/*

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.rsa;

import java.util.*;

import java.security.*;

import java.security.spec.*;

import javax.crypto.BadPaddingException;

import javax.crypto.spec.PSource;

import javax.crypto.spec.OAEPParameterSpec;

import sun.security.jca.JCAUtil;

/**

 * RSA padding and unpadding.

 *

 *

 *

 * The format of PKCS#1 v1.5 padding is:

 *

 *   0x00 | BT | PS...PS | 0x00 | data...data

 *

 * where BT is the blocktype (1 or 2). The length of the entire string

 * must be the same as the size of the modulus (i.e. 128 byte for a 1024 bit

 * key). Per spec, the padding string must be at least 8 bytes long. That

 * leaves up to (length of key in bytes) - 11 bytes for the data.

 *

 * OAEP padding was introduced in PKCS#1 v2.0 and is a bit more complicated

 * and has a number of options. We support:

 *

 *   . arbitrary hash functions ('Hash' in the specification), MessageDigest

 *     implementation must be available

 *   . MGF1 as the mask generation function

 *   . the empty string as the default value for label L and whatever

 *     specified in javax.crypto.spec.OAEPParameterSpec

 *

 * The algorithms (representations) are forwards-compatible: that is,

 * the algorithm described in previous releases are in later releases.

 * However, additional comments/checks/clarifications were added to the

 * later versions based on real-world experience (e.g. stricter v1.5

 * format checking.)

 *

 * Note: RSA keys should be at least 512 bits long

 *

 * @since   1.5

 * @author  Andreas Sterbenz

 */

public final class RSAPadding {

    // NOTE: the constants below are embedded in the JCE RSACipher class

    // file. Do not change without coordinating the update

    // PKCS#1 v1.5 padding, blocktype 1 (signing)

    public static final int PAD_BLOCKTYPE_1    = 1;

    // PKCS#1 v1.5 padding, blocktype 2 (encryption)

    public static final int PAD_BLOCKTYPE_2    = 2;

    // nopadding. Does not do anything, but allows simpler RSACipher code

    public static final int PAD_NONE           = 3;

    // PKCS#1 v2.1 OAEP padding

    public static final int PAD_OAEP_MGF1 = 4;

    // type, one of PAD_*

    private final int type;

    // size of the padded block (i.e. size of the modulus)

    private final int paddedSize;

    // PRNG used to generate padding bytes (PAD_BLOCKTYPE_2, PAD_OAEP_MGF1)

    private SecureRandom random;

    // maximum size of the data

    private final int maxDataSize;

    private MessageDigest md;

    // OAEP: value of digest of data (user-supplied or zero-length) using md

    private byte[] lHash;

    /**

     * Get a RSAPadding instance of the specified type.

     * Keys used with this padding must be paddedSize bytes long.

     */

    public static RSAPadding getInstance(int type, int paddedSize)

            throws InvalidKeyException, InvalidAlgorithmParameterException {

        return new RSAPadding(type, paddedSize, null, null);

    }

    /**

     * Get a RSAPadding instance of the specified type.

     * Keys used with this padding must be paddedSize bytes long.

     */

    public static RSAPadding getInstance(int type, int paddedSize,

            SecureRandom random) throws InvalidKeyException,

            InvalidAlgorithmParameterException {

        return new RSAPadding(type, paddedSize, random, null);

    }

    /**

     * Get a RSAPadding instance of the specified type, which must be

     * OAEP. Keys used with this padding must be paddedSize bytes long.

     */

    public static RSAPadding getInstance(int type, int paddedSize,

            SecureRandom random, OAEPParameterSpec spec)

        throws InvalidKeyException, InvalidAlgorithmParameterException {

        return new RSAPadding(type, paddedSize, random, spec);

    }

    // internal constructor

    private RSAPadding(int type, int paddedSize, SecureRandom random,

            OAEPParameterSpec spec) throws InvalidKeyException,

            InvalidAlgorithmParameterException {

        this.type = type;

        this.paddedSize = paddedSize;

        this.random = random;

        if (paddedSize < 64) {

            // sanity check, already verified in RSASignature/RSACipher

            throw new InvalidKeyException("Padded size must be at least 64");

        }

        switch (type) {

        case PAD_BLOCKTYPE_1:

        case PAD_BLOCKTYPE_2:

            maxDataSize = paddedSize - 11;

            break;

        case PAD_NONE:

            maxDataSize = paddedSize;

            break;

        case PAD_OAEP_MGF1:

            String mdName = "SHA-1";

            byte[] digestInput = null;

            try {

                if (spec != null) {

                    mdName = spec.getDigestAlgorithm();

                    String mgfName = spec.getMGFAlgorithm();

                    if (!mgfName.equalsIgnoreCase("MGF1")) {

                        throw new InvalidAlgorithmParameterException

                            ("Unsupported MGF algo: " + mgfName);

