o n~b;@sddlmZddlmZddlmZddlmZddlm Z ddl m Z ddgZ Gd dde ZGd d d eZGd d d eZGdddeZdddZdS)) DerSequence) long_to_bytes)Integer)HMAC)EccKey)DsaKey DssSigSchemenewc@s@eZdZdZddZddZddZdd Zd d Zd d Z dS)rzoA (EC)DSA signature object. Do not instantiate directly. Use :func:`Cryptodome.Signature.DSS.new`. cCs6||_||_||_|j|_|jddd|_dS)zCreate a new Digital Signature Standard (DSS) object. Do not instantiate this object directly, use `Cryptodome.Signature.DSS.new` instead. N)_key _encoding_order size_in_bits _order_bits _order_bytes)selfkeyencodingorderrC/usr/local/lib/python3.10/dist-packages/Cryptodome/Signature/DSS.py__init__3s  zDssSigScheme.__init__cCs |jS)zRReturn ``True`` if this signature object can be used for signing messages.)r has_privaterrrrcan_signAs zDssSigScheme.can_signcCtdNzTo be provided by subclassesNotImplementedErrorrmsg_hashrrr_compute_nonceGzDssSigScheme._compute_noncecCrrrr rrr _valid_hashJr#zDssSigScheme._valid_hashcsjs td|std|}t|dj }j ||}j dkr=d fdd|D}|St |}|S)aCompute the DSA/ECDSA signature of a message. Args: msg_hash (hash object): The hash that was carried out over the message. The object belongs to the :mod:`Cryptodome.Hash` package. Under mode ``'fips-186-3'``, the hash must be a FIPS approved secure hash (SHA-2 or SHA-3). :return: The signature as ``bytes`` :raise ValueError: if the hash algorithm is incompatible to the (EC)DSA key :raise TypeError: if the (EC)DSA key has no private half zPrivate key is needed to signHash is not sufficiently strongNbinarycsg|]}t|jqSr)rr.0xrrr ksz%DssSigScheme.sign..)r r TypeErrorr$ ValueErrorr"r from_bytesdigestrZ_signr joinrencode)rr!noncezZsig_pairoutputrrrsignMs     zDssSigScheme.signc CsH||s td|jdkr1t|d|jkrtddd|d|j||jdfD\}}n3z tj|dd }Wn ttfyHtd wt|dksS|sWtd t |d t |d }}d |kro|j krntdd |kr|j kstdtdt | d|j}|j |||f}|stddS)aCheck if a certain (EC)DSA signature is authentic. Args: msg_hash (hash object): The hash that was carried out over the message. This is an object belonging to the :mod:`Cryptodome.Hash` module. Under mode ``'fips-186-3'``, the hash must be a FIPS approved secure hash (SHA-2 or SHA-3). signature (``bytes``): The signature that needs to be validated. :raise ValueError: if the signature is not authentic r%r&z'The signature is not authentic (length)cSsg|]}t|qSr)rr.r(rrrr+sz'DssSigScheme.verify..NT)strictz$The signature is not authentic (DER)z,The signature is not authentic (DER content)rr z"The signature is not authentic (d)zThe signature is not authenticF)r$r-r lenrrdecode IndexErrorZ hasOnlyIntsrrr.r/r Z_verify)rr! signatureZr_primeZs_primeZder_seqr3resultrrrverifyzs:     zDssSigScheme.verifyN) __name__ __module__ __qualname____doc__rrr"r$r5r=rrrrr-s -csDeZdZfddZddZddZddZd d Zd d ZZ S) DeterministicDsaSigSchemectt||||||_dSN)superrBr _private_key)rrrr private_key __class__rrr z"DeterministicDsaSigScheme.__init__cCs8t|}|j}t|d}||kr|||L}|S)zSee 2.3.2 in RFC6979r )rr.rrr8)rbstrr<Zq_lenZb_lenrrr _bits2ints    z#DeterministicDsaSigScheme._bits2intcCs*d|kr |jksJJt||jS)zSee 2.3.3 in RFC6979r)rrr)rZ int_mod_qrrr _int2octetss z%DeterministicDsaSigScheme._int2octetscCs.||}||jkr |}n||j}||S)zSee 2.3.4 in RFC6979)rLrrM)rrKZz1Zz2rrr _bits2octetss    z&DeterministicDsaSigScheme._bits2octetscCs|}d|j}d|j}dD]!}t|||||j|||}t|||}qd}d|kr?|jksn|dkrXt||d|}t|||}d}t||j krut|||}||7}t||j ksa| |}d|kr|jkr@|Sq@|S)z!Generate k in a deterministic way)rPrOrr') r/ digest_sizerr rMrFrNrr8rrL)rZmhashh1Zmask_vZnonce_kZint_octr2Zmask_trrrr"sD     z(DeterministicDsaSigScheme._compute_noncecCsdS)NTrr rrrr$sz%DeterministicDsaSigScheme._valid_hash) r>r?r@rrLrMrNr"r$ __classcell__rrrHrrBs   (rBcs0eZdZdZfddZddZddZZS)FipsDsaSigScheme))i))rW)i rYcsRtt||||||_t|j}||jf|jvr'd||jf}t |dS)Nz+L/N (%d, %d) is not compliant to FIPS 186-3) rErUr _randfuncrprr_fips_186_3_L_Nr-)rrrrrandfuncLerrorrHrrrszFipsDsaSigScheme.