public static byte[] Sign(byte[] input, Org.BouncyCastle.Math.BigInteger privateKey, ECDomainParameters EcParameters)
{
var signer = new ECDsaSigner();
var privateKeyParameters = new ECPrivateKeyParameters(privateKey, EcParameters);
signer.Init(true, privateKeyParameters);
var signatures = signer.GenerateSignature(input);
// What we get back from the signer are the two components of a signature, r and s. To get a flat byte stream
// of the type used by BitCoin we have to encode them using DER encoding, which is just a way to pack the two
// components into a structure.
using (var byteOutputStream = new MemoryStream())
{
var derSequenceGenerator = new DerSequenceGenerator(byteOutputStream);
derSequenceGenerator.AddObject(new DerInteger(signatures[0]));
derSequenceGenerator.AddObject(new DerInteger(signatures[1]));
derSequenceGenerator.Close();
return(byteOutputStream.ToArray());
}
}
public Byte[] signData(Byte[] data)
{
if (privKey == null)
{
throw new InvalidOperationException();
}
ECDsaSigner signer = new ECDsaSigner();
signer.Init(true, new ECPrivateKeyParameters(new BigInteger(1, privKey), ecParams));
BigInteger[] sig = signer.GenerateSignature(data);
using (MemoryStream ms = new MemoryStream())
using (Asn1OutputStream asn1stream = new Asn1OutputStream(ms))
{
DerSequenceGenerator seq = new DerSequenceGenerator(asn1stream);
seq.AddObject(new DerInteger(sig[0]));
seq.AddObject(new DerInteger(sig[1]));
seq.Close();
return(ms.ToArray());
}
}
public static bool VerifyHashed(byte[] signature, byte[] publicKey, byte[] data)
{
var(sigR, sigS, _) = GetRSV(signature);
try
{
X9ECParameters spec = ECNamedCurveTable.GetByName("secp256k1");
ECDomainParameters domain = new ECDomainParameters(spec.Curve, spec.G, spec.N);
ECPublicKeyParameters publicKeyParams =
new ECPublicKeyParameters(spec.Curve.DecodePoint(publicKey), domain);
ECDsaSigner signer = new ECDsaSigner();
signer.Init(false, publicKeyParams);
return(signer.VerifySignature(data, new BigInteger(1, sigR.ToByteArray()),
new BigInteger(1, sigS.ToByteArray())));
}
catch
{
return(false);
}
}
/// <summary>
/// Calculates an ECDSA signature in DER format for the given input hash. Note that the input is expected to be
/// 32 bytes long.
/// </summary>
public byte[] Sign(byte[] input)
{
var signer = new ECDsaSigner();
var privKey = new ECPrivateKeyParameters(_priv, _ecParams);
signer.Init(true, privKey);
var sigs = signer.GenerateSignature(input);
// What we get back from the signer are the two components of a signature, r and s. To get a flat byte stream
// of the type used by BitCoin we have to encode them using DER encoding, which is just a way to pack the two
// components into a structure.
using (var bos = new MemoryStream())
{
var seq = new DerSequenceGenerator(bos);
seq.AddObject(new DerInteger(sigs[0]));
seq.AddObject(new DerInteger(sigs[1]));
seq.Close();
return(bos.ToArray());
}
}
public virtual void Init(bool forSigning, ICipherParameters parameters)
{
SecureRandom providedRandom = null;
if (forSigning)
{
if (parameters is ParametersWithRandom rParam)
{
providedRandom = rParam.Random;
parameters = rParam.Parameters;
}
_privateKey = parameters as PksEcPrivateKey ??
throw new InvalidKeyException("EC private key required for signing");
}
else
{
_verifier = new ECDsaSigner();
_verifier.Init(false, parameters);
}
}
public Signature Sign(byte[] msg, byte[] prvKey)
{
var keyedHash = Blake2b.GetDigest(msg);
var curve = SecNamedCurves.GetByName("secp256k1");
var parameters = new ECDomainParameters(curve.Curve, curve.G, curve.N, curve.H, curve.GetSeed());
var key = new ECPrivateKeyParameters(new BigInteger(prvKey), parameters);
var signer = new ECDsaSigner(new HMacDsaKCalculator(new Blake2bDigest(256)));
signer.Init(true, parameters: key);
var rs = signer.GenerateSignature(keyedHash);
if (rs[1].CompareTo(_MaxS) > 0)
{
rs[1] = _Order.Subtract(rs[1]);
}
var r = rs[0].ToByteArrayUnsigned();
var s = rs[1].ToByteArrayUnsigned();
return(new Signature(r.Concat(s), _SignaturePrefix));
}
/// <param name="hash"></param>
/// <returns></returns>
private byte[] GetSignature(byte[] hash)
{
ECDsaSigner signer = new ECDsaSigner();
signer.Init(true, GetPrivateKey());
var result = signer.GenerateSignature(hash);
// Concated to create signature
var a = result[0].ToByteArrayUnsigned();
var b = result[1].ToByteArrayUnsigned();
// a,b are required to be exactly the same length of bytes
if (a.Length != b.Length)
{
var largestLength = Math.Max(a.Length, b.Length);
a = ByteArrayPadLeft(a, largestLength);
b = ByteArrayPadLeft(b, largestLength);
}
return(a.Concat(b).ToArray());
}
