This is what you guys need to worry about instead of ordinals (cc: jack (npub1sg6…f63m) Jack₿TC (npub18qu…am09) jb55 (npub1xts…kk5s) Avid (npub1t8w…r6jt) Derek Ross (npub18am…p424) NunyaBidness (npub1vwy…zugd) ) 😉
"The private key
* MUST be set before generating the signature itself, but message
* data can be input before setting the key.
*
* Instances are NOT thread-safe. However, once a signature has
* been generated, the same instance can be used again for another
* signature; {@link #setPrivateKey} need not be called again if the
* private key has not changed. {@link #reset} can also be called to
* cancel previously input data. Generating a signature with {@link
* #sign} (not {@link #signHash}) also implicitly causes a
* reset.
*
* Redistribution and use in source and binary forms, with or without
* modification, is permitted pursuant to, and subject to the license
* terms contained in, the Simplified BSD License set forth in Section
* 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
* (http://trustee.ietf.org/license-info)."
https://www.rfc-editor.org/rfc/rfc6979
A.3. Sample Code
We include here a sample implementation of deterministic DSA. It is
meant for illustration purposes; for instance, this code makes no
attempt at avoiding side-channel leakage of the private key. It is
written in the Java programming language. The actual generation of
the "random" value k is done in the computek() method. The Java
virtual machine (JVM) is assumed to provide the implementation of the
hash function and of HMAC.
// ==================================================================
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
/**
* Deterministic DSA signature generation. This is a sample
* implementation designed to illustrate how deterministic DSA
* chooses the pseudorandom value k when signing a given message.
* This implementation was NOT optimized or hardened against
* side-channel leaks.
*
* An instance is created with a hash function name, which must be
* supported by the underlying Java virtual machine ("SHA-1" and
* "SHA-256" should work everywhere). The data to sign is input
* through the {@code update()} methods. The private key is set with
* {@link #setPrivateKey}. The signature is obtained by calling
* {@link #sign}; alternatively, {@link #signHash} can be used to
* sign some data that has been externally hashed. The private key
* MUST be set before generating the signature itself, but message
* data can be input before setting the key.
*
* Instances are NOT thread-safe. However, once a signature has
* been generated, the same instance can be used again for another
* signature; {@link #setPrivateKey} need not be called again if the
* private key has not changed. {@link #reset} can also be called to
* cancel previously input data. Generating a signature with {@link
* #sign} (not {@link #signHash}) also implicitly causes a
* reset.
*
* ------------------------------------------------------------------
* Copyright (c) 2013 IETF Trust and the persons identified as
* authors of the code. All rights reserved.
*
Pornin Informational [Page 70]
RFC 6979 Deterministic DSA and ECDSA August 2013
* Redistribution and use in source and binary forms, with or without
* modification, is permitted pursuant to, and subject to the license
* terms contained in, the Simplified BSD License set forth in Section
* 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
* (http://trustee.ietf.org/license-info).
*
* Technical remarks and questions can be addressed to:
* pornin@bolet.org
* ------------------------------------------------------------------
*/
public class DeterministicDSA {
private String macName;
private MessageDigest dig;
private Mac hmac;
private BigInteger p, q, g, x;
private int qlen, rlen, rolen, holen;
private byte[] bx;
/**
* Create an instance, using the specified hash function.
* The name is used to obtain from the JVM an implementation
* of the hash function and an implementation of HMAC.
*
* @param hashName the hash function name
* @throws IllegalArgumentException on unsupported name
*/
public DeterministicDSA(String hashName)
{
try {
dig = MessageDigest.getInstance(hashName);
} catch (NoSuchAlgorithmException nsae) {
throw new IllegalArgumentException(nsae);
}
if (hashName.indexOf('-') < 0) {
macName = "Hmac" + hashName;
} else {
StringBuilder sb = new StringBuilder();
sb.append("Hmac");
int n = hashName.length();
for (int i = 0; i < n; i ++) {
char c = hashName.charAt(i);
if (c != '-') {
sb.append(c);
}
}
macName = sb.toString();
Pornin Informational [Page 71]
RFC 6979 Deterministic DSA and ECDSA August 2013
}
try {
hmac = Mac.getInstance(macName);
} catch (NoSuchAlgorithmException nsae) {
throw new IllegalArgumentException(nsae);
}
holen = hmac.getMacLength();
}
/**
* Set the private key.
