13440284808

Committed 20 Feb 2025 04:43PM UTC coverage: 99.572% (-0.01%) from 99.583%

Build # 13440284808

Build Type

Pull #351

github

Committed by

web-flow

Commit Message

Merge 098198aab into ea9666903

Pull Request Pull Request #351: update CI to make 3.7 continue to work

Run Details

2523 of 2534 branches covered (99.57%)

Branch coverage included in aggregate %.

6545 of 6573 relevant lines covered (99.57%)

19.16 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

87.91

/src/ecdsa/util.py

"""
This module includes some utility functions.

The methods most typically used are the sigencode and sigdecode functions
to be used with :func:`~ecdsa.keys.SigningKey.sign` and
:func:`~ecdsa.keys.VerifyingKey.verify`
respectively. See the :func:`sigencode_strings`, :func:`sigdecode_string`,
:func:`sigencode_der`, :func:`sigencode_strings_canonize`,
:func:`sigencode_string_canonize`, :func:`sigencode_der_canonize`,
:func:`sigdecode_strings`, :func:`sigdecode_string`, and
:func:`sigdecode_der` functions.
"""

from __future__ import division

import os
import math
import binascii
import sys
from hashlib import sha256
from six import PY2, int2byte, next
from . import der
from ._compat import normalise_bytes


# RFC5480:
#   The "unrestricted" algorithm identifier is:
#     id-ecPublicKey OBJECT IDENTIFIER ::= {
#       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

oid_ecPublicKey = (1, 2, 840, 10045, 2, 1)
encoded_oid_ecPublicKey = der.encode_oid(*oid_ecPublicKey)

# RFC5480:
# The ECDH algorithm uses the following object identifier:
#      id-ecDH OBJECT IDENTIFIER ::= {
#        iso(1) identified-organization(3) certicom(132) schemes(1)
#        ecdh(12) }

oid_ecDH = (1, 3, 132, 1, 12)

# RFC5480:
# The ECMQV algorithm uses the following object identifier:
#      id-ecMQV OBJECT IDENTIFIER ::= {
#        iso(1) identified-organization(3) certicom(132) schemes(1)
#        ecmqv(13) }

oid_ecMQV = (1, 3, 132, 1, 13)

if sys.version_info >= (3,):  # pragma: no branch

    def entropy_to_bits(ent_256):
        """Convert a bytestring to string of 0's and 1's"""
        return bin(int.from_bytes(ent_256, "big"))[2:].zfill(len(ent_256) * 8)

else:

    def entropy_to_bits(ent_256):
        """Convert a bytestring to string of 0's and 1's"""
        return "".join(bin(ord(x))[2:].zfill(8) for x in ent_256)


if sys.version_info < (2, 7):  # pragma: no branch
    # Can't add a method to a built-in type so we are stuck with this
    def bit_length(x):
        return len(bin(x)) - 2

else:

    def bit_length(x):
        return x.bit_length() or 1


def orderlen(order):
    return (1 + len("%x" % order)) // 2  # bytes


def randrange(order, entropy=None):
    """Return a random integer k such that 1 <= k < order, uniformly
    distributed across that range. Worst case should be a mean of 2 loops at
    (2**k)+2.

    Note that this function is not declared to be forwards-compatible: we may
    change the behavior in future releases. The entropy= argument (which
    should get a callable that behaves like os.urandom) can be used to
    achieve stability within a given release (for repeatable unit tests), but
    should not be used as a long-term-compatible key generation algorithm.
    """
    assert order > 1
    if entropy is None:
        entropy = os.urandom
    upper_2 = bit_length(order - 2)
    upper_256 = upper_2 // 8 + 1
    while True:  # I don't think this needs a counter with bit-wise randrange
        ent_256 = entropy(upper_256)
        ent_2 = entropy_to_bits(ent_256)
        rand_num = int(ent_2[:upper_2], base=2) + 1
        if 0 < rand_num < order:
            return rand_num


class PRNG:
    # this returns a callable which, when invoked with an integer N, will
    # return N pseudorandom bytes. Note: this is a short-term PRNG, meant
    # primarily for the needs of randrange_from_seed__trytryagain(), which
    # only needs to run it a few times per seed. It does not provide
    # protection against state compromise (forward security).
    def __init__(self, seed):
        self.generator = self.block_generator(seed)

    def __call__(self, numbytes):
        a = [next(self.generator) for i in range(numbytes)]

        if PY2:  # pragma: no branch
            return "".join(a)
        else:
            return bytes(a)

    def block_generator(self, seed):
        counter = 0
        while True:
            for byte in sha256(
                ("prng-%d-%s" % (counter, seed)).encode()
            ).digest():
                yield byte
            counter += 1