private byte[] SignEcDsa(IDigest digest, byte[] buffer, int length)
{
int digestSize = digest.GetDigestSize();
ECDsaSigner signer = new ECDsaSigner();
signer.Init(true, new ParametersWithRandom(PrivateKeyFactory.CreateKey(PrivateKey), _secureRandom));
digest.BlockUpdate(buffer, 0, length);
byte[] hash = new byte[digest.GetDigestSize()];
digest.DoFinal(hash, 0);
var signature = signer.GenerateSignature(hash);
byte[] res = new byte[digestSize * 2];
signature[0].ToByteArrayUnsigned().CopyTo(res, 0);
signature[1].ToByteArrayUnsigned().CopyTo(res, digestSize);
return(res);
}
internal static void Sign(IInvoice invoice, ECPrivateKeyParameters privateKey)
{
var digest = new KeccakDigest(256);
digest.BlockUpdate(invoice.TxBytes.ToArray(), 0, invoice.TxBytes.Length);
var hash = new byte[digest.GetByteLength()];
digest.DoFinal(hash, 0);
var signer = new ECDsaSigner(new HMacDsaKCalculator(new Sha256Digest()));
signer.Init(true, privateKey);
var components = signer.GenerateSignature(hash);
var encoded = new byte[64];
insert256Int(components[0], 0, encoded);
insert256Int(components[1], 32, encoded);
var publicKey = domain.G.Multiply(privateKey.D).GetEncoded(true);
var prefix = new ReadOnlyMemory <byte>(publicKey, 0, Math.Min(Math.Max(6, invoice.MinimumDesiredPrefixSize), publicKey.Length));
invoice.AddSignature(KeyType.ECDSASecp256K1, prefix, encoded);
}
public static byte[] BouncyCastleSign(byte[] hash, byte[] privateKey)
{
ECDsaSigner signer = new ECDsaSigner(new HMacDsaKCalculator(new Sha256Digest()));
signer.Init(true, new ECPrivateKeyParameters(new BigInteger(privateKey), domain));
BigInteger[] signature = signer.GenerateSignature(hash);
MemoryStream baos = new MemoryStream();
try
{
DerSequenceGenerator seq = new DerSequenceGenerator(baos);
seq.AddObject(new DerInteger(signature[0]));
seq.AddObject(new DerInteger(ToCanonicalS(signature[1])));
seq.Close();
return(baos.ToArray());
}
catch (IOException)
{
return(new byte[0]);
}
}
public void TestECDsaKeyGenTest()
{
var random = new SecureRandom();
var curve = new FPCurve(
new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q
new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a
new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b
var parameters = new ECDomainParameters(
curve,
curve.DecodePoint(Hex.Decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G
new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n
var pGen = new ECKeyPairGenerator();
var genParam = new ECKeyGenerationParameters(
parameters,
random);
pGen.Init(genParam);
IAsymmetricCipherKeyPair pair = pGen.GenerateKeyPair();
var param = new ParametersWithRandom(pair.Private, random);
var ecdsa = new ECDsaSigner();
ecdsa.Init(true, param);
byte[] message = new BigInteger("968236873715988614170569073515315707566766479517").ToByteArray();
IBigInteger[] sig = ecdsa.GenerateSignature(message);
ecdsa.Init(false, pair.Public);
if (!ecdsa.VerifySignature(message, sig[0], sig[1]))
{
Fail("signature fails");
}
}
public Byte[] signData(Byte[] data)
{
if (privKey == null)
{
throw new InvalidOperationException();
}
ECDsaSigner signer = new ECDsaSigner();
signer.Init(true, new ECPrivateKeyParameters(new BigInteger(1, privKey), ecParams));
BigInteger[] sig = signer.GenerateSignature(data);
using (MemoryStream ms = new MemoryStream())
using (Asn1OutputStream asn1stream = new Asn1OutputStream(ms))
{
DerSequenceGenerator seq = new DerSequenceGenerator(asn1stream);
seq.AddObject(new DerInteger(sig[0]));
BigInteger s = sig[1];
string hexUpper = "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0";
BigInteger upper = new BigInteger(hexUpper, 16);
if (s.CompareTo(upper) > 0)
{
string hexOrder = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141";
BigInteger order = new BigInteger(hexOrder, 16);
s = order.Subtract(sig[1]);
Console.WriteLine("Converted to low-s");
Console.WriteLine(sig[1].ToString(16));
Console.WriteLine(s.ToString(16));
}
seq.AddObject(new DerInteger(s));
seq.Close();
return(ms.ToArray());
}
}
private void DoTestHMacDetECDsa(IHash digest, byte[] data, ECKey privKey, BigInteger r, BigInteger s)
{
var m = new byte[digest.OutputSize];
digest.BlockUpdate(data, 0, data.Length);
digest.DoFinal(m, 0);
var signer = new ECDsaSigner(true, privKey, null, new HmacDsaKCalculator(digest));
BigInteger rOut, sOut;
signer.GenerateSignature(m, out rOut, out sOut);
if (!r.Equals(rOut))
{
Assert.Fail("r value wrong");
}
if (!s.Equals(sOut))
{
Assert.Fail("s value wrong");
}
}
private ECDSASignature doSign(byte[] input)
{
if (input.Length != 32)
{
throw new ArgumentException(
"Expected 32 byte input to " + "ECDSA signature, not " + input.Length);
