Implement recovery of DSA x

src/dsa.rs

@@ -22,6 +22,7 @@ pub struct DsaKeys {
 pub struct DsaSig {
     pub r: BigNum,
     pub s: BigNum,
+    pub k: BigNum,
 }
 
 impl DsaParameters {
@@ -65,7 +66,7 @@ impl DsaKeys {
         // In the unlikely case that s=0, crash.
         assert!(s != zero, "s is zero");
 
-        Ok(DsaSig { r, s })
+        Ok(DsaSig { r, s, k })
     }
 
     pub fn verify(
@@ -99,6 +100,14 @@ impl DsaKeys {
     }
 }
 
+pub fn recover_x(params: &DsaParameters, msg: &Bytes, sig: &DsaSig) -> Result<BigNum, ErrorStack> {
+    //      (s * k) - H(msg)
+    //  x = ----------------  mod q
+    //              r
+    let x = &(&rsa::invmod(&sig.r, &params.q)? * &(&(&sig.s * &sig.k) - &h(msg)?)) % &params.q;
+    Ok(x)
+}
+
 fn h(message: &Bytes) -> Result<BigNum, ErrorStack> {
     let mut s1 = sha1::Sha1::default();
     BigNum::from_slice(&(s1.hash(message).0))

src/set6.rs

@@ -101,9 +101,12 @@ pub fn challenge43() -> Option<()> {
     let msg = Bytes::from_utf8("hello, world!");
     let params = dsa::DsaParameters::new().ok()?;
     let keys = dsa::DsaKeys::new(&params).ok()?;
-    let s = keys.sign(&params, &msg).ok()?;
+    let sig = keys.sign(&params, &msg).ok()?;
-    let r = keys.verify(&params, &msg, &s).ok()?;
+    let result = keys.verify(&params, &msg, &sig).ok()?;
-    assert!(r, "verify failed unexpectedly");
+    assert!(result, "verify failed unexpectedly");
+
+    let recovered_x = dsa::recover_x(&params, &msg, &sig).ok()?;
+    assert_eq!(recovered_x, keys.x, "DSA recovery failed");
 
     Some(())
 }