__init__cCstjd|j|jdSNr )Z min_inclusiveZ max_exclusiver])r random_rangerrZr rrrr" szFipsDsaSigScheme._compute_noncecCs|jdkp |jdS)z*Verify that SHA-1, SHA-2 or SHA-3 are usedz 1.3.14.3.2.26z2.16.840.1.101.3.4.2.)oid startswithr rrrr$s  zFipsDsaSigScheme._valid_hash)r>r?r@r\rr"r$rTrrrHrrUs   rUcs,eZdZfddZddZddZZS)FipsEcDsaSigSchemecrCrD)rErdrrZ)rrrrr]rHrrrrJzFipsEcDsaSigScheme.__init__cCstjd|jjj|jdSr`)rrar _curverrZr rrrr"sz!FipsEcDsaSigScheme._compute_noncec CsV|jj}d}d}d}d}||||}z|j|v}W|Sty*d}Y|Sw)zxVerify that the strength of the hash matches or exceeds the strength of the EC. We fail if the hash is too weak.)z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.7z2.16.840.1.101.3.4.2.5)z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.8z2.16.840.1.101.3.4.2.6)z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.9)z2.16.840.1.101.3.4.2.3z2.16.840.1.101.3.4.2.10F)r ZpointQrrbAttributeError) rr!Z modulus_bitssha224sha256sha384sha512Zshsr<rrrr$"s   zFipsEcDsaSigScheme._valid_hash)r>r?r@rr"r$rTrrrHrrds rdr&NcCs|dvr td|t|tr|jj}d}nt|tr#t|j}d}n tdtt || r7t ||}nd}|dkrDt ||||S|dkr[t|trTt ||||St||||Std |) a Create a signature object :class:`DssSigScheme` that can perform (EC)DSA signature or verification. .. note:: Refer to `NIST SP 800 Part 1 Rev 4`_ (or newer release) for an overview of the recommended key lengths. Args: key (:class:`Cryptodome.PublicKey.DSA` or :class:`Cryptodome.PublicKey.ECC`): The key to use for computing the signature (*private* keys only) or for verifying one. For DSA keys, let ``L`` and ``N`` be the bit lengths of the modulus ``p`` and of ``q``: the pair ``(L,N)`` must appear in the following list, in compliance to section 4.2 of `FIPS 186-4`_: - (1024, 160) *legacy only; do not create new signatures with this* - (2048, 224) *deprecated; do not create new signatures with this* - (2048, 256) - (3072, 256) For ECC, only keys over P-224, P-256, P-384, and P-521 are accepted. mode (string): The parameter can take these values: - ``'fips-186-3'``. The signature generation is randomized and carried out according to `FIPS 186-3`_: the nonce ``k`` is taken from the RNG. - ``'deterministic-rfc6979'``. The signature generation is not randomized. See RFC6979_. encoding (string): How the signature is encoded. This value determines the output of :meth:`sign` and the input to :meth:`verify`. The following values are accepted: - ``'binary'`` (default), the signature is the raw concatenation of ``r`` and ``s``. It is defined in the IEEE P.1363 standard. For DSA, the size in bytes of the signature is ``N/4`` bytes (e.g. 64 for ``N=256``). For ECDSA, the signature is always twice the length of a point coordinate (e.g. 64 bytes for P-256). - ``'der'``, the signature is a ASN.1 DER SEQUENCE with two INTEGERs (``r`` and ``s``). It is defined in RFC3279_. The size of the signature is variable. randfunc (callable): A function that returns random ``bytes``, of a given length. If omitted, the internal RNG is used. Only applicable for the *'fips-186-3'* mode. .. _FIPS 186-3: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf .. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf .. _NIST SP 800 Part 1 Rev 4: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf .. _RFC6979: http://tools.ietf.org/html/rfc6979 .. _RFC3279: https://tools.ietf.org/html/rfc3279#section-2.2.2 )r&ZderzUnknown encoding '%s'dr*zUnsupported key type Nzdeterministic-rfc6979z fips-186-3zUnknown DSS mode '%s')r- isinstancerrerrrqstrtypergetattrrBrdrU)rmoderr]rZprivate_key_attrrGrrrr 6s&B       )r&N)ZCryptodome.Util.asn1rZCryptodome.Util.numberrZCryptodome.Math.NumbersrZCryptodome.HashrZCryptodome.PublicKey.ECCrZCryptodome.PublicKey.DSAr__all__objectrrBrUrdr rrrrs !     zN"