}
if (PrivateKey == null)
{
throw new MissingPrivateKeyException();
}
var signer = new ECDsaSigner(new HMacDsaKCalculator(new Sha256Digest()));
var privKeyParams = new ECPrivateKeyParameters(PrivateKey.D, CURVE);
signer.Init(true, privKeyParams);
var components = signer.GenerateSignature(input);
return new ECDSASignature(components[0], components[1]).MakeCanonical();
}
public static string GetSignature(string privateKey, string messageBase64)
{
var curve = SecNamedCurves.GetByName("secp256k1");
var domain = new ECDomainParameters(curve.Curve, curve.G, curve.N, curve.H);
var keyParameters = new ECPrivateKeyParameters(new Org.BouncyCastle.Math.BigInteger(privateKey), domain);
ECDsaSigner signer = new ECDsaSigner();
signer.Init(true, keyParameters);
BigInteger[] sig = signer.GenerateSignature(System.Convert.FromBase64String(messageBase64));
ECDSASignature Signature = new ECDSASignature(sig[0], sig[1]);
using (MemoryStream ms = new MemoryStream())
using (Asn1OutputStream asn1stream = new Asn1OutputStream(ms))
{
DerSequenceGenerator seq = new DerSequenceGenerator(asn1stream);
seq.AddObject(new DerInteger(sig[0]));
seq.AddObject(new DerInteger(sig[1]));
seq.Close();
return(Convert.ToBase64String(ms.ToArray()));
}
}
public virtual Task <byte[]> Sign(byte[] data)
{
return(Task.Run(() =>
{
data = CryptoHelper.Sha256(data);
var ecdsa = new ECDsaSigner();
ecdsa.Init(true, PrivateKey);
var signature = ecdsa.GenerateSignature(data);
var r = signature[0].ToByteArray();
var s = signature[1].ToByteArray();
var buffer = new byte[r.Length + s.Length + 6];
buffer[0] = 0x30;
buffer[1] = (byte)(buffer.Length - 2);
buffer[2] = 0x02;
buffer[3] = (byte)r.Length;
Array.Copy(r, 0, buffer, 4, r.Length);
buffer[r.Length + 4] = 0x02;
buffer[r.Length + 4 + 1] = (byte)s.Length;
Array.Copy(s, 0, buffer, r.Length + 4 + 2, s.Length);
return buffer;
}));
}
public virtual ECSignature GetECSignature(ECPrivateKey privateKey, byte[] data, bool beDeterministic = false, bool enforceLowS = true)
{
var curve = SecNamedCurves.GetByName(CURVEALGO);
var domain = new ECDomainParameters(curve.Curve, curve.G, curve.N, curve.H);
IDsaKCalculator kCalculator;
if (beDeterministic)
{
kCalculator = new HMacDsaKCalculator(new Sha256Digest());
}
else
{
kCalculator = new RandomDsaKCalculator();
}
ECDsaSigner signer = new ECDsaSigner(kCalculator);
signer.Init(true, new ECPrivateKeyParameters(new BigInteger(1, privateKey.Base64Array), domain));
BigInteger[] components = signer.GenerateSignature(data);
BigInteger r = components[0];
BigInteger s = components[1];
BigInteger curveOrder = domain.N;
BigInteger halvCurveOrder = curveOrder.ShiftRight(1);
bool sIsLow = s.CompareTo(halvCurveOrder) <= 0;
if (enforceLowS && !sIsLow)
{
s = curveOrder.Subtract(s);
}
return(new ECSignature(r, s));
}
public static byte[] SignRFC6979(this ECDsa key, byte[] data)
{
var digest = new Sha256Digest();
var secp256r1 = SecNamedCurves.GetByName("secp256r1");
var ec_parameters = new ECDomainParameters(secp256r1.Curve, secp256r1.G, secp256r1.N);
var private_key = new ECPrivateKeyParameters(new BigInteger(1, key.PrivateKey()), ec_parameters);
var signer = new ECDsaSigner(new HMacDsaKCalculator(digest));
var hash = new byte[digest.GetDigestSize()];
digest.BlockUpdate(data, 0, data.Length);
digest.DoFinal(hash, 0);
signer.Init(true, private_key);
var rs = signer.GenerateSignature(hash);
var signature = new byte[RFC6979SignatureSize];
var rbytes = rs[0].ToByteArrayUnsigned();
var sbytes = rs[1].ToByteArrayUnsigned();
var index = RFC6979SignatureSize / 2 - rbytes.Length;
rbytes.CopyTo(signature, index);
index = RFC6979SignatureSize - sbytes.Length;
sbytes.CopyTo(signature, index);
return(signature);
}
/// <summary>
/// sign data with private key
/// </summary>
/// <param name="data">data to be signed</param>
/// <returns>signed data</returns>
public byte[] Sign(byte[] data)
{
byte[] hashed = Util.Blake2b(data);
ECDsaSigner signer = new ECDsaSigner();
var order = SecNamedCurves.GetByName("secp256k1").Curve.Order;
signer.Init(true, this.privateKey);
var rs = signer.GenerateSignature(hashed);
var r = rs[0];
var s = rs[1];
if (s.CompareTo(order.Divide(BigInteger.Two)) > 0)
{
s = order.Subtract(s);
}
var ms = new MemoryStream(72);
var generate = new DerSequenceGenerator(ms);
generate.AddObject(new DerInteger(r));
generate.AddObject(new DerInteger(s));
generate.Close();
return(ms.ToArray());
}
/// <summary>
/// Get Switcheo NEO Signature
/// </summary>
/// <param name="message">Message to sign</param>
/// <param name="privateKey">Private key of wallet</param>
/// <returns>String of signed message</returns>
