1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as
6 // defined in FIPS 186-3.
10 // [NSA]: Suite B implementer's guide to FIPS 186-3,
11 // http://www.nsa.gov/ia/_files/ecdsa.pdf
13 // http://www.secg.org/download/aid-780/sec1-v2.pdf
21 // PublicKey represents an ECDSA public key.
22 type PublicKey struct {
27 // PrivateKey represents a ECDSA private key.
28 type PrivateKey struct {
33 var one = new(big.Int).SetInt64(1)
35 // randFieldElement returns a random element of the field underlying the given
36 // curve using the procedure given in [NSA] A.2.1.
37 func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error) {
39 b := make([]byte, params.BitSize/8+8)
40 _, err = io.ReadFull(rand, b)
45 k = new(big.Int).SetBytes(b)
46 n := new(big.Int).Sub(params.N, one)
52 // GenerateKey generates a public&private key pair.
53 func GenerateKey(c elliptic.Curve, rand io.Reader) (priv *PrivateKey, err error) {
54 k, err := randFieldElement(c, rand)
59 priv = new(PrivateKey)
60 priv.PublicKey.Curve = c
62 priv.PublicKey.X, priv.PublicKey.Y = c.ScalarBaseMult(k.Bytes())
66 // hashToInt converts a hash value to an integer. There is some disagreement
67 // about how this is done. [NSA] suggests that this is done in the obvious
68 // manner, but [SECG] truncates the hash to the bit-length of the curve order
69 // first. We follow [SECG] because that's what OpenSSL does. Additionally,
70 // OpenSSL right shifts excess bits from the number if the hash is too large
71 // and we mirror that too.
72 func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
73 orderBits := c.Params().N.BitLen()
74 orderBytes := (orderBits + 7) / 8
75 if len(hash) > orderBytes {
76 hash = hash[:orderBytes]
79 ret := new(big.Int).SetBytes(hash)
80 excess := len(hash)*8 - orderBits
82 ret.Rsh(ret, uint(excess))
87 // Sign signs an arbitrary length hash (which should be the result of hashing a
88 // larger message) using the private key, priv. It returns the signature as a
89 // pair of integers. The security of the private key depends on the entropy of
91 func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
93 c := priv.PublicKey.Curve
99 k, err = randFieldElement(c, rand)
105 kInv = new(big.Int).ModInverse(k, N)
106 r, _ = priv.Curve.ScalarBaseMult(k.Bytes())
113 e := hashToInt(hash, c)
114 s = new(big.Int).Mul(priv.D, r)
126 // Verify verifies the signature in r, s of hash using the public key, pub. It
127 // returns true iff the signature is valid.
128 func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
133 if r.Sign() == 0 || s.Sign() == 0 {
136 if r.Cmp(N) >= 0 || s.Cmp(N) >= 0 {
139 e := hashToInt(hash, c)
140 w := new(big.Int).ModInverse(s, N)
147 x1, y1 := c.ScalarBaseMult(u1.Bytes())
148 x2, y2 := c.ScalarMult(pub.X, pub.Y, u2.Bytes())
149 x, y := c.Add(x1, y1, x2, y2)
150 if x.Sign() == 0 && y.Sign() == 0 {