|
2
|
1 |
/*
|
|
7043
|
2 |
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
|
|
2
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
4 |
*
|
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
5506
|
7 |
* published by the Free Software Foundation. Oracle designates this
|
|
2
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
|
5506
|
9 |
* by Oracle in the LICENSE file that accompanied this code.
|
|
2
|
10 |
*
|
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
|
15 |
* accompanied this code).
|
|
|
16 |
*
|
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
20 |
*
|
|
5506
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
|
22 |
* or visit www.oracle.com if you need additional information or have any
|
|
|
23 |
* questions.
|
|
2
|
24 |
*/
|
|
|
25 |
|
|
|
26 |
package sun.security.rsa;
|
|
|
27 |
|
|
|
28 |
import java.io.IOException;
|
|
|
29 |
import java.nio.ByteBuffer;
|
|
|
30 |
import java.math.BigInteger;
|
|
|
31 |
import java.util.Arrays;
|
|
|
32 |
|
|
|
33 |
import java.security.*;
|
|
|
34 |
import java.security.interfaces.*;
|
|
|
35 |
|
|
|
36 |
import sun.security.util.*;
|
|
|
37 |
import sun.security.x509.AlgorithmId;
|
|
|
38 |
|
|
|
39 |
/**
|
|
|
40 |
* PKCS#1 RSA signatures with the various message digest algorithms.
|
|
|
41 |
* This file contains an abstract base class with all the logic plus
|
|
|
42 |
* a nested static class for each of the message digest algorithms
|
|
|
43 |
* (see end of the file). We support MD2, MD5, SHA-1, SHA-256, SHA-384,
|
|
|
44 |
* and SHA-512.
|
|
|
45 |
*
|
|
|
46 |
* @since 1.5
|
|
|
47 |
* @author Andreas Sterbenz
|
|
|
48 |
*/
|
|
|
49 |
public abstract class RSASignature extends SignatureSpi {
|
|
|
50 |
|
|
|
51 |
// we sign an ASN.1 SEQUENCE of AlgorithmId and digest
|
|
7043
|
52 |
// it has the form 30:xx:30:xx:[digestOID]:05:00:04:xx:[digest]
|
|
2
|
53 |
// this means the encoded length is (8 + digestOID.length + digest.length)
|
|
|
54 |
private static final int baseLength = 8;
|
|
|
55 |
|
|
|
56 |
// object identifier for the message digest algorithm used
|
|
|
57 |
private final ObjectIdentifier digestOID;
|
|
|
58 |
|
|
|
59 |
// length of the encoded signature blob
|
|
|
60 |
private final int encodedLength;
|
|
|
61 |
|
|
|
62 |
// message digest implementation we use
|
|
|
63 |
private final MessageDigest md;
|
|
|
64 |
// flag indicating whether the digest is reset
|
|
|
65 |
private boolean digestReset;
|
|
|
66 |
|
|
|
67 |
// private key, if initialized for signing
|
|
|
68 |
private RSAPrivateKey privateKey;
|
|
|
69 |
// public key, if initialized for verifying
|
|
|
70 |
private RSAPublicKey publicKey;
|
|
|
71 |
|
|
|
72 |
// padding to use, set when the initSign/initVerify is called
|
|
|
73 |
private RSAPadding padding;
|
|
|
74 |
|
|
|
75 |
/**
|
|
|
76 |
* Construct a new RSASignature. Used by subclasses.
