| author | wetmore |
| Wed, 22 Jan 2014 14:59:33 -0800 | |
| changeset 23911 | f93d74f7d6fe |
| parent 22309 | 1990211a42e5 |
| permissions | -rw-r--r-- |
| 2 | 1 |
/* |
| 22309 | 2 |
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. |
| 2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
| 5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
| 2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
| 5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
| 2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
| 5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
| 2 | 24 |
*/ |
25 |
||
26 |
package sun.security.rsa; |
|
27 |
||
28 |
import java.util.*; |
|
29 |
||
30 |
import java.security.*; |
|
31 |
import java.security.spec.*; |
|
32 |
||
33 |
import javax.crypto.BadPaddingException; |
|
34 |
import javax.crypto.spec.PSource; |
|
35 |
import javax.crypto.spec.OAEPParameterSpec; |
|
36 |
||
37 |
import sun.security.jca.JCAUtil; |
|
38 |
||
39 |
/** |
|
40 |
* RSA padding and unpadding. |
|
41 |
* |
|
| 23911 | 42 |
* The various PKCS#1 versions can be found in the EMC/RSA Labs |
43 |
* web site, which is currently: |
|
44 |
* |
|
45 |
* http://www.emc.com/emc-plus/rsa-labs/index.htm |
|
46 |
* |
|
47 |
* or in the IETF RFCs derived from the above PKCS#1 standards. |
|
48 |
* |
|
49 |
* RFC 2313: v1.5 |
|
50 |
* RFC 2437: v2.0 |
|
51 |
* RFC 3447: v2.1 |
|
52 |
* |
|
53 |
* The format of PKCS#1 v1.5 padding is: |
|
54 |
* |
|
| 2 | 55 |
* 0x00 | BT | PS...PS | 0x00 | data...data |
| 23911 | 56 |
* |
| 2 | 57 |
* where BT is the blocktype (1 or 2). The length of the entire string |
58 |
* must be the same as the size of the modulus (i.e. 128 byte for a 1024 bit |
|
59 |
* key). Per spec, the padding string must be at least 8 bytes long. That |
|
60 |
* leaves up to (length of key in bytes) - 11 bytes for the data. |
|
61 |
* |
|
| 23911 | 62 |
* OAEP padding was introduced in PKCS#1 v2.0 and is a bit more complicated |
63 |
* and has a number of options. We support: |
|
64 |
* |
|
| 2 | 65 |
* . arbitrary hash functions ('Hash' in the specification), MessageDigest
|
66 |
* implementation must be available |
|
67 |
* . MGF1 as the mask generation function |
|
68 |
* . the empty string as the default value for label L and whatever |
|
69 |
* specified in javax.crypto.spec.OAEPParameterSpec |
|
70 |
* |
|
| 23911 | 71 |
* The algorithms (representations) are forwards-compatible: that is, |
72 |
* the algorithm described in previous releases are in later releases. |
|
73 |
* However, additional comments/checks/clarifications were added to the |
|
74 |
* later versions based on real-world experience (e.g. stricter v1.5 |
|
75 |
* format checking.) |
|
76 |
* |
|
| 2 | 77 |
* Note: RSA keys should be at least 512 bits long |
78 |
* |
|
79 |
* @since 1.5 |
|
80 |
* @author Andreas Sterbenz |
|
81 |
*/ |
|
82 |
public final class RSAPadding {
|
|
83 |
||
84 |
// NOTE: the constants below are embedded in the JCE RSACipher class |
|
85 |
// file. Do not change without coordinating the update |
|
86 |
||
87 |
// PKCS#1 v1.5 padding, blocktype 1 (signing) |
|
88 |
public final static int PAD_BLOCKTYPE_1 = 1; |
|
89 |
// PKCS#1 v1.5 padding, blocktype 2 (encryption) |
|
90 |
public final static int PAD_BLOCKTYPE_2 = 2; |
|
91 |
// nopadding. Does not do anything, but allows simpler RSACipher code |
|
92 |
