ECNRSigner.cs :  » PDF » iTextSharp » Org » BouncyCastle » Crypto » Signers » C# / CSharp Open Source

using System;

using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Math.EC;
using Org.BouncyCastle.Security;

namespace Org.BouncyCastle.Crypto.Signers{
  /**
   * EC-NR as described in IEEE 1363-2000
   */
  public class ECNRSigner
    : IDsa
  {
    private bool      forSigning;
    private ECKeyParameters  key;
    private SecureRandom  random;

    public string AlgorithmName
    {
      get { return "ECNR"; }
    }

    public void Init(
      bool        forSigning,
      ICipherParameters  parameters)
    {
      this.forSigning = forSigning;

      if (forSigning)
      {
        if (parameters is ParametersWithRandom)
        {
          ParametersWithRandom rParam = (ParametersWithRandom) parameters;

          this.random = rParam.Random;
          parameters = rParam.Parameters;
        }
        else
        {
          this.random = new SecureRandom();
        }

        if (!(parameters is ECPrivateKeyParameters))
          throw new InvalidKeyException("EC private key required for signing");

        this.key = (ECPrivateKeyParameters) parameters;
      }
      else
      {
        if (!(parameters is ECPublicKeyParameters))
          throw new InvalidKeyException("EC public key required for verification");

        this.key = (ECPublicKeyParameters) parameters;
      }
    }

    // Section 7.2.5 ECSP-NR, pg 34
    /**
     * generate a signature for the given message using the key we were
     * initialised with.  Generally, the order of the curve should be at
     * least as long as the hash of the message of interest, and with
     * ECNR it *must* be at least as long.
     *
     * @param digest  the digest to be signed.
     * @exception DataLengthException if the digest is longer than the key allows
     */
    public BigInteger[] GenerateSignature(
      byte[] message)
    {
      if (!this.forSigning)
      {
        // not properly initilaized... deal with it
        throw new InvalidOperationException("not initialised for signing");
      }

      BigInteger n = ((ECPrivateKeyParameters) this.key).Parameters.N;
      int nBitLength = n.BitLength;

      BigInteger e = new BigInteger(1, message);
      int eBitLength = e.BitLength;

      ECPrivateKeyParameters  privKey = (ECPrivateKeyParameters)key;

      if (eBitLength > nBitLength)
      {
        throw new DataLengthException("input too large for ECNR key.");
      }

      BigInteger r = null;
      BigInteger s = null;

      AsymmetricCipherKeyPair tempPair;
      do // generate r
      {
        // generate another, but very temporary, key pair using
        // the same EC parameters
        ECKeyPairGenerator keyGen = new ECKeyPairGenerator();

        keyGen.Init(new ECKeyGenerationParameters(privKey.Parameters, this.random));

        tempPair = keyGen.GenerateKeyPair();

        //    BigInteger Vx = tempPair.getPublic().getW().getAffineX();
        ECPublicKeyParameters V = (ECPublicKeyParameters) tempPair.Public; // get temp's public key
        BigInteger Vx = V.Q.X.ToBigInteger(); // get the point's x coordinate

        r = Vx.Add(e).Mod(n);
      }
      while (r.SignValue == 0);

      // generate s
      BigInteger x = privKey.D;                // private key value
      BigInteger u = ((ECPrivateKeyParameters) tempPair.Private).D; // temp's private key value
      s = u.Subtract(r.Multiply(x)).Mod(n);

      return new BigInteger[]{ r, s };
    }

    // Section 7.2.6 ECVP-NR, pg 35
    /**
     * return true if the value r and s represent a signature for the
     * message passed in. Generally, the order of the curve should be at
     * least as long as the hash of the message of interest, and with
     * ECNR, it *must* be at least as long.  But just in case the signer
     * applied mod(n) to the longer digest, this implementation will
     * apply mod(n) during verification.
     *
     * @param digest  the digest to be verified.
     * @param r       the r value of the signature.
     * @param s       the s value of the signature.
     * @exception DataLengthException if the digest is longer than the key allows
     */
    public bool VerifySignature(
      byte[]    message,
      BigInteger  r,
      BigInteger  s)
    {
      if (this.forSigning)
      {
        // not properly initilaized... deal with it
        throw new InvalidOperationException("not initialised for verifying");
      }

      ECPublicKeyParameters pubKey = (ECPublicKeyParameters)key;
      BigInteger n = pubKey.Parameters.N;
      int nBitLength = n.BitLength;

      BigInteger e = new BigInteger(1, message);
      int eBitLength = e.BitLength;

      if (eBitLength > nBitLength)
      {
        throw new DataLengthException("input too large for ECNR key.");
      }

      // r in the range [1,n-1]
      if (r.CompareTo(BigInteger.One) < 0 || r.CompareTo(n) >= 0)
      {
        return false;
      }

      // TODO So why is this different from the spec?
      // s in the range [0,n-1]           NB: ECNR spec says 0
      if (s.CompareTo(BigInteger.Zero) < 0 || s.CompareTo(n) >= 0)
      {
        return false;
      }

      // compute P = sG + rW

      ECPoint G = pubKey.Parameters.G;
      ECPoint W = pubKey.Q;
      // calculate P using Bouncy math
      ECPoint P = ECAlgorithms.SumOfTwoMultiplies(G, s, W, r);

      BigInteger x = P.X.ToBigInteger();
      BigInteger t = r.Subtract(x).Mod(n);

      return t.Equals(e);
    }
  }
}