• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2006-2011 Christian Plattner. All rights reserved.
3  * Please refer to the LICENSE.txt for licensing details.
4  */
5 package ch.ethz.ssh2.signature;
6 
7 import java.io.IOException;
8 import java.math.BigInteger;
9 import java.security.SecureRandom;
10 
11 import ch.ethz.ssh2.crypto.digest.SHA1;
12 import ch.ethz.ssh2.log.Logger;
13 import ch.ethz.ssh2.packets.TypesReader;
14 import ch.ethz.ssh2.packets.TypesWriter;
15 
16 /**
17  * DSASHA1Verify.
18  *
19  * @author Christian Plattner
20  * @version $Id: DSASHA1Verify.java 41 2011-06-02 10:36:41Z dkocher@sudo.ch $
21  */
22 public class DSASHA1Verify
23 {
24 	private static final Logger log = Logger.getLogger(DSASHA1Verify.class);
25 
decodeSSHDSAPublicKey(byte[] key)26 	public static DSAPublicKey decodeSSHDSAPublicKey(byte[] key) throws IOException
27 	{
28 		TypesReader tr = new TypesReader(key);
29 
30 		String key_format = tr.readString();
31 
32 		if (key_format.equals("ssh-dss") == false)
33 			throw new IllegalArgumentException("This is not a ssh-dss public key!");
34 
35 		BigInteger p = tr.readMPINT();
36 		BigInteger q = tr.readMPINT();
37 		BigInteger g = tr.readMPINT();
38 		BigInteger y = tr.readMPINT();
39 
40 		if (tr.remain() != 0)
41 			throw new IOException("Padding in DSA public key!");
42 
43 		return new DSAPublicKey(p, q, g, y);
44 	}
45 
encodeSSHDSAPublicKey(DSAPublicKey pk)46 	public static byte[] encodeSSHDSAPublicKey(DSAPublicKey pk) throws IOException
47 	{
48 		TypesWriter tw = new TypesWriter();
49 
50 		tw.writeString("ssh-dss");
51 		tw.writeMPInt(pk.getP());
52 		tw.writeMPInt(pk.getQ());
53 		tw.writeMPInt(pk.getG());
54 		tw.writeMPInt(pk.getY());
55 
56 		return tw.getBytes();
57 	}
58 
encodeSSHDSASignature(DSASignature ds)59 	public static byte[] encodeSSHDSASignature(DSASignature ds)
60 	{
61 		TypesWriter tw = new TypesWriter();
62 
63 		tw.writeString("ssh-dss");
64 
65 		byte[] r = ds.getR().toByteArray();
66 		byte[] s = ds.getS().toByteArray();
67 
68 		byte[] a40 = new byte[40];
69 
70 		/* Patch (unsigned) r and s into the target array. */
71 
72 		int r_copylen = (r.length < 20) ? r.length : 20;
73 		int s_copylen = (s.length < 20) ? s.length : 20;
74 
75 		System.arraycopy(r, r.length - r_copylen, a40, 20 - r_copylen, r_copylen);
76 		System.arraycopy(s, s.length - s_copylen, a40, 40 - s_copylen, s_copylen);
77 
78 		tw.writeString(a40, 0, 40);
79 
80 		return tw.getBytes();
81 	}
82 
decodeSSHDSASignature(byte[] sig)83 	public static DSASignature decodeSSHDSASignature(byte[] sig) throws IOException
84 	{
85 		byte[] rsArray;
86 
87 		if (sig.length == 40)
88 		{
89 			rsArray = sig;
90 		}
91 		else
92 		{
93 			TypesReader tr = new TypesReader(sig);
94 
95 			String sig_format = tr.readString();
96 
97 			if (sig_format.equals("ssh-dss") == false)
98 				throw new IOException("Peer sent wrong signature format");
99 
100 			rsArray = tr.readByteString();
101 
102 			if (rsArray.length != 40)
103 				throw new IOException("Peer sent corrupt signature");
104 
105 			if (tr.remain() != 0)
106 				throw new IOException("Padding in DSA signature!");
107 		}
108 