public final static int PAD_NONE = 3; |
|
93 |
// PKCS#1 v2.1 OAEP padding |
|
94 |
public final static int PAD_OAEP_MGF1 = 4; |
|
95 |
||
96 |
// type, one of PAD_* |
|
97 |
private final int type; |
|
98 |
||
99 |
// size of the padded block (i.e. size of the modulus) |
|
100 |
private final int paddedSize; |
|
101 |
||
102 |
// PRNG used to generate padding bytes (PAD_BLOCKTYPE_2, PAD_OAEP_MGF1) |
|
103 |
private SecureRandom random; |
|
104 |
||
105 |
// maximum size of the data |
|
106 |
private final int maxDataSize; |
|
107 |
||
108 |
// OAEP: main messagedigest |
|
109 |
private MessageDigest md; |
|
110 |
||
111 |
// OAEP: message digest for MGF1 |
|
112 |
private MessageDigest mgfMd; |
|
113 |
||
114 |
// OAEP: value of digest of data (user-supplied or zero-length) using md |
|
115 |
private byte[] lHash; |
|
116 |
||
117 |
/** |
|
118 |
* Get a RSAPadding instance of the specified type. |
|
119 |
* Keys used with this padding must be paddedSize bytes long. |
|
120 |
*/ |
|
121 |
public static RSAPadding getInstance(int type, int paddedSize) |
|
122 |
throws InvalidKeyException, InvalidAlgorithmParameterException {
|
|
123 |
return new RSAPadding(type, paddedSize, null, null); |
|
124 |
} |
|
125 |
||
126 |
/** |
|
127 |
* Get a RSAPadding instance of the specified type. |
|
128 |
* Keys used with this padding must be paddedSize bytes long. |
|
129 |
*/ |
|
130 |
public static RSAPadding getInstance(int type, int paddedSize, |
|
131 |
SecureRandom random) throws InvalidKeyException, |
|
132 |
InvalidAlgorithmParameterException {
|
|
133 |
return new RSAPadding(type, paddedSize, random, null); |
|
134 |
} |
|
135 |
||
136 |
/** |
|
137 |
* Get a RSAPadding instance of the specified type, which must be |
|
138 |
* OAEP. Keys used with this padding must be paddedSize bytes long. |
|
139 |
*/ |
|
140 |
public static RSAPadding getInstance(int type, int paddedSize, |
|
141 |
SecureRandom random, OAEPParameterSpec spec) |
|
142 |
throws InvalidKeyException, InvalidAlgorithmParameterException {
|
|
143 |
return new RSAPadding(type, paddedSize, random, spec); |
|
144 |
} |
|
145 |
||
146 |
// internal constructor |
|
147 |
private RSAPadding(int type, int paddedSize, SecureRandom random, |
|
148 |
OAEPParameterSpec spec) throws InvalidKeyException, |
|
149 |
InvalidAlgorithmParameterException {
|
|
150 |
this.type = type; |
|
151 |
this.paddedSize = paddedSize; |
|
152 |
this.random = random; |
|
153 |
if (paddedSize < 64) {
|
|
154 |
// sanity check, already verified in RSASignature/RSACipher |
|
155 |
throw new InvalidKeyException("Padded size must be at least 64");
|
|
156 |
} |
|
157 |
switch (type) {
|
|
158 |
case PAD_BLOCKTYPE_1: |
|
159 |
case PAD_BLOCKTYPE_2: |
|
160 |
maxDataSize = paddedSize - 11; |
|
161 |
break; |
|
162 |
case PAD_NONE: |
|
163 |
maxDataSize = paddedSize; |
|
164 |
break; |
|
165 |
case PAD_OAEP_MGF1: |
|
166 |
String mdName = "SHA-1"; |
|
167 |
String mgfMdName = "SHA-1"; |
|
168 |
byte[] digestInput = null; |
|
169 |
try {
|
|
170 |
if (spec != null) {
|
|
171 |
mdName = spec.getDigestAlgorithm(); |
|
172 |
String mgfName = spec.getMGFAlgorithm(); |
|
173 |
if (!mgfName.equalsIgnoreCase("MGF1")) {
|
|
174 |
throw new InvalidAlgorithmParameterException |
|
175 |
("Unsupported MGF algo: " + mgfName);
|
|
176 |
} |
|
| 23911 | 177 |
mgfMdName = ((MGF1ParameterSpec)spec.getMGFParameters()) |
