# Normal view

Before yesterdayNews from the Ada programming language world

# "Finite Field Arithmetic." Chapter 21A-Ter: Fix for a False Alarm in Ch.14; "Litmus" Errata.

4 December 2020 at 20:16

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch21a_ter_ch14_ch20_errata.kv.vpatch.

You should end up with the same directory structure as previously.

As of Chapter 21A-Ter, the versions of Peh and FFA are 250 and 199, respectively.

Now compile Peh:

```cd ffacalc
gprbuild```

But do not run it quite yet.

This Chapter concerns fixes for several flaws recently reported by a careful Finnish reader known only as cgra. Thank you, cgra!

Let's begin with his first find: a false alarm bug in Chapter 14B's implementation of Barrett's Modular Reduction. (Note that the proofs given in Ch.14A and Ch.14A-Bis presently stand; the bug exists strictly in the Ada program.)

Recall Step 5 of the algorithm given in Ch.14A :

For each new input X, to compute the reduction R := X mod M:

1. Xs := X >> JM
2. Z  := Xs × BM
3. Zs := Z >> SM
4. Q  := Zs × M
5. R  := X - Q
6. R  := R - M, C := Borrow
7. R  := R + (M × C)
8. R  := R - M, C := Borrow
9. R  := R + (M × C)
10. R  := R - (R × DM)
11. R is now equal to X mod M.

 ←2WM→ Ignore X ←WM - L→ ←WM + L→ ←2WM→ - Ignore Q ←WM - L→ ←WM + L→ = R ←WM + L→

... and finally, its implementation in Chapter 14B :

```   -- Reduce X using the given precomputed Barrettoid.
procedure FZ_Barrett_Reduce(X          : in     FZ;
Bar        : in     Barretoid;
XReduced   : in out FZ) is

..............................

-- R is made one Word longer than Modulus (see proof re: why)
Rl      : constant Indices := Ml + 1;

..............................

-- Barring cosmic ray, no underflow can take place in (4) and (5)
NoCarry : WZeroOrDie := 0;

begin

..............................

-- (5) R  := X - Q (we only need Rl-sized segments of X and Q here)
FZ_Sub(X => X(1 .. Rl), Y => Q(1 .. Rl),
Difference => R, Underflow => NoCarry);

..............................```

Even though we had demonstrated that Q ≤ X, the prohibition of a nonzero subtraction borrow in (5) is fallacious.

To illustrate: this Tape, on a 256-bit run of Peh :

`  .1 .FF LS .1 .3 MX # QY`

... will not print the expected answer to the given modular exponentiation, i.e.:

`  0000000000000000000000000000000000000000000000000000000000000002`

... with a Verdict of Yes; but instead will print nothing, and yield a Verdict of EGGOG. Specifically, Peh will halt at (5) via a Constraint_Error (range check failed), when the range of NoCarry's WZeroOrDie type is violated by an assignment of 1.

This is because -- early in this modular exponentiation's sequence of Barrett reductions -- and immediately prior to (5) :

```X == 0x40000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Q == 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF```

... but what will be actually computed in (5) is X(1 .. Rl) - Q(1 .. Rl), i.e.:

```  0x00000000000000000000000000000000000000000000000000000000000000000000000000000000 -
0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

=

1 (Underflow == 1)```

... that is, the borrow bit is legitimately 1, in this and in a number of other readily-constructed cases. The constraints we have demonstrated for X, Q, and R do not imply that a borrow will never occur in the subtraction at (5). Therefore, the intended cosmic ray detector is strictly a source of false alarms, and we will remove it:

```   -- Reduce X using the given precomputed Barrettoid.
procedure FZ_Barrett_Reduce(X          : in     FZ;
Bar        : in     Barretoid;
XReduced   : in out FZ) is

..............................

-- Borrow from Subtraction in (5) is meaningless, and is discarded
IgnoreC : WBool;
pragma Unreferenced(IgnoreC);

begin

..............................

-- (5) R  := X - Q (we only need Rl-sized segments of X and Q here)
FZ_Sub(X => X(1 .. Rl), Y => Q(1 .. Rl),
Difference => R, Underflow => IgnoreC); -- Borrow is discarded

..............................```

... and that's it.

Cgra's second find concerned the Ch.20 demo script, Litmus. He had discovered that two mutually-canceling bugs exist in the program. Specifically, in :

```
..................

