alpcentaur
/
basabuuka_prototyp
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
4.1 GiB
Tree: b919ddd513
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b919ddd513'
${ noResults }
basabuuka_prototyp/venv/lib/python3.5/site-packages/ecdsa/util.py

247 lines
9.6 KiB
Raw Normal View History

initial commit
4 years ago
 
  1. from __future__ import division
  2. 

  3. import os
  4. import math
  5. import binascii
  6. from hashlib import sha256
  7. from . import der
  8. from .curves import orderlen
  9. from .six import PY3, int2byte, b, next
  10. 

  11. # RFC5480:
  12. #   The "unrestricted" algorithm identifier is:
  13. #     id-ecPublicKey OBJECT IDENTIFIER ::= {
  14. #       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
  15. 

  16. oid_ecPublicKey = (1, 2, 840, 10045, 2, 1)
  17. encoded_oid_ecPublicKey = der.encode_oid(*oid_ecPublicKey)
  18. 

  19. def randrange(order, entropy=None):
  20.     """Return a random integer k such that 1 <= k < order, uniformly

  21.     distributed across that range. For simplicity, this only behaves well if
  22.     'order' is fairly close (but below) a power of 256. The try-try-again
  23.     algorithm we use takes longer and longer time (on average) to complete as
  24.     'order' falls, rising to a maximum of avg=512 loops for the worst-case
  25.     (256**k)+1 . All of the standard curves behave well. There is a cutoff at
  26.     10k loops (which raises RuntimeError) to prevent an infinite loop when
  27.     something is really broken like the entropy function not working.
  28. 

  29.     Note that this function is not declared to be forwards-compatible: we may
  30.     change the behavior in future releases. The entropy= argument (which
  31.     should get a callable that behaves like os.urandom) can be used to
  32.     achieve stability within a given release (for repeatable unit tests), but
  33.     should not be used as a long-term-compatible key generation algorithm.
  34.     """

  35.     # we could handle arbitrary orders (even 256**k+1) better if we created
  36.     # candidates bit-wise instead of byte-wise, which would reduce the
  37.     # worst-case behavior to avg=2 loops, but that would be more complex. The
  38.     # change would be to round the order up to a power of 256, subtract one
  39.     # (to get 0xffff..), use that to get a byte-long mask for the top byte,
  40.     # generate the len-1 entropy bytes, generate one extra byte and mask off
  41.     # the top bits, then combine it with the rest. Requires jumping back and
  42.     # forth between strings and integers a lot.
  43. 

  44.     if entropy is None:
  45.         entropy = os.urandom
  46.     assert order > 1
  47.     bytes = orderlen(order)
  48.     dont_try_forever = 10000 # gives about 2**-60 failures for worst case
  49.     while dont_try_forever > 0:
  50.         dont_try_forever -= 1
  51.         candidate = string_to_number(entropy(bytes)) + 1
  52.         if 1 <= candidate < order:
  53.             return candidate
  54.         continue
  55.     raise RuntimeError("randrange() tried hard but gave up, either something"
  56.                        " is very wrong or you got realllly unlucky. Order was"
  57.                        " %x" % order)
  58. 

  59. class PRNG:
  60.     # this returns a callable which, when invoked with an integer N, will
  61.     # return N pseudorandom bytes. Note: this is a short-term PRNG, meant
  62.     # primarily for the needs of randrange_from_seed__trytryagain(), which
  63.     # only needs to run it a few times per seed. It does not provide
  64.     # protection against state compromise (forward security).
  65.     def __init__(self, seed):
  66.         self.generator = self.block_generator(seed)
  67. 

  68.     def __call__(self, numbytes):
  69.         a = [next(self.generator) for i in range(numbytes)]
  70. 

  71.         if PY3:
  72.             return bytes(a)
  73.         else:
  74.             return "".join(a)
  75. 

  76. 

  77.     def block_generator(self, seed):
  78.         counter = 0
  79.         while True:
  80.             for byte in sha256(("prng-%d-%s" % (counter, seed)).encode()).digest():
  81.                 yield byte
  82.             counter += 1
  83. 