private string GetSwitcheoNeoSignature(byte[] message, byte[] privateKey)
{
var curve = SecNamedCurves.GetByName("secp256r1");
var domain = new ECDomainParameters(curve.Curve, curve.G, curve.N, curve.H);
var priv = new ECPrivateKeyParameters("ECDSA", (new Org.BouncyCastle.Math.BigInteger(1, privateKey)), domain);
var signer = new ECDsaSigner();
var hash = new Sha256Digest();
hash.BlockUpdate(message, 0, message.Length);
var result = new byte[32];
hash.DoFinal(result, 0);
message = result;
signer.Init(true, priv);
var signature = signer.GenerateSignature(message);
return(ProcessNeoSignature(signature));
}
/// <summary>
/// Creates a Signature
/// </summary>
/// <param name="data"></param>
/// <param name="privateKey"></param>
/// <param name="curveName"></param>
/// <returns></returns>
public byte[] CreateSignature(byte[] data, byte[] privateKey, string curveName)
{
//Get the curve type ec parameters
var ecp = TeleTrusTNamedCurves.GetByName(curveName);
if (ecp == null)
{
ecp = NistNamedCurves.GetByName(curveName);
}
var domainParameters = new ECDomainParameters(ecp.Curve, ecp.G, ecp.N, ecp.H, ecp.GetSeed());
var myPriKey = new ECPrivateKeyParameters(new BigInteger(1, privateKey), domainParameters);
//Create the signer and initialize with private key
var dsa = new ECDsaSigner();
dsa.Init(true, myPriKey);
//The signature halves must be equal in length
BigInteger[] signature;
do
{
signature = dsa.GenerateSignature(data);
}while (signature[0].ToByteArrayUnsigned().Length != signature[1].ToByteArrayUnsigned().Length);
//Save both halves in a list
var sign = new List <byte>();
foreach (var bigInt in signature)
{
foreach (var bite in bigInt.ToByteArrayUnsigned())
{
sign.Add(bite);
}
}
return(sign.ToArray());
}
public bool VerifySignature(ImmutableArray <byte> scriptPubKey, Transaction tx, byte[] sig, byte[] pubKey, int inputIndex, out byte hashType, out byte[] txSignature, out byte[] txSignatureHash, out BigIntegerBouncy x, out BigIntegerBouncy y, out BigIntegerBouncy r, out BigIntegerBouncy s)
{
// get the 1-byte hashType off the end of sig
hashType = sig[sig.Length - 1];
// get the DER encoded portion of sig, which is everything except the last byte (the last byte being hashType)
var sigDER = sig.Take(sig.Length - 1).ToArray();
// get the simplified/signing version of the transaction
txSignature = TxSignature(scriptPubKey, tx, inputIndex, hashType);
// get the hash of the simplified/signing version of the transaction
txSignatureHash = Crypto.DoubleSHA256(txSignature);
// load pubKey
ReadPubKey(pubKey, out x, out y);
var publicKeyPoint = curve.Curve.CreatePoint(x, y, withCompression: false);
var publicKeyParameters = new ECPublicKeyParameters(publicKeyPoint, domainParameters);
// load sig
ReadSigKey(sigDER, out r, out s);
// init signer
var signer = new ECDsaSigner();
signer.Init(forSigning: false, parameters: publicKeyParameters);
// verify that sig is a valid signature from pubKey for the simplified/signing transaction's hash
var txSignatureHash2 = txSignatureHash;
var r2 = r;
var s2 = s;
//TODO
var result = BypassVerifySignature || new MethodTimer(false).Time("ECDsa Verify", () => signer.VerifySignature(txSignatureHash2.ToArray(), r2, s2));
return(result);
}
/// <summary>
/// Verifies the signature
/// </summary>
/// <param name="data"></param>
/// <param name="signature"></param>
/// <param name="publicKey"></param>
/// <param name="curveName"></param>
/// <returns></returns>
public bool VerifiySignature(byte[] data, byte[] signature, byte[] publicKey, string curveName)
{
//Get curve type ec parameters
var ecp = TeleTrusTNamedCurves.GetByName(curveName);
if (ecp == null)
{
ecp = NistNamedCurves.GetByName(curveName);
}
var domainParameters = new ECDomainParameters(ecp.Curve, ecp.G, ecp.N, ecp.H, ecp.GetSeed());
var publicKeyParam = CreatePublicKeyParam(domainParameters, publicKey);
//Create the signer and initialize with public key
var dsa = new ECDsaSigner();
dsa.Init(false, publicKeyParam);
var r = new BigInteger(1, signature.Take(signature.Length / 2).ToArray());
var s = new BigInteger(1, signature.Skip(signature.Length / 2).ToArray());
var verified = dsa.VerifySignature(data, r, s);
return(verified);
}
public bool Verify(
HashDigest <T> messageHash,
byte[] signature,
PublicKey publicKey)
{
try
{
Asn1Sequence asn1Sequence = (Asn1Sequence)Asn1Object.FromByteArray(signature);
var rs = new[]
{
((DerInteger)asn1Sequence[0]).Value,
((DerInteger)asn1Sequence[1]).Value,
};
var verifier = new ECDsaSigner();
verifier.Init(false, publicKey.KeyParam);
return(verifier.VerifySignature(messageHash.ToByteArray(), rs[0], rs[1]));
