1 /*
2 * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.*;
29 import java.security.spec.AlgorithmParameterSpec;
30 import java.security.spec.InvalidParameterSpecException;
31 import java.security.spec.MGF1ParameterSpec;
32 import java.security.spec.PSSParameterSpec;
33 import java.util.*;
34 import java.security.*;
35
36 import sun.security.rsa.PSSParameters;
37 import sun.security.util.*;
38
39
40 /**
41 * This class identifies algorithms, such as cryptographic transforms, each
42 * of which may be associated with parameters. Instances of this base class
43 * are used when this runtime environment has no special knowledge of the
44 * algorithm type, and may also be used in other cases. Equivalence is
45 * defined according to OID and (where relevant) parameters.
46 *
47 * <P>Subclasses may be used, for example when the algorithm ID has
48 * associated parameters which some code (e.g. code using public keys) needs
49 * to have parsed. Two examples of such algorithms are Diffie-Hellman key
50 * exchange, and the Digital Signature Standard Algorithm (DSS/DSA).
51 *
52 * <P>The OID constants defined in this class correspond to some widely
53 * used algorithms, for which conventional string names have been defined.
54 * This class is not a general repository for OIDs, or for such string names.
55 * Note that the mappings between algorithm IDs and algorithm names is
56 * not one-to-one.
57 *
58 *
59 * @author David Brownell
60 * @author Amit Kapoor
61 * @author Hemma Prafullchandra
62 */
63 public class AlgorithmId implements Serializable, DerEncoder {
64
65 /** use serialVersionUID from JDK 1.1. for interoperability */
66 private static final long serialVersionUID = 7205873507486557157L;
67
68 /**
69 * The object identitifer being used for this algorithm.
70 */
71 private ObjectIdentifier algid;
72
73 // The (parsed) parameters
74 private AlgorithmParameters algParams;
75 private boolean constructedFromDer = true;
76
77 /**
78 * Parameters for this algorithm. These are stored in unparsed
79 * DER-encoded form; subclasses can be made to automaticaly parse
80 * them so there is fast access to these parameters.
81 */
82 protected DerValue params;
83
84
85 /**
86 * Constructs an algorithm ID which will be initialized
87 * separately, for example by deserialization.
88 * @deprecated use one of the other constructors.
89 */
90 @Deprecated
91 public AlgorithmId() { }
92
93 /**
94 * Constructs a parameterless algorithm ID.
95 *
96 * @param oid the identifier for the algorithm
97 */
98 public AlgorithmId(ObjectIdentifier oid) {
99 algid = oid;
100 }
101
102 /**
103 * Constructs an algorithm ID with algorithm parameters.
104 *
105 * @param oid the identifier for the algorithm.
106 * @param algparams the associated algorithm parameters.
107 */
108 public AlgorithmId(ObjectIdentifier oid, AlgorithmParameters algparams) {
109 algid = oid;
110 algParams = algparams;
111 constructedFromDer = false;
112 }
113
114 private AlgorithmId(ObjectIdentifier oid, DerValue params)
115 throws IOException {
116 this.algid = oid;
117 this.params = params;
118 if (this.params != null) {
119 decodeParams();
120 }
121 }
122
123 protected void decodeParams() throws IOException {
124 String algidString = algid.toString();
125 try {
126 algParams = AlgorithmParameters.getInstance(algidString);
127 } catch (NoSuchAlgorithmException e) {
128 /*
129 * This algorithm parameter type is not supported, so we cannot
130 * parse the parameters.
131 */
132 algParams = null;
133 return;
134 }
135
136 // Decode (parse) the parameters
137 algParams.init(params.toByteArray());
138 }
139
140 /**
141 * Marshal a DER-encoded "AlgorithmID" sequence on the DER stream.
142 */
143 public final void encode(DerOutputStream out) throws IOException {
144 derEncode(out);
145 }
146
147 /**
148 * DER encode this object onto an output stream.
149 * Implements the <code>DerEncoder</code> interface.
150 *
151 * @param out
152 * the output stream on which to write the DER encoding.
153 *
154 * @exception IOException on encoding error.
155 */
156 public void derEncode (OutputStream out) throws IOException {
157 DerOutputStream bytes = new DerOutputStream();
158 DerOutputStream tmp = new DerOutputStream();
159
160 bytes.putOID(algid);
161 // Setup params from algParams since no DER encoding is given
162 if (constructedFromDer == false) {
163 if (algParams != null) {
164 params = new DerValue(algParams.getEncoded());
165 } else {
166 params = null;
167 }
168 }
169 if (params == null) {
170 // Changes backed out for compatibility with Solaris
171
172 // Several AlgorithmId should omit the whole parameter part when
173 // it's NULL. They are ---
174 // rfc3370 2.1: Implementations SHOULD generate SHA-1
175 // AlgorithmIdentifiers with absent parameters.
