add secp160r1; fix handling curves with order > p

tomato42 · tomato42 · commit 46bdd1eb3e47 · 2020-12-08T01:56:54.000+01:00
the secret multiplier is limited by the order of the base point, that
also informs the size of elements for the signature (as they are
calculated modulo order), but the public point is a point, so its
elements are modulo prime from the curve

for all curves up till now the size of order and size of the prime was
the same so it worked fine, but secp160r1 is different, so it showed the
bug

so fix this bug and add secp160r1 as the test coverage for it
diff --git a/src/ecdsa/__init__.py b/src/ecdsa/__init__.py
@@ -22,6 +22,7 @@
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
 )
 from .ecdh import (
     ECDH,
@@ -78,5 +79,6 @@
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
 ]
 del _hush_pyflakes
diff --git a/src/ecdsa/curves.py b/src/ecdsa/curves.py
@@ -13,6 +13,7 @@
     "SECP112r1",
     "SECP112r2",
     "SECP128r1",
+    "SECP160r1",
     "NIST192p",
     "NIST224p",
     "NIST256p",
@@ -43,7 +44,7 @@ def __init__(self, name, curve, generator, oid, openssl_name=None):
         self.generator = generator
         self.order = generator.order()
         self.baselen = orderlen(self.order)
-        self.verifying_key_length = 2 * self.baselen
+        self.verifying_key_length = 2 * orderlen(curve.p())
         self.signature_length = 2 * self.baselen
         self.oid = oid
         self.encoded_oid = der.encode_oid(*oid)
@@ -80,6 +81,15 @@ def __repr__(self):
 )
 
 
+SECP160r1 = Curve(
+    "SECP160r1",
+    ecdsa.curve_160r1,
+    ecdsa.generator_160r1,
+    (1, 3, 132, 0, 8),
+    "secp160r1",
+)
+
+
 # the NIST curves
 NIST192p = Curve(
     "NIST192p",
@@ -216,6 +226,7 @@ def __repr__(self):
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
 ]
 
 
diff --git a/src/ecdsa/ecdsa.py b/src/ecdsa/ecdsa.py
@@ -339,6 +339,21 @@ def point_is_valid(generator, x, y):
 )
 
 
+# secp160r1
+_p = int(remove_whitespace("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 7FFFFFFF"), 16)
+# S = 1053CDE4 2C14D696 E6768756 1517533B F3F83345
+# _a = -3
+_b = int(remove_whitespace("1C97BEFC 54BD7A8B 65ACF89F 81D4D4AD C565FA45"), 16)
+_Gx = int(remove_whitespace("4A96B568 8EF57328 46646989 68C38BB9 13CBFC82"), 16)
+_Gy = int(remove_whitespace("23A62855 3168947D 59DCC912 04235137 7AC5FB32"), 16)
+_r = int(remove_whitespace("01 00000000 00000000 0001F4C8 F927AED3 CA752257"), 16)
+_h = 1
+curve_160r1 = ellipticcurve.CurveFp(_p, -3, _b, _h)
+generator_160r1 = ellipticcurve.PointJacobi(
+    curve_160r1, _Gx, _Gy, 1, _r, generator=True
+)
+
+
 # NIST Curve P-192:
 _p = 6277101735386680763835789423207666416083908700390324961279
 _r = 6277101735386680763835789423176059013767194773182842284081
diff --git a/src/ecdsa/keys.py b/src/ecdsa/keys.py
@@ -272,11 +272,11 @@ def _from_raw_encoding(string, curve):
         order = curve.order
         # real assert, from_string() should not call us with different length
         assert len(string) == curve.verifying_key_length
-        xs = string[: curve.baselen]
-        ys = string[curve.baselen :]
-        if len(xs) != curve.baselen:
+        xs = string[: curve.verifying_key_length // 2]
+        ys = string[curve.verifying_key_length // 2 :]
+        if len(xs) != curve.verifying_key_length // 2:
             raise MalformedPointError("Unexpected length of encoded x")
-        if len(ys) != curve.baselen:
+        if len(ys) != curve.verifying_key_length // 2:
             raise MalformedPointError("Unexpected length of encoded y")
         x = string_to_number(xs)
         y = string_to_number(ys)
@@ -371,7 +371,7 @@ def from_string(
                 raise MalformedPointError(
                     "Invalid X9.62 encoding of the public point"
                 )
-        elif sig_len == curve.baselen + 1:
+        elif sig_len == curve.verifying_key_length // 2 + 1:
             point = cls._from_compressed(string, curve)
         else:
             raise MalformedPointError(
@@ -572,14 +572,14 @@ def from_public_key_recovery_with_digest(
 
