示例#1
0
 public static int SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
                           byte[] hash, int hashOff, int hashLen,
                           byte[] outBuf, int outOff)
 {
     byte[] sig = SignRaw(sk, rfc6979Hash, hash, hashOff, hashLen);
     Array.Copy(sig, 0, outBuf, outOff, sig.Length);
     return(sig.Length);
 }
示例#2
0
        public static byte[] SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
                                     byte[] hash, int hashOff, int hashLen)
        {
            ECCurve curve = sk.Curve;

            byte[]  q  = curve.SubgroupOrder;
            RFC6979 rf = new RFC6979(rfc6979Hash, q, sk.X,
                                     hash, hashOff, hashLen, rfc6979Hash != null);
            ModInt mh = rf.GetHashMod();
            ModInt mx = mh.Dup();

            mx.Decode(sk.X);

            /*
             * Compute DSA signature. We use a loop to enumerate
             * candidates for k until a proper one is found (it
             * is VERY improbable that we may have to loop).
             */
            ModInt mr = mh.Dup();
            ModInt ms = mh.Dup();
            ModInt mk = mh.Dup();

            byte[] k = new byte[q.Length];
            for (;;)
            {
                rf.NextK(k);
                MutableECPoint G = curve.MakeGenerator();
                if (G.MulSpecCT(k) == 0)
                {
                    /*
                     * We may get an error here only if the
                     * curve is invalid (generator does not
                     * produce the expected subgroup).
                     */
                    throw new CryptoException(
                              "Invalid EC private key / curve");
                }
                mr.DecodeReduce(G.X);
                if (mr.IsZero)
                {
                    continue;
                }
                ms.Set(mx);
                ms.ToMonty();
                ms.MontyMul(mr);
                ms.Add(mh);
                mk.Decode(k);
                mk.Invert();
                ms.ToMonty();
                ms.MontyMul(mk);

                byte[] sig = new byte[q.Length << 1];
                mr.Encode(sig, 0, q.Length);
                ms.Encode(sig, q.Length, q.Length);
                return(sig);
            }
        }
示例#3
0
        /*
         * Compute an ECDSA signature (raw format). On error (e.g. due
         * to an invalid private key), an exception is thrown.
         *
         * Internally, the process described in RFC 6979 is used to
         * compute the per-signature random value 'k'. If 'rfc6979Hash'
         * is not null, then a clone of that function is used for that
         * process, and signatures are fully deterministic and should
         * match RFC 6979 test vectors; if 'rfc6979Hash' is null, then
         * the engine uses SHA-256 with additional randomness, resulting
         * in randomized signatures. The systematic use of RFC 6979 in
         * both cases ensures the safety of the private key even if the
         * system RNG is predictible.
         *
         * The signature returned by these methods always has length
         * exactly twice that of the encoded subgroup order (they are
         * not minimalized). Use SigRawMinimalize() to reduce the
         * signature size to its minimum length.
         *
         * There are four methods, depending on the source operands.
         */

        public static byte[] SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
                                     byte[] hash)
        {
            return(SignRaw(sk, rfc6979Hash, hash, 0, hash.Length));
        }
示例#4
0
 public static int SignRaw(ECPrivateKey sk, IDigest rfc6979Hash,
                           byte[] hash, byte[] outBuf, int outOff)
 {
     return(SignRaw(sk, rfc6979Hash,
                    hash, 0, hash.Length, outBuf, outOff));
 }
示例#5
0
 public static byte[] Sign(ECPrivateKey sk, IDigest rfc6979Hash,
                           byte[] hash, int hashOff, int hashLen)
 {
     return(SigRawToAsn1(SignRaw(sk, rfc6979Hash,
                                 hash, hashOff, hashLen)));
 }