178 |
.getDigestAlgorithm(); |
|
| 2 | 179 |
PSource pSrc = spec.getPSource(); |
180 |
String pSrcAlgo = pSrc.getAlgorithm(); |
|
181 |
if (!pSrcAlgo.equalsIgnoreCase("PSpecified")) {
|
|
182 |
throw new InvalidAlgorithmParameterException |
|
183 |
("Unsupported pSource algo: " + pSrcAlgo);
|
|
184 |
} |
|
185 |
digestInput = ((PSource.PSpecified) pSrc).getValue(); |
|
186 |
} |
|
187 |
md = MessageDigest.getInstance(mdName); |
|
188 |
mgfMd = MessageDigest.getInstance(mgfMdName); |
|
189 |
} catch (NoSuchAlgorithmException e) {
|
|
190 |
throw new InvalidKeyException |
|
191 |
("Digest " + mdName + " not available", e);
|
|
192 |
} |
|
193 |
lHash = getInitialHash(md, digestInput); |
|
194 |
int digestLen = lHash.length; |
|
195 |
maxDataSize = paddedSize - 2 - 2 * digestLen; |
|
196 |
if (maxDataSize <= 0) {
|
|
197 |
throw new InvalidKeyException |
|
198 |
("Key is too short for encryption using OAEPPadding" +
|
|
199 |
" with " + mdName + " and MGF1" + mgfMdName); |
|
200 |
} |
|
201 |
break; |
|
202 |
default: |
|
203 |
throw new InvalidKeyException("Invalid padding: " + type);
|
|
204 |
} |
|
205 |
} |
|
206 |
||
207 |
// cache of hashes of zero length data |
|
208 |
private static final Map<String,byte[]> emptyHashes = |
|
209 |
Collections.synchronizedMap(new HashMap<String,byte[]>()); |
|
210 |
||
211 |
/** |
|
212 |
* Return the value of the digest using the specified message digest |
|
213 |
* <code>md</code> and the digest input <code>digestInput</code>. |
|
214 |
* if <code>digestInput</code> is null or 0-length, zero length |
|
215 |
* is used to generate the initial digest. |
|
216 |
* Note: the md object must be in reset state |
|
217 |
*/ |
|
218 |
private static byte[] getInitialHash(MessageDigest md, |
|
219 |
byte[] digestInput) {
|
|
| 23911 | 220 |
byte[] result; |
| 2 | 221 |
if ((digestInput == null) || (digestInput.length == 0)) {
|
222 |
String digestName = md.getAlgorithm(); |
|
223 |
result = emptyHashes.get(digestName); |
|
224 |
if (result == null) {
|
|
225 |
result = md.digest(); |
|
226 |
emptyHashes.put(digestName, result); |
|
227 |
} |
|
228 |
} else {
|
|
229 |
result = md.digest(digestInput); |
|
230 |
} |
|
231 |
return result; |
|
232 |
} |
|
233 |
||
234 |
/** |
|
| 23911 | 235 |
* Return the maximum size of the plaintext data that can be processed |
236 |
* using this object. |
|
| 2 | 237 |
*/ |
238 |
public int getMaxDataSize() {
|
|
239 |
return maxDataSize; |
|
240 |
} |
|
241 |
||
242 |
/** |
|
243 |
* Pad the data and return the padded block. |
|
244 |
*/ |
|
245 |
public byte[] pad(byte[] data, int ofs, int len) |
|
246 |
throws BadPaddingException {
|
|
247 |
return pad(RSACore.convert(data, ofs, len)); |
|
248 |
} |
|
249 |
||
250 |
/** |
|
251 |
* Pad the data and return the padded block. |
|
252 |
*/ |
|
253 |
public byte[] pad(byte[] data) throws BadPaddingException {
|
|
254 |
if (data.length > maxDataSize) {
|
|
255 |
throw new BadPaddingException("Data must be shorter than "
|
|
256 |
+ (maxDataSize + 1) + " bytes"); |
|
257 |
} |
|
258 |
switch (type) {
|
|
259 |
case PAD_NONE: |
|
260 |
return data; |
|
261 |
case PAD_BLOCKTYPE_1: |
|
262 |
case PAD_BLOCKTYPE_2: |
|
263 |
return padV15(data); |
|
264 |
case PAD_OAEP_MGF1: |
|
265 |
return padOAEP(data); |
|
266 |
default: |
|
267 |
throw new AssertionError(); |
|
268 |
} |
|
269 |
} |
|
270 |
||
271 |
/** |
