SignerFilter

From Crypto++ Wiki
Jump to navigation Jump to search
SignerFilter
Documentation
#include <cryptopp/filters.h>

SignerFilter is used to create a signature over a message using Crypto++ pipelines. The counterpart to a SignerFilter is a SignatureVerificationFilter.

The SignerFilter takes a pointer to a BufferedTransformation. Because a pointer is taken, the SignerFilter owns the attached transformation, and therefore will destroy it. See ownership for more details.

Sources, filters and sinks are discussed at Pipelining. The pipeline article explains the design and shows you how to use them.

Construction

SignerFilter(RandomNumberGenerator &rng,
             const PK_Signer &signer,
             BufferedTransformation *attachment=NULL,
             bool putMessage=false)

rng is a cryptographically secure random number generator. Some signature schemes, such as the Digital Signature Algorithm, require a random, per message value. If the scheme in use does not require a random source, use the NullRng() declared in cryptlib.h. See the cryptlib.h File Reference.

signer is a PK_Signer-derived object. Each signature scheme supplies its own signer which implements the signing algorithm.

attachment is a BufferedTransformation, such as another filter or sink. If attachment is NULL, then the SignerFilter object will internally accumulate the output byte stream.

putMessage controls whether the message is placed in the attached BufferedTransormation (which is usually a Sink). If putMessage = false, the message is not part of the signature. When verification occurs, message+signature would be presented to the verifier (most likely a SignatureVerificationFilter). If putMessage = true, the signature is prepended to the message. In this case, only signature would be presented to the verifier since signature is actually a concatenation of the message and signature.

When using a signature scheme with recovery, such as PSSR, putMessage should be specified as true. If putMessage is left at its default value for a recovery scheme, the message will not be interleaved into the signature using its redundancy function. See, for example, Signature with recovery problem.

Sample Program

The following code loads a private key and then signs a message. The byte array representing the pair { message, signature } would be sent for verification. The party performing the verification must have the public key associated with the private key.

In the DSA example below, only the signature on the message will be placed in signature since putMessage = false.

////////////////////////////////////////////////////
// Generate or Load keys
DSA::PrivateKey privateKey = ...;

string message="Digital Signature", signature;

DSA::Signer signer(privateKey);
StringSource ss(message, true, 
    new SignerFilter(rng, signer,
        new StringSink(signature)
    ) // SignerFilter
); // StringSource

The example below is from RSA Signature Schemes. The sample demonstrates signing and recovery with putMessage = true. signature will include both the message and the signature.

////////////////////////////////////////////////////
// Generate or Load keys
RSA::PrivateKey privateKey = ...;
RSA::PublicKey publicKey = ...; 

////////////////////////////////////////////////////
// Setup
string message = "RSA-PSSR Test";
string signature, recovered;    

////////////////////////////////////////////////////
// Sign and Encode
RSASS<PSSR, SHA1>::Signer signer(privateKey);

StringSource ss1(message, true, 
    new SignerFilter(rng, signer,
        new StringSink(signature),
        true // putMessage for recovery
   ) // SignerFilter
); // StringSource

////////////////////////////////////////////////////
// Verify and Recover
RSASS<PSSR, SHA1>::Verifier verifier(publicKey);

StringSource ss2(signature, true,
    new SignatureVerificationFilter(
        verifier,
        new StringSink(recovered),
        THROW_EXCEPTION | PUT_MESSAGE
   ) // SignatureVerificationFilter
); // StringSource

////////////////////////////////////////////////////
// The SignatureVerificationFilter did not
// throw an exception. Use recovered as expected.
cout << "Verified signature on message" << endl;

Bouncy Castle

If you are using Bouncy Castle and need to recover the signature under a PSSR scheme, then see Iso9796d2PssSigner class in the Org.BouncyCastle.Crypto.Signers namespace. Also see BouncyCastle RSA Probabilistic Signature Scheme with Recovery on Stack Overflow.

Downloads

DSA-Test.zip Crypto++ DSA sample program - 5KB

RSA-SSA-Filter-Test.zip - Demonstrates RSA-SSA (Appendix) using SignerFilter - 5KB

RSA-PSSR-Filter-Test.zip - Demonstrates RSA-PSSR (Recovery) using SignerFilter - 5KB