@protontech/openpgp 4.10.5 → 5.3.1

package/src/crypto/ocb.js

@@ -1,274 +0,0 @@
-// OpenPGP.js - An OpenPGP implementation in javascript
-// Copyright (C) 2018 ProtonTech AG
-//
-// This library is free software; you can redistribute it and/or
-// modify it under the terms of the GNU Lesser General Public
-// License as published by the Free Software Foundation; either
-// version 3.0 of the License, or (at your option) any later version.
-//
-// This library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public
-// License along with this library; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-/**
- * @fileoverview This module implements AES-OCB en/decryption.
- * @requires crypto/cipher
- * @requires util
- * @module crypto/ocb
- */
-
-import ciphers from './cipher';
-import util from '../util';
-
-
-const blockLength = 16;
-const ivLength = 15;
-
-// https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2:
-// While OCB [RFC7253] allows the authentication tag length to be of any
-// number up to 128 bits long, this document requires a fixed
-// authentication tag length of 128 bits (16 octets) for simplicity.
-const tagLength = 16;
-
-
-function ntz(n) {
-  let ntz = 0;
-  for (let i = 1; (n & i) === 0; i <<= 1) {
-    ntz++;
-  }
-  return ntz;
-}
-
-function xorMut(S, T) {
-  for (let i = 0; i < S.length; i++) {
-    S[i] ^= T[i];
-  }
-  return S;
-}
-
-function xor(S, T) {
-  return xorMut(S.slice(), T);
-}
-
-const zeroBlock = new Uint8Array(blockLength);
-const one = new Uint8Array([1]);
-
-/**
- * Class to en/decrypt using OCB mode.
- * @param  {String}     cipher      The symmetric cipher algorithm to use e.g. 'aes128'
- * @param  {Uint8Array} key         The encryption key
- */
-async function OCB(cipher, key) {
-
-  let maxNtz = 0;
-  let encipher;
-  let decipher;
-  let mask;
-
-  constructKeyVariables(cipher, key);
-
-  function constructKeyVariables(cipher, key) {
-    const aes = new ciphers[cipher](key);
-    encipher = aes.encrypt.bind(aes);
-    decipher = aes.decrypt.bind(aes);
-
-    const mask_x = encipher(zeroBlock);
-    const mask_$ = util.double(mask_x);
-    mask = [];
-    mask[0] = util.double(mask_$);
-
-
-    mask.x = mask_x;
-    mask.$ = mask_$;
-  }
-
-  function extendKeyVariables(text, adata) {
-    const newMaxNtz = util.nbits(Math.max(text.length, adata.length) / blockLength | 0) - 1;
-    for (let i = maxNtz + 1; i <= newMaxNtz; i++) {
-      mask[i] = util.double(mask[i - 1]);
-    }
-    maxNtz = newMaxNtz;
-  }
-
-  function hash(adata) {
-    if (!adata.length) {
-      // Fast path
-      return zeroBlock;
-    }
-
-    //
-    // Consider A as a sequence of 128-bit blocks
-    //
-    const m = adata.length / blockLength | 0;
-
-    const offset = new Uint8Array(blockLength);
-    const sum = new Uint8Array(blockLength);
-    for (let i = 0; i < m; i++) {
-      xorMut(offset, mask[ntz(i + 1)]);
-      xorMut(sum, encipher(xor(offset, adata)));
-      adata = adata.subarray(blockLength);
-    }
-
-    //
-    // Process any final partial block; compute final hash value
-    //
-    if (adata.length) {
-      xorMut(offset, mask.x);
-
-      const cipherInput = new Uint8Array(blockLength);
-      cipherInput.set(adata, 0);
-      cipherInput[adata.length] = 0b10000000;
-      xorMut(cipherInput, offset);
-
-      xorMut(sum, encipher(cipherInput));
-    }
-
-    return sum;
-  }
-
-  /**
-   * Encrypt/decrypt data.
