1 /* 2 * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.x509; 27 28 import java.io.*; 29 import java.security.spec.AlgorithmParameterSpec; 30 import java.security.spec.InvalidParameterSpecException; 31 import java.security.spec.MGF1ParameterSpec; 32 import java.security.spec.PSSParameterSpec; 33 import java.util.*; 34 import java.security.*; 35 36 import sun.security.rsa.PSSParameters; 37 import sun.security.util.*; 38 39 40 /** 41 * This class identifies algorithms, such as cryptographic transforms, each 42 * of which may be associated with parameters. Instances of this base class 43 * are used when this runtime environment has no special knowledge of the 44 * algorithm type, and may also be used in other cases. Equivalence is 45 * defined according to OID and (where relevant) parameters. 46 * 47 * <P>Subclasses may be used, for example when the algorithm ID has 48 * associated parameters which some code (e.g. code using public keys) needs 49 * to have parsed. Two examples of such algorithms are Diffie-Hellman key 50 * exchange, and the Digital Signature Standard Algorithm (DSS/DSA). 51 * 52 * <P>The OID constants defined in this class correspond to some widely 53 * used algorithms, for which conventional string names have been defined. 54 * This class is not a general repository for OIDs, or for such string names. 55 * Note that the mappings between algorithm IDs and algorithm names is 56 * not one-to-one. 57 * 58 * 59 * @author David Brownell 60 * @author Amit Kapoor 61 * @author Hemma Prafullchandra 62 */ 63 public class AlgorithmId implements Serializable, DerEncoder { 64 65 /** use serialVersionUID from JDK 1.1. for interoperability */ 66 private static final long serialVersionUID = 7205873507486557157L; 67 68 /** 69 * The object identitifer being used for this algorithm. 70 */ 71 private ObjectIdentifier algid; 72 73 // The (parsed) parameters 74 private AlgorithmParameters algParams; 75 private boolean constructedFromDer = true; 76 77 /** 78 * Parameters for this algorithm. These are stored in unparsed 79 * DER-encoded form; subclasses can be made to automaticaly parse 80 * them so there is fast access to these parameters. 81 */ 82 protected DerValue params; 83 84 85 /** 86 * Constructs an algorithm ID which will be initialized 87 * separately, for example by deserialization. 88 * @deprecated use one of the other constructors. 89 */ 90 @Deprecated 91 public AlgorithmId() { } 92 93 /** 94 * Constructs a parameterless algorithm ID. 95 * 96 * @param oid the identifier for the algorithm 97 */ 98 public AlgorithmId(ObjectIdentifier oid) { 99 algid = oid; 100 } 101 102 /** 103 * Constructs an algorithm ID with algorithm parameters. 104 * 105 * @param oid the identifier for the algorithm. 106 * @param algparams the associated algorithm parameters. 107 */ 108 public AlgorithmId(ObjectIdentifier oid, AlgorithmParameters algparams) { 109 algid = oid; 110 algParams = algparams; 111 constructedFromDer = false; 112 } 113 114 private AlgorithmId(ObjectIdentifier oid, DerValue params) 115 throws IOException { 116 this.algid = oid; 117 this.params = params; 118 if (this.params != null) { 119 decodeParams(); 120 } 121 } 122 123 protected void decodeParams() throws IOException { 124 String algidString = algid.toString(); 125 try { 126 algParams = AlgorithmParameters.getInstance(algidString); 127 } catch (NoSuchAlgorithmException e) { 128 /* 129 * This algorithm parameter type is not supported, so we cannot 130 * parse the parameters. 131 */ 132 algParams = null; 133 return; 134 } 135 136 // Decode (parse) the parameters 137 algParams.init(params.toByteArray()); 138 } 139 140 /** 141 * Marshal a DER-encoded "AlgorithmID" sequence on the DER stream. 142 */ 143 public final void encode(DerOutputStream out) throws IOException { 144 derEncode(out); 145 } 146 147 /** 148 * DER encode this object onto an output stream. 149 * Implements the <code>DerEncoder</code> interface. 150 * 151 * @param out 152 * the output stream on which to write the DER encoding. 153 * 154 * @exception IOException on encoding error. 155 */ 156 public void derEncode (OutputStream out) throws IOException { 157 DerOutputStream bytes = new DerOutputStream(); 158 DerOutputStream tmp = new DerOutputStream(); 159 160 bytes.putOID(algid); 161 // Setup params from algParams since no DER encoding is given 162 if (constructedFromDer == false) { 163 if (algParams != null) { 164 params = new DerValue(algParams.getEncoded()); 165 } else { 166 params = null; 167 } 168 } 169 if (params == null) { 170 // Changes backed out for compatibility with Solaris 171 172 // Several AlgorithmId should omit the whole parameter part when 173 // it's NULL. They are --- 174 // rfc3370 2.1: Implementations SHOULD generate SHA-1 175 // AlgorithmIdentifiers with absent parameters. 176 // rfc3447 C1: When id-sha1, id-sha224, id-sha256, id-sha384 and 177 // id-sha512 are used in an AlgorithmIdentifier the parameters 178 // (which are optional) SHOULD be omitted. 