|
272 |
* Unpad the padded block and return the data. |
|
273 |
*/ |
|
274 |
public byte[] unpad(byte[] padded, int ofs, int len) |
|
275 |
throws BadPaddingException {
|
|
276 |
return unpad(RSACore.convert(padded, ofs, len)); |
|
277 |
} |
|
278 |
||
279 |
/** |
|
280 |
* Unpad the padded block and return the data. |
|
281 |
*/ |
|
282 |
public byte[] unpad(byte[] padded) throws BadPaddingException {
|
|
283 |
if (padded.length != paddedSize) {
|
|
| 23911 | 284 |
throw new BadPaddingException("Decryption error");
|
| 2 | 285 |
} |
286 |
switch (type) {
|
|
287 |
case PAD_NONE: |
|
288 |
return padded; |
|
289 |
case PAD_BLOCKTYPE_1: |
|
290 |
case PAD_BLOCKTYPE_2: |
|
291 |
return unpadV15(padded); |
|
292 |
case PAD_OAEP_MGF1: |
|
293 |
return unpadOAEP(padded); |
|
294 |
default: |
|
295 |
throw new AssertionError(); |
|
296 |
} |
|
297 |
} |
|
298 |
||
299 |
/** |
|
300 |
* PKCS#1 v1.5 padding (blocktype 1 and 2). |
|
301 |
*/ |
|
302 |
private byte[] padV15(byte[] data) throws BadPaddingException {
|
|
303 |
byte[] padded = new byte[paddedSize]; |
|
| 23911 | 304 |
System.arraycopy(data, 0, padded, paddedSize - data.length, |
305 |
data.length); |
|
| 2 | 306 |
int psSize = paddedSize - 3 - data.length; |
307 |
int k = 0; |
|
308 |
padded[k++] = 0; |
|
309 |
padded[k++] = (byte)type; |
|
310 |
if (type == PAD_BLOCKTYPE_1) {
|
|
311 |
// blocktype 1: all padding bytes are 0xff |
|
312 |
while (psSize-- > 0) {
|
|
313 |
padded[k++] = (byte)0xff; |
|
314 |
} |
|
315 |
} else {
|
|
316 |
// blocktype 2: padding bytes are random non-zero bytes |
|
317 |
if (random == null) {
|
|
318 |
random = JCAUtil.getSecureRandom(); |
|
319 |
} |
|
320 |
// generate non-zero padding bytes |
|
321 |
// use a buffer to reduce calls to SecureRandom |
|
322 |
byte[] r = new byte[64]; |
|
323 |
int i = -1; |
|
324 |
while (psSize-- > 0) {
|
|
325 |
int b; |
|
326 |
do {
|
|
327 |
if (i < 0) {
|
|
328 |
random.nextBytes(r); |
|
329 |
i = r.length - 1; |
|
330 |
} |
|
331 |
b = r[i--] & 0xff; |
|
332 |
} while (b == 0); |
|
333 |
padded[k++] = (byte)b; |
|
334 |
} |
|
335 |
} |
|
336 |
return padded; |
|
337 |
} |
|
338 |
||
339 |
/** |
|
| 23911 | 340 |
* PKCS#1 v1.5 unpadding (blocktype 1 (signature) and 2 (encryption)). |
| 22309 | 341 |
* |
342 |
* Note that we want to make it a constant-time operation |
|
| 2 | 343 |
*/ |
344 |
private byte[] unpadV15(byte[] padded) throws BadPaddingException {
|
|
345 |
int k = 0; |
|
| 23911 | 346 |
boolean bp = false; |
| 22309 | 347 |
|
| 2 | 348 |
if (padded[k++] != 0) {
|
| 23911 | 349 |
bp = true; |
| 2 | 350 |
} |
| 23911 | 351 |
if (padded[k++] != type) {
|
352 |
bp = true; |
|
| 2 | 353 |
} |
| 22309 | 354 |
int p = 0; |
355 |
while (k < padded.length) {
|
|
| 2 | 356 |
int b = padded[k++] & 0xff; |
| 23911 | 357 |
if ((b == 0) && (p == 0)) {
|
| 22309 | 358 |
p = k; |
| 2 | 359 |
} |
| 23911 | 360 |
if ((k == padded.length) && (p == 0)) {
|
361 |
bp = true; |
|
| 2 | 362 |
} |
| 22309 | 363 |
if ((type == PAD_BLOCKTYPE_1) && (b != 0xff) && |
| 23911 | 364 |
(p == 0)) {
|
365 |
bp = true; |
|
| 2 | 366 |
} |
367 |
} |
|
| 22309 | 368 |
int n = padded.length - p; |
| 23911 | 369 |
if (n > maxDataSize) {
|
370 |
bp = true; |
|
| 2 | 371 |
} |
| 22309 | 372 |
|
373 |
// copy useless padding array for a constant-time method |
|
374 |
byte[] padding = new byte[p]; |
|
375 |
