path: root/src/main/java/org/gnunet/util/crypto/EcdsaSignature.java
/*
 This file is part of GNUnet.
  Copyright (C) 2012, 2013 Christian Grothoff (and other contributing authors)

  GNUnet is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published
  by the Free Software Foundation; either version 3, or (at your
  option) any later version.

  GNUnet is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with GNUnet; see the file COPYING.  If not, write to the
  Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
  Boston, MA 02110-1301, USA.
 */

package org.gnunet.util.crypto;


import org.gnunet.construct.FixedSizeIntegerArray;
import org.gnunet.construct.Message;
import org.gnunet.util.HashCode;
import org.gnunet.util.Strings;

import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOError;
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;

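/**
 * ECDSA signature, consisting of the two 32-byte values {@code r} and {@code s}.
 *
 * <p>Both values are public, mutable arrays because the message (de)serialization
 * annotations operate on the fields directly. Code that verifies a signature must
 * therefore not assume the arrays still have their declared length; see
 * {@link #verifyRaw(byte[], EcdsaPublicKey)}.
 */
public class EcdsaSignature implements Message {
    /**
     * R value of the signature in compressed form.
     * The number is stored as little endian.
     */
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
    public byte[] r;

    /**
     * S-value of the signature.
     * The number is stored as little endian.
     */
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
    public byte[] s;

    /**
     * Create a signature whose {@code r} and {@code s} are 32 zero bytes each.
     * Such a signature never verifies, because zero scalars are rejected.
     */
    public EcdsaSignature() {
        this.r = new byte[32];
        this.s = new byte[32];
    }

    /**
     * Verify that this signature has been created by the given public key over the
     * given message bytes. The message is hashed with {@link HashCode#hash} before
     * the check; no length or purpose header is added here (see
     * {@link #verify(byte[], int, EcdsaPublicKey)} for that).
     *
     * <p>A malformed signature (missing or wrongly sized {@code r}/{@code s}, or a
     * scalar outside the range {@code 1 .. l-1}) yields {@code false}. An unusable
     * public key does <em>not</em> yield {@code false}: it raises
     * {@link AssertionError}.
     *
     * <p>NOTE(review): {@code AssertionError} is an {@code Error}, so a generic
     * {@code catch (Exception e)} does not intercept it. Callers that pass public
     * keys received from other peers should validate the key before calling, or
     * handle the error explicitly, so that a bad key cannot abort the handling thread.
     *
     * @param m message that was signed
     * @param publicKey public key to check for
     * @return whether the signature is valid
     * @throws AssertionError if the public key is the identity, is not on the curve,
     *         or is not mapped to the identity when multiplied by {@code Ed25519.l}
     */
    public boolean verifyRaw(byte[] m, EcdsaPublicKey publicKey) {
        // Public key validation: reject the identity element outright.
        if (publicKey.asPoint().isIdentity()) {
            throw new AssertionError("public key is the identity point");
        }

        // The point must satisfy the curve equation.
        if (!publicKey.asPoint().isOnCurve()) {
            throw new AssertionError("public key is not on the curve");
        }

        // Multiplying by l must give the identity; Ed25519.l is used throughout this
        // method as the order of the group the signature lives in, so this rejects
        // points with a component outside that group.
        if (!publicKey.asPoint().scalarmult(Ed25519.l).isIdentity()) {
            throw new AssertionError("invalid public key");
        }

        // r and s are public mutable fields; a signature whose components are absent
        // or not exactly 32 bytes is malformed and cannot be valid.
        if (r == null || s == null || r.length != 32 || s.length != 32) {
            return false;
        }

        // z is the full message hash interpreted as a non-negative integer; it is
        // reduced modulo l when u1 is computed below.
        HashCode h = HashCode.hash(m);
        BigInteger z = new BigInteger(1, h.data);
        BigInteger sCoeff = Ed25519.decodeScalar(s);

        // Range check 0 < s < l. It also guarantees that modInverse below is
        // never asked to invert zero.
        if (sCoeff.equals(BigInteger.ZERO) || sCoeff.compareTo(Ed25519.l) >= 0) {
            return false;
        }

        // Range check 0 < r < l.
        BigInteger rCoeff = Ed25519.decodeScalar(r);
        if (rCoeff.equals(BigInteger.ZERO) || rCoeff.compareTo(Ed25519.l) >= 0) {
            return false;
        }

        BigInteger w = sCoeff.modInverse(Ed25519.l);
        BigInteger u1 = z.multiply(w).mod(Ed25519.l);
        BigInteger u2 = rCoeff.multiply(w).mod(Ed25519.l);
        // P = u1*B + u2*Q
        Ed25519 P = Ed25519.B.scalarmult(u1).add(publicKey.asPoint().scalarmult(u2));
        // Valid iff the P0 field of P, reduced modulo l, equals r.
        return P.P0.mod(Ed25519.l).equals(rCoeff);
    }

    /**
     * Verify that this signature has been created by the given public key over the
     * given data for the given purpose.
     *
     * <p>The bytes that are actually checked are an 8-byte header followed by the
     * data: {@code data.length} and {@code purpose}, each written as a 4-byte
     * big-endian integer. Because the purpose is part of the signed bytes, a
     * signature made for one purpose does not verify under a different one.
     *
     * <p>NOTE(review): the length field holds the payload length only, not the
     * payload plus the 8-byte header; confirm this matches what the signing side
     * writes.
     *
     * @param data payload that was signed
     * @param purpose purpose number the signature was made for
     * @param publicKey public key to check for
     * @return whether the signature is valid
     * @throws AssertionError if the public key is rejected by
     *         {@link #verifyRaw(byte[], EcdsaPublicKey)}
     */
    public boolean verify(byte[] data, int purpose, EcdsaPublicKey publicKey) {
        ByteArrayOutputStream os = new ByteArrayOutputStream(data.length + 8);
        DataOutputStream dos = new DataOutputStream(os);
        try {
            dos.writeInt(data.length);
            dos.writeInt(purpose);
            dos.write(data);
        } catch (IOException e) {
            // Not expected for an in-memory stream; surfaced as an error if it happens.
            throw new IOError(e);
        }
        return verifyRaw(os.toByteArray(), publicKey);
    }

    /**
     * Load a signature from a string.
     *
     * <p>The string is decoded with {@link Strings#stringToData} into exactly 64
     * bytes; the first 32 become {@code r} and the last 32 become {@code s}. The
     * scalar values themselves are not range-checked here, only during verification.
     *
     * <p>NOTE(review): a string that does not decode raises {@link AssertionError},
     * which {@code catch (Exception e)} does not intercept. Callers parsing strings
     * from untrusted sources should handle it explicitly.
     *
     * @param value serialized signature
     * @return signature
     * @throws AssertionError if the string cannot be decoded into 64 bytes
     */
    public static EcdsaSignature fromString(String value) {
        byte[] data = new byte[64];
        if (! Strings.stringToData(value, data)) {
            throw new AssertionError("malformed signature string");
        }
        EcdsaSignature sig = new EcdsaSignature();
        System.arraycopy(data, 0, sig.r, 0, 32);
        System.arraycopy(data, 32, sig.s, 0, 32);
        return sig;
    }


    /**
     * Serialize the signature to a string: {@code r} followed by {@code s},
     * encoded with {@link Strings#dataToString}. Only the first 32 bytes of each
     * array are used, so both must hold at least 32 bytes.
     *
     * @return serialized signature
     */
    @Override
    public String toString() {
        byte[] sigData = new byte[64];
        System.arraycopy(r, 0, sigData, 0, 32);
        System.arraycopy(s, 0, sigData, 32, 32);
        return Strings.dataToString(sigData);
    }


    /**
     * Return a signature that is invalid with very, very high probability.
     * Both components are filled from a fresh {@link SecureRandom}.
     *
     * @return signature with random garbage
     */
    public static EcdsaSignature randomGarbage() {
        EcdsaSignature sig = new EcdsaSignature();
        // Named rng rather than r to avoid confusion with the signature field r.
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(sig.r);
        rng.nextBytes(sig.s);
        return sig;
    }
}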