179 // rfc3279 2.3.2: The id-dsa algorithm syntax includes optional 180 // domain parameters... When omitted, the parameters component 181 // MUST be omitted entirely 182 // rfc3370 3.1: When the id-dsa-with-sha1 algorithm identifier 183 // is used, the AlgorithmIdentifier parameters field MUST be absent. 184 /*if ( 185 algid.equals((Object)SHA_oid) || 186 algid.equals((Object)SHA224_oid) || 187 algid.equals((Object)SHA256_oid) || 188 algid.equals((Object)SHA384_oid) || 189 algid.equals((Object)SHA512_oid) || 190 algid.equals((Object)SHA512_224_oid) || 191 algid.equals((Object)SHA512_256_oid) || 192 algid.equals((Object)DSA_oid) || 193 algid.equals((Object)sha1WithDSA_oid)) { 194 ; // no parameter part encoded 195 } else { 196 bytes.putNull(); 197 }*/ 198 if (algid.equals(RSASSA_PSS_oid)) { 199 // RFC 4055 3.3: when an RSASSA-PSS key does not require 200 // parameter validation, field is absent. 201 } else { 202 bytes.putNull(); 203 } 204 } else { 205 bytes.putDerValue(params); 206 } 207 tmp.write(DerValue.tag_Sequence, bytes); 208 out.write(tmp.toByteArray()); 209 } 210 211 212 /** 213 * Returns the DER-encoded X.509 AlgorithmId as a byte array. 214 */ 215 public final byte[] encode() throws IOException { 216 DerOutputStream out = new DerOutputStream(); 217 derEncode(out); 218 return out.toByteArray(); 219 } 220 221 /** 222 * Returns the ISO OID for this algorithm. This is usually converted 223 * to a string and used as part of an algorithm name, for example 224 * "OID.1.3.14.3.2.13" style notation. Use the <code>getName</code> 225 * call when you do not need to ensure cross-system portability 226 * of algorithm names, or need a user friendly name. 227 */ 228 public final ObjectIdentifier getOID () { 229 return algid; 230 } 231 232 /** 233 * Returns a name for the algorithm which may be more intelligible 234 * to humans than the algorithm's OID, but which won't necessarily 235 * be comprehensible on other systems. For example, this might 236 * return a name such as "MD5withRSA" for a signature algorithm on 237 * some systems. It also returns names like "OID.1.2.3.4", when 238 * no particular name for the algorithm is known. 239 */ 240 public String getName() { 241 String algName = nameTable.get(algid); 242 if (algName != null) { 243 return algName; 244 } 245 if ((params != null) && algid.equals((Object)specifiedWithECDSA_oid)) { 246 try { 247 AlgorithmId paramsId = 248 AlgorithmId.parse(new DerValue(getEncodedParams())); 249 String paramsName = paramsId.getName(); 250 algName = makeSigAlg(paramsName, "EC"); 251 } catch (IOException e) { 252 // ignore 253 } 254 } 255 return (algName == null) ? algid.toString() : algName; 256 } 257 258 public AlgorithmParameters getParameters() { 259 return algParams; 260 } 261 262 /** 263 * Returns the DER encoded parameter, which can then be 264 * used to initialize java.security.AlgorithmParamters. 265 * 266 * @return DER encoded parameters, or null not present. 267 */ 268 public byte[] getEncodedParams() throws IOException { 269 return (params == null) ? null : params.toByteArray(); 270 } 271 272 /** 273 * Returns true iff the argument indicates the same algorithm 274 * with the same parameters. 275 */ 276 public boolean equals(AlgorithmId other) { 277 boolean paramsEqual = 278 (params == null ? other.params == null : params.equals(other.params)); 279 return (algid.equals((Object)other.algid) && paramsEqual); 280 } 281 282 /** 283 * Compares this AlgorithmID to another. If algorithm parameters are 284 * available, they are compared. Otherwise, just the object IDs 285 * for the algorithm are compared. 286 * 287 * @param other preferably an AlgorithmId, else an ObjectIdentifier 288 */ 289 public boolean equals(Object other) { 290 if (this == other) { 291 return true; 292 } 293 if (other instanceof AlgorithmId) { 294 return equals((AlgorithmId) other); 295 } else if (other instanceof ObjectIdentifier) { 296 return equals((ObjectIdentifier) other); 297 } else { 298 return false; 299 } 300 } 301 302 /** 303 * Compares two algorithm IDs for equality. Returns true iff 304 * they are the same algorithm, ignoring algorithm parameters. 305 */ 306 public final boolean equals(ObjectIdentifier id) { 307 return algid.equals((Object)id); 308 } 309 310 /** 311 * Returns a hashcode for this AlgorithmId. 312 * 313 * @return a hashcode for this AlgorithmId. 314 */ 315 public int hashCode() { 316 StringBuilder sbuf = new StringBuilder(); 317 sbuf.append(algid.toString()); 318 sbuf.append(paramsToString()); 319 return sbuf.toString().hashCode(); 320 } 321 322 /** 323 * Provides a human-readable description of the algorithm parameters. 324 * This may be redefined by subclasses which parse those parameters. 325 */ 326 protected String paramsToString() { 327 if (params == null) { 328 return ""; 329 } else if (algParams != null) { 330 return algParams.toString(); 331 } else { 332 return ", params unparsed"; 333 } 334 } 335 336 /** 337 * Returns a string describing the algorithm and its parameters. 