-   * @param  {encipher|decipher} fn   Encryption/decryption block cipher function
-   * @param  {Uint8Array} text        The cleartext or ciphertext (without tag) input
-   * @param  {Uint8Array} nonce       The nonce (15 bytes)
-   * @param  {Uint8Array} adata       Associated data to sign
-   * @returns {Promise<Uint8Array>}    The ciphertext or plaintext output, with tag appended in both cases
-   */
-  function crypt(fn, text, nonce, adata) {
-    //
-    // Consider P as a sequence of 128-bit blocks
-    //
-    const m = text.length / blockLength | 0;
-
-    //
-    // Key-dependent variables
-    //
-    extendKeyVariables(text, adata);
-
-    //
-    // Nonce-dependent and per-encryption variables
-    //
-    //    Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N
-    // Note: We assume here that tagLength mod 16 == 0.
-    const paddedNonce = util.concatUint8Array([zeroBlock.subarray(0, ivLength - nonce.length), one, nonce]);
-    //    bottom = str2num(Nonce[123..128])
-    const bottom = paddedNonce[blockLength - 1] & 0b111111;
-    //    Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6))
-    paddedNonce[blockLength - 1] &= 0b11000000;
-    const kTop = encipher(paddedNonce);
-    //    Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72])
-    const stretched = util.concatUint8Array([kTop, xor(kTop.subarray(0, 8), kTop.subarray(1, 9))]);
-    //    Offset_0 = Stretch[1+bottom..128+bottom]
-    const offset = util.shiftRight(stretched.subarray(0 + (bottom >> 3), 17 + (bottom >> 3)), 8 - (bottom & 7)).subarray(1);
-    //    Checksum_0 = zeros(128)
-    const checksum = new Uint8Array(blockLength);
-
-    const ct = new Uint8Array(text.length + tagLength);
-
-    //
-    // Process any whole blocks
-    //
-    let i;
-    let pos = 0;
-    for (i = 0; i < m; i++) {
-      // Offset_i = Offset_{i-1} xor L_{ntz(i)}
-      xorMut(offset, mask[ntz(i + 1)]);
-      // C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i)
-      // P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i)
-      ct.set(xorMut(fn(xor(offset, text)), offset), pos);
-      // Checksum_i = Checksum_{i-1} xor P_i
-      xorMut(checksum, fn === encipher ? text : ct.subarray(pos));
-
-      text = text.subarray(blockLength);
-      pos += blockLength;
-    }
-
-    //
-    // Process any final partial block and compute raw tag
-    //
-    if (text.length) {
-      // Offset_* = Offset_m xor L_*
-      xorMut(offset, mask.x);
-      // Pad = ENCIPHER(K, Offset_*)
-      const padding = encipher(offset);
-      // C_* = P_* xor Pad[1..bitlen(P_*)]
-      ct.set(xor(text, padding), pos);
-
-      // Checksum_* = Checksum_m xor (P_* || 1 || new Uint8Array(127-bitlen(P_*)))
-      const xorInput = new Uint8Array(blockLength);
-      xorInput.set(fn === encipher ? text : ct.subarray(pos, -tagLength), 0);
-      xorInput[text.length] = 0b10000000;
-      xorMut(checksum, xorInput);
-      pos += text.length;
-    }
-    // Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
-    const tag = xorMut(encipher(xorMut(xorMut(checksum, offset), mask.$)), hash(adata));
-
-    //
-    // Assemble ciphertext
-    //
-    // C = C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN]
-    ct.set(tag, pos);
-    return ct;
-  }
-
-
-  return {
-    /**
-     * Encrypt plaintext input.
-     * @param  {Uint8Array} plaintext   The cleartext input to be encrypted
-     * @param  {Uint8Array} nonce       The nonce (15 bytes)
-     * @param  {Uint8Array} adata       Associated data to sign
-     * @returns {Promise<Uint8Array>}    The ciphertext output
-     */
-    encrypt: async function(plaintext, nonce, adata) {
-      return crypt(encipher, plaintext, nonce, adata);
-    },
-
-    /**
-     * Decrypt ciphertext input.
