2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30 * This class contains some utility methods used for DSA and ECDSA.
33 public class DSAUtils {
36 * Convert an ASN.1 DSA signature to "raw" format. A "raw" signature
37 * is the concatenation of two unsigned big-endian integers of
38 * the same length. An ASN.1 signature is a DER-encoded SEQUENCE
39 * of two INTEGER values. The returned signature will have the
40 * minimum length that can hold the two signature elements; use
41 * SigRawNormalize() to adjust that length.
43 * If the source signature is syntaxically invalid (not valid DER),
44 * then null is returned.
46 public static byte[] SigAsn1ToRaw(byte[] sig)
48 return SigAsn1ToRaw(sig, 0, sig.Length);
51 public static byte[] SigAsn1ToRaw(byte[] sig, int off, int len)
54 if (len <= 2 || sig[off ++] != 0x30) {
57 int tlen = DecodeLength(sig, ref off, lim);
58 if (tlen != (lim - off)) {
63 if (!DecodeInteger(sig, ref off, lim, out roff, out rlen)) {
66 if (!DecodeInteger(sig, ref off, lim, out soff, out slen)) {
72 int ulen = Math.Max(rlen, slen);
73 byte[] raw = new byte[ulen << 1];
74 Array.Copy(sig, roff, raw, ulen - rlen, rlen);
75 Array.Copy(sig, soff, raw, (ulen << 1) - slen, slen);
79 static int DecodeLength(byte[] buf, ref int off, int lim)
100 acc = (acc << 8) + buf[off ++];
105 static bool DecodeInteger(byte[] buf, ref int off, int lim,
106 out int voff, out int vlen)
110 if (off >= lim || buf[off ++] != 0x02) {
113 int len = DecodeLength(buf, ref off, lim);
114 if (len <= 0 || len > (lim - off)) {
120 while (vlen > 1 && buf[voff] == 0x00) {
128 * Reduce a "raw" signature to its minimal length. The minimal
129 * length depends on the values of the inner elements; normally,
130 * that length is equal to twice the length of the encoded
131 * subgroup order, but it can be shorter by a few bytes
132 * (occasionally by two bytes; shorter signatures are very
135 * If the source signature is null or has an odd length, then
136 * null is returned. If the source signature already has
137 * minimal length, then it is returned as is. Otherwise,
138 * a new array is created with the minimal length, filled,
141 public static byte[] SigRawMinimalize(byte[] sigRaw)
143 int minLen = GetMinRawLength(sigRaw);
147 if (minLen == sigRaw.Length) {
150 int m = sigRaw.Length >> 1;
151 int lh = minLen >> 1;
152 byte[] sig = new byte[lh + lh];
153 Array.Copy(sigRaw, m - lh, sig, 0, lh);
154 Array.Copy(sigRaw, m + m - lh, sig, lh, lh);
159 * Normalize a "raw" signature to the specified length. If
160 * the source array already has the right length, then it is
161 * returned as is. Otherwise, a new array is created with the
162 * requested length, and filled with the signature elements.
164 * If the source signature is null, or has an odd length, then
165 * null is returned. If the requested length is not valid (odd
166 * length) or cannot be achieved (because the signature elements
167 * are too large), then null is returned.
169 public static byte[] SigRawNormalize(byte[] sigRaw, int len)
171 int minLen = GetMinRawLength(sigRaw);
175 if ((len & 1) != 0) {
179 if (sigRaw.Length == len) {
182 int m = sigRaw.Length >> 1;
183 int lh = minLen >> 1;
184 byte[] sig = new byte[len];
185 Array.Copy(sigRaw, m - lh, sig, hlen - lh, lh);
186 Array.Copy(sigRaw, m + m - lh, sig, len - lh, lh);
190 static int GetMinRawLength(byte[] sig)
192 if (sig == null || (sig.Length & 1) != 0) {
195 int m = sig.Length << 1;
197 for (lr = m; lr > 0; lr --) {
198 if (sig[m - lr] != 0) {
202 for (ls = m; ls > 0; ls --) {
203 if (sig[m + m - ls] != 0) {
207 return Math.Max(lr, ls) << 1;
211 * Convert a "raw" DSA signature to ASN.1. A "raw" signature
212 * is the concatenation of two unsigned big-endian integers of
213 * the same length. An ASN.1 signature is a DER-encoded SEQUENCE
214 * of two INTEGER values.
216 * If the source signature is syntaxically invalid (zero length,
217 * or odd length), then null is returned.
219 public static byte[] SigRawToAsn1(byte[] sig)
221 return SigRawToAsn1(sig, 0, sig.Length);
224 public static byte[] SigRawToAsn1(byte[] sig, int off, int len)
226 if (len <= 0 || (len & 1) != 0) {
230 int rlen = LengthOfInteger(sig, off, tlen);
231 int slen = LengthOfInteger(sig, off + tlen, tlen);
232 int ulen = 1 + LengthOfLength(rlen) + rlen
233 + 1 + LengthOfLength(slen) + slen;
234 byte[] s = new byte[1 + LengthOfLength(ulen) + ulen];
237 k += EncodeLength(ulen, s, k);
238 k += EncodeInteger(sig, off, tlen, s, k);
239 k += EncodeInteger(sig, off + tlen, tlen, s, k);
242 throw new Exception("DSA internal error");
248 * Get the length of the value of an INTEGER containing a
249 * specified value. Returned length includes the leading 0x00
250 * byte (if applicable) but not the tag or length fields.
252 static int LengthOfInteger(byte[] x, int off, int len)
254 while (len > 0 && x[off] == 0) {
261 return (x[off] >= 0x80) ? len + 1 : len;
264 static int LengthOfLength(int len)
268 } else if (len < 0x100) {
270 } else if (len < 0x10000) {
272 } else if (len < 0x1000000) {
279 static int EncodeLength(int len, byte[] dst, int off)
282 dst[off] = (byte)len;
286 for (int z = len; z != 0; z >>= 8) {
289 dst[off] = (byte)(0x80 + k);
290 for (int i = 0; i < k; i ++) {
291 dst[off + k - i] = (byte)(len >> (i << 3));
296 static int EncodeInteger(byte[] x, int off, int len,
297 byte[] dst, int dstOff)
300 dst[dstOff ++] = 0x02;
301 while (len > 0 && x[off] == 0) {
306 dst[dstOff ++] = 0x01;
307 dst[dstOff ++] = 0x00;
308 return dstOff - orig;
310 if (x[off] >= 0x80) {
311 dstOff += EncodeLength(len + 1, dst, dstOff);
312 dst[dstOff ++] = 0x00;
314 dstOff += EncodeLength(len, dst, dstOff);
316 Array.Copy(x, off, dst, dstOff, len);
318 return dstOff - orig;