fix from_public_key_recovery() and sign() for large hashes

the public key recovery needs to truncate large hashes just like
the signature verification and creation, so reuse the code that does
that

Author: tomato42

src/ecdsa/keys.py

@@ -124,6 +124,38 @@ class MalformedPointError(AssertionError):
     pass
 
 
+def _truncate_and_convert_digest(digest, curve, allow_truncate):
+    """Truncates and converts digest to an integer."""
+    if not allow_truncate:
+        if len(digest) > curve.baselen:
+            raise BadDigestError(
+                "this curve ({0}) is too short "
+                "for the length of your digest ({1})".format(
+                    curve.name, 8 * len(digest)
+                )
+            )
+    else:
+        digest = digest[: curve.baselen]
+    number = string_to_number(digest)
+    if allow_truncate:
+        max_length = bit_length(curve.order)
+        # we don't use bit_length(number) as that truncates leading zeros
+        length = len(digest) * 8
+
+        # See NIST FIPS 186-4:
+        #
+        # When the length of the output of the hash function is greater
+        # than N (i.e., the bit length of q), then the leftmost N bits of
+        # the hash function output block shall be used in any calculation
+        # using the hash function output during the generation or
+        # verification of a digital signature.
+        #
+        # as such, we need to shift-out the low-order bits:
+        number >>= max(0, length - max_length)
+
+    return number
+
+
 class VerifyingKey(object):
     """
     Class for handling keys that can verify signatures (public keys).
@@ -435,7 +467,13 @@ def from_der(cls, string, hashfunc=sha1):
 
     @classmethod
     def from_public_key_recovery(
-        cls, signature, data, curve, hashfunc=sha1, sigdecode=sigdecode_string
+        cls,
+        signature,
+        data,
+        curve,
+        hashfunc=sha1,
+        sigdecode=sigdecode_string,
+        allow_truncate=True,
     ):
         """
         Return keys that can be used as verifiers of the provided signature.
@@ -458,6 +496,9 @@ def from_public_key_recovery(
             a tuple with two integers, "r" as the first one and "s" as the
             second one. See :func:`ecdsa.util.sigdecode_string` and
             :func:`ecdsa.util.sigdecode_der` for examples.
+        :param bool allow_truncate: if True, the provided hashfunc can generate
+            values larger than the bit size of the order of the curve, the
+            extra bits (at the end of the digest) will be truncated.
         :type sigdecode: callable
 
         :return: Initialised VerifyingKey objects
@@ -466,7 +507,12 @@ def from_public_key_recovery(
         data = normalise_bytes(data)
         digest = hashfunc(data).digest()
         return cls.from_public_key_recovery_with_digest(
-            signature, digest, curve, hashfunc=hashfunc, sigdecode=sigdecode
+            signature,
+            digest,
+            curve,
+            hashfunc=hashfunc,
+            sigdecode=sigdecode,
+            allow_truncate=allow_truncate,
         )
 
     @classmethod
@@ -477,6 +523,7 @@ def from_public_key_recovery_with_digest(
         curve,
         hashfunc=sha1,
         sigdecode=sigdecode_string,
+        allow_truncate=False,
     ):
         """
         Return keys that can be used as verifiers of the provided signature.
@@ -500,7 +547,10 @@ def from_public_key_recovery_with_digest(
             second one. See :func:`ecdsa.util.sigdecode_string` and
             :func:`ecdsa.util.sigdecode_der` for examples.
         :type sigdecode: callable
-
+        :param bool allow_truncate: if True, the provided hashfunc can generate
+            values larger than the bit size of the order of the curve (and
+            the length of provided `digest`), the extra bits (at the end of the
+            digest) will be truncated.
 
         :return: Initialised VerifyingKey object
         :rtype: VerifyingKey
@@ -510,7 +560,9 @@ def from_public_key_recovery_with_digest(
         sig = ecdsa.Signature(r, s)
 
         digest = normalise_bytes(digest)
-        digest_as_number = string_to_number(digest)
+        digest_as_number = _truncate_and_convert_digest(
+            digest, curve, allow_truncate
+        )
         pks = sig.recover_public_keys(digest_as_number, generator)
 