  84. def randrange_from_seed__overshoot_modulo(seed, order):
  85.     # hash the data, then turn the digest into a number in [1,order).
  86.     #
  87.     # We use David-Sarah Hopwood's suggestion: turn it into a number that's
  88.     # sufficiently larger than the group order, then modulo it down to fit.
  89.     # This should give adequate (but not perfect) uniformity, and simple
  90.     # code. There are other choices: try-try-again is the main one.
  91.     base = PRNG(seed)(2*orderlen(order))
  92.     number = (int(binascii.hexlify(base), 16) % (order-1)) + 1
  93.     assert 1 <= number < order, (1, number, order)
  94.     return number
  95. 

  96. def lsb_of_ones(numbits):
  97.     return (1 << numbits) - 1
  98. def bits_and_bytes(order):
  99.     bits = int(math.log(order-1, 2)+1)
  100.     bytes = bits // 8
  101.     extrabits = bits % 8
  102.     return bits, bytes, extrabits
  103. 

  104. # the following randrange_from_seed__METHOD() functions take an
  105. # arbitrarily-sized secret seed and turn it into a number that obeys the same
  106. # range limits as randrange() above. They are meant for deriving consistent
  107. # signing keys from a secret rather than generating them randomly, for
  108. # example a protocol in which three signing keys are derived from a master
  109. # secret. You should use a uniformly-distributed unguessable seed with about
  110. # curve.baselen bytes of entropy. To use one, do this:
  111. #   seed = os.urandom(curve.baselen) # or other starting point
  112. #   secexp = ecdsa.util.randrange_from_seed__trytryagain(sed, curve.order)
  113. #   sk = SigningKey.from_secret_exponent(secexp, curve)
  114. 

  115. def randrange_from_seed__truncate_bytes(seed, order, hashmod=sha256):
  116.     # hash the seed, then turn the digest into a number in [1,order), but
  117.     # don't worry about trying to uniformly fill the range. This will lose,
  118.     # on average, four bits of entropy.
  119.     bits, bytes, extrabits = bits_and_bytes(order)
  120.     if extrabits:
  121.         bytes += 1
  122.     base = hashmod(seed).digest()[:bytes]
  123.     base = "\x00"*(bytes-len(base)) + base
  124.     number = 1+int(binascii.hexlify(base), 16)
  125.     assert 1 <= number < order
  126.     return number
  127. 

  128. def randrange_from_seed__truncate_bits(seed, order, hashmod=sha256):
  129.     # like string_to_randrange_truncate_bytes, but only lose an average of
  130.     # half a bit
  131.     bits = int(math.log(order-1, 2)+1)
  132.     maxbytes = (bits+7) // 8
  133.     base = hashmod(seed).digest()[:maxbytes]
  134.     base = "\x00"*(maxbytes-len(base)) + base
  135.     topbits = 8*maxbytes - bits
  136.     if topbits:
  137.         base = int2byte(ord(base[0]) & lsb_of_ones(topbits)) + base[1:]
  138.     number = 1+int(binascii.hexlify(base), 16)
  139.     assert 1 <= number < order
  140.     return number
  141. 

  142. def randrange_from_seed__trytryagain(seed, order):
  143.     # figure out exactly how many bits we need (rounded up to the nearest
  144.     # bit), so we can reduce the chance of looping to less than 0.5 . This is
  145.     # specified to feed from a byte-oriented PRNG, and discards the
  146.     # high-order bits of the first byte as necessary to get the right number
  147.     # of bits. The average number of loops will range from 1.0 (when
  148.     # order=2**k-1) to 2.0 (when order=2**k+1).
  149.     assert order > 1
  150.     bits, bytes, extrabits = bits_and_bytes(order)
  151.     generate = PRNG(seed)
  152.     while True:
  153.         extrabyte = b("")
  154.         if extrabits:
  155.             extrabyte = int2byte(ord(generate(1)) & lsb_of_ones(extrabits))
  156.         guess = string_to_number(extrabyte + generate(bytes)) + 1
  157.         if 1 <= guess < order:
  158.             return guess
  159. 