338 */ 339 public String toString() { 340 return getName() + paramsToString(); 341 } 342 343 /** 344 * Parse (unmarshal) an ID from a DER sequence input value. This form 345 * parsing might be used when expanding a value which has already been 346 * partially unmarshaled as a set or sequence member. 347 * 348 * @exception IOException on error. 349 * @param val the input value, which contains the algid and, if 350 * there are any parameters, those parameters. 351 * @return an ID for the algorithm. If the system is configured 352 * appropriately, this may be an instance of a class 353 * with some kind of special support for this algorithm. 354 * In that case, you may "narrow" the type of the ID. 355 */ 356 public static AlgorithmId parse(DerValue val) throws IOException { 357 if (val.tag != DerValue.tag_Sequence) { 358 throw new IOException("algid parse error, not a sequence"); 359 } 360 361 /* 362 * Get the algorithm ID and any parameters. 363 */ 364 ObjectIdentifier algid; 365 DerValue params; 366 DerInputStream in = val.toDerInputStream(); 367 368 algid = in.getOID(); 369 if (in.available() == 0) { 370 params = null; 371 } else { 372 params = in.getDerValue(); 373 if (params.tag == DerValue.tag_Null) { 374 if (params.length() != 0) { 375 throw new IOException("invalid NULL"); 376 } 377 params = null; 378 } 379 if (in.available() != 0) { 380 throw new IOException("Invalid AlgorithmIdentifier: extra data"); 381 } 382 } 383 384 return new AlgorithmId(algid, params); 385 } 386 387 /** 388 * Returns one of the algorithm IDs most commonly associated 389 * with this algorithm name. 390 * 391 * @param algname the name being used 392 * @deprecated use the short get form of this method. 393 * @exception NoSuchAlgorithmException on error. 394 */ 395 @Deprecated 396 public static AlgorithmId getAlgorithmId(String algname) 397 throws NoSuchAlgorithmException { 398 return get(algname); 399 } 400 401 /** 402 * Returns one of the algorithm IDs most commonly associated 403 * with this algorithm name. 404 * 405 * @param algname the name being used 406 * @exception NoSuchAlgorithmException on error. 407 */ 408 public static AlgorithmId get(String algname) 409 throws NoSuchAlgorithmException { 410 ObjectIdentifier oid; 411 try { 412 oid = algOID(algname); 413 } catch (IOException ioe) { 414 throw new NoSuchAlgorithmException 415 ("Invalid ObjectIdentifier " + algname); 416 } 417 418 if (oid == null) { 419 throw new NoSuchAlgorithmException 420 ("unrecognized algorithm name: " + algname); 421 } 422 return new AlgorithmId(oid); 423 } 424 425 /** 426 * Returns one of the algorithm IDs most commonly associated 427 * with this algorithm parameters. 428 * 429 * @param algparams the associated algorithm parameters. 430 * @exception NoSuchAlgorithmException on error. 431 */ 432 public static AlgorithmId get(AlgorithmParameters algparams) 433 throws NoSuchAlgorithmException { 434 ObjectIdentifier oid; 435 String algname = algparams.getAlgorithm(); 436 try { 437 oid = algOID(algname); 438 } catch (IOException ioe) { 439 throw new NoSuchAlgorithmException 440 ("Invalid ObjectIdentifier " + algname); 441 } 442 if (oid == null) { 443 throw new NoSuchAlgorithmException 444 ("unrecognized algorithm name: " + algname); 445 } 446 return new AlgorithmId(oid, algparams); 447 } 448 449 /* 450 * Translates from some common algorithm names to the 451 * OID with which they're usually associated ... this mapping 452 * is the reverse of the one below, except in those cases 453 * where synonyms are supported or where a given algorithm 454 * is commonly associated with multiple OIDs. 455 * 456 * XXX This method needs to be enhanced so that we can also pass the 457 * scope of the algorithm name to it, e.g., the algorithm name "DSA" 458 * may have a different OID when used as a "Signature" algorithm than when 459 * used as a "KeyPairGenerator" algorithm. 460 */ 461 private static ObjectIdentifier algOID(String name) throws IOException { 462 // See if algname is in printable OID ("dot-dot") notation 463 if (name.indexOf('.') != -1) { 464 if (name.startsWith("OID.")) { 465 return new ObjectIdentifier(name.substring("OID.".length())); 466 } else { 467 return new ObjectIdentifier(name); 468 } 469 } 470 471 // Digesting algorithms 472 if (name.equalsIgnoreCase("MD5")) { 473 return AlgorithmId.MD5_oid; 474 } 475 if (name.equalsIgnoreCase("MD2")) { 476 return AlgorithmId.MD2_oid; 477 } 478 if (name.equalsIgnoreCase("SHA") || name.equalsIgnoreCase("SHA1") 479 || name.equalsIgnoreCase("SHA-1")) { 480 return AlgorithmId.SHA_oid; 481 } 482 if (name.equalsIgnoreCase("SHA-256") || 483 name.equalsIgnoreCase("SHA256")) { 484 return AlgorithmId.SHA256_oid; 485 } 486 if (name.equalsIgnoreCase("SHA-384") || 487 name.equalsIgnoreCase("SHA384")) { 488 return AlgorithmId.SHA384_oid; 489 } 490 if (name.equalsIgnoreCase("SHA-512") || 491 name.equalsIgnoreCase("SHA512")) { 492 return AlgorithmId.SHA512_oid; 493 } 