System.arraycopy(padded, 0, padding, 0, p); |
|
376 |
||
| 2 | 377 |
byte[] data = new byte[n]; |
| 22309 | 378 |
System.arraycopy(padded, p, data, 0, n); |
379 |
||
| 23911 | 380 |
BadPaddingException bpe = new BadPaddingException("Decryption error");
|
381 |
||
382 |
if (bp) {
|
|
| 22309 | 383 |
throw bpe; |
| 23911 | 384 |
} else {
|
385 |
return data; |
|
| 22309 | 386 |
} |
| 2 | 387 |
} |
388 |
||
389 |
/** |
|
390 |
* PKCS#1 v2.0 OAEP padding (MGF1). |
|
391 |
* Paragraph references refer to PKCS#1 v2.1 (June 14, 2002) |
|
392 |
*/ |
|
393 |
private byte[] padOAEP(byte[] M) throws BadPaddingException {
|
|
394 |
if (random == null) {
|
|
395 |
random = JCAUtil.getSecureRandom(); |
|
396 |
} |
|
397 |
int hLen = lHash.length; |
|
398 |
||
399 |
// 2.d: generate a random octet string seed of length hLen |
|
400 |
// if necessary |
|
401 |
byte[] seed = new byte[hLen]; |
|
402 |
random.nextBytes(seed); |
|
403 |
||
404 |
// buffer for encoded message EM |
|
405 |
byte[] EM = new byte[paddedSize]; |
|
406 |
||
407 |
// start and length of seed (as index into EM) |
|
408 |
int seedStart = 1; |
|
409 |
int seedLen = hLen; |
|
410 |
||
411 |
// copy seed into EM |
|
412 |
System.arraycopy(seed, 0, EM, seedStart, seedLen); |
|
413 |
||
414 |
// start and length of data block DB in EM |
|
415 |
// we place it inside of EM to reduce copying |
|
416 |
int dbStart = hLen + 1; |
|
417 |
int dbLen = EM.length - dbStart; |
|
418 |
||
419 |
// start of message M in EM |
|
420 |
int mStart = paddedSize - M.length; |
|
421 |
||
422 |
// build DB |
|
423 |
// 2.b: Concatenate lHash, PS, a single octet with hexadecimal value |
|
424 |
// 0x01, and the message M to form a data block DB of length |
|
425 |
// k - hLen -1 octets as DB = lHash || PS || 0x01 || M |
|
426 |
// (note that PS is all zeros) |
|
427 |
System.arraycopy(lHash, 0, EM, dbStart, hLen); |
|
428 |
EM[mStart - 1] = 1; |
|
429 |
System.arraycopy(M, 0, EM, mStart, M.length); |
|
430 |
||
431 |
// produce maskedDB |
|
432 |
mgf1(EM, seedStart, seedLen, EM, dbStart, dbLen); |
|
433 |
||
434 |
// produce maskSeed |
|
435 |
mgf1(EM, dbStart, dbLen, EM, seedStart, seedLen); |
|
436 |
||
437 |
return EM; |
|
438 |
} |
|
439 |
||
440 |
/** |
|
441 |
* PKCS#1 v2.1 OAEP unpadding (MGF1). |
|
442 |
*/ |
|
443 |
private byte[] unpadOAEP(byte[] padded) throws BadPaddingException {
|
|
444 |
byte[] EM = padded; |
|
| 23911 | 445 |
boolean bp = false; |
| 2 | 446 |
int hLen = lHash.length; |
447 |
||
448 |
if (EM[0] != 0) {
|
|
| 23911 | 449 |
bp = true; |
| 2 | 450 |
} |
451 |
||
452 |
int seedStart = 1; |
|
453 |
int seedLen = hLen; |
|
454 |
||
455 |
int dbStart = hLen + 1; |
|
456 |
int dbLen = EM.length - dbStart; |
|
457 |
||
458 |
mgf1(EM, dbStart, dbLen, EM, seedStart, seedLen); |
|
459 |
mgf1(EM, seedStart, seedLen, EM, dbStart, dbLen); |
|
460 |
||
461 |
// verify lHash == lHash' |
|
462 |
for (int i = 0; i < hLen; i++) {
|
|
463 |
if (lHash[i] != EM[dbStart + i]) {
|
|
| 23911 | 464 |
bp = true; |
465 |
} |
|
466 |
} |
|
467 |
||
468 |
int padStart = dbStart + hLen; |
|
469 |
int onePos = -1; |
|
470 |
||
471 |
for (int i = padStart; i < EM.length; i++) {
|
|
472 |
int value = EM[i]; |
|
473 |
if (onePos == -1) {
|
|
474 |
if (value == 0x00) {
|
|
475 |
// continue; |
|
476 |
} else if (value == 0x01) {
|
|
477 |
onePos = i; |
|
478 |
} else { // Anything other than {0,1} is bad.