-     * @param  {Uint8Array} ciphertext  The ciphertext input to be decrypted
-     * @param  {Uint8Array} nonce       The nonce (15 bytes)
-     * @param  {Uint8Array} adata       Associated data to sign
-     * @returns {Promise<Uint8Array>}    The ciphertext output
-     */
-    decrypt: async function(ciphertext, nonce, adata) {
-      if (ciphertext.length < tagLength) throw new Error('Invalid OCB ciphertext');
-
-      const tag = ciphertext.subarray(-tagLength);
-      ciphertext = ciphertext.subarray(0, -tagLength);
-
-      const crypted = crypt(decipher, ciphertext, nonce, adata);
-      // if (Tag[1..TAGLEN] == T)
-      if (util.equalsUint8Array(tag, crypted.subarray(-tagLength))) {
-        return crypted.subarray(0, -tagLength);
-      }
-      throw new Error('Authentication tag mismatch');
-    }
-  };
-}
-
-
-/**
- * Get OCB nonce as defined by {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2|RFC4880bis-04, section 5.16.2}.
- * @param  {Uint8Array} iv           The initialization vector (15 bytes)
- * @param  {Uint8Array} chunkIndex   The chunk index (8 bytes)
- */
-OCB.getNonce = function(iv, chunkIndex) {
-  const nonce = iv.slice();
-  for (let i = 0; i < chunkIndex.length; i++) {
-    nonce[7 + i] ^= chunkIndex[i];
-  }
-  return nonce;
-};
-
-OCB.blockLength = blockLength;
-OCB.ivLength = ivLength;
-OCB.tagLength = tagLength;
-
-export default OCB;

package/src/crypto/pkcs1.js

@@ -1,170 +0,0 @@
-// GPG4Browsers - An OpenPGP implementation in javascript
-// Copyright (C) 2011 Recurity Labs GmbH
-//
-// This library is free software; you can redistribute it and/or
-// modify it under the terms of the GNU Lesser General Public
-// License as published by the Free Software Foundation; either
-// version 3.0 of the License, or (at your option) any later version.
-//
-// This library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public
-// License along with this library; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-/**
- * @fileoverview Provides EME-PKCS1-v1_5 encoding and decoding and EMSA-PKCS1-v1_5 encoding function
- * @see module:crypto/public_key/rsa
- * @see module:crypto/public_key/elliptic/ecdh
- * @see module:packet.PublicKeyEncryptedSessionKey
- * @requires crypto/random
- * @requires crypto/hash
- * @requires util
- * @module crypto/pkcs1
- */
-
-import random from './random';
-import hash from './hash';
-import util from '../util';
-
-/** @namespace */
-const eme = {};
-/** @namespace */
-const emsa = {};
-
-/**
- * ASN1 object identifiers for hashes
- * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.2}
- */
-const hash_headers = [];
-hash_headers[1] = [0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04,
-  0x10];
-hash_headers[2] = [0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14];
-hash_headers[3] = [0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14];
-hash_headers[8] = [0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
-  0x04, 0x20];
-hash_headers[9] = [0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00,
-  0x04, 0x30];
-hash_headers[10] = [0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
-  0x00, 0x04, 0x40];
-hash_headers[11] = [0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,
-  0x00, 0x04, 0x1C];
-
-/**
- * Create padding with secure random data
- * @private
- * @param  {Integer} length Length of the padding in bytes
- * @returns {String}        Padding as string
- * @async
- */
-async function getPkcs1Padding(length) {
-  let result = '';
-  while (result.length < length) {
-    const randomBytes = await random.getRandomBytes(length - result.length);
-    for (let i = 0; i < randomBytes.length; i++) {
-      if (randomBytes[i] !== 0) {
-        result += String.fromCharCode(randomBytes[i]);
-      }
-    }
-  }
-  return result;
-}
-
-/**
- * Create a EME-PKCS1-v1_5 padded message
- * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.1|RFC 4880 13.1.1}
- * @param {String} M message to be encoded
- * @param {Integer} k the length in octets of the key modulus
- * @returns {Promise<String>} EME-PKCS1 padded message
- * @async
- */
-eme.encode = async function(M, k) {
-  const mLen = M.length;
-  // length checking
-  if (mLen > k - 11) {
-    throw new Error('Message too long');
-  }
-  // Generate an octet string PS of length k - mLen - 3 consisting of
-  // pseudo-randomly generated nonzero octets
-  const PS = await getPkcs1Padding(k - mLen - 3);
-  // Concatenate PS, the message M, and other padding to form an
-  // encoded message EM of length k octets as EM = 0x00 || 0x02 || PS || 0x00 || M.
