/**
* return true if the value r and s represent a DSA signature for
* the passed in message for standard DSA the message should be a
* SHA-1 hash of the real message to be verified.
*/
public virtual bool VerifySignature(byte[] message, BigInteger r, BigInteger s)
{
DsaParameters parameters = key.Parameters;
BigInteger q = parameters.Q;
BigInteger m = CalculateE(q, message);
if (r.SignValue <= 0 || q.CompareTo(r) <= 0)
{
return(false);
}
if (s.SignValue <= 0 || q.CompareTo(s) <= 0)
{
return(false);
}
BigInteger w = BigIntegers.ModOddInverseVar(q, s);
BigInteger u1 = m.Multiply(w).Mod(q);
BigInteger u2 = r.Multiply(w).Mod(q);
BigInteger p = parameters.P;
u1 = parameters.G.ModPow(u1, p);
u2 = ((DsaPublicKeyParameters)key).Y.ModPow(u2, p);
BigInteger v = u1.Multiply(u2).Mod(p).Mod(q);
return(v.Equals(r));
}
/**
* return true if the value r and s represent a GOST3410 signature for
* the passed in message (for standard GOST3410 the message should be
* a GOST3411 hash of the real message to be verified).
*/
public virtual bool VerifySignature(
byte[] message,
BigInteger r,
BigInteger s)
{
if (forSigning)
{
throw new InvalidOperationException("not initialized for verification");
}
byte[] mRev = Arrays.Reverse(message); // conversion is little-endian
BigInteger e = new BigInteger(1, mRev);
BigInteger n = key.Parameters.N;
// r in the range [1,n-1]
if (r.CompareTo(BigInteger.One) < 0 || r.CompareTo(n) >= 0)
{
return(false);
}
// s in the range [1,n-1]
if (s.CompareTo(BigInteger.One) < 0 || s.CompareTo(n) >= 0)
{
return(false);
}
BigInteger v = BigIntegers.ModOddInverseVar(n, e);
BigInteger z1 = s.Multiply(v).Mod(n);
BigInteger z2 = (n.Subtract(r)).Multiply(v).Mod(n);
ECPoint G = key.Parameters.G; // P
ECPoint Q = ((ECPublicKeyParameters)key).Q;
ECPoint point = ECAlgorithms.SumOfTwoMultiplies(G, z1, Q, z2).Normalize();
if (point.IsInfinity)
{
return(false);
}
BigInteger R = point.AffineXCoord.ToBigInteger().Mod(n);
return(R.Equals(r));
}
// 5.4 pg 29
/**
* return true if the value r and s represent a DSA signature for
* the passed in message (for standard DSA the message should be
* a SHA-1 hash of the real message to be verified).
*/
public virtual bool VerifySignature(byte[] message, BigInteger r, BigInteger s)
{
BigInteger n = key.Parameters.N;
// r and s should both in the range [1,n-1]
if (r.SignValue < 1 || s.SignValue < 1 ||
r.CompareTo(n) >= 0 || s.CompareTo(n) >= 0)
{
return(false);
}
BigInteger e = CalculateE(n, message);
BigInteger c = BigIntegers.ModOddInverseVar(n, s);
BigInteger u1 = e.Multiply(c).Mod(n);
BigInteger u2 = r.Multiply(c).Mod(n);
ECPoint G = key.Parameters.G;
ECPoint Q = ((ECPublicKeyParameters)key).Q;
ECPoint point = ECAlgorithms.SumOfTwoMultiplies(G, u1, Q, u2);
if (point.IsInfinity)
{
return(false);
}
/*
* If possible, avoid normalizing the point (to save a modular inversion in the curve field).
*
* There are ~cofactor elements of the curve field that reduce (modulo the group order) to 'r'.
* If the cofactor is known and small, we generate those possible field values and project each
* of them to the same "denominator" (depending on the particular projective coordinates in use)
* as the calculated point.X. If any of the projected values matches point.X, then we have:
* (point.X / Denominator mod p) mod n == r
* as required, and verification succeeds.
*
* Based on an original idea by Gregory Maxwell (https://github.com/gmaxwell), as implemented in
* the libsecp256k1 project (https://github.com/bitcoin/secp256k1).
*/
ECCurve curve = point.Curve;
if (curve != null)
{
BigInteger cofactor = curve.Cofactor;
if (cofactor != null && cofactor.CompareTo(Eight) <= 0)
{
ECFieldElement D = GetDenominator(curve.CoordinateSystem, point);
if (D != null && !D.IsZero)
{
ECFieldElement X = point.XCoord;
while (curve.IsValidFieldElement(r))
{
ECFieldElement R = curve.FromBigInteger(r).Multiply(D);
if (R.Equals(X))
{
return(true);
}
r = r.Add(n);
}
return(false);
}
}
}
BigInteger v = point.Normalize().AffineXCoord.ToBigInteger().Mod(n);
return(v.Equals(r));
}
