author | wetmore |
Fri, 11 May 2018 15:53:12 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56542 | 56aaa6cb3693 |
parent 47216 | 71c04702a3d5 |
child 56592 | b1902b22005e |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.rsa; |
|
27 |
||
28 |
import java.io.IOException; |
|
29 |
import java.nio.ByteBuffer; |
|
30 |
||
31 |
import java.security.*; |
|
32 |
import java.security.interfaces.*; |
|
56542 | 33 |
import java.security.spec.AlgorithmParameterSpec; |
2 | 34 |
|
56542 | 35 |
import sun.security.rsa.RSAUtil.KeyType; |
2 | 36 |
import sun.security.util.*; |
37 |
import sun.security.x509.AlgorithmId; |
|
38 |
||
39 |
/** |
|
56542 | 40 |
* PKCS#1 v1.5 RSA signatures with the various message digest algorithms. |
2 | 41 |
* This file contains an abstract base class with all the logic plus |
42 |
* a nested static class for each of the message digest algorithms |
|
12685 | 43 |
* (see end of the file). We support MD2, MD5, SHA-1, SHA-224, SHA-256, |
56542 | 44 |
* SHA-384, SHA-512, SHA-512/224, and SHA-512/256. |
2 | 45 |
* |
46 |
* @since 1.5 |
|
47 |
* @author Andreas Sterbenz |
|
48 |
*/ |
|
49 |
public abstract class RSASignature extends SignatureSpi { |
|
50 |
||
51 |
// we sign an ASN.1 SEQUENCE of AlgorithmId and digest |
|
7043 | 52 |
// it has the form 30:xx:30:xx:[digestOID]:05:00:04:xx:[digest] |
2 | 53 |
// this means the encoded length is (8 + digestOID.length + digest.length) |
54 |
private static final int baseLength = 8; |
|
55 |
||
56 |
// object identifier for the message digest algorithm used |
|
57 |
private final ObjectIdentifier digestOID; |
|
58 |
||
59 |
// length of the encoded signature blob |
|
60 |
private final int encodedLength; |
|
61 |
||
62 |
// message digest implementation we use |
|
63 |
private final MessageDigest md; |
|
64 |
// flag indicating whether the digest is reset |
|
65 |
private boolean digestReset; |
|
66 |
||
67 |
// private key, if initialized for signing |
|
68 |
private RSAPrivateKey privateKey; |
|
69 |
// public key, if initialized for verifying |
|
70 |
private RSAPublicKey publicKey; |
|
71 |
||
72 |
// padding to use, set when the initSign/initVerify is called |
|
73 |
private RSAPadding padding; |
|
74 |
||
75 |
/** |
|
76 |
* Construct a new RSASignature. Used by subclasses. |
|
77 |
*/ |
|
78 |
RSASignature(String algorithm, ObjectIdentifier digestOID, int oidLength) { |
|
79 |
this.digestOID = digestOID; |
|
80 |
try { |
|
81 |
md = MessageDigest.getInstance(algorithm); |
|
82 |
} catch (NoSuchAlgorithmException e) { |
|
83 |
throw new ProviderException(e); |
|
84 |
} |
|
85 |
digestReset = true; |
|
86 |
encodedLength = baseLength + oidLength + md.getDigestLength(); |
|
87 |
} |
|
88 |
||
89 |
// initialize for verification. See JCA doc |
|
56542 | 90 |
@Override |
2 | 91 |
protected void engineInitVerify(PublicKey publicKey) |
92 |
throws InvalidKeyException { |
|
93 |
RSAPublicKey rsaKey = (RSAPublicKey)RSAKeyFactory.toRSAKey(publicKey); |
|
94 |
this.privateKey = null; |
|
95 |
this.publicKey = rsaKey; |
|
96 |
initCommon(rsaKey, null); |
|
97 |
} |
|
98 |
||
99 |
// initialize for signing. See JCA doc |
|
56542 | 100 |
@Override |
2 | 101 |
protected void engineInitSign(PrivateKey privateKey) |
102 |
throws InvalidKeyException { |
|
103 |
engineInitSign(privateKey, null); |
|
104 |
} |
|
105 |
||
106 |
// initialize for signing. See JCA doc |
|
56542 | 107 |
@Override |
2 | 108 |
protected void engineInitSign(PrivateKey privateKey, SecureRandom random) |
109 |
throws InvalidKeyException { |
|
7043 | 110 |
RSAPrivateKey rsaKey = |
