimal string of ASN.1 encoded DSA signature value
242      * @return {Array} array [r, s] of DSA signature value. Both r and s are BigInteger.
243      * @since jsrsasign 7.0.0 dsa 2.0.0
244      */
245     this.parseASN1Signature = function(hSigVal) {
246 	try {
247 	    var r = new BigInteger(ASN1HEX.getVbyList(hSigVal, 0, [0], "02"), 16);
248 	    var s = new BigInteger(ASN1HEX.getVbyList(hSigVal, 0, [1], "02"), 16);
249 	    return [r, s];
250 	} catch (ex) {
251 	    throw "malformed ASN.1 DSA signature";
252 	}
253     }
254 
255     /**
256      * read an ASN.1 hexadecimal string of PKCS#1/5 plain DSA private key<br/>
257      * @name readPKCS5PrvKeyHex
258      * @memberOf KJUR.crypto.DSA#
259      * @function
260      * @param {String} h hexadecimal string of PKCS#1/5 DSA private key
261      * @since jsrsasign 7.1.0 dsa 2.1.0
262      */
263     this.readPKCS5PrvKeyHex = function(h) {
264 	var hP, hQ, hG, hY, hX;
265 	var _ASN1HEX = ASN1HEX;
266 	var _getVbyList = _ASN1HEX.getVbyList;
267 
268 	if (_ASN1HEX.isASN1HEX(h) === false)
269 	    throw "not ASN.1 hex string";
270 
271 	try {
272 	    hP = _getVbyList(h, 0, [1], "02");
273 	    hQ = _getVbyList(h, 0, [2], "02");
274 	    hG = _getVbyList(h, 0, [3], "02");
275 	    hY = _getVbyList(h, 0, [4], "02");
276 	    hX = _getVbyList(h, 0, [5], "02");
277 	} catch(ex) {
278 	    console.log("EXCEPTION:" + ex);
279 	    throw "malformed PKCS#1/5 plain DSA private key";
280 	}
281 
282 	this.setPrivateHex(hP, hQ, hG, hY, hX);
283     };
284 
285     /**
286      * read an ASN.1 hexadecimal string of PKCS#8 plain DSA private key<br/>
287      * @name readPKCS8PrvKeyHex
288      * @memberOf KJUR.crypto.DSA#
289      * @function
290      * @param {String} h hexadecimal string of PKCS#8 DSA private key
291      * @since jsrsasign 7.1.0 dsa 2.1.0
292      */
293     this.readPKCS8PrvKeyHex = function(h) {
294 	var hP, hQ, hG, hX;
295 	var _ASN1HEX = ASN1HEX;
296 	var _getVbyList = _ASN1HEX.getVbyList;
297 
298 	if (_ASN1HEX.isASN1HEX(h) === false)
299 	    throw "not ASN.1 hex string";
300 
301 	try {
302 	    hP = _getVbyList(h, 0, [1, 1, 0], "02");
303 	    hQ = _getVbyList(h, 0, [1, 1, 1], "02");
304 	    hG = _getVbyList(h, 0, [1, 1, 2], "02");
305 	    hX = _getVbyList(h, 0, [2, 0], "02");
306 	} catch(ex) {
307 	    console.log("EXCEPTION:" + ex);
308 	    throw "malformed PKCS#8 plain DSA private key";
309 	}
310 
311 	this.setPrivateHex(hP, hQ, hG, null, hX);
312     };
313 
314     /**
315      * read an ASN.1 hexadecimal string of PKCS#8 plain DSA private key<br/>
316      * @name readPKCS8PubKeyHex
317      * @memberOf KJUR.crypto.DSA#
318      * @function
319      * @param {String} h hexadecimal string of PKCS#8 DSA private key
320      * @since jsrsasign 7.1.0 dsa 2.1.0
321      */
322     this.readPKCS8PubKeyHex = function(h) {
323 	var hP, hQ, hG, hY;
324 	var _ASN1HEX = ASN1HEX;
325 	var _getVbyList = _ASN1HEX.getVbyList;
326 
327 	if (_ASN1HEX.isASN1HEX(h) === false)
328 	    throw "not ASN.1 hex string";
329 
330 	try {
331 	    hP = _getVbyList(h, 0, [0, 1, 0], "02");
332 	    hQ = _getVbyList(h, 0, [0, 1, 1], "02");
333 	    hG = _getVbyList(h, 0, [0, 1, 2], "02");
334 	    hY = _getVbyList(h, 0, [1, 0], "02");
335 	} catch(ex) {
336 	    console.log("EXCEPTION:" + ex);
337 	    throw "malformed PKCS#8 DSA public key";
338 	}
339 
340 	this.setPublicHex(hP, hQ, hG, hY);
341     };
342 
343     /**
344      * read an ASN.1 hexadecimal string of X.509 DSA public key certificate<br/>
345      * @name readCertPubKeyHex
346      * @memberOf KJUR.crypto.DSA#
347      * @function
348      * @param {String} h hexadecimal string of X.509 DSA public key certificate
349      * @param {Integer} nthPKI nth index of publicKeyInfo. (DEFAULT: 6 for X509v3)
350      * @since jsrsasign 7.1.0 dsa 2.1.0
351      */
352     this.readCertPubKeyHex = function(h, nthPKI) {
353 	if (nthPKI !== 5) nthPKI = 6;
354 	var hP, hQ, hG, hY;
355 	var _ASN1HEX = ASN1HEX;
356 	var _getVbyList = _ASN1HEX.getVbyList;
357 
358 	if (_ASN1HEX.isASN1HEX(h) === false)
359 	    throw "not ASN.1 hex string";
360 
361 	try {
362 	    hP = _getVbyList(h, 0, [0, nthPKI, 0, 1, 0], "02");
363 	    hQ = _getVbyList(h, 0, [0, nthPKI, 0, 1, 1], "02");
364 	    hG = _getVbyList(h, 0, [0, nthPKI, 0, 1, 2], "02");
365 	    hY = _getVbyList(h, 0, [0, nthPKI, 1, 0], "02");
366 	} catch(ex) {
367 	    console.log("EXCEPTION:" + ex);
368 	    throw "malformed X.509 certificate DSA public key";
369 	}
370 
371 	this.setPublicHex(hP, hQ, hG, hY);
372     };
373 }
374