def randrange_from_seed__overshoot_modulo(seed, order):
    # hash the data, then turn the digest into a number in [1,order).
    #
    # We use David-Sarah Hopwood's suggestion: turn it into a number that's
    # sufficiently larger than the group order, then modulo it down to fit.
    # This should give adequate (but not perfect) uniformity, and simple
    # code. There are other choices: try-try-again is the main one.
    base = PRNG(seed)(2 * orderlen(order))
    number = (int(binascii.hexlify(base), 16) % (order - 1)) + 1
    assert 1 <= number < order, (1, number, order)
    return number


def lsb_of_ones(numbits):
    return (1 << numbits) - 1


def bits_and_bytes(order):
    bits = int(math.log(order - 1, 2) + 1)
    bytes = bits // 8
    extrabits = bits % 8
    return bits, bytes, extrabits


# the following randrange_from_seed__METHOD() functions take an
# arbitrarily-sized secret seed and turn it into a number that obeys the same
# range limits as randrange() above. They are meant for deriving consistent
# signing keys from a secret rather than generating them randomly, for
# example a protocol in which three signing keys are derived from a master
# secret. You should use a uniformly-distributed unguessable seed with about
# curve.baselen bytes of entropy. To use one, do this:
#   seed = os.urandom(curve.baselen) # or other starting point
#   secexp = ecdsa.util.randrange_from_seed__trytryagain(sed, curve.order)
#   sk = SigningKey.from_secret_exponent(secexp, curve)


def randrange_from_seed__truncate_bytes(seed, order, hashmod=sha256):
    # hash the seed, then turn the digest into a number in [1,order), but
    # don't worry about trying to uniformly fill the range. This will lose,
    # on average, four bits of entropy.
    bits, _bytes, extrabits = bits_and_bytes(order)
    if extrabits:
        _bytes += 1
    base = hashmod(seed).digest()[:_bytes]
    base = "\x00" * (_bytes - len(base)) + base
    number = 1 + int(binascii.hexlify(base), 16)
    assert 1 <= number < order
    return number


def randrange_from_seed__truncate_bits(seed, order, hashmod=sha256):
    # like string_to_randrange_truncate_bytes, but only lose an average of
    # half a bit
    bits = int(math.log(order - 1, 2) + 1)
    maxbytes = (bits + 7) // 8
    base = hashmod(seed).digest()[:maxbytes]
    base = "\x00" * (maxbytes - len(base)) + base
    topbits = 8 * maxbytes - bits
    if topbits:
        base = int2byte(ord(base[0]) & lsb_of_ones(topbits)) + base[1:]
    number = 1 + int(binascii.hexlify(base), 16)
    assert 1 <= number < order
    return number


def randrange_from_seed__trytryagain(seed, order):
    # figure out exactly how many bits we need (rounded up to the nearest
    # bit), so we can reduce the chance of looping to less than 0.5 . This is
    # specified to feed from a byte-oriented PRNG, and discards the
    # high-order bits of the first byte as necessary to get the right number
    # of bits. The average number of loops will range from 1.0 (when
    # order=2**k-1) to 2.0 (when order=2**k+1).
    assert order > 1
    bits, bytes, extrabits = bits_and_bytes(order)
    generate = PRNG(seed)
    while True:
        extrabyte = b""
        if extrabits:
            extrabyte = int2byte(ord(generate(1)) & lsb_of_ones(extrabits))
        guess = string_to_number(extrabyte + generate(bytes)) + 1
        if 1 <= guess < order:
            return guess


def number_to_string(num, order):
    l = orderlen(order)
    fmt_str = "%0" + str(2 * l) + "x"
    string = binascii.unhexlify((fmt_str % num).encode())
    assert len(string) == l, (len(string), l)
    return string


def number_to_string_crop(num, order):
    l = orderlen(order)
    fmt_str = "%0" + str(2 * l) + "x"
    string = binascii.unhexlify((fmt_str % num).encode())
    return string[:l]


def string_to_number(string):
    return int(binascii.hexlify(string), 16)


def string_to_number_fixedlen(string, order):
    l = orderlen(order)
    assert len(string) == l, (len(string), l)
    return int(binascii.hexlify(string), 16)


def sigencode_strings(r, s, order):
    """
    Encode the signature to a pair of strings in a tuple

    Encodes signature into raw encoding (:term:`raw encoding`) with the
    ``r`` and ``s`` parts of the signature encoded separately.

    It's expected that this function will be used as a ``sigencode=`` parameter
    in :func:`ecdsa.keys.SigningKey.sign` method.

    :param int r: first parameter of the signature
    :param int s: second parameter of the signature
    :param int order: the order of the curve over which the signature was
        computed

    :return: raw encoding of ECDSA signature
    :rtype: tuple(bytes, bytes)
    """
    r_str = number_to_string(r, order)
    s_str = number_to_string(s, order)
    return (r_str, s_str)


def sigencode_string(r, s, order):
    """
    Encode the signature to raw format (:term:`raw encoding`)

    It's expected that this function will be used as a ``sigencode=`` parameter
    in :func:`ecdsa.keys.SigningKey.sign` method.

