1 /* 2 * Copyright (c) 2006-2011 Christian Plattner. All rights reserved. 3 * Please refer to the LICENSE.txt for licensing details. 4 */ 5 package ch.ethz.ssh2.signature; 6 7 import java.io.IOException; 8 import java.math.BigInteger; 9 import java.security.SecureRandom; 10 11 import ch.ethz.ssh2.crypto.digest.SHA1; 12 import ch.ethz.ssh2.log.Logger; 13 import ch.ethz.ssh2.packets.TypesReader; 14 import ch.ethz.ssh2.packets.TypesWriter; 15 16 /** 17 * DSASHA1Verify. 18 * 19 * @author Christian Plattner 20 * @version $Id: DSASHA1Verify.java 41 2011-06-02 10:36:41Z dkocher@sudo.ch $ 21 */ 22 public class DSASHA1Verify 23 { 24 private static final Logger log = Logger.getLogger(DSASHA1Verify.class); 25 decodeSSHDSAPublicKey(byte[] key)26 public static DSAPublicKey decodeSSHDSAPublicKey(byte[] key) throws IOException 27 { 28 TypesReader tr = new TypesReader(key); 29 30 String key_format = tr.readString(); 31 32 if (key_format.equals("ssh-dss") == false) 33 throw new IllegalArgumentException("This is not a ssh-dss public key!"); 34 35 BigInteger p = tr.readMPINT(); 36 BigInteger q = tr.readMPINT(); 37 BigInteger g = tr.readMPINT(); 38 BigInteger y = tr.readMPINT(); 39 40 if (tr.remain() != 0) 41 throw new IOException("Padding in DSA public key!"); 42 43 return new DSAPublicKey(p, q, g, y); 44 } 45 encodeSSHDSAPublicKey(DSAPublicKey pk)46 public static byte[] encodeSSHDSAPublicKey(DSAPublicKey pk) throws IOException 47 { 48 TypesWriter tw = new TypesWriter(); 49 50 tw.writeString("ssh-dss"); 51 tw.writeMPInt(pk.getP()); 52 tw.writeMPInt(pk.getQ()); 53 tw.writeMPInt(pk.getG()); 54 tw.writeMPInt(pk.getY()); 55 56 return tw.getBytes(); 57 } 58 encodeSSHDSASignature(DSASignature ds)59 public static byte[] encodeSSHDSASignature(DSASignature ds) 60 { 61 TypesWriter tw = new TypesWriter(); 62 63 tw.writeString("ssh-dss"); 64 65 byte[] r = ds.getR().toByteArray(); 66 byte[] s = ds.getS().toByteArray(); 67 68 byte[] a40 = new byte[40]; 69 70 /* Patch (unsigned) r and s into the target array. */ 71 72 int r_copylen = (r.length < 20) ? r.length : 20; 73 int s_copylen = (s.length < 20) ? s.length : 20; 74 75 System.arraycopy(r, r.length - r_copylen, a40, 20 - r_copylen, r_copylen); 76 System.arraycopy(s, s.length - s_copylen, a40, 40 - s_copylen, s_copylen); 77 78 tw.writeString(a40, 0, 40); 79 80 return tw.getBytes(); 81 } 82 decodeSSHDSASignature(byte[] sig)83 public static DSASignature decodeSSHDSASignature(byte[] sig) throws IOException 84 { 85 byte[] rsArray; 86 87 if (sig.length == 40) 88 { 89 rsArray = sig; 90 } 91 else 92 { 93 TypesReader tr = new TypesReader(sig); 94 95 String sig_format = tr.readString(); 96 97 if (sig_format.equals("ssh-dss") == false) 98 throw new IOException("Peer sent wrong signature format"); 99 100 rsArray = tr.readByteString(); 101 102 if (rsArray.length != 40) 103 throw new IOException("Peer sent corrupt signature"); 104 105 if (tr.remain() != 0) 106 throw new IOException("Padding in DSA signature!"); 107 } 108 109 /* Remember, s