494 if (name.equalsIgnoreCase("SHA-224") || 495 name.equalsIgnoreCase("SHA224")) { 496 return AlgorithmId.SHA224_oid; 497 } 498 if (name.equalsIgnoreCase("SHA-512/224") || 499 name.equalsIgnoreCase("SHA512/224")) { 500 return AlgorithmId.SHA512_224_oid; 501 } 502 if (name.equalsIgnoreCase("SHA-512/256") || 503 name.equalsIgnoreCase("SHA512/256")) { 504 return AlgorithmId.SHA512_256_oid; 505 } 506 // Various public key algorithms 507 if (name.equalsIgnoreCase("RSA")) { 508 return AlgorithmId.RSAEncryption_oid; 509 } 510 if (name.equalsIgnoreCase("RSASSA-PSS")) { 511 return AlgorithmId.RSASSA_PSS_oid; 512 } 513 if (name.equalsIgnoreCase("RSAES-OAEP")) { 514 return AlgorithmId.RSAES_OAEP_oid; 515 } 516 if (name.equalsIgnoreCase("Diffie-Hellman") 517 || name.equalsIgnoreCase("DH")) { 518 return AlgorithmId.DH_oid; 519 } 520 if (name.equalsIgnoreCase("DSA")) { 521 return AlgorithmId.DSA_oid; 522 } 523 if (name.equalsIgnoreCase("EC")) { 524 return EC_oid; 525 } 526 if (name.equalsIgnoreCase("ECDH")) { 527 return AlgorithmId.ECDH_oid; 528 } 529 530 // Secret key algorithms 531 if (name.equalsIgnoreCase("AES")) { 532 return AlgorithmId.AES_oid; 533 } 534 535 // Common signature types 536 if (name.equalsIgnoreCase("MD5withRSA") 537 || name.equalsIgnoreCase("MD5/RSA")) { 538 return AlgorithmId.md5WithRSAEncryption_oid; 539 } 540 if (name.equalsIgnoreCase("MD2withRSA") 541 || name.equalsIgnoreCase("MD2/RSA")) { 542 return AlgorithmId.md2WithRSAEncryption_oid; 543 } 544 if (name.equalsIgnoreCase("SHAwithDSA") 545 || name.equalsIgnoreCase("SHA1withDSA") 546 || name.equalsIgnoreCase("SHA/DSA") 547 || name.equalsIgnoreCase("SHA1/DSA") 548 || name.equalsIgnoreCase("DSAWithSHA1") 549 || name.equalsIgnoreCase("DSS") 550 || name.equalsIgnoreCase("SHA-1/DSA")) { 551 return AlgorithmId.sha1WithDSA_oid; 552 } 553 if (name.equalsIgnoreCase("SHA224WithDSA")) { 554 return AlgorithmId.sha224WithDSA_oid; 555 } 556 if (name.equalsIgnoreCase("SHA256WithDSA")) { 557 return AlgorithmId.sha256WithDSA_oid; 558 } 559 if (name.equalsIgnoreCase("SHA1WithRSA") 560 || name.equalsIgnoreCase("SHA1/RSA")) { 561 return AlgorithmId.sha1WithRSAEncryption_oid; 562 } 563 if (name.equalsIgnoreCase("SHA1withECDSA") 564 || name.equalsIgnoreCase("ECDSA")) { 565 return AlgorithmId.sha1WithECDSA_oid; 566 } 567 if (name.equalsIgnoreCase("SHA224withECDSA")) { 568 return AlgorithmId.sha224WithECDSA_oid; 569 } 570 if (name.equalsIgnoreCase("SHA256withECDSA")) { 571 return AlgorithmId.sha256WithECDSA_oid; 572 } 573 if (name.equalsIgnoreCase("SHA384withECDSA")) { 574 return AlgorithmId.sha384WithECDSA_oid; 575 } 576 if (name.equalsIgnoreCase("SHA512withECDSA")) { 577 return AlgorithmId.sha512WithECDSA_oid; 578 } 579 580 return oidTable().get(name.toUpperCase(Locale.ENGLISH)); 581 } 582 583 private static ObjectIdentifier oid(int ... values) { 584 return ObjectIdentifier.newInternal(values); 585 } 586 587 private static volatile Map<String,ObjectIdentifier> oidTable; 588 private static final Map<ObjectIdentifier,String> nameTable; 589 590 /** Returns the oidTable, lazily initializing it on first access. */ 591 private static Map<String,ObjectIdentifier> oidTable() 592 throws IOException { 593 // Double checked locking; safe because oidTable is volatile 594 Map<String,ObjectIdentifier> tab; 595 if ((tab = oidTable) == null) { 596 synchronized (AlgorithmId.class) { 597 if ((tab = oidTable) == null) 598 oidTable = tab = computeOidTable(); 599 } 600 } 601 return tab; 602 } 603 604 /** Collects the algorithm names from the installed providers. */ 605 private static HashMap<String,ObjectIdentifier> computeOidTable() 606 throws IOException { 607 HashMap<String,ObjectIdentifier> tab = new HashMap<>(); 608 for (Provider provider : Security.getProviders()) { 609 for (Object key : provider.keySet()) { 610 String alias = (String)key; 611 String upperCaseAlias = alias.toUpperCase(Locale.ENGLISH); 612 int index; 613 if (upperCaseAlias.startsWith("ALG.ALIAS") && 614 (index=upperCaseAlias.indexOf("OID.", 0)) != -1) { 615 index += "OID.".length(); 616 if (index == alias.length()) { 617 // invalid alias entry 618 break; 619 } 620 String oidString = alias.substring(index); 621 String stdAlgName = provider.getProperty(alias); 622 if (stdAlgName != null) { 623 stdAlgName = stdAlgName.toUpperCase(Locale.ENGLISH); 624 } 625 if (stdAlgName != null && 626 tab.get(stdAlgName) == null) { 627 tab.put(stdAlgName, new ObjectIdentifier(oidString)); 628 } 629 } 630 } 631 } 632 return tab; 633 } 634 635 /*****************************************************************/ 636 637 /* 638 * HASHING ALGORITHMS 639 */ 640 641 /** 642 * Algorithm ID for the MD2 Message Digest Algorthm, from RFC 1319. 643 * OID = 1.2.840.113549.2.2 644 */ 645 public static final ObjectIdentifier MD2_oid = 646 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 2}); 647 648 /** 649 * Algorithm ID for the MD5 Message Digest Algorthm, from RFC 1321. 