*
* @param p key parameter: field modulus
* @param q key parameter: subgroup order
* @param g key parameter: generator
* @param x private key
*/
public void setPrivateKey(BigInteger p, BigInteger q,
BigInteger g, BigInteger x)
{
/*
* Perform some basic sanity checks. We do not
* check primality of p or q because that would
* be too expensive.
*
* We reject keys where q is longer than 999 bits,
* because it would complicate signature encoding.
* Normal DSA keys do not have a q longer than 256
* bits anyway.
*/
if (p == null || q == null || g == null || x == null
|| p.signum() <= 0 || q.signum() <= 0
|| g.signum() <= 0 || x.signum() <= 0
|| x.compareTo(q) >= 0 || q.compareTo(p) >= 0
|| q.bitLength() > 999
|| g.compareTo(p) >= 0 || g.bitLength() == 1
|| g.modPow(q, p).bitLength() != 1) {
throw new IllegalArgumentException(
"invalid DSA private key");
}
this.p = p;
this.q = q;
this.g = g;
this.x = x;
qlen = q.bitLength();
if (q.signum() <= 0 || qlen < 8) {
throw new IllegalArgumentException(
"bad group order: " + q);
Pornin Informational [Page 72]
RFC 6979 Deterministic DSA and ECDSA August 2013
}
rolen = (qlen + 7) >>> 3;
rlen = rolen * 8;
/*
* Convert the private exponent (x) into a sequence
* of octets.
*/
bx = int2octets(x);
}
private BigInteger bits2int(byte[] in)
{
BigInteger v = new BigInteger(1, in);
int vlen = in.length * 8;
if (vlen > qlen) {
v = v.shiftRight(vlen - qlen);
}
return v;
}
private byte[] int2octets(BigInteger v)
{
byte[] out = v.toByteArray();
if (out.length < rolen) {
byte[] out2 = new byte[rolen];
System.arraycopy(out, 0,
out2, rolen - out.length,
out.length);
return out2;
} else if (out.length > rolen) {
byte[] out2 = new byte[rolen];
System.arraycopy(out, out.length - rolen,
out2, 0, rolen);
return out2;
} else {
return out;
}
}
private byte[] bits2octets(byte[] in)
{
BigInteger z1 = bits2int(in);
BigInteger z2 = z1.subtract(q);
return int2octets(z2.signum() < 0 ? z1 : z2);
}
/**
Pornin Informational [Page 73]
RFC 6979 Deterministic DSA and ECDSA August 2013
* Set (or reset) the secret key used for HMAC.
*
* @param K the new secret key
*/
private void setHmacKey(byte[] K)
{
try {
hmac.init(new SecretKeySpec(K, macName));
} catch (InvalidKeyException ike) {
throw new IllegalArgumentException(ike);
}
}
/**
* Compute the pseudorandom k for signature generation,
* using the process specified for deterministic DSA.
*
* @param h1 the hashed message
* @return the pseudorandom k to use
*/
private BigInteger computek(byte[] h1)
{
/*
* Convert hash value into an appropriately truncated
* and/or expanded sequence of octets. The private
* key was already processed (into field bx[]).
*/
byte[] bh = bits2octets(h1);
/*
* HMAC is always used with K as key.
* Whenever K is updated, we reset the
* current HMAC key.
*/
/* step b. */
byte[] V = new byte[holen];
for (int i = 0; i < holen; i ++) {
V[i] = 0x01;
}
/* step c. */
byte[] K = new byte[holen];
setHmacKey(K);
/* step d. */
hmac.update(V);
hmac.update((byte)0x00);
Pornin Informational [Page 74]
RFC 6979 Deterministic DSA and ECDSA August 2013
hmac.update(bx);
hmac.update(bh);
K = hmac.doFinal();
setHmacKey(K);
/* step e. */
hmac.update(V);
V = hmac.doFinal();
/* step f. */
hmac.update(V);
hmac.update((byte)0x01);
hmac.update(bx);
hmac.update(bh);
K = hmac.doFinal();
setHmacKey(K);
/* step g. */
hmac.update(V);
V = hmac.doFinal();
/* step h. */
byte[] T = new byte[rolen];
for (;;) {
/*
* We want qlen bits, but we support only
* hash functions with an output length
* multiple of 8;acd hence, we will gather
* rlen bits, i.e., rolen octets.
