path: root/src/main/java/org/gnunet/util/crypto/EddsaSignature.java
/*
 This file is part of GNUnet.
  Copyright (C) 2012, 2013 Christian Grothoff (and other contributing authors)

  GNUnet is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published
  by the Free Software Foundation; either version 3, or (at your
  option) any later version.

  GNUnet is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with GNUnet; see the file COPYING.  If not, write to the
  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
  Boston, MA 02111-1307, USA.
 */

package org.gnunet.util.crypto;


import org.gnunet.construct.FixedSizeIntegerArray;
import org.gnunet.construct.Message;
import org.gnunet.util.Strings;

import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOError;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.SecureRandom;

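/**
 * An EdDSA signature over Ed25519, held as two 32-byte little-endian arrays: the compressed
 * point R followed by the scalar S.
 *
 * <p>Both arrays are public and mutable and carry {@link FixedSizeIntegerArray} annotations
 * declaring 32 unsigned 8-bit elements each. Because anything may overwrite them, verification
 * re-checks their size instead of trusting the constructor.
 */
public class EddsaSignature implements Message {
    /**
     * R value of the signature in compressed form.
     * The number is stored as little endian.
     */
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
    public byte[] r;

    /**
     * S-value of the signature.
     * The number is stored as little endian.
     */
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
    public byte[] s;

    /**
     * Create a signature whose R and S are both 32 zero bytes, ready to be filled in.
     */
    public EddsaSignature() {
        this.r = new byte[32];
        this.s = new byte[32];
    }

    /**
     * Create a signature from an already computed point and scalar.
     *
     * @param r the point R; stored as returned by {@code r.encode()}
     * @param s the scalar S; stored as returned by {@code Ed25519.encodeScalar(s)}
     */
    public EddsaSignature(Ed25519 r, BigInteger s) {
        this.r = r.encode();
        this.s = Ed25519.encodeScalar(s);
    }

    /**
     * Verify this signature over exactly the given bytes; no purpose header is added here
     * (see {@link #verify(byte[], int, EddsaPublicKey)} for that).
     *
     * <p>The check performed is {@code S*B == R + h*A}, where {@code h} is
     * {@code Ed25519.Hint} over the encodings of R and A followed by the message.
     *
     * @param m the exact bytes that were signed
     * @param publicKey public key of the signer
     * @return true if the signature is valid; false if it is invalid, if R or S is not 32 bytes
     *         long, or if R or the public key does not decode to a point on the curve
     * @throws AssertionError if an intermediate point of the computation is not on the curve,
     *         which indicates a defect in the curve arithmetic rather than a bad signature
     */
    public boolean verifyRaw(byte[] m, EddsaPublicKey publicKey) {
        // The fields are public and mutable, so do not assume they still hold 32 bytes each.
        if (r == null || s == null || r.length != 32 || s.length != 32) {
            return false;
        }
        Ed25519 R = Ed25519.decode(r);
        if (!R.isOnCurve()) {
            return false;
        }
        // Validate the signer's key BEFORE it takes part in any curve arithmetic. A key that is
        // not a curve point is a reason to reject the signature, not an internal error: both R
        // and the key may come from a remote peer.
        // NOTE(review): asPoint() is not shown here; if it already validates, this check is
        // merely a cheap redundancy.
        Ed25519 A = publicKey.asPoint();
        if (!A.isOnCurve()) {
            return false;
        }
        // NOTE(review): decodeScalar() is not shown here. If it accepts values at or above the
        // group order, then S and S + order verify identically, so more than one encoding of
        // the same signature is accepted (signature malleability). Confirm that S is
        // range-checked wherever signature bytes are used as a unique identifier.
        BigInteger S = Ed25519.decodeScalar(s);
        ByteBuffer hashInput = ByteBuffer.allocate(32 + 32 + m.length);
        hashInput.put(R.encode()).put(A.encode()).put(m);
        BigInteger h = Ed25519.Hint(hashInput.array());
        Ed25519 lhs = Ed25519.B.scalarmult(S);
        Ed25519 rhs = R.add(A.scalarmult(h));
        // Both inputs were validated above, so an off-curve result can only be an arithmetic bug.
        if (!lhs.isOnCurve() || !rhs.isOnCurve()) {
            throw new AssertionError();
        }
        return lhs.equals(rhs);
    }

    /**
     * Parse a signature from the string form produced by {@link #toString()}.
     *
     * <p>NOTE(review): malformed input is reported with {@link AssertionError}, which is an
     * {@code Error} and is not caught by {@code catch (Exception e)}. Callers that pass strings
     * from configuration or from the network should validate them first or handle the error
     * explicitly.
     *
     * @param value string encoding of the 64 signature bytes (R followed by S)
     * @return the parsed signature
     * @throws AssertionError if {@code Strings.stringToData} reports failure for {@code value}
     */
    public static EddsaSignature fromString(String value) {
        byte[] raw = new byte[64];
        if (!Strings.stringToData(value, raw)) {
            throw new AssertionError();
        }
        EddsaSignature parsed = new EddsaSignature();
        System.arraycopy(raw, 0, parsed.r, 0, 32);
        System.arraycopy(raw, 32, parsed.s, 0, 32);
        return parsed;
    }


    /**
     * Verify this signature over {@code data} bound to a signature purpose.
     *
     * <p>The bytes actually verified are a big-endian 32-bit {@code data.length}, a big-endian
     * 32-bit {@code purpose}, then {@code data}. Since the purpose is part of the signed bytes,
     * a signature made for one purpose does not verify under another.
     *
     * <p>NOTE(review): the size field written here is the payload length alone; it has to
     * match what the signing side wrote. Confirm against the signing code.
     *
     * @param data the payload that was signed
     * @param purpose the purpose number the signature is expected to be bound to
     * @param publicKey public key of the signer
     * @return true if the signature is valid for this payload and purpose, false otherwise
     */
    public boolean verify(byte[] data, int purpose, EddsaPublicKey publicKey) {
        ByteArrayOutputStream signedBytes = new ByteArrayOutputStream(data.length + 8);
        DataOutputStream out = new DataOutputStream(signedBytes);
        try {
            out.writeInt(data.length);
            out.writeInt(purpose);
            out.write(data);
        } catch (IOException e) {
            // Not expected when writing to an in-memory stream.
            throw new IOError(e);
        }
        return verifyRaw(signedBytes.toByteArray(), publicKey);
    }

    /**
     * Return a signature that is invalid with very, very high probability.
     *
     * @return signature with random garbage
     */
    public static EddsaSignature randomGarbage() {
        EddsaSignature garbage = new EddsaSignature();
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(garbage.r);
        rng.nextBytes(garbage.s);
        return garbage;
    }

    /**
     * Encode the 64 signature bytes (R followed by S) with {@code Strings.dataToString}.
     *
     * @return string form accepted by {@link #fromString(String)}
     */
    @Override
    public String toString() {
        byte[] sigData = new byte[64];
        System.arraycopy(r, 0, sigData, 0, 32);
        System.arraycopy(s, 0, sigData, 32, 32);
        return Strings.dataToString(sigData);
    }
}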