650 * OID = 1.2.840.113549.2.5 651 */ 652 public static final ObjectIdentifier MD5_oid = 653 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 5}); 654 655 /** 656 * Algorithm ID for the SHA1 Message Digest Algorithm, from FIPS 180-1. 657 * This is sometimes called "SHA", though that is often confusing since 658 * many people refer to FIPS 180 (which has an error) as defining SHA. 659 * OID = 1.3.14.3.2.26. Old SHA-0 OID: 1.3.14.3.2.18. 660 */ 661 public static final ObjectIdentifier SHA_oid = 662 ObjectIdentifier.newInternal(new int[] {1, 3, 14, 3, 2, 26}); 663 664 public static final ObjectIdentifier SHA224_oid = 665 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 4}); 666 667 public static final ObjectIdentifier SHA256_oid = 668 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 1}); 669 670 public static final ObjectIdentifier SHA384_oid = 671 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 2}); 672 673 public static final ObjectIdentifier SHA512_oid = 674 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 3}); 675 676 public static final ObjectIdentifier SHA512_224_oid = 677 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 5}); 678 679 public static final ObjectIdentifier SHA512_256_oid = 680 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 6}); 681 682 /* 683 * COMMON PUBLIC KEY TYPES 684 */ 685 private static final int[] DH_data = { 1, 2, 840, 113549, 1, 3, 1 }; 686 private static final int[] DH_PKIX_data = { 1, 2, 840, 10046, 2, 1 }; 687 private static final int[] DSA_OIW_data = { 1, 3, 14, 3, 2, 12 }; 688 private static final int[] DSA_PKIX_data = { 1, 2, 840, 10040, 4, 1 }; 689 private static final int[] RSA_data = { 2, 5, 8, 1, 1 }; 690 691 public static final ObjectIdentifier DH_oid; 692 public static final ObjectIdentifier DH_PKIX_oid; 693 public static final ObjectIdentifier DSA_oid; 694 public static final ObjectIdentifier DSA_OIW_oid; 695 public static final ObjectIdentifier EC_oid = oid(1, 2, 840, 10045, 2, 1); 696 public static final ObjectIdentifier ECDH_oid = oid(1, 3, 132, 1, 12); 697 public static final ObjectIdentifier RSA_oid; 698 public static final ObjectIdentifier RSAEncryption_oid = 699 oid(1, 2, 840, 113549, 1, 1, 1); 700 public static final ObjectIdentifier RSAES_OAEP_oid = 701 oid(1, 2, 840, 113549, 1, 1, 7); 702 public static final ObjectIdentifier mgf1_oid = 703 oid(1, 2, 840, 113549, 1, 1, 8); 704 public static final ObjectIdentifier RSASSA_PSS_oid = 705 oid(1, 2, 840, 113549, 1, 1, 10); 706 707 /* 708 * COMMON SECRET KEY TYPES 709 */ 710 public static final ObjectIdentifier AES_oid = 711 oid(2, 16, 840, 1, 101, 3, 4, 1); 712 713 /* 714 * COMMON SIGNATURE ALGORITHMS 715 */ 716 private static final int[] md2WithRSAEncryption_data = 717 { 1, 2, 840, 113549, 1, 1, 2 }; 718 private static final int[] md5WithRSAEncryption_data = 719 { 1, 2, 840, 113549, 1, 1, 4 }; 720 private static final int[] sha1WithRSAEncryption_data = 721 { 1, 2, 840, 113549, 1, 1, 5 }; 722 private static final int[] sha1WithRSAEncryption_OIW_data = 723 { 1, 3, 14, 3, 2, 29 }; 724 private static final int[] sha224WithRSAEncryption_data = 725 { 1, 2, 840, 113549, 1, 1, 14 }; 726 private static final int[] sha256WithRSAEncryption_data = 727 { 1, 2, 840, 113549, 1, 1, 11 }; 728 private static final int[] sha384WithRSAEncryption_data = 729 { 1, 2, 840, 113549, 1, 1, 12 }; 730 private static final int[] sha512WithRSAEncryption_data = 731 { 1, 2, 840, 113549, 1, 1, 13 }; 732 733 private static final int[] shaWithDSA_OIW_data = 734 { 1, 3, 14, 3, 2, 13 }; 735 private static final int[] sha1WithDSA_OIW_data = 736 { 1, 3, 14, 3, 2, 27 }; 737 private static final int[] dsaWithSHA1_PKIX_data = 738 { 1, 2, 840, 10040, 4, 3 }; 739 740 public static final ObjectIdentifier md2WithRSAEncryption_oid; 741 public static final ObjectIdentifier md5WithRSAEncryption_oid; 742 public static final ObjectIdentifier sha1WithRSAEncryption_oid; 743 public static final ObjectIdentifier sha1WithRSAEncryption_OIW_oid; 744 public static final ObjectIdentifier sha224WithRSAEncryption_oid; 745 public static final ObjectIdentifier sha256WithRSAEncryption_oid; 746 public static final ObjectIdentifier sha384WithRSAEncryption_oid; 747 public static final ObjectIdentifier sha512WithRSAEncryption_oid; 748 public static final ObjectIdentifier sha512_224WithRSAEncryption_oid = 749 oid(1, 2, 840, 113549, 1, 1, 15); 750 public static final ObjectIdentifier sha512_256WithRSAEncryption_oid = 751 oid(1, 2, 840, 113549, 1, 1, 16);; 752 753 public static final ObjectIdentifier shaWithDSA_OIW_oid; 754 public static final ObjectIdentifier sha1WithDSA_OIW_oid; 755 public static final ObjectIdentifier sha1WithDSA_oid; 756 public static final ObjectIdentifier sha224WithDSA_oid = 757 oid(2, 16, 840, 1, 101, 3, 4, 3, 1); 758 public static final ObjectIdentifier sha256WithDSA_oid = 759 oid(2, 16, 840, 1, 101, 3, 4, 3, 2); 760 761 public static final ObjectIdentifier sha1WithECDSA_oid = 762 oid(1, 2, 840, 10045, 4, 1); 763 public static final ObjectIdentifier sha224WithECDSA_oid = 764 oid(1, 2, 840, 10045, 4, 3, 1); 765 public static final ObjectIdentifier sha256WithECDSA_oid = 766 oid(1, 2, 840, 10045, 4, 3, 2); 767 public static final ObjectIdentifier sha384WithECDSA_oid = 768 oid(1, 2, 840, 10045, 4, 3, 3); 769 public static final ObjectIdentifier sha512WithECDSA_oid = 770 oid(1, 2, 840, 10045, 4, 3, 4); 771 public static final ObjectIdentifier specifiedWithECDSA_oid = 772 oid(1, 2, 840, 10045, 4, 3); 773 774 /** 775 * Algorithm ID for the PBE encryption algorithms from PKCS#5 and 776 * PKCS#12. 