# Hashed Section Length
get_sig_bytes 2
turd+=\$r
hex_to_int
sig_hashed_len=\$r

# Hashed Section (typically: timestamp)
get_sig_bytes \$sig_hashed_len
turd+=\$r
sig_hashed=\$r

# Unhashed Section Length
get_sig_bytes 1
hex_to_int
sig_unhashed_len=\$r

get_sig_bytes \$sig_unhashed_len

..................
..................

# RSA Packet Length (how many bytes to read)
get_sig_bytes 1
hex_to_int
rsa_packet_len=\$r

# The RSA Packet itself
get_sig_bytes \$rsa_packet_len
rsa_packet=\$r

# Digest Prefix (2 bytes)
get_sig_bytes 2
digest_prefix=\$r

..................```

... the Unhashed Section Length is erroneously treated as a 1-byte field, whereas in reality the GPG format gives 2 bytes. The script only worked (on all inputs tested to date) on account of the presence of the superfluous routine (RSA Packet reader, which remained from an early version of the demo!); in all of the test cases to date, the second byte of the Unhashed Section Length (and the unhashed section in its entirety, for so long as it does not exceed 255 bytes in length -- which it appears to never do) are consumed by get_sig_bytes \$rsa_packet_len.

I am almost pleased that I had made this mistake; it is in fact a better illustration of programs which operate correctly despite erroneous logic -- as well as the unsuitability of shell script as a language for nontrivial tasks -- than anything I could readily unearth in the open literature.

And the fix is readily obvious :

```
..................

# Hashed Section Length
get_sig_bytes 2
turd+=\$r
hex_to_int
sig_hashed_len=\$r

# Hashed Section (typically: timestamp)
get_sig_bytes \$sig_hashed_len
turd+=\$r
sig_hashed=\$r

# Unhashed Section Length
get_sig_bytes 2
hex_to_int
sig_unhashed_len=\$r

get_sig_bytes \$sig_unhashed_len

..................
..................

# Digest Prefix (2 bytes)
get_sig_bytes 2
digest_prefix=\$r

..................```

I also incorporated cgra's earlier suggestion regarding error checking. Thank you again, cgra!

And that's it for Litmus, presently.

~ The next Chapter, 21B, will (yes!) continue the Extended-GCD sequence of Chapter 21A. ~
• 4 December 2020 at 20:16

# "Finite Field Arithmetic." Chapter 20D: "Litmus" Errata: Support for Nested Clearsigned Texts.

14 January 2020 at 18:48

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20d_litmus_nested_fix.kv.vpatch.

As of Chapter 20D, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

```cd ffacalc
gprbuild```

... and install it to a path visible in your shell (e.g. /usr/bin.)

Litmus as given in the previous chapter would choke (failing safe, i.e. rejecting the signature) when fed "nested" clearsigned texts. This bug has been fixed:

```# 'ASCII-Armoured' PGP signatures have mandatory start and end markers:
START_MARKER="^\-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-"
END_MARKER="^\-\-\-\-\-END PGP SIGNATURE\-\-\-\-\-"

.......

CLEAR_MARKER="^\-\-\-\-\-BEGIN PGP SIGNED MESSAGE\-\-\-\-\-"

.......```

To test, invoke Litmus with two arguments: the public key, followed by the input file:

```-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is a test-fire GPG 'clearsigned' document written for
FFA Chapter 20C.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCgAGBQJeGimSAAoJELmCKKABq//HfgsH/1bg0zpL1PoApHE5BMNXmJ7U
7vWKQJ3ZCsGvkUSIgIZESTp6EpGDclBQqvBsdBZ9KVnBpGiIbmKbNjDNlZU5YcWt
MCZXkR6Lfd3rYKHcySOEvkoCMQ4ytbEQM4IBE57AqQIpmnI7Mo1033TnDgL2KdXd
PHLtedNyaKwzVJw08BtKjzole130GvElSMmxilrHZ0w+2J4uHRuBELyZbJ55vu+x
Bx+Q5OpMwz0ZG4vjz8ncZE/nCvK/sZv/RXsdNow95fETH5DKC9HfIP279kKlBRg=
=3ozu
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCgAGBQJeHgg9AAoJELmCKKABq//HHywH/3cfUfV8SH2yuxHNBPmk3Yha
Nw/40YK52/DJ/H+RUY6Zei2X3tJPYe3vDN2P3iRqKBycpUPtNnCDaF3BAvg7cyRQ
PghpykoSeERxIQZaIQWTUyMQRBwoMF90wiQpcgCEXRH3xZo/p0M3M6zPrqKElXf4
essZmM3jsvfU9T8JGho0RPyK1J42fTBCiRb0Y++ZQGWVEwJugtVnQOL76fYmSUpW
vDBKgNJfvGOMNTCTLemqD2nn6DZzLN9TOrRlmLvfr0lbzu9rSGAMtRKqozhZeCXf
LiTWWVZkCUGr/SEk5olhbHQnfoYMH1V071qJnpv1/5QqIiZ1z2KbP65Ba/i3i0A=
=o/9T
-----END PGP SIGNATURE-----```

