/** * @license * Copyright 2016 Google Inc. All rights reserved. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ // TODO(bleichen): // - add tests for SHA1WithDSA with wrong key // - add tests for "alternative" algorithm names // - convert tests for deterministic DSA variants. // Deterministic DSA has a few new drawbacks: // * implementations flaws that generate k incorrectly can leak // the key if multiple implementations (e.g. one correct one incorrect) // is used. // * timing attacks are more serious if the attacker can ask for the same // signature multiple times, since this allows to get more accurate timings. package com.google.security.wycheproof; import com.google.security.wycheproof.WycheproofRunner.ExcludedTest; import com.google.security.wycheproof.WycheproofRunner.ProviderType; import com.google.security.wycheproof.WycheproofRunner.SlowTest; // Android-removed: Android doesn't support JMX // import java.lang.management.ManagementFactory; // import java.lang.management.ThreadMXBean; import java.math.BigInteger; import java.security.GeneralSecurityException; import java.security.KeyFactory; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.Signature; import java.security.SignatureException; import java.security.interfaces.DSAParams; import java.security.interfaces.DSAPrivateKey; import java.security.interfaces.DSAPublicKey; import java.security.spec.DSAPrivateKeySpec; import java.security.spec.DSAPublicKeySpec; import java.util.Arrays; import javax.crypto.Cipher; import junit.framework.TestCase; /** * Tests DSA against invalid signatures. The motivation for this test is the DSA implementation in * gpg4browsers. This implementation accepts signatures with r=1 and s=0 as valid. * * @author bleichen@google.com (Daniel Bleichenbacher) */ public class DsaTest extends TestCase { static final String MESSAGE = "Hello"; static final DSAPrivateKeySpec privateKey1 = new DSAPrivateKeySpec( // x new BigInteger("15382583218386677486843706921635237927801862255437148328980464126979"), // p new BigInteger( "181118486631420055711787706248812146965913392568235070235446058914" + "1170708161715231951918020125044061516370042605439640379530343556" + "4101919053459832890139496933938670005799610981765220283775567361" + "4836626483403394052203488713085936276470766894079318754834062443" + "1033792580942743268186462355159813630244169054658542719322425431" + "4088256212718983105131138772434658820375111735710449331518776858" + "7867938758654181244292694091187568128410190746310049564097068770" + "8161261634790060655580211122402292101772553741704724263582994973" + "9109274666495826205002104010355456981211025738812433088757102520" + "562459649777989718122219159982614304359"), // q new BigInteger("19689526866605154788513693571065914024068069442724893395618704484701"), // g new BigInteger( "2859278237642201956931085611015389087970918161297522023542900348" + "0877180630984239764282523693409675060100542360520959501692726128" + "3149190229583566074777557293475747419473934711587072321756053067" + "2532404847508798651915566434553729839971841903983916294692452760" + "2490198571084091890169933809199002313226100830607842692992570749" + "0504363602970812128803790973955960534785317485341020833424202774" + "0275688698461842637641566056165699733710043802697192696426360843" + "1736206792141319514001488556117408586108219135730880594044593648" + "9237302749293603778933701187571075920849848690861126195402696457" + "4111219599568903257472567764789616958430")); static final DSAPublicKeySpec publicKey1 = new DSAPublicKeySpec( new BigInteger( "3846308446317351758462473207111709291533523711306097971550086650" + "2577333637930103311673872185522385807498738696446063139653693222" + "3528823234976869516765207838304932337200968476150071617737755913" + "3181601169463467065599372409821150709457431511200322947508290005" + "1780020974429072640276810306302799924668893998032630777409440831" + "4314588994475223696460940116068336991199969153649625334724122468" + "7497038281983541563359385775312520539189474547346202842754393945" + "8755803223951078082197762886933401284142487322057236814878262166" + "5072306622943221607031324846468109901964841479558565694763440972" + "5447389416166053148132419345627682740529"), privateKey1.getP(), privateKey1.getQ(), privateKey1.getG()); // Signatures for Key1. static final String[] VALID_SIGNATURES = { "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", }; /** * The following test vectos are derived from a valid signature by * using alternative BER encoding as well as legacy formats. * Accepting such signatures is in many cases benign. Hence the tests * below will pass if such signatures are accepted as valid. * The test vectors could be used to check for signature malleability. * An example where this kind of signature malleability was a problem is * https://en.bitcoin.it/wiki/Transaction_Malleability */ static final String[] MODIFIED_SIGNATURES = { // BER:long form encoding of length "30813d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e02811c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "02811d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // BER:length contains leading 0 "3082003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", "303f0282001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0282001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", // BER:prepending 0's to integer "303f021e00001e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021f000000ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", // The Sun provider accepts DSA signatures where a leading 00 has // been omitted in the ASN encoding. "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", }; /** * The following test vectors are invalid DSA signatures. * According to {@link java.security.Signature#verify(byte[])} verifying an invalid * signature may either return false or throw a SignatureException. * We expect that a correct implementation of DSA signatures satisfies this contract. * Throwing a RuntimeException instead of a SignatureException could for example * result in a denial of service attack. * *

