o ev<@sdgZddlmZddlmZddlmZddlmZddl m Z ddl m Z Gdd d e ZGd d d eZGd d d eZGdddeZdddZdS)new) DerSequence) long_to_bytes)Integer)HMAC)EccKey)DsaKeyc@s@eZdZdZddZddZddZdd Zd d Zd d Z dS) DssSigSchemezoA (EC)DSA signature object. Do not instantiate directly. Use :func:`Cryptodome.Signature.DSS.new`. cCs6||_||_||_|j|_|jddd|_dS)zCreate a new Digital Signature Standard (DSS) object. Do not instantiate this object directly, use `Cryptodome.Signature.DSS.new` instead. N)_key _encoding_order size_in_bits _order_bits _order_bytes)selfkeyencodingorderr:/usr/lib/python3/dist-packages/Cryptodome/Signature/DSS.py__init__4s  zDssSigScheme.__init__cCs |jS)zRReturn ``True`` if this signature object can be used for signing messages.)r has_privaterrrrcan_signBs zDssSigScheme.can_signcCtdNzTo be provided by subclassesNotImplementedErrorrmsg_hashrrr_compute_nonceHzDssSigScheme._compute_noncecCrrrr rrr _valid_hashKr#zDssSigScheme._valid_hashcsx|s td|}t|dj}j||}j dkr4d fdd|D}|St | }|S)aProduce the DSA/ECDSA signature of a message. :parameter msg_hash: The hash that was carried out over the message. The object belongs to the :mod:`Cryptodome.Hash` package. Under mode *'fips-186-3'*, the hash must be a FIPS approved secure hash (SHA-1 or a member of the SHA-2 family), of cryptographic strength appropriate for the DSA key. For instance, a 3072/256 DSA key can only be used in combination with SHA-512. :type msg_hash: hash object :return: The signature as a *byte string* :raise ValueError: if the hash algorithm is incompatible to the (EC)DSA key :raise TypeError: if the (EC)DSA key has no private half Hash is not sufficiently strongNbinarycsg|]}t|jqSr)rr.0xrrr msz%DssSigScheme.sign..) r$ ValueErrorr"r from_bytesdigestrr _signr joinrencode)rr!noncezsig_pairoutputrrrsignNs    zDssSigScheme.signc CsH||s td|jdkr1t|d|jkrtddd|d|j||jdfD\}}n3z tj|dd }Wn ttfyHtd wt|dksS|sWtd t |d t |d }}d |kro|j krntdd |kr|j kstdtdt | d|j}|j |||f}|stddS)aCheck if a certain (EC)DSA signature is authentic. :parameter msg_hash: The hash that was carried out over the message. This is an object belonging to the :mod:`Cryptodome.Hash` module. Under mode *'fips-186-3'*, the hash must be a FIPS approved secure hash (SHA-1 or a member of the SHA-2 family), of cryptographic strength appropriate for the DSA key. For instance, a 3072/256 DSA key can only be used in combination with SHA-512. :type msg_hash: hash object :parameter signature: The signature that needs to be validated :type signature: byte string :raise ValueError: if the signature is not authentic r%r&z'The signature is not authentic (length)cSsg|]}t|qSr)rr-r(rrrr+sz'DssSigScheme.verify..NT)strictz$The signature is not authentic (DER)z,The signature is not authentic (DER content)rr z"The signature is not authentic (d)zThe signature is not authenticF)r$r,r lenrrdecode IndexError hasOnlyIntsrrr-r.r _verify)rr! signaturer_primes_primeder_seqr3resultrrrverify|s:     zDssSigScheme.verifyN) __name__ __module__ __qualname____doc__rrr"r$r6rCrrrrr .s .r csDeZdZfddZddZddZddZd d Zd d ZZ S) DeterministicDsaSigSchemectt||||||_dSN)superrHr _private_key)rrrr private_key __class__rrr z"DeterministicDsaSigScheme.__init__cCs8t|}|j}t|d}||kr|||L}|S)zSee 2.3.2 in RFC6979r )rr-rrr9)rbstrrBq_lenb_lenrrr _bits2ints    z#DeterministicDsaSigScheme._bits2intcCs*d|kr |jksJJt||jS)zSee 2.3.3 in RFC6979r)rrr)r int_mod_qrrr _int2octetss z%DeterministicDsaSigScheme._int2octetscCs.||}||jkr |}n||j}||S)zSee 2.3.4 in RFC6979)rTrrV)rrQz1z2rrr _bits2octetss    z&DeterministicDsaSigScheme._bits2octetscCs|}d|j}d|j}dD]!}t|||||j|||}t|||}qd}d|kr?|jksn|dkrXt||d|}t|||}d}t||j krut|||}||7}t||j ksa| |}d|kr|jkr@|Sq@|S)z!Generate k in a deterministic way)r[rZrr') r. digest_sizerrrVrLrYrr9rrT)rmhashh1mask_vnonce_kint_octr2mask_trrrr"sD     z(DeterministicDsaSigScheme._compute_noncecCsdS)NTrr rrrr$sz%DeterministicDsaSigScheme._valid_hash) rDrErFrrTrVrYr"r$ __classcell__rrrNrrHs   (rHcs0eZdZdZfddZddZddZZS)FipsDsaSigScheme))i))rg)i ricsRtt||||||_t|j}||jf|jvr'd||jf}t |dS)Nz+L/N (%d, %d) is not compliant to FIPS 186-3) rKrer _randfuncrprr_fips_186_3_L_Nr,)rrrrrandfuncLerrorrNrrrszFipsDsaSigScheme.