*/
int toff = 0;
while (toff < rolen) {
hmac.update(V);
V = hmac.doFinal();
int cc = Math.min(V.length,
T.length - toff);
System.arraycopy(V, 0, T, toff, cc);
toff += cc;
}
BigInteger k = bits2int(T);
if (k.signum() > 0 && k.compareTo(q) < 0) {
return k;
}
/*
* k is not in the proper range; update
* K and V, and loop.
*/
Pornin Informational [Page 75]
RFC 6979 Deterministic DSA and ECDSA August 2013
hmac.update(V);
hmac.update((byte)0x00);
K = hmac.doFinal();
setHmacKey(K);
hmac.update(V);
V = hmac.doFinal();
}
}
/**
* Process one more byte of input data (message to sign).
*
* @param in the extra input byte
*/
public void update(byte in)
{
dig.update(in);
}
/**
* Process some extra bytes of input data (message to sign).
*
* @param in the extra input bytes
*/
public void update(byte[] in)
{
dig.update(in, 0, in.length);
}
/**
* Process some extra bytes of input data (message to sign).
*
* @param in the extra input buffer
* @param off the extra input offset
* @param len the extra input length (in bytes)
*/
public void update(byte[] in, int off, int len)
{
dig.update(in, off, len);
}
/**
* Produce the signature. {@link #setPrivateKey} MUST have
* been called. The signature is computed over the data
* that was input through the {@code update*()} methods.
* This engine is then reset (made ready for a new
* signature generation).
*
Pornin Informational [Page 76]
RFC 6979 Deterministic DSA and ECDSA August 2013
* @return the signature
*/
public byte[] sign()
{
return signHash(dig.digest());
}
/**
* Produce the signature. {@link #setPrivateKey} MUST
* have been called. The signature is computed over the
* provided hash value (data is assumed to have been hashed
* externally). The data that was input through the
* {@code update*()} methods is ignored, but kept.
*
* If the hash output is longer than the subgroup order
* (the length of q, in bits, denoted 'qlen'), then the
* provided value {@code h1} can be truncated, provided that
* at least qlen leading bits are preserved. In other words,
* bit values in {@code h1} beyond the first qlen bits are
* ignored.
*
* @param h1 the hash value
* @return the signature
*/
public byte[] signHash(byte[] h1)
{
if (p == null) {
throw new IllegalStateException(
"no private key set");
}
try {
BigInteger k = computek(h1);
BigInteger r = g.modPow(k, p).mod(q);
BigInteger s = k.modInverse(q).multiply(
bits2int(h1).add(x.multiply(r)))
.mod(q);
/*
* Signature encoding: ASN.1 SEQUENCE of
* two INTEGERs. The conditions on q
* imply that the encoded version of r and
* s is no longer than 127 bytes for each,
* including DER tag and length.
*/
byte[] br = r.toByteArray();
byte[] bs = s.toByteArray();
int ulen = br.length + bs.length + 4;
int slen = ulen + (ulen >= 128 ? 3 : 2);
Pornin Informational [Page 77]
RFC 6979 Deterministic DSA and ECDSA August 2013
byte[] sig = new byte[slen];
int i = 0;
sig[i ++] = 0x30;
if (ulen >= 128) {
sig[i ++] = (byte)0x81;
sig[i ++] = (byte)ulen;
} else {
sig[i ++] = (byte)ulen;
}
sig[i ++] = 0x02;
sig[i ++] = (byte)br.length;
System.arraycopy(br, 0, sig, i, br.length);
i += br.length;
sig[i ++] = 0x02;
sig[i ++] = (byte)bs.length;
System.arraycopy(bs, 0, sig, i, bs.length);
return sig;
} catch (ArithmeticException ae) {
throw new IllegalArgumentException(
"DSA error (bad key ?)", ae);
}
}
/**
* Reset this engine. Data input through the {@code
* update*()} methods is discarded. The current private key,
* if one was set, is kept unchanged.