                    }

                    mgfMdName = ((MGF1ParameterSpec)spec.getMGFParameters())

                            .getDigestAlgorithm();

                    PSource pSrc = spec.getPSource();

                    String pSrcAlgo = pSrc.getAlgorithm();

                    if (!pSrcAlgo.equalsIgnoreCase("PSpecified")) {

                        throw new InvalidAlgorithmParameterException

                            ("Unsupported pSource algo: " + pSrcAlgo);

                    }

                    digestInput = ((PSource.PSpecified) pSrc).getValue();

                }

                md = MessageDigest.getInstance(mdName);

            } catch (NoSuchAlgorithmException e) {

            }

            lHash = getInitialHash(md, digestInput);

            int digestLen = lHash.length;

            maxDataSize = paddedSize - 2 - 2 * digestLen;

            if (maxDataSize <= 0) {

                throw new InvalidKeyException

                        ("Key is too short for encryption using OAEPPadding" +

            }

            break;

        default:

            throw new InvalidKeyException("Invalid padding: " + type);

        }

    }

    // cache of hashes of zero length data

    private static final Map<String,byte[]> emptyHashes =

        Collections.synchronizedMap(new HashMap<String,byte[]>());

    /**

     * Return the value of the digest using the specified message digest

     * <code>md</code> and the digest input <code>digestInput</code>.

     * if <code>digestInput</code> is null or 0-length, zero length

     * is used to generate the initial digest.

     * Note: the md object must be in reset state

     */

    private static byte[] getInitialHash(MessageDigest md,

        byte[] digestInput) {

        byte[] result;

        if ((digestInput == null) || (digestInput.length == 0)) {

            String digestName = md.getAlgorithm();

            result = emptyHashes.get(digestName);

            if (result == null) {

                result = md.digest();

                emptyHashes.put(digestName, result);

            }

        } else {

            result = md.digest(digestInput);

        }

        return result;

    }

    /**

     * Return the maximum size of the plaintext data that can be processed

     * using this object.

     */

    public int getMaxDataSize() {

        return maxDataSize;

    }

    /**

     * Pad the data and return the padded block.

     */

    public byte[] pad(byte[] data, int ofs, int len)

            throws BadPaddingException {

        return pad(RSACore.convert(data, ofs, len));

    }

    /**

     * Pad the data and return the padded block.

     */

    public byte[] pad(byte[] data) throws BadPaddingException {

        if (data.length > maxDataSize) {

            throw new BadPaddingException("Data must be shorter than "

                + (maxDataSize + 1) + " bytes but received "

                + data.length + " bytes.");

        }

        switch (type) {

        case PAD_NONE:

            return data;

        case PAD_BLOCKTYPE_1:

        case PAD_BLOCKTYPE_2:

            return padV15(data);

        case PAD_OAEP_MGF1:

            return padOAEP(data);

        default:

            throw new AssertionError();

        }

    }

    /**

     * Unpad the padded block and return the data.

     */

    public byte[] unpad(byte[] padded, int ofs, int len)

            throws BadPaddingException {

        return unpad(RSACore.convert(padded, ofs, len));

    }

    /**

     * Unpad the padded block and return the data.

     */

    public byte[] unpad(byte[] padded) throws BadPaddingException {

        if (padded.length != paddedSize) {

            throw new BadPaddingException("Decryption error." +

                "The padded array length (" + padded.length +

                ") is not the specified padded size (" + paddedSize + ")");

        }

        switch (type) {

        case PAD_NONE:

            return padded;

        case PAD_BLOCKTYPE_1:

        case PAD_BLOCKTYPE_2:

            return unpadV15(padded);

        case PAD_OAEP_MGF1:

            return unpadOAEP(padded);

        default:

            throw new AssertionError();

        }

    }

    /**

     * PKCS#1 v1.5 padding (blocktype 1 and 2).

     */

    private byte[] padV15(byte[] data) throws BadPaddingException {

        byte[] padded = new byte[paddedSize];

        System.arraycopy(data, 0, padded, paddedSize - data.length,

            data.length);

        int psSize = paddedSize - 3 - data.length;

        int k = 0;

        padded[k++] = 0;

        padded[k++] = (byte)type;

        if (type == PAD_BLOCKTYPE_1) {

            // blocktype 1: all padding bytes are 0xff

            while (psSize-- > 0) {

                padded[k++] = (byte)0xff;

            }

        } else {

            // blocktype 2: padding bytes are random non-zero bytes

            if (random == null) {

                random = JCAUtil.getSecureRandom();

            }

            // generate non-zero padding bytes

            // use a buffer to reduce calls to SecureRandom

            while (psSize > 0) {

                // extra bytes to avoid zero bytes,

                // number of zero bytes <= 4 in 98% cases

                byte[] r = new byte[psSize + 4];

                random.nextBytes(r);

                for (int i = 0; i < r.length && psSize > 0; i++) {

                    if (r[i] != 0) {

                        padded[k++] = r[i];

                        psSize--;

                    }

                }

            }

        }

        return padded;

    }

    /**

     * PKCS#1 v1.5 unpadding (blocktype 1 (signature) and 2 (encryption)).