111 |
(RSAPrivateKey)RSAKeyFactory.toRSAKey(privateKey); |
|
2 | 112 |
this.privateKey = rsaKey; |
113 |
this.publicKey = null; |
|
114 |
initCommon(rsaKey, random); |
|
115 |
} |
|
116 |
||
117 |
/** |
|
118 |
* Init code common to sign and verify. |
|
119 |
*/ |
|
120 |
private void initCommon(RSAKey rsaKey, SecureRandom random) |
|
121 |
throws InvalidKeyException { |
|
56542 | 122 |
try { |
123 |
RSAUtil.checkParamsAgainstType(KeyType.RSA, rsaKey.getParams()); |
|
124 |
} catch (ProviderException e) { |
|
125 |
throw new InvalidKeyException("Invalid key for RSA signatures", e); |
|
126 |
} |
|
2 | 127 |
resetDigest(); |
128 |
int keySize = RSACore.getByteLength(rsaKey); |
|
129 |
try { |
|
130 |
padding = RSAPadding.getInstance |
|
131 |
(RSAPadding.PAD_BLOCKTYPE_1, keySize, random); |
|
132 |
} catch (InvalidAlgorithmParameterException iape) { |
|
133 |
throw new InvalidKeyException(iape.getMessage()); |
|
134 |
} |
|
135 |
int maxDataSize = padding.getMaxDataSize(); |
|
136 |
if (encodedLength > maxDataSize) { |
|
137 |
throw new InvalidKeyException |
|
138 |
("Key is too short for this signature algorithm"); |
|
139 |
} |
|
140 |
} |
|
141 |
||
142 |
/** |
|
143 |
* Reset the message digest if it is not already reset. |
|
144 |
*/ |
|
145 |
private void resetDigest() { |
|
146 |
if (digestReset == false) { |
|
147 |
md.reset(); |
|
148 |
digestReset = true; |
|
149 |
} |
|
150 |
} |
|
151 |
||
152 |
/** |
|
153 |
* Return the message digest value. |
|
154 |
*/ |
|
155 |
private byte[] getDigestValue() { |
|
156 |
digestReset = true; |
|
157 |
return md.digest(); |
|
158 |
} |
|
159 |
||
160 |
// update the signature with the plaintext data. See JCA doc |
|
56542 | 161 |
@Override |
2 | 162 |
protected void engineUpdate(byte b) throws SignatureException { |
163 |
md.update(b); |
|
164 |
digestReset = false; |
|
165 |
} |
|
166 |
||
167 |
// update the signature with the plaintext data. See JCA doc |
|
56542 | 168 |
@Override |
2 | 169 |
protected void engineUpdate(byte[] b, int off, int len) |
170 |
throws SignatureException { |
|
171 |
md.update(b, off, len); |
|
172 |
digestReset = false; |
|
173 |
} |
|
174 |
||
175 |
// update the signature with the plaintext data. See JCA doc |
|
56542 | 176 |
@Override |
2 | 177 |
protected void engineUpdate(ByteBuffer b) { |
178 |
md.update(b); |
|
179 |
digestReset = false; |
|
180 |
} |
|
181 |
||
182 |
// sign the data and return the signature. See JCA doc |
|
56542 | 183 |
@Override |
2 | 184 |
protected byte[] engineSign() throws SignatureException { |
56542 | 185 |
if (privateKey == null) { |
186 |
throw new SignatureException("Missing private key"); |
|
187 |
} |
|
2 | 188 |
byte[] digest = getDigestValue(); |
189 |
try { |
|
190 |
byte[] encoded = encodeSignature(digestOID, digest); |
|
191 |
byte[] padded = padding.pad(encoded); |
|
29915 | 192 |
byte[] encrypted = RSACore.rsa(padded, privateKey, true); |
2 | 193 |
return encrypted; |
194 |
} catch (GeneralSecurityException e) { |
|
195 |
throw new SignatureException("Could not sign data", e); |
|
196 |
} catch (IOException e) { |
|
197 |
throw new SignatureException("Could not encode data", e); |
|
198 |
} |
|
199 |
} |
|
200 |
||
201 |
// verify the data and return the result. See JCA doc |
|
41205
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
202 |
// should be reset to the state after engineInitVerify call. |
56542 | 203 |
@Override |
2 | 204 |
protected boolean engineVerify(byte[] sigBytes) throws SignatureException { |
56542 | 205 |
if (publicKey == null) { |
206 |
