Merge branch 'master' into fix/bug-004-modinverse-dos

Author: kjur

ext/jsbn.js

@@ -354,7 +354,7 @@ function bnpSquareTo(r) {
 // r != q, this != m.  q or r may be null.
 function bnpDivRemTo(m,q,r) {
   var pm = m.abs();
-  if(pm.t <= 0) return;
+  if(pm.t <= 0) throw "BigInteger divide by zero";
   var pt = this.abs();
   if(pt.t < pm.t) {
     if(q != null) q.fromInt(0);

ext/rsa.js

@@ -167,6 +167,15 @@ function RSASetPublic(N, E) {
     } else {
 	throw "Invalid RSA public key";
     }
+
+    if (this.n == null ||
+	typeof this.n.compareTo !== "function" ||
+	this.n.compareTo(BigInteger.ONE) <= 0 ||
+	this.e == null ||
+	isNaN(this.e) ||
+	this.e <= 0) {
+	throw "Invalid RSA public key";
+    }
 }
 
 // Perform raw public operation on "x": return x^e (mod n)

src/dsa-2.0.js

@@ -164,21 +164,24 @@ KJUR.crypto.DSA = function() {
 	var y = this.y; // public key (p q g y)
 	var x = this.x; // private key
 
-	// NIST FIPS 186-4 4.5 DSA Per-Message Secret Number (p18)
-	// 1. get random k where 0 < k < q
-	var k = KJUR.crypto.Util.getRandomBigIntegerMinToMax(BigInteger.ONE.add(BigInteger.ONE),
-							     q.subtract(BigInteger.ONE));
-
 	// NIST FIPS 186-4 4.6 DSA Signature Generation (p19)
 	// 2. get z where the left most min(N, outlen) bits of Hash(M)
 	var hZ = sHashHex.substr(0, q.bitLength() / 4);
 	var z = new BigInteger(hZ, 16);
 
-	// 3. get r where (g^k mod p) mod q, r != 0
-	var r = (g.modPow(k,p)).mod(q); 
+	var k, r, s;
+	do {
+	    // NIST FIPS 186-4 4.5 DSA Per-Message Secret Number (p18)
+	    // 1. get random k where 0 < k < q
+	    k = KJUR.crypto.Util.getRandomBigIntegerMinToMax(BigInteger.ONE.add(BigInteger.ONE),
+							 q.subtract(BigInteger.ONE));
+
+	    // 3. get r where (g^k mod p) mod q, r != 0
+	    r = (g.modPow(k,p)).mod(q); 
 
-	// 4. get s where k^-1 (z + xr) mod q, s != 0
-	var s = (k.modInverse(q).multiply(z.add(x.multiply(r)))).mod(q);
+	    // 4. get s where k^-1 (z + xr) mod q, s != 0
+	    s = (k.modInverse(q).multiply(z.add(x.multiply(r)))).mod(q);
+	} while (r.compareTo(BigInteger.ZERO) == 0 || s.compareTo(BigInteger.ZERO) == 0);
 
 	// 5. signature (r, s)
 	var result = KJUR.asn1.ASN1Util.jsonToASN1HEX({

test/qunit-do-crypto.html

@@ -232,6 +232,31 @@
   equal(n, 100, "100 times success:" + n0 + ":" + n1 + ":" + n2 + ":" + n3);
 });
 
+test("RSASetPublic rejects zero modulus", function() {
+  throws(function() {
+    var pub = new RSAKey();
+    pub.setPublic("00", "10001");
+  },
+  "Invalid RSA public key",
+  "reject zero modulus");
+});
+
+test("KEYUTIL.getKey rejects JWK with zero modulus", function() {
+  throws(function() {
+    KEYUTIL.getKey({kty: "RSA", n: "AA", e: "AQAB"});
+  },
+  "Invalid RSA public key",
+  "reject JWK n=0");
+});
+
+test("BigInteger.modPowInt throws when modulus is zero", function() {
+  throws(function() {
+    new BigInteger("deadbeef", 16).modPowInt(65537, BigInteger.ZERO);
+  },
+  "BigInteger divide by zero",
+  "reject mod(0)");
+});
+
 test("BigInteger.modInverse returns quickly for zero input", function() {
   var biM = new BigInteger("97", 10);
   var biR = new BigInteger("0", 10).modInverse(biM);
@@ -432,4 +457,3 @@ <h2 id="qunit-userAgent"></h2>
 </p>
 </body>
 </html>
-

test/qunit-do-dsa.html

@@ -129,6 +129,41 @@
   ok(dsa2.verifyWithMessageHash(sHashHex, hSigVal), "");
 });
 
+test("signWithMessageHash retries when s is zero", function() {
+  var pSmall = new BigInteger("17", 16);
+  var qSmall = new BigInteger("0b", 16);
+  var gSmall = new BigInteger("04", 16);
+  var xSmall = new BigInteger("03", 16);
+  var ySmall = gSmall.modPow(xSmall, pSmall);
+  var dsaPrv = new KJUR.crypto.DSA();
+  dsaPrv.setPrivate(pSmall, qSmall, gSmall, null, xSmall);
+  var dsaPub = new KJUR.crypto.DSA();
+  dsaPub.setPublic(pSmall, qSmall, gSmall, ySmall);
+
+  var kList = [new BigInteger("2", 10), new BigInteger("3", 10)];
+  var kIdx = 0;
+  var fOrig = KJUR.crypto.Util.getRandomBigIntegerMinToMax;
+
+  var r0 = gSmall.modPow(kList[0], pSmall).mod(qSmall);
+  var z = qSmall.subtract(xSmall.multiply(r0).mod(qSmall)).mod(qSmall);
+  var sHashHex = z.toString(16);
+
+  KJUR.crypto.Util.getRandomBigIntegerMinToMax = function() {
+    return kList[kIdx++];
+  };
+
+  try {
+    var hSigVal = dsaPrv.signWithMessageHash(sHashHex);
+    var rs = dsaPrv.parseASN1Signature(hSigVal);
+    ok(kIdx >= 2, "retry with a new k");
+    ok(rs[0].compareTo(BigInteger.ZERO) != 0, "r != 0");
+    ok(rs[1].compareTo(BigInteger.ZERO) != 0, "s != 0");
+    ok(dsaPub.verifyWithMessageHash(sHashHex, hSigVal), "signature verifies");
+  } finally {
+    KJUR.crypto.Util.getRandomBigIntegerMinToMax = fOrig;
+  }
+});
+
 test("readPKCS5PrvKeyHex d1", function() {
   var key = new KJUR.crypto.DSA();
   key.readPKCS5PrvKeyHex(D1PRVP5HEX);