     def _raw_encode(self):
         """Convert the public key to the :term:`raw encoding`."""
-        order = self.pubkey.order
+        order = self.curve.curve.p()
         x_str = number_to_string(self.pubkey.point.x(), order)
         y_str = number_to_string(self.pubkey.point.y(), order)
         return x_str + y_str
 
     def _compressed_encode(self):
         """Encode the public point into the compressed form."""
-        order = self.pubkey.order
+        order = self.curve.curve.p()
         x_str = number_to_string(self.pubkey.point.x(), order)
         if self.pubkey.point.y() & 1:
             return b("\x03") + x_str
diff --git a/src/ecdsa/test_pyecdsa.py b/src/ecdsa/test_pyecdsa.py
@@ -29,6 +29,7 @@
     SECP112r1,
     SECP112r2,
     SECP128r1,
+    SECP160r1,
     NIST192p,
     NIST224p,
     NIST256p,
@@ -313,8 +314,13 @@ class FakeGenerator:
             def order(self):
                 return 123456789
 
+        class FakeCurveFp:
+            def p(self):
+                return int("6525534529039240705020950546962731340"
+                           "4541085228058844382513856749047873406763")
+
         badcurve = Curve(
-            "unknown", None, FakeGenerator(), (1, 2, 3, 4, 5, 6), None
+            "unknown", FakeCurveFp(), FakeGenerator(), (1, 2, 3, 4, 5, 6), None
         )
         badpub.curve = badcurve
         badder = badpub.to_der()
@@ -890,7 +896,13 @@ def test_from_openssl_secp112r2(self):
     def test_from_openssl_secp128r1(self):
         return self.do_test_from_openssl(SECP128r1)
 
-    @pytest.mark.slow
+    @pytest.mark.skipif(
+        "secp160r1" not in OPENSSL_SUPPORTED_CURVES,
+        reason="system openssl does not support secp160r1",
+    )
+    def test_from_openssl_secp160r1(self):
+        return self.do_test_from_openssl(SECP160r1)
+
     @pytest.mark.skipif(
         "prime192v1" not in OPENSSL_SUPPORTED_CURVES,
         reason="system openssl does not support prime192v1",
@@ -1076,7 +1088,13 @@ def test_to_openssl_secp112r2(self):
     def test_to_openssl_secp128r1(self):
         self.do_test_to_openssl(SECP128r1)
 
-    @pytest.mark.slow
+    @pytest.mark.skipif(
+        "secp160r1" not in OPENSSL_SUPPORTED_CURVES,
+        reason="system openssl does not support secp160r1",
+    )
+    def test_to_openssl_secp160r1(self):
+        self.do_test_to_openssl(SECP160r1)
+
     @pytest.mark.skipif(
         "prime192v1" not in OPENSSL_SUPPORTED_CURVES,
         reason="system openssl does not support prime192v1",

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`SECP112r1,`
`23`	`23`	`SECP112r2,`
`24`	`24`	`SECP128r1,`
	`25`	`+ SECP160r1,`
`25`	`26`	`)`
`26`	`27`	`from .ecdh import (`
`27`	`28`	`ECDH,`
`@@ -78,5 +79,6 @@`
`78`	`79`	`SECP112r1,`
`79`	`80`	`SECP112r2,`
`80`	`81`	`SECP128r1,`
	`82`	`+ SECP160r1,`
`81`	`83`	`]`
`82`	`84`	`del _hush_pyflakes`