    :param int r: first parameter of the signature
    :param int s: second parameter of the signature
    :param int order: the order of the curve over which the signature was
        computed

    :return: raw encoding of ECDSA signature
    :rtype: bytes
    """
    # for any given curve, the size of the signature numbers is
    # fixed, so just use simple concatenation
    r_str, s_str = sigencode_strings(r, s, order)
    return r_str + s_str


def sigencode_der(r, s, order):
    """
    Encode the signature into the ECDSA-Sig-Value structure using :term:`DER`.

    Encodes the signature to the following :term:`ASN.1` structure::

        Ecdsa-Sig-Value ::= SEQUENCE {
            r       INTEGER,
            s       INTEGER
        }

    It's expected that this function will be used as a ``sigencode=`` parameter
    in :func:`ecdsa.keys.SigningKey.sign` method.

    :param int r: first parameter of the signature
    :param int s: second parameter of the signature
    :param int order: the order of the curve over which the signature was
        computed

    :return: DER encoding of ECDSA signature
    :rtype: bytes
    """
    return der.encode_sequence(der.encode_integer(r), der.encode_integer(s))


def sigencode_strings_canonize(r, s, order):
    """
    Encode the signature to a pair of strings in a tuple

    Encodes signature into raw encoding (:term:`raw encoding`) with the
    ``r`` and ``s`` parts of the signature encoded separately.

    Makes sure that the signature is encoded in the canonical format, where
    the ``s`` parameter is always smaller than ``order / 2``.
    Most commonly used in bitcoin.

    It's expected that this function will be used as a ``sigencode=`` parameter
    in :func:`ecdsa.keys.SigningKey.sign` method.

    :param int r: first parameter of the signature
    :param int s: second parameter of the signature
    :param int order: the order of the curve over which the signature was
        computed

    :return: raw encoding of ECDSA signature
    :rtype: tuple(bytes, bytes)
    """
    if s > order / 2:
        s = order - s
    return sigencode_strings(r, s, order)


def sigencode_string_canonize(r, s, order):
    """
    Encode the signature to raw format (:term:`raw encoding`)

    Makes sure that the signature is encoded in the canonical format, where
    the ``s`` parameter is always smaller than ``order / 2``.
    Most commonly used in bitcoin.

    It's expected that this function will be used as a ``sigencode=`` parameter
    in :func:`ecdsa.keys.SigningKey.sign` method.

    :param int r: first parameter of the signature
    :param int s: second parameter of the signature
    :param int order: the order of the curve over which the signature was
        computed

    :return: raw encoding of ECDSA signature
    :rtype: bytes
    """
    if s > order / 2:
        s = order - s
    return sigencode_string(r, s, order)


def sigencode_der_canonize(r, s, order):
    """
    Encode the signature into the ECDSA-Sig-Value structure using :term:`DER`.

    Makes sure that the signature is encoded in the canonical format, where
    the ``s`` parameter is always smaller than ``order / 2``.
    Most commonly used in bitcoin.

    Encodes the signature to the following :term:`ASN.1` structure::

        Ecdsa-Sig-Value ::= SEQUENCE {
            r       INTEGER,
            s       INTEGER
        }

    It's expected that this function will be used as a ``sigencode=`` parameter
    in :func:`ecdsa.keys.SigningKey.sign` method.

    :param int r: first parameter of the signature
    :param int s: second parameter of the signature
    :param int order: the order of the curve over which the signature was
        computed

    :return: DER encoding of ECDSA signature
    :rtype: bytes
    """
    if s > order / 2:
        s = order - s
    return sigencode_der(r, s, order)


class MalformedSignature(Exception):
    """
    Raised by decoding functions when the signature is malformed.

    Malformed in this context means that the relevant strings or integers
    do not match what a signature over provided curve would create. Either
    because the byte strings have incorrect lengths or because the encoded
    values are too large.
    """

    pass


def sigdecode_string(signature, order):
    """
    Decoder for :term:`raw encoding`  of ECDSA signatures.

    raw encoding is a simple concatenation of the two integers that comprise
    the signature, with each encoded using the same amount of bytes depending
    on curve size/order.

    It's expected that this function will be used as the ``sigdecode=``
    parameter to the :func:`ecdsa.keys.VerifyingKey.verify` method.