A list of problems that are caught by these signatures: *

  • CVE-2016-5546: OpenJDK8 throwed java.lang.ArrayIndexOutOfBoundsException for * some invalid DSA signatures. * */ static final String[] INVALID_SIGNATURES = { // wrong length "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021d1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021b1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021e00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021c00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // uint32 overflow in length "3085010000003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" + "e8786236", "30420285010000001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" + "e8786236", "3042021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0285010000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" + "e8786236", // uint64 overflow in length "308901000000000000003d021c1e41b479ad576905b960fe14eadb91b0ccf348" + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf" + "3365813fe8786236", "3046028901000000000000001c1e41b479ad576905b960fe14eadb91b0ccf348" + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf" + "3365813fe8786236", "3046021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "028901000000000000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf" + "3365813fe8786236", // length = 2**31 - 1 "30847fffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "304102847fffffff1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "02847fffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", // length = 2**32 - 1 "3084ffffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "30410284ffffffff1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0284ffffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", // length = 2**64 - 1 "3088ffffffffffffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843" + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" + "65813fe8786236", "30450288ffffffffffffffff1e41b479ad576905b960fe14eadb91b0ccf34843" + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" + "65813fe8786236", "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0288ffffffffffffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" + "65813fe8786236", // removing sequence "", // appending 0's to sequence "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623600" + "00", // prepending 0's to sequence "303f0000021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", // appending unused 0's "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0000021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", // appending null value "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623605" + "00", "303f021e1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0500021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021f00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623605" + "00", // including garbage "3042498177303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" + "e8786236", "30412500303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "303f303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "360004deadbeef", "30422221498177021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916" + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" + "e8786236", "304122202500021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "3045221e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd0004deadbeef021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" + "65813fe8786236", "3042021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "2222498177021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" + "e8786236", "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "22212500021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "221f021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "360004deadbeef", // including undefined tags "3045aa00bb00cd00303d021c1e41b479ad576905b960fe14eadb91b0ccf34843" + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" + "65813fe8786236", "3043aa02aabb303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab9" + "16173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581" + "3fe8786236", "30452224aa00bb00cd00021c1e41b479ad576905b960fe14eadb91b0ccf34843" + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" + "65813fe8786236", "30432222aa02aabb021c1e41b479ad576905b960fe14eadb91b0ccf34843dab9" + "16173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581" + "3fe8786236", "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "2225aa00bb00cd00021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33" + "65813fe8786236", "3043021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "2223aa02aabb021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581" + "3fe8786236", // changing tag value "2e3d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "323d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "ff3d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d041c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303dff1c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "041d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "ff1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // dropping value of sequence "3000", // using composition "3041300102303c1c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "3041222002011e021b41b479ad576905b960fe14eadb91b0ccf34843dab91617" + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "2221020100021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236", // truncate sequence "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862", "303c1c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02" + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // indefinite length with no delimiter "3080021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // prepend empty sequence "303f3000021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", // append