|
|
479 |
bp = true; |
|
480 |
} |
|
| 2 | 481 |
} |
482 |
} |
|
483 |
||
| 23911 | 484 |
// We either ran off the rails or found something other than 0/1. |
485 |
if (onePos == -1) {
|
|
486 |
bp = true; |
|
487 |
onePos = EM.length - 1; // Don't inadvertently return any data. |
|
| 2 | 488 |
} |
489 |
||
| 23911 | 490 |
int mStart = onePos + 1; |
491 |
||
492 |
// copy useless padding array for a constant-time method |
|
493 |
byte [] tmp = new byte[mStart - padStart]; |
|
494 |
System.arraycopy(EM, padStart, tmp, 0, tmp.length); |
|
| 2 | 495 |
|
| 23911 | 496 |
byte [] m = new byte[EM.length - mStart]; |
497 |
System.arraycopy(EM, mStart, m, 0, m.length); |
|
498 |
||
499 |
BadPaddingException bpe = new BadPaddingException("Decryption error");
|
|
| 2 | 500 |
|
| 23911 | 501 |
if (bp) {
|
502 |
throw bpe; |
|
503 |
} else {
|
|
504 |
return m; |
|
505 |
} |
|
| 2 | 506 |
} |
507 |
||
508 |
/** |
|
509 |
* Compute MGF1 using mgfMD as the message digest. |
|
510 |
* Note that we combine MGF1 with the XOR operation to reduce data |
|
511 |
* copying. |
|
512 |
* |
|
513 |
* We generate maskLen bytes of MGF1 from the seed and XOR it into |
|
514 |
* out[] starting at outOfs; |
|
515 |
*/ |
|
516 |
private void mgf1(byte[] seed, int seedOfs, int seedLen, |
|
517 |
byte[] out, int outOfs, int maskLen) throws BadPaddingException {
|
|
518 |
byte[] C = new byte[4]; // 32 bit counter |
|
|
19436
cfc7d402795c
8022669: OAEPParameterSpec does not work if MGF1ParameterSpec is set to SHA2 algorithms
ascarpino
parents:
5506
diff
changeset
|
519 |
byte[] digest = new byte[mgfMd.getDigestLength()]; |
| 2 | 520 |
while (maskLen > 0) {
|
521 |
mgfMd.update(seed, seedOfs, seedLen); |
|
522 |
mgfMd.update(C); |
|
523 |
try {
|
|
524 |
mgfMd.digest(digest, 0, digest.length); |
|
525 |
} catch (DigestException e) {
|
|
526 |
// should never happen |
|
527 |
throw new BadPaddingException(e.toString()); |
|
528 |
} |
|
529 |
for (int i = 0; (i < digest.length) && (maskLen > 0); maskLen--) {
|
|
530 |
out[outOfs++] ^= digest[i++]; |
|
531 |
} |
|
532 |
if (maskLen > 0) {
|
|
533 |
// increment counter |
|
534 |
for (int i = C.length - 1; (++C[i] == 0) && (i > 0); i--) {
|
|
535 |
// empty |
|
536 |
} |
|
537 |
} |
|
538 |
} |
|
539 |
} |
|
540 |
} |