-  return String.fromCharCode(0) +
-    String.fromCharCode(2) +
-    PS +
-    String.fromCharCode(0) +
-    M;
-};
-
-/**
- * Decode a EME-PKCS1-v1_5 padded message
- * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.2|RFC 4880 13.1.2}
- * @param {String} EM encoded message, an octet string
- * @returns {String} message, an octet string
- */
-eme.decode = function(EM) {
-  // leading zeros truncated by bn.js
-  if (EM.charCodeAt(0) !== 0) {
-    EM = String.fromCharCode(0) + EM;
-  }
-  const firstOct = EM.charCodeAt(0);
-  const secondOct = EM.charCodeAt(1);
-  let i = 2;
-  while (EM.charCodeAt(i) !== 0 && i < EM.length) {
-    i++;
-  }
-  const psLen = i - 2;
-  const separator = EM.charCodeAt(i++);
-  if (firstOct === 0 && secondOct === 2 && psLen >= 8 && separator === 0) {
-    return EM.substr(i);
-  }
-  throw new Error('Decryption error');
-};
-
-/**
- * Create a EMSA-PKCS1-v1_5 padded message
- * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.3|RFC 4880 13.1.3}
- * @param {Integer} algo Hash algorithm type used
- * @param {Uint8Array} hashed message to be encoded
- * @param {Integer} emLen intended length in octets of the encoded message
- * @returns {String} encoded message
- */
-emsa.encode = async function(algo, hashed, emLen) {
-  let i;
-  const H = util.Uint8Array_to_str(hashed);
-  if (H.length !== hash.getHashByteLength(algo)) {
-    throw new Error('Invalid hash length');
-  }
-  // produce an ASN.1 DER value for the hash function used.
-  // Let T be the full hash prefix
-  let T = '';
-  for (i = 0; i < hash_headers[algo].length; i++) {
-    T += String.fromCharCode(hash_headers[algo][i]);
-  }
-  // add hash value to prefix
-  T += H;
-  // and let tLen be the length in octets of T
-  const tLen = T.length;
-  if (emLen < tLen + 11) {
-    throw new Error('Intended encoded message length too short');
-  }
-  // an octet string PS consisting of emLen - tLen - 3 octets with hexadecimal value 0xFF
-  // The length of PS will be at least 8 octets
-  let PS = '';
-  for (i = 0; i < (emLen - tLen - 3); i++) {
-    PS += String.fromCharCode(0xff);
-  }
-  // Concatenate PS, the hash prefix T, and other padding to form the
-  // encoded message EM as EM = 0x00 || 0x01 || PS || 0x00 || T.
-  const EM = String.fromCharCode(0x00) +
-        String.fromCharCode(0x01) +
-        PS +
-        String.fromCharCode(0x00) +
-        T;
-  return util.str_to_hex(EM);
-};
-
-export default { eme, emsa };

package/src/crypto/pkcs5.js

@@ -1,55 +0,0 @@
-// OpenPGP.js - An OpenPGP implementation in javascript
-// Copyright (C) 2015-2016 Decentral
-//
-// This library is free software; you can redistribute it and/or
-// modify it under the terms of the GNU Lesser General Public
-// License as published by the Free Software Foundation; either
-// version 3.0 of the License, or (at your option) any later version.
