merge from master

Author: Oren Novotny

crypto/crypto.csproj

@@ -568,6 +568,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\asn1\bsi\BsiObjectIdentifiers.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\asn1\cmp\CAKeyUpdAnnContent.cs"
                     SubType = "Code"
@@ -3098,6 +3103,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\crypto\IDsaExt.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\crypto\IEntropySource.cs"
                     SubType = "Code"
@@ -4783,6 +4793,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\crypto\signers\IDsaEncoding.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\crypto\signers\IDsaKCalculator.cs"
                     SubType = "Code"
@@ -4803,6 +4818,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\crypto\signers\PlainDsaEncoding.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\crypto\signers\PSSSigner.cs"
                     SubType = "Code"
@@ -4823,6 +4843,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\crypto\signers\StandardDsaEncoding.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\crypto\signers\X931Signer.cs"
                     SubType = "Code"

crypto/src/asn1/bsi/BsiObjectIdentifiers.cs

@@ -0,0 +1,103 @@
+using System;
+
+namespace Org.BouncyCastle.Asn1.Bsi
+{
+    /// <remarks>See https://www.bsi.bund.de/cae/servlet/contentblob/471398/publicationFile/30615/BSI-TR-03111_pdf.pdf</remarks>
+    public abstract class BsiObjectIdentifiers
+    {
+        public static readonly DerObjectIdentifier bsi_de = new DerObjectIdentifier("0.4.0.127.0.7");
+
+        /* 0.4.0.127.0.7.1.1 */
+        public static readonly DerObjectIdentifier id_ecc = bsi_de.Branch("1.1");
+    
+        /* 0.4.0.127.0.7.1.1.4.1 */
+        public static readonly DerObjectIdentifier ecdsa_plain_signatures = id_ecc.Branch("4.1");
+    
+        /* 0.4.0.127.0.7.1.1.4.1.1 */
+        public static readonly DerObjectIdentifier ecdsa_plain_SHA1 = ecdsa_plain_signatures.Branch("1");
+
+        /* 0.4.0.127.0.7.1.1.4.1.2 */
+        public static readonly DerObjectIdentifier ecdsa_plain_SHA224 = ecdsa_plain_signatures.Branch("2");
+
+        /* 0.4.0.127.0.7.1.1.4.1.3 */
+        public static readonly DerObjectIdentifier ecdsa_plain_SHA256 = ecdsa_plain_signatures.Branch("3");
+
+        /* 0.4.0.127.0.7.1.1.4.1.4 */
+        public static readonly DerObjectIdentifier ecdsa_plain_SHA384 = ecdsa_plain_signatures.Branch("4");
+
+        /* 0.4.0.127.0.7.1.1.4.1.5 */
+        public static readonly DerObjectIdentifier ecdsa_plain_SHA512 = ecdsa_plain_signatures.Branch("5");
+
+        /* 0.4.0.127.0.7.1.1.4.1.6 */
+        public static readonly DerObjectIdentifier ecdsa_plain_RIPEMD160 = ecdsa_plain_signatures.Branch("6");
+
+	    /** 0.4.0.127.0.7.1 */
+	    public static readonly DerObjectIdentifier algorithm = bsi_de.Branch("1");
+
+	    public static readonly DerObjectIdentifier ecka_eg = id_ecc.Branch("5.1");
+
+	    /** ElGamal Elliptic Curve Key Agreement and Key Derivation according to X963 OID: 0.4.0.127.0.7.1.1.5.1.1 */
+	    public static readonly DerObjectIdentifier ecka_eg_X963kdf = ecka_eg.Branch("1");
+
+	    /** ElGamal Elliptic Curve Key Agreement and Key Derivation according to X963
+	     * with hash function SHA-1
+	     * OID: 0.4.0.127.0.7.1.1.5.1.1.1 */
+	    public static readonly DerObjectIdentifier ecka_eg_X963kdf_SHA1 = ecka_eg_X963kdf.Branch("1");
+
+	    /** ElGamal Elliptic Curve Key Agreement and Key Derivation according to X963
+	     * with hash function SHA224
+	     * OID: 0.4.0.127.0.7.1.1.5.1.1.2 */
+	    public static readonly DerObjectIdentifier ecka_eg_X963kdf_SHA224 = ecka_eg_X963kdf.Branch("2");
+
+	    /** ElGamal Elliptic Curve Key Agreement and Key Derivation according to X963
+	     * with hash function SHA256
+	     * OID: 0.4.0.127.0.7.1.1.5.1.1.3 */
+	    public static readonly DerObjectIdentifier ecka_eg_X963kdf_SHA256 = ecka_eg_X963kdf.Branch("3");
+
+	    /** ElGamal Elliptic Curve Key Agreement and Key Derivation according to X963
+	     * with hash function SHA384
+	     * OID: 0.4.0.127.0.7.1.1.5.1.1.4 */
+	    public static readonly DerObjectIdentifier ecka_eg_X963kdf_SHA384 = ecka_eg_X963kdf.Branch("4");
+
+	    /** ElGamal Elliptic Curve Key Agreement and Key Derivation according to X963
+	     * with hash function SHA512
+	     * OID: 0.4.0.127.0.7.1.1.5.1.1.5 */
+	    public static readonly DerObjectIdentifier ecka_eg_X963kdf_SHA512 = ecka_eg_X963kdf.Branch("5");
+
+	    /** ElGamal Elliptic Curve Key Agreement and Key Derivation according to X963
+	     * with hash function RIPEMD160
+	     * OID: 0.4.0.127.0.7.1.1.5.1.1.6 */
+	    public static readonly DerObjectIdentifier ecka_eg_X963kdf_RIPEMD160 = ecka_eg_X963kdf.Branch("6");
+
+	    /**
+	     * 	Key Derivation Function for Session Keys
+	     */
+	    public static readonly DerObjectIdentifier ecka_eg_SessionKDF = ecka_eg.Branch("2");
+
+	    public static readonly DerObjectIdentifier ecka_eg_SessionKDF_3DES    = ecka_eg_SessionKDF.Branch("1");
+	    public static readonly DerObjectIdentifier ecka_eg_SessionKDF_AES128  = ecka_eg_SessionKDF.Branch("2");
+	    public static readonly DerObjectIdentifier ecka_eg_SessionKDF_AES192  = ecka_eg_SessionKDF.Branch("3");
+	    public static readonly DerObjectIdentifier ecka_eg_SessionKDF_AES256  = ecka_eg_SessionKDF.Branch("4");
+
+	    /** AES encryption (CBC) and authentication (CMAC)
+	     * OID: 0.4.0.127.0.7.1.x */
+	    //TODO: replace "1" with correct OID
+	    //public static readonly DerObjectIdentifier aes_cbc_cmac = algorithm.Branch("1");
+
+	    /** AES encryption (CBC) and authentication (CMAC) with 128 bit
+	     * OID: 0.4.0.127.0.7.1.x.y1 */
+	    //TODO:  replace "1" with correct OID
+	    //public static readonly DerObjectIdentifier id_aes128_CBC_CMAC = aes_cbc_cmac.Branch("1");
+
+
+	    /** AES encryption (CBC) and authentication (CMAC) with 192 bit
+	     * OID: 0.4.0.127.0.7.1.x.y2 */
+	    //TODO:  replace "1" with correct OID
+	    //public static readonly DerObjectIdentifier id_aes192_CBC_CMAC = aes_cbc_cmac.Branch("1");
+
+	    /** AES encryption (CBC) and authentication (CMAC) with 256 bit
+	     * OID: 0.4.0.127.0.7.1.x.y3 */
+	    //TODO:  replace "1" with correct OID
+	    //public static readonly DerObjectIdentifier id_aes256_CBC_CMAC = aes_cbc_cmac.Branch("1");
+    }
+}

