"Finite Field Arithmetic." Chapter 20: "Litmus", a Peh-Powered Verifier for GPG Signatures.

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20_litmus.kv.vpatch.

As of Chapter 20, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

cd ffacalc
gprbuild

... and install it to a path visible in your shell (e.g. /usr/bin.)


The subject of this chapter is Litmus: a simple and practical demonstration program powered by Peh. It is expected to work on all reasonable Unix-like systems, so long as the required command-line utilities (see EXTERNALS) are present.

Litmus verifies traditional GPG public key signatures (presently, only of the "detached" type, with RSA and SHA512 hash -- the optimal knob settings available in GPG) and is suitable for use in e.g. Vtronics.

The source code of Litmus appears below in its entirety:


litmus.sh:

#!/bin/sh
 
############################################################################
# 'Litmus' Utility. Verifies traditional GPG RSA signatures using Peh.     #
#                                                                          #
# Usage: ./litmus.sh publickey.peh signature.sig datafile                  #
#                                                                          #
# Currently, supports only RSA 'detached' signatures that use SHA512 hash. #
# See instructions re: converting traditional GPG public keys for use with #
# this program.                                                            #
#                                                                          #
# Peh, xxd, hexdump, shasum, and a number of common utils (see EXTERNALS)  #
# must be present on your machine.                                         #
#                                                                          #
# (C) 2020 Stanislav Datskovskiy ( www.loper-os.org )                      #
# http://wot.deedbot.org/17215D118B7239507FAFED98B98228A001ABFFC7.html     #
#                                                                          #
# You do not have, nor can you ever acquire the right to use, copy or      #
# distribute this software ; Should you use this software for any purpose, #
# or copy and distribute it to anyone or in any manner, you are breaking   #
# the laws of whatever soi-disant jurisdiction, and you promise to         #
# continue doing so for the indefinite future. In any case, please         #
# always : read and understand any software ; verify any PGP signatures    #
# that you use - for any purpose.                                          #
############################################################################
 
# External programs that are required (if not found, will eggog) :
EXTERNALS="peh xxd hexdump base64 shasum cut tr sed wc grep printf"
 
 
# Return Codes:
 
# Signature is VALID for given Sig, Data File, and Public Key:
RET_VALID_SIG=0
 
# Signature is INVALID:
RET_BAD_SIG=1
 
# All Other Cases:
RET_EGGOG=-1
 
 
# Terminations:
 
# Success (Valid RSA signature) :
done_sig_valid() {
    echo "VALID $pubkey_algo signature from $pubkey_owner"
    exit $RET_VALID_SIG
}
 
# Failure (INVALID RSA signature) :
done_sig_bad() {
    echo "Signature is INVALID for this public key and input file!"
    exit $RET_BAD_SIG
}
 
# Failure in decoding 'GPG ASCII armour' :
eggog_sig_armour() {
    echo "$SIGFILE could not decode as a GPG ASCII-Armoured Signature!" >&2
    exit $RET_EGGOG
}
 
# Failure from corrupt signature :
eggog_sig_corrupt() {
    echo "$SIGFILE is corrupt!" >&2
    exit $RET_EGGOG
}
 
 
# Failure from bad Peh :
eggog_peh() {
    echo "EGGOG in executing Peh tape! Please check Public Key." >&2
    exit $RET_EGGOG
}
 
 
# Number of Arguments required by this program:
REQD_ARGS=3
 
# If invalid arg count, print usage and abort:
if [ "$#" -ne $REQD_ARGS ]; then
    echo "Usage: $0 publickey.peh signature.sig datafile"
    exit $RET_EGGOG
fi
 
 
# We only support SHA512. Parameters for it:
HASHER="shasum -a 512 -b"
 
# For 'PKCS' encoding, the ASN magic turd corresponding to SHA512:
ASN="3051300D060960864801650304020305000440"
ASN_LEN=$((${#ASN} / 2))
MD_LEN=64 # 512 / 8 == 64 bytes
 