    :param signature: encoded signature
    :type signature: bytes like object
    :param order: order of the curve over which the signature was computed
    :type order: int

    :raises MalformedSignature: when the encoding of the signature is invalid

    :return: tuple with decoded ``r`` and ``s`` values of signature
    :rtype: tuple of ints
    """
    signature = normalise_bytes(signature)
    l = orderlen(order)
    if not len(signature) == 2 * l:
        raise MalformedSignature(
            "Invalid length of signature, expected {0} bytes long, "
            "provided string is {1} bytes long".format(2 * l, len(signature))
        )
    r = string_to_number_fixedlen(signature[:l], order)
    s = string_to_number_fixedlen(signature[l:], order)
    return r, s


def sigdecode_strings(rs_strings, order):
    """
    Decode the signature from two strings.

    First string needs to be a big endian encoding of ``r``, second needs to
    be a big endian encoding of the ``s`` parameter of an ECDSA signature.

    It's expected that this function will be used as the ``sigdecode=``
    parameter to the :func:`ecdsa.keys.VerifyingKey.verify` method.

    :param list rs_strings: list of two bytes-like objects, each encoding one
        parameter of signature
    :param int order: order of the curve over which the signature was computed

    :raises MalformedSignature: when the encoding of the signature is invalid

    :return: tuple with decoded ``r`` and ``s`` values of signature
    :rtype: tuple of ints
    """
    if not len(rs_strings) == 2:
        raise MalformedSignature(
            "Invalid number of strings provided: {0}, expected 2".format(
                len(rs_strings)
            )
        )
    (r_str, s_str) = rs_strings
    r_str = normalise_bytes(r_str)
    s_str = normalise_bytes(s_str)
    l = orderlen(order)
    if not len(r_str) == l:
        raise MalformedSignature(
            "Invalid length of first string ('r' parameter), "
            "expected {0} bytes long, provided string is {1} "
            "bytes long".format(l, len(r_str))
        )
    if not len(s_str) == l:
        raise MalformedSignature(
            "Invalid length of second string ('s' parameter), "
            "expected {0} bytes long, provided string is {1} "
            "bytes long".format(l, len(s_str))
        )
    r = string_to_number_fixedlen(r_str, order)
    s = string_to_number_fixedlen(s_str, order)
    return r, s


def sigdecode_der(sig_der, order):
    """
    Decoder for DER format of ECDSA signatures.

    DER format of signature is one that uses the :term:`ASN.1` :term:`DER`
    rules to encode it as a sequence of two integers::

        Ecdsa-Sig-Value ::= SEQUENCE {
            r       INTEGER,
            s       INTEGER
        }

    It's expected that this function will be used as as the ``sigdecode=``
    parameter to the :func:`ecdsa.keys.VerifyingKey.verify` method.

    :param sig_der: encoded signature
    :type sig_der: bytes like object
    :param order: order of the curve over which the signature was computed
    :type order: int

    :raises UnexpectedDER: when the encoding of signature is invalid

    :return: tuple with decoded ``r`` and ``s`` values of signature
    :rtype: tuple of ints
    """
    sig_der = normalise_bytes(sig_der)
    # return der.encode_sequence(der.encode_integer(r), der.encode_integer(s))
    rs_strings, empty = der.remove_sequence(sig_der)
    if empty != b"":
        raise der.UnexpectedDER(
            "trailing junk after DER sig: %s" % binascii.hexlify(empty)
        )
    r, rest = der.remove_integer(rs_strings)
    s, empty = der.remove_integer(rest)
    if empty != b"":
        raise der.UnexpectedDER(
            "trailing junk after DER numbers: %s" % binascii.hexlify(empty)
        )
    return r, s