`./litmus.sh asciilifeform.peh asciilifeform-clearsigned-twice.txt`

... which will yield the output:

`VALID GPG RSA signature from asciilifeform <[email protected]>`

Naturally, no verification is performed on the embedded clearsigned text (just as in traditional GPG. If you want to operate on the embedded text, you must extract it.)

~To be continued!~

• 14 January 2020 at 18:48

# "Finite Field Arithmetic." Chapter 20B: Support for Selected Ancient Hash Algos in "Litmus."

7 January 2020 at 20:51

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20b_litmus_legacy_hashes.kv.vpatch.

As of Chapter 20B, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

```cd ffacalc
gprbuild```

... and install it to a path visible in your shell (e.g. /usr/bin.)

In the course of experimenting with the subject of the previous Chapter, I found that a number of current and past Vtronicists had misconfigured their GPG, and emit suboptimal signatures (i.e. not SHA-512, the strongest of the ancient hashes supported by that utility). And so I added support for these. (Litmus will emit a warning if such a signature is encountered.)

The following routine has been added to Litmus:

```# If Sig was made with an unsupported hash algo:
eggog_unsupported_hash() {
algo=\$1
echo "This sig uses an unsupported Digest Algo: \$1 !" >&2
exit \$RET_EGGOG
}

.......

# Warnings:
achtung() {
echo "WARNING: \$1" >&2
}

.......

# Digest Algo (only certain hash algos are supported)
get_sig_bytes 1
turd+=\$r
hex_to_int
sig_digest_algo=\$r

# If hash algo is supported, get ASN turd and MD_LEN; and if not, eggog:
case \$sig_digest_algo in
1)  ## MD5 -- NOT SUPPORTED ##
eggog_unsupported_hash "MD5"
;;

2)  ## SHA1 ##
achtung "This sig was made with SHA-1, which is cheaply breakable!"
HASHER="shasum -a 1 -b"
ASN="3021300906052b0e03021a05000414"
MD_LEN=20
;;

3)  ## RIPE-MD/160 -- NOT SUPPORTED ##
eggog_unsupported_hash "RIPE-MD/160"
;;

8)  ## SHA256 ##
achtung "This sig was made with SHA-256; GPG supports SHA-512."
HASHER="shasum -a 256 -b"
ASN="3031300d060960864801650304020105000420"
MD_LEN=32
;;

9)  ## SHA384 ##
achtung "This sig was made with SHA-384; GPG supports SHA-512."
HASHER="shasum -a 384 -b"
ASN="3041300d060960864801650304020205000430"
MD_LEN=48
;;

10) ## SHA512 ##
HASHER="shasum -a 512 -b"
ASN="3051300D060960864801650304020305000440"
MD_LEN=64 # 512 / 8 == 64 bytes
;;

11) ## SHA224 ##
achtung "This sig was made with SHA-224; GPG supports SHA-512."
HASHER="shasum -a 224 -b"
ASN="302D300d06096086480165030402040500041C"
MD_LEN=28
;;

*)  ## Unknown Digest Type ##
eggog_unsupported_hash "UNKNOWN (type \$sig_digest_algo)"
;;
esac

# Calculate length (bytes) of the ASN turd for the digest used in the sig:
ASN_LEN=\$((\${#ASN} / 2))

.......```

To test, for instance, verification of SHA-1 signatures (please stop using SHA-1, people! see e.g. here), download this Litmus-converted GPG public key of former contributor Diana Coman, and verify her signature of Chapter 1:

`./litmus.sh diana_coman.peh ffa_ch1_genesis.kv.vpatch.diana_coman.sig ffa_ch1_genesis.kv.vpatch`