*/
public void reset()
{
dig.reset();
}
}
// ==================================================================
Pornin Informational [Page 78]
RFC 6979 Deterministic DSA and ECDSA August 2013
Author's Address
Thomas Pornin
Quebec, QC
Canada
EMail: pornin@bolet.org
mike
npub14f…ec80l
2023-02-04 09:40:54
in reply to nevent1q…duf9
Author Public Key
npub14fk5v6ancupzp30kwycx48j5qkfvvjmgxxxn23kwtkh78sf3s7vsqec80lPublished at
2023-02-04 09:40:54Event JSON
{
"id": "e76e4f6583dd021d080c0f6ff8a7114606a37ea0cb1f6e4edcc0a4ebffdff545",
"pubkey": "aa6d466bb3c70220c5f671306a9e540592c64b68318d3546ce5dafe3c1318799",
"created_at": 1675503654,
"kind": 1,
"tags": [
[
"e",
"95f635ce950b31df7c4b37444cde6f102215e7460f97c5a612fb8593d20bea0b",
"",
"root"
],
[
"p",
"59dcb04cf3209a056a3caeb3c4473a574681e29773ce31135e996a8729eda2c5"
],
[
"p",
"3f770d65d3a764a9c5cb503ae123e62ec7598ad035d836e2a810f3877a745b24"
],
[
"p",
"82341f882b6eabcd2ba7f1ef90aad961cf074af15b9ef44a09f9d2a8fbfbe6a2"
],
[
"p",
"32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245"
],
[
"p",
"aa6d466bb3c70220c5f671306a9e540592c64b68318d3546ce5dafe3c1318799"
],
[
"p",
"383888cf3da45afdd5a9cb6f769652de97b89cc4e9a2a9809bf73d6cbd378293"
],
[
"p",
"6389be6491e7b693e9f368ece88fcd145f07c068d2c1bbae4247b9b5ef439d32"
]
],
"content": "This is what you guys need to worry about instead of ordinals (cc: #[3] #[6] #[4] #[1] #[2] #[7] ) 😉\n\n\"The private key\n * MUST be set before generating the signature itself, but message\n * data can be input before setting the key.\n *\n * Instances are NOT thread-safe. However, once a signature has\n * been generated, the same instance can be used again for another\n * signature; {@link #setPrivateKey} need not be called again if the\n * private key has not changed. {@link #reset} can also be called to\n * cancel previously input data. Generating a signature with {@link\n * #sign} (not {@link #signHash}) also implicitly causes a\n * reset.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, is permitted pursuant to, and subject to the license\n * terms contained in, the Simplified BSD License set forth in Section\n * 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents\n * (http://trustee.ietf.org/license-info).\" \n\n\nhttps://www.rfc-editor.org/rfc/rfc6979\n\nA.3. Sample Code\n\n We include here a sample implementation of deterministic DSA. It is\n meant for illustration purposes; for instance, this code makes no\n attempt at avoiding side-channel leakage of the private key. It is\n written in the Java programming language. The actual generation of\n the \"random\" value k is done in the computek() method. The Java\n virtual machine (JVM) is assumed to provide the implementation of the\n hash function and of HMAC.\n\n // ==================================================================\n\n import java.math.BigInteger;\n import java.security.InvalidKeyException;\n import java.security.MessageDigest;\n import java.security.NoSuchAlgorithmException;\n import javax.crypto.Mac;\n import javax.crypto.spec.SecretKeySpec;\n\n /**\n * Deterministic DSA signature generation. This is a sample\n * implementation designed to illustrate how deterministic DSA\n * chooses the pseudorandom value k when signing a given message.\n * This implementation was NOT optimized or hardened against\n * side-channel leaks.\n *\n * An instance is created with a hash function name, which must be\n * supported by the underlying Java virtual machine (\"SHA-1\" and\n * \"SHA-256\" should work everywhere). The data to sign is input\n * through the {@code update()} methods. The private key is set with\n * {@link #setPrivateKey}. The signature is obtained by calling\n * {@link #sign}; alternatively, {@link #signHash} can be used to\n * sign some data that has been externally hashed. The private key\n * MUST be set before generating the signature itself, but message\n * data can be input before setting the key.