         # Transforms the ecdsa.Public_key object into a VerifyingKey
@@ -717,27 +769,9 @@ def verify_digest(
         # signature doesn't have to be a bytes-like-object so don't normalise
         # it, the decoders will do that
         digest = normalise_bytes(digest)
-        if not allow_truncate and len(digest) > self.curve.baselen:
-            raise BadDigestError(
-                "this curve (%s) is too short "
-                "for your digest (%d)" % (self.curve.name, 8 * len(digest))
-            )
-        number = string_to_number(digest)
-        if allow_truncate:
-            max_length = bit_length(self.curve.order)
-            # we don't use bit_length(number) as that truncates leading zeros
-            length = len(digest) * 8
-
-            # See NIST FIPS 186-4:
-            #
-            # When the length of the output of the hash function is greater
-            # than N (i.e., the bit length of q), then the leftmost N bits of
-            # the hash function output block shall be used in any calculation
-            # using the hash function output during the generation or
-            # verification of a digital signature.
-            #
-            # as such, we need to shift-out the low-order bits:
-            number >>= max(0, length - max_length)
+        number = _truncate_and_convert_digest(
+            digest, self.curve, allow_truncate,
+        )
 
         try:
             r, s = sigdecode(signature, self.pubkey.order)
@@ -1409,14 +1443,9 @@ def sign_digest(
         :rtype: bytes or sigencode function dependant type
         """
         digest = normalise_bytes(digest)
-        if allow_truncate:
-            digest = digest[: self.curve.baselen]
-        if len(digest) > self.curve.baselen:
-            raise BadDigestError(
-                "this curve (%s) is too short "
-                "for your digest (%d)" % (self.curve.name, 8 * len(digest))
-            )
-        number = string_to_number(digest)
+        number = _truncate_and_convert_digest(
+            digest, self.curve, allow_truncate,
+        )
         r, s = self.sign_number(number, entropy, k)
         return sigencode(r, s, self.privkey.order)
 

src/ecdsa/test_jacobi.py

@@ -210,7 +210,8 @@ def test_multiplications(self, mul):
     @example(0)
     @example(int(generator_brainpoolp160r1.order()))
     def test_precompute(self, mul):
-        precomp = PointJacobi.from_affine(generator_brainpoolp160r1, True)
+        precomp = generator_brainpoolp160r1
+        self.assertTrue(precomp._PointJacobi__precompute)
         pj = PointJacobi.from_affine(generator_brainpoolp160r1)
 
         a = precomp * mul
@@ -383,15 +384,15 @@ def test_mul_add_same(self):
         self.assertEqual(j_g * 2, j_g.mul_add(1, j_g, 1))
 
     def test_mul_add_precompute(self):
-        j_g = PointJacobi.from_affine(generator_256, True)
+        j_g = PointJacobi.from_affine(generator_brainpoolp160r1, True)
         b = PointJacobi.from_affine(j_g * 255, True)
 
         self.assertEqual(j_g * 256, j_g + b)
         self.assertEqual(j_g * (5 + 255 * 7), j_g * 5 + b * 7)
         self.assertEqual(j_g * (5 + 255 * 7), j_g.mul_add(5, b, 7))
 
     def test_mul_add_precompute_large(self):
-        j_g = PointJacobi.from_affine(generator_256, True)
+        j_g = PointJacobi.from_affine(generator_brainpoolp160r1, True)
         b = PointJacobi.from_affine(j_g * 255, True)
 
         self.assertEqual(j_g * 256, j_g + b)

src/ecdsa/test_pyecdsa.py

@@ -616,7 +616,7 @@ def test_hashfunc(self):
 
     def test_public_key_recovery(self):
         # Create keys
-        curve = NIST256p
+        curve = BRAINPOOLP160r1
 
         sk = SigningKey.generate(curve=curve)
         vk = sk.get_verifying_key()
@@ -649,7 +649,7 @@ def test_public_key_recovery(self):
 
     def test_public_key_recovery_with_custom_hash(self):
         # Create keys
-        curve = NIST256p
+        curve = BRAINPOOLP160r1
 
         sk = SigningKey.generate(curve=curve, hashfunc=sha256)
         vk = sk.get_verifying_key()
@@ -660,7 +660,7 @@ def test_public_key_recovery_with_custom_hash(self):
 
         # Recover verifying keys
         recovered_vks = VerifyingKey.from_public_key_recovery(
-            signature, data, curve, hashfunc=sha256
+            signature, data, curve, hashfunc=sha256, allow_truncate=True
         )
 
         # Test if each pk is valid
@@ -829,6 +829,7 @@ def test_VerifyingKey_encode_decode(curve, encoding):
     assert vk.pubkey.point == from_enc.pubkey.point
 
 
+
 class OpenSSL(unittest.TestCase):
     # test interoperability with OpenSSL tools. Note that openssl's ECDSA
     # sign/verify arguments changed between 0.9.8 and 1.0.0: the early