1	"""
2	This module includes some utility functions.
3
4	The methods most typically used are the sigencode and sigdecode functions
5	to be used with :func:`~ecdsa.keys.SigningKey.sign` and
6	:func:`~ecdsa.keys.VerifyingKey.verify`
7	respectively. See the :func:`sigencode_strings`, :func:`sigdecode_string`,
8	:func:`sigencode_der`, :func:`sigencode_strings_canonize`,
9	:func:`sigencode_string_canonize`, :func:`sigencode_der_canonize`,
10	:func:`sigdecode_strings`, :func:`sigdecode_string`, and
11	:func:`sigdecode_der` functions.
12	"""
13
14	from __future__ import division	20✔
15
16	import os	20✔
17	import math	20✔
18	import binascii	20✔
19	import sys	20✔
20	from hashlib import sha256	20✔
21	from six import PY2, int2byte, next	20✔
22	from . import der	20✔
23	from ._compat import normalise_bytes	20✔
24
25
26	# RFC5480:
27	# The "unrestricted" algorithm identifier is:
28	# id-ecPublicKey OBJECT IDENTIFIER ::= {
29	# iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
30
31	oid_ecPublicKey = (1, 2, 840, 10045, 2, 1)	20✔
32	encoded_oid_ecPublicKey = der.encode_oid(*oid_ecPublicKey)	20✔
33
34	# RFC5480:
35	# The ECDH algorithm uses the following object identifier:
36	# id-ecDH OBJECT IDENTIFIER ::= {
37	# iso(1) identified-organization(3) certicom(132) schemes(1)
38	# ecdh(12) }
39
40	oid_ecDH = (1, 3, 132, 1, 12)	20✔
41
42	# RFC5480:
43	# The ECMQV algorithm uses the following object identifier:
44	# id-ecMQV OBJECT IDENTIFIER ::= {
45	# iso(1) identified-organization(3) certicom(132) schemes(1)
46	# ecmqv(13) }
47
48	oid_ecMQV = (1, 3, 132, 1, 13)	20✔
49
50	if sys.version_info >= (3,): # pragma: no branch	20✔
51
52	def entropy_to_bits(ent_256):	12✔
53	"""Convert a bytestring to string of 0's and 1's"""
54	return bin(int.from_bytes(ent_256, "big"))[2:].zfill(len(ent_256) * 8)	12✔
55
56	else:
57
58	def entropy_to_bits(ent_256):	8✔
59	"""Convert a bytestring to string of 0's and 1's"""
60	return "".join(bin(ord(x))[2:].zfill(8) for x in ent_256)	8✔
61
62
63	if sys.version_info < (2, 7): # pragma: no branch	20✔
64	# Can't add a method to a built-in type so we are stuck with this
65	def bit_length(x):	1✔
66	return len(bin(x)) - 2	1✔
67
68	else:
69
70	def bit_length(x):	19✔
71	return x.bit_length() or 1	19✔
72
73
74	def orderlen(order):	20✔
75	return (1 + len("%x" % order)) // 2 # bytes	20✔
76
77
78	def randrange(order, entropy=None):	20✔
79	"""Return a random integer k such that 1 <= k < order, uniformly
80	distributed across that range. Worst case should be a mean of 2 loops at
81	(2**k)+2.
82
83	Note that this function is not declared to be forwards-compatible: we may
84	change the behavior in future releases. The entropy= argument (which
85	should get a callable that behaves like os.urandom) can be used to
86	achieve stability within a given release (for repeatable unit tests), but
87	should not be used as a long-term-compatible key generation algorithm.
88	"""
89	assert order > 1	20✔
90	if entropy is None:	20✔
91	entropy = os.urandom	20✔
92	upper_2 = bit_length(order - 2)	20✔
93	upper_256 = upper_2 // 8 + 1	20✔
94	while True: # I don't think this needs a counter with bit-wise randrange	18✔
95	ent_256 = entropy(upper_256)	20✔
96	ent_2 = entropy_to_bits(ent_256)	20✔
97	rand_num = int(ent_2[:upper_2], base=2) + 1	20✔
98	if 0 < rand_num < order:	20✔
99	return rand_num	20✔
100
101
102	class PRNG:	20✔
103	# this returns a callable which, when invoked with an integer N, will
104	# return N pseudorandom bytes. Note: this is a short-term PRNG, meant
105	# primarily for the needs of randrange_from_seed__trytryagain(), which
106	# only needs to run it a few times per seed. It does not provide
107	# protection against state compromise (forward security).
108	def __init__(self, seed):	20✔
109	self.generator = self.block_generator(seed)	20✔
110
111	def __call__(self, numbytes):	20✔
112	a = [next(self.generator) for i in range(numbytes)]	20✔
113
114	if PY2: # pragma: no branch	20✔
115	return "".join(a)	8✔
116	else:
117	return bytes(a)	12✔
118
119	def block_generator(self, seed):	20✔
120	counter = 0	20✔
121	while True:	18✔
122	for byte in sha256(	20✔
123	("prng-%d-%s" % (counter, seed)).encode()
124	).digest():
125	yield byte	20✔
126	counter += 1	20✔
127
128
129	def randrange_from_seed__overshoot_modulo(seed, order):	20✔
130	# hash the data, then turn the digest into a number in [1,order).
131	#
132	# We use David-Sarah Hopwood's suggestion: turn it into a number that's
133	# sufficiently larger than the group order, then modulo it down to fit.
134	# This should give adequate (but not perfect) uniformity, and simple