\n *\n * Instances are NOT thread-safe. However, once a signature has\n * been generated, the same instance can be used again for another\n * signature; {@link #setPrivateKey} need not be called again if the\n * private key has not changed. {@link #reset} can also be called to\n * cancel previously input data. Generating a signature with {@link\n * #sign} (not {@link #signHash}) also implicitly causes a\n * reset.\n *\n * ------------------------------------------------------------------\n * Copyright (c) 2013 IETF Trust and the persons identified as\n * authors of the code. All rights reserved.\n *\n\n\n\nPornin Informational [Page 70]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n * Redistribution and use in source and binary forms, with or without\n * modification, is permitted pursuant to, and subject to the license\n * terms contained in, the Simplified BSD License set forth in Section\n * 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents\n * (http://trustee.ietf.org/license-info).\n *\n * Technical remarks and questions can be addressed to:\n * pornin@bolet.org\n * ------------------------------------------------------------------\n */\n\n public class DeterministicDSA {\n\n private String macName;\n private MessageDigest dig;\n private Mac hmac;\n private BigInteger p, q, g, x;\n private int qlen, rlen, rolen, holen;\n private byte[] bx;\n\n /**\n * Create an instance, using the specified hash function.\n * The name is used to obtain from the JVM an implementation\n * of the hash function and an implementation of HMAC.\n *\n * @param hashName the hash function name\n * @throws IllegalArgumentException on unsupported name\n */\n public DeterministicDSA(String hashName)\n {\n try {\n dig = MessageDigest.getInstance(hashName);\n } catch (NoSuchAlgorithmException nsae) {\n throw new IllegalArgumentException(nsae);\n }\n if (hashName.indexOf('-') \u003c 0) {\n macName = \"Hmac\" + hashName;\n } else {\n StringBuilder sb = new StringBuilder();\n sb.append(\"Hmac\");\n int n = hashName.length();\n for (int i = 0; i \u003c n; i ++) {\n char c = hashName.charAt(i);\n if (c != '-') {\n sb.append(c);\n }\n }\n macName = sb.toString();\n\n\n\nPornin Informational [Page 71]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n }\n try {\n hmac = Mac.getInstance(macName);\n } catch (NoSuchAlgorithmException nsae) {\n throw new IllegalArgumentException(nsae);\n }\n holen = hmac.getMacLength();\n }\n\n /**\n * Set the private key.\n *\n * @param p key parameter: field modulus\n * @param q key parameter: subgroup order\n * @param g key parameter: generator\n * @param x private key\n */\n public void setPrivateKey(BigInteger p, BigInteger q,\n BigInteger g, BigInteger x)\n {\n /*\n * Perform some basic sanity checks. We do not\n * check primality of p or q because that would\n * be too expensive.\n *\n * We reject keys where q is longer than 999 bits,\n * because it would complicate signature encoding.\n * Normal DSA keys do not have a q longer than 256\n * bits anyway.