176 // rfc3447 C1: When id-sha1, id-sha224, id-sha256, id-sha384 and
177 // id-sha512 are used in an AlgorithmIdentifier the parameters
178 // (which are optional) SHOULD be omitted.
179 // rfc3279 2.3.2: The id-dsa algorithm syntax includes optional
180 // domain parameters... When omitted, the parameters component
181 // MUST be omitted entirely
182 // rfc3370 3.1: When the id-dsa-with-sha1 algorithm identifier
183 // is used, the AlgorithmIdentifier parameters field MUST be absent.
184 /*if (
185 algid.equals((Object)SHA_oid) ||
186 algid.equals((Object)SHA224_oid) ||
187 algid.equals((Object)SHA256_oid) ||
188 algid.equals((Object)SHA384_oid) ||
189 algid.equals((Object)SHA512_oid) ||
190 algid.equals((Object)SHA512_224_oid) ||
191 algid.equals((Object)SHA512_256_oid) ||
192 algid.equals((Object)DSA_oid) ||
193 algid.equals((Object)sha1WithDSA_oid)) {
194 ; // no parameter part encoded
195 } else {
196 bytes.putNull();
197 }*/
198 if (algid.equals(RSASSA_PSS_oid)) {
199 // RFC 4055 3.3: when an RSASSA-PSS key does not require
200 // parameter validation, field is absent.
201 } else {
202 bytes.putNull();
203 }
204 } else {
205 bytes.putDerValue(params);
206 }
207 tmp.write(DerValue.tag_Sequence, bytes);
208 out.write(tmp.toByteArray());
209 }
210
211
212 /**
213 * Returns the DER-encoded X.509 AlgorithmId as a byte array.
214 */
215 public final byte[] encode() throws IOException {
216 DerOutputStream out = new DerOutputStream();
217 derEncode(out);
218 return out.toByteArray();
219 }
220
221 /**
222 * Returns the ISO OID for this algorithm. This is usually converted
223 * to a string and used as part of an algorithm name, for example
224 * "OID.1.3.14.3.2.13" style notation. Use the <code>getName</code>
225 * call when you do not need to ensure cross-system portability
226 * of algorithm names, or need a user friendly name.
227 */
228 public final ObjectIdentifier getOID () {
229 return algid;
230 }
231
232 /**
233 * Returns a name for the algorithm which may be more intelligible
234 * to humans than the algorithm's OID, but which won't necessarily
235 * be comprehensible on other systems. For example, this might
236 * return a name such as "MD5withRSA" for a signature algorithm on
237 * some systems. It also returns names like "OID.1.2.3.4", when
238 * no particular name for the algorithm is known.
239 */
240 public String getName() {
241 String algName = nameTable.get(algid);
242 if (algName != null) {
243 return algName;
244 }
245 if ((params != null) && algid.equals((Object)specifiedWithECDSA_oid)) {
246 try {
247 AlgorithmId paramsId =
248 AlgorithmId.parse(new DerValue(getEncodedParams()));
249 String paramsName = paramsId.getName();
250 algName = makeSigAlg(paramsName, "EC");
251 } catch (IOException e) {
252 // ignore
253 }
254 }
255 return (algName == null) ? algid.toString() : algName;
256 }
257
258 public AlgorithmParameters getParameters() {
259 return algParams;
260 }
261
262 /**
263 * Returns the DER encoded parameter, which can then be
264 * used to initialize java.security.AlgorithmParamters.
265 *
266 * @return DER encoded parameters, or null not present.
267 */
268 public byte[] getEncodedParams() throws IOException {
269 return (params == null) ? null : params.toByteArray();
270 }
271
272 /**
273 * Returns true iff the argument indicates the same algorithm
274 * with the same parameters.
275 */
276 public boolean equals(AlgorithmId other) {
277 boolean paramsEqual =
278 (params == null ? other.params == null : params.equals(other.params));
279 return (algid.equals((Object)other.algid) && paramsEqual);
280 }
281
282 /**
283 * Compares this AlgorithmID to another. If algorithm parameters are
284 * available, they are compared. Otherwise, just the object IDs
285 * for the algorithm are compared.