135	# code. There are other choices: try-try-again is the main one.
136	base = PRNG(seed)(2 * orderlen(order))	×
137	number = (int(binascii.hexlify(base), 16) % (order - 1)) + 1	×
138	assert 1 <= number < order, (1, number, order)	×
139	return number	×
140
141
142	def lsb_of_ones(numbits):	20✔
143	return (1 << numbits) - 1	20✔
144
145
146	def bits_and_bytes(order):	20✔
147	bits = int(math.log(order - 1, 2) + 1)	20✔
148	bytes = bits // 8	20✔
149	extrabits = bits % 8	20✔
150	return bits, bytes, extrabits	20✔
151
152
153	# the following randrange_from_seed__METHOD() functions take an
154	# arbitrarily-sized secret seed and turn it into a number that obeys the same
155	# range limits as randrange() above. They are meant for deriving consistent
156	# signing keys from a secret rather than generating them randomly, for
157	# example a protocol in which three signing keys are derived from a master
158	# secret. You should use a uniformly-distributed unguessable seed with about
159	# curve.baselen bytes of entropy. To use one, do this:
160	# seed = os.urandom(curve.baselen) # or other starting point
161	# secexp = ecdsa.util.randrange_from_seed__trytryagain(sed, curve.order)
162	# sk = SigningKey.from_secret_exponent(secexp, curve)
163
164
165	def randrange_from_seed__truncate_bytes(seed, order, hashmod=sha256):	20✔
166	# hash the seed, then turn the digest into a number in [1,order), but
167	# don't worry about trying to uniformly fill the range. This will lose,
168	# on average, four bits of entropy.
169	bits, _bytes, extrabits = bits_and_bytes(order)	×
170	if extrabits:	×
171	_bytes += 1	×
172	base = hashmod(seed).digest()[:_bytes]	×
173	base = "\x00" * (_bytes - len(base)) + base	×
174	number = 1 + int(binascii.hexlify(base), 16)	×
175	assert 1 <= number < order	×
176	return number	×
177
178
179	def randrange_from_seed__truncate_bits(seed, order, hashmod=sha256):	20✔
180	# like string_to_randrange_truncate_bytes, but only lose an average of
181	# half a bit
182	bits = int(math.log(order - 1, 2) + 1)	×
183	maxbytes = (bits + 7) // 8	×
184	base = hashmod(seed).digest()[:maxbytes]	×
185	base = "\x00" * (maxbytes - len(base)) + base	×
186	topbits = 8 * maxbytes - bits	×
187	if topbits:	×
188	base = int2byte(ord(base[0]) & lsb_of_ones(topbits)) + base[1:]	×
189	number = 1 + int(binascii.hexlify(base), 16)	×
190	assert 1 <= number < order	×
191	return number	×
192
193
194	def randrange_from_seed__trytryagain(seed, order):	20✔
195	# figure out exactly how many bits we need (rounded up to the nearest
196	# bit), so we can reduce the chance of looping to less than 0.5 . This is
197	# specified to feed from a byte-oriented PRNG, and discards the
198	# high-order bits of the first byte as necessary to get the right number
199	# of bits. The average number of loops will range from 1.0 (when
200	# order=2k-1) to 2.0 (when order=2k+1).
201	assert order > 1	20✔
202	bits, bytes, extrabits = bits_and_bytes(order)	20✔
203	generate = PRNG(seed)	20✔
204	while True:	18✔
205	extrabyte = b""	20✔
206	if extrabits:	20✔
207	extrabyte = int2byte(ord(generate(1)) & lsb_of_ones(extrabits))	20✔
208	guess = string_to_number(extrabyte + generate(bytes)) + 1	20✔
209	if 1 <= guess < order:	20✔
210	return guess	20✔
211
212
213	def number_to_string(num, order):	20✔
214	l = orderlen(order)	20✔
215	fmt_str = "%0" + str(2 * l) + "x"	20✔
216	string = binascii.unhexlify((fmt_str % num).encode())	20✔
217	assert len(string) == l, (len(string), l)	20✔
218	return string	20✔
219
220
221	def number_to_string_crop(num, order):	20✔
222	l = orderlen(order)	20✔
223	fmt_str = "%0" + str(2 * l) + "x"	20✔
224	string = binascii.unhexlify((fmt_str % num).encode())	20✔
225	return string[:l]	20✔
226
227
228	def string_to_number(string):	20✔
229	return int(binascii.hexlify(string), 16)	20✔
230
231
232	def string_to_number_fixedlen(string, order):	20✔
233	l = orderlen(order)	20✔
234	assert len(string) == l, (len(string), l)	20✔
235	return int(binascii.hexlify(string), 16)	20✔
236
237
238	def sigencode_strings(r, s, order):	20✔
239	"""
240	Encode the signature to a pair of strings in a tuple
241
242	Encodes signature into raw encoding (:term:`raw encoding`) with the
243	``r`` and ``s`` parts of the signature encoded separately.
244
245	It's expected that this function will be used as a ``sigencode=`` parameter
246	in :func:`ecdsa.keys.SigningKey.sign` method.
247
248	:param int r: first parameter of the signature
249	:param int s: second parameter of the signature
250	:param int order: the order of the curve over which the signature was
251	computed
252