__init__cCstjd|j|jdSNr ) min_inclusive max_exclusiverm)r random_rangerrjr rrrr"szFipsDsaSigScheme._compute_noncecCs|jdkp |jdS)z*Verify that SHA-1, SHA-2 or SHA-3 are usedz 1.3.14.3.2.26z2.16.840.1.101.3.4.2.)oid startswithr rrrr$s  zFipsDsaSigScheme._valid_hash)rDrErFrlrr"r$rdrrrNrres   recs,eZdZfddZddZddZZS)FipsEcDsaSigSchemecrIrJ)rKrvrrj)rrrrrmrNrrr rPzFipsEcDsaSigScheme.__init__cCstjd|jjj|jdSrp)rrsr _curverrjr rrrr"$sz!FipsEcDsaSigScheme._compute_noncecCsF|jj}d}d}d}|j|vr|dkS|j|vr|dkS|j|vS)zVerify that SHA-[23] (256|384|512) bits are used to match the security of P-256 (128 bits), P-384 (192 bits) or P-521 (256 bits))z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.8)z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.9)z2.16.840.1.101.3.4.2.3z2.16.840.1.101.3.4.2.10rii)r pointQrrt)rr! modulus_bitssha256sha384sha512rrrr$)s    zFipsEcDsaSigScheme._valid_hash)rDrErFrr"r$rdrrrNrrvs rvr&NcCs|dvr td|t|tr|jj}d}nt|tr#t|j}d}n tdtt || r7t ||}nd}|dkrDt ||||S|dkr[t|trTt ||||St||||Std |) a Create a signature object :class:`DSS_SigScheme` that can perform (EC)DSA signature or verification. .. note:: Refer to `NIST SP 800 Part 1 Rev 4`_ (or newer release) for an overview of the recommended key lengths. :parameter key: The key to use for computing the signature (*private* keys only) or verifying one: it must be either :class:`Cryptodome.PublicKey.DSA` or :class:`Cryptodome.PublicKey.ECC`. For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p`` and of ``q``: the pair ``(L,N)`` must appear in the following list, in compliance to section 4.2 of `FIPS 186-4`_: - (1024, 160) *legacy only; do not create new signatures with this* - (2048, 224) *deprecated; do not create new signatures with this* - (2048, 256) - (3072, 256) For ECC, only keys over P-256, P384, and P-521 are accepted. :type key: a key object :parameter mode: The parameter can take these values: - *'fips-186-3'*. The signature generation is randomized and carried out according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG. - *'deterministic-rfc6979'*. The signature generation is not randomized. See RFC6979_. :type mode: string :parameter encoding: How the signature is encoded. This value determines the output of :meth:`sign` and the input to :meth:`verify`. The following values are accepted: - *'binary'* (default), the signature is the raw concatenation of ``r`` and ``s``. It is defined in the IEEE P.1363 standard. For DSA, the size in bytes of the signature is ``N/4`` bytes (e.g. 64 for ``N=256``). For ECDSA, the signature is always twice the length of a point coordinate (e.g. 64 bytes for P-256). - *'der'*, the signature is a ASN.1 DER SEQUENCE with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_. The size of the signature is variable. :type encoding: string :parameter randfunc: A function that returns random *byte strings*, of a given length. If omitted, the internal RNG is used. Only applicable for the *'fips-186-3'* mode. :type randfunc: callable .. _FIPS 186-3: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf .. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf .. _NIST SP 800 Part 1 Rev 4: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf .. _RFC6979: http://tools.ietf.org/html/rfc6979 .. _RFC3279: https://tools.ietf.org/html/rfc3279#section-2.2.2 )r&derzUnknown encoding '%s'dr*zUnsupported key type Nzdeterministic-rfc6979z fips-186-3zUnknown DSS mode '%s')r, isinstancerrwrrrqstrtypergetattrrHrvre)rmoderrmrprivate_key_attrrMrrrr<s&K       )r&N)__all__Cryptodome.Util.asn1rCryptodome.Util.numberrCryptodome.Math.NumbersrCryptodome.HashrCryptodome.PublicKey.ECCrCryptodome.PublicKey.DSArobjectr rHrervrrrrrs!      N"