\n */\n if (p == null || q == null || g == null || x == null\n || p.signum() \u003c= 0 || q.signum() \u003c= 0\n || g.signum() \u003c= 0 || x.signum() \u003c= 0\n || x.compareTo(q) \u003e= 0 || q.compareTo(p) \u003e= 0\n || q.bitLength() \u003e 999\n || g.compareTo(p) \u003e= 0 || g.bitLength() == 1\n || g.modPow(q, p).bitLength() != 1) {\n throw new IllegalArgumentException(\n \"invalid DSA private key\");\n }\n this.p = p;\n this.q = q;\n this.g = g;\n this.x = x;\n qlen = q.bitLength();\n if (q.signum() \u003c= 0 || qlen \u003c 8) {\n throw new IllegalArgumentException(\n \"bad group order: \" + q);\n\n\n\nPornin Informational [Page 72]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n }\n rolen = (qlen + 7) \u003e\u003e\u003e 3;\n rlen = rolen * 8;\n\n /*\n * Convert the private exponent (x) into a sequence\n * of octets.\n */\n bx = int2octets(x);\n }\n\n private BigInteger bits2int(byte[] in)\n {\n BigInteger v = new BigInteger(1, in);\n int vlen = in.length * 8;\n if (vlen \u003e qlen) {\n v = v.shiftRight(vlen - qlen);\n }\n return v;\n }\n\n private byte[] int2octets(BigInteger v)\n {\n byte[] out = v.toByteArray();\n if (out.length \u003c rolen) {\n byte[] out2 = new byte[rolen];\n System.arraycopy(out, 0,\n out2, rolen - out.length,\n out.length);\n return out2;\n } else if (out.length \u003e rolen) {\n byte[] out2 = new byte[rolen];\n System.arraycopy(out, out.length - rolen,\n out2, 0, rolen);\n return out2;\n } else {\n return out;\n }\n }\n\n private byte[] bits2octets(byte[] in)\n {\n BigInteger z1 = bits2int(in);\n BigInteger z2 = z1.subtract(q);\n return int2octets(z2.signum() \u003c 0 ? z1 : z2);\n }\n\n /**\n\n\n\nPornin Informational [Page 73]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n * Set (or reset) the secret key used for HMAC.\n *\n * @param K the new secret key\n */\n private void setHmacKey(byte[] K)\n {\n try {\n hmac.init(new SecretKeySpec(K, macName));\n } catch (InvalidKeyException ike) {\n throw new IllegalArgumentException(ike);\n }\n }\n\n /**\n * Compute the pseudorandom k for signature generation,\n * using the process specified for deterministic DSA.\n *\n * @param h1 the hashed message\n * @return the pseudorandom k to use\n */\n private BigInteger computek(byte[] h1)\n {\n /*\n * Convert hash value into an appropriately truncated\n * and/or expanded sequence of octets. The private\n * key was already processed (into field bx[]).\n */\n byte[] bh = bits2octets(h1);\n\n /*\n * HMAC is always used with K as key.\n * Whenever K is updated, we reset the\n * current HMAC key.\n */\n\n /* step b. */\n byte[] V = new byte[holen];\n for (int i = 0; i \u003c holen; i ++) {\n V[i] = 0x01;\n }\n\n /* step c. */\n byte[] K = new byte[holen];\n setHmacKey(K);\n\n /* step d. */\n hmac.update(V);\n hmac.update((byte)0x00);\n\n\n\nPornin Informational [Page 74]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n hmac.update(bx);\n hmac.update(bh);\n K = hmac.doFinal();\n setHmacKey(K);\n\n /* step e. */\n hmac.update(V);\n V = hmac.doFinal();\n\n /* step f. */\n hmac.update(V);\n hmac.update((byte)0x01);\n hmac.update(bx);\n hmac.update(bh);\n K = hmac.doFinal();\n setHmacKey(K);\n\n /* step g. */\n hmac.update(V);\n V = hmac.doFinal();\n\n /* step h. */\n byte[] T = new byte[rolen];\n for (;;) {\n /*\n * We want qlen bits, but we support only\n * hash functions with an output length\n * multiple of 8;acd hence, we will gather\n * rlen bits, i.e., rolen octets.\n */\n int toff = 0;\n while (toff \u003c rolen) {\n hmac.update(V);\n V = hmac.doFinal();\n int cc = Math.min(V.length,\n T.length - toff);\n System.arraycopy(V, 0, T, toff, cc);\n toff += cc;\n }\n BigInteger k = bits2int(T);\n if (k.signum() \u003e 0 \u0026\u0026 k.compareTo(q) \u003c 0) {\n return k;\n }\n\n /*\n * k is not in the proper range; update\n * K and V, and loop.\n */\n\n\n\nPornin Informational [Page 75]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n hmac.update(V);\n hmac.update((byte)0x00);\n K = hmac.doFinal();\n setHmacKey(K);\n hmac.update(V);\n V = hmac.doFinal();\n }\n }\n\n /**\n * Process one more byte of input data (message to sign).