empty sequence "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623630" + "00", // sequence of sequence "303f303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8" + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", // truncated sequence "301e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd", // repeat element in sequence "305c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623602" + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // removing integer "301f021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // appending 0's to integer "303f021e1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0000021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36", "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021f00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623600" + "00", // dropping value of integer "30210200021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "3020021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd0200", // modify first byte of integer "303d021c1f41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // modify last byte of integer "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cc" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786237", // truncate integer "303c021b1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c902" + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303c021b41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02" + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021c00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862", // leading ff in integer "303e021dff1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021eff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // infinity "3022090180021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "3021021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd090180", // Vectors where r or s have been modified e.g. by adding or subtracting the order of the // group and hence violate the range check for r and s required by DSA. "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" + "2a021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" + "2a021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", "303d021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" + "2a021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" + "2a021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33" + "2a021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" + "70021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" + "70021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", "303d021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" + "70021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" + "70021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360" + "70021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" + "021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", "303c021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" + "021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" + "021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633" + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93", "303d021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9", "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca", "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9" + "cd021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236", // Signatures with special case values for r and s. E.g. r=1, s=0 are values that can lead to // forgeries if the DSA implementation does not check boundaries and computes s^(-1) == 0. "3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", "3006020100020101", "30060201000201ff", "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", "3022020100021d0100000000000000000000000000000000000000000000000000000000", "3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e" + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b" + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345" + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f" + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d" + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f" + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de" + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3" + "42be484c05763939601cd667", "3008020100090380fe01", "3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", "3006020101020101", "30060201010201ff", "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", "3022020101021d0100000000000000000000000000000000000000000000000000000000", "3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e" + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b" + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345" + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f" + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d" + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f" + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de" + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3" + "42be484c05763939601cd667", "3008020101090380fe01", "30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", "30060201ff020101", "30060201ff0201ff", "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", "30220201ff021d0100000000000000000000000000000000000000000000000000000000", "308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e" + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b" + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345" + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f" + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d" + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f" + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de" + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3" + "42be484c05763939601cd667", "30080201ff090380fe01", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100", "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101", "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d021d0100000000