-//
-// This library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public
-// License along with this library; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-/**
- * @fileoverview Functions to add and remove PKCS5 padding
- * @see module:packet.PublicKeyEncryptedSessionKey
- * @module crypto/pkcs5
- */
-
-/**
- * Add pkcs5 padding to a text.
- * @param  {String}  msg  Text to add padding
- * @returns {String}       Text with padding added
- */
-function encode(msg) {
-  const c = 8 - (msg.length % 8);
-  const padding = String.fromCharCode(c).repeat(c);
-  return msg + padding;
-}
-
-/**
- * Remove pkcs5 padding from a string.
- * @param  {String}  msg  Text to remove padding from
- * @returns {String}       Text with padding removed
- */
-function decode(msg) {
-  const len = msg.length;
-  if (len > 0) {
-    const c = msg.charCodeAt(len - 1);
-    if (c >= 1) {
-      const provided = msg.substr(len - c);
-      const computed = String.fromCharCode(c).repeat(c);
-      if (provided === computed) {
-        return msg.substr(0, len - c);
-      }
-    }
-  }
-  throw new Error('Invalid padding');
-}
-
-export default { encode, decode };

package/src/crypto/public_key/dsa.js

@@ -1,188 +0,0 @@
-// GPG4Browsers - An OpenPGP implementation in javascript
-// Copyright (C) 2011 Recurity Labs GmbH
-//
-// This library is free software; you can redistribute it and/or
-// modify it under the terms of the GNU Lesser General Public
-// License as published by the Free Software Foundation; either
-// version 3.0 of the License, or (at your option) any later version.
-//
-// This library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public
-// License along with this library; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-/**
- * @fileoverview A Digital signature algorithm implementation
- * @requires bn.js
- * @requires crypto/random
- * @requires util
- * @module crypto/public_key/dsa
- */
-
-import BN from 'bn.js';
-import random from '../random';
-import util from '../../util';
-import prime from './prime';
-
-const one = new BN(1);
-const zero = new BN(0);
-
-/*
-  TODO regarding the hash function, read:
-   https://tools.ietf.org/html/rfc4880#section-13.6
-   https://tools.ietf.org/html/rfc4880#section-14
-*/
-
-export default {
-  /**
-   * DSA Sign function
-   * @param {Integer} hash_algo
-   * @param {Uint8Array} hashed
-   * @param {BN} g
-   * @param {BN} p
-   * @param {BN} q
-   * @param {BN} x
-   * @returns {{ r: BN, s: BN }}
-   * @async
-   */
-  sign: async function(hash_algo, hashed, g, p, q, x) {
-    let k;
-    let r;
-    let s;
-    let t;
-    const redp = new BN.red(p);
-    const redq = new BN.red(q);
-    const gred = g.toRed(redp);
-    const xred = x.toRed(redq);
-    // If the output size of the chosen hash is larger than the number of
-    // bits of q, the hash result is truncated to fit by taking the number
-    // of leftmost bits equal to the number of bits of q.  This (possibly
-    // truncated) hash function result is treated as a number and used
-    // directly in the DSA signature algorithm.
-    const h = new BN(hashed.subarray(0, q.byteLength())).toRed(redq);
-    // FIPS-186-4, section 4.6:
-    // The values of r and s shall be checked to determine if r = 0 or s = 0.
-    // If either r = 0 or s = 0, a new value of k shall be generated, and the
-    // signature shall be recalculated. It is extremely unlikely that r = 0
-    // or s = 0 if signatures are generated properly.