777 */ 778 public static final ObjectIdentifier pbeWithMD5AndDES_oid = 779 ObjectIdentifier.newInternal(new int[]{1, 2, 840, 113549, 1, 5, 3}); 780 public static final ObjectIdentifier pbeWithMD5AndRC2_oid = 781 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 6}); 782 public static final ObjectIdentifier pbeWithSHA1AndDES_oid = 783 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 10}); 784 public static final ObjectIdentifier pbeWithSHA1AndRC2_oid = 785 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 11}); 786 public static ObjectIdentifier pbeWithSHA1AndDESede_oid = 787 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 3}); 788 public static ObjectIdentifier pbeWithSHA1AndRC2_40_oid = 789 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 6}); 790 791 static { 792 /* 793 * Note the preferred OIDs are named simply with no "OIW" or 794 * "PKIX" in them, even though they may point to data from these 795 * specs; e.g. SHA_oid, DH_oid, DSA_oid, SHA1WithDSA_oid... 796 */ 797 /** 798 * Algorithm ID for Diffie Hellman Key agreement, from PKCS #3. 799 * Parameters include public values P and G, and may optionally specify 800 * the length of the private key X. Alternatively, algorithm parameters 801 * may be derived from another source such as a Certificate Authority's 802 * certificate. 803 * OID = 1.2.840.113549.1.3.1 804 */ 805 DH_oid = ObjectIdentifier.newInternal(DH_data); 806 807 /** 808 * Algorithm ID for the Diffie Hellman Key Agreement (DH), from RFC 3279. 809 * Parameters may include public values P and G. 810 * OID = 1.2.840.10046.2.1 811 */ 812 DH_PKIX_oid = ObjectIdentifier.newInternal(DH_PKIX_data); 813 814 /** 815 * Algorithm ID for the Digital Signing Algorithm (DSA), from the 816 * NIST OIW Stable Agreements part 12. 817 * Parameters may include public values P, Q, and G; or these may be 818 * derived from 819 * another source such as a Certificate Authority's certificate. 820 * OID = 1.3.14.3.2.12 821 */ 822 DSA_OIW_oid = ObjectIdentifier.newInternal(DSA_OIW_data); 823 824 /** 825 * Algorithm ID for the Digital Signing Algorithm (DSA), from RFC 3279. 826 * Parameters may include public values P, Q, and G; or these may be 827 * derived from another source such as a Certificate Authority's 828 * certificate. 829 * OID = 1.2.840.10040.4.1 830 */ 831 DSA_oid = ObjectIdentifier.newInternal(DSA_PKIX_data); 832 833 /** 834 * Algorithm ID for RSA keys used for any purpose, as defined in X.509. 835 * The algorithm parameter is a single value, the number of bits in the 836 * public modulus. 837 * OID = 2.5.8.1.1 838 */ 839 RSA_oid = ObjectIdentifier.newInternal(RSA_data); 840 841 /** 842 * Identifies a signing algorithm where an MD2 digest is encrypted 843 * using an RSA private key; defined in PKCS #1. Use of this 844 * signing algorithm is discouraged due to MD2 vulnerabilities. 845 * OID = 1.2.840.113549.1.1.2 846 */ 847 md2WithRSAEncryption_oid = 848 ObjectIdentifier.newInternal(md2WithRSAEncryption_data); 849 850 /** 851 * Identifies a signing algorithm where an MD5 digest is 852 * encrypted using an RSA private key; defined in PKCS #1. 853 * OID = 1.2.840.113549.1.1.4 854 */ 855 md5WithRSAEncryption_oid = 856 ObjectIdentifier.newInternal(md5WithRSAEncryption_data); 857 858 /** 859 * Identifies a signing algorithm where a SHA1 digest is 860 * encrypted using an RSA private key; defined by RSA DSI. 861 * OID = 1.2.840.113549.1.1.5 862 */ 863 sha1WithRSAEncryption_oid = 864 ObjectIdentifier.newInternal(sha1WithRSAEncryption_data); 865 866 /** 867 * Identifies a signing algorithm where a SHA1 digest is 868 * encrypted using an RSA private key; defined in NIST OIW. 869 * OID = 1.3.14.3.2.29 870 */ 871 sha1WithRSAEncryption_OIW_oid = 872 ObjectIdentifier.newInternal(sha1WithRSAEncryption_OIW_data); 873 874 /** 875 * Identifies a signing algorithm where a SHA224 digest is 876 * encrypted using an RSA private key; defined by PKCS #1. 877 * OID = 1.2.840.113549.1.1.14 878 */ 879 sha224WithRSAEncryption_oid = 880 ObjectIdentifier.newInternal(sha224WithRSAEncryption_data); 881 882 /** 883 * Identifies a signing algorithm where a SHA256 digest is 884 * encrypted using an RSA private key; defined by PKCS #1. 885 * OID = 1.2.840.113549.1.1.11 886 */ 887 sha256WithRSAEncryption_oid = 888 ObjectIdentifier.newInternal(sha256WithRSAEncryption_data); 889 890 /** 891 * Identifies a signing algorithm where a SHA384 digest is 892 * encrypted using an RSA private key; defined by PKCS #1. 