... which will yield the output:

```WARNING: This sig was made with SHA-1, which is cheaply breakable!
VALID GPG RSA signature from Diana Coman <[email protected]>```

~To be continued!~

• 7 January 2020 at 20:51

# "Finite Field Arithmetic." Chapter 20: "Litmus", a Peh-Powered Verifier for GPG Signatures.

6 January 2020 at 20:54

This article is part of a series of hands-on tutorials introducing FFA, or the Finite Field Arithmetic library. FFA differs from the typical "Open Sores" abomination, in that -- rather than trusting the author blindly with their lives -- prospective users are expected to read and fully understand every single line. In exactly the same manner that you would understand and pack your own parachute. The reader will assemble and test a working FFA with his own hands, and at the same time grasp the purpose of each moving part therein.

You will need:

Add the above vpatches and seals to your V-set, and press to ffa_ch20_litmus.kv.vpatch.

As of Chapter 20, the versions of Peh and FFA are 250 and 253, respectively. FFA and Peh themselves have not changed from Chapter 19.

Compile Peh:

```cd ffacalc
gprbuild```

... and install it to a path visible in your shell (e.g. /usr/bin.)

The subject of this chapter is Litmus: a simple and practical demonstration program powered by Peh. It is expected to work on all reasonable Unix-like systems, so long as the required command-line utilities (see EXTERNALS) are present.

Litmus verifies traditional GPG public key signatures (presently, only of the "detached" type, with RSA and SHA512 hash -- the optimal knob settings available in GPG) and is suitable for use in e.g. Vtronics.