253	:return: raw encoding of ECDSA signature
254	:rtype: tuple(bytes, bytes)
255	"""
256	r_str = number_to_string(r, order)	20✔
257	s_str = number_to_string(s, order)	20✔
258	return (r_str, s_str)	20✔
259
260
261	def sigencode_string(r, s, order):	20✔
262	"""
263	Encode the signature to raw format (:term:`raw encoding`)
264
265	It's expected that this function will be used as a ``sigencode=`` parameter
266	in :func:`ecdsa.keys.SigningKey.sign` method.
267
268	:param int r: first parameter of the signature
269	:param int s: second parameter of the signature
270	:param int order: the order of the curve over which the signature was
271	computed
272
273	:return: raw encoding of ECDSA signature
274	:rtype: bytes
275	"""
276	# for any given curve, the size of the signature numbers is
277	# fixed, so just use simple concatenation
278	r_str, s_str = sigencode_strings(r, s, order)	20✔
279	return r_str + s_str	20✔
280
281
282	def sigencode_der(r, s, order):	20✔
283	"""
284	Encode the signature into the ECDSA-Sig-Value structure using :term:`DER`.
285
286	Encodes the signature to the following :term:`ASN.1` structure::
287
288	Ecdsa-Sig-Value ::= SEQUENCE {
289	r INTEGER,
290	s INTEGER
291	}
292
293	It's expected that this function will be used as a ``sigencode=`` parameter
294	in :func:`ecdsa.keys.SigningKey.sign` method.
295
296	:param int r: first parameter of the signature
297	:param int s: second parameter of the signature
298	:param int order: the order of the curve over which the signature was
299	computed
300
301	:return: DER encoding of ECDSA signature
302	:rtype: bytes
303	"""
304	return der.encode_sequence(der.encode_integer(r), der.encode_integer(s))	20✔
305
306
307	def sigencode_strings_canonize(r, s, order):	20✔
308	"""
309	Encode the signature to a pair of strings in a tuple
310
311	Encodes signature into raw encoding (:term:`raw encoding`) with the
312	``r`` and ``s`` parts of the signature encoded separately.
313
314	Makes sure that the signature is encoded in the canonical format, where
315	the ``s`` parameter is always smaller than ``order / 2``.
316	Most commonly used in bitcoin.
317
318	It's expected that this function will be used as a ``sigencode=`` parameter
319	in :func:`ecdsa.keys.SigningKey.sign` method.
320
321	:param int r: first parameter of the signature
322	:param int s: second parameter of the signature
323	:param int order: the order of the curve over which the signature was
324	computed
325
326	:return: raw encoding of ECDSA signature
327	:rtype: tuple(bytes, bytes)
328	"""
329	if s > order / 2:	20✔
330	s = order - s	20✔
331	return sigencode_strings(r, s, order)	20✔
332
333
334	def sigencode_string_canonize(r, s, order):	20✔
335	"""
336	Encode the signature to raw format (:term:`raw encoding`)
337
338	Makes sure that the signature is encoded in the canonical format, where
339	the ``s`` parameter is always smaller than ``order / 2``.
340	Most commonly used in bitcoin.
341
342	It's expected that this function will be used as a ``sigencode=`` parameter
343	in :func:`ecdsa.keys.SigningKey.sign` method.
344
345	:param int r: first parameter of the signature
346	:param int s: second parameter of the signature
347	:param int order: the order of the curve over which the signature was
348	computed
349
350	:return: raw encoding of ECDSA signature
351	:rtype: bytes
352	"""
353	if s > order / 2:	20✔
354	s = order - s	20✔
355	return sigencode_string(r, s, order)	20✔
356
357
358	def sigencode_der_canonize(r, s, order):	20✔
359	"""
360	Encode the signature into the ECDSA-Sig-Value structure using :term:`DER`.
361
362	Makes sure that the signature is encoded in the canonical format, where
363	the ``s`` parameter is always smaller than ``order / 2``.
364	Most commonly used in bitcoin.
365
366	Encodes the signature to the following :term:`ASN.1` structure::
367
368	Ecdsa-Sig-Value ::= SEQUENCE {
369	r INTEGER,
370	s INTEGER
371	}
372
373	It's expected that this function will be used as a ``sigencode=`` parameter
374	in :func:`ecdsa.keys.SigningKey.sign` method.
375
376	:param int r: first parameter of the signature
377	:param int s: second parameter of the signature
378	:param int order: the order of the curve over which the signature was
379	computed
380
381	:return: DER encoding of ECDSA signature
382	:rtype: bytes
383	"""
384	if s > order / 2:	20✔
385	s = order - s	20✔
386	return sigencode_der(r, s, order)	20✔
387
388
389	class MalformedSignature(Exception):	20✔
390	"""
391	Raised by decoding functions when the signature is malformed.
392
393	Malformed in this context means that the relevant strings or integers