}
catch (IOException)
{
return(false);
}
}
public void TestECDsa239bitBinaryAndLargeDigest()
{
BigInteger r = new BigInteger("21596333210419611985018340039034612628818151486841789642455876922391552");
BigInteger s = new BigInteger("144940322424411242416373536877786566515839911620497068645600824084578597");
byte[] kData = BigIntegers.AsUnsignedByteArray(
new BigInteger("171278725565216523967285789236956265265265235675811949404040041670216363"));
SecureRandom k = FixedSecureRandom.From(kData);
F2mCurve curve = new F2mCurve(
239, // m
36, //k
new BigInteger("32010857077C5431123A46B808906756F543423E8D27877578125778AC76", 16), // a
new BigInteger("790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16", 16)); // b
ECDomainParameters parameters = new ECDomainParameters(
curve,
curve.DecodePoint(
Hex.Decode("0457927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305")), // G
new BigInteger("220855883097298041197912187592864814557886993776713230936715041207411783"), // n
BigInteger.ValueOf(4)); // h
ECPrivateKeyParameters priKey = new ECPrivateKeyParameters(
"ECDSA",
new BigInteger("145642755521911534651321230007534120304391871461646461466464667494947990"), // d
parameters);
ECDsaSigner ecdsa = new ECDsaSigner();
ParametersWithRandom param = new ParametersWithRandom(priKey, k);
ecdsa.Init(true, param);
byte[] message = new BigInteger("968236873715988614170569073515315707566766479517968236873715988614170569073515315707566766479517968236873715988614170569073515315707566766479517").ToByteArray();
BigInteger[] sig = ecdsa.GenerateSignature(message);
if (!r.Equals(sig[0]))
{
Fail("r component wrong." + SimpleTest.NewLine
+ " expecting: " + r + SimpleTest.NewLine
+ " got : " + sig[0]);
}
if (!s.Equals(sig[1]))
{
Fail("s component wrong." + SimpleTest.NewLine
+ " expecting: " + s + SimpleTest.NewLine
+ " got : " + sig[1]);
}
// Verify the signature
ECPublicKeyParameters pubKey = new ECPublicKeyParameters(
"ECDSA",
curve.DecodePoint(
Hex.Decode("045894609CCECF9A92533F630DE713A958E96C97CCB8F5ABB5A688A238DEED6DC2D9D0C94EBFB7D526BA6A61764175B99CB6011E2047F9F067293F57F5")), // Q
parameters);
ecdsa.Init(false, pubKey);
if (!ecdsa.VerifySignature(message, sig[0], sig[1]))
{
Fail("signature fails");
}
}
public void TestECDsa192bitPrime()
{
BigInteger r = new BigInteger("3342403536405981729393488334694600415596881826869351677613");
BigInteger s = new BigInteger("5735822328888155254683894997897571951568553642892029982342");
byte[] kData = BigIntegers.AsUnsignedByteArray(new BigInteger("6140507067065001063065065565667405560006161556565665656654"));
SecureRandom k = FixedSecureRandom.From(kData);
BigInteger n = new BigInteger("6277101735386680763835789423176059013767194773182842284081");
FpCurve curve = new FpCurve(
new BigInteger("6277101735386680763835789423207666416083908700390324961279"), // q
new BigInteger("fffffffffffffffffffffffffffffffefffffffffffffffc", 16), // a
new BigInteger("64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1", 16), // b
n, BigInteger.One);
ECDomainParameters parameters = new ECDomainParameters(
curve,
curve.DecodePoint(Hex.Decode("03188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012")), // G
n, BigInteger.One);
ECPrivateKeyParameters priKey = new ECPrivateKeyParameters(
"ECDSA",
new BigInteger("651056770906015076056810763456358567190100156695615665659"), // d
parameters);
ParametersWithRandom param = new ParametersWithRandom(priKey, k);
ECDsaSigner ecdsa = new ECDsaSigner();
ecdsa.Init(true, param);
byte[] message = new BigInteger("968236873715988614170569073515315707566766479517").ToByteArray();
BigInteger[] sig = ecdsa.GenerateSignature(message);
if (!r.Equals(sig[0]))
{
Fail("r component wrong." + SimpleTest.NewLine
+ " expecting: " + r + SimpleTest.NewLine
+ " got : " + sig[0]);
}
if (!s.Equals(sig[1]))
{
Fail("s component wrong." + SimpleTest.NewLine
+ " expecting: " + s + SimpleTest.NewLine
+ " got : " + sig[1]);
}
// Verify the signature
ECPublicKeyParameters pubKey = new ECPublicKeyParameters(
"ECDSA",
curve.DecodePoint(Hex.Decode("0262b12d60690cdcf330babab6e69763b471f994dd702d16a5")), // Q
parameters);
ecdsa.Init(false, pubKey);
if (!ecdsa.VerifySignature(message, sig[0], sig[1]))
{
Fail("verification fails");
}
}
public void TestECDsa239bitPrime()
{
BigInteger r = new BigInteger("308636143175167811492622547300668018854959378758531778147462058306432176");
BigInteger s = new BigInteger("323813553209797357708078776831250505931891051755007842781978505179448783");
byte[] kData = BigIntegers.AsUnsignedByteArray(new BigInteger("700000017569056646655505781757157107570501575775705779575555657156756655"));