 
# Minimal Peh Width (used for non-arithmetical ops, e.g. 'Owner')
MIN_PEH_WIDTH=256
 
 
# The given public key file (a Peh tape, see docs)
PUBFILE=$1
 
# The given Detached GPG Signature file to be verified
SIGFILE=$2
 
# The given Data file to be verified against the Signature
DATAFILE=$3
 
# Verify that each of the given input files exists:
FILES=($PUBFILE $SIGFILE $DATAFILE)
for f in ${FILES[@]}; do
    if ! [ -f $f ]; then
        echo "$f does not exist!" >&2
        exit $RET_EGGOG
    fi
done
 
# Calculate length of the pubkey file:
PUBFILE_LEN=$(wc -c $PUBFILE | cut -d ' ' -f1)
 
 
# Peh's Return Codes
PEH_YES=1
PEH_NO=0
PEH_MU=255
PEH_EGGOG=254
 
# Execute given Peh tape, with given FFA Width and Height,
# on top of the pubkey tape; returns output in $peh_res and $peh_code.
run_peh_tape() {
    # The tape itself
    tape=$1
 
    # FFA Width for the tape
    peh_width=$2
 
    # FFA Stack Height for the tape
    peh_height=$3
 
    # Compute the length of the given tape
    tape_len=${#tape}
 
    # Add the length of the Public Key tape to the above
    tape_len=$(($tape_len + $PUBFILE_LEN))
 
    # Max Peh Life for all such tapes
    peh_life=$(($tape_len * 2))
 
    # Execute the tape:
    peh_res=$((cat $PUBFILE; echo $tape) | \
        peh $peh_width $peh_height $tape_len $peh_life);
    peh_code=$?
 
    # # If Peh returned PEH_EGGOG:
    if [ $peh_code -eq $PEH_EGGOG ]
    then
        # Abort: likely, coarse error of pilotage in the public key tape.
        eggog_peh
    fi
}
 
# Ask the public key about the Owner:
run_peh_tape "@Algo!QY" $MIN_PEH_WIDTH 1
pubkey_algo=$peh_res
 
# Ask the public key about Algo Type:
run_peh_tape "@Owner!QY" $MIN_PEH_WIDTH 1
pubkey_owner=$peh_res
 
# The only supported algo is GPG RSA:
if [ "$pubkey_algo" != "GPG RSA" ]
then
    echo "This public key specifies algo '$pubkey_algo';" >&2
    echo "The only algo supported is 'GPG RSA' !" >&2
    exit $RET_EGGOG
fi
 
# Verify that all of the necessary external programs in fact exist:
for i in $EXTERNALS
do
    command -v $i >/dev/null && continue || \
        { echo "$i is required but was not found! Please install it."; \
        exit $RET_EGGOG; }
done
 
# 'ASCII-Armoured' PGP signatures have mandatory start and end markers:
START_MARKER="\-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-"
END_MARKER="\-\-\-\-\-END PGP SIGNATURE\-\-\-\-\-"
 
# Determine start and end line positions for payload:
start_ln=$(grep -m 1 -n "$START_MARKER" $SIGFILE | cut -d ':' -f1)
end_ln=$(grep -m 1 -n "$END_MARKER" $SIGFILE | cut -d ':' -f1)
 
# Both start and end markers must exist :
if [ "$start_ln" == "" ] || [ "$end_ln" == "" ]
then
    echo "$SIGFILE does not contain ASCII-armoured PGP Signature!" >&2
    exit $RET_EGGOG
fi
 
# Discard the markers:
start_ln=$(($start_ln + 1))
end_ln=$(($end_ln - 1))
 
# If there is no payload, or the markers are misplaced, abort:
if [ $start_ln -ge $end_ln ]
then
    eggog_sig_armour
fi
 
# Extract sig payload:
sig_payload=$(sed -n "$start_ln,$end_ln p" < $SIGFILE | \
    sed -n "/^Version/!p" | sed -n "/^=/!p" | tr -d " \t\n\r")
 