throw new SignatureException("Missing public key"); |
|
207 |
} |
|
41205
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
208 |
try { |
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
209 |
if (sigBytes.length != RSACore.getByteLength(publicKey)) { |
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
210 |
throw new SignatureException("Signature length not correct: got " + |
7526
78a87adede1e
6896700: Validation of signatures succeed when it should fail
weijun
parents:
7043
diff
changeset
|
211 |
sigBytes.length + " but was expecting " + |
78a87adede1e
6896700: Validation of signatures succeed when it should fail
weijun
parents:
7043
diff
changeset
|
212 |
RSACore.getByteLength(publicKey)); |
41205
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
213 |
} |
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
214 |
byte[] digest = getDigestValue(); |
2 | 215 |
byte[] decrypted = RSACore.rsa(sigBytes, publicKey); |
216 |
byte[] unpadded = padding.unpad(decrypted); |
|
217 |
byte[] decodedDigest = decodeSignature(digestOID, unpadded); |
|
31695 | 218 |
return MessageDigest.isEqual(digest, decodedDigest); |
2 | 219 |
} catch (javax.crypto.BadPaddingException e) { |
220 |
// occurs if the app has used the wrong RSA public key |
|
221 |
// or if sigBytes is invalid |
|
222 |
// return false rather than propagating the exception for |
|
223 |
// compatibility/ease of use |
|
224 |
return false; |
|
225 |
} catch (IOException e) { |
|
226 |
throw new SignatureException("Signature encoding error", e); |
|
41205
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
227 |
} finally { |
2867bb7f5b53
8149802: Signature.verify() doesn't reset the signature object on exception
valeriep
parents:
31695
diff
changeset
|
228 |
resetDigest(); |
2 | 229 |
} |
230 |
} |
|
231 |
||
232 |
/** |
|
233 |
* Encode the digest, return the to-be-signed data. |
|
234 |
* Also used by the PKCS#11 provider. |
|
235 |
*/ |
|
236 |
public static byte[] encodeSignature(ObjectIdentifier oid, byte[] digest) |
|
237 |
throws IOException { |
|
238 |
DerOutputStream out = new DerOutputStream(); |
|
239 |
new AlgorithmId(oid).encode(out); |
|
240 |
out.putOctetString(digest); |
|
7043 | 241 |
DerValue result = |
242 |
new DerValue(DerValue.tag_Sequence, out.toByteArray()); |
|
2 | 243 |
return result.toByteArray(); |
244 |
} |
|
245 |
||
246 |
/** |
|
247 |
* Decode the signature data. Verify that the object identifier matches |
|
248 |
* and return the message digest. |
|
249 |
*/ |
|
43214 | 250 |
public static byte[] decodeSignature(ObjectIdentifier oid, byte[] sig) |
2 | 251 |
throws IOException { |
43214 | 252 |
// Enforce strict DER checking for signatures |
253 |
DerInputStream in = new DerInputStream(sig, 0, sig.length, false); |
|
2 | 254 |
DerValue[] values = in.getSequence(2); |
255 |
if ((values.length != 2) || (in.available() != 0)) { |
|
256 |
throw new IOException("SEQUENCE length error"); |
|
257 |
} |
|
258 |
AlgorithmId algId = AlgorithmId.parse(values[0]); |
|
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
29915
diff
changeset
|
259 |
if (algId.getOID().equals(oid) == false) { |
7043 | 260 |
throw new IOException("ObjectIdentifier mismatch: " |
261 |
+ algId.getOID()); |
|
2 | 262 |
} |
263 |
if (algId.getEncodedParams() != null) { |
|
264 |
throw new IOException("Unexpected AlgorithmId parameters"); |
|
265 |
} |
|
266 |
byte[] digest = values[1].getOctetString(); |
|
267 |
return digest; |
|
268 |
} |
|
269 |
||
270 |
// set parameter, not supported. See JCA doc |
|
19375
cdfdb9c0590e
