Pass the test vector of ECCSISigner

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/generators/ECCSIKeyPairGenerator.java

@@ -16,22 +16,14 @@
 import org.bouncycastle.crypto.params.ECCSIKeyGenerationParameters;
 import org.bouncycastle.crypto.params.ECCSIPrivateKeyParameters;
 import org.bouncycastle.crypto.params.ECCSIPublicKeyParameters;
-import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 
 public class ECCSIKeyPairGenerator
     implements AsymmetricCipherKeyPairGenerator
 {
     // Initialize NIST P-256 curve
     private static final X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
-    private static final ECCurve curve = params.getCurve();
-
-    private static final BigInteger q = ((ECCurve.Fp)curve).getQ();
-
-    //BigInteger p = ((ECCurve.Fp)curve).getOrder();
-
-    // The subgroup order is available as:
-    //BigInteger n = params.getN();
+    private static final BigInteger q = params.getCurve().getOrder();
 
     // And the base point (generator) is:
     private static final ECPoint G = params.getG();
@@ -73,6 +65,7 @@ public AsymmetricCipherKeyPair generateKeyPair()
 
         // 4) Compute SSK = ( KSAK + HS * v ) modulo q;
         BigInteger ssk = parameters.computeSSK(HS.multiply(v));
-        return new AsymmetricCipherKeyPair(new ECCSIPublicKeyParameters(pvt), new ECCSIPrivateKeyParameters(ssk));
+        ECCSIPublicKeyParameters pub = new ECCSIPublicKeyParameters(pvt);
+        return new AsymmetricCipherKeyPair(new ECCSIPublicKeyParameters(pvt), new ECCSIPrivateKeyParameters(ssk, pub));
     }
 }

core/src/main/java/org/bouncycastle/crypto/params/ECCSIKeyGenerationParameters.java

@@ -6,25 +6,22 @@
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.crypto.KeyGenerationParameters;
 import org.bouncycastle.crypto.ec.CustomNamedCurves;
-import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
 
 public class ECCSIKeyGenerationParameters
     extends KeyGenerationParameters
 {
-    private static final X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
-    private static final ECCurve curve = params.getCurve();
+    private static final BigInteger q;
+    private static final ECPoint G;
 
-    private static final BigInteger q = ((ECCurve.Fp)curve).getQ();
-
-    //BigInteger p = ((ECCurve.Fp)curve).getOrder();
-
-    // The subgroup order is available as:
-    //BigInteger n = params.getN();
+    static
+    {
+        X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
+        q = params.getCurve().getOrder();
+        G = params.getG();
+    }
 
-    // And the base point (generator) is:
-    private static final ECPoint G = params.getG();
     private final byte[] id;
     private final BigInteger ksak;
     private final ECPoint kpak;

core/src/main/java/org/bouncycastle/crypto/params/ECCSIPrivateKeyParameters.java

@@ -6,9 +6,22 @@ public class ECCSIPrivateKeyParameters
     extends AsymmetricKeyParameter
 {
     private final BigInteger ssk;
-    public ECCSIPrivateKeyParameters(BigInteger ssk)
+    private final ECCSIPublicKeyParameters pub;
+
+    public ECCSIPrivateKeyParameters(BigInteger ssk, ECCSIPublicKeyParameters pub)
     {
         super(true);
         this.ssk = ssk;
+        this.pub = pub;
+    }
+
+    public ECCSIPublicKeyParameters getPublicKeyParameters()
+    {
+        return pub;
+    }
+
+    public BigInteger getSSK()
+    {
+        return ssk;
     }
 }

core/src/main/java/org/bouncycastle/crypto/params/ECCSIPublicKeyParameters.java

@@ -6,9 +6,15 @@ public class ECCSIPublicKeyParameters
     extends AsymmetricKeyParameter
 {
     private final ECPoint pvt;
+
     public ECCSIPublicKeyParameters(ECPoint pvt)
     {
         super(false);
         this.pvt = pvt;
     }
+
+    public final ECPoint getPVT()
+    {
+        return pvt;
+    }
 }