|
|
|
77 |
*/
|
|
|
78 |
RSASignature(String algorithm, ObjectIdentifier digestOID, int oidLength) {
|
|
|
79 |
this.digestOID = digestOID;
|
|
|
80 |
try {
|
|
|
81 |
md = MessageDigest.getInstance(algorithm);
|
|
|
82 |
} catch (NoSuchAlgorithmException e) {
|
|
|
83 |
throw new ProviderException(e);
|
|
|
84 |
}
|
|
|
85 |
digestReset = true;
|
|
|
86 |
encodedLength = baseLength + oidLength + md.getDigestLength();
|
|
|
87 |
}
|
|
|
88 |
|
|
|
89 |
// initialize for verification. See JCA doc
|
|
|
90 |
protected void engineInitVerify(PublicKey publicKey)
|
|
|
91 |
throws InvalidKeyException {
|
|
|
92 |
RSAPublicKey rsaKey = (RSAPublicKey)RSAKeyFactory.toRSAKey(publicKey);
|
|
|
93 |
this.privateKey = null;
|
|
|
94 |
this.publicKey = rsaKey;
|
|
|
95 |
initCommon(rsaKey, null);
|
|
|
96 |
}
|
|
|
97 |
|
|
|
98 |
// initialize for signing. See JCA doc
|
|
|
99 |
protected void engineInitSign(PrivateKey privateKey)
|
|
|
100 |
throws InvalidKeyException {
|
|
|
101 |
engineInitSign(privateKey, null);
|
|
|
102 |
}
|
|
|
103 |
|
|
|
104 |
// initialize for signing. See JCA doc
|
|
|
105 |
protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
|
|
|
106 |
throws InvalidKeyException {
|
|
7043
|
107 |
RSAPrivateKey rsaKey =
|
|
|
108 |
(RSAPrivateKey)RSAKeyFactory.toRSAKey(privateKey);
|
|
2
|
109 |
this.privateKey = rsaKey;
|
|
|
110 |
this.publicKey = null;
|
|
|
111 |
initCommon(rsaKey, random);
|
|
|
112 |
}
|
|
|
113 |
|
|
|
114 |
/**
|
|
|
115 |
* Init code common to sign and verify.
|
|
|
116 |
*/
|
|
|
117 |
private void initCommon(RSAKey rsaKey, SecureRandom random)
|
|
|
118 |
throws InvalidKeyException {
|
|
|
119 |
resetDigest();
|
|
|
120 |
int keySize = RSACore.getByteLength(rsaKey);
|
|
|
121 |
try {
|
|
|
122 |
padding = RSAPadding.getInstance
|
|
|
123 |
(RSAPadding.PAD_BLOCKTYPE_1, keySize, random);
|
|
|
124 |
} catch (InvalidAlgorithmParameterException iape) {
|
|
|
125 |
throw new InvalidKeyException(iape.getMessage());
|
|
|
126 |
}
|
|
|
127 |
int maxDataSize = padding.getMaxDataSize();
|
|
|
128 |
if (encodedLength > maxDataSize) {
|
|
|
129 |
throw new InvalidKeyException
|
|
|
130 |
("Key is too short for this signature algorithm");
|
|
|
131 |
}
|
|
|
132 |
}
|
|
|
133 |
|
|
|
134 |
/**
|
|
|
135 |
* Reset the message digest if it is not already reset.
|
|
|
136 |
*/
|
|
|
137 |
private void resetDigest() {
|
|
|
138 |
if (digestReset == false) {
|
|
|
139 |
md.reset();
|
|
|
140 |
digestReset = true;
|
|
|
141 |
}
|
|
|
142 |
}
|
|
|
143 |
|
|
|
144 |
/**
|
|
|
145 |
* Return the message digest value.