000000000000000000000000000000000000000000000000", "30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc" + "d5695d02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718" + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad" + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe" + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8" + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733" + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4" + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04" + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c" + "05763939601cd667", "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100", "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101", "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e021d0100000000000000000000000000000000000000000000000000000000", "30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc" + "d5695e02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718" + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad" + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe" + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8" + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733" + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4" + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04" + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c" + "05763939601cd667", "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01", "303e021d01000000000000000000000000000000000000000000000000000000" + "00021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", "3022021d0100000000000000000000000000000000000000000000000000000000020100", "3022021d0100000000000000000000000000000000000000000000000000000000020101", "3022021d01000000000000000000000000000000000000000000000000000000000201ff", "303e021d01000000000000000000000000000000000000000000000000000000" + "00021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", "303e021d01000000000000000000000000000000000000000000000000000000" + "00021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", "303e021d01000000000000000000000000000000000000000000000000000000" + "00021d0100000000000000000000000000000000000000000000000000000000", "30820124021d0100000000000000000000000000000000000000000000000000" + "00000002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718" + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad" + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe" + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8" + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733" + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4" + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04" + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c" + "05763939601cd667", "3024021d0100000000000000000000000000000000000000000000000000000000090380fe01", "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc" + "451a7f3f432a96a3", "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd667020100", "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd667020101", "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd6670201ff", "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233" + "bae580c0bcd5695d", "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233" + "bae580c0bcd5695e", "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd667021d010000000000000000000000000000000000000000" + "0000000000000000", "3082020a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd66702820101008f7935d9b9aae9bfabed887acf4951b6f32e" + "c59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7" + "475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9" + "93453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6" + "291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9f" + "fa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633" + "458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1" + "43de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f8" + "22e342be484c05763939601cd667", "3082010a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37" + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011" + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0" + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e" + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7" + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32" + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff" + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48" + "4c05763939601cd667090380fe01", "3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3", "3008090380fe01020100", "3008090380fe01020101", "3008090380fe010201ff", "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d", "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e", "3024090380fe01021d0100000000000000000000000000000000000000000000000000000000", "3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32e" + "c59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7" + "475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9" + "93453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6" + "291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9f" + "fa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633" + "458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1" + "43de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f8" + "22e342be484c05763939601cd667", "300a090380fe01090380fe01", }; @SuppressWarnings("InsecureCryptoUsage") public void testVectors( String[] signatures, DSAPublicKeySpec key, String message, String algorithm, String signatureType, boolean isValidDER, boolean isValidBER) throws Exception { byte[] messageBytes = message.getBytes("UTF-8"); Signature verifier = Signature.getInstance(algorithm); KeyFactory kf = KeyFactory.getInstance("DSA"); PublicKey pub = kf.generatePublic(key); int errors = 0; for (String signature : signatures) { byte[] signatureBytes = TestUtil.hexToBytes(signature); verifier.initVerify(pub); verifier.update(messageBytes); boolean verified = false; try { verified = verifier.verify(signatureBytes); } catch (SignatureException ex) { // verify can throw SignatureExceptions if the signature is malformed. // We don't flag these cases and simply consider the signature as invalid. verified = false; } catch (Exception ex) { // Other exceptions indicate some internal error, e.g. careless ASN parsing. // We count these as errors. System.out.println(signatureType + ":" + signature + " throws:" + ex.toString()); errors++; continue; } if (isValidDER && !verified) { System.out.println(signatureType + " was not verified:" + signature); errors++; } else if (!isValidBER && verified) { System.out.println(signatureType + " was verified:" + signature); errors++; } } assertEquals(0, errors); } public void testValidSignatures() throws Exception { testVectors( VALID_SIGNATURES, publicKey1, "Hello", "SHA224WithDSA", "Valid DSA signature", true, true); } public void testModifiedSignatures() throws Exception { testVectors( MODIFIED_SIGNATURES, publicKey1, "Hello", "SHA224WithDSA", "Modified DSA signature", false, true); } public void testInvalidSignatures() throws Exception { testVectors( INVALID_SIGNATURES, publicKey1, "Hello", "SHA224WithDSA", "Invalid DSA signature", false, false); } // Extract the integer r from a DSA signature. // This method implicitely assumes that the DSA signature is DER encoded. BigInteger extractR(byte[] signature) throws Exception { int lengthR = signature[3]; return new BigInteger(Arrays.copyOfRange(signature, 4, 4 + lengthR)); } BigInteger extractS(byte[] signature) throws Exception { int lengthR = signature[3]; int startS = 4 + lengthR; int lengthS = signature[startS + 1]; return new BigInteger(Arrays.copyOfRange(signature, startS + 2, startS + 2 + lengthS)); } /** Extract the k that was used to sign the signature. Validates the k if check == true. */ BigInteger extractK(byte[] signature, BigInteger h, DSAPrivateKey priv, boolean check) throws Exception { BigInteger x = priv.getX(); BigInteger q = priv.getParams().getQ(); BigInteger r = extractR(signature); BigInteger s = extractS(signature); BigInteger k = x.multiply(r).add(h).multiply(s.modInverse(q)).mod(q); if (check) { BigInteger p = priv.getParams().getP(); BigInteger g = priv.getParams().getG(); BigInteger r2 = g.modPow(k, p).mod(q); assertEquals(r.toString(), r2.toString()); } return k; } /** * Providers that implement SHA1WithDSA but not at least SHA256WithDSA are outdated and should be * avoided even if DSA is currently not used in a project. Such providers promote using a weak * signature scheme. It can also "inspire" developers to use invalid schemes such as SHA1WithDSA * together with 2048-bit key. Such invalid use cases are often untested and can have serious * flaws. For example the SUN provider leaked the private keys with 3 to 5 signatures in such * instances. */ public void testOutdatedProvider() throws Exception { try { Signature sig = Signature.getInstance("SHA1WithDSA"); try { Signature.getInstance("SHA256WithDSA"); } catch (NoSuchAlgorithmException ex) { fail("Provider " + sig.getProvider().getName() + " is outdated and should not be used."); } } catch (NoSuchAlgorithmException ex) { System.out.println("SHA1WithDSA is not supported"); } } /** * This is just a test for basic functionality of DSA. The test generates a public and private * key, generates a signature, verifies it and prints the whole thing out. This test is useful * when an implementation is seriously broken. */ @SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE}) @SuppressWarnings("InsecureCryptoUsage") public void testBasic() throws Exception { int keySize = 2048; String algorithm = "SHA256WithDSA"; String hashAlgorithm = "SHA-256"; String message = "Hello"; byte[] messageBytes = message.getBytes("UTF-8"); KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("DSA"); generator.initialize(keySize); KeyPair keyPair = generator.generateKeyPair(); DSAPublicKey pub = (DSAPublicKey) keyPair.getPublic(); DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate(); Signature signer = Signature.getInstance(algorithm); Signature verifier = Signature.getInstance(algorithm); signer.initSign(priv); signer.update(messageBytes); byte[] signature = signer.sign(); verifier.initVerify(pub); verifier.update(messageBytes); assertTrue(verifier.verify(signature)); // Extract some parameters. byte[] rawHash = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes); DSAParams params = priv.getParams(); // Print keys and signature, so that it can be used to generate new test vectors. System.out.println("Message:" + message); System.out.println("Hash:" + TestUtil.bytesToHex(rawHash)); System.out.println("Params:"); System.out.println("p:" + params.getP().toString()); System.out.println("q:" + params.getQ().toString()); System.out.println("g:" + params.getG().toString()); System.out.println("Private key:"); System.out.println("X:" + priv.getX().toString()); System.out.println("encoded:" + TestUtil.bytesToHex(priv.getEncoded())); System.out.println("Public key:"); System.out.println("Y:" + pub.getY().toString()); System.out.println("encoded:" + TestUtil.bytesToHex(pub.getEncoded())); System.out.println("Signature:" + TestUtil.bytesToHex(signature)); System.out.println("r:" + extractR(signature).toString()); System.out.println("s:" + extractS(signature).toString()); } @SuppressWarnings("InsecureCryptoUsage") public void testKeyGeneration(int keysize) throws Exception { KeyPairGenerator generator = KeyPairGenerator.getInstance("DSA"); generator.initialize(keysize); KeyPair keyPair = generator.generateKeyPair(); DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate(); DSAParams params = priv.getParams(); assertEquals(keysize, params.getP().bitLength()); // The NIST standard does not fully specify the size of q that // must be used for a given key size. Hence there are differences. // For example if keysize = 2048, then OpenSSL uses 256 bit q's by default, // but the SUN provider uses 224 bits. Both are acceptable sizes. // The tests below simply asserts that the size of q does not decrease the // overall security of the DSA. int qsize = params.getQ().bitLength(); switch (keysize) { case 1024: assertTrue("Invalid qsize for 1024 bit key:" + qsize, qsize >= 160); break; case 2048: assertTrue("Invalid qsize for 2048 bit key:" + qsize, qsize >= 224); break; case 3072: assertTrue("Invalid qsize for 3072 bit key:" + qsize, qsize >= 256); break; default: fail("Invalid key size:" + keysize); } // Check the length of the private key. // For example GPG4Browsers or the KJUR library derived from it use // q.bitCount() instead of q.bitLength() to determine the size of the private key // and hence would generate keys that are much too small. assertTrue(priv.getX().bitLength() >= qsize - 32); } /** * Tests the key generation for DSA. * *