The source code of Litmus appears below in its entirety:

```#!/bin/sh

############################################################################
# 'Litmus' Utility. Verifies traditional GPG RSA signatures using Peh.     #
#                                                                          #
# Usage: ./litmus.sh publickey.peh signature.sig datafile                  #
#                                                                          #
# Currently, supports only RSA 'detached' signatures that use SHA512 hash. #
# See instructions re: converting traditional GPG public keys for use with #
# this program.                                                            #
#                                                                          #
# Peh, xxd, hexdump, shasum, and a number of common utils (see EXTERNALS)  #
# must be present on your machine.                                         #
#                                                                          #
# (C) 2020 Stanislav Datskovskiy ( www.loper-os.org )                      #
# http://wot.deedbot.org/17215D118B7239507FAFED98B98228A001ABFFC7.html     #
#                                                                          #
# You do not have, nor can you ever acquire the right to use, copy or      #
# distribute this software ; Should you use this software for any purpose, #
# or copy and distribute it to anyone or in any manner, you are breaking   #
# the laws of whatever soi-disant jurisdiction, and you promise to         #
# continue doing so for the indefinite future. In any case, please         #
# always : read and understand any software ; verify any PGP signatures    #
# that you use - for any purpose.                                          #
############################################################################

# External programs that are required (if not found, will eggog) :
EXTERNALS="peh xxd hexdump base64 shasum cut tr sed wc grep printf"

# Return Codes:

# Signature is VALID for given Sig, Data File, and Public Key:
RET_VALID_SIG=0

# Signature is INVALID:

# All Other Cases:
RET_EGGOG=-1

# Terminations:

# Success (Valid RSA signature) :
done_sig_valid() {
echo "VALID \$pubkey_algo signature from \$pubkey_owner"
exit \$RET_VALID_SIG
}

# Failure (INVALID RSA signature) :
echo "Signature is INVALID for this public key and input file!"
}

# Failure in decoding 'GPG ASCII armour' :
eggog_sig_armour() {
echo "\$SIGFILE could not decode as a GPG ASCII-Armoured Signature!" >&2
exit \$RET_EGGOG
}

# Failure from corrupt signature :
eggog_sig_corrupt() {
echo "\$SIGFILE is corrupt!" >&2
exit \$RET_EGGOG
}

# Failure from bad Peh :
eggog_peh() {
echo "EGGOG in executing Peh tape! Please check Public Key." >&2
exit \$RET_EGGOG
}

# Number of Arguments required by this program:
REQD_ARGS=3

# If invalid arg count, print usage and abort:
if [ "\$#" -ne \$REQD_ARGS ]; then
echo "Usage: \$0 publickey.peh signature.sig datafile"
exit \$RET_EGGOG
fi

# We only support SHA512. Parameters for it:
HASHER="shasum -a 512 -b"

# For 'PKCS' encoding, the ASN magic turd corresponding to SHA512:
ASN="3051300D060960864801650304020305000440"
ASN_LEN=\$((\${#ASN} / 2))
MD_LEN=64 # 512 / 8 == 64 bytes

# Minimal Peh Width (used for non-arithmetical ops, e.g. 'Owner')
MIN_PEH_WIDTH=256

# The given public key file (a Peh tape, see docs)
PUBFILE=\$1

# The given Detached GPG Signature file to be verified
SIGFILE=\$2

# The given Data file to be verified against the Signature
DATAFILE=\$3

# Verify that each of the given input files exists:
FILES=(\$PUBFILE \$SIGFILE \$DATAFILE)
for f in \${FILES[@]}; do
if ! [ -f \$f ]; then
echo "\$f does not exist!" >&2
exit \$RET_EGGOG
fi
done

# Calculate length of the pubkey file:
PUBFILE_LEN=\$(wc -c \$PUBFILE | cut -d ' ' -f1)

# Peh's Return Codes
PEH_YES=1
PEH_NO=0
PEH_MU=255
PEH_EGGOG=254

# Execute given Peh tape, with given FFA Width and Height,
# on top of the pubkey tape; returns output in \$peh_res and \$peh_code.
run_peh_tape() {
# The tape itself
tape=\$1

# FFA Width for the tape
peh_width=\$2

# FFA Stack Height for the tape
peh_height=\$3

# Compute the length of the given tape
tape_len=\${#tape}

# Add the length of the Public Key tape to the above
tape_len=\$((\$tape_len + \$PUBFILE_LEN))

# Max Peh Life for all such tapes
peh_life=\$((\$tape_len * 2))

# Execute the tape:
peh_res=\$((cat \$PUBFILE; echo \$tape) |
peh \$peh_width \$peh_height \$tape_len \$peh_life);
peh_code=\$?

# # If Peh returned PEH_EGGOG:
if [ \$peh_code -eq \$PEH_EGGOG ]
then
# Abort: likely, coarse error of pilotage in the public key tape.
eggog_peh
fi
}

run_peh_tape "@Algo!QY" \$MIN_PEH_WIDTH 1
pubkey_algo=\$peh_res

run_peh_tape "@Owner!QY" \$MIN_PEH_WIDTH 1
pubkey_owner=\$peh_res

# The only supported algo is GPG RSA:
if [ "\$pubkey_algo" != "GPG RSA" ]
then
echo "This public key specifies algo '\$pubkey_algo';" >&2
echo "The only algo supported is 'GPG RSA' !" >&2
exit \$RET_EGGOG
fi

# Verify that all of the necessary external programs in fact exist:
for i in \$EXTERNALS
do
command -v \$i >/dev/null && continue ||
exit \$RET_EGGOG; }
done

# 'ASCII-Armoured' PGP signatures have mandatory start and end markers:
START_MARKER="-----BEGIN PGP SIGNATURE-----"
END_MARKER="-----END PGP SIGNATURE-----"

# Determine start and end line positions for payload:
start_ln=\$(grep -m 1 -n "\$START_MARKER" \$SIGFILE | cut -d ':' -f1)
end_ln=\$(grep -m 1 -n "\$END_MARKER" \$SIGFILE | cut -d ':' -f1)

# Both start and end markers must exist :
if [ "\$start_ln" == "" ] || [ "\$end_ln" == "" ]
then
echo "\$SIGFILE does not contain ASCII-armoured PGP Signature!" >&2
exit \$RET_EGGOG
fi