SecureRandom k = FixedSecureRandom.From(kData);
BigInteger n = new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307");
FpCurve curve = new FpCurve(
new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q
new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a
new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16), // b
n, BigInteger.One);
ECDomainParameters parameters = new ECDomainParameters(
curve,
curve.DecodePoint(Hex.Decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G
n, BigInteger.One);
ECPrivateKeyParameters priKey = new ECPrivateKeyParameters(
"ECDSA",
new BigInteger("876300101507107567501066130761671078357010671067781776716671676178726717"), // d
parameters);
ECDsaSigner ecdsa = new ECDsaSigner();
ParametersWithRandom param = new ParametersWithRandom(priKey, k);
ecdsa.Init(true, param);
byte[] message = new BigInteger("968236873715988614170569073515315707566766479517").ToByteArray();
BigInteger[] sig = ecdsa.GenerateSignature(message);
if (!r.Equals(sig[0]))
{
Fail("r component wrong." + SimpleTest.NewLine
+ " expecting: " + r + SimpleTest.NewLine
+ " got : " + sig[0]);
}
if (!s.Equals(sig[1]))
{
Fail("s component wrong." + SimpleTest.NewLine
+ " expecting: " + s + SimpleTest.NewLine
+ " got : " + sig[1]);
}
// Verify the signature
ECPublicKeyParameters pubKey = new ECPublicKeyParameters(
"ECDSA",
curve.DecodePoint(Hex.Decode("025b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c70")), // Q
parameters);
ecdsa.Init(false, pubKey);
if (!ecdsa.VerifySignature(message, sig[0], sig[1]))
{
Fail("signature fails");
}
}
public void Verify(Key key, SignMessage msg)
{
string alg = FindAttr("alg", msg).AsString();
IDigest digest;
IDigest digest2;
switch (alg)
{
case "RS256":
case "ES256":
case "PS256":
case "HS256":
digest = new Sha256Digest();
digest2 = new Sha256Digest();
break;
case "RS384":
case "ES384":
case "PS384":
case "HS384":
digest = new Sha384Digest();
digest2 = new Sha384Digest();
break;
case "RS512":
case "ES512":
case "PS512":
case "HS512":
digest = new Sha512Digest();
digest2 = new Sha512Digest();
break;
case "EdDSA":
digest = null;
digest2 = null;
break;
default:
throw new JOSE_Exception("Unknown signature algorithm");
}
switch (alg)
{
case "RS256":
case "RS384":
case "RS512": {
if (key.AsString("kty") != "RSA")
{
throw new JOSE_Exception("Wrong Key");
}
RsaDigestSigner signer = new RsaDigestSigner(digest);
RsaKeyParameters pub = new RsaKeyParameters(false, key.AsBigInteger("n"), key.AsBigInteger("e"));
signer.Init(false, pub);
signer.BlockUpdate(protectedB64, 0, protectedB64.Length);
signer.BlockUpdate(rgbDot, 0, 1);
signer.BlockUpdate(msg.payloadB64, 0, msg.payloadB64.Length);
if (!signer.VerifySignature(signature))
{
throw new JOSE_Exception("Message failed to verify");
}
}
break;
case "PS256":
case "PS384":
case "PS512": {
PssSigner signer = new PssSigner(new RsaEngine(), digest, digest2, digest.GetDigestSize());
RsaKeyParameters pub = new RsaKeyParameters(false, key.AsBigInteger("n"), key.AsBigInteger("e"));
signer.Init(false, pub);
signer.BlockUpdate(protectedB64, 0, protectedB64.Length);
signer.BlockUpdate(rgbDot, 0, 1);
signer.BlockUpdate(msg.payloadB64, 0, msg.payloadB64.Length);
if (!signer.VerifySignature(signature))
{
throw new JOSE_Exception("Message failed to verify");
}
}
break;
case "ES256":
case "ES384":
case "ES512": {
if (key.AsString("kty") != "EC")
{
throw new JOSE_Exception("Wrong Key Type");
}
X9ECParameters p = NistNamedCurves.GetByName(key.AsString("crv"));
ECDomainParameters parameters = new ECDomainParameters(p.Curve, p.G, p.N, p.H);
ECPoint point = p.Curve.CreatePoint(key.AsBigInteger("x"
), key.AsBigInteger("y"));
ECPublicKeyParameters pubKey = new ECPublicKeyParameters(point, parameters);
ECDsaSigner ecdsa = new ECDsaSigner();
ecdsa.Init(false, pubKey);
digest.BlockUpdate(protectedB64, 0, protectedB64.Length);
digest.BlockUpdate(rgbDot, 0, rgbDot.Length);
digest.BlockUpdate(msg.payloadB64, 0, msg.payloadB64.Length);
byte[] o1 = new byte[digest.GetDigestSize()];
digest.DoFinal(o1, 0);
BigInteger r = new BigInteger(1, signature, 0, signature.Length / 2);
BigInteger s = new BigInteger(1, signature, signature.Length / 2, signature.Length / 2);
if (!ecdsa.VerifySignature(o1, r, s))
{
throw new JOSE_Exception("Signature did not validate");
}
}
break;
case "HS256":
case "HS384":
case "HS512": {
HMac hmac = new HMac(digest);
KeyParameter K = new KeyParameter(Message.base64urldecode(key.AsString("k")));
hmac.Init(K);
hmac.BlockUpdate(protectedB64, 0, protectedB64.Length);
hmac.BlockUpdate(rgbDot, 0, rgbDot.Length);
