/tmp/pip-target-t616c12r/lib/python/Crypto/Signature/DSS.py

Public names (``__all__``): ``DssSigScheme``, ``new``.

Names imported by the module: ``DerSequence`` (Crypto.Util.asn1), ``long_to_bytes`` (Crypto.Util.number), ``Integer`` (Crypto.Math.Numbers), ``HMAC`` (Crypto.Hash), ``EccKey`` (Crypto.PublicKey.ECC), ``DsaKey`` (Crypto.PublicKey.DSA).


DssSigScheme

    A (EC)DSA signature object.
    Do not instantiate directly.
    Use :func:`Crypto.Signature.DSS.new`.

DssSigScheme.__init__

    Create a new Digital Signature Standard (DSS) object.

    Do not instantiate this object directly,
    use `Crypto.Signature.DSS.new` instead.

DssSigScheme.can_sign

    Return ``True`` if this signature object can be used
    for signing messages.

DssSigScheme._compute_nonce, DssSigScheme._valid_hash

    Raise ``NotImplementedError`` ("To be provided by subclasses").

DssSigScheme.sign

    Compute the DSA/ECDSA signature of a message.

    Args:
      msg_hash (hash object):
        The hash that was carried out over the message.
        The object belongs to the :mod:`Crypto.Hash` package.
        Under mode ``'fips-186-3'``, the hash must be a FIPS
        approved secure hash (SHA-2 or SHA-3).

    :return: The signature as ``bytes``
    :raise ValueError: if the hash algorithm is incompatible with the (EC)DSA key
    :raise TypeError: if the (EC)DSA key has no private half

    Error messages: "Private key is needed to sign", "Hash is not sufficiently strong".

DssSigScheme.verify

    Check if a certain (EC)DSA signature is authentic.

    Args:
      msg_hash (hash object):
        The hash that was carried out over the message.
        This is an object belonging to the :mod:`Crypto.Hash` module.
        Under mode ``'fips-186-3'``, the hash must be a FIPS
        approved secure hash (SHA-2 or SHA-3).

      signature (``bytes``):
        The signature that needs to be validated.

    :raise ValueError: if the signature is not authentic

    Error messages: "The signature is not authentic (length)", "The signature is not authentic (DER)", "The signature is not authentic (DER content)", "The signature is not authentic (d)", "The signature is not authentic".


DeterministicDsaSigScheme

DeterministicDsaSigScheme._bits2int

    See 2.3.2 in RFC6979

DeterministicDsaSigScheme._int2octets

    See 2.3.3 in RFC6979

DeterministicDsaSigScheme._bits2octets

    See 2.3.4 in RFC6979

DeterministicDsaSigScheme._compute_nonce

    Generate k in a deterministic way


FipsDsaSigScheme

FipsDsaSigScheme.__init__

    Error message: "L/N (%d, %d) is not compliant to FIPS 186-3".

FipsDsaSigScheme._valid_hash

    Verify that SHA-1, SHA-2 or SHA-3 are used

    Accepted hash OIDs: ``1.3.14.3.2.26``, or any OID starting with ``2.16.840.1.101.3.4.2.``.


FipsEcDsaSigScheme

FipsEcDsaSigScheme._valid_hash

    Verify that the strength of the hash matches or exceeds
    the strength of the EC. We fail if the hash is too weak.

    Hash OID groups used by the check:

    - ``sha224``: 2.16.840.1.101.3.4.2.4, 2.16.840.1.101.3.4.2.7, 2.16.840.1.101.3.4.2.5
    - ``sha256``: 2.16.840.1.101.3.4.2.1, 2.16.840.1.101.3.4.2.8, 2.16.840.1.101.3.4.2.6
    - ``sha384``: 2.16.840.1.101.3.4.2.2, 2.16.840.1.101.3.4.2.9
    - ``sha512``: 2.16.840.1.101.3.4.2.3, 2.16.840.1.101.3.4.2.10


new

    Create a signature object :class:`DssSigScheme` that
    can perform (EC)DSA signature or verification.

    .. note::
        Refer to `NIST SP 800 Part 1 Rev 4`_ (or newer release) for an
        overview of the recommended key lengths.

    Args:
      key (:class:`Crypto.PublicKey.DSA` or :class:`Crypto.PublicKey.ECC`):
        The key to use for computing the signature (*private* keys only)
        or for verifying one.
        For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p``
        and of ``q``: the pair ``(L,N)`` must appear in the following list,
        in compliance with section 4.2 of `FIPS 186-4`_:

        - (1024, 160) *legacy only; do not create new signatures with this*
        - (2048, 224) *deprecated; do not create new signatures with this*
        - (2048, 256)
        - (3072, 256)

        For ECC, only keys over P-224, P-256, P-384, and P-521 are accepted.

      mode (string):
        The parameter can take these values:

        - ``'fips-186-3'``. The signature generation is randomized and carried out
          according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG.
        - ``'deterministic-rfc6979'``. The signature generation is not
          randomized. See RFC6979_.

      encoding (string):
        How the signature is encoded. This value determines the output of
        :meth:`sign` and the input to :meth:`verify`.

        The following values are accepted:

        - ``'binary'`` (default), the signature is the raw concatenation
          of ``r`` and ``s``. It is defined in the IEEE P.1363 standard.
          For DSA, the size in bytes of the signature is ``N/4`` bytes
          (e.g. 64 for ``N=256``).
          For ECDSA, the signature is always twice the length of a point
          coordinate (e.g. 64 bytes for P-256).

        - ``'der'``, the signature is an ASN.1 DER SEQUENCE
          with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_.
          The size of the signature is variable.

      randfunc (callable):
        A function that returns random ``bytes``, of a given length.
        If omitted, the internal RNG is used.
        Only applicable for the *'fips-186-3'* mode.

    .. _FIPS 186-3: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
    .. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
    .. _NIST SP 800 Part 1 Rev 4: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
    .. _RFC6979: http://tools.ietf.org/html/rfc6979
    .. _RFC3279: https://tools.ietf.org/html/rfc3279#section-2.2.2

    Error messages: "Unknown encoding '%s'", "Unsupported key type ", "Unknown DSS mode '%s'".