# If eggog -- abort:
if [ $? -ne 0 ]
then
    eggog_sig_armour
fi
 
# Obtain the sig bytes:
sig_bytes=($(echo $sig_payload | base64 -d | hexdump -ve '1/1 "%.2x "'))
 
# If eggog -- abort:
if [ $? -ne 0 ]
then
    eggog_sig_armour
fi
 
# Number of bytes in the sig file
sig_len=${#sig_bytes[@]}
 
 
# Test that certain fields in the Sig have their mandatory value
sig_field_mandatory() {
    f_name=$1
    f_value=$2
    f_mandate=$3
    if [ "$f_value" != "$f_mandate" ]
    then
        reason="$f_name must equal $f_mandate; instead is $f_value."
        echo "$SIGFILE is UNSUPPORTED : $reason" >&2
        echo "Only RSA and SHA512 hash are supported !" >&2
        exit $RET_EGGOG
    fi
}
 
 
# Starting Position for get_sig_bytes()
sig_pos=0
 
# Extract given # of sig bytes from the current sig_pos; advance sig_pos.
get_sig_bytes() {
    # Number of bytes requested
    count=$1
 
    # Result: $count bytes from current $sig_pos (contiguous hex string)
    r=$(echo ${sig_bytes[@]:$sig_pos:$count} | sed "s/ //g" | tr 'a-z' 'A-Z')
 
    # Advance $sig_pos by $count:
    sig_pos=$(($sig_pos + $count))
 
    # If more bytes were requested than were available in sig_bytes:
    if [ $sig_pos -gt $sig_len ]
    then
        # Abort. The signature was mutilated somehow.
        eggog_sig_corrupt
    fi
}
 
# Convert the current sig component to integer
hex_to_int() {
    r=$((16#$r))
}
 
# Turd to be composed of certain values from the sig, per RFC4880.
# Final hash will run on the concatenation of DATAFILE and this turd.
turd=""
 
## Parse all of the necessary fields in the GPG Signature:
 
# CTB (must equal 0x89)
get_sig_bytes 1
sig_ctb=$r
sig_field_mandatory "Version" $sig_ctb 89
 
# Length
get_sig_bytes 2
hex_to_int
sig_length=$r
 
# Version (only Version 4 -- what GPG 1.4.x outputs -- is supported)
get_sig_bytes 1
turd+=$r
sig_version=$r
sig_field_mandatory "Version" $sig_version 04
 
# Class (only class 0 is supported)
get_sig_bytes 1
turd+=$r
sig_class=$r
sig_field_mandatory "Class" $sig_class 00
 
# Public Key Algo (only RSA is supported)
get_sig_bytes 1
turd+=$r
sig_pk_algo=$r
sig_field_mandatory "Public Key Algo" $sig_pk_algo 01
 
# Digest Algo (only SHA512 is supported)
get_sig_bytes 1
turd+=$r
sig_digest_algo=$r
sig_field_mandatory "Digest Algo" $sig_digest_algo 0A
 
# Hashed Section Length
get_sig_bytes 2
turd+=$r
hex_to_int
sig_hashed_len=$r
 
# Hashed Section (typically: timestamp)
get_sig_bytes $sig_hashed_len
turd+=$r
sig_hashed=$r
 
# Unhashed Section Length
get_sig_bytes 1
hex_to_int
sig_unhashed_len=$r
 
# Unhashed Section (discard)
get_sig_bytes $sig_unhashed_len
 
# Compute Byte Length of Hashed Header (for last field)
hashed_header_len=$((${#turd} / 2))
 
# Final section of the hashed turd (not counted in hashed_header_len)
turd+=$sig_version
turd+="FF"
turd+=$(printf "%08x" $hashed_header_len)
 