109 		/* Remember, s and r are unsigned ints. */
110 
111 		byte[] tmp = new byte[20];
112 
113 		System.arraycopy(rsArray, 0, tmp, 0, 20);
114 		BigInteger r = new BigInteger(1, tmp);
115 
116 		System.arraycopy(rsArray, 20, tmp, 0, 20);
117 		BigInteger s = new BigInteger(1, tmp);
118 
119 		if (log.isDebugEnabled())
120 		{
121 			log.debug("decoded ssh-dss signature: first bytes r(" + ((rsArray[0]) & 0xff) + "), s("
122 					+ ((rsArray[20]) & 0xff) + ")");
123 		}
124 
125 		return new DSASignature(r, s);
126 	}
127 
verifySignature(byte[] message, DSASignature ds, DSAPublicKey dpk)128 	public static boolean verifySignature(byte[] message, DSASignature ds, DSAPublicKey dpk) throws IOException
129 	{
130 		/* Inspired by Bouncycastle's DSASigner class */
131 
132 		SHA1 md = new SHA1();
133 		md.update(message);
134 		byte[] sha_message = new byte[md.getDigestLength()];
135 		md.digest(sha_message);
136 
137 		BigInteger m = new BigInteger(1, sha_message);
138 
139 		BigInteger r = ds.getR();
140 		BigInteger s = ds.getS();
141 
142 		BigInteger g = dpk.getG();
143 		BigInteger p = dpk.getP();
144 		BigInteger q = dpk.getQ();
145 		BigInteger y = dpk.getY();
146 
147 		BigInteger zero = BigInteger.ZERO;
148 
149 		if (log.isDebugEnabled())
150 		{
151 			log.debug("ssh-dss signature: m: " + m.toString(16));
152 			log.debug("ssh-dss signature: r: " + r.toString(16));
153 			log.debug("ssh-dss signature: s: " + s.toString(16));
154 			log.debug("ssh-dss signature: g: " + g.toString(16));
155 			log.debug("ssh-dss signature: p: " + p.toString(16));
156 			log.debug("ssh-dss signature: q: " + q.toString(16));
157 			log.debug("ssh-dss signature: y: " + y.toString(16));
158 		}
159 
160 		if (zero.compareTo(r) >= 0 || q.compareTo(r) <= 0)
161 		{
162 			log.warning("ssh-dss signature: zero.compareTo(r) >= 0 || q.compareTo(r) <= 0");
163 			return false;
164 		}
165 
166 		if (zero.compareTo(s) >= 0 || q.compareTo(s) <= 0)
167 		{
168 			log.warning("ssh-dss signature: zero.compareTo(s) >= 0 || q.compareTo(s) <= 0");
169 			return false;
170 		}
171 
172 		BigInteger w = s.modInverse(q);
173 
174 		BigInteger u1 = m.multiply(w).mod(q);
175 		BigInteger u2 = r.multiply(w).mod(q);
176 
177 		u1 = g.modPow(u1, p);
178 		u2 = y.modPow(u2, p);
179 
180 		BigInteger v = u1.multiply(u2).mod(p).mod(q);
181 
182 		return v.equals(r);
183 	}
184 
generateSignature(byte[] message, DSAPrivateKey pk, SecureRandom rnd)185 	public static DSASignature generateSignature(byte[] message, DSAPrivateKey pk, SecureRandom rnd)
186 	{
187 		SHA1 md = new SHA1();
188 		md.update(message);
189 		byte[] sha_message = new byte[md.getDigestLength()];
190 		md.digest(sha_message);
191 
192 		BigInteger m = new BigInteger(1, sha_message);
193 		BigInteger k;
194 		int qBitLength = pk.getQ().bitLength();
195 
196 		do
197 		{
198 			k = new BigInteger(qBitLength, rnd);
199 		}
200 		while (k.compareTo(pk.getQ()) >= 0);
201 
202 		BigInteger r = pk.getG().modPow(k, pk.getP()).mod(pk.getQ());
203 
204 		k = k.modInverse(pk.getQ()).multiply(m.add((pk).getX().multiply(r)));
205 
206 		BigInteger s = k.mod(pk.getQ());
207 
208 		return new DSASignature(r, s);
209 	}
210 }
211