crypto/src/crypto/IDSA.cs

@@ -1,4 +1,5 @@
 using System;
+
 using Org.BouncyCastle.Math;
 
 namespace Org.BouncyCastle.Crypto

crypto/src/crypto/IDsaExt.cs

@@ -0,0 +1,17 @@
+using System;
+
+using Org.BouncyCastle.Math;
+
+namespace Org.BouncyCastle.Crypto
+{
+    /// <summary>
+    /// An "extended" interface for classes implementing DSA-style algorithms, that provides access
+    /// to the group order.
+    /// </summary>
+    public interface IDsaExt
+        : IDsa
+    {
+        /// <summary>The order of the group that the r, s values in signatures belong to.</summary>
+        BigInteger Order { get; }
+    }
+}

crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class Ed25519PrivateKeyParameters
         public Ed25519PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            Ed25519.GeneratePrivateKey(random, data);
         }
 
         public Ed25519PrivateKeyParameters(byte[] buf, int off)

crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class Ed448PrivateKeyParameters
         public Ed448PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            Ed448.GeneratePrivateKey(random, data);
         }
 
         public Ed448PrivateKeyParameters(byte[] buf, int off)

crypto/src/crypto/parameters/X25519KeyGenerationParameters.cs

@@ -8,7 +8,7 @@ public class X25519KeyGenerationParameters
         : KeyGenerationParameters
     {
         public X25519KeyGenerationParameters(SecureRandom random)
-            : base(random, 256)
+            : base(random, 255)
         {
         }
     }

crypto/src/crypto/parameters/X25519PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class X25519PrivateKeyParameters
         public X25519PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            X25519.GeneratePrivateKey(random, data);
         }
 
         public X25519PrivateKeyParameters(byte[] buf, int off)

crypto/src/crypto/parameters/X448PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class X448PrivateKeyParameters
         public X448PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            X448.GeneratePrivateKey(random, data);
         }
 
         public X448PrivateKeyParameters(byte[] buf, int off)

crypto/src/crypto/signers/DsaDigestSigner.cs

@@ -1,10 +1,5 @@
 using System;
-using System.Collections;
-using System.IO;
-using System.Text;
 
