File Coverage

blib/lib/Net/DNS/SEC/ECDSA.pm

Criterion	Covered	Total	%
statement	52	52	100.0
branch	10	10	100.0
condition			n/a
subroutine	11	11	100.0
pod	2	2	100.0
total	75	75	100.0

line	stmt	bran	sub	pod	time	code
1						package Net::DNS::SEC::ECDSA;
2
3	12		12		8750	use strict;
	12				32
	12				346
4	12		12		59	use warnings;
	12				25
	12				750
5
6						our $VERSION = (qw$Id: ECDSA.pm 1853 2021-10-11 10:40:59Z willem $)[2];
7
8
9						=head1 NAME
10
11						Net::DNS::SEC::ECDSA - DNSSEC ECDSA digital signature algorithm
12
13
14						=head1 SYNOPSIS
15
16						require Net::DNS::SEC::ECDSA;
17
18						$signature = Net::DNS::SEC::ECDSA->sign( $sigdata, $private );
19
20						$validated = Net::DNS::SEC::ECDSA->verify( $sigdata, $keyrr, $sigbin );
21
22
23						=head1 DESCRIPTION
24
25						Implementation of ECDSA elliptic curve digital signature
26						generation and verification procedures.
27
28						=head2 sign
29
30						$signature = Net::DNS::SEC::ECDSA->sign( $sigdata, $private );
31
32						Generates the wire-format signature from the sigdata octet string
33						and the appropriate private key object.
34
35						=head2 verify
36
37						$validated = Net::DNS::SEC::ECDSA->verify( $sigdata, $keyrr, $sigbin );
38
39						Verifies the signature over the sigdata octet string using the specified
40						public key resource record.
41
42						=cut
43
44	12		12		77	use integer;
	12				25
	12				54
45	12		12		320	use MIME::Base64;
	12				29
	12				878
46
47	12		12		89	use constant ECDSA_configured => Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_ECDSA');
	12				21
	12				885
48
49	12		12		7550	BEGIN { die 'ECDSA disabled or application has no "use Net::DNS::SEC"' unless ECDSA_configured }
50
51
52						my %parameters = (
53						13 => [415, 32, Net::DNS::SEC::libcrypto::EVP_sha256()],
54						14 => [715, 48, Net::DNS::SEC::libcrypto::EVP_sha384()],
55						);
56
57	12		12		170	sub _index { return keys %parameters }
58
59
60						sub sign {
61	3		3	1	1480	my ( $class, $sigdata, $private ) = @_;
62
63	3				12	my $algorithm = $private->algorithm;
64	3	100			6	my ( $nid, $keylen, $evpmd ) = @{$parameters{$algorithm} \|\| []};
	3				18
65	3	100			19	die 'private key not ECDSA' unless $nid;
66
67	2				25	my $rawkey = pack "a$keylen", decode_base64( $private->PrivateKey );
68	2				235	my $evpkey = Net::DNS::SEC::libcrypto::EVP_PKEY_new_ECDSA( $nid, $rawkey, '' );
69
70	2				1815	my $asn1 = Net::DNS::SEC::libcrypto::EVP_sign( $sigdata, $evpkey, $evpmd );
71	2				3859	return _ASN1decode( $asn1, $keylen );
72						}
73
74
75						sub verify {
76	6		6	1	2180	my ( $class, $sigdata, $keyrr, $sigbin ) = @_;
77
78	6				19	my $algorithm = $keyrr->algorithm;
79	6	100			46	my ( $nid, $keylen, $evpmd ) = @{$parameters{$algorithm} \|\| []};
	6				3855
80	6	100			26	die 'public key not ECDSA' unless $nid;
81
82	5	100			14	return unless $sigbin;
83
84	4				16	my ( $x, $y ) = unpack "a$keylen a$keylen", $keyrr->keybin;
85	4				2616	my $evpkey = Net::DNS::SEC::libcrypto::EVP_PKEY_new_ECDSA( $nid, $x, $y );
86
87	4				14	my $asn1 = _ASN1encode( $sigbin, $keylen );
88	4				3505	return Net::DNS::SEC::libcrypto::EVP_verify( $sigdata, $asn1, $evpkey, $evpmd );
89						}
90
91
92						########################################
93
94						sub _ASN1encode {
95	4		4		10	my ( $sig, $size ) = @_;
96	4				18	my @part = unpack "a$size a$size", $sig;
97	4				7	my $length;
98	4				9	foreach (@part) {
99	8				13	s/^[\000]+//;
100	8				17	s/^$/\000/;
101	8				27	s/^(?=[\200-\377])/\000/;
102	8				27	$_ = pack 'C2 a*', 2, length, $_;
103	8				16	$length += length;
104						}
105	4				16	return pack 'C2 a* a*', 0x30, $length, @part;
106						}
107
108						sub _ASN1decode {
109	2		2		9	my ( $asn1, $size ) = @_;
110	2				11	my $n = unpack 'x3 C', $asn1;
111	2				7	my $m = unpack "x5 x$n C", $asn1;
112	2				16	my @part = unpack "x4 a$n x2 a$m", $asn1;
113	2				4	return pack 'a* a', map { substr( pack( "x$size a", $_ ), -$size ) } @part;
	4				38
114						}
115
116
117						1;
118
119						__END__