8022461: Fix lint warnings in sun.security.{provider,rsa,x509}
juh
parents:
12685
diff
changeset
|
271 |
@Deprecated |
56542 | 272 |
@Override |
2 | 273 |
protected void engineSetParameter(String param, Object value) |
274 |
throws InvalidParameterException { |
|
275 |
throw new UnsupportedOperationException("setParameter() not supported"); |
|
276 |
} |
|
277 |
||
56542 | 278 |
// See JCA doc |
279 |
@Override |
|
280 |
protected void engineSetParameter(AlgorithmParameterSpec params) |
|
281 |
throws InvalidAlgorithmParameterException { |
|
282 |
if (params != null) { |
|
283 |
throw new InvalidAlgorithmParameterException("No parameters accepted"); |
|
284 |
} |
|
285 |
} |
|
286 |
||
2 | 287 |
// get parameter, not supported. See JCA doc |
19375
cdfdb9c0590e
8022461: Fix lint warnings in sun.security.{provider,rsa,x509}
juh
parents:
12685
diff
changeset
|
288 |
@Deprecated |
56542 | 289 |
@Override |
2 | 290 |
protected Object engineGetParameter(String param) |
291 |
throws InvalidParameterException { |
|
292 |
throw new UnsupportedOperationException("getParameter() not supported"); |
|
293 |
} |
|
294 |
||
56542 | 295 |
// See JCA doc |
296 |
@Override |
|
297 |
protected AlgorithmParameters engineGetParameters() { |
|
298 |
return null; |
|
299 |
} |
|
300 |
||
2 | 301 |
// Nested class for MD2withRSA signatures |
302 |
public static final class MD2withRSA extends RSASignature { |
|
303 |
public MD2withRSA() { |
|
304 |
super("MD2", AlgorithmId.MD2_oid, 10); |
|
305 |
} |
|
306 |
} |
|
307 |
||
308 |
// Nested class for MD5withRSA signatures |
|
309 |
public static final class MD5withRSA extends RSASignature { |
|
310 |
public MD5withRSA() { |
|
311 |
super("MD5", AlgorithmId.MD5_oid, 10); |
|
312 |
} |
|
313 |
} |
|
314 |
||
315 |
// Nested class for SHA1withRSA signatures |
|
316 |
public static final class SHA1withRSA extends RSASignature { |
|
317 |
public SHA1withRSA() { |
|
318 |
super("SHA-1", AlgorithmId.SHA_oid, 7); |
|
319 |
} |
|
320 |
} |
|
321 |
||
12685 | 322 |
// Nested class for SHA224withRSA signatures |
323 |
public static final class SHA224withRSA extends RSASignature { |
|
324 |
public SHA224withRSA() { |
|
325 |
super("SHA-224", AlgorithmId.SHA224_oid, 11); |
|
326 |
} |
|
327 |
} |
|
328 |
||
2 | 329 |
// Nested class for SHA256withRSA signatures |
330 |
public static final class SHA256withRSA extends RSASignature { |
|
331 |
public SHA256withRSA() { |
|
332 |
super("SHA-256", AlgorithmId.SHA256_oid, 11); |
|
333 |
} |
|
334 |
} |
|
335 |
||
336 |
// Nested class for SHA384withRSA signatures |
|
337 |
public static final class SHA384withRSA extends RSASignature { |
|
338 |
public SHA384withRSA() { |
|
339 |
super("SHA-384", AlgorithmId.SHA384_oid, 11); |
|
340 |
} |
|
341 |
} |
|
342 |
||
343 |
// Nested class for SHA512withRSA signatures |
|
344 |
public static final class SHA512withRSA extends RSASignature { |
|
345 |
public SHA512withRSA() { |
|
346 |
super("SHA-512", AlgorithmId.SHA512_oid, 11); |
|
347 |
} |
|
348 |
} |
|
349 |
||
56542 | 350 |
// Nested class for SHA512/224withRSA signatures |
351 |
public static final class SHA512_224withRSA extends RSASignature { |
|
352 |
public SHA512_224withRSA() { |
|
353 |
super("SHA-512/224", AlgorithmId.SHA512_224_oid, 11); |
|
354 |
} |
|
355 |
} |
|
356 |
||
357 |
// Nested class for SHA512/256withRSA signatures |
|
358 |
public static final class SHA512_256withRSA extends RSASignature { |
|
359 |
public SHA512_256withRSA() { |
|
360 |
super("SHA-512/256", AlgorithmId.SHA512_256_oid, 11); |
|
361 |
} |
|
362 |
} |
|
2 | 363 |
} |