    Problems found: *

    */ @SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE}) public void testKeyGenerationAll() throws Exception { testKeyGeneration(1024); testKeyGeneration(2048); } /** * Checks whether the one time key k in DSA is biased. For example the SUN provider fell for this * test until April 2016. */ @SuppressWarnings("InsecureCryptoUsage") @ExcludedTest( providers = {ProviderType.BOUNCY_CASTLE}, comment = "Signature.SHA1WithDSA is removed") public void testDsaBias() throws Exception { // q is close to 2/3 * 2^160. BigInteger q = new BigInteger("974317976835659416858874959372334979171063697271"); BigInteger p = new BigInteger( "1106803511314772711673172950296693567629309594518393175860816428" + "6658764043763662129010863568011543182924292444458455864283745070" + "9908516713302345161980412667892373845670780253725557376379049862" + "4062950082444499320797079243439689601679418602390654466821968220" + "32212146727497041502702331623782703855119908989712161"); BigInteger g = new BigInteger( "1057342118316953575810387190942009018497979302261477972033090351" + "7561815639397594841480480197745063606756857212792356354588585967" + "3837265237205154744016475608524531648654928648461175919672511710" + "4878976887505840764543501512668232945506391524642105449699321960" + "32410302985148400531470153936516167243072120845392903"); BigInteger x = new BigInteger("13706102843888006547723575730792302382646994436"); KeyFactory kf = KeyFactory.getInstance("DSA"); DSAPrivateKey priv = (DSAPrivateKey) kf.generatePrivate(new DSAPrivateKeySpec(x, p, q, g)); // If we make TESTS tests with a fair coin then the probability that // either heads or tails appears less than MINCOUNT times is less than // 2^{-32}. // I.e. 2*sum(binomial(tests,i) for i in range(mincount))*2**32 < 2**tests // Therefore the test below is not expected to fail unless the generation // of the one time keys is indeed biased. final int tests = 1024; final int mincount = 410; String hashAlgorithm = "SHA"; String message = "Hello"; byte[] messageBytes = message.getBytes("UTF-8"); byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes); BigInteger h = new BigInteger(1, digest); final BigInteger qHalf = q.shiftRight(1); Signature signer = Signature.getInstance("SHA1WithDSA"); signer.initSign(priv); int countLsb = 0; // count the number of k's with msb set int countMsb = 0; // count the number of k's with lsb set for (int i = 0; i < tests; i++) { signer.update(messageBytes); byte[] signature = signer.sign(); BigInteger k = extractK(signature, h, priv, i < 10); if (k.testBit(0)) { countLsb++; } if (k.compareTo(qHalf) == 1) { countMsb++; } } if (countLsb < mincount || countLsb > tests - mincount) { fail("Bias detected in the least significant bit of k:" + countLsb); } if (countMsb < mincount || countMsb > tests - mincount) { fail("Bias detected in the most significant bit of k:" + countMsb); } } /** * Checks whether CVE-2016-0695 has been fixed. Before the April 2016 security update, the SUN * provider had a serious flaw that leaked the private key with about 3-5 signatures. In * particular, "Sha1WithDSA" always generated 160 bit k's independently of q. Unfortunately, it is * easily possible to use 2048 and 3072 bit DSA keys together with SHA1WithDSA. All a user has to * do is to use the algorithm name "DSA" instead of "SHA256WithDSA" rsp. "SHA224WithDSA". * *

    An algorithm to extract the key from the signatures has been described for example in the * paper Lattice Attacks on * Digital Signature Schemes by N.A. Howgrave-Graham, N.P. Smart. * *

    This bug is the same as US-CERT: VU # 940388: GnuPG generated ElGamal signatures that leaked * the private key. */ @SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE}) @SuppressWarnings("InsecureCryptoUsage") public void testBiasSha1WithDSA() throws Exception { String hashAlgorithm = "SHA"; String message = "Hello"; byte[] messageBytes = message.getBytes("UTF-8"); byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes); BigInteger h = new BigInteger(1, digest); KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("DSA"); generator.initialize(2048); KeyPair keyPair = generator.generateKeyPair(); DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate(); Signature signer = Signature.getInstance("DSA"); try { // Private key and selected algorithm by signer do not match. // Hence throwing an exception at this point would be the reasonable. signer.initSign(priv); signer.update(messageBytes); byte[] signature = signer.sign(); BigInteger q = priv.getParams().getQ(); BigInteger k = extractK(signature, h, priv, true); // Now check if k is heavily biased. int lengthDiff = q.bitLength() - k.bitLength(); if (lengthDiff > 32) { fail( "Severly biased DSA signature:" + " len(q)=" + q.bitLength() + " len(k)=" + k.bitLength()); } } catch (GeneralSecurityException ex) { // The key is invalid, hence getting here is reasonable. return; } } /** * This test checks for potential of a timing attack. The test generates a number of signatures, * selects a fraction of them with a small timing and then compares the values k for the selected * signatures with a normal distribution. The test fails if these ks are much smaller than * expected. An implementation flaw that can lead to a test failure is to compute the signature * with a modular exponentiation with a runtime that depend on the length of the exponent. * *