-using Org.BouncyCastle.Asn1;
-using Org.BouncyCastle.Crypto.Signers;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Math;
 using Org.BouncyCastle.Security;
@@ -14,26 +9,38 @@ namespace Org.BouncyCastle.Crypto.Signers
 	public class DsaDigestSigner
 		: ISigner
 	{
-		private readonly IDigest digest;
-		private readonly IDsa dsaSigner;
-		private bool forSigning;
+        private readonly IDsa dsa;
+        private readonly IDigest digest;
+        private readonly IDsaEncoding encoding;
+        private bool forSigning;
 
 		public DsaDigestSigner(
-			IDsa	signer,
+			IDsa	dsa,
 			IDigest	digest)
 		{
-			this.digest = digest;
-			this.dsaSigner = signer;
+            this.dsa = dsa;
+            this.digest = digest;
+            this.encoding = StandardDsaEncoding.Instance;
 		}
 
+        public DsaDigestSigner(
+            IDsaExt dsa,
+            IDigest digest,
+            IDsaEncoding encoding)
+        {
+            this.dsa = dsa;
+            this.digest = digest;
+            this.encoding = encoding;
+        }
+
 		public virtual string AlgorithmName
 		{
-			get { return digest.AlgorithmName + "with" + dsaSigner.AlgorithmName; }
+			get { return digest.AlgorithmName + "with" + dsa.AlgorithmName; }
 		}
 
         public virtual void Init(
-			bool							forSigning,
-			ICipherParameters	parameters)
+			bool forSigning,
+			ICipherParameters parameters)
 		{
 			this.forSigning = forSigning;
 
@@ -56,7 +63,7 @@ public virtual void Init(
 
 			Reset();
 
-			dsaSigner.Init(forSigning, parameters);
+			dsa.Init(forSigning, parameters);
 		}
 
 		/**
@@ -91,9 +98,16 @@ public virtual byte[] GenerateSignature()
 			byte[] hash = new byte[digest.GetDigestSize()];
 			digest.DoFinal(hash, 0);
 
-			BigInteger[] sig = dsaSigner.GenerateSignature(hash);
+            BigInteger[] sig = dsa.GenerateSignature(hash);
 
-			return DerEncode(sig[0], sig[1]);
+            try
+            {
+                return encoding.Encode(GetOrder(), sig[0], sig[1]);
+            }
+            catch (Exception)
+            {
+                throw new InvalidOperationException("unable to encode signature");
+            }
 		}
 
 		/// <returns>true if the internal state represents the signature described in the passed in array.</returns>
@@ -106,15 +120,16 @@ public virtual bool VerifySignature(
 			byte[] hash = new byte[digest.GetDigestSize()];
 			digest.DoFinal(hash, 0);
 
-			try
-			{
-				BigInteger[] sig = DerDecode(signature);
-				return dsaSigner.VerifySignature(hash, sig[0], sig[1]);
-			}
-			catch (IOException)
-			{
-				return false;
-			}
+            try
+            {
+                BigInteger[] sig = encoding.Decode(GetOrder(), signature);
+
+                return dsa.VerifySignature(hash, sig[0], sig[1]);
+            }
+            catch (Exception e)
+            {
+                return false;
+            }
 		}
 
 		/// <summary>Reset the internal state</summary>
@@ -123,23 +138,9 @@ public virtual void Reset()
 			digest.Reset();
 		}
 
-		private byte[] DerEncode(
-			BigInteger	r,
-			BigInteger	s)
-		{
-			return new DerSequence(new DerInteger(r), new DerInteger(s)).GetDerEncoded();
-		}
-
-		private BigInteger[] DerDecode(
-			byte[] encoding)
-		{
-			Asn1Sequence s = (Asn1Sequence) Asn1Object.FromByteArray(encoding);
-
-			return new BigInteger[]
-			{
-				((DerInteger) s[0]).Value,
-				((DerInteger) s[1]).Value
-			};
-		}
+        protected virtual BigInteger GetOrder()
+        {
+            return dsa is IDsaExt ? ((IDsaExt)dsa).Order : null;
+        }
 	}
 }