start_ln=\$((\$start_ln + 1))
end_ln=\$((\$end_ln - 1))

# If there is no payload, or the markers are misplaced, abort:
if [ \$start_ln -ge \$end_ln ]
then
eggog_sig_armour
fi

sig_payload=\$(sed -n "\$start_ln,\$end_ln p" < \$SIGFILE |
sed -n "/^Version/!p" | sed -n "/^=/!p" | tr -d " tnr")

# If eggog -- abort:
if [ \$? -ne 0 ]
then
eggog_sig_armour
fi

# Obtain the sig bytes:
sig_bytes=(\$(echo \$sig_payload | base64 -d | hexdump -ve '1/1 "%.2x "'))

# If eggog -- abort:
if [ \$? -ne 0 ]
then
eggog_sig_armour
fi

# Number of bytes in the sig file
sig_len=\${#sig_bytes[@]}

# Test that certain fields in the Sig have their mandatory value
sig_field_mandatory() {
f_name=\$1
f_value=\$2
f_mandate=\$3
if [ "\$f_value" != "\$f_mandate" ]
then
reason="\$f_name must equal \$f_mandate; instead is \$f_value."
echo "\$SIGFILE is UNSUPPORTED : \$reason" >&2
echo "Only RSA and SHA512 hash are supported !" >&2
exit \$RET_EGGOG
fi
}

# Starting Position for get_sig_bytes()
sig_pos=0

# Extract given # of sig bytes from the current sig_pos; advance sig_pos.
get_sig_bytes() {
# Number of bytes requested
count=\$1

# Result: \$count bytes from current \$sig_pos (contiguous hex string)
r=\$(echo \${sig_bytes[@]:\$sig_pos:\$count} | sed "s/ //g" | tr 'a-z' 'A-Z')

sig_pos=\$((\$sig_pos + \$count))

# If more bytes were requested than were available in sig_bytes:
if [ \$sig_pos -gt \$sig_len ]
then
# Abort. The signature was mutilated somehow.
eggog_sig_corrupt
fi
}

# Convert the current sig component to integer
hex_to_int() {
r=\$((16#\$r))
}

# Turd to be composed of certain values from the sig, per RFC4880.
# Final hash will run on the concatenation of DATAFILE and this turd.
turd=""

## Parse all of the necessary fields in the GPG Signature:

# CTB (must equal 0x89)
get_sig_bytes 1
sig_ctb=\$r
sig_field_mandatory "Version" \$sig_ctb 89

# Length
get_sig_bytes 2
hex_to_int
sig_length=\$r

# Version (only Version 4 -- what GPG 1.4.x outputs -- is supported)
get_sig_bytes 1
turd+=\$r
sig_version=\$r
sig_field_mandatory "Version" \$sig_version 04

# Class (only class 0 is supported)
get_sig_bytes 1
turd+=\$r
sig_class=\$r
sig_field_mandatory "Class" \$sig_class 00

# Public Key Algo (only RSA is supported)
get_sig_bytes 1
turd+=\$r
sig_pk_algo=\$r
sig_field_mandatory "Public Key Algo" \$sig_pk_algo 01

# Digest Algo (only SHA512 is supported)
get_sig_bytes 1
turd+=\$r
sig_digest_algo=\$r
sig_field_mandatory "Digest Algo" \$sig_digest_algo 0A

# Hashed Section Length
get_sig_bytes 2
turd+=\$r
hex_to_int
sig_hashed_len=\$r

# Hashed Section (typically: timestamp)
get_sig_bytes \$sig_hashed_len
turd+=\$r
sig_hashed=\$r

# Unhashed Section Length
get_sig_bytes 1
hex_to_int
sig_unhashed_len=\$r

get_sig_bytes \$sig_unhashed_len

# Compute Byte Length of Hashed Header (for last field)

# Final section of the hashed turd (not counted in hashed_header_len)
turd+=\$sig_version
turd+="FF"

# Compute the hash of data file and the hashed appendix from sig :
hash=\$((cat \$DATAFILE; xxd -r -p < << \$turd) | \$HASHER | cut -d ' ' -f1)
# Convert to upper case
hash=\$(echo \$hash | tr 'a-z' 'A-Z')

# Parse the RSA Signature portion of the Sig file:

# RSA Packet Length (how many bytes to read)
get_sig_bytes 1
hex_to_int
rsa_packet_len=\$r

# The RSA Packet itself
get_sig_bytes \$rsa_packet_len
rsa_packet=\$r

# Digest Prefix (2 bytes)
get_sig_bytes 2
digest_prefix=\$r

# See whether it matches the first two bytes of the actual computed hash :
computed_prefix=\$(printf "%.4s" \$hash)

if [ "\$digest_prefix" != "\$computed_prefix" ]
then
# It didn't match, so we can return 'bad signature' immediately:
fi

# If prefix matched, we will proceed to do the actual RSA operation.

# RSA Bitness given in Sig
get_sig_bytes 2
hex_to_int
rsa_bitness=\$r

# Compute RSA Byteness from the above
rsa_byteness=\$(((\$rsa_bitness + 7) / 8))

# RSA Bitness for use in determining required Peh width:
rsa_width=\$((\$rsa_byteness * 8))

# Only traditional GPG RSA widths are supported:
if [ \$rsa_width != 2048 ] && [ \$rsa_width != 4096 ] && [ \$rsa_width != 8192 ]
then
reason="Only 2048, 4096, and 8192-bit RSA are supported."
echo "\$SIGFILE is UNSUPPORTED : \$reason" >&2
exit \$RET_EGGOG
fi

# RSA Signature per se (final item read from sig file)
get_sig_bytes \$rsa_byteness
rsa_sig=\$r

# Per RFC4880, 'PKCS' encoding of hash is as follows:
# 0 1 [PAD] 0 [ASN] [MD]

# First two bytes of PKCS-encoded hash will always be 00 01 :
pkcs="0001"

# Compute necessary number of padding FF bytes :
pkcs_pad_bytes=\$((\$rsa_byteness - \$MD_LEN - \$ASN_LEN - 3))

for ((x=1; x< =\$pkcs_pad_bytes; x++)); do
pkcs+="FF"
done

# Attach the 00 separator between the padding and the ASN:
pkcs+="00"

# Attach the ASN ('magic' corresponding to the hash algo) :
pkcs+=\$ASN

# Finally, attach the computed (from Data file) hash itself :
pkcs+=\$hash

# Generate a Peh tape which will attempt to verify \$rsa_sig against the pubkey,
# computing the expression \$rsa_sig ^ PUB_E mod PUB_M and comparing to \$pkcs.
# Outputs 'Valid' and returns Yes_Code (1) if and only if signature is valid.
tape=".\$rsa_sig@Public-Op!.\$pkcs={[Valid]QY}{[Invalid]QN}_"

# Execute the tape:
run_peh_tape \$tape \$rsa_width 3

# 'Belt and suspenders' -- test both output and return code:
# If verification succeeded, return code will be 1, and output 'Valid':
if [ \$peh_code -eq \$PEH_YES ] && [ "\$peh_res" == "Valid" ]
then
# Valid RSA signature:
done_sig_valid
else
# Signature was not valid:
fi
# The end.```

Public keys for use with Litmus are Peh tapes, and their format is illustrated here. Mine (converted from my GPG public key using, for the time being, PGPDump and a few minutes of elbow grease) appears below:

