1 /**
2  * @license
3  * Copyright 2016 Google Inc. All rights reserved.
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *   http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 // TODO(bleichen):
18 // - add tests for SHA1WithDSA with wrong key
19 // - add tests for "alternative" algorithm names
20 // - convert tests for deterministic DSA variants.
21 //   Deterministic DSA has a few new drawbacks:
22 //     * implementation flaws that generate k incorrectly can leak
23 //       the key if multiple implementations (e.g. one correct, one incorrect)
24 //       are used.
25 //     * timing attacks are more serious if the attacker can ask for the same
26 //       signature multiple times, since this allows more accurate timing measurements.
27 package com.google.security.wycheproof;
28 
29 import com.google.security.wycheproof.WycheproofRunner.ExcludedTest;
30 import com.google.security.wycheproof.WycheproofRunner.ProviderType;
31 import com.google.security.wycheproof.WycheproofRunner.SlowTest;
32 // Android-removed: Android doesn't support JMX
33 // import java.lang.management.ManagementFactory;
34 // import java.lang.management.ThreadMXBean;
35 import java.math.BigInteger;
36 import java.security.GeneralSecurityException;
37 import java.security.KeyFactory;
38 import java.security.KeyPair;
39 import java.security.KeyPairGenerator;
40 import java.security.MessageDigest;
41 import java.security.NoSuchAlgorithmException;
42 import java.security.PublicKey;
43 import java.security.Signature;
44 import java.security.SignatureException;
45 import java.security.interfaces.DSAParams;
46 import java.security.interfaces.DSAPrivateKey;
47 import java.security.interfaces.DSAPublicKey;
48 import java.security.spec.DSAPrivateKeySpec;
49 import java.security.spec.DSAPublicKeySpec;
50 import java.util.Arrays;
51 import javax.crypto.Cipher;
52 import junit.framework.TestCase;
53 
54 /**
55  * Tests DSA against invalid signatures. The motivation for this test is the DSA implementation in
56  * gpg4browsers. This implementation accepts signatures with r=1 and s=0 as valid.
57  *
58  * @author bleichen@google.com (Daniel Bleichenbacher)
59  */
60 public class DsaTest extends TestCase {
61   static final String MESSAGE = "Hello"; // NOTE(review): presumably the message the vectors below sign; confirm in the tests
62 
63   static final DSAPrivateKeySpec privateKey1 =
64       new DSAPrivateKeySpec(
65           // x: the private key. It is published in this source file, so the key is for tests only.
66           new BigInteger("15382583218386677486843706921635237927801862255437148328980464126979"),
67           // p: the prime modulus (a 617-digit decimal literal, i.e. 2048 bits)
68           new BigInteger(
69               "181118486631420055711787706248812146965913392568235070235446058914"
70                   + "1170708161715231951918020125044061516370042605439640379530343556"
71                   + "4101919053459832890139496933938670005799610981765220283775567361"
72                   + "4836626483403394052203488713085936276470766894079318754834062443"
73                   + "1033792580942743268186462355159813630244169054658542719322425431"
74                   + "4088256212718983105131138772434658820375111735710449331518776858"
75                   + "7867938758654181244292694091187568128410190746310049564097068770"
76                   + "8161261634790060655580211122402292101772553741704724263582994973"
77                   + "9109274666495826205002104010355456981211025738812433088757102520"
78                   + "562459649777989718122219159982614304359"),
79           // q: the sub-prime (224 bits); valid r and s must lie strictly between 0 and q
80           new BigInteger("19689526866605154788513693571065914024068069442724893395618704484701"),
81           // g: the base (generator)
82           new BigInteger(
83               "2859278237642201956931085611015389087970918161297522023542900348"
84                   + "0877180630984239764282523693409675060100542360520959501692726128"
85                   + "3149190229583566074777557293475747419473934711587072321756053067"
86                   + "2532404847508798651915566434553729839971841903983916294692452760"
87                   + "2490198571084091890169933809199002313226100830607842692992570749"
88                   + "0504363602970812128803790973955960534785317485341020833424202774"
89                   + "0275688698461842637641566056165699733710043802697192696426360843"
90                   + "1736206792141319514001488556117408586108219135730880594044593648"
91                   + "9237302749293603778933701187571075920849848690861126195402696457"
92                   + "4111219599568903257472567764789616958430"));
93 
94   static final DSAPublicKeySpec publicKey1 =
95       new DSAPublicKeySpec(
             // Public half of the test key, in constructor order: y first, then the domain
             // parameters p, q, g, which are read from privateKey1 so both specs share one set.
             // NOTE(review): y is expected to equal g^x mod p for privateKey1's x; this
             // declaration does not check that.
96           new BigInteger(
97               "3846308446317351758462473207111709291533523711306097971550086650"
98                   + "2577333637930103311673872185522385807498738696446063139653693222"
99                   + "3528823234976869516765207838304932337200968476150071617737755913"
100                   + "3181601169463467065599372409821150709457431511200322947508290005"
101                   + "1780020974429072640276810306302799924668893998032630777409440831"
102                   + "4314588994475223696460940116068336991199969153649625334724122468"
103                   + "7497038281983541563359385775312520539189474547346202842754393945"
104                   + "8755803223951078082197762886933401284142487322057236814878262166"
105                   + "5072306622943221607031324846468109901964841479558565694763440972"
106                   + "5447389416166053148132419345627682740529"),
107           privateKey1.getP(),
108           privateKey1.getQ(),
109           privateKey1.getG());
110 
111   // Valid signatures for key 1 (privateKey1/publicKey1), as hex of the DER encoding
      // SEQUENCE { INTEGER r, INTEGER s }. Here r is 28 bytes and s is 28 bytes behind a leading
      // 00 sign byte, which matches the 224-bit q of the key.
112   static final String[] VALID_SIGNATURES = {
113     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
114         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
115   };
116 
117   /**
118    * The following test vectors are derived from a valid signature by
119    * using alternative BER encoding as well as legacy formats.
       * Every vector keeps the r and s bytes of the signature in VALID_SIGNATURES and changes
       * only the ASN.1 framing around them, so a verifier that accepts these vectors admits
       * several byte strings for one and the same signature.
120    * Accepting such signatures is in many cases benign. Hence the tests
121    * below will pass if such signatures are accepted as valid.
122    * The test vectors could be used to check for signature malleability.
123    * An example where this kind of signature malleability was a problem is
124    * https://en.bitcoin.it/wiki/Transaction_Malleability
125    */
126   static final String[] MODIFIED_SIGNATURES = {
127     // BER: long-form length (0x81 nn) on the SEQUENCE, on r and on s in turn; DER uses short form
128     "30813d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
129         + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
130     "303e02811c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
131         + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
132     "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
133         + "02811d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
134     // BER: two-byte length with a leading zero byte (0x82 00 nn), on the SEQUENCE, r and s in turn
135     "3082003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
136         + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
137         + "36",
138     "303f0282001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
139         + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
140         + "36",
141     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
142         + "0282001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
143         + "36",
144     // BER: two extra leading 00 bytes on r, then on s (non-minimal INTEGER encoding)
145     "303f021e00001e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
146         + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
147         + "36",
148     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
149         + "021f000000ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
150         + "36",
151     // The Sun provider accepts DSA signatures where a leading 00 has
152     // been omitted in the ASN encoding.
        // Here s starts with 0xad, so read as a two's-complement INTEGER it would be negative;
        // accepting the vector means the bytes were interpreted as unsigned.
153     "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
154         + "021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
155   };
156 
157   /**
158    * The following test vectors are invalid DSA signatures.
159    * According to {@link java.security.Signature#verify(byte[])} verifying an invalid
160    * signature may either return false or throw a SignatureException.
161    * We expect that a correct implementation of DSA signatures satisfies this contract.
162    * Throwing a RuntimeException instead of a SignatureException could for example
163    * result in a denial of service attack.
164    *
165    * <p>A list of problems that are caught by these signatures:
166    * <ul><li>CVE-2016-5546: OpenJDK8 threw java.lang.ArrayIndexOutOfBoundsException for
167    * some invalid DSA signatures.</li>
168    * </ul>
169    */
170   static final String[] INVALID_SIGNATURES = {
171     // wrong length
172     "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
173         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
174     "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
175         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
176     "303d021d1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
177         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
178     "303d021b1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
179         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
180     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
181         + "021e00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
182     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
183         + "021c00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
184     // uint32 overflow in length
185     "3085010000003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916"
186         + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
187         + "e8786236",
188     "30420285010000001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916"
189         + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
190         + "e8786236",
191     "3042021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
192         + "0285010000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
193         + "e8786236",
194     // uint64 overflow in length
195     "308901000000000000003d021c1e41b479ad576905b960fe14eadb91b0ccf348"
196         + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf"
197         + "3365813fe8786236",
198     "3046028901000000000000001c1e41b479ad576905b960fe14eadb91b0ccf348"
199         + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf"
200         + "3365813fe8786236",
201     "3046021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
202         + "028901000000000000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf"
203         + "3365813fe8786236",
204     // length = 2**31 - 1
205     "30847fffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617"
206         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
207         + "786236",
208     "304102847fffffff1e41b479ad576905b960fe14eadb91b0ccf34843dab91617"
209         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
210         + "786236",
211     "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
212         + "02847fffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
213         + "786236",
214     // length = 2**32 - 1
215     "3084ffffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617"
216         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
217         + "786236",
218     "30410284ffffffff1e41b479ad576905b960fe14eadb91b0ccf34843dab91617"
219         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
220         + "786236",
221     "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
222         + "0284ffffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
223         + "786236",
224     // length = 2**64 - 1
225     "3088ffffffffffffffff021c1e41b479ad576905b960fe14eadb91b0ccf34843"
226         + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33"
227         + "65813fe8786236",
228     "30450288ffffffffffffffff1e41b479ad576905b960fe14eadb91b0ccf34843"
229         + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33"
230         + "65813fe8786236",
231     "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
232         + "0288ffffffffffffffff00ade65988d237d30f9ef41dd424a4e1c8f16967cf33"
233         + "65813fe8786236",
234     // removing sequence
235     "",
236     // appending 0's to sequence
237     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
238         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623600"
239         + "00",
240     // prepending 0's to sequence
241     "303f0000021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
242         + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
243         + "36",
244     // appending unused 0's
245     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
246         + "0000021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
247         + "36",
248     // appending null value
249     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
250         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623605"
251         + "00",
252     "303f021e1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
253         + "0500021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
254         + "36",
255     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
256         + "021f00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623605"
257         + "00",
258     // including garbage
259     "3042498177303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916"
260         + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
261         + "e8786236",
262     "30412500303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617"
263         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
264         + "786236",
265     "303f303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
266         + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
267         + "360004deadbeef",
268     "30422221498177021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916"
269         + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
270         + "e8786236",
271     "304122202500021c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617"
272         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
273         + "786236",
274     "3045221e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
275         + "c9cd0004deadbeef021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33"
276         + "65813fe8786236",
277     "3042021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
278         + "2222498177021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
279         + "e8786236",
280     "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
281         + "22212500021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
282         + "786236",
283     "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
284         + "221f021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
285         + "360004deadbeef",
286     // including undefined tags
287     "3045aa00bb00cd00303d021c1e41b479ad576905b960fe14eadb91b0ccf34843"
288         + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33"
289         + "65813fe8786236",
290     "3043aa02aabb303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab9"
291         + "16173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581"
292         + "3fe8786236",
293     "30452224aa00bb00cd00021c1e41b479ad576905b960fe14eadb91b0ccf34843"
294         + "dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33"
295         + "65813fe8786236",
296     "30432222aa02aabb021c1e41b479ad576905b960fe14eadb91b0ccf34843dab9"
297         + "16173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581"
298         + "3fe8786236",
299     "3045021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
300         + "2225aa00bb00cd00021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf33"
301         + "65813fe8786236",
302     "3043021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
303         + "2223aa02aabb021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf336581"
304         + "3fe8786236",
305     // changing tag value
306     "2e3d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
307         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
308     "323d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
309         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
310     "ff3d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
311         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
312     "303d001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
313         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
314     "303d041c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
315         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
316     "303dff1c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
317         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
318     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
319         + "001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
320     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
321         + "041d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
322     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
323         + "ff1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
324     // dropping value of sequence
325     "3000",
326     // using composition
327     "3041300102303c1c1e41b479ad576905b960fe14eadb91b0ccf34843dab91617"
328         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
329         + "786236",
330     "3041222002011e021b41b479ad576905b960fe14eadb91b0ccf34843dab91617"
331         + "3bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
332         + "786236",
333     "3041021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
334         + "2221020100021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8"
335         + "786236",
336     // truncate sequence
337     "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
338         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862",
339     "303c1c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02"
340         + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
341     // indefinite length with no delimiter
342     "3080021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
343         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
344     // prepend empty sequence
345     "303f3000021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
346         + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
347         + "36",
348     // append empty sequence
349     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
350         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623630"
351         + "00",
352     // sequence of sequence
353     "303f303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8"
354         + "c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
355         + "36",
356     // truncated sequence
357     "301e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd",
358     // repeat element in sequence
359     "305c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
360         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623602"
361         + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
362     // removing integer
363     "301f021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
364     // appending 0's to integer
365     "303f021e1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
366         + "0000021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862"
367         + "36",
368     "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
369         + "021f00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe878623600"
370         + "00",
371     // dropping value of integer
372     "30210200021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
373     "3020021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd0200",
374     // modify first byte of integer
375     "303d021c1f41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
376         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
377     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
378         + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
379     // modify last byte of integer
380     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cc"
381         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
382     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
383         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786237",
384     // truncate integer
385     "303c021b1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c902"
386         + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
387     "303c021b41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02"
388         + "1d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
389     "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
390         + "021c00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862",
391     // leading ff in integer
392     "303e021dff1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
393         + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
394     "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
395         + "021eff00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
396     // infinity
397     "3022090180021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
398     "3021021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd090180",
399     // Vectors where r or s have been modified e.g. by adding or subtracting the order of the
400     // group and hence violate the range check for r and s required by DSA.
401     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
402         + "021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93",
403     "303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
404         + "021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9",
405     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
406         + "021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca",
407     "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
408         + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
409     "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33"
410         + "2a021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
411     "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33"
412         + "2a021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93",
413     "303d021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33"
414         + "2a021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9",
415     "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33"
416         + "2a021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca",
417     "303e021d00d9384b2032d060e59848f87cb4535936bc25fa77959e96d7f88e33"
418         + "2a021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
419     "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360"
420         + "70021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
421     "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360"
422         + "70021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93",
423     "303d021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360"
424         + "70021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9",
425     "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360"
426         + "70021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca",
427     "303e021dff634b1dd327de7125da7903ad2163ca2addc096101fd395567ee360"
428         + "70021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
429     "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633"
430         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
431     "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633"
432         + "021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93",
433     "303c021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633"
434         + "021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9",
435     "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633"
436         + "021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca",
437     "303d021ce1be4b8652a896fa469f01eb15246e4f330cb7bc2546e9e8c4473633"
438         + "021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
439     "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
440         + "cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
441     "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
442         + "cd021d0168dcf02f57b0caef7ddc183bee1ca94ee09c1a02ee4b0200a54dcb93",
443     "303d021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
444         + "cd021cf2efc2e24cbedb2fc00c236c5b2d1a430236b59b7880007f2ba2f8d9",
445     "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
446         + "cd021dff5219a6772dc82cf0610be22bdb5b1e370e969830cc9a7ec017879dca",
447     "303e021d011e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9"
448         + "cd021d01ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
449     // Signatures with special case values for r and s. E.g. r=1, s=0 are values that can lead to
450     // forgeries if the DSA implementation does not check boundaries and computes s^(-1) == 0.
451     "3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
452     "3006020100020101",
453     "30060201000201ff",
454     "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
455     "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
456     "3022020100021d0100000000000000000000000000000000000000000000000000000000",
457     "3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e"
458         + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b"
459         + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345"
460         + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f"
461         + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d"
462         + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f"
463         + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de"
464         + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3"
465         + "42be484c05763939601cd667",
466     "3008020100090380fe01",
467     "3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
468     "3006020101020101",
469     "30060201010201ff",
470     "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
471     "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
472     "3022020101021d0100000000000000000000000000000000000000000000000000000000",
473     "3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e"
474         + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b"
475         + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345"
476         + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f"
477         + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d"
478         + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f"
479         + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de"
480         + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3"
481         + "42be484c05763939601cd667",
482     "3008020101090380fe01",
483     "30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
484     "30060201ff020101",
485     "30060201ff0201ff",
486     "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
487     "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
488     "30220201ff021d0100000000000000000000000000000000000000000000000000000000",
489     "308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e"
490         + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b"
491         + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345"
492         + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f"
493         + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d"
494         + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f"
495         + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de"
496         + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3"
497         + "42be484c05763939601cd667",
498     "30080201ff090380fe01",
499     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
500         + "5d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
501     "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100",
502     "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101",
503     "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff",
504     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
505         + "5d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
506     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
507         + "5d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
508     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
509         + "5d021d0100000000000000000000000000000000000000000000000000000000",
510     "30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc"
511         + "d5695d02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718"
512         + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad"
513         + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe"
514         + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8"
515         + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733"
516         + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4"
517         + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04"
518         + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c"
519         + "05763939601cd667",
520     "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01",
521     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
522         + "5e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
523     "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100",
524     "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101",
525     "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff",
526     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
527         + "5e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
528     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
529         + "5e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
530     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
531         + "5e021d0100000000000000000000000000000000000000000000000000000000",
532     "30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc"
533         + "d5695e02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718"
534         + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad"
535         + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe"
536         + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8"
537         + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733"
538         + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4"
539         + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04"
540         + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c"
541         + "05763939601cd667",
542     "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01",
543     "303e021d01000000000000000000000000000000000000000000000000000000"
544         + "00021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
545     "3022021d0100000000000000000000000000000000000000000000000000000000020100",
546     "3022021d0100000000000000000000000000000000000000000000000000000000020101",
547     "3022021d01000000000000000000000000000000000000000000000000000000000201ff",
548     "303e021d01000000000000000000000000000000000000000000000000000000"
549         + "00021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
550     "303e021d01000000000000000000000000000000000000000000000000000000"
551         + "00021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
552     "303e021d01000000000000000000000000000000000000000000000000000000"
553         + "00021d0100000000000000000000000000000000000000000000000000000000",
554     "30820124021d0100000000000000000000000000000000000000000000000000"
555         + "00000002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718"
556         + "e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011ad"
557         + "b8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe"
558         + "696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef8"
559         + "83448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e733"
560         + "8db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4"
561         + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04"
562         + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c"
563         + "05763939601cd667",
564     "3024021d0100000000000000000000000000000000000000000000000000000000090380fe01",
565     "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
566         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
567         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
568         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
569         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
570         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
571         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
572         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
573         + "4c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc"
574         + "451a7f3f432a96a3",
575     "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
576         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
577         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
578         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
579         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
580         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
581         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
582         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
583         + "4c05763939601cd667020100",
584     "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
585         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
586         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
587         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
588         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
589         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
590         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
591         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
592         + "4c05763939601cd667020101",
593     "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
594         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
595         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
596         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
597         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
598         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
599         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
600         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
601         + "4c05763939601cd6670201ff",
602     "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
603         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
604         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
605         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
606         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
607         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
608         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
609         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
610         + "4c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233"
611         + "bae580c0bcd5695d",
612     "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
613         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
614         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
615         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
616         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
617         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
618         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
619         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
620         + "4c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233"
621         + "bae580c0bcd5695e",
622     "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
623         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
624         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
625         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
626         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
627         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
628         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
629         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
630         + "4c05763939601cd667021d010000000000000000000000000000000000000000"
631         + "0000000000000000",
632     "3082020a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
633         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
634         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
635         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
636         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
637         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
638         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
639         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
640         + "4c05763939601cd66702820101008f7935d9b9aae9bfabed887acf4951b6f32e"
641         + "c59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7"
642         + "475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9"
643         + "93453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6"
644         + "291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9f"
645         + "fa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633"
646         + "458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1"
647         + "43de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f8"
648         + "22e342be484c05763939601cd667",
649     "3082010a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
650         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
651         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
652         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
653         + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
654         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
655         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
656         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
657         + "4c05763939601cd667090380fe01",
658     "3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
659     "3008090380fe01020100",
660     "3008090380fe01020101",
661     "3008090380fe010201ff",
662     "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
663     "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
664     "3024090380fe01021d0100000000000000000000000000000000000000000000000000000000",
665     "3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32e"
666         + "c59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7"
667         + "475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9"
668         + "93453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6"
669         + "291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9f"
670         + "fa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633"
671         + "458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1"
672         + "43de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f8"
673         + "22e342be484c05763939601cd667",
674     "300a090380fe01090380fe01",
675   };
676 
/**
 * Verifies every hex-encoded signature in {@code signatures} against {@code message} and counts
 * the outcomes that contradict the two expectation flags.
 *
 * <p>The callers in this file use three flag combinations: (true, true) for signatures that must
 * verify, (false, true) for altered encodings where either outcome is tolerated, and
 * (false, false) for signatures that must never verify. A verifier that accepts an entry of the
 * last kind accepts a signature that the test data marks as invalid.
 *
 * @param signatures hex strings, decoded with {@code TestUtil.hexToBytes}
 * @param key public key the signatures are checked against
 * @param message text that was signed; converted to bytes as UTF-8
 * @param algorithm JCA signature algorithm name passed to {@code Signature.getInstance}
 * @param signatureType label that prefixes each line of diagnostic output
 * @param isValidDER if true, a signature that fails to verify is counted as an error
 * @param isValidBER if false, a signature that verifies is counted as an error
 * @throws Exception if the key or the verifier cannot be set up
 */
@SuppressWarnings("InsecureCryptoUsage")
public void testVectors(
    String[] signatures,
    DSAPublicKeySpec key,
    String message,
    String algorithm,
    String signatureType,
    boolean isValidDER,
    boolean isValidBER)
    throws Exception {
  byte[] data = message.getBytes("UTF-8");
  Signature dsa = Signature.getInstance(algorithm);
  PublicKey verificationKey = KeyFactory.getInstance("DSA").generatePublic(key);
  int failures = 0;
  for (String hex : signatures) {
    byte[] encoded = TestUtil.hexToBytes(hex);
    dsa.initVerify(verificationKey);
    dsa.update(data);
    boolean accepted;
    try {
      accepted = dsa.verify(encoded);
    } catch (SignatureException malformed) {
      // verify may throw SignatureException for a malformed signature. That is not flagged;
      // the signature simply counts as rejected.
      accepted = false;
    } catch (Exception unexpected) {
      // Any other exception points at an internal error, e.g. careless ASN parsing, and is
      // counted as an error without looking at the flags.
      System.out.println(signatureType + ":" + hex + " throws:" + unexpected.toString());
      failures++;
      continue;
    }
    if (!accepted) {
      if (isValidDER) {
        System.out.println(signatureType + " was not verified:" + hex);
        failures++;
      }
    } else if (!isValidBER) {
      System.out.println(signatureType + " was verified:" + hex);
      failures++;
    }
  }
  assertEquals(0, failures);
}
720 
/** Checks that every entry of {@code VALID_SIGNATURES} verifies for the message "Hello". */
public void testValidSignatures() throws Exception {
  final boolean mustVerify = true;
  final boolean mayVerify = true;
  testVectors(
      VALID_SIGNATURES,
      publicKey1,
      "Hello",
      "SHA224WithDSA",
      "Valid DSA signature",
      mustVerify,
      mayVerify);
}
725 
/**
 * Runs the entries of {@code MODIFIED_SIGNATURES} through the verifier. With these flags a
 * signature may be accepted or rejected; only an exception other than SignatureException is
 * counted as an error by {@code testVectors}.
 */
public void testModifiedSignatures() throws Exception {
  final boolean mustVerify = false;
  final boolean mayVerify = true;
  testVectors(
      MODIFIED_SIGNATURES,
      publicKey1,
      "Hello",
      "SHA224WithDSA",
      "Modified DSA signature",
      mustVerify,
      mayVerify);
}
731 
/** Checks that no entry of {@code INVALID_SIGNATURES} verifies for the message "Hello". */
public void testInvalidSignatures() throws Exception {
  final boolean mustVerify = false;
  final boolean mayVerify = false;
  testVectors(
      INVALID_SIGNATURES,
      publicKey1,
      "Hello",
      "SHA224WithDSA",
      "Invalid DSA signature",
      mustVerify,
      mayVerify);
}
737 
738   // Extract the integer r from a DSA signature.
739   // This method implicitly assumes that the DSA signature is DER encoded.
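/**
 * Returns r, the first INTEGER of a DSA signature, after checking the fixed offsets it reads.
 *
 * <p>Only the layout {@code 30 len 02 lenR r... 02 lenS s...} with single-byte lengths is
 * handled. {@code Arrays.copyOfRange} pads with zero bytes when the end index lies past the
 * array, so without the bounds check a truncated signature would yield a wrong r instead of an
 * error.
 *
 * @param signature the encoded signature
 * @return r, read as a two's-complement big-endian integer
 * @throws IllegalArgumentException if the bytes do not have the layout described above
 */
BigInteger extractR(byte[] signature) throws Exception {
  if (signature.length < 4) {
    throw new IllegalArgumentException("DSA signature is too short: " + signature.length);
  }
  // 0x30 = SEQUENCE, 0x02 = INTEGER; a set top bit in the length byte means long form.
  if (signature[0] != 0x30 || (signature[1] & 0x80) != 0 || signature[2] != 0x02) {
    throw new IllegalArgumentException("DSA signature is not a short-form SEQUENCE of INTEGERs");
  }
  // Bytes are signed in Java, so a length byte above 0x7f shows up here as a negative value.
  int lengthR = signature[3];
  if (lengthR <= 0 || 4 + lengthR > signature.length) {
    throw new IllegalArgumentException("Invalid length of r: " + lengthR);
  }
  return new BigInteger(Arrays.copyOfRange(signature, 4, 4 + lengthR));
}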
744 
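/**
 * Returns s, the second INTEGER of a DSA signature, after checking the offsets it reads.
 *
 * <p>Only the layout {@code 30 len 02 lenR r... 02 lenS s...} with single-byte lengths is
 * handled. {@code Arrays.copyOfRange} pads with zero bytes when the end index lies past the
 * array, so without the bounds checks a truncated signature would yield a wrong s instead of an
 * error.
 *
 * @param signature the encoded signature
 * @return s, read as a two's-complement big-endian integer
 * @throws IllegalArgumentException if the bytes do not have the layout described above
 */
BigInteger extractS(byte[] signature) throws Exception {
  if (signature.length < 4) {
    throw new IllegalArgumentException("DSA signature is too short: " + signature.length);
  }
  // 0x30 = SEQUENCE, 0x02 = INTEGER; a set top bit in the length byte means long form.
  if (signature[0] != 0x30 || (signature[1] & 0x80) != 0 || signature[2] != 0x02) {
    throw new IllegalArgumentException("DSA signature is not a short-form SEQUENCE of INTEGERs");
  }
  // Bytes are signed in Java, so a length byte above 0x7f shows up here as a negative value.
  int lengthR = signature[3];
  if (lengthR <= 0) {
    throw new IllegalArgumentException("Invalid length of r: " + lengthR);
  }
  int startS = 4 + lengthR;
  // The tag and length byte of s must both lie inside the array before they are read.
  if (startS + 2 > signature.length || signature[startS] != 0x02) {
    throw new IllegalArgumentException("No INTEGER found for s at offset " + startS);
  }
  int lengthS = signature[startS + 1];
  if (lengthS <= 0 || startS + 2 + lengthS > signature.length) {
    throw new IllegalArgumentException("Invalid length of s: " + lengthS);
  }
  return new BigInteger(Arrays.copyOfRange(signature, startS + 2, startS + 2 + lengthS));
}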
751 
752   /** Extract the k that was used to sign the signature. Validates the k if check == true. */
BigInteger extractK(byte[] signature, BigInteger h, DSAPrivateKey priv, boolean check)
    throws Exception {
  // DSA signing sets s = k^-1 * (h + x*r) mod q. With the private key x at hand the one-time
  // key can therefore be recovered as k = (x*r + h) * s^-1 mod q.
  BigInteger secret = priv.getX();
  BigInteger order = priv.getParams().getQ();
  BigInteger r = extractR(signature);
  BigInteger s = extractS(signature);
  BigInteger numerator = secret.multiply(r).add(h);
  BigInteger k = numerator.multiply(s.modInverse(order)).mod(order);
  if (!check) {
    return k;
  }
  // Recompute r = (g^k mod p) mod q from the recovered k and compare it with the r taken
  // from the signature; a mismatch means h, the key or the parsed values do not fit together.
  BigInteger modulus = priv.getParams().getP();
  BigInteger base = priv.getParams().getG();
  BigInteger recomputed = base.modPow(k, modulus).mod(order);
  assertEquals(r.toString(), recomputed.toString());
  return k;
}
768 
769   /**
770    * Providers that implement SHA1WithDSA but not at least SHA256WithDSA are outdated and should be
771    * avoided even if DSA is currently not used in a project. Such providers promote using a weak
772    * signature scheme. It can also "inspire" developers to use invalid schemes such as SHA1WithDSA
773    * together with 2048-bit key. Such invalid use cases are often untested and can have serious
774    * flaws. For example the SUN provider leaked the private keys with 3 to 5 signatures in such
775    * instances.
776    */
public void testOutdatedProvider() throws Exception {
  Signature legacy;
  try {
    legacy = Signature.getInstance("SHA1WithDSA");
  } catch (NoSuchAlgorithmException ex) {
    // Nothing to complain about when the SHA-1 variant is not offered at all.
    System.out.println("SHA1WithDSA is not supported");
    return;
  }
  try {
    // Only availability is probed; the returned instance is not used.
    Signature.getInstance("SHA256WithDSA");
  } catch (NoSuchAlgorithmException ex) {
    fail("Provider " + legacy.getProvider().getName() + " is outdated and should not be used.");
  }
}
789 
790   /**
791    * This is just a test for basic functionality of DSA. The test generates a public and private
792    * key, generates a signature, verifies it and prints the whole thing out. This test is useful
793    * when an implementation is seriously broken.
794    */
@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE})
@SuppressWarnings("InsecureCryptoUsage")
public void testBasic() throws Exception {
  final int modulusBits = 2048;
  final String signatureAlgorithm = "SHA256WithDSA";
  final String digestName = "SHA-256";
  final String text = "Hello";
  byte[] data = text.getBytes("UTF-8");

  // A fresh key pair is generated on every run.
  KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
  keyGen.initialize(modulusBits);
  KeyPair pair = keyGen.generateKeyPair();
  DSAPublicKey verificationKey = (DSAPublicKey) pair.getPublic();
  DSAPrivateKey signingKey = (DSAPrivateKey) pair.getPrivate();

  // Sign and verify with two independent Signature instances.
  Signature signer = Signature.getInstance(signatureAlgorithm);
  Signature verifier = Signature.getInstance(signatureAlgorithm);
  signer.initSign(signingKey);
  signer.update(data);
  byte[] signature = signer.sign();
  verifier.initVerify(verificationKey);
  verifier.update(data);
  assertTrue(verifier.verify(signature));

  // Values that are only needed for the printout below.
  byte[] rawHash = MessageDigest.getInstance(digestName).digest(data);
  DSAParams domain = signingKey.getParams();

  // Everything is printed so that the output can be turned into new test vectors. That
  // includes the private key: it belongs to the throwaway pair generated above, and this
  // printout must not be produced for a key that is used anywhere else.
  System.out.println("Message:" + text);
  System.out.println("Hash:" + TestUtil.bytesToHex(rawHash));
  System.out.println("Params:");
  System.out.println("p:" + domain.getP().toString());
  System.out.println("q:" + domain.getQ().toString());
  System.out.println("g:" + domain.getG().toString());
  System.out.println("Private key:");
  System.out.println("X:" + signingKey.getX().toString());
  System.out.println("encoded:" + TestUtil.bytesToHex(signingKey.getEncoded()));
  System.out.println("Public key:");
  System.out.println("Y:" + verificationKey.getY().toString());
  System.out.println("encoded:" + TestUtil.bytesToHex(verificationKey.getEncoded()));
  System.out.println("Signature:" + TestUtil.bytesToHex(signature));
  System.out.println("r:" + extractR(signature).toString());
  System.out.println("s:" + extractS(signature).toString());
}
839 
/**
 * Generates a DSA key pair of the requested size and checks the bit lengths of p, q and the
 * private value x.
 *
 * @param keysize requested bit length of p; 1024, 2048 and 3072 are handled, any other value
 *     fails the test
 * @throws Exception if the key pair cannot be generated
 */
@SuppressWarnings("InsecureCryptoUsage")
public void testKeyGeneration(int keysize) throws Exception {
  KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
  keyGen.initialize(keysize);
  DSAPrivateKey priv = (DSAPrivateKey) keyGen.generateKeyPair().getPrivate();
  DSAParams domain = priv.getParams();
  assertEquals(keysize, domain.getP().bitLength());

  // The NIST standard does not fully specify which size of q goes with a given key size, so
  // providers differ: for keysize = 2048 OpenSSL uses 256-bit q's by default while the SUN
  // provider uses 224 bits, and both are acceptable. The checks below only assert that the
  // size of q does not decrease the overall security of the DSA key.
  int qsize = domain.getQ().bitLength();
  if (keysize == 1024) {
    assertTrue("Invalid qsize for 1024 bit key:" + qsize, qsize >= 160);
  } else if (keysize == 2048) {
    assertTrue("Invalid qsize for 2048 bit key:" + qsize, qsize >= 224);
  } else if (keysize == 3072) {
    assertTrue("Invalid qsize for 3072 bit key:" + qsize, qsize >= 256);
  } else {
    fail("Invalid key size:" + keysize);
  }

  // The private key must be about as long as q. GPG4Browsers and the KJUR library derived
  // from it, for example, use q.bitCount() instead of q.bitLength() to size the private key
  // and hence would generate keys that are much too small.
  assertTrue(priv.getX().bitLength() >= qsize - 32);
}
874 
875   /**
876    * Tests the key generation for DSA.
877    *
878    * <p>Problems found:
879    * <ul>
880    * <li> CVE-2016-1000343 BouncyCastle before v.1.56 always generated DSA keys with
881    * a 160-bit q.
882    * </ul>
883    */
@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE})
public void testKeyGenerationAll() throws Exception {
  // testKeyGeneration also handles 3072, but that size is not part of this run.
  for (int keysize : new int[] {1024, 2048}) {
    testKeyGeneration(keysize);
  }
}
889 
890   /**
891    * Checks whether the one time key k in DSA is biased. For example the SUN provider fell for this
892    * test until April 2016.
893    */
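@SuppressWarnings("InsecureCryptoUsage")
@ExcludedTest(
    providers = {ProviderType.BOUNCY_CASTLE},
    comment = "Signature.SHA1WithDSA is removed")
public void testDsaBias() throws Exception {
  // Fixed domain parameters and a fixed, test-only private key x.
  // q is close to 2/3 * 2^160.
  // NOTE(review): presumably q was chosen far from a power of two so that a k obtained by
  // reducing a 160-bit random value modulo q would be visibly skewed; confirm with the author.
  BigInteger q = new BigInteger("974317976835659416858874959372334979171063697271");
  BigInteger p =
      new BigInteger(
          "1106803511314772711673172950296693567629309594518393175860816428"
              + "6658764043763662129010863568011543182924292444458455864283745070"
              + "9908516713302345161980412667892373845670780253725557376379049862"
              + "4062950082444499320797079243439689601679418602390654466821968220"
              + "32212146727497041502702331623782703855119908989712161");
  BigInteger g =
      new BigInteger(
          "1057342118316953575810387190942009018497979302261477972033090351"
              + "7561815639397594841480480197745063606756857212792356354588585967"
              + "3837265237205154744016475608524531648654928648461175919672511710"
              + "4878976887505840764543501512668232945506391524642105449699321960"
              + "32410302985148400531470153936516167243072120845392903");
  BigInteger x = new BigInteger("13706102843888006547723575730792302382646994436");

  KeyFactory kf = KeyFactory.getInstance("DSA");
  DSAPrivateKey priv = (DSAPrivateKey) kf.generatePrivate(new DSAPrivateKeySpec(x, p, q, g));

  // If we make TESTS tests with a fair coin then the probability that
  // either heads or tails appears less than MINCOUNT times is less than
  // 2^{-32}.
  // I.e. 2*sum(binomial(tests,i) for i in range(mincount))*2**32 < 2**tests
  // Therefore the test below is not expected to fail unless the generation
  // of the one time keys is indeed biased.
  final int tests = 1024;
  final int mincount = 410;

  String hashAlgorithm = "SHA";
  String message = "Hello";
  byte[] messageBytes = message.getBytes("UTF-8");
  byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes);
  BigInteger h = new BigInteger(1, digest);

  final BigInteger qHalf = q.shiftRight(1);
  Signature signer = Signature.getInstance("SHA1WithDSA");
  signer.initSign(priv);
  int countLsb = 0; // number of k's with the least significant bit set
  int countMsb = 0; // number of k's in the upper half of the range, i.e. k > q/2
  for (int i = 0; i < tests; i++) {
    signer.update(messageBytes);
    byte[] signature = signer.sign();
    // The recovered k is cross-checked against r for the first ten signatures only.
    BigInteger k = extractK(signature, h, priv, i < 10);
    if (k.testBit(0)) {
      countLsb++;
    }
    // Compare on the sign of compareTo rather than on the exact value 1.
    if (k.compareTo(qHalf) > 0) {
      countMsb++;
    }
  }
  // Both tails are checked: too few and too many hits indicate a bias.
  if (countLsb < mincount || countLsb > tests - mincount) {
    fail("Bias detected in the least significant bit of k:" + countLsb);
  }
  if (countMsb < mincount || countMsb > tests - mincount) {
    fail("Bias detected in the most significant bit of k:" + countMsb);
  }
}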
958 
959   /**
960    * Checks whether CVE-2016-0695 has been fixed. Before the April 2016 security update, the SUN
961    * provider had a serious flaw that leaked the private key with about 3-5 signatures. In
962    * particular, "Sha1WithDSA" always generated 160 bit k's independently of q. Unfortunately, it is
963    * easily possible to use 2048 and 3072 bit DSA keys together with SHA1WithDSA. All a user has to
964    * do is to use the algorithm name "DSA" instead of "SHA256WithDSA" or "SHA224WithDSA".
965    *
966    * <p>An algorithm to extract the key from the signatures has been described for example in the
967    * paper <a href="http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf">Lattice Attacks on
968    * Digital Signature Schemes</a> by N.A. Howgrave-Graham, N.P. Smart.
969    *
970    * <p>This bug is the same as US-CERT: VU # 940388: GnuPG generated ElGamal signatures that leaked
971    * the private key.
972    */
@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE})
@SuppressWarnings("InsecureCryptoUsage")
public void testBiasSha1WithDSA() throws Exception {
  byte[] data = "Hello".getBytes("UTF-8");
  BigInteger h = new BigInteger(1, MessageDigest.getInstance("SHA").digest(data));

  KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
  keyGen.initialize(2048);
  DSAPrivateKey priv = (DSAPrivateKey) keyGen.generateKeyPair().getPrivate();
  // The plain name "DSA" is requested on purpose: it is the algorithm name under which a
  // 2048-bit key ends up being used with SHA-1.
  Signature signer = Signature.getInstance("DSA");
  try {
    // Private key and the algorithm selected by the signer do not match, so throwing an
    // exception at this point would be reasonable.
    signer.initSign(priv);
    signer.update(data);
    byte[] signature = signer.sign();
    int qBits = priv.getParams().getQ().bitLength();
    int kBits = extractK(signature, h, priv, true).bitLength();

    // Now check if k is heavily biased: a k that is more than 32 bits shorter than q fails.
    if (qBits - kBits > 32) {
      fail("Severly biased DSA signature:" + " len(q)=" + qBits + " len(k)=" + kBits);
    }
  } catch (GeneralSecurityException ex) {
    // The key is invalid for this algorithm, hence getting here is reasonable.
  }
}
1011 
1012   /**
1013    * This test checks for potential of a timing attack. The test generates a number of signatures,
1014    * selects a fraction of them with a small timing and then compares the values k for the selected
1015    * signatures with a normal distribution. The test fails if these ks are much smaller than
1016    * expected. An implementation flaw that can lead to a test failure is to compute the signature
1017    * with a modular exponentiation with a runtime that depends on the length of the exponent.
1018    *
1019    * <p>A failing test simply means that the timing can be used to get information about k. Further
1020    * analysis is necessary to determine if the bias is exploitable and how many timings are
1021    * necessary for an attack. A passing test does not mean that the implementation is secure against
1022    * timing attacks. The test only catches relatively big timing differences. It requires high
1023    * confidence to fail. Noise on the test machine can prevent a relation between timing and k
1024    * from being detected.
1025    *
1026    * <p>Claims of what is exploitable: http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf 30
1027    * signatures are sufficient to find the private key if the attacker knows 8 bits of each k.
1028    * http://eprint.iacr.org/2004/277.pdf 27 signatures are sufficient if 8 bits of each k is known.
1029    * Our own old experiments (using 1GB memory on a Pentium-4? CPU): 2^11 signatures are sufficient
1030    * with a 3 bit leakage. 2^15 signatures are sufficient with a 2 bit leakage. 2^24 signatures are
1031    * sufficient with a 1 bit leakage. Estimate for biased generation in the NIST standard: e.g. 2^22
1032    * signatures, 2^40 memory, 2^64 time
1033    *
1034    * <p><b>Sample output for the SUN provider:</b> <code>
1035    * count:50000 cutoff:4629300 relative average:0.9992225872624547 sigmas:0.3010906585642381
1036    * count:25000 cutoff:733961 relative average:0.976146066585879 sigmas:6.532668708070148
1037    * count:12500 cutoff:688305 relative average:0.9070352192339134 sigmas:18.00255238454385
1038    * count:6251 cutoff:673971 relative average:0.7747148791368986 sigmas:30.850903417893825
1039    * count:3125 cutoff:667045 relative average:0.5901994097874541 sigmas:39.67877152897901
1040    * count:1563 cutoff:662088 relative average:0.4060286694971057 sigmas:40.67294313795137
1041    * count:782 cutoff:657921 relative average:0.2577955312387898 sigmas:35.94906247333319
1042    * count:391 cutoff:653608 relative average:0.1453438859272699 sigmas:29.271192100879457
1043    * count:196 cutoff:649280 relative average:0.08035497211567771 sigmas:22.300206785132406
1044    * count:98 cutoff:645122 relative average:0.05063589092661368 sigmas:16.27820353139225
1045    * count:49 cutoff:641582 relative average:0.018255560447883384 sigmas:11.903018745467488
1046    * count:25 cutoff:638235 relative average:0.009082660721102722 sigmas:8.581595888660086
1047    * count:13 cutoff:633975 relative average:0.0067892346039088326 sigmas:6.20259924188633
1048    * </code>
1049    *
1050    * <p><b>What this shows:</b> The first line uses all 50'000 signatures. The average k of these
1051    * signatures is close to the expected value q/2. Being more selective gives us signatures with a
1052    * more biased k. For example, the 196 signatures with the fastest timing have about a 3-bit bias.
1053    * From this we expect that 2^19 signatures and timings are sufficient to find the private key.
1054    *
1055    * <p>A list of problems caught by this test:
1056    * <ul>
1057    * <li> CVE-2016-5548 OpenJDK8's DSA is vulnerable to timing attacks.
1058    * <li> CVE-2016-1000341 BouncyCastle before v 1.56 is vulnerable to timing attacks.
1059    * </ul>
1060    */
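@SlowTest(providers = {ProviderType.BOUNCY_CASTLE, ProviderType.OPENJDK,
  ProviderType.SPONGY_CASTLE})
@SuppressWarnings("InsecureCryptoUsage")
public void testTiming() throws Exception {
  // The disabled code below signs the same message 50000 times with a 1024-bit DSA key,
  // records the per-signature CPU time from ThreadMXBean, and then looks at the fastest
  // signatures: if the average nonce k of any such subset lies 7 or more standard deviations
  // below q/2, the test fails. The comparison is one-sided, so only a k that is smaller than
  // expected for fast signatures is reported.
  //
  // All of that depends on JMX, so in this copy nothing is measured and the method would
  // otherwise return normally and be counted as a pass. A pass here therefore says nothing
  // about whether the provider's DSA signing time depends on k.
  //
  // Android-added: make the skipped measurement visible in the test output, in the same way
  // the disabled code reports an unsupported getCurrentThreadCpuTime.
  System.out.println("testTiming: JMX is not supported. Skipping");
  // BEGIN Android-removed: Android doesn't support JMX
  /*
  ThreadMXBean bean = ManagementFactory.getThreadMXBean();
  if (!bean.isCurrentThreadCpuTimeSupported()) {
    System.out.println("getCurrentThreadCpuTime is not supported. Skipping");
    return;
  }
  String hashAlgorithm = "SHA-1";
  String message = "Hello";
  byte[] messageBytes = message.getBytes("UTF-8");
  byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes);
  BigInteger h = new BigInteger(1, digest);
  KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("DSA");
  generator.initialize(1024);
  KeyPair keyPair = generator.generateKeyPair();
  DSAPrivateKey priv = (DSAPrivateKey) keyPair.getPrivate();
  Signature signer = Signature.getInstance("SHA1WITHDSA");
  signer.initSign(priv);
  // The timings below are quite noisy. Thus we need a large number of samples.
  int samples = 50000;
  long[] timing = new long[samples];
  BigInteger[] k = new BigInteger[samples];
  for (int i = 0; i < samples; i++) {
    long start = bean.getCurrentThreadCpuTime();
    signer.update(messageBytes);
    byte[] signature = signer.sign();
    timing[i] = bean.getCurrentThreadCpuTime() - start;
    k[i] = extractK(signature, h, priv, false);
  }
  long[] sorted = Arrays.copyOf(timing, timing.length);
  Arrays.sort(sorted);
  // Here we are only interested in roughly the 8 most significant bits of the ks.
  // Hence, using double is sufficiently precise.
  double q = priv.getParams().getQ().doubleValue();
  double expectedAverage = q / 2;
  double maxSigmas = 0;
  System.out.println("testTiming: SHA1WITHDSA");
  for (int idx = samples - 1; idx > 10; idx /= 2) {
    long cutoff = sorted[idx];
    int count = 0;
    double total = 0;
    for (int i = 0; i < samples; i++) {
      if (timing[i] <= cutoff) {
        total += k[i].doubleValue();
        count += 1;
      }
    }
    double expectedStdDev = q / Math.sqrt(12 * count);
    double average = total / count;
    // Number of standard deviations that the average is away from
    // the expected value:
    double sigmas = (expectedAverage - average) / expectedStdDev;
    if (sigmas > maxSigmas) {
      maxSigmas = sigmas;
    }
    System.out.println(
        "count:"
            + count
            + " cutoff:"
            + cutoff
            + " relative average:"
            + (average / expectedAverage)
            + " sigmas:"
            + sigmas);
  }
  // Checks if the signatures with a small timing have a biased k.
  // We use 7 standard deviations, so that the probability of a false positive is smaller
  // than 10^{-10}.
  if (maxSigmas >= 7) {
    fail("Signatures with short timing have a biased k");
  }
  */
  // END Android-removed: Android doesn't support JMX
}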
1139 
1140   /**
1141    * DSA does not allow encryption. This test verifies that a provider does not implement an ad hoc
1142    * scheme that attempts to turn DSA into a public key encryption scheme.
1143    */
@SuppressWarnings("InsecureCryptoUsage")
public void testEncryptionWithDsa() throws Exception {
  // DSA is a signature scheme only. A provider that returns a Cipher for the name "DSA" is
  // offering an encryption construction of its own making, so getting one back is a failure.
  Cipher dsaCipher;
  try {
    dsaCipher = Cipher.getInstance("DSA");
  } catch (NoSuchAlgorithmException expected) {
    // The provider does not offer DSA as a cipher, which is the required outcome.
    return;
  }
  // Name the offending provider in the failure message so it can be identified from the log.
  String providerName = dsaCipher.getProvider().toString();
  fail("DSA must not be used as a cipher:" + providerName);
}
1153 }
1154