108 lines
4.0 KiB
C#
108 lines
4.0 KiB
C#
#if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR)
|
|
#pragma warning disable
|
|
using System;
|
|
|
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Math;
|
|
|
|
namespace BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Agreement.JPake
|
|
{
|
|
/// <summary>
|
|
/// A pre-computed prime order group for use during a J-PAKE exchange.
|
|
///
|
|
/// Typically a Schnorr group is used. In general, J-PAKE can use any prime order group
|
|
/// that is suitable for public key cryptography, including elliptic curve cryptography.
|
|
///
|
|
/// See JPakePrimeOrderGroups for convenient standard groups.
|
|
///
|
|
/// NIST <a href="http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/DSA2_All.pdf">publishes</a>
|
|
/// many groups that can be used for the desired level of security.
|
|
/// </summary>
|
|
public class JPakePrimeOrderGroup
|
|
{
|
|
private readonly BigInteger p;
|
|
private readonly BigInteger q;
|
|
private readonly BigInteger g;
|
|
|
|
/// <summary>
|
|
/// Constructs a new JPakePrimeOrderGroup.
|
|
///
|
|
/// In general, you should use one of the pre-approved groups from
|
|
/// JPakePrimeOrderGroups, rather than manually constructing one.
|
|
///
|
|
/// The following basic checks are performed:
|
|
///
|
|
/// p-1 must be evenly divisible by q
|
|
/// g must be in [2, p-1]
|
|
/// g^q mod p must equal 1
|
|
/// p must be prime (within reasonably certainty)
|
|
/// q must be prime (within reasonably certainty)
|
|
///
|
|
/// The prime checks are performed using BigInteger#isProbablePrime(int),
|
|
/// and are therefore subject to the same probability guarantees.
|
|
///
|
|
/// These checks prevent trivial mistakes.
|
|
/// However, due to the small uncertainties if p and q are not prime,
|
|
/// advanced attacks are not prevented.
|
|
/// Use it at your own risk.
|
|
///
|
|
/// Throws NullReferenceException if any argument is null. Throws
|
|
/// InvalidOperationException is any of the above validations fail.
|
|
/// </summary>
|
|
public JPakePrimeOrderGroup(BigInteger p, BigInteger q, BigInteger g)
|
|
: this(p, q, g, false)
|
|
{
|
|
// Don't skip the checks on user-specified groups.
|
|
}
|
|
|
|
/// <summary>
|
|
/// Constructor used by the pre-approved groups in JPakePrimeOrderGroups.
|
|
/// These pre-approved groups can avoid the expensive checks.
|
|
/// User-specified groups should not use this constructor.
|
|
/// </summary>
|
|
public JPakePrimeOrderGroup(BigInteger p, BigInteger q, BigInteger g, bool skipChecks)
|
|
{
|
|
JPakeUtilities.ValidateNotNull(p, "p");
|
|
JPakeUtilities.ValidateNotNull(q, "q");
|
|
JPakeUtilities.ValidateNotNull(g, "g");
|
|
|
|
if (!skipChecks)
|
|
{
|
|
if (!p.Subtract(JPakeUtilities.One).Mod(q).Equals(JPakeUtilities.Zero))
|
|
throw new ArgumentException("p-1 must be evenly divisible by q");
|
|
if (g.CompareTo(BigInteger.Two) == -1 || g.CompareTo(p.Subtract(JPakeUtilities.One)) == 1)
|
|
throw new ArgumentException("g must be in [2, p-1]");
|
|
if (!g.ModPow(q, p).Equals(JPakeUtilities.One))
|
|
throw new ArgumentException("g^q mod p must equal 1");
|
|
|
|
// Note these checks do not guarantee that p and q are prime.
|
|
// We just have reasonable certainty that they are prime.
|
|
if (!p.IsProbablePrime(20))
|
|
throw new ArgumentException("p must be prime");
|
|
if (!q.IsProbablePrime(20))
|
|
throw new ArgumentException("q must be prime");
|
|
}
|
|
|
|
this.p = p;
|
|
this.q = q;
|
|
this.g = g;
|
|
}
|
|
|
|
public virtual BigInteger P
|
|
{
|
|
get { return p; }
|
|
}
|
|
|
|
public virtual BigInteger Q
|
|
{
|
|
get { return q; }
|
|
}
|
|
|
|
public virtual BigInteger G
|
|
{
|
|
get { return g; }
|
|
}
|
|
}
|
|
}
|
|
#pragma warning restore
|
|
#endif
|