UNPKG

tenvoy

Version:

PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org

github.com/TogaTech/tEnvoy

TogaTech/tEnvoy

189 lines (176 loc) 5.87 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
// GPG4Browsers - An OpenPGP implementation in javascript // Copyright (C) 2011 Recurity Labs GmbH // // This library is free software; you can redistribute it and/or // modify it under the terms of the GNU Lesser General Public // License as published by the Free Software Foundation; either // version 3.0 of the License, or (at your option) any later version. // // This library is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU // Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public // License along with this library; if not, write to the Free Software // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA /** * @fileoverview A Digital signature algorithm implementation * @requires bn.js * @requires crypto/random * @requires util * @module crypto/public_key/dsa */ import BN from 'bn.js'; import random from '../random'; import util from '../../util'; import prime from './prime'; const one = new BN(1); const zero = new BN(0); /* TODO regarding the hash function, read: https://tools.ietf.org/html/rfc4880#section-13.6 https://tools.ietf.org/html/rfc4880#section-14 */ export default { /** * DSA Sign function * @param {Integer} hash_algo * @param {Uint8Array} hashed * @param {BN} g * @param {BN} p * @param {BN} q * @param {BN} x * @returns {{ r: BN, s: BN }} * @async */ sign: async function(hash_algo, hashed, g, p, q, x) { let k; let r; let s; let t; const redp = new BN.red(p); const redq = new BN.red(q); const gred = g.toRed(redp); const xred = x.toRed(redq); // If the output size of the chosen hash is larger than the number of // bits of q, the hash result is truncated to fit by taking the number // of leftmost bits equal to the number of bits of q. This (possibly // truncated) hash function result is treated as a number and used // directly in the DSA signature algorithm. const h = new BN(hashed.subarray(0, q.byteLength())).toRed(redq); // FIPS-186-4, section 4.6: // The values of r and s shall be checked to determine if r = 0 or s = 0. // If either r = 0 or s = 0, a new value of k shall be generated, and the // signature shall be recalculated. It is extremely unlikely that r = 0 // or s = 0 if signatures are generated properly. while (true) { // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf k = await random.getRandomBN(one, q); // returns in [1, q-1] r = gred.redPow(k).fromRed().toRed(redq); // (g**k mod p) mod q if (zero.cmp(r) === 0) { continue; } t = h.redAdd(xred.redMul(r)); // H(m) + x*r mod q s = k.toRed(redq).redInvm().redMul(t); // k**-1 * (H(m) + x*r) mod q if (zero.cmp(s) === 0) { continue; } break; } return { r: r.toArrayLike(Uint8Array, 'be', q.byteLength()), s: s.toArrayLike(Uint8Array, 'be', q.byteLength()) }; }, /** * DSA Verify function * @param {Integer} hash_algo * @param {BN} r * @param {BN} s * @param {Uint8Array} hashed * @param {BN} g * @param {BN} p * @param {BN} q * @param {BN} y * @returns {boolean} * @async */ verify: async function(hash_algo, r, s, hashed, g, p, q, y) { if (zero.ucmp(r) >= 0 || r.ucmp(q) >= 0 || zero.ucmp(s) >= 0 || s.ucmp(q) >= 0) { util.print_debug("invalid DSA Signature"); return null; } const redp = new BN.red(p); const redq = new BN.red(q); const h = new BN(hashed.subarray(0, q.byteLength())); const w = s.toRed(redq).redInvm(); // s**-1 mod q if (zero.cmp(w) === 0) { util.print_debug("invalid DSA Signature"); return null; } const u1 = h.toRed(redq).redMul(w); // H(m) * w mod q const u2 = r.toRed(redq).redMul(w); // r * w mod q const t1 = g.toRed(redp).redPow(u1.fromRed()); // g**u1 mod p const t2 = y.toRed(redp).redPow(u2.fromRed()); // y**u2 mod p const v = t1.redMul(t2).fromRed().mod(q); // (g**u1 * y**u2 mod p) mod q return v.cmp(r) === 0; }, /** * Validate DSA parameters * @param {Uint8Array} p DSA prime * @param {Uint8Array} q DSA group order * @param {Uint8Array} g DSA sub-group generator * @param {Uint8Array} y DSA public key * @param {Uint8Array} x DSA private key * @returns {Promise<Boolean>} whether params are valid * @async */ validateParams: async function (p, q, g, y, x) { p = new BN(p); q = new BN(q); g = new BN(g); y = new BN(y); const one = new BN(1); // Check that 1 < g < p if (g.lte(one) || g.gte(p)) { return false; } /** * Check that subgroup order q divides p-1 */ if (!p.sub(one).mod(q).isZero()) { return false; } const pred = new BN.red(p); const gModP = g.toRed(pred); /** * g has order q * Check that g ** q = 1 mod p */ if (!gModP.redPow(q).eq(one)) { return false; } /** * Check q is large and probably prime (we mainly want to avoid small factors) */ const qSize = q.bitLength(); if (qSize < 150 || !(await prime.isProbablePrime(q, null, 32))) { return false; } /** * Re-derive public key y' = g ** x mod p * Expect y == y' * * Blinded exponentiation computes g**{rq + x} to compare to y */ x = new BN(x); const r = await random.getRandomBN(new BN(2).shln(qSize - 1), new BN(2).shln(qSize)); // draw r of same size as q const rqx = q.mul(r).add(x); if (!y.eq(gModP.redPow(rqx))) { return false; } return true; } };