This repository has been archived by the owner on Feb 22, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
rfc6979.go
96 lines (78 loc) · 2.79 KB
/
rfc6979.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
package crypto
import (
"crypto/ecdsa"
"crypto/sha256"
"fmt"
"math/big"
"github.com/nspcc-dev/neofs-crypto/internal"
"github.com/nspcc-dev/rfc6979"
)
const (
// RFC6979SignatureSize contains r and s coordinates (32 bytes).
RFC6979SignatureSize = 64
// ErrWrongHashSize when passed signature to VerifyRFC6979 has wrong size.
ErrWrongHashSize = internal.Error("wrong hash size")
// ErrWrongSignature when passed signature to VerifyRFC6979 isn't valid.
ErrWrongSignature = internal.Error("wrong signature")
)
// hashBytesRFC6979 returns the sha256 sum.
func hashBytesRFC6979(data []byte) []byte {
sign := sha256.Sum256(data)
return sign[:]
}
// SignRFC6979 signs an arbitrary length hash (which should be the result of
// hashing a larger message) using the private key. It returns the
// signature as a pair of integers.
//
// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
// to the byte-length of the subgroup. This function does not perform that.
func SignRFC6979(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
return SignRFC6979Hash(key, hashBytesRFC6979(msg))
}
// SignRFC6979Hash signs sha256 hash of the message using the private key.
func SignRFC6979Hash(key *ecdsa.PrivateKey, msgHash []byte) ([]byte, error) {
if key == nil {
return nil, ErrEmptyPrivateKey
}
r, s := rfc6979.SignECDSA(key, msgHash, sha256.New)
rBytes, sBytes := r.Bytes(), s.Bytes()
signature := make([]byte, RFC6979SignatureSize)
// if `r` has less than 32 bytes, add leading zeros
ind := RFC6979SignatureSize/2 - len(rBytes)
copy(signature[ind:], rBytes)
// if `s` has less than 32 bytes, add leading zeros
ind = RFC6979SignatureSize - len(sBytes)
copy(signature[ind:], sBytes)
return signature, nil
}
func decodeSignature(sig []byte) (*big.Int, *big.Int, error) {
if ln := len(sig); ln != RFC6979SignatureSize {
return nil, nil, fmt.Errorf("%w: actual=%d, expect=%d",
ErrWrongHashSize, ln, RFC6979SignatureSize)
}
return new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]), nil
}
// VerifyRFC6979 verifies the signature of msg using the public key. It
// return nil only if signature is valid.
func VerifyRFC6979(key *ecdsa.PublicKey, msg, sig []byte) error {
if key == nil {
return ErrEmptyPublicKey
} else if r, s, err := decodeSignature(sig); err != nil {
return err
} else if !ecdsa.Verify(key, hashBytesRFC6979(msg), r, s) {
return ErrWrongSignature
}
return nil
}
// VerifyRFC6979 verifies the signature of msg using the public key. It
// return nil only if signature is valid.
func VerifyRFC6979Hash(key *ecdsa.PublicKey, msgHash, sig []byte) error {
if key == nil {
return ErrEmptyPublicKey
} else if r, s, err := decodeSignature(sig); err != nil {
return err
} else if !ecdsa.Verify(key, msgHash, r, s) {
return ErrWrongSignature
}
return nil
}