     *

     * Note that we want to make it a constant-time operation

     */

    private byte[] unpadV15(byte[] padded) throws BadPaddingException {

        int k = 0;

        boolean bp = false;

        if (padded[k++] != 0) {

            bp = true;

        }

        if (padded[k++] != type) {

            bp = true;

        }

        int p = 0;

        while (k < padded.length) {

            int b = padded[k++] & 0xff;

            if ((b == 0) && (p == 0)) {

                p = k;

            }

            if ((k == padded.length) && (p == 0)) {

                bp = true;

            }

            if ((type == PAD_BLOCKTYPE_1) && (b != 0xff) &&

                    (p == 0)) {

                bp = true;

            }

        }

        int n = padded.length - p;

        if (n > maxDataSize) {

            bp = true;

        }

        // copy useless padding array for a constant-time method

        byte[] padding = new byte[p];

        System.arraycopy(padded, 0, padding, 0, p);

        byte[] data = new byte[n];

        System.arraycopy(padded, p, data, 0, n);

        BadPaddingException bpe = new BadPaddingException("Decryption error");

        if (bp) {

            throw bpe;

        } else {

            return data;

        }

    }

    /**

     * PKCS#1 v2.0 OAEP padding (MGF1).

     * Paragraph references refer to PKCS#1 v2.1 (June 14, 2002)

     */

    private byte[] padOAEP(byte[] M) throws BadPaddingException {

        if (random == null) {

            random = JCAUtil.getSecureRandom();

        }

        int hLen = lHash.length;

        // 2.d: generate a random octet string seed of length hLen

        // if necessary

        byte[] seed = new byte[hLen];

        random.nextBytes(seed);

        // buffer for encoded message EM

        byte[] EM = new byte[paddedSize];

        // start and length of seed (as index into EM)

        int seedStart = 1;

        int seedLen = hLen;

        // copy seed into EM

        System.arraycopy(seed, 0, EM, seedStart, seedLen);

        // start and length of data block DB in EM

        // we place it inside of EM to reduce copying

        int dbStart = hLen + 1;

        int dbLen = EM.length - dbStart;

        // start of message M in EM

        int mStart = paddedSize - M.length;

        // build DB

        // 2.b: Concatenate lHash, PS, a single octet with hexadecimal value

        // 0x01, and the message M to form a data block DB of length

        // k - hLen -1 octets as DB = lHash || PS || 0x01 || M

        // (note that PS is all zeros)

        System.arraycopy(lHash, 0, EM, dbStart, hLen);

        EM[mStart - 1] = 1;

        System.arraycopy(M, 0, EM, mStart, M.length);

        // produce maskedDB

        // produce maskSeed

        return EM;

    }

    /**

     * PKCS#1 v2.1 OAEP unpadding (MGF1).

     */

    private byte[] unpadOAEP(byte[] padded) throws BadPaddingException {

        byte[] EM = padded;

        boolean bp = false;

        int hLen = lHash.length;

        if (EM[0] != 0) {

            bp = true;

        }

        int seedStart = 1;

        int seedLen = hLen;

        int dbStart = hLen + 1;

        int dbLen = EM.length - dbStart;

        // verify lHash == lHash'

        for (int i = 0; i < hLen; i++) {

            if (lHash[i] != EM[dbStart + i]) {

                bp = true;

            }

        }

        int padStart = dbStart + hLen;

        int onePos = -1;

        for (int i = padStart; i < EM.length; i++) {

            int value = EM[i];

            if (onePos == -1) {

                if (value == 0x00) {

                    // continue;

                } else if (value == 0x01) {

                    onePos = i;

                } else {  // Anything other than {0,1} is bad.

                    bp = true;

                }

            }

        }

        // We either ran off the rails or found something other than 0/1.

        if (onePos == -1) {

            bp = true;

            onePos = EM.length - 1;  // Don't inadvertently return any data.

        }

        int mStart = onePos + 1;

        // copy useless padding array for a constant-time method

        byte [] tmp = new byte[mStart - padStart];

        System.arraycopy(EM, padStart, tmp, 0, tmp.length);

        byte [] m = new byte[EM.length - mStart];

        System.arraycopy(EM, mStart, m, 0, m.length);

        BadPaddingException bpe = new BadPaddingException("Decryption error");

        if (bp) {

            throw bpe;

        } else {

            return m;

        }

    }

}