Merge pull request #645 from Kr0emer/fix/bug-001-sign_s_zero

kjur · web-flow · commit 0710e392ec35 · 2026-02-20T21:04:29.000+09:00
fix(dsa): retry signing when r or s is zero
diff --git a/src/dsa-2.0.js b/src/dsa-2.0.js
@@ -164,21 +164,24 @@ KJUR.crypto.DSA = function() {
 	var y = this.y; // public key (p q g y)
 	var x = this.x; // private key
 
-	// NIST FIPS 186-4 4.5 DSA Per-Message Secret Number (p18)
-	// 1. get random k where 0 < k < q
-	var k = KJUR.crypto.Util.getRandomBigIntegerMinToMax(BigInteger.ONE.add(BigInteger.ONE),
-							     q.subtract(BigInteger.ONE));
-
 	// NIST FIPS 186-4 4.6 DSA Signature Generation (p19)
 	// 2. get z where the left most min(N, outlen) bits of Hash(M)
 	var hZ = sHashHex.substr(0, q.bitLength() / 4);
 	var z = new BigInteger(hZ, 16);
 
-	// 3. get r where (g^k mod p) mod q, r != 0
-	var r = (g.modPow(k,p)).mod(q); 
+	var k, r, s;
+	do {
+	    // NIST FIPS 186-4 4.5 DSA Per-Message Secret Number (p18)
+	    // 1. get random k where 0 < k < q
+	    k = KJUR.crypto.Util.getRandomBigIntegerMinToMax(BigInteger.ONE.add(BigInteger.ONE),
+							 q.subtract(BigInteger.ONE));
+
+	    // 3. get r where (g^k mod p) mod q, r != 0
+	    r = (g.modPow(k,p)).mod(q); 
 
-	// 4. get s where k^-1 (z + xr) mod q, s != 0
-	var s = (k.modInverse(q).multiply(z.add(x.multiply(r)))).mod(q);
+	    // 4. get s where k^-1 (z + xr) mod q, s != 0
+	    s = (k.modInverse(q).multiply(z.add(x.multiply(r)))).mod(q);
+	} while (r.compareTo(BigInteger.ZERO) == 0 || s.compareTo(BigInteger.ZERO) == 0);
 
 	// 5. signature (r, s)
 	var result = KJUR.asn1.ASN1Util.jsonToASN1HEX({
diff --git a/test/qunit-do-dsa.html b/test/qunit-do-dsa.html
@@ -129,6 +129,41 @@
   ok(dsa2.verifyWithMessageHash(sHashHex, hSigVal), "");
 });
 
+test("signWithMessageHash retries when s is zero", function() {
+  var pSmall = new BigInteger("17", 16);
+  var qSmall = new BigInteger("0b", 16);
+  var gSmall = new BigInteger("04", 16);
+  var xSmall = new BigInteger("03", 16);
+  var ySmall = gSmall.modPow(xSmall, pSmall);
+  var dsaPrv = new KJUR.crypto.DSA();
+  dsaPrv.setPrivate(pSmall, qSmall, gSmall, null, xSmall);
+  var dsaPub = new KJUR.crypto.DSA();
+  dsaPub.setPublic(pSmall, qSmall, gSmall, ySmall);
+
+  var kList = [new BigInteger("2", 10), new BigInteger("3", 10)];
+  var kIdx = 0;
+  var fOrig = KJUR.crypto.Util.getRandomBigIntegerMinToMax;
+
+  var r0 = gSmall.modPow(kList[0], pSmall).mod(qSmall);
+  var z = qSmall.subtract(xSmall.multiply(r0).mod(qSmall)).mod(qSmall);
+  var sHashHex = z.toString(16);
+
+  KJUR.crypto.Util.getRandomBigIntegerMinToMax = function() {
+    return kList[kIdx++];
+  };
+
+  try {
+    var hSigVal = dsaPrv.signWithMessageHash(sHashHex);
+    var rs = dsaPrv.parseASN1Signature(hSigVal);
+    ok(kIdx >= 2, "retry with a new k");
+    ok(rs[0].compareTo(BigInteger.ZERO) != 0, "r != 0");
+    ok(rs[1].compareTo(BigInteger.ZERO) != 0, "s != 0");
+    ok(dsaPub.verifyWithMessageHash(sHashHex, hSigVal), "signature verifies");
+  } finally {
+    KJUR.crypto.Util.getRandomBigIntegerMinToMax = fOrig;
+  }
+});
+
 test("readPKCS5PrvKeyHex d1", function() {
   var key = new KJUR.crypto.DSA();
   key.readPKCS5PrvKeyHex(D1PRVP5HEX);