-    while (true) {
-      // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
-      k = await random.getRandomBN(one, q); // returns in [1, q-1]
-      r = gred.redPow(k).fromRed().toRed(redq); // (g**k mod p) mod q
-      if (zero.cmp(r) === 0) {
-        continue;
-      }
-      t = h.redAdd(xred.redMul(r)); // H(m) + x*r mod q
-      s = k.toRed(redq).redInvm().redMul(t); // k**-1 * (H(m) + x*r) mod q
-      if (zero.cmp(s) === 0) {
-        continue;
-      }
-      break;
-    }
-    return {
-      r: r.toArrayLike(Uint8Array, 'be', q.byteLength()),
-      s: s.toArrayLike(Uint8Array, 'be', q.byteLength())
-    };
-  },
-
-  /**
-   * DSA Verify function
-   * @param {Integer} hash_algo
-   * @param {BN} r
-   * @param {BN} s
-   * @param {Uint8Array} hashed
-   * @param {BN} g
-   * @param {BN} p
-   * @param {BN} q
-   * @param {BN} y
-   * @returns {boolean}
-   * @async
-   */
-  verify: async function(hash_algo, r, s, hashed, g, p, q, y) {
-    if (zero.ucmp(r) >= 0 || r.ucmp(q) >= 0 ||
-        zero.ucmp(s) >= 0 || s.ucmp(q) >= 0) {
-      util.print_debug("invalid DSA Signature");
-      return null;
-    }
-    const redp = new BN.red(p);
-    const redq = new BN.red(q);
-    const h = new BN(hashed.subarray(0, q.byteLength()));
-    const w = s.toRed(redq).redInvm(); // s**-1 mod q
-    if (zero.cmp(w) === 0) {
-      util.print_debug("invalid DSA Signature");
-      return null;
-    }
-    const u1 = h.toRed(redq).redMul(w); // H(m) * w mod q
-    const u2 = r.toRed(redq).redMul(w); // r * w mod q
-    const t1 = g.toRed(redp).redPow(u1.fromRed()); // g**u1 mod p
-    const t2 = y.toRed(redp).redPow(u2.fromRed()); // y**u2 mod p
-    const v = t1.redMul(t2).fromRed().mod(q); // (g**u1 * y**u2 mod p) mod q
-    return v.cmp(r) === 0;
-  },
-
-  /**
-   * Validate DSA parameters
-   * @param {Uint8Array}         p DSA prime
-   * @param {Uint8Array}         q DSA group order
-   * @param {Uint8Array}         g DSA sub-group generator
-   * @param {Uint8Array}         y DSA public key
-   * @param {Uint8Array}         x DSA private key
-   * @returns {Promise<Boolean>} whether params are valid
-   * @async
-   */
-  validateParams: async function (p, q, g, y, x) {
-    p = new BN(p);
-    q = new BN(q);
-    g = new BN(g);
-    y = new BN(y);
-    const one = new BN(1);
-    // Check that 1 < g < p
-    if (g.lte(one) || g.gte(p)) {
-      return false;
-    }
-
-    /**
-     * Check that subgroup order q divides p-1
-     */
-    if (!p.sub(one).mod(q).isZero()) {
-      return false;
-    }
-
-    const pred = new BN.red(p);
-    const gModP = g.toRed(pred);
-    /**
-     * g has order q
-     * Check that g ** q = 1 mod p
-     */
-    if (!gModP.redPow(q).eq(one)) {
-      return false;
-    }
-
-    /**
-     * Check q is large and probably prime (we mainly want to avoid small factors)
-     */
-    const qSize = q.bitLength();
-    if (qSize < 150 || !(await prime.isProbablePrime(q, null, 32))) {
-      return false;
-    }
-
-    /**
-     * Re-derive public key y' = g ** x mod p
-     * Expect y == y'
-     *
-     * Blinded exponentiation computes g**{rq + x} to compare to y
-     */
-    x = new BN(x);
-    const r = await random.getRandomBN(new BN(2).shln(qSize - 1), new BN(2).shln(qSize)); // draw r of same size as q
-    const rqx = q.mul(r).add(x);
-    if (!y.eq(gModP.redPow(rqx))) {
-      return false;
-    }
-
-    return true;
-  }
-};