# Compute the hash of data file and the hashed appendix from sig :
hash=$((cat $DATAFILE; xxd -r -p < << $turd) | $HASHER | cut -d ' ' -f1)
# Convert to upper case
hash=$(echo $hash | tr 'a-z' 'A-Z')
 
# Parse the RSA Signature portion of the Sig file:
 
# RSA Packet Length (how many bytes to read)
get_sig_bytes 1
hex_to_int
rsa_packet_len=$r
 
# The RSA Packet itself
get_sig_bytes $rsa_packet_len
rsa_packet=$r
 
# Digest Prefix (2 bytes)
get_sig_bytes 2
digest_prefix=$r
 
# See whether it matches the first two bytes of the actual computed hash :
computed_prefix=$(printf "%.4s" $hash)
 
if [ "$digest_prefix" != "$computed_prefix" ]
then
    # It didn't match, so we can return 'bad signature' immediately:
    done_sig_bad
fi
 
# If prefix matched, we will proceed to do the actual RSA operation.
 
# RSA Bitness given in Sig
get_sig_bytes 2
hex_to_int
rsa_bitness=$r
 
# Compute RSA Byteness from the above
rsa_byteness=$((($rsa_bitness + 7) / 8))
 
# RSA Bitness for use in determining required Peh width:
rsa_width=$(($rsa_byteness * 8))
 
# Only traditional GPG RSA widths are supported:
if [ $rsa_width != 2048 ] && [ $rsa_width != 4096 ] && [ $rsa_width != 8192 ]
then
    reason="Only 2048, 4096, and 8192-bit RSA are supported."
    echo "$SIGFILE is UNSUPPORTED : $reason" >&2
    exit $RET_EGGOG
fi
 
# RSA Signature per se (final item read from sig file)
get_sig_bytes $rsa_byteness
rsa_sig=$r
 
# Per RFC4880, 'PKCS' encoding of hash is as follows:
# 0 1 [PAD] 0 [ASN] [MD]
 
# First two bytes of PKCS-encoded hash will always be 00 01 :
pkcs="0001"
 
# Compute necessary number of padding FF bytes :
pkcs_pad_bytes=$(($rsa_byteness - $MD_LEN - $ASN_LEN - 3))
 
# Attach the padding bytes:
for ((x=1; x< =$pkcs_pad_bytes; x++)); do
    pkcs+="FF"
done
 
# Attach the 00 separator between the padding and the ASN:
pkcs+="00"
 
# Attach the ASN ('magic' corresponding to the hash algo) :
pkcs+=$ASN
 
# Finally, attach the computed (from Data file) hash itself :
pkcs+=$hash
 
# Generate a Peh tape which will attempt to verify $rsa_sig against the pubkey,
# computing the expression $rsa_sig ^ PUB_E mod PUB_M and comparing to $pkcs.
# Outputs 'Valid' and returns Yes_Code (1) if and only if signature is valid.
tape=".$rsa_sig@Public-Op!.$pkcs={[Valid]QY}{[Invalid]QN}_"
 
# Execute the tape:
run_peh_tape $tape $rsa_width 3
 
# 'Belt and suspenders' -- test both output and return code:
# If verification succeeded, return code will be 1, and output 'Valid':
if [ $peh_code -eq $PEH_YES ] && [ "$peh_res" == "Valid" ]
then
    # Valid RSA signature:
    done_sig_valid
else
    # Signature was not valid:
    done_sig_bad
fi
# The end.