core/src/main/java/org/bouncycastle/crypto/params/SAKKEPublicKeyParameters.java

@@ -77,7 +77,7 @@ public class SAKKEPublicKeyParameters
      * Pairing result g = <P,P> computed using the Tate-Lichtenbaum pairing
      * (RFC 6508, Section 3.2). Value from RFC 6509 Appendix A.
      */
-    private static final BigInteger g = new BigInteger(Hex.decode("66FC2A43 2B6EA392 148F1586 7D623068\n" +
+    private static final BigInteger g = new BigInteger(1, Hex.decode("66FC2A43 2B6EA392 148F1586 7D623068\n" +
         "               C6A87BD1 FB94C41E 27FABE65 8E015A87\n" +
         "               371E9474 4C96FEDA 449AE956 3F8BC446\n" +
         "               CBFDA85D 5D00EF57 7072DA8F 541721BE\n" +

core/src/main/java/org/bouncycastle/crypto/signers/ECCSISigner.java

@@ -1,5 +1,6 @@
 package org.bouncycastle.crypto.signers;
 
+import java.io.ByteArrayOutputStream;
 import java.math.BigInteger;
 import java.security.SecureRandom;
 
@@ -12,92 +13,173 @@
 import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.params.ECCSIPrivateKeyParameters;
+import org.bouncycastle.crypto.params.ECCSIPublicKeyParameters;
 import org.bouncycastle.crypto.params.ParametersWithRandom;
-import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.BigIntegers;
 
 public class ECCSISigner
     implements Signer
 {
-    private static final X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
-    private static final ECCurve curve = params.getCurve();
+    private static final BigInteger q;
+    private static final ECPoint G;
 
-    private static final BigInteger q = ((ECCurve.Fp)curve).getQ();
-
-    //BigInteger p = ((ECCurve.Fp)curve).getOrder();
-
-    // The subgroup order is available as:
-    //BigInteger n = params.getN();
+    static
+    {
+        X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
+        q = params.getCurve().getOrder();
+        G = params.getG();
+    }
 
-    // And the base point (generator) is:
-    private static final ECPoint G = params.getG();
     private final Digest digest = new SHA256Digest();
-    BigInteger j;
-    ECPoint J;
-    BigInteger r;
-
-    public ECCSISigner()
+    private BigInteger j;
+    private BigInteger r;
+    private ECPoint Y;
+    private final ECPoint kpak;
+    private final byte[] id;
+    private CipherParameters param;
+    private ByteArrayOutputStream stream;
+    private boolean forSigning;
+
+    public ECCSISigner(ECPoint kpak, byte[] id)
     {
-
+        this.kpak = kpak;
+        this.id = id;
     }
 
     @Override
     public void init(boolean forSigning, CipherParameters param)
     {
+        this.forSigning = forSigning;
+        this.param = param;
         SecureRandom random = null;
         if (param instanceof ParametersWithRandom)
         {
             random = ((ParametersWithRandom)param).getRandom();
             param = ((ParametersWithRandom)param).getParameters();
         }
-
+        ECPoint kpak_computed = null;
+        ECPoint pvt;
         if (forSigning)
         {
             ECCSIPrivateKeyParameters parameters = (ECCSIPrivateKeyParameters)param;
 
             j = new BigInteger(256, random).mod(q);
-            J = G.multiply(j).normalize();
+            ECPoint J = G.multiply(j).normalize();
             r = J.getAffineXCoord().toBigInteger();
-            byte[] rBytes = BigIntegers.asUnsignedByteArray(256, r);
-//            BigInteger kpak = parameters
-            byte[] tmp = G.getEncoded(false);
-            digest.update(tmp, 0, tmp.length);
-//            tmp = kpak.getEncoded(false);
-//            digest.update(tmp, 0, tmp.length);
-//            digest.update(id, 0, id.length);
-//            tmp = pvt.getEncoded(false);
-//            digest.update(tmp, 0, tmp.length);
-            tmp = new byte[digest.getDigestSize()];
-            digest.doFinal(tmp, 0);
-            BigInteger HS = new BigInteger(1, tmp).mod(q);
+            pvt = parameters.getPublicKeyParameters().getPVT();
+            kpak_computed = G.multiply(parameters.getSSK());
+        }
+        else
+        {
+            ECCSIPublicKeyParameters parameters = (ECCSIPublicKeyParameters)param;
+            pvt = parameters.getPVT();
+            stream = new ByteArrayOutputStream();
         }
 