893 * OID = 1.2.840.113549.1.1.12 894 */ 895 sha384WithRSAEncryption_oid = 896 ObjectIdentifier.newInternal(sha384WithRSAEncryption_data); 897 898 /** 899 * Identifies a signing algorithm where a SHA512 digest is 900 * encrypted using an RSA private key; defined by PKCS #1. 901 * OID = 1.2.840.113549.1.1.13 902 */ 903 sha512WithRSAEncryption_oid = 904 ObjectIdentifier.newInternal(sha512WithRSAEncryption_data); 905 906 /** 907 * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a 908 * SHA digest is signed using the Digital Signing Algorithm (DSA). 909 * This should not be used. 910 * OID = 1.3.14.3.2.13 911 */ 912 shaWithDSA_OIW_oid = ObjectIdentifier.newInternal(shaWithDSA_OIW_data); 913 914 /** 915 * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a 916 * SHA1 digest is signed using the Digital Signing Algorithm (DSA). 917 * OID = 1.3.14.3.2.27 918 */ 919 sha1WithDSA_OIW_oid = ObjectIdentifier.newInternal(sha1WithDSA_OIW_data); 920 921 /** 922 * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a 923 * SHA1 digest is signed using the Digital Signing Algorithm (DSA). 924 * OID = 1.2.840.10040.4.3 925 */ 926 sha1WithDSA_oid = ObjectIdentifier.newInternal(dsaWithSHA1_PKIX_data); 927 928 nameTable = new HashMap<>(); 929 nameTable.put(MD5_oid, "MD5"); 930 nameTable.put(MD2_oid, "MD2"); 931 nameTable.put(SHA_oid, "SHA-1"); 932 nameTable.put(SHA224_oid, "SHA-224"); 933 nameTable.put(SHA256_oid, "SHA-256"); 934 nameTable.put(SHA384_oid, "SHA-384"); 935 nameTable.put(SHA512_oid, "SHA-512"); 936 nameTable.put(SHA512_224_oid, "SHA-512/224"); 937 nameTable.put(SHA512_256_oid, "SHA-512/256"); 938 nameTable.put(RSAEncryption_oid, "RSA"); 939 nameTable.put(RSA_oid, "RSA"); 940 nameTable.put(DH_oid, "Diffie-Hellman"); 941 nameTable.put(DH_PKIX_oid, "Diffie-Hellman"); 942 nameTable.put(DSA_oid, "DSA"); 943 nameTable.put(DSA_OIW_oid, "DSA"); 944 nameTable.put(EC_oid, "EC"); 945 nameTable.put(ECDH_oid, "ECDH"); 946 947 nameTable.put(AES_oid, "AES"); 948 949 nameTable.put(sha1WithECDSA_oid, "SHA1withECDSA"); 950 nameTable.put(sha224WithECDSA_oid, "SHA224withECDSA"); 951 nameTable.put(sha256WithECDSA_oid, "SHA256withECDSA"); 952 nameTable.put(sha384WithECDSA_oid, "SHA384withECDSA"); 953 nameTable.put(sha512WithECDSA_oid, "SHA512withECDSA"); 954 nameTable.put(md5WithRSAEncryption_oid, "MD5withRSA"); 955 nameTable.put(md2WithRSAEncryption_oid, "MD2withRSA"); 956 nameTable.put(sha1WithDSA_oid, "SHA1withDSA"); 957 nameTable.put(sha1WithDSA_OIW_oid, "SHA1withDSA"); 958 nameTable.put(shaWithDSA_OIW_oid, "SHA1withDSA"); 959 nameTable.put(sha224WithDSA_oid, "SHA224withDSA"); 960 nameTable.put(sha256WithDSA_oid, "SHA256withDSA"); 961 nameTable.put(sha1WithRSAEncryption_oid, "SHA1withRSA"); 962 nameTable.put(sha1WithRSAEncryption_OIW_oid, "SHA1withRSA"); 963 nameTable.put(sha224WithRSAEncryption_oid, "SHA224withRSA"); 964 nameTable.put(sha256WithRSAEncryption_oid, "SHA256withRSA"); 965 nameTable.put(sha384WithRSAEncryption_oid, "SHA384withRSA"); 966 nameTable.put(sha512WithRSAEncryption_oid, "SHA512withRSA"); 967 nameTable.put(sha512_224WithRSAEncryption_oid, "SHA512/224withRSA"); 968 nameTable.put(sha512_256WithRSAEncryption_oid, "SHA512/256withRSA"); 969 nameTable.put(RSASSA_PSS_oid, "RSASSA-PSS"); 970 nameTable.put(RSAES_OAEP_oid, "RSAES-OAEP"); 971 972 nameTable.put(pbeWithMD5AndDES_oid, "PBEWithMD5AndDES"); 973 nameTable.put(pbeWithMD5AndRC2_oid, "PBEWithMD5AndRC2"); 974 nameTable.put(pbeWithSHA1AndDES_oid, "PBEWithSHA1AndDES"); 975 nameTable.put(pbeWithSHA1AndRC2_oid, "PBEWithSHA1AndRC2"); 976 nameTable.put(pbeWithSHA1AndDESede_oid, "PBEWithSHA1AndDESede"); 977 nameTable.put(pbeWithSHA1AndRC2_40_oid, "PBEWithSHA1AndRC2_40"); 978 } 979 980 /** 981 * Creates a signature algorithm name from a digest algorithm 982 * name and a encryption algorithm name. 983 */ 984 public static String makeSigAlg(String digAlg, String encAlg) { 985 digAlg = digAlg.replace("-", ""); 986 if (encAlg.equalsIgnoreCase("EC")) encAlg = "ECDSA"; 987 988 return digAlg + "with" + encAlg; 989 } 990 991 /** 992 * Extracts the encryption algorithm name from a signature 993 * algorithm name. 994 */ 995 public static String getEncAlgFromSigAlg(String signatureAlgorithm) { 996 signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH); 997 int with = signatureAlgorithm.indexOf("WITH"); 998 String keyAlgorithm = null; 999 if (with > 0) { 1000 int and = signatureAlgorithm.indexOf("AND", with + 4); 1001 if (and > 0) { 1002 keyAlgorithm = signatureAlgorithm.substring(with + 4, and); 1003 } else { 1004 keyAlgorithm = signatureAlgorithm.substring(with + 4); 1005 } 1006 if (keyAlgorithm.equalsIgnoreCase("ECDSA")) { 1007 keyAlgorithm = "EC"; 1008 } 1009 } 1010 return keyAlgorithm; 1011 } 1012 1013 /** 1014 * Extracts the digest algorithm name from a signature 1015 * algorithm name. 1016 */ 1017 public static String getDigAlgFromSigAlg(String signatureAlgorithm) { 1018 signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH); 1019 int with = signatureAlgorithm.indexOf("WITH"); 1020 if (with > 0) { 1021 return signatureAlgorithm.substring(0, with); 1022 } 1023 return null; 1024 } 1025 1026 /** 1027 * Checks if a signature algorithm matches a key algorithm, i.e. a 1028 * signature can be initialized with a key. 1029 * 1030 * @param kAlg must not be null 1031 * @param sAlg must not be null 1032 * @throws IllegalArgumentException if they do not match 1033 */ 1034 public static void checkKeyAndSigAlgMatch(String kAlg, String sAlg) { 1035 String sAlgUp = sAlg.toUpperCase(Locale.US); 1036 if ((sAlgUp.endsWith("WITHRSA") && !kAlg.equalsIgnoreCase("RSA")) || 1037 (sAlgUp.endsWith("WITHECDSA") && !kAlg.equalsIgnoreCase("EC")) || 1038 (sAlgUp.endsWith("WITHDSA") && !kAlg.equalsIgnoreCase("DSA"))) { 1039 throw new IllegalArgumentException( 1040 "key algorithm not compatible with signature algorithm"); 1041 } 1042 } 1043 1044 /** 1045 * Returns the default signature algorithm for a private key. The digest 1046 * part might evolve with time. Remember to update the spec of 1047 * {@link jdk.security.jarsigner.JarSigner.Builder#getDefaultSignatureAlgorithm(PrivateKey)} 1048 * if updated. 1049 * 1050 * @param k cannot be null 1051 * @return the default alg, might be null if unsupported 1052 */ 1053 public static String getDefaultSigAlgForKey(PrivateKey k) { 1054 switch (k.getAlgorithm().toUpperCase(Locale.ENGLISH)) { 1055 case "EC": 1056 return ecStrength(KeyUtil.getKeySize(k)) 1057 + "withECDSA"; 1058 case "DSA": 1059 return ifcFfcStrength(KeyUtil.getKeySize(k)) 1060 + "withDSA"; 1061 case "RSA": 1062 return ifcFfcStrength(KeyUtil.getKeySize(k)) 1063 + "withRSA"; 1064 default: 1065 return null; 1066 } 1067 } 1068 1069 // Most commonly used PSSParameterSpec and AlgorithmId 1070 private static class PSSParamsHolder { 1071 1072 final static PSSParameterSpec PSS_256_SPEC = new PSSParameterSpec( 1073 "SHA-256", "MGF1", 1074 new MGF1ParameterSpec("SHA-256"), 1075 32, PSSParameterSpec.TRAILER_FIELD_BC); 1076 final static PSSParameterSpec PSS_384_SPEC = new PSSParameterSpec( 1077 "SHA-384", "MGF1", 1078 new MGF1ParameterSpec("SHA-384"), 1079 48, PSSParameterSpec.TRAILER_FIELD_BC); 1080 final static PSSParameterSpec PSS_512_SPEC = new PSSParameterSpec( 1081 "SHA-512", "MGF1", 1082 new MGF1ParameterSpec("SHA-512"), 1083 64, PSSParameterSpec.TRAILER_FIELD_BC); 1084 1085 final static AlgorithmId PSS_256_ID; 1086 final static AlgorithmId PSS_384_ID; 1087 final static AlgorithmId PSS_512_ID; 1088 1089 static { 1090 try { 1091 PSS_256_ID = new AlgorithmId(RSASSA_PSS_oid, 1092 new DerValue(PSSParameters.getEncoded(PSS_256_SPEC))); 1093 PSS_384_ID = new AlgorithmId(RSASSA_PSS_oid, 1094 new DerValue(PSSParameters.getEncoded(PSS_384_SPEC))); 1095 PSS_512_ID = new AlgorithmId(RSASSA_PSS_oid, 1096 new DerValue(PSSParameters.getEncoded(PSS_512_SPEC))); 1097 } catch (IOException e) { 1098 throw new AssertionError("Should not happen", e); 1099 } 1100 } 1101 } 1102 1103 public static AlgorithmId getWithParameterSpec(String algName, 1104 AlgorithmParameterSpec spec) throws NoSuchAlgorithmException { 1105 1106 if (spec == null) { 1107 return AlgorithmId.get(algName); 1108 } else if (spec == PSSParamsHolder.PSS_256_SPEC) { 1109 return PSSParamsHolder.PSS_256_ID; 1110 } else if (spec == PSSParamsHolder.PSS_384_SPEC) { 1111 return PSSParamsHolder.PSS_384_ID; 1112 } else if (spec == PSSParamsHolder.PSS_512_SPEC) { 1113 return PSSParamsHolder.PSS_512_ID; 1114 } else { 1115 try { 1116 AlgorithmParameters result = 1117 AlgorithmParameters.getInstance(algName); 1118 result.init(spec); 1119 return get(result); 1120 } catch (InvalidParameterSpecException | NoSuchAlgorithmException e) { 1121 throw new ProviderException(e); 1122 } 1123 } 1124 } 1125 1126 public static PSSParameterSpec getDefaultAlgorithmParameterSpec( 1127 String sigAlg, PrivateKey k) { 1128 if (sigAlg.equalsIgnoreCase("RSASSA-PSS")) { 1129 switch (ifcFfcStrength(KeyUtil.getKeySize(k))) { 1130 case "SHA256": 1131 return PSSParamsHolder.PSS_256_SPEC; 1132 case "SHA384": 1133 return PSSParamsHolder.PSS_384_SPEC; 1134 case "SHA512": 1135 return PSSParamsHolder.PSS_512_SPEC; 1136 default: 1137 throw new AssertionError("Should not happen"); 1138 } 1139 } else { 1140 return null; 1141 } 1142 } 1143 1144 // Values from SP800-57 part 1 rev 4 tables 2 and 3 1145 private static String ecStrength (int bitLength) { 1146 if (bitLength >= 512) { // 256 bits of strength 1147 return "SHA512"; 1148 } else if (bitLength >= 384) { // 192 bits of strength 1149 return "SHA384"; 1150 } else { // 128 bits of strength and less 1151 return "SHA256"; 1152 } 1153 } 1154 1155 // Same values for RSA and DSA 1156 private static String ifcFfcStrength (int bitLength) { 1157 if (bitLength > 7680) { // 256 bits 1158 return "SHA512"; 1159 } else if (bitLength > 3072) { // 192 bits 1160 return "SHA384"; 1161 } else { // 128 bits and less 1162 return "SHA256"; 1163 } 1164 } 1165 }