1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package dsa implements the Digital Signature Algorithm, as defined in FIPS 186-3.
7 // The DSA operations in this package are not implemented using constant-time algorithms.
9 // Deprecated: DSA is a legacy algorithm, and modern alternatives such as
10 // Ed25519 (implemented by package crypto/ed25519) should be used instead. Keys
11 // with 1024-bit moduli (L1024N160 parameters) are cryptographically weak, while
12 // bigger keys are not widely supported. Note that FIPS 186-5 no longer approves
13 // DSA for signature generation.
21 "crypto/internal/randutil"
24 // Parameters represents the domain parameters for a key. These parameters can
25 // be shared across many keys. The bit length of Q must be a multiple of 8.
26 type Parameters
struct {
30 // PublicKey represents a DSA public key.
31 type PublicKey
struct {
36 // PrivateKey represents a DSA private key.
37 type PrivateKey
struct {
42 // ErrInvalidPublicKey results when a public key is not usable by this code.
43 // FIPS is quite strict about the format of DSA keys, but other code may be
44 // less so. Thus, when using keys which may have been generated by other code,
45 // this error must be handled.
46 var ErrInvalidPublicKey
= errors
.New("crypto/dsa: invalid public key")
48 // ParameterSizes is an enumeration of the acceptable bit lengths of the primes
49 // in a set of DSA parameters. See FIPS 186-3, section 4.2.
50 type ParameterSizes
int
53 L1024N160 ParameterSizes
= iota
59 // numMRTests is the number of Miller-Rabin primality tests that we perform. We
60 // pick the largest recommended number from table C.1 of FIPS 186-3.
63 // GenerateParameters puts a random, valid set of DSA parameters into params.
64 // This function can take many seconds, even on fast machines.
65 func GenerateParameters(params
*Parameters
, rand io
.Reader
, sizes ParameterSizes
) error
{
66 // This function doesn't follow FIPS 186-3 exactly in that it doesn't
67 // use a verification seed to generate the primes. The verification
68 // seed doesn't appear to be exported or used by other code and
69 // omitting it makes the code cleaner.
86 return errors
.New("crypto/dsa: invalid ParameterSizes")
89 qBytes
:= make([]byte, N
/8)
90 pBytes
:= make([]byte, L
/8)
100 if _
, err
:= io
.ReadFull(rand
, qBytes
); err
!= nil {
104 qBytes
[len(qBytes
)-1] |
= 1
108 if !q
.ProbablyPrime(numMRTests
) {
112 for i
:= 0; i
< 4*L
; i
++ {
113 if _
, err
:= io
.ReadFull(rand
, pBytes
); err
!= nil {
117 pBytes
[len(pBytes
)-1] |
= 1
128 if !p
.ProbablyPrime(numMRTests
) {
142 pm1
:= new(big
.Int
).Sub(p
, one
)
143 e
:= new(big
.Int
).Div(pm1
, q
)
157 // GenerateKey generates a public&private key pair. The Parameters of the
158 // PrivateKey must already be valid (see GenerateParameters).
159 func GenerateKey(priv
*PrivateKey
, rand io
.Reader
) error
{
160 if priv
.P
== nil || priv
.Q
== nil || priv
.G
== nil {
161 return errors
.New("crypto/dsa: parameters not set up before generating key")
165 xBytes
:= make([]byte, priv
.Q
.BitLen()/8)
168 _
, err
:= io
.ReadFull(rand
, xBytes
)
173 if x
.Sign() != 0 && x
.Cmp(priv
.Q
) < 0 {
179 priv
.Y
= new(big
.Int
)
180 priv
.Y
.Exp(priv
.G
, x
, priv
.P
)
184 // fermatInverse calculates the inverse of k in GF(P) using Fermat's method.
185 // This has better constant-time properties than Euclid's method (implemented
186 // in math/big.Int.ModInverse) although math/big itself isn't strictly
187 // constant-time so it's not perfect.
188 func fermatInverse(k
, P
*big
.Int
) *big
.Int
{
190 pMinus2
:= new(big
.Int
).Sub(P
, two
)
191 return new(big
.Int
).Exp(k
, pMinus2
, P
)
194 // Sign signs an arbitrary length hash (which should be the result of hashing a
195 // larger message) using the private key, priv. It returns the signature as a
196 // pair of integers. The security of the private key depends on the entropy of
199 // Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
200 // to the byte-length of the subgroup. This function does not perform that
201 // truncation itself.
203 // Be aware that calling Sign with an attacker-controlled PrivateKey may
204 // require an arbitrary amount of CPU.
205 func Sign(rand io
.Reader
, priv
*PrivateKey
, hash
[]byte) (r
, s
*big
.Int
, err error
) {
206 randutil
.MaybeReadByte(rand
)
208 // FIPS 186-3, section 4.6
211 if priv
.Q
.Sign() <= 0 || priv
.P
.Sign() <= 0 || priv
.G
.Sign() <= 0 || priv
.X
.Sign() <= 0 || n%8
!= 0 {
212 err
= ErrInvalidPublicKey
218 for attempts
= 10; attempts
> 0; attempts
-- {
220 buf
:= make([]byte, n
)
222 _
, err
= io
.ReadFull(rand
, buf
)
227 // priv.Q must be >= 128 because the test above
228 // requires it to be > 0 and that
229 // ceil(log_2(Q)) mod 8 = 0
230 // Thus this loop will quickly terminate.
231 if k
.Sign() > 0 && k
.Cmp(priv
.Q
) < 0 {
236 kInv
:= fermatInverse(k
, priv
.Q
)
238 r
= new(big
.Int
).Exp(priv
.G
, k
, priv
.P
)
245 z
:= k
.SetBytes(hash
)
247 s
= new(big
.Int
).Mul(priv
.X
, r
)
258 // Only degenerate private keys will require more than a handful of
261 return nil, nil, ErrInvalidPublicKey
267 // Verify verifies the signature in r, s of hash using the public key, pub. It
268 // reports whether the signature is valid.
270 // Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
271 // to the byte-length of the subgroup. This function does not perform that
272 // truncation itself.
273 func Verify(pub
*PublicKey
, hash
[]byte, r
, s
*big
.Int
) bool {
274 // FIPS 186-3, section 4.7
276 if pub
.P
.Sign() == 0 {
280 if r
.Sign() < 1 || r
.Cmp(pub
.Q
) >= 0 {
283 if s
.Sign() < 1 || s
.Cmp(pub
.Q
) >= 0 {
287 w
:= new(big
.Int
).ModInverse(s
, pub
.Q
)
296 z
:= new(big
.Int
).SetBytes(hash
)
298 u1
:= new(big
.Int
).Mul(z
, w
)
302 v
:= u1
.Exp(pub
.G
, u1
, pub
.P
)
303 u2
.Exp(pub
.Y
, u2
, pub
.P
)