286 *
287 * @param other preferably an AlgorithmId, else an ObjectIdentifier
288 */
289 public boolean equals(Object other) {
290 if (this == other) {
291 return true;
292 }
293 if (other instanceof AlgorithmId) {
294 return equals((AlgorithmId) other);
295 } else if (other instanceof ObjectIdentifier) {
296 return equals((ObjectIdentifier) other);
297 } else {
298 return false;
299 }
300 }
301
302 /**
303 * Compares two algorithm IDs for equality. Returns true iff
304 * they are the same algorithm, ignoring algorithm parameters.
305 */
306 public final boolean equals(ObjectIdentifier id) {
307 return algid.equals((Object)id);
308 }
309
310 /**
311 * Returns a hashcode for this AlgorithmId.
312 *
313 * @return a hashcode for this AlgorithmId.
314 */
315 public int hashCode() {
316 StringBuilder sbuf = new StringBuilder();
317 sbuf.append(algid.toString());
318 sbuf.append(paramsToString());
319 return sbuf.toString().hashCode();
320 }
321
322 /**
323 * Provides a human-readable description of the algorithm parameters.
324 * This may be redefined by subclasses which parse those parameters.
325 */
326 protected String paramsToString() {
327 if (params == null) {
328 return "";
329 } else if (algParams != null) {
330 return algParams.toString();
331 } else {
332 return ", params unparsed";
333 }
334 }
335
336 /**
337 * Returns a string describing the algorithm and its parameters.
338 */
339 public String toString() {
340 return getName() + paramsToString();
341 }
342
343 /**
344 * Parse (unmarshal) an ID from a DER sequence input value. This form
345 * parsing might be used when expanding a value which has already been
346 * partially unmarshaled as a set or sequence member.
347 *
348 * @exception IOException on error.
349 * @param val the input value, which contains the algid and, if
350 * there are any parameters, those parameters.
351 * @return an ID for the algorithm. If the system is configured
352 * appropriately, this may be an instance of a class
353 * with some kind of special support for this algorithm.
354 * In that case, you may "narrow" the type of the ID.
355 */
356 public static AlgorithmId parse(DerValue val) throws IOException {
357 if (val.tag != DerValue.tag_Sequence) {
358 throw new IOException("algid parse error, not a sequence");
359 }
360
361 /*
362 * Get the algorithm ID and any parameters.
363 */
364 ObjectIdentifier algid;
365 DerValue params;
366 DerInputStream in = val.toDerInputStream();
367
368 algid = in.getOID();
369 if (in.available() == 0) {
370 params = null;
371 } else {
372 params = in.getDerValue();
373 if (params.tag == DerValue.tag_Null) {
374 if (params.length() != 0) {
375 throw new IOException("invalid NULL");
376 }
377 params = null;
378 }
379 if (in.available() != 0) {
380 throw new IOException("Invalid AlgorithmIdentifier: extra data");
381 }
382 }
383
384 return new AlgorithmId(algid, params);
385 }
386
387 /**
388 * Returns one of the algorithm IDs most commonly associated
389 * with this algorithm name.
390 *
391 * @param algname the name being used
392 * @deprecated use the short get form of this method.
393 * @exception NoSuchAlgorithmException on error.
394 */
395 @Deprecated
396 public static AlgorithmId getAlgorithmId(String algname)
397 throws NoSuchAlgorithmException {
398 return get(algname);
399 }
400
401 /**
402 * Returns one of the algorithm IDs most commonly associated
403 * with this algorithm name.
404 *
405 * @param algname the name being used
406 * @exception NoSuchAlgorithmException on error.
407 */
408 public static AlgorithmId get(String algname)
409 throws NoSuchAlgorithmException {
410 ObjectIdentifier oid;
411 try {
412 oid = algOID(algname);
413 } catch (IOException ioe) {
414 throw new NoSuchAlgorithmException
415 ("Invalid ObjectIdentifier " + algname);
416 }
417
418 if (oid == null) {
419 throw new NoSuchAlgorithmException
420 ("unrecognized algorithm name: " + algname);
421 }
422 return new AlgorithmId(oid);
423 }
424
425 /**
426 * Returns one of the algorithm IDs most commonly associated
427 * with this algorithm parameters.
428 *
429 * @param algparams the associated algorithm parameters.
430 * @exception NoSuchAlgorithmException on error.