hmac.BlockUpdate(msg.payloadB64, 0, msg.payloadB64.Length);
byte[] resBuf = new byte[hmac.GetMacSize()];
hmac.DoFinal(resBuf, 0);
bool fVerify = true;
for (int i = 0; i < resBuf.Length; i++)
{
if (resBuf[i] != signature[i])
{
fVerify = false;
}
}
if (!fVerify)
{
throw new JOSE_Exception("Signature did not validte");
}
}
break;
case "EdDSA": {
ISigner eddsa;
if (key.AsString("kty") != "OKP")
{
throw new JOSE_Exception("Wrong Key Type");
}
switch (key.AsString("crv"))
{
case "Ed25519": {
Ed25519PublicKeyParameters privKey =
new Ed25519PublicKeyParameters(key.AsBytes("X"), 0);
eddsa = new Ed25519Signer();
eddsa.Init(false, privKey);
byte[] toVerify = new byte[protectedB64.Length + rgbDot.Length + msg.payloadB64.Length];
Array.Copy(protectedB64, 0, toVerify, 0, protectedB64.Length);
Array.Copy(rgbDot, 0, toVerify, protectedB64.Length, rgbDot.Length);
Array.Copy(msg.payloadB64, 0, toVerify, protectedB64.Length + rgbDot.Length, msg.payloadB64.Length);
eddsa.BlockUpdate(toVerify, 0, toVerify.Length);
if (!eddsa.VerifySignature(signature))
{
throw new JOSE_Exception("Signature did not validate");
}
break;
}
default:
throw new JOSE_Exception("Unknown algorithm");
}
break;
}
default:
throw new JOSE_Exception("Unknown algorithm");
}
}
private byte[] Sign(byte[] bytesToBeSigned)
{
string alg = null; // Get the set algorithm or infer one
try {
alg = FindAttribute("alg").AsString();
}
catch (Exception) {
;
}
if (alg == null)
{
switch (keyToSign.AsString("kty"))
{
case "RSA":
alg = "PS256";
break;
case "EC":
switch (keyToSign.AsString("crv"))
{
case "P-256":
alg = "ES256";
break;
case "P-384":
alg = "ES384";
break;
case "P-521":
alg = "ES512";
break;
default:
throw new JOSE_Exception("Unknown curve");
}
break;
default:
throw new JOSE_Exception("Unknown or unsupported key type " + keyToSign.AsString("kty"));
}
objUnprotected.Add("alg", alg);
}
IDigest digest;
IDigest digest2;
switch (alg)
{
case "RS256":
case "ES256":
case "PS256":
case "HS256":
digest = new Sha256Digest();
digest2 = new Sha256Digest();
break;
case "RS384":
case "ES384":
case "PS384":
case "HS384":
digest = new Sha384Digest();
digest2 = new Sha384Digest();
break;
case "RS512":
case "ES512":
case "PS512":
case "HS512":
digest = new Sha512Digest();
digest2 = new Sha512Digest();
break;
case "EdDSA":
digest = null;
digest2 = null;
break;
default:
throw new JOSE_Exception("Unknown signature algorithm");
}
switch (alg)
{
case "RS256":
case "RS384":
case "RS512": {
RsaDigestSigner signer = new RsaDigestSigner(digest);
RsaKeyParameters prv = new RsaPrivateCrtKeyParameters(ConvertBigNum(keyToSign.AsBytes("n")),
ConvertBigNum(keyToSign.AsBytes("e")),
ConvertBigNum(keyToSign.AsBytes("d")),
ConvertBigNum(keyToSign.AsBytes("p")),
ConvertBigNum(keyToSign.AsBytes("q")),
ConvertBigNum(keyToSign.AsBytes("dp")),
ConvertBigNum(keyToSign.AsBytes("dq")),
ConvertBigNum(keyToSign.AsBytes("qi")));
signer.Init(true, prv);
signer.BlockUpdate(bytesToBeSigned, 0, bytesToBeSigned.Length);
return(signer.GenerateSignature());
}
case "PS256":
case "PS384":
case "PS512": {
PssSigner signer = new PssSigner(new RsaEngine(), digest, digest2, digest.GetDigestSize());
RsaKeyParameters prv = new RsaPrivateCrtKeyParameters(ConvertBigNum(keyToSign.AsBytes("n")),
ConvertBigNum(keyToSign.AsBytes("e")),
ConvertBigNum(keyToSign.AsBytes("d")),
ConvertBigNum(keyToSign.AsBytes("p")),
ConvertBigNum(keyToSign.AsBytes("q")),
ConvertBigNum(keyToSign.AsBytes("dp")),
ConvertBigNum(keyToSign.AsBytes("dq")),
ConvertBigNum(keyToSign.AsBytes("qi")));
ParametersWithRandom rnd = new ParametersWithRandom(prv, Message.s_PRNG);
signer.Init(true, rnd);
signer.BlockUpdate(bytesToBeSigned, 0, bytesToBeSigned.Length);
return(signer.GenerateSignature());
}
case "ES256":
case "ES384":
case "ES512": {
X9ECParameters p = NistNamedCurves.GetByName(keyToSign.AsString("crv"));
ECDomainParameters parameters = new ECDomainParameters(p.Curve, p.G, p.N, p.H);
ECPrivateKeyParameters privKey =
new ECPrivateKeyParameters("ECDSA", ConvertBigNum(keyToSign.AsBytes("d")), parameters);
ParametersWithRandom param = new ParametersWithRandom(privKey, Message.s_PRNG);
ECDsaSigner ecdsa = new ECDsaSigner(new HMacDsaKCalculator(new Sha256Digest()));
ecdsa.Init(true, param);
BigInteger[] sig = ecdsa.GenerateSignature(bytesToBeSigned);
byte[] r = sig[0].ToByteArrayUnsigned();
byte[] s = sig[1].ToByteArrayUnsigned();
byte[] sigs = new byte[r.Length + s.Length];
Array.Copy(r, sigs, r.Length);
Array.Copy(s, 0, sigs, r.Length, s.Length);
return(sigs);
}
case "HS256":
case "HS384":
case "HS512": {
HMac hmac = new HMac(digest);
KeyParameter key = new KeyParameter(keyToSign.AsBytes("k"));
byte[] resBuf = new byte[hmac.GetMacSize()];
hmac.Init(key);
hmac.BlockUpdate(bytesToBeSigned, 0, bytesToBeSigned.Length);
hmac.DoFinal(resBuf, 0);
return(resBuf);
}
case "EdDSA":
switch (keyToSign.AsString("crv"))
{
case "Ed25519": {
ISigner eddsa;
Ed25519PrivateKeyParameters privKey =
new Ed25519PrivateKeyParameters(keyToSign.AsBytes("d"), 0);
eddsa = new Ed25519Signer();
eddsa.Init(true, privKey);
eddsa.BlockUpdate(bytesToBeSigned, 0, bytesToBeSigned.Length);
return(eddsa.GenerateSignature());
}
}
break;
}
return(null);
}
public bool Validate(byte[] content, byte[] msgAttributes)
{
CBORObject alg = null; // Get the set algorithm or infer one
byte[] bytesToBeSigned = toBeSigned(content, msgAttributes);
alg = FindAttribute(HeaderKeys.Algorithm);
if (alg == null)
{
throw new Exception("No Signature algorithm known");
}
IDigest digest;
IDigest digest2;
if (alg.Type == CBORType.TextString)
{
switch (alg.AsString())
{
case "PS384":
digest = new Sha384Digest();
digest2 = new Sha384Digest();
break;
default:
throw new Exception("Unknown signature algorithm");
}
}
else if (alg.Type == CBORType.Number)
{
switch ((AlgorithmValuesInt)alg.AsInt32())
{
case AlgorithmValuesInt.ECDSA_256:
case AlgorithmValuesInt.RSA_PSS_256:
digest = new Sha256Digest();
digest2 = new Sha256Digest();
break;
case AlgorithmValuesInt.ECDSA_384:
case AlgorithmValuesInt.RSA_PSS_384:
digest = new Sha384Digest();
digest2 = new Sha384Digest();
break;
case AlgorithmValuesInt.ECDSA_512:
case AlgorithmValuesInt.RSA_PSS_512:
digest = new Sha512Digest();
digest2 = new Sha512Digest();
break;
default:
throw new CoseException("Unknown signature algorith");
}
}
else
{
throw new CoseException("Algorthm incorrectly encoded");
}
if (alg.Type == CBORType.TextString)
{
switch (alg.AsString())
{
case "PS384": {
PssSigner signer = new PssSigner(new RsaEngine(), digest, digest2, digest.GetByteLength());
RsaKeyParameters prv = new RsaPrivateCrtKeyParameters(keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_n), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_e), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_d), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_p), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_q), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_dP), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_dQ), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_qInv));
ParametersWithRandom param = new ParametersWithRandom(prv, Message.GetPRNG());
signer.Init(true, param);
signer.BlockUpdate(bytesToBeSigned, 0, bytesToBeSigned.Length);
return(signer.VerifySignature(rgbSignature));
}
default:
throw new CoseException("Unknown Algorithm");
}
}
else if (alg.Type == CBORType.Number)
{
switch ((AlgorithmValuesInt)alg.AsInt32())
{
case AlgorithmValuesInt.RSA_PSS_256:
case AlgorithmValuesInt.RSA_PSS_512: {
PssSigner signer = new PssSigner(new RsaEngine(), digest, digest2, digest.GetByteLength());
RsaKeyParameters prv = new RsaPrivateCrtKeyParameters(keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_n), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_e), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_d), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_p), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_q), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_dP), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_dQ), keyToSign.AsBigInteger(CoseKeyParameterKeys.RSA_qInv));
ParametersWithRandom param = new ParametersWithRandom(prv, Message.GetPRNG());
signer.Init(true, param);
signer.BlockUpdate(bytesToBeSigned, 0, bytesToBeSigned.Length);
return(signer.VerifySignature(rgbSignature));
}
case AlgorithmValuesInt.ECDSA_256:
case AlgorithmValuesInt.ECDSA_384:
case AlgorithmValuesInt.ECDSA_512: {
digest.BlockUpdate(bytesToBeSigned, 0, bytesToBeSigned.Length);
byte[] digestedMessage = new byte[digest.GetDigestSize()];
digest.DoFinal(digestedMessage, 0);
X9ECParameters p = keyToSign.GetCurve();
ECDomainParameters parameters = new ECDomainParameters(p.Curve, p.G, p.N, p.H);
ECPoint point = keyToSign.GetPoint();
ECPublicKeyParameters param = new ECPublicKeyParameters(point, parameters);
ECDsaSigner ecdsa = new ECDsaSigner();
ecdsa.Init(false, param);
BigInteger r = new BigInteger(1, rgbSignature, 0, rgbSignature.Length / 2);
BigInteger s = new BigInteger(1, rgbSignature, rgbSignature.Length / 2, rgbSignature.Length / 2);
return(ecdsa.VerifySignature(digestedMessage, r, s));
}
default:
throw new CoseException("Unknown Algorithm");
}
}
else
{
throw new CoseException("Algorithm incorrectly encoded");
}
}
