public static int SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
byte[] hash, int hashOff, int hashLen,
byte[] outBuf, int outOff)
{
byte[] sig = SignRaw(sk, rfc6979Hash, hash, hashOff, hashLen);
Array.Copy(sig, 0, outBuf, outOff, sig.Length);
return(sig.Length);
}
public static byte[] SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
byte[] hash, int hashOff, int hashLen)
{
ECCurve curve = sk.Curve;
byte[] q = curve.SubgroupOrder;
RFC6979 rf = new RFC6979(rfc6979Hash, q, sk.X,
hash, hashOff, hashLen, rfc6979Hash != null);
ModInt mh = rf.GetHashMod();
ModInt mx = mh.Dup();
mx.Decode(sk.X);
/*
* Compute DSA signature. We use a loop to enumerate
* candidates for k until a proper one is found (it
* is VERY improbable that we may have to loop).
*/
ModInt mr = mh.Dup();
ModInt ms = mh.Dup();
ModInt mk = mh.Dup();
byte[] k = new byte[q.Length];
for (;;)
{
rf.NextK(k);
MutableECPoint G = curve.MakeGenerator();
if (G.MulSpecCT(k) == 0)
{
/*
* We may get an error here only if the
* curve is invalid (generator does not
* produce the expected subgroup).
*/
throw new CryptoException(
"Invalid EC private key / curve");
}
mr.DecodeReduce(G.X);
if (mr.IsZero)
{
continue;
}
ms.Set(mx);
ms.ToMonty();
ms.MontyMul(mr);
ms.Add(mh);
mk.Decode(k);
mk.Invert();
ms.ToMonty();
ms.MontyMul(mk);
byte[] sig = new byte[q.Length << 1];
mr.Encode(sig, 0, q.Length);
ms.Encode(sig, q.Length, q.Length);
return(sig);
}
}
/*
* Compute an ECDSA signature (raw format). On error (e.g. due
* to an invalid private key), an exception is thrown.
*
* Internally, the process described in RFC 6979 is used to
* compute the per-signature random value 'k'. If 'rfc6979Hash'
* is not null, then a clone of that function is used for that
* process, and signatures are fully deterministic and should
* match RFC 6979 test vectors; if 'rfc6979Hash' is null, then
* the engine uses SHA-256 with additional randomness, resulting
* in randomized signatures. The systematic use of RFC 6979 in
* both cases ensures the safety of the private key even if the
* system RNG is predictible.
*
* The signature returned by these methods always has length
* exactly twice that of the encoded subgroup order (they are
* not minimalized). Use SigRawMinimalize() to reduce the
* signature size to its minimum length.
*
* There are four methods, depending on the source operands.
*/
public static byte[] SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
byte[] hash)
{
return(SignRaw(sk, rfc6979Hash, hash, 0, hash.Length));
}
public static int SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
byte[] hash, byte[] outBuf, int outOff)
{
return(SignRaw(sk, rfc6979Hash,
hash, 0, hash.Length, outBuf, outOff));
}
public static byte[] Sign(ECPrivateKey sk, IDigest rfc6979Hash,
byte[] hash, int hashOff, int hashLen)
{
return(SigRawToAsn1(SignRaw(sk, rfc6979Hash,
hash, hashOff, hashLen)));
}