+        // compute HS
+        byte[] tmp = G.getEncoded(false);
+        digest.update(tmp, 0, tmp.length);
+        tmp = kpak.getEncoded(false);
+        digest.update(tmp, 0, tmp.length);
+        digest.update(id, 0, id.length);
+        tmp = pvt.getEncoded(false);
+        digest.update(tmp, 0, tmp.length);
+        tmp = new byte[digest.getDigestSize()];
+        digest.doFinal(tmp, 0);
+        BigInteger HS = new BigInteger(1, tmp).mod(q);
+
+        //HE = hash( HS || r || M );
+        digest.update(tmp, 0, tmp.length);
+        if (forSigning)
+        {
+            kpak_computed = kpak_computed.subtract(pvt.multiply(HS)).normalize();
+            if (!kpak_computed.equals(kpak))
+            {
+                throw new IllegalArgumentException("Invalid KPAK");
+            }
+            byte[] rBytes = BigIntegers.asUnsignedByteArray(32, r);
+            digest.update(rBytes, 0, rBytes.length);
+        }
+        else
+        {
+            // Compute Y = HS*PVT + KPAK
+            Y = pvt.multiply(HS).add(kpak).normalize();
+        }
     }
 
     @Override
     public void update(byte b)
     {
-
+        if (forSigning)
+        {
+            digest.update(b);
+        }
+        else
+        {
+            stream.write(b);
+        }
     }
 
     @Override
     public void update(byte[] in, int off, int len)
     {
-
+        if (forSigning)
+        {
+            digest.update(in, off, len);
+        }
+        else
+        {
+            stream.write(in, off, len);
+        }
     }
 
     @Override
     public byte[] generateSignature()
         throws CryptoException, DataLengthException
     {
-        return new byte[0];
+        byte[] heBytes = new byte[digest.getDigestSize()];
+        digest.doFinal(heBytes, 0);
+
+        //Compute s' = ( (( HE + r * SSK )^-1) * j ) modulo q
+        ECCSIPrivateKeyParameters params = (ECCSIPrivateKeyParameters)(((ParametersWithRandom)param).getParameters());
+        BigInteger ssk = params.getSSK();
+        BigInteger denominator = new BigInteger(1, heBytes).add(r.multiply(ssk)).mod(q);
+        if (denominator.equals(BigInteger.ZERO))
+        {
+            throw new IllegalArgumentException("Invalid j, retry");
+        }
+
+        BigInteger sPrime = denominator.modInverse(q).multiply(j).mod(q);
+
+        return Arrays.concatenate(BigIntegers.asUnsignedByteArray(32, r), BigIntegers.asUnsignedByteArray(32, sPrime),
+            params.getPublicKeyParameters().getPVT().getEncoded(false));
     }
 
     @Override
     public boolean verifySignature(byte[] signature)
     {
-        return false;
+        byte[] bytes = Arrays.copyOf(signature, 32);
+        BigInteger s = new BigInteger(1, Arrays.copyOfRange(signature, 32, 64));
+        r = new BigInteger(1, bytes).mod(q);
+        digest.update(bytes, 0, 32);
+        bytes = stream.toByteArray();
+        digest.update(bytes, 0, bytes.length);
+        bytes = new byte[digest.getDigestSize()];
+        digest.doFinal(bytes, 0);
+
+        BigInteger HE = new BigInteger(1, bytes).mod(q);
+
+        // Compute J = s*(HE*G + r*Y)
+        ECPoint HE_G = G.multiply(HE).normalize();
+        ECPoint rY = Y.multiply(r).normalize();
+        ECPoint sum = HE_G.add(rY).normalize();
+        ECPoint J = sum.multiply(s).normalize();
+
+        BigInteger rComputed = J.getAffineXCoord().toBigInteger();
+
+        return rComputed.mod(q).equals(r.mod(q));
     }
 
     @Override