394	do not match what a signature over provided curve would create. Either
395	because the byte strings have incorrect lengths or because the encoded
396	values are too large.
397	"""
398
399	pass	20✔
400
401
402	def sigdecode_string(signature, order):	20✔
403	"""
404	Decoder for :term:`raw encoding` of ECDSA signatures.
405
406	raw encoding is a simple concatenation of the two integers that comprise
407	the signature, with each encoded using the same amount of bytes depending
408	on curve size/order.
409
410	It's expected that this function will be used as the ``sigdecode=``
411	parameter to the :func:`ecdsa.keys.VerifyingKey.verify` method.
412
413	:param signature: encoded signature
414	:type signature: bytes like object
415	:param order: order of the curve over which the signature was computed
416	:type order: int
417
418	:raises MalformedSignature: when the encoding of the signature is invalid
419
420	:return: tuple with decoded ``r`` and ``s`` values of signature
421	:rtype: tuple of ints
422	"""
423	signature = normalise_bytes(signature)	20✔
424	l = orderlen(order)	20✔
425	if not len(signature) == 2 * l:	20✔
426	raise MalformedSignature(	20✔
427	"Invalid length of signature, expected {0} bytes long, "
428	"provided string is {1} bytes long".format(2 * l, len(signature))
429	)
430	r = string_to_number_fixedlen(signature[:l], order)	20✔
431	s = string_to_number_fixedlen(signature[l:], order)	20✔
432	return r, s	20✔
433
434
435	def sigdecode_strings(rs_strings, order):	20✔
436	"""
437	Decode the signature from two strings.
438
439	First string needs to be a big endian encoding of ``r``, second needs to
440	be a big endian encoding of the ``s`` parameter of an ECDSA signature.
441
442	It's expected that this function will be used as the ``sigdecode=``
443	parameter to the :func:`ecdsa.keys.VerifyingKey.verify` method.
444
445	:param list rs_strings: list of two bytes-like objects, each encoding one
446	parameter of signature
447	:param int order: order of the curve over which the signature was computed
448
449	:raises MalformedSignature: when the encoding of the signature is invalid
450
451	:return: tuple with decoded ``r`` and ``s`` values of signature
452	:rtype: tuple of ints
453	"""
454	if not len(rs_strings) == 2:	20✔
455	raise MalformedSignature(	20✔
456	"Invalid number of strings provided: {0}, expected 2".format(
457	len(rs_strings)
458	)
459	)
460	(r_str, s_str) = rs_strings	20✔
461	r_str = normalise_bytes(r_str)	20✔
462	s_str = normalise_bytes(s_str)	20✔
463	l = orderlen(order)	20✔
464	if not len(r_str) == l:	20✔
465	raise MalformedSignature(	20✔
466	"Invalid length of first string ('r' parameter), "
467	"expected {0} bytes long, provided string is {1} "
468	"bytes long".format(l, len(r_str))
469	)
470	if not len(s_str) == l:	20✔
471	raise MalformedSignature(	20✔
472	"Invalid length of second string ('s' parameter), "
473	"expected {0} bytes long, provided string is {1} "
474	"bytes long".format(l, len(s_str))
475	)
476	r = string_to_number_fixedlen(r_str, order)	20✔
477	s = string_to_number_fixedlen(s_str, order)	20✔
478	return r, s	20✔
479
480
481	def sigdecode_der(sig_der, order):	20✔
482	"""
483	Decoder for DER format of ECDSA signatures.
484
485	DER format of signature is one that uses the :term:`ASN.1` :term:`DER`
486	rules to encode it as a sequence of two integers::
487
488	Ecdsa-Sig-Value ::= SEQUENCE {
489	r INTEGER,
490	s INTEGER
491	}
492
493	It's expected that this function will be used as as the ``sigdecode=``
494	parameter to the :func:`ecdsa.keys.VerifyingKey.verify` method.
495
496	:param sig_der: encoded signature
497	:type sig_der: bytes like object
498	:param order: order of the curve over which the signature was computed
499	:type order: int
500
501	:raises UnexpectedDER: when the encoding of signature is invalid
502
503	:return: tuple with decoded ``r`` and ``s`` values of signature
504	:rtype: tuple of ints
505	"""
506	sig_der = normalise_bytes(sig_der)	20✔
507	# return der.encode_sequence(der.encode_integer(r), der.encode_integer(s))
508	rs_strings, empty = der.remove_sequence(sig_der)	20✔
509	if empty != b"":	20✔
510	raise der.UnexpectedDER(	20✔
511	"trailing junk after DER sig: %s" % binascii.hexlify(empty)
512	)
513	r, rest = der.remove_integer(rs_strings)	20✔
514	s, empty = der.remove_integer(rest)	20✔
515	if empty != b"":	20✔
516	raise der.UnexpectedDER(	20✔
517	"trailing junk after DER numbers: %s" % binascii.hexlify(empty)
518	)
519	return r, s	20✔

tlsfuzzer / python-ecdsa / 13440284808

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous