File Coverage

blib/lib/Net/DNS/SEC/ECDSA.pm

Criterion	Covered	Total	%
statement	52	52	100.0
branch	10	10	100.0
condition			n/a
subroutine	11	11	100.0
pod	2	2	100.0
total	75	75	100.0

line	stmt	bran	sub	pod	time	code
1						package Net::DNS::SEC::ECDSA;
2
3	12		12		9220	use strict;
	12				32
	12				358
4	12		12		65	use warnings;
	12				25
	12				758
5
6						our $VERSION = (qw$Id: ECDSA.pm 1937 2023-09-11 09:27:16Z willem $)[2];
7
8
9						=head1 NAME
10
11						Net::DNS::SEC::ECDSA - DNSSEC ECDSA digital signature algorithm
12
13
14						=head1 SYNOPSIS
15
16						require Net::DNS::SEC::ECDSA;
17
18						$signature = Net::DNS::SEC::ECDSA->sign( $sigdata, $private );
19
20						$validated = Net::DNS::SEC::ECDSA->verify( $sigdata, $keyrr, $sigbin );
21
22
23						=head1 DESCRIPTION
24
25						Implementation of ECDSA elliptic curve digital signature
26						generation and verification procedures.
27
28						=head2 sign
29
30						$signature = Net::DNS::SEC::ECDSA->sign( $sigdata, $private );
31
32						Generates the wire-format signature from the sigdata octet string
33						and the appropriate private key object.
34
35						=head2 verify
36
37						$validated = Net::DNS::SEC::ECDSA->verify( $sigdata, $keyrr, $sigbin );
38
39						Verifies the signature over the sigdata octet string using the specified
40						public key resource record.
41
42						=cut
43
44	12		12		85	use integer;
	12				30
	12				70
45	12		12		324	use MIME::Base64;
	12				43
	12				886
46
47	12		12		83	use constant ECDSA_configured => Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_ECDSA');
	12				28
	12				891
48
49	12		12		7891	BEGIN { die 'ECDSA disabled or application has no "use Net::DNS::SEC"' unless ECDSA_configured }
50
51
52						my %parameters = (
53						13 => ['P-256', 32, Net::DNS::SEC::libcrypto::EVP_sha256()],
54						14 => ['P-384', 48, Net::DNS::SEC::libcrypto::EVP_sha384()],
55						);
56
57	12		12		184	sub _index { return keys %parameters }
58
59
60						sub sign {
61	3		3	1	20073	my ( $class, $sigdata, $private ) = @_;
62
63	3				12	my $algorithm = $private->algorithm;
64	3	100			7	my ( $curve, $keylen, $evpmd ) = @{$parameters{$algorithm} \|\| []};
	3				27
65	3	100			22	die 'private key not ECDSA' unless $curve;
66
67	2				3786	my $rawkey = pack "a$keylen", decode_base64( $private->PrivateKey );
68	2				289	my $evpkey = Net::DNS::SEC::libcrypto::EVP_PKEY_new_ECDSA( $curve, $rawkey, '' );
69
70	2				1867	my $asn1 = Net::DNS::SEC::libcrypto::EVP_sign( $sigdata, $evpkey, $evpmd );
71	2				12	return _ASN1decode( $asn1, $keylen );
72						}
73
74
75						sub verify {
76	6		6	1	2329	my ( $class, $sigdata, $keyrr, $sigbin ) = @_;
77
78	6				20	my $algorithm = $keyrr->algorithm;
79	6	100			44	my ( $curve, $keylen, $evpmd ) = @{$parameters{$algorithm} \|\| []};
	6				29
80	6	100			34	die 'public key not ECDSA' unless $curve;
81
82	5	100			15	return unless $sigbin;
83
84	4				14	my ( $x, $y ) = unpack "a$keylen a$keylen", $keyrr->keybin;
85	4				2583	my $evpkey = Net::DNS::SEC::libcrypto::EVP_PKEY_new_ECDSA( $curve, $x, $y );
86
87	4				13	my $asn1 = _ASN1encode( $sigbin, $keylen );
88	4				3445	return Net::DNS::SEC::libcrypto::EVP_verify( $sigdata, $asn1, $evpkey, $evpmd );
89						}
90
91
92						########################################
93
94						sub _ASN1encode {
95	4		4		11	my ( $sig, $size ) = @_;
96	4				14	my @part = unpack "a$size a$size", $sig;
97	4				7	my $length;
98	4				8	foreach (@part) {
99	8				18	s/^[\000]+//;
100	8				16	s/^$/\000/;
101	8				27	s/^(?=[\200-\377])/\000/;
102	8				24	$_ = pack 'C2 a*', 2, length, $_;
103	8				16	$length += length;
104						}
105	4				14	return pack 'C2 a* a*', 0x30, $length, @part;
106						}
107
108						sub _ASN1decode {
109	2		2		7	my ( $asn1, $size ) = @_;
110	2				9	my $n = unpack 'x3 C', $asn1;
111	2				10	my $m = unpack "x5 x$n C", $asn1;
112	2				11	my @part = unpack "x4 a$n x2 a$m", $asn1;
113	2				7	return pack 'a* a', map { substr( pack( "x$size a", $_ ), -$size ) } @part;
	4				41
114						}
115
116
117						1;
118
119						__END__