\n *\n * @param in the extra input byte\n */\n public void update(byte in)\n {\n dig.update(in);\n }\n\n /**\n * Process some extra bytes of input data (message to sign).\n *\n * @param in the extra input bytes\n */\n public void update(byte[] in)\n {\n dig.update(in, 0, in.length);\n }\n\n /**\n * Process some extra bytes of input data (message to sign).\n *\n * @param in the extra input buffer\n * @param off the extra input offset\n * @param len the extra input length (in bytes)\n */\n public void update(byte[] in, int off, int len)\n {\n dig.update(in, off, len);\n }\n\n /**\n * Produce the signature. {@link #setPrivateKey} MUST have\n * been called. The signature is computed over the data\n * that was input through the {@code update*()} methods.\n * This engine is then reset (made ready for a new\n * signature generation).\n *\n\n\n\nPornin Informational [Page 76]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n * @return the signature\n */\n public byte[] sign()\n {\n return signHash(dig.digest());\n }\n\n /**\n * Produce the signature. {@link #setPrivateKey} MUST\n * have been called. The signature is computed over the\n * provided hash value (data is assumed to have been hashed\n * externally). The data that was input through the\n * {@code update*()} methods is ignored, but kept.\n *\n * If the hash output is longer than the subgroup order\n * (the length of q, in bits, denoted 'qlen'), then the\n * provided value {@code h1} can be truncated, provided that\n * at least qlen leading bits are preserved. In other words,\n * bit values in {@code h1} beyond the first qlen bits are\n * ignored.\n *\n * @param h1 the hash value\n * @return the signature\n */\n public byte[] signHash(byte[] h1)\n {\n if (p == null) {\n throw new IllegalStateException(\n \"no private key set\");\n }\n try {\n BigInteger k = computek(h1);\n BigInteger r = g.modPow(k, p).mod(q);\n BigInteger s = k.modInverse(q).multiply(\n bits2int(h1).add(x.multiply(r)))\n .mod(q);\n\n /*\n * Signature encoding: ASN.1 SEQUENCE of\n * two INTEGERs. The conditions on q\n * imply that the encoded version of r and\n * s is no longer than 127 bytes for each,\n * including DER tag and length.\n */\n byte[] br = r.toByteArray();\n byte[] bs = s.toByteArray();\n int ulen = br.length + bs.length + 4;\n int slen = ulen + (ulen \u003e= 128 ? 3 : 2);\n\n\n\nPornin Informational [Page 77]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\n byte[] sig = new byte[slen];\n int i = 0;\n sig[i ++] = 0x30;\n if (ulen \u003e= 128) {\n sig[i ++] = (byte)0x81;\n sig[i ++] = (byte)ulen;\n } else {\n sig[i ++] = (byte)ulen;\n }\n sig[i ++] = 0x02;\n sig[i ++] = (byte)br.length;\n System.arraycopy(br, 0, sig, i, br.length);\n i += br.length;\n sig[i ++] = 0x02;\n sig[i ++] = (byte)bs.length;\n System.arraycopy(bs, 0, sig, i, bs.length);\n return sig;\n\n } catch (ArithmeticException ae) {\n throw new IllegalArgumentException(\n \"DSA error (bad key ?)\", ae);\n }\n }\n\n /**\n * Reset this engine. Data input through the {@code\n * update*()} methods is discarded. The current private key,\n * if one was set, is kept unchanged.\n */\n public void reset()\n {\n dig.reset();\n }\n }\n\n // ==================================================================\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nPornin Informational [Page 78]\n\nRFC 6979 Deterministic DSA and ECDSA August 2013\n\n\nAuthor's Address\n\n Thomas Pornin\n Quebec, QC\n Canada\n\n EMail: pornin@bolet.org\n\n",
"sig": "c92f7d471c2f26565ebb3de14ebf45b0e66a4424862cbbd2fdfe26c22ee5182500e7d8f48ba5ff97c9a53f2460c5b4ef7dd0cc9c4e616bd000069d226a778246"
}