Public keys for use with Litmus are Peh tapes, and their format is illustrated here. Mine (converted from my GPG public key using, for the time being, PGPDump and a few minutes of elbow grease) appears below:


asciilifeform.peh:

(----------------------------------------------------------------------------)
( Public key converted from GPG key 17215D118B7239507FAFED98B98228A001ABFFC7 )
(----------------------------------------------------------------------------)
@RSA-Public-Modulus@
        .
        CDD49A674BAF76D3B73E25BC6DF66EF3ABEDDCA461D3CCB6416793E3437C7806562694
        73C2212D5FD5EED17AA067FEC001D8E76EC901EDEDF960304F891BD3CAD7F9A335D1A2
        EC37EABEFF3FBE6D3C726DC68E599EBFE5456EF19813398CD7D548D746A30AA47D4293
        968BFBAFCBF65A90DFFC87816FEE2A01E1DC699F4DDABB84965514C0D909D54FDA7062
        A2037B50B771C153D5429BA4BA335EAB840F9551E9CD9DF8BB4A6DC3ED1318FF3969F7
        B99D9FB90CAB968813F8AD4F9A069C9639A74D70A659C69C29692567CE863B88E191CC
        9535B91B417D0AF14BE09C78B53AF9C5F494BCF2C60349FFA93C81E817AC682F0055A6
        07BB56D6A281C1A04CEFE1
;
(----------------------------------------------------------------------------)
@RSA-Public-Exponent@
        .
        10001
;
LC
(----------------------------------------------------------------------------)
@Public-Op@
        (N is on stack) @RSA-Public-Exponent! @RSA-Public-Modulus! MX
;
(----------------------------------------------------------------------------)
@Algo@[GPG RSA];
(----------------------------------------------------------------------------)
@Owner@[asciilifeform <stas@loper-os.org>];
(----------------------------------------------------------------------------)
RC


Now verify the vpatch of this chapter and its signature using Litmus:

./litmus.sh asciilifeform.peh ffa_ch20_litmus.kv.vpatch.asciilifeform.sig ffa_ch20_litmus.kv.vpatch

... which should yield the output:

VALID GPG RSA signature from asciilifeform <stas@loper-os.org>

If you find that Litmus balks on your GPG signatures, ensure that SHA512 (the longest hash supported by old rotten GPG) is selected in your config (typically ~/.gnupg/gpg.conf) :

personal-digest-preferences SHA512
cert-digest-algo SHA512


In Chapter 21, we will discuss the astonishing ugliness of the GPG data format, and construct a means for semi-automatic conversion of traditional GPG public keys into the format used by Litmus.


~To be continued!~

This entry was written by Stanislav , posted on Monday January 06 2020 , filed under Ada, Bitcoin, Cold Air, Computation, Cryptography, FFA, Friends, Mathematics, SoftwareSucks . Bookmark the permalink . Post a comment below or leave a trackback: Trackback URL.

5 Responses to “"Finite Field Arithmetic." Chapter 20: "Litmus", a Peh-Powered Verifier for GPG Signatures.”

  • shinohai says:

    As requested in the logs earlier:

    (----------------------------------------------------------------------------)
    ( Public key converted from GPG key 260FA57BCE677A5C04BF60BA4A75883CC1B1D34C )
    (----------------------------------------------------------------------------)
    @RSA-Public-Modulus@
            .
    	CF091B05A7D56DC34BE591E868DAFF2520F6E554D35E5B8DC72CD5DE106BE09FE81A2B
    	9B16F47E666E9E992C48DB744AFBCDCDDEBBB88B16E770F4874908B29872A917581A40
    	405EC917A978275F283902B54DFCDC4325398D6B8071CF83B3C4445BDD57FCDF407BF4
    	05F9DB51CAEBF520B14A67CF06DB36BF4DD574E8FB8D7728B7A93943E473D585DE58AD
    	9C98EC6546D604E2ED6B63EAD38D1A38D001147A4F52C3B8DEF9426A03BF0DE6EBC539
    	427A0408683804501D3EB9C5C58A530A5E92C95F40B027F34F03F698890B2998BB5FFC
    	12B9BB786FE9E13CCB85799FFA5C509F1C20F8984710B9DC970728BB160017997F943D
    	2D6216D6971BC5091CCE05AB693915C8DD2D75B6B3490A93DD795D5104F50E18C16429
    	4E89EBF45C204FE6926D5ED45FC8A136134249002FD519C822DF2DF619DCCED7D90FB8
    	3F14C8F815F67C1A42348269F70E589296CC0165BAF5ACDD074E2B40CD828D52C8A29C
    	8C702027E3F72453710F7617430BFB3C1007950E5E3109ADAF83DED1A3C9508D28EF78
    	D2B6E3BE3FD002F6A4A0D05D0A76DA64329FDBA1DCD2AA5C9F70EF19E8B440B149DA09
    	B31272B5756E247ED70913CA6289BBEADF9104A6DAA40E208C948D04ABCD7DBED241BA
    	617765206331E101D483DF4AF0C6D4EA145D74B44C6C021ACB63313450D52D83F1F0DB
    	D04341ADB761C965D9550173C62FD833090D1ACC03A1
     