431 */
432 public static AlgorithmId get(AlgorithmParameters algparams)
433 throws NoSuchAlgorithmException {
434 ObjectIdentifier oid;
435 String algname = algparams.getAlgorithm();
436 try {
437 oid = algOID(algname);
438 } catch (IOException ioe) {
439 throw new NoSuchAlgorithmException
440 ("Invalid ObjectIdentifier " + algname);
441 }
442 if (oid == null) {
443 throw new NoSuchAlgorithmException
444 ("unrecognized algorithm name: " + algname);
445 }
446 return new AlgorithmId(oid, algparams);
447 }
448
449 /*
450 * Translates from some common algorithm names to the
451 * OID with which they're usually associated ... this mapping
452 * is the reverse of the one below, except in those cases
453 * where synonyms are supported or where a given algorithm
454 * is commonly associated with multiple OIDs.
455 *
456 * XXX This method needs to be enhanced so that we can also pass the
457 * scope of the algorithm name to it, e.g., the algorithm name "DSA"
458 * may have a different OID when used as a "Signature" algorithm than when
459 * used as a "KeyPairGenerator" algorithm.
460 */
461 private static ObjectIdentifier algOID(String name) throws IOException {
462 // See if algname is in printable OID ("dot-dot") notation
463 if (name.indexOf('.') != -1) {
464 if (name.startsWith("OID.")) {
465 return new ObjectIdentifier(name.substring("OID.".length()));
466 } else {
467 return new ObjectIdentifier(name);
468 }
469 }
470
471 // Digesting algorithms
472 if (name.equalsIgnoreCase("MD5")) {
473 return AlgorithmId.MD5_oid;
474 }
475 if (name.equalsIgnoreCase("MD2")) {
476 return AlgorithmId.MD2_oid;
477 }
478 if (name.equalsIgnoreCase("SHA") || name.equalsIgnoreCase("SHA1")
479 || name.equalsIgnoreCase("SHA-1")) {
480 return AlgorithmId.SHA_oid;
481 }
482 if (name.equalsIgnoreCase("SHA-256") ||
483 name.equalsIgnoreCase("SHA256")) {
484 return AlgorithmId.SHA256_oid;
485 }
486 if (name.equalsIgnoreCase("SHA-384") ||
487 name.equalsIgnoreCase("SHA384")) {
488 return AlgorithmId.SHA384_oid;
489 }
490 if (name.equalsIgnoreCase("SHA-512") ||
491 name.equalsIgnoreCase("SHA512")) {
492 return AlgorithmId.SHA512_oid;
493 }
494 if (name.equalsIgnoreCase("SHA-224") ||
495 name.equalsIgnoreCase("SHA224")) {
496 return AlgorithmId.SHA224_oid;
497 }
498 if (name.equalsIgnoreCase("SHA-512/224") ||
499 name.equalsIgnoreCase("SHA512/224")) {
500 return AlgorithmId.SHA512_224_oid;
501 }
502 if (name.equalsIgnoreCase("SHA-512/256") ||
503 name.equalsIgnoreCase("SHA512/256")) {
504 return AlgorithmId.SHA512_256_oid;
505 }
506 // Various public key algorithms
507 if (name.equalsIgnoreCase("RSA")) {
508 return AlgorithmId.RSAEncryption_oid;
509 }
510 if (name.equalsIgnoreCase("RSASSA-PSS")) {
511 return AlgorithmId.RSASSA_PSS_oid;
512 }
513 if (name.equalsIgnoreCase("RSAES-OAEP")) {
514 return AlgorithmId.RSAES_OAEP_oid;
515 }
516 if (name.equalsIgnoreCase("Diffie-Hellman")
517 || name.equalsIgnoreCase("DH")) {
518 return AlgorithmId.DH_oid;
519 }
520 if (name.equalsIgnoreCase("DSA")) {
521 return AlgorithmId.DSA_oid;
522 }
523 if (name.equalsIgnoreCase("EC")) {
524 return EC_oid;
525 }
526 if (name.equalsIgnoreCase("ECDH")) {
527 return AlgorithmId.ECDH_oid;
528 }
529
530 // Secret key algorithms
531 if (name.equalsIgnoreCase("AES")) {
532 return AlgorithmId.AES_oid;
533 }
534
535 // Common signature types
536 if (name.equalsIgnoreCase("MD5withRSA")
537 || name.equalsIgnoreCase("MD5/RSA")) {
538 return AlgorithmId.md5WithRSAEncryption_oid;
539 }
540 if (name.equalsIgnoreCase("MD2withRSA")
541 || name.equalsIgnoreCase("MD2/RSA")) {
542 return AlgorithmId.md2WithRSAEncryption_oid;
543 }
544 if (name.equalsIgnoreCase("SHAwithDSA")
