Author: toad
Date: 2007-02-09 19:45:11 +0000 (Fri, 09 Feb 2007)
New Revision: 11716
Modified:
trunk/freenet/src/freenet/crypt/DSA.java
Log:
If q is only 256 bits long, then limit m to 255 bits in order to be sure that m
< q
Modified: trunk/freenet/src/freenet/crypt/DSA.java
===================================================================
--- trunk/freenet/src/freenet/crypt/DSA.java 2007-02-09 19:38:39 UTC (rev
11715)
+++ trunk/freenet/src/freenet/crypt/DSA.java 2007-02-09 19:45:11 UTC (rev
11716)
@@ -15,17 +15,25 @@
*/
public class DSA {
+ // FIXME DSAgroupBigA is 256 bits long and therefore cannot accomodate
+ // all SHA-256 output's. Therefore we chop it down to 255 bits.
+
+ static final BigInteger SIGNATURE_MASK =
+ Util.TWO.pow(255).subtract(BigInteger.ONE);
+
/**
* Returns a DSA signature given a group, private key (x), a random
nonce
* (k), and the hash of the message (m).
*/
- public static DSASignature sign(DSAGroup g,
+ static DSASignature sign(DSAGroup g,
DSAPrivateKey x,
BigInteger k,
BigInteger m,
RandomSource random) {
if(k.signum() == -1) throw new IllegalArgumentException();
if(m.signum() == -1) throw new IllegalArgumentException();
+ if(g.getQ().bitLength() == 256)
+ m = m.and(SIGNATURE_MASK);
if(m.compareTo(g.getQ()) != -1)
throw new IllegalArgumentException();
BigInteger r=g.getG().modPow(k, g.getP()).mod(g.getQ());
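Review bot: `m = m.and(SIGNATURE_MASK)` discards bit 255 of the digest, so two hashes that differ only in that bit produce and accept the same signature. The result also differs from standard DSA, where FIPS 186-3 takes the leftmost min(N, outlen) bits of the hash and reduces modulo q rather than masking. The same two lines are repeated in the verify hunk further down; a single package-private helper called from both places (for example `static BigInteger truncateHash(DSAGroup g, BigInteger m)`) would keep signing and verification from drifting apart. The FIXME should also record that the guard is `bitLength() == 256` only, so a group with any other q length still reaches the `IllegalArgumentException` whenever m >= q. The body of sign continues past the end of this hunk.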
@@ -61,7 +69,7 @@
* the precalculated values of r and k^-1, and the hash
* of the message (m)
*/
- public static DSASignature sign(DSAGroup g, DSAPrivateKey x,
+ static DSASignature sign(DSAGroup g, DSAPrivateKey x,
BigInteger r, BigInteger kInv,
BigInteger m, RandomSource random) {
BigInteger s1=m.add(x.getX().multiply(r)).mod(g.getQ());
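Review bot: This overload feeds m straight into `m.add(x.getX().multiply(r)).mod(g.getQ())` with no `SIGNATURE_MASK` step and no range check visible in the hunk, while verify now masks m for a 256-bit q. If a caller passes a digest with bit 255 set, the signature is computed over m mod q but verify checks it against m with bit 255 cleared, so a legitimately produced signature would be rejected. The nonce-based sign may already pass its masked m here, but that call is outside the hunk. Adding `if(g.getQ().bitLength() == 256) m = m.and(SIGNATURE_MASK);` at the top of this method costs nothing, because masking twice is harmless, and makes the overload safe for direct callers. The method body continues past the hunk.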
@@ -89,6 +97,8 @@
DSASignature sig,
BigInteger m) {
if(m.signum() == -1) throw new IllegalArgumentException();
+ if(kp.getGroup().getQ().bitLength() == 256)
+ m = m.and(SIGNATURE_MASK);
try {
// 0<r<q has to be true
if((sig.getR().compareTo(BigInteger.ZERO) < 1) ||
(kp.getQ().compareTo(sig.getR()) < 1)) {