    ;
    (----------------------------------------------------------------------------)
    @RSA-Public-Exponent@
            .
            010001
    ;
    LC
    (----------------------------------------------------------------------------)
    @Public-Op@
            (N is on stack) @RSA-Public-Exponent! @RSA-Public-Modulus! MX
    ;
    (----------------------------------------------------------------------------)
    @Algo@[GPG RSA];
    (----------------------------------------------------------------------------)
    @Owner@[shinohai <btcinfo@sdf.org>];
    (----------------------------------------------------------------------------)
    RC
  • shinohai says:
    My signature for ffa_ch20_litmus.kv.vpatch

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEJg+le85nelwEv2C6SnWIPMGx00wFAl4XIKsACgkQSnWIPMGx
    00wXFQ//XTakWVvJx//m1dFoecITkO70yLig9H7XLk+f/Kaqp668IBN9T3RE6CBI
    S3SLZt2KjaYd1lSLA1e6KKsI9DSmb5vOeuy/HldOtBgJ+c0QItwWwbce+Fif9VwB
    hwjJW8+IZaVt1vH4a4uhb6+Fi9kTpKVTibmI6XB9FbPQKLdQXIPsq8u8ZBzXBp2Q
    4/C7UtjjxcRFjF0vtHU0UWNqdAlfDTRhvcRDdqF0ULbeIjqkyFoZsV0SodyZYNjC
    kem9dlGdv0sPD4XAk9C5trASS//0vgXE0Pi8JJCqCd4Rn8TFkCooCZ7u1hjCfHHo
    wlIskAXz5sGQKiKect5Ue0aKd5MZJpOjSeClxwnprzYCClfprpZBvUbwBKeNlMgi
    KxNZ3UbvZow8+RnZRYvo0u7gkrBMmQnHwWrp0EASKJriJL3zBuoVvvb24gzJu+3K
    ZsAFNHSQc7E3MH/jMPDfuF7vNOTXxJXechwBNp13LbXPHFDvmkSxikQiwK29kqe5
    5Njd6LAvT9lTpv9MQaQBJIeXLa16nVWrsq8jjTX5mHfG6gkDmw5G74zCA1S0iOFz
    8FvLuFZryED3RsHgU0TZ57NhVIsmhSf208VmuNAk8n/zcDuy/pUjTPobfogc9r6h
    r5To4cBf5/OP5/Adpt7IVvG2MKuB3d/msuILweqOcJb2h4jFYBc=
    =hw95
    -----END PGP SIGNATURE-----
  • photm says:


    # Ask the public key about the Owner:
    run_peh_tape "@Algo!QY" $MIN_PEH_WIDTH 1
    pubkey_algo=$peh_res

    # Ask the public key about Algo Type:
    run_peh_tape "@Owner!QY" $MIN_PEH_WIDTH 1
    pubkey_owner=$peh_res

    Should the comments be swapped?

Leave a Reply to Stanislav

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">


Please prove that you are human:

61 xor 11 = ?

What is the serial baud rate of the FG device ?

// Script to allow anchoring of user-selected content on html pages. // Original idea deployed by http://archive.today // Packaged for WordPress on http://trilema.com/2015/that-spiffy-selection-thing/