|
|
|
146 |
*/
|
|
|
147 |
private byte[] getDigestValue() {
|
|
|
148 |
digestReset = true;
|
|
|
149 |
return md.digest();
|
|
|
150 |
}
|
|
|
151 |
|
|
|
152 |
// update the signature with the plaintext data. See JCA doc
|
|
|
153 |
protected void engineUpdate(byte b) throws SignatureException {
|
|
|
154 |
md.update(b);
|
|
|
155 |
digestReset = false;
|
|
|
156 |
}
|
|
|
157 |
|
|
|
158 |
// update the signature with the plaintext data. See JCA doc
|
|
|
159 |
protected void engineUpdate(byte[] b, int off, int len)
|
|
|
160 |
throws SignatureException {
|
|
|
161 |
md.update(b, off, len);
|
|
|
162 |
digestReset = false;
|
|
|
163 |
}
|
|
|
164 |
|
|
|
165 |
// update the signature with the plaintext data. See JCA doc
|
|
|
166 |
protected void engineUpdate(ByteBuffer b) {
|
|
|
167 |
md.update(b);
|
|
|
168 |
digestReset = false;
|
|
|
169 |
}
|
|
|
170 |
|
|
|
171 |
// sign the data and return the signature. See JCA doc
|
|
|
172 |
protected byte[] engineSign() throws SignatureException {
|
|
|
173 |
byte[] digest = getDigestValue();
|
|
|
174 |
try {
|
|
|
175 |
byte[] encoded = encodeSignature(digestOID, digest);
|
|
|
176 |
byte[] padded = padding.pad(encoded);
|
|
|
177 |
byte[] encrypted = RSACore.rsa(padded, privateKey);
|
|
|
178 |
return encrypted;
|
|
|
179 |
} catch (GeneralSecurityException e) {
|
|
|
180 |
throw new SignatureException("Could not sign data", e);
|
|
|
181 |
} catch (IOException e) {
|
|
|
182 |
throw new SignatureException("Could not encode data", e);
|
|
|
183 |
}
|
|
|
184 |
}
|
|
|
185 |
|
|
|
186 |
// verify the data and return the result. See JCA doc
|
|
|
187 |
protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
|
|
|
188 |
byte[] digest = getDigestValue();
|
|
|
189 |
try {
|
|
|
190 |
byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
|
|
|
191 |
byte[] unpadded = padding.unpad(decrypted);
|
|
|
192 |
byte[] decodedDigest = decodeSignature(digestOID, unpadded);
|
|
|
193 |
return Arrays.equals(digest, decodedDigest);
|
|
|
194 |
} catch (javax.crypto.BadPaddingException e) {
|
|
|
195 |
// occurs if the app has used the wrong RSA public key
|
|
|
196 |
// or if sigBytes is invalid
|
|
|
197 |
// return false rather than propagating the exception for
|
|
|
198 |
// compatibility/ease of use
|
|
|
199 |
return false;
|
|
|
200 |
} catch (GeneralSecurityException e) {
|
|
|
201 |
throw new SignatureException("Signature verification failed", e);
|
|
|
202 |
} catch (IOException e) {
|
|
|
203 |
throw new SignatureException("Signature encoding error", e);
|
|
|
204 |
}
|
|
|
205 |
}
|
|
|
206 |
|
|
|
207 |
/**
|
|
|
208 |
* Encode the digest, return the to-be-signed data.
|
|
|
209 |
* Also used by the PKCS#11 provider.
|
|
|
210 |
*/
|
|
|
211 |
public static byte[] encodeSignature(ObjectIdentifier oid, byte[] digest)
|
|
|
212 |
throws IOException {
|
|
|
213 |
DerOutputStream out = new DerOutputStream();
|
|
|
214 |
new AlgorithmId(oid).encode(out);
|
|
|
215 |
out.putOctetString(digest);
|
|
7043
|
216 |
DerValue result =
|
|
|
217 |
new DerValue(DerValue.tag_Sequence, out.toByteArray());
|
|
2
|
218 |
return result.toByteArray();
|
|
|
219 |
}
|
|
|
220 |
|
|
|
221 |
/**
|
|
|
222 |
* Decode the signature data. Verify that the object identifier matches
|
|
|
223 |
* and return the message digest.