```(----------------------------------------------------------------------------)
( Public key converted from GPG key 17215D118B7239507FAFED98B98228A001ABFFC7 )
(----------------------------------------------------------------------------)
@RSA-Public-Modulus@
.
CDD49A674BAF76D3B73E25BC6DF66EF3ABEDDCA461D3CCB6416793E3437C7806562694
EC37EABEFF3FBE6D3C726DC68E599EBFE5456EF19813398CD7D548D746A30AA47D4293
968BFBAFCBF65A90DFFC87816FEE2A01E1DC699F4DDABB84965514C0D909D54FDA7062
A2037B50B771C153D5429BA4BA335EAB840F9551E9CD9DF8BB4A6DC3ED1318FF3969F7
9535B91B417D0AF14BE09C78B53AF9C5F494BCF2C60349FFA93C81E817AC682F0055A6
07BB56D6A281C1A04CEFE1
;
(----------------------------------------------------------------------------)
@RSA-Public-Exponent@
.
10001
;
LC
(----------------------------------------------------------------------------)
@Public-Op@
(N is on stack) @RSA-Public-Exponent! @RSA-Public-Modulus! MX
;
(----------------------------------------------------------------------------)
@Algo@[GPG RSA];
(----------------------------------------------------------------------------)
@Owner@[asciilifeform <[email protected]>];
(----------------------------------------------------------------------------)
RC```

Now verify the vpatch of this chapter and its signature using Litmus:

`./litmus.sh asciilifeform.peh ffa_ch20_litmus.kv.vpatch.asciilifeform.sig ffa_ch20_litmus.kv.vpatch`

... which should yield the output:

`VALID GPG RSA signature from asciilifeform <[email protected]>`

If you find that Litmus balks on your GPG signatures, ensure that SHA512 (the longest hash supported by old rotten GPG) is selected in your config (typically ~/.gnupg/gpg.conf) :

```personal-digest-preferences SHA512
cert-digest-algo SHA512```

In Chapter 21, we will discuss the astonishing ugliness of the GPG data format, and construct a means for semi-automatic conversion of traditional GPG public keys into the format used by Litmus.

~To be continued!~

• 6 January 2020 at 20:54