and r are unsigned ints. */ 110 111 byte[] tmp = new byte[20]; 112 113 System.arraycopy(rsArray, 0, tmp, 0, 20); 114 BigInteger r = new BigInteger(1, tmp); 115 116 System.arraycopy(rsArray, 20, tmp, 0, 20); 117 BigInteger s = new BigInteger(1, tmp); 118 119 if (log.isDebugEnabled()) 120 { 121 log.debug("decoded ssh-dss signature: first bytes r(" + ((rsArray[0]) & 0xff) + "), s(" 122 + ((rsArray[20]) & 0xff) + ")"); 123 } 124 125 return new DSASignature(r, s); 126 } 127 verifySignature(byte[] message, DSASignature ds, DSAPublicKey dpk)128 public static boolean verifySignature(byte[] message, DSASignature ds, DSAPublicKey dpk) throws IOException 129 { 130 /* Inspired by Bouncycastle's DSASigner class */ 131 132 SHA1 md = new SHA1(); 133 md.update(message); 134 byte[] sha_message = new byte[md.getDigestLength()]; 135 md.digest(sha_message); 136 137 BigInteger m = new BigInteger(1, sha_message); 138 139 BigInteger r = ds.getR(); 140 BigInteger s = ds.getS(); 141 142 BigInteger g = dpk.getG(); 143 BigInteger p = dpk.getP(); 144 BigInteger q = dpk.getQ(); 145 BigInteger y = dpk.getY(); 146 147 BigInteger zero = BigInteger.ZERO; 148 149 if (log.isDebugEnabled()) 150 { 151 log.debug("ssh-dss signature: m: " + m.toString(16)); 152 log.debug("ssh-dss signature: r: " + r.toString(16)); 153 log.debug("ssh-dss signature: s: " + s.toString(16)); 154 log.debug("ssh-dss signature: g: " + g.toString(16)); 155 log.debug("ssh-dss signature: p: " + p.toString(16)); 156 log.debug("ssh-dss signature: q: " + q.toString(16)); 157 log.debug("ssh-dss signature: y: " + y.toString(16)); 158 } 159 160 if (zero.compareTo(r) >= 0 || q.compareTo(r) <= 0) 161 { 162 log.warning("ssh-dss signature: zero.compareTo(r) >= 0 || q.compareTo(r) <= 0"); 163 return false; 164 } 165 166 if (zero.compareTo(s) >= 0 || q.compareTo(s) <= 0) 167 { 168 log.warning("ssh-dss signature: zero.compareTo(s) >= 0 || q.compareTo(s) <= 0"); 169 return false; 170 } 171 172 BigInteger w = s.modInverse(q); 173 174 BigInteger u1 = m.multiply(w).mod(q); 175 BigInteger u2 = r.multiply(w).mod(q); 176 177 u1 = g.modPow(u1, p); 178 u2 = y.modPow(u2, p); 179 180 BigInteger v = u1.multiply(u2).mod(p).mod(q); 181 182 return v.equals(r); 183 } 184 generateSignature(byte[] message, DSAPrivateKey pk, SecureRandom rnd)185 public static DSASignature generateSignature(byte[] message, DSAPrivateKey pk, SecureRandom rnd) 186 { 187 SHA1 md = new SHA1(); 188 md.update(message); 189 byte[] sha_message = new byte[md.getDigestLength()]; 190 md.digest(sha_message); 191 192 BigInteger m = new BigInteger(1, sha_message); 193 BigInteger k; 194 int qBitLength = pk.getQ().bitLength(); 195 196 do 197 { 198 k = new BigInteger(qBitLength, rnd); 199 } 200 while (k.compareTo(pk.getQ()) >= 0); 201 202 BigInteger r = pk.getG().modPow(k, pk.getP()).mod(pk.getQ()); 203 204 k = k.modInverse(pk.getQ()).multiply(m.add((pk).getX().multiply(r))); 205 206 BigInteger s = k.mod(pk.getQ()); 207 208 return new DSASignature(r, s); 209 } 210 } 211