    A failing test simply means that the timing can be used to get information about k. Further * analysis is necessary to determine if the bias is exploitable and how many timings are * necessary for an attack. A passing test does not mean that the implementation is secure against * timing attacks. The test only catches relatively big timing differences. It requires high * confidence to fail. Noise on the test machine can prevent that a relation between timing and k * can be detected. * *

    Claims of what is exploitable: http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf 30 * signatures are sufficient to find the private key if the attacker knows 8 bits of each k. * http://eprint.iacr.org/2004/277.pdf 27 signatures are sufficient if 8 bits of each k is known. * Our own old experiments (using 1GB memory on a Pentium-4? CPU): 2^11 signatures are sufficient * with a 3 bit leakage. 2^15 signatures are sufficient with a 2 bit leakage. 2^24 signatures are * sufficient with a 1 bit leakage. Estimate for biased generation in the NIST standard: e.g. 2^22 * signatures, 2^40 memory, 2^64 time * *

    Sample output for the SUN provider: * count:50000 cutoff:4629300 relative average:0.9992225872624547 sigmas:0.3010906585642381 * count:25000 cutoff:733961 relative average:0.976146066585879 sigmas:6.532668708070148 * count:12500 cutoff:688305 relative average:0.9070352192339134 sigmas:18.00255238454385 * count:6251 cutoff:673971 relative average:0.7747148791368986 sigmas:30.850903417893825 * count:3125 cutoff:667045 relative average:0.5901994097874541 sigmas:39.67877152897901 * count:1563 cutoff:662088 relative average:0.4060286694971057 sigmas:40.67294313795137 * count:782 cutoff:657921 relative average:0.2577955312387898 sigmas:35.94906247333319 * count:391 cutoff:653608 relative average:0.1453438859272699 sigmas:29.271192100879457 * count:196 cutoff:649280 relative average:0.08035497211567771 sigmas:22.300206785132406 * count:98 cutoff:645122 relative average:0.05063589092661368 sigmas:16.27820353139225 * count:49 cutoff:641582 relative average:0.018255560447883384 sigmas:11.903018745467488 * count:25 cutoff:638235 relative average:0.009082660721102722 sigmas:8.581595888660086 * count:13 cutoff:633975 relative average:0.0067892346039088326 sigmas:6.20259924188633 * * *

    What this shows: The first line uses all 50'000 signatures. The average k of these * signatures is close to the expected value q/2. Being more selective gives us signatures with a * more biased k. For example, the 196 signatures with the fastest timing have about a 3-bit bias. * From this we expect that 2^19 signatures and timings are sufficient to find the private key. * *

    A list of problems caught by this test: *

    */ @SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.OPENJDK, ProviderType.SPONGY_CASTLE}) @SuppressWarnings("InsecureCryptoUsage") public void testTiming() throws Exception { // BEGIN Android-removed: Android doesn't support JMX /* ThreadMXBean bean = ManagementFactory.getThreadMXBean(); if (!bean.isCurrentThreadCpuTimeSupported()) { System.out.println("getCurrentThreadCpuTime is not supported. Skipping"); return; } String hashAlgorithm = "SHA-1"; String message = "Hello"; byte[] messageBytes = message.getBytes("UTF-8"); byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes); BigInteger h = new BigInteger(1, digest); KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("DSA"); generator.initialize(1024); KeyPair keyPair = generator.generateKeyPair(); DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate(); Signature signer = Signature.getInstance("SHA1WITHDSA"); signer.initSign(priv); // The timings below are quite noisy. Thus we need a large number of samples. int samples = 50000; long[] timing = new long[samples]; BigInteger[] k = new BigInteger[samples]; for (int i = 0; i < samples; i++) { long start = bean.getCurrentThreadCpuTime(); signer.update(messageBytes); byte[] signature = signer.sign(); timing[i] = bean.getCurrentThreadCpuTime() - start; k[i] = extractK(signature, h, priv, false); } long[] sorted = Arrays.copyOf(timing, timing.length); Arrays.sort(sorted); // Here we are only interested in roughly the 8 most significant bits of the ks. // Hence, using double is sufficiently precise. double q = priv.getParams().getQ().doubleValue(); double expectedAverage = q / 2; double maxSigmas = 0; System.out.println("testTiming: SHA1WITHDSA"); for (int idx = samples - 1; idx > 10; idx /= 2) { long cutoff = sorted[idx]; int count = 0; double total = 0; for (int i = 0; i < samples; i++) { if (timing[i] <= cutoff) { total += k[i].doubleValue(); count += 1; } } double expectedStdDev = q / Math.sqrt(12 * count); double average = total / count; // Number of standard deviations that the average is away from // the expected value: double sigmas = (expectedAverage - average) / expectedStdDev; if (sigmas > maxSigmas) { maxSigmas = sigmas; } System.out.println( "count:" + count + " cutoff:" + cutoff + " relative average:" + (average / expectedAverage) + " sigmas:" + sigmas); } // Checks if the signatures with a small timing have a biased k. // We use 7 standard deviations, so that the probability of a false positive is smaller // than 10^{-10}. if (maxSigmas >= 7) { fail("Signatures with short timing have a biased k"); } */ // END Android-removed: Android doesn't support JMX } /** * DSA does not allow encryption. This test verifies that a provider does not implement an ad hoc * scheme that attempts to turn DSA into a public key encryption scheme. */ @SuppressWarnings("InsecureCryptoUsage") public void testEncryptionWithDsa() throws Exception { try { Cipher cipher = Cipher.getInstance("DSA"); fail("DSA must not be used as a cipher:" + cipher.getProvider().toString()); } catch (NoSuchAlgorithmException ex) { // This is expected } } }