  160. 

  161. def number_to_string(num, order):
  162.     l = orderlen(order)
  163.     fmt_str = "%0" + str(2*l) + "x"
  164.     string = binascii.unhexlify((fmt_str % num).encode())
  165.     assert len(string) == l, (len(string), l)
  166.     return string
  167. 

  168. def number_to_string_crop(num, order):
  169.     l = orderlen(order)
  170.     fmt_str = "%0" + str(2*l) + "x"
  171.     string = binascii.unhexlify((fmt_str % num).encode())
  172.     return string[:l]
  173. 

  174. def string_to_number(string):
  175.     return int(binascii.hexlify(string), 16)
  176. 

  177. def string_to_number_fixedlen(string, order):
  178.     l = orderlen(order)
  179.     assert len(string) == l, (len(string), l)
  180.     return int(binascii.hexlify(string), 16)
  181. 

  182. # these methods are useful for the sigencode= argument to SK.sign() and the
  183. # sigdecode= argument to VK.verify(), and control how the signature is packed
  184. # or unpacked.
  185. 

  186. def sigencode_strings(r, s, order):
  187.     r_str = number_to_string(r, order)
  188.     s_str = number_to_string(s, order)
  189.     return (r_str, s_str)
  190. 

  191. def sigencode_string(r, s, order):
  192.     # for any given curve, the size of the signature numbers is
  193.     # fixed, so just use simple concatenation
  194.     r_str, s_str = sigencode_strings(r, s, order)
  195.     return r_str + s_str
  196. 

  197. def sigencode_der(r, s, order):
  198.     return der.encode_sequence(der.encode_integer(r), der.encode_integer(s))
  199. 

  200. # canonical versions of sigencode methods
  201. # these enforce low S values, by negating the value (modulo the order) if above order/2
  202. # see CECKey::Sign() https://github.com/bitcoin/bitcoin/blob/master/src/key.cpp#L214
  203. def sigencode_strings_canonize(r, s, order):
  204.     if s > order / 2:
  205.         s = order - s
  206.     return sigencode_strings(r, s, order)
  207. 

  208. def sigencode_string_canonize(r, s, order):
  209.     if s > order / 2:
  210.         s = order - s
  211.     return sigencode_string(r, s, order)
  212. 

  213. def sigencode_der_canonize(r, s, order):
  214.     if s > order / 2:
  215.         s = order - s
  216.     return sigencode_der(r, s, order)
  217. 

  218. 

  219. def sigdecode_string(signature, order):
  220.     l = orderlen(order)
  221.     assert len(signature) == 2*l, (len(signature), 2*l)
  222.     r = string_to_number_fixedlen(signature[:l], order)
  223.     s = string_to_number_fixedlen(signature[l:], order)
  224.     return r, s
  225. 

  226. def sigdecode_strings(rs_strings, order):
  227.     (r_str, s_str) = rs_strings
  228.     l = orderlen(order)
  229.     assert len(r_str) == l, (len(r_str), l)
  230.     assert len(s_str) == l, (len(s_str), l)
  231.     r = string_to_number_fixedlen(r_str, order)
  232.     s = string_to_number_fixedlen(s_str, order)
  233.     return r, s
  234. 

  235. def sigdecode_der(sig_der, order):
  236.     #return der.encode_sequence(der.encode_integer(r), der.encode_integer(s))
  237.     rs_strings, empty = der.remove_sequence(sig_der)
  238.     if empty != b(""):
  239.         raise der.UnexpectedDER("trailing junk after DER sig: %s" %
  240.                                 binascii.hexlify(empty))
  241.     r, rest = der.remove_integer(rs_strings)
  242.     s, empty = der.remove_integer(rest)
  243.     if empty != b(""):
  244.         raise der.UnexpectedDER("trailing junk after DER numbers: %s" %
  245.                                 binascii.hexlify(empty))
  246.     return r, s
  247.