/**
 * @license
 * Copyright 2016 Google Inc. All rights reserved.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// TODO(bleichen):
// - add tests for SHA1WithDSA with wrong key
// - add tests for "alternative" algorithm names
// - convert tests for deterministic DSA variants.
//   Deterministic DSA has a few new drawbacks:
//     * implementation flaws that generate k incorrectly can leak
//       the key if multiple implementations (e.g. one correct, one incorrect)
//       are used.
//     * timing attacks are more serious if the attacker can ask for the same
//       signature multiple times, since this allows more accurate timings
//       to be obtained.
27 package com.google.security.wycheproof; 28 29 import com.google.security.wycheproof.WycheproofRunner.ExcludedTest; 30 import com.google.security.wycheproof.WycheproofRunner.ProviderType; 31 import com.google.security.wycheproof.WycheproofRunner.SlowTest; 32 // Android-removed: Android doesn't support JMX 33 // import java.lang.management.ManagementFactory; 34 // import java.lang.management.ThreadMXBean; 35 import java.math.BigInteger; 36 import java.security.GeneralSecurityException; 37 import java.security.KeyFactory; 38 import java.security.KeyPair; 39 import java.security.KeyPairGenerator; 40 import java.security.MessageDigest; 41 import java.security.NoSuchAlgorithmException; 42 import java.security.PublicKey; 43 import java.security.Signature; 44 import java.security.SignatureException; 45 import java.security.interfaces.DSAParams; 46 import java.security.interfaces.DSAPrivateKey; 47 import java.security.interfaces.DSAPublicKey; 48 import java.security.spec.DSAPrivateKeySpec; 49 import java.security.spec.DSAPublicKeySpec; 50 import java.util.Arrays; 51 import javax.crypto.Cipher; 52 import junit.framework.TestCase; 53 54 /** 55 * Tests DSA against invalid signatures. The motivation for this test is the DSA implementation in 56 * gpg4browsers. This implementation accepts signatures with r=1 and s=0 as valid. 
*
* @author bleichen@google.com (Daniel Bleichenbacher)
*/
public class DsaTest extends TestCase {
  // NOTE(review): presumably the message that the signature vectors below were computed over;
  // the test methods that use it are outside this excerpt.
  static final String MESSAGE = "Hello";

  // Fixed DSA test key; the constructor arguments are x, p, q, g in that order.
  // p is 2048 bits long and q is 224 bits long. The private value x is published in this
  // file, so the key is only suitable as test material.
  static final DSAPrivateKeySpec privateKey1 =
      new DSAPrivateKeySpec(
          // x: private key
          new BigInteger("15382583218386677486843706921635237927801862255437148328980464126979"),
          // p: modulus
          new BigInteger(
              "181118486631420055711787706248812146965913392568235070235446058914"
                  + "1170708161715231951918020125044061516370042605439640379530343556"
                  + "4101919053459832890139496933938670005799610981765220283775567361"
                  + "4836626483403394052203488713085936276470766894079318754834062443"
                  + "1033792580942743268186462355159813630244169054658542719322425431"
                  + "4088256212718983105131138772434658820375111735710449331518776858"
                  + "7867938758654181244292694091187568128410190746310049564097068770"
                  + "8161261634790060655580211122402292101772553741704724263582994973"
                  + "9109274666495826205002104010355456981211025738812433088757102520"
                  + "562459649777989718122219159982614304359"),
          // q: order of the group
          new BigInteger("19689526866605154788513693571065914024068069442724893395618704484701"),
          // g: generator
          new BigInteger(
              "2859278237642201956931085611015389087970918161297522023542900348"
                  + "0877180630984239764282523693409675060100542360520959501692726128"
                  + "3149190229583566074777557293475747419473934711587072321756053067"
                  + "2532404847508798651915566434553729839971841903983916294692452760"
                  + "2490198571084091890169933809199002313226100830607842692992570749"
                  + "0504363602970812128803790973955960534785317485341020833424202774"
                  + "0275688698461842637641566056165699733710043802697192696426360843"
                  + "1736206792141319514001488556117408586108219135730880594044593648"
                  + "9237302749293603778933701187571075920849848690861126195402696457"
                  + "4111219599568903257472567764789616958430"));

  // Public key spec that reuses p, q and g from privateKey1.
  // NOTE(review): presumably y = g^x mod p for the x above; not checked in this excerpt.
  static final DSAPublicKeySpec publicKey1 =
      new DSAPublicKeySpec(
          // y: public key
          new BigInteger(
              "3846308446317351758462473207111709291533523711306097971550086650"
                  + "2577333637930103311673872185522385807498738696446063139653693222"
                  + "3528823234976869516765207838304932337200968476150071617737755913"
                  + "3181601169463467065599372409821150709457431511200322947508290005"
                  + "1780020974429072640276810306302799924668893998032630777409440831"
                  + "4314588994475223696460940116068336991199969153649625334724122468"
                  + "7497038281983541563359385775312520539189474547346202842754393945"
                  + "8755803223951078082197762886933401284142487322057236814878262166"
                  + "5072306622943221607031324846468109901964841479558565694763440972"
                  + "5447389416166053148132419345627682740529"),
          privateKey1.getP(),
          privateKey1.getQ(),
          privateKey1.getG());

  // Signatures for Key1.
  // The entry is the hex form of an ASN.1 DER SEQUENCE of two INTEGERs (r, s):
  // 30 3d, then 02 1c followed by the 28 bytes of r, then 02 1d 00 followed by the 28 bytes
  // of s. The 00 byte is needed because the top bit of s is set.
  static final String[] VALID_SIGNATURES = {
    "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
        + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
  };

  /**
   * The following test vectors are derived from a valid signature by
   * using alternative BER encoding as well as legacy formats.
   * Accepting such signatures is in many cases benign. Hence the tests
   * below will pass if such signatures are accepted as valid.
   * The test vectors could be used to check for signature malleability.
   * An example where this kind of signature malleability was a problem is
   * https://en.bitcoin.it/wiki/Transaction_Malleability
   *
   * <p>The vectors carry the same r and s bytes as the entry in VALID_SIGNATURES, so a verifier
   * that accepts them lets one signature be represented by several byte strings. Code that
   * relies on the signature bytes being unique (for example as an identifier or in a
   * deduplication check) should compare the decoded (r, s) or require strict DER.
   */
  static final String[] MODIFIED_SIGNATURES = {
    // BER: long form encoding of length (a 0x81 length prefix on the sequence, r, or s)
    "30813d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
        + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
    "303e02811c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
        + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
    "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
        + "02811d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
    // BER: length contains leading 0 (two length bytes after 0x82, the first being 00)
    "3082003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
        + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
        + "36",
    "303f0282001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
        + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
        + "36",
    "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
        + "0282001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
        + "36",
    // BER: prepending 0's to integer (extra 00 bytes in front of r or s)
    "303f021e00001e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
        + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
        + "36",
    "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
        + "021f000000ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
        + "36",
    // The Sun provider accepts DSA signatures where a leading 00 has
    // been omitted in the ASN.1 encoding. Without that byte the first content byte of s is
    // 0xad, whose top bit is set, so a strict DER parser reads the INTEGER as negative.
    "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
        + "021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
  };

  /**
   * The following test vectors are invalid DSA signatures.
159 * According to {@link java.security.Signature#verify(byte[])} verifying an invalid 160 * signature may either return false or throw a SignatureException. 161 * We expect that a correct implementation of DSA signatures satisfies this contract. 162 * Throwing a RuntimeException instead of a SignatureException could for example 163 * result in a denial of service attack, since callers that handle only the checked exception do not expect it. 164 * 165 * <p>A list of problems that are caught by these signatures: 166 * <ul><li> CVE-2016-5546: OpenJDK8 threw java.lang.ArrayIndexOutOfBoundsException for 167 * some invalid DSA signatures. 168 * </ul> 169 */ 170 static final String[] INVALID_SIGNATURES = { 171 // wrong length 172 "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 173 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 174 "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 175 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 176 "303d021d1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 177 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 178 "303d021b1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 179 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 180 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 181 + "021e00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 182 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 183 + "021c00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 184 // uint32 overflow in length 185 "3085010000003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" 186 + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" 187 + "e8786236", 188 "30420285010000001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" 189 + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" 190 + "e8786236", 191 "3042021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 192 + 
"0285010000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" 193 + "e8786236", 194 // uint64 overflow in length 195 "308901000000000000003d021c1e41b479ad576905b960fe14eadb91b0ccf348" 196 + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf" 197 + "3365813fe8786236", 198 "3046028901000000000000001c1e41b479ad576905b960fe14eadb91b0ccf348" 199 + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf" 200 + "3365813fe8786236", 201 "3046021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 202 + "028901000000000000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf" 203 + "3365813fe8786236", 204 // length = 2**31 - 1 205 "30847fffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" 206 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 207 + "786236", 208 "304102847fffffff1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" 209 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 210 + "786236", 211 "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 212 + "02847fffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 213 + "786236", 214 // length = 2**32 - 1 215 "3084ffffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" 216 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 217 + "786236", 218 "30410284ffffffff1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" 219 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 220 + "786236", 221 "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 222 + "0284ffffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 223 + "786236", 224 // length = 2**64 - 1 225 "3088ffffffffffffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843" 226 + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" 227 + "65813fe8786236", 228 "30450288ffffffffffffffff1e41b479ad576905b960fe14eadb91b0ccf34843" 229 + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" 230 + 
"65813fe8786236", 231 "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 232 + "0288ffffffffffffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" 233 + "65813fe8786236", 234 // removing sequence 235 "", 236 // appending 0's to sequence 237 "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 238 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623600" 239 + "00", 240 // prepending 0's to sequence 241 "303f0000021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" 242 + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 243 + "36", 244 // appending unused 0's 245 "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 246 + "0000021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 247 + "36", 248 // appending null value 249 "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 250 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623605" 251 + "00", 252 "303f021e1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 253 + "0500021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 254 + "36", 255 "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 256 + "021f00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623605" 257 + "00", 258 // including garbage 259 "3042498177303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" 260 + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" 261 + "e8786236", 262 "30412500303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" 263 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 264 + "786236", 265 "303f303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" 266 + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 267 + "360004deadbeef", 268 "30422221498177021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" 269 + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" 270 + "e8786236", 271 
"304122202500021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" 272 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 273 + "786236", 274 "3045221e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" 275 + "c9cd0004deadbeef021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" 276 + "65813fe8786236", 277 "3042021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 278 + "2222498177021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" 279 + "e8786236", 280 "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 281 + "22212500021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 282 + "786236", 283 "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 284 + "221f021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 285 + "360004deadbeef", 286 // including undefined tags 287 "3045aa00bb00cd00303d021c1e41b479ad576905b960fe14eadb91b0ccf34843" 288 + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" 289 + "65813fe8786236", 290 "3043aa02aabb303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab9" 291 + "16173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581" 292 + "3fe8786236", 293 "30452224aa00bb00cd00021c1e41b479ad576905b960fe14eadb91b0ccf34843" 294 + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" 295 + "65813fe8786236", 296 "30432222aa02aabb021c1e41b479ad576905b960fe14eadb91b0ccf34843dab9" 297 + "16173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581" 298 + "3fe8786236", 299 "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 300 + "2225aa00bb00cd00021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" 301 + "65813fe8786236", 302 "3043021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 303 + "2223aa02aabb021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581" 304 + "3fe8786236", 305 // changing tag value 306 "2e3d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 307 + 
"021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 308 "323d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 309 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 310 "ff3d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 311 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 312 "303d001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 313 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 314 "303d041c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 315 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 316 "303dff1c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 317 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 318 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 319 + "001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 320 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 321 + "041d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 322 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 323 + "ff1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 324 // dropping value of sequence 325 "3000", 326 // using composition 327 "3041300102303c1c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" 328 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 329 + "786236", 330 "3041222002011e021b41b479ad576905b960fe14eadb91b0ccf34843dab91617" 331 + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 332 + "786236", 333 "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 334 + "2221020100021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" 335 + "786236", 336 // truncate sequence 337 "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 338 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862", 339 "303c1c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02" 
340 + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 341 // indefinite length with no delimiter 342 "3080021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 343 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 344 // prepend empty sequence 345 "303f3000021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" 346 + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 347 + "36", 348 // append empty sequence 349 "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 350 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623630" 351 + "00", 352 // sequence of sequence 353 "303f303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" 354 + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 355 + "36", 356 // truncated sequence 357 "301e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd", 358 // repeat element in sequence 359 "305c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 360 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623602" 361 + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 362 // removing integer 363 "301f021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 364 // appending 0's to integer 365 "303f021e1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 366 + "0000021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" 367 + "36", 368 "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 369 + "021f00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623600" 370 + "00", 371 // dropping value of integer 372 "30210200021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 373 "3020021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd0200", 374 // modify first byte of integer 375 "303d021c1f41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 376 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 377 
"303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 378 + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 379 // modify last byte of integer 380 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cc" 381 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 382 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 383 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786237", 384 // truncate integer 385 "303c021b1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c902" 386 + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 387 "303c021b41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02" 388 + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 389 "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 390 + "021c00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862", 391 // leading ff in integer 392 "303e021dff1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" 393 + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 394 "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 395 + "021eff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 396 // infinity 397 "3022090180021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 398 "3021021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd090180", 399 // Vectors where r or s have been modified e.g. by adding or subtracting the order of the 400 // group and hence violate the range check for r and s required by DSA. 
401 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 402 + "021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", 403 "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 404 + "021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", 405 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 406 + "021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", 407 "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" 408 + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 409 "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" 410 + "2a021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 411 "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" 412 + "2a021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", 413 "303d021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" 414 + "2a021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", 415 "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" 416 + "2a021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", 417 "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" 418 + "2a021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 419 "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" 420 + "70021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 421 "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" 422 + "70021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", 423 "303d021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" 424 + "70021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", 425 "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" 426 + "70021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", 427 "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" 428 + 
"70021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 429 "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" 430 + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 431 "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" 432 + "021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", 433 "303c021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" 434 + "021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", 435 "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" 436 + "021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", 437 "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" 438 + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 439 "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" 440 + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 441 "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" 442 + "cd021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", 443 "303d021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" 444 + "cd021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", 445 "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" 446 + "cd021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", 447 "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" 448 + "cd021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", 449 // Signatures with special case values for r and s. E.g. r=1, s=0 are values that can lead to 450 // forgeries if the DSA implementation does not check boundaries and computes s^(-1) == 0. 
451 "3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", 452 "3006020100020101", 453 "30060201000201ff", 454 "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", 455 "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", 456 "3022020100021d0100000000000000000000000000000000000000000000000000000000", 457 "3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e" 458 + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b" 459 + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345" 460 + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f" 461 + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d" 462 + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f" 463 + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de" 464 + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3" 465 + "42be484c05763939601cd667", 466 "3008020100090380fe01", 467 "3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", 468 "3006020101020101", 469 "30060201010201ff", 470 "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", 471 "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", 472 "3022020101021d0100000000000000000000000000000000000000000000000000000000", 473 "3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e" 474 + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b" 475 + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345" 476 + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f" 477 + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d" 478 + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f" 479 + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de" 480 + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3" 481 + "42be484c05763939601cd667", 482 
"3008020101090380fe01", 483 "30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", 484 "30060201ff020101", 485 "30060201ff0201ff", 486 "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", 487 "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", 488 "30220201ff021d0100000000000000000000000000000000000000000000000000000000", 489 "308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e" 490 + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b" 491 + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345" 492 + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f" 493 + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d" 494 + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f" 495 + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de" 496 + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3" 497 + "42be484c05763939601cd667", 498 "30080201ff090380fe01", 499 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 500 + "5d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", 501 "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100", 502 "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101", 503 "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff", 504 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 505 + "5d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", 506 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 507 + "5d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", 508 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 509 + "5d021d0100000000000000000000000000000000000000000000000000000000", 510 "30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc" 511 + "d5695d02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718" 
512 + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad" 513 + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe" 514 + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8" 515 + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733" 516 + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4" 517 + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04" 518 + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c" 519 + "05763939601cd667", 520 "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01", 521 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 522 + "5e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", 523 "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100", 524 "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101", 525 "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff", 526 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 527 + "5e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", 528 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 529 + "5e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", 530 "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" 531 + "5e021d0100000000000000000000000000000000000000000000000000000000", 532 "30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc" 533 + "d5695e02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718" 534 + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad" 535 + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe" 536 + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8" 537 + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733" 538 + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4" 539 + 
"c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04" 540 + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c" 541 + "05763939601cd667", 542 "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01", 543 "303e021d01000000000000000000000000000000000000000000000000000000" 544 + "00021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", 545 "3022021d0100000000000000000000000000000000000000000000000000000000020100", 546 "3022021d0100000000000000000000000000000000000000000000000000000000020101", 547 "3022021d01000000000000000000000000000000000000000000000000000000000201ff", 548 "303e021d01000000000000000000000000000000000000000000000000000000" 549 + "00021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", 550 "303e021d01000000000000000000000000000000000000000000000000000000" 551 + "00021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", 552 "303e021d01000000000000000000000000000000000000000000000000000000" 553 + "00021d0100000000000000000000000000000000000000000000000000000000", 554 "30820124021d0100000000000000000000000000000000000000000000000000" 555 + "00000002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718" 556 + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad" 557 + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe" 558 + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8" 559 + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733" 560 + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4" 561 + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04" 562 + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c" 563 + "05763939601cd667", 564 "3024021d0100000000000000000000000000000000000000000000000000000000090380fe01", 565 "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 566 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 567 + 
"adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 568 + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 569 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 570 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 571 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 572 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 573 + "4c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc" 574 + "451a7f3f432a96a3", 575 "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 576 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 577 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 578 + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 579 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 580 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 581 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 582 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 583 + "4c05763939601cd667020100", 584 "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 585 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 586 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 587 + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 588 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 589 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 590 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 591 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 592 + "4c05763939601cd667020101", 593 "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 594 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 595 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 596 + 
"fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 597 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 598 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 599 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 600 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 601 + "4c05763939601cd6670201ff", 602 "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 603 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 604 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 605 + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 606 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 607 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 608 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 609 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 610 + "4c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233" 611 + "bae580c0bcd5695d", 612 "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 613 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 614 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 615 + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 616 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 617 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 618 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 619 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 620 + "4c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233" 621 + "bae580c0bcd5695e", 622 "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 623 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 624 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 625 + 
"fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 626 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 627 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 628 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 629 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 630 + "4c05763939601cd667021d010000000000000000000000000000000000000000" 631 + "0000000000000000", 632 "3082020a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 633 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 634 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 635 + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 636 + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" 637 + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" 638 + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" 639 + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" 640 + "4c05763939601cd66702820101008f7935d9b9aae9bfabed887acf4951b6f32e" 641 + "c59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7" 642 + "475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9" 643 + "93453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6" 644 + "291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9f" 645 + "fa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633" 646 + "458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1" 647 + "43de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f8" 648 + "22e342be484c05763939601cd667", 649 "3082010a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" 650 + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" 651 + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" 652 + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" 653 + 
"f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
    + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
    + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
    + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
    + "4c05763939601cd667090380fe01",
"3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
"3008090380fe01020100",
"3008090380fe01020101",
"3008090380fe010201ff",
"3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
"3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
"3024090380fe01021d0100000000000000000000000000000000000000000000000000000000",
"3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32e"
    + "c59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7"
    + "475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9"
    + "93453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6"
    + "291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9f"
    + "fa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633"
    + "458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1"
    + "43de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f8"
    + "22e342be484c05763939601cd667",
"300a090380fe01090380fe01",
};

/**
 * Verifies every hex-encoded signature in {@code signatures} over {@code message} and fails if
 * any outcome contradicts the two expectation flags.
 *
 * <p>The flags combine as follows:
 *
 * <ul>
 *   <li>{@code isValidDER == true}: every signature must be accepted.
 *   <li>{@code isValidBER == false}: no signature may be accepted.
 *   <li>{@code isValidDER == false} and {@code isValidBER == true}: accepting and rejecting are
 *       both tolerated.
 * </ul>
 *
 * <p>A {@link SignatureException} thrown by {@code verify} is treated as a rejection. Any other
 * exception is counted as an error whatever the flags are, since it points at an internal
 * failure such as careless ASN.1 parsing rather than at a clean rejection.
 *
 * @param signatures hex-encoded signatures to check
 * @param key the DSA public key used for verification
 * @param message the signed message; it is encoded as UTF-8 before verification
 * @param algorithm the JCA signature algorithm name
 * @param signatureType label that prefixes the diagnostic output
 * @param isValidDER whether all signatures are expected to verify
 * @param isValidBER whether a signature is allowed to verify
 */
@SuppressWarnings("InsecureCryptoUsage")
public void testVectors(
    String[] signatures,
    DSAPublicKeySpec key,
    String message,
    String algorithm,
    String signatureType,
    boolean isValidDER,
    boolean isValidBER)
    throws Exception {
  final byte[] data = message.getBytes("UTF-8");
  final Signature dsa = Signature.getInstance(algorithm);
  final PublicKey verificationKey = KeyFactory.getInstance("DSA").generatePublic(key);
  int failures = 0;
  for (String hex : signatures) {
    byte[] encoded = TestUtil.hexToBytes(hex);
    dsa.initVerify(verificationKey);
    dsa.update(data);
    boolean accepted;
    try {
      accepted = dsa.verify(encoded);
    } catch (SignatureException malformed) {
      // verify may throw SignatureException for a malformed signature. That is not flagged;
      // the signature simply counts as invalid.
      accepted = false;
    } catch (Exception unexpected) {
      // Anything else indicates an internal error, e.g. careless ASN parsing, and is an error.
      System.out.println(signatureType + ":" + hex + " throws:" + unexpected.toString());
      failures++;
      continue;
    }
    if (accepted) {
      if (!isValidBER) {
        System.out.println(signatureType + " was verified:" + hex);
        failures++;
      }
    } else if (isValidDER) {
      System.out.println(signatureType + " was not verified:" + hex);
      failures++;
    }
  }
  assertEquals(0, failures);
}

/** Every vector in VALID_SIGNATURES must verify under publicKey1 with SHA224WithDSA. */
public void testValidSignatures() throws Exception {
  testVectors(
      VALID_SIGNATURES,
      publicKey1,
      "Hello",
      "SHA224WithDSA",
      "Valid DSA signature",
      true,
      true);
}

/**
 * Runs MODIFIED_SIGNATURES with {@code isValidDER == false} and {@code isValidBER == true}:
 * a provider may accept or reject these vectors, but must not fail with an exception other than
 * SignatureException.
 */
public void testModifiedSignatures() throws Exception {
  testVectors(
      MODIFIED_SIGNATURES,
      publicKey1,
      "Hello",
      "SHA224WithDSA",
      "Modified DSA signature",
      false,
      true);
}

/** No vector in INVALID_SIGNATURES may verify under publicKey1 with SHA224WithDSA. */
public void testInvalidSignatures() throws Exception {
  testVectors(
      INVALID_SIGNATURES,
      publicKey1,
      "Hello",
      "SHA224WithDSA",
      "Invalid DSA signature",
      false,
      false);
}

// Extract the integer r from a DSA signature.
// This method implicitly assumes that the DSA signature is DER encoded.
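/**
 * Extracts the integer r from a DSA signature that is encoded as a DER SEQUENCE of two INTEGERs.
 *
 * <p>The parser is deliberately minimal: it only handles short-form lengths (below 128 bytes),
 * which is what the fixed offsets used here require. The tags and lengths are checked so that an
 * encoding outside that shape is reported clearly instead of yielding an unrelated integer.
 *
 * @param signature the encoded signature
 * @return r as a signed big-endian integer, as encoded
 * @throws IllegalArgumentException if the encoding does not have the expected structure
 */
BigInteger extractR(byte[] signature) throws Exception {
  requireShortSequence(signature);
  int endR = endOfDerInteger(signature, 2);
  return new BigInteger(Arrays.copyOfRange(signature, 4, endR));
}

/**
 * Extracts the integer s from a DSA signature that is encoded as a DER SEQUENCE of two INTEGERs.
 * The same structural restrictions as for {@code extractR} apply.
 *
 * @param signature the encoded signature
 * @return s as a signed big-endian integer, as encoded
 * @throws IllegalArgumentException if the encoding does not have the expected structure
 */
BigInteger extractS(byte[] signature) throws Exception {
  requireShortSequence(signature);
  int startS = endOfDerInteger(signature, 2);
  int endS = endOfDerInteger(signature, startS);
  return new BigInteger(Arrays.copyOfRange(signature, startS + 2, endS));
}

/** Checks that the signature starts with a SEQUENCE tag followed by a short-form length. */
private static void requireShortSequence(byte[] signature) {
  // A negative length byte has the high bit set, i.e. a long-form length that would shift
  // every offset used by extractR and extractS.
  if (signature.length < 2 || signature[0] != 0x30 || signature[1] < 0) {
    throw new IllegalArgumentException("Not a DER SEQUENCE with a short-form length");
  }
}

/**
 * Returns the offset just past the DER INTEGER whose tag byte is at {@code offset}, after
 * checking the tag, the short-form length and that the content lies inside the array.
 */
private static int endOfDerInteger(byte[] signature, int offset) {
  if (offset < 0 || offset + 2 > signature.length) {
    throw new IllegalArgumentException("Truncated signature: no INTEGER at offset " + offset);
  }
  if (signature[offset] != 0x02) {
    throw new IllegalArgumentException("Expected INTEGER tag at offset " + offset);
  }
  int length = signature[offset + 1];
  // length < 0 is a long-form length; length == 0 is not a valid INTEGER encoding.
  if (length <= 0 || offset + 2 + length > signature.length) {
    throw new IllegalArgumentException("Unsupported INTEGER length at offset " + offset);
  }
  return offset + 2 + length;
}

/**
 * Extracts the k that was used to sign the signature. Validates the k if check == true.
 *
 * <p>With the private key x known, k follows from the signing equation
 * s = k^-1 * (h + x*r) mod q, i.e. k = (x*r + h) * s^-1 mod q. Recovering k this way is only
 * possible because the test owns the private key; it lets the tests inspect how a provider
 * chooses its one-time keys.
 *
 * @param signature the DER encoded DSA signature
 * @param h the message digest as an integer; it is used as given, no truncation to the bit
 *     length of q is done here (callers in this file pass {@code new BigInteger(1, digest)})
 * @param priv the private key that generated the signature
 * @param check if true, recomputes r = (g^k mod p) mod q and asserts that it matches the r
 *     found in the signature
 * @return the one-time key k, reduced modulo q
 * @throws ArithmeticException if s has no inverse modulo q
 */
BigInteger extractK(byte[] signature, BigInteger h, DSAPrivateKey priv, boolean check)
    throws Exception {
  BigInteger x = priv.getX();
  BigInteger q = priv.getParams().getQ();
  BigInteger r = extractR(signature);
  BigInteger s = extractS(signature);
  BigInteger k = x.multiply(r).add(h).multiply(s.modInverse(q)).mod(q);
  if (check) {
    BigInteger p = priv.getParams().getP();
    BigInteger g = priv.getParams().getG();
    BigInteger r2 = g.modPow(k, p).mod(q);
    assertEquals(r.toString(), r2.toString());
  }
  return k;
}

/**
 * Providers that implement SHA1WithDSA but not at least SHA256WithDSA are outdated and should be
 * avoided even if DSA is currently not used in a project. Such providers promote using a weak
 * signature scheme. It can also "inspire" developers to use invalid schemes such as SHA1WithDSA
 * together with 2048-bit key. Such invalid use cases are often untested and can have serious
 * flaws. For example the SUN provider leaked the private keys with 3 to 5 signatures in such
 * instances.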
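*/
public void testOutdatedProvider() throws Exception {
  try {
    Signature sig = Signature.getInstance("SHA1WithDSA");
    try {
      Signature.getInstance("SHA256WithDSA");
    } catch (NoSuchAlgorithmException ex) {
      // SHA1WithDSA is available but SHA256WithDSA is not: report the provider that served
      // the SHA-1 variant.
      fail("Provider " + sig.getProvider().getName() + " is outdated and should not be used.");
    }
  } catch (NoSuchAlgorithmException ex) {
    // No SHA1WithDSA at all is fine; there is nothing to compare against.
    System.out.println("SHA1WithDSA is not supported");
  }
}

/**
 * This is just a test for basic functionality of DSA. The test generates a public and private
 * key, generates a signature, verifies it and prints the whole thing out. This test is useful
 * when an implementation is seriously broken.
 *
 * <p>The private key that is printed belongs to the key pair generated inside this method; the
 * output is meant as raw material for new test vectors.
 */
@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE})
@SuppressWarnings("InsecureCryptoUsage")
public void testBasic() throws Exception {
  int keySize = 2048;
  String algorithm = "SHA256WithDSA";
  String hashAlgorithm = "SHA-256";
  String message = "Hello";

  byte[] messageBytes = message.getBytes("UTF-8");
  KeyPairGenerator generator = KeyPairGenerator.getInstance("DSA");
  generator.initialize(keySize);
  KeyPair keyPair = generator.generateKeyPair();
  DSAPublicKey pub = (DSAPublicKey) keyPair.getPublic();
  DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate();
  Signature signer = Signature.getInstance(algorithm);
  Signature verifier = Signature.getInstance(algorithm);
  signer.initSign(priv);
  signer.update(messageBytes);
  byte[] signature = signer.sign();
  verifier.initVerify(pub);
  verifier.update(messageBytes);
  assertTrue(verifier.verify(signature));

  // Extract some parameters.
  byte[] rawHash = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes);
  DSAParams params = priv.getParams();

  // Print keys and signature, so that it can be used to generate new test vectors.
  System.out.println("Message:" + message);
  System.out.println("Hash:" + TestUtil.bytesToHex(rawHash));
  System.out.println("Params:");
  System.out.println("p:" + params.getP().toString());
  System.out.println("q:" + params.getQ().toString());
  System.out.println("g:" + params.getG().toString());
  System.out.println("Private key:");
  System.out.println("X:" + priv.getX().toString());
  System.out.println("encoded:" + TestUtil.bytesToHex(priv.getEncoded()));
  System.out.println("Public key:");
  System.out.println("Y:" + pub.getY().toString());
  System.out.println("encoded:" + TestUtil.bytesToHex(pub.getEncoded()));
  System.out.println("Signature:" + TestUtil.bytesToHex(signature));
  System.out.println("r:" + extractR(signature).toString());
  System.out.println("s:" + extractS(signature).toString());
}

/**
 * Generates a DSA key pair of the given size and checks the sizes of p, q and the private key.
 *
 * @param keysize the requested bit length of p; only 1024, 2048 and 3072 are accepted, any
 *     other value fails the test
 */
@SuppressWarnings("InsecureCryptoUsage")
public void testKeyGeneration(int keysize) throws Exception {
  KeyPairGenerator generator = KeyPairGenerator.getInstance("DSA");
  generator.initialize(keysize);
  KeyPair keyPair = generator.generateKeyPair();
  DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate();
  DSAParams params = priv.getParams();
  assertEquals(keysize, params.getP().bitLength());
  // The NIST standard does not fully specify the size of q that
  // must be used for a given key size. Hence there are differences.
  // For example if keysize = 2048, then OpenSSL uses 256 bit q's by default,
  // but the SUN provider uses 224 bits. Both are acceptable sizes.
  // The checks below simply assert that the size of q does not decrease the
  // overall security of the DSA.
  int qsize = params.getQ().bitLength();
  switch (keysize) {
    case 1024:
      assertTrue("Invalid qsize for 1024 bit key:" + qsize, qsize >= 160);
      break;
    case 2048:
      assertTrue("Invalid qsize for 2048 bit key:" + qsize, qsize >= 224);
      break;
    case 3072:
      assertTrue("Invalid qsize for 3072 bit key:" + qsize, qsize >= 256);
      break;
    default:
      fail("Invalid key size:" + keysize);
  }
  // Check the length of the private key.
  // For example GPG4Browsers or the KJUR library derived from it use
  // q.bitCount() instead of q.bitLength() to determine the size of the private key
  // and hence would generate keys that are much too small.
  // An x drawn uniformly below q is more than 32 bits shorter than q only with a
  // probability of about 2^-32, so a correct generator practically never trips this.
  assertTrue(priv.getX().bitLength() >= qsize - 32);
}

/**
 * Tests the key generation for DSA.
 *
 * <p>Only 1024 and 2048 bit keys are generated here; the 3072 bit case that
 * {@code testKeyGeneration} accepts is not exercised by this method.
 *
 * <p>Problems found:
 * <ul>
 *   <li> CVE-2016-1000343 BouncyCastle before v.1.56 always generated DSA keys with
 *        a 160-bit q.
 * </ul>
 */
@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE})
public void testKeyGenerationAll() throws Exception {
  testKeyGeneration(1024);
  testKeyGeneration(2048);
}

/**
 * Checks whether the one time key k in DSA is biased. For example the SUN provider fell for this
 * test until April 2016.
 *
 * <p>The test signs the same message repeatedly with a fixed 1024 bit key, recovers k from each
 * signature with the help of the private key, and counts how often k is odd and how often k
 * lies in the upper half of the range below q. Both counts must stay close to half of the
 * number of signatures.
 */
@SuppressWarnings("InsecureCryptoUsage")
@ExcludedTest(
    providers = {ProviderType.BOUNCY_CASTLE},
    comment = "Signature.SHA1WithDSA is removed")
public void testDsaBias() throws Exception {
  // q is close to 2/3 * 2^160.
  BigInteger q = new BigInteger("974317976835659416858874959372334979171063697271");
  BigInteger p =
      new BigInteger(
          "1106803511314772711673172950296693567629309594518393175860816428"
              + "6658764043763662129010863568011543182924292444458455864283745070"
              + "9908516713302345161980412667892373845670780253725557376379049862"
              + "4062950082444499320797079243439689601679418602390654466821968220"
              + "32212146727497041502702331623782703855119908989712161");
  BigInteger g =
      new BigInteger(
          "1057342118316953575810387190942009018497979302261477972033090351"
              + "7561815639397594841480480197745063606756857212792356354588585967"
              + "3837265237205154744016475608524531648654928648461175919672511710"
              + "4878976887505840764543501512668232945506391524642105449699321960"
              + "32410302985148400531470153936516167243072120845392903");
  BigInteger x = new BigInteger("13706102843888006547723575730792302382646994436");

  KeyFactory kf = KeyFactory.getInstance("DSA");
  DSAPrivateKey priv = (DSAPrivateKey) kf.generatePrivate(new DSAPrivateKeySpec(x, p, q, g));

  // If we make TESTS tests with a fair coin then the probability that
  // either heads or tails appears less than MINCOUNT times is less than
  // 2^{-32}.
  // I.e. 2*sum(binomial(tests,i) for i in range(mincount))*2**32 < 2**tests
  // Therefore the test below is not expected to fail unless the generation
  // of the one time keys is indeed biased.
  final int tests = 1024;
  final int mincount = 410;

  String hashAlgorithm = "SHA";
  String message = "Hello";
  byte[] messageBytes = message.getBytes("UTF-8");
  byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes);
  BigInteger h = new BigInteger(1, digest);

  final BigInteger qHalf = q.shiftRight(1);
  Signature signer = Signature.getInstance("SHA1WithDSA");
  signer.initSign(priv);
  int countLsb = 0; // number of k's with the least significant bit set
  int countMsb = 0; // number of k's above q/2, i.e. in the upper half of the range
  for (int i = 0; i < tests; i++) {
    signer.update(messageBytes);
    byte[] signature = signer.sign();
    // Only the first 10 recovered k's are cross-checked against r.
    BigInteger k = extractK(signature, h, priv, i < 10);
    if (k.testBit(0)) {
      countLsb++;
    }
    // Compare against 0 rather than 1: only the sign of compareTo is part of its contract.
    if (k.compareTo(qHalf) > 0) {
      countMsb++;
    }
  }
  if (countLsb < mincount || countLsb > tests - mincount) {
    fail("Bias detected in the least significant bit of k:" + countLsb);
  }
  if (countMsb < mincount || countMsb > tests - mincount) {
    fail("Bias detected in the most significant bit of k:" + countMsb);
  }
}

/**
 * Checks whether CVE-2016-0695 has been fixed. Before the April 2016 security update, the SUN
 * provider had a serious flaw that leaked the private key with about 3-5 signatures. In
 * particular, "Sha1WithDSA" always generated 160 bit k's independently of q. Unfortunately, it is
 * easily possible to use 2048 and 3072 bit DSA keys together with SHA1WithDSA. All a user has to
 * do is to use the algorithm name "DSA" instead of "SHA256WithDSA" rsp. "SHA224WithDSA".
 *
 * <p>An algorithm to extract the key from the signatures has been described for example in the
 * paper <a href="http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf">Lattice Attacks on
 * Digital Signature Schemes</a> by N.A. Howgrave-Graham, N.P. Smart.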
*
 * <p>This bug is the same as US-CERT: VU # 940388: GnuPG generated ElGamal signatures that leaked
 * the private key.
 */
@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE})
@SuppressWarnings("InsecureCryptoUsage")
public void testBiasSha1WithDSA() throws Exception {
  // The digest is computed with "SHA" to match what the algorithm name "DSA" selects
  // according to the description above.
  byte[] messageBytes = "Hello".getBytes("UTF-8");
  BigInteger h = new BigInteger(1, MessageDigest.getInstance("SHA").digest(messageBytes));

  KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
  keyGen.initialize(2048);
  DSAPrivateKey priv = (DSAPrivateKey) keyGen.generateKeyPair().getPrivate();
  Signature signer = Signature.getInstance("DSA");
  try {
    // Private key and selected algorithm by signer do not match.
    // Hence throwing an exception at this point would be reasonable.
    signer.initSign(priv);
    signer.update(messageBytes);
    byte[] signature = signer.sign();
    BigInteger q = priv.getParams().getQ();
    // check == true: the recovered k is validated against r before its length is judged.
    BigInteger k = extractK(signature, h, priv, true);

    // Now check if k is heavily biased: a k more than 32 bits shorter than q is rejected.
    if (q.bitLength() - k.bitLength() > 32) {
      fail(
          "Severly biased DSA signature:"
              + " len(q)="
              + q.bitLength()
              + " len(k)="
              + k.bitLength());
    }
  } catch (GeneralSecurityException rejected) {
    // The key is invalid, hence getting here is reasonable.
  }
}

/**
 * This test checks for potential of a timing attack. The test generates a number of signatures,
 * selects a fraction of them with a small timing and then compares the values k for the selected
 * signatures with a normal distribution. The test fails if these ks are much smaller than
 * expected. An implementation flaw that can lead to a test failure is to compute the signature
 * with a modular exponentiation with a runtime that depends on the length of the exponent.
 *
 * <p>In this copy of the file the measurement is commented out (see the "Android-removed"
 * markers in the method body), so the method returns without signing or timing anything and
 * always passes. The description below documents the disabled code.
 *
 * <p>A failing test simply means that the timing can be used to get information about k. Further
 * analysis is necessary to determine if the bias is exploitable and how many timings are
 * necessary for an attack. A passing test does not mean that the implementation is secure against
 * timing attacks. The test only catches relatively big timing differences. It requires high
 * confidence to fail. Noise on the test machine can prevent that a relation between timing and k
 * can be detected.
 *
 * <p>Claims of what is exploitable: http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf 30
 * signatures are sufficient to find the private key if the attacker knows 8 bits of each k.
 * http://eprint.iacr.org/2004/277.pdf 27 signatures are sufficient if 8 bits of each k is known.
 * Our own old experiments (using 1GB memory on a Pentium-4? CPU): 2^11 signatures are sufficient
 * with a 3 bit leakage. 2^15 signatures are sufficient with a 2 bit leakage. 2^24 signatures are
 * sufficient with a 1 bit leakage. Estimate for biased generation in the NIST standard: e.g. 2^22
 * signatures, 2^40 memory, 2^64 time
 *
 * <p><b>Sample output for the SUN provider:</b> <code>
 * count:50000 cutoff:4629300 relative average:0.9992225872624547 sigmas:0.3010906585642381
 * count:25000 cutoff:733961 relative average:0.976146066585879 sigmas:6.532668708070148
 * count:12500 cutoff:688305 relative average:0.9070352192339134 sigmas:18.00255238454385
 * count:6251 cutoff:673971 relative average:0.7747148791368986 sigmas:30.850903417893825
 * count:3125 cutoff:667045 relative average:0.5901994097874541 sigmas:39.67877152897901
 * count:1563 cutoff:662088 relative average:0.4060286694971057 sigmas:40.67294313795137
 * count:782 cutoff:657921 relative average:0.2577955312387898 sigmas:35.94906247333319
 * count:391 cutoff:653608 relative average:0.1453438859272699 sigmas:29.271192100879457
 * count:196 cutoff:649280 relative average:0.08035497211567771 sigmas:22.300206785132406
 * count:98 cutoff:645122 relative average:0.05063589092661368 sigmas:16.27820353139225
 * count:49 cutoff:641582 relative average:0.018255560447883384 sigmas:11.903018745467488
 * count:25 cutoff:638235 relative average:0.009082660721102722 sigmas:8.581595888660086
 * count:13 cutoff:633975 relative average:0.0067892346039088326 sigmas:6.20259924188633
 * </code>
 *
 * <p><b>What this shows:</b> The first line uses all 50'000 signatures. The average k of these
 * signatures is close to the expected value q/2. Being more selective gives us signatures with a
 * more biased k. For example, the 196 signatures with the fastest timing have about a 3-bit bias.
 * From this we expect that 2^19 signatures and timings are sufficient to find the private key.
 *
 * <p>A list of problems caught by this test:
 * <ul>
 *   <li> CVE-2016-5548 OpenJDK8's DSA is vulnerable to timing attacks.
 *   <li> CVE-2016-1000341 BouncyCastle before v 1.56 is vulnerable to timing attacks.
 * </ul>
 */
@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.OPENJDK,
    ProviderType.SPONGY_CASTLE})
@SuppressWarnings("InsecureCryptoUsage")
public void testTiming() throws Exception {
  // BEGIN Android-removed: Android doesn't support JMX
  /*
  ThreadMXBean bean = ManagementFactory.getThreadMXBean();
  if (!bean.isCurrentThreadCpuTimeSupported()) {
    System.out.println("getCurrentThreadCpuTime is not supported. Skipping");
    return;
  }
  String hashAlgorithm = "SHA-1";
  String message = "Hello";
  byte[] messageBytes = message.getBytes("UTF-8");
  byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes);
  BigInteger h = new BigInteger(1, digest);
  KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("DSA");
  generator.initialize(1024);
  KeyPair keyPair = generator.generateKeyPair();
  DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate();
  Signature signer = Signature.getInstance("SHA1WITHDSA");
  signer.initSign(priv);
  // The timings below are quite noisy. Thus we need a large number of samples.
  int samples = 50000;
  long[] timing = new long[samples];
  BigInteger[] k = new BigInteger[samples];
  for (int i = 0; i < samples; i++) {
    long start = bean.getCurrentThreadCpuTime();
    signer.update(messageBytes);
    byte[] signature = signer.sign();
    timing[i] = bean.getCurrentThreadCpuTime() - start;
    k[i] = extractK(signature, h, priv, false);
  }
  long[] sorted = Arrays.copyOf(timing, timing.length);
  Arrays.sort(sorted);
  // Here we are only interested in roughly the 8 most significant bits of the ks.
  // Hence, using double is sufficiently precise.
  double q = priv.getParams().getQ().doubleValue();
  double expectedAverage = q / 2;
  double maxSigmas = 0;
  System.out.println("testTiming: SHA1WITHDSA");
  for (int idx = samples - 1; idx > 10; idx /= 2) {
    long cutoff = sorted[idx];
    int count = 0;
    double total = 0;
    for (int i = 0; i < samples; i++) {
      if (timing[i] <= cutoff) {
        total += k[i].doubleValue();
        count += 1;
      }
    }
    double expectedStdDev = q / Math.sqrt(12 * count);
    double average = total / count;
    // Number of standard deviations that the average is away from
    // the expected value:
    double sigmas = (expectedAverage - average) / expectedStdDev;
    if (sigmas > maxSigmas) {
      maxSigmas = sigmas;
    }
    System.out.println(
        "count:"
            + count
            + " cutoff:"
            + cutoff
            + " relative average:"
            + (average / expectedAverage)
            + " sigmas:"
            + sigmas);
  }
  // Checks if the signatures with a small timing have a biased k.
  // We use 7 standard deviations, so that the probability of a false positive is smaller
  // than 10^{-10}.
  if (maxSigmas >= 7) {
    fail("Signatures with short timing have a biased k");
  }
  */
  // END Android-removed: Android doesn't support JMX
}

/**
 * DSA does not allow encryption. This test verifies that a provider does not implement an ad hoc
 * scheme that attempts to turn DSA into a public key encryption scheme.
 *
 * <p>The test passes when {@code Cipher.getInstance("DSA")} throws NoSuchAlgorithmException and
 * fails, naming the provider, when a cipher is returned.
 */
@SuppressWarnings("InsecureCryptoUsage")
public void testEncryptionWithDsa() throws Exception {
  try {
    Cipher dsaCipher = Cipher.getInstance("DSA");
    fail("DSA must not be used as a cipher:" + dsaCipher.getProvider().toString());
  } catch (NoSuchAlgorithmException expected) {
    // This is expected
  }
}
}