|
|
|
224 |
*/
|
|
|
225 |
public static byte[] decodeSignature(ObjectIdentifier oid, byte[] signature)
|
|
|
226 |
throws IOException {
|
|
|
227 |
DerInputStream in = new DerInputStream(signature);
|
|
|
228 |
DerValue[] values = in.getSequence(2);
|
|
|
229 |
if ((values.length != 2) || (in.available() != 0)) {
|
|
|
230 |
throw new IOException("SEQUENCE length error");
|
|
|
231 |
}
|
|
|
232 |
AlgorithmId algId = AlgorithmId.parse(values[0]);
|
|
|
233 |
if (algId.getOID().equals(oid) == false) {
|
|
7043
|
234 |
throw new IOException("ObjectIdentifier mismatch: "
|
|
|
235 |
+ algId.getOID());
|
|
2
|
236 |
}
|
|
|
237 |
if (algId.getEncodedParams() != null) {
|
|
|
238 |
throw new IOException("Unexpected AlgorithmId parameters");
|
|
|
239 |
}
|
|
|
240 |
byte[] digest = values[1].getOctetString();
|
|
|
241 |
return digest;
|
|
|
242 |
}
|
|
|
243 |
|
|
|
244 |
// set parameter, not supported. See JCA doc
|
|
|
245 |
protected void engineSetParameter(String param, Object value)
|
|
|
246 |
throws InvalidParameterException {
|
|
|
247 |
throw new UnsupportedOperationException("setParameter() not supported");
|
|
|
248 |
}
|
|
|
249 |
|
|
|
250 |
// get parameter, not supported. See JCA doc
|
|
|
251 |
protected Object engineGetParameter(String param)
|
|
|
252 |
throws InvalidParameterException {
|
|
|
253 |
throw new UnsupportedOperationException("getParameter() not supported");
|
|
|
254 |
}
|
|
|
255 |
|
|
|
256 |
// Nested class for MD2withRSA signatures
|
|
|
257 |
public static final class MD2withRSA extends RSASignature {
|
|
|
258 |
public MD2withRSA() {
|
|
|
259 |
super("MD2", AlgorithmId.MD2_oid, 10);
|
|
|
260 |
}
|
|
|
261 |
}
|
|
|
262 |
|
|
|
263 |
// Nested class for MD5withRSA signatures
|
|
|
264 |
public static final class MD5withRSA extends RSASignature {
|
|
|
265 |
public MD5withRSA() {
|
|
|
266 |
super("MD5", AlgorithmId.MD5_oid, 10);
|
|
|
267 |
}
|
|
|
268 |
}
|
|
|
269 |
|
|
|
270 |
// Nested class for SHA1withRSA signatures
|
|
|
271 |
public static final class SHA1withRSA extends RSASignature {
|
|
|
272 |
public SHA1withRSA() {
|
|
|
273 |
super("SHA-1", AlgorithmId.SHA_oid, 7);
|
|
|
274 |
}
|
|
|
275 |
}
|
|
|
276 |
|
|
|
277 |
// Nested class for SHA256withRSA signatures
|
|
|
278 |
public static final class SHA256withRSA extends RSASignature {
|
|
|
279 |
public SHA256withRSA() {
|
|
|
280 |
super("SHA-256", AlgorithmId.SHA256_oid, 11);
|
|
|
281 |
}
|
|
|
282 |
}
|
|
|
283 |
|
|
|
284 |
// Nested class for SHA384withRSA signatures
|
|
|
285 |
public static final class SHA384withRSA extends RSASignature {
|
|
|
286 |
public SHA384withRSA() {
|
|
|
287 |
super("SHA-384", AlgorithmId.SHA384_oid, 11);
|
|
|
288 |
}
|
|
|
289 |
}
|
|
|
290 |
|
|
|
291 |
// Nested class for SHA512withRSA signatures
|
|
|
292 |
public static final class SHA512withRSA extends RSASignature {
|
|
|
293 |
public SHA512withRSA() {
|
|
|
294 |
super("SHA-512", AlgorithmId.SHA512_oid, 11);
|
|
|
295 |
}
|
|
|
296 |
}
|
|
|
297 |
|
|
|
298 |
}
|