545 || name.equalsIgnoreCase("SHA1withDSA")
546 || name.equalsIgnoreCase("SHA/DSA")
547 || name.equalsIgnoreCase("SHA1/DSA")
548 || name.equalsIgnoreCase("DSAWithSHA1")
549 || name.equalsIgnoreCase("DSS")
550 || name.equalsIgnoreCase("SHA-1/DSA")) {
551 return AlgorithmId.sha1WithDSA_oid;
552 }
553 if (name.equalsIgnoreCase("SHA224WithDSA")) {
554 return AlgorithmId.sha224WithDSA_oid;
555 }
556 if (name.equalsIgnoreCase("SHA256WithDSA")) {
557 return AlgorithmId.sha256WithDSA_oid;
558 }
559 if (name.equalsIgnoreCase("SHA1WithRSA")
560 || name.equalsIgnoreCase("SHA1/RSA")) {
561 return AlgorithmId.sha1WithRSAEncryption_oid;
562 }
563 if (name.equalsIgnoreCase("SHA1withECDSA")
564 || name.equalsIgnoreCase("ECDSA")) {
565 return AlgorithmId.sha1WithECDSA_oid;
566 }
567 if (name.equalsIgnoreCase("SHA224withECDSA")) {
568 return AlgorithmId.sha224WithECDSA_oid;
569 }
570 if (name.equalsIgnoreCase("SHA256withECDSA")) {
571 return AlgorithmId.sha256WithECDSA_oid;
572 }
573 if (name.equalsIgnoreCase("SHA384withECDSA")) {
574 return AlgorithmId.sha384WithECDSA_oid;
575 }
576 if (name.equalsIgnoreCase("SHA512withECDSA")) {
577 return AlgorithmId.sha512WithECDSA_oid;
578 }
579
580 return oidTable().get(name.toUpperCase(Locale.ENGLISH));
581 }
582
583 private static ObjectIdentifier oid(int ... values) {
584 return ObjectIdentifier.newInternal(values);
585 }
586
587 private static volatile Map<String,ObjectIdentifier> oidTable;
588 private static final Map<ObjectIdentifier,String> nameTable;
589
590 /** Returns the oidTable, lazily initializing it on first access. */
591 private static Map<String,ObjectIdentifier> oidTable()
592 throws IOException {
593 // Double checked locking; safe because oidTable is volatile
594 Map<String,ObjectIdentifier> tab;
595 if ((tab = oidTable) == null) {
596 synchronized (AlgorithmId.class) {
597 if ((tab = oidTable) == null)
598 oidTable = tab = computeOidTable();
599 }
600 }
601 return tab;
602 }
603
604 /** Collects the algorithm names from the installed providers. */
605 private static HashMap<String,ObjectIdentifier> computeOidTable()
606 throws IOException {
607 HashMap<String,ObjectIdentifier> tab = new HashMap<>();
608 for (Provider provider : Security.getProviders()) {
609 for (Object key : provider.keySet()) {
610 String alias = (String)key;
611 String upperCaseAlias = alias.toUpperCase(Locale.ENGLISH);
612 int index;
613 if (upperCaseAlias.startsWith("ALG.ALIAS") &&
614 (index=upperCaseAlias.indexOf("OID.", 0)) != -1) {
615 index += "OID.".length();
616 if (index == alias.length()) {
617 // invalid alias entry
618 break;
619 }
620 String oidString = alias.substring(index);
621 String stdAlgName = provider.getProperty(alias);
622 if (stdAlgName != null) {
623 stdAlgName = stdAlgName.toUpperCase(Locale.ENGLISH);
624 }
625 if (stdAlgName != null &&
626 tab.get(stdAlgName) == null) {
627 tab.put(stdAlgName, new ObjectIdentifier(oidString));
628 }
629 }
630 }
631 }
632 return tab;
633 }
634
635 /*****************************************************************/
636
637 /*
638 * HASHING ALGORITHMS
639 */
640
641 /**
642 * Algorithm ID for the MD2 Message Digest Algorthm, from RFC 1319.
643 * OID = 1.2.840.113549.2.2
644 */
645 public static final ObjectIdentifier MD2_oid =
646 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 2});
647
648 /**
649 * Algorithm ID for the MD5 Message Digest Algorthm, from RFC 1321.
650 * OID = 1.2.840.113549.2.5
651 */
652 public static final ObjectIdentifier MD5_oid =
653 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 5});
654
655 /**
656 * Algorithm ID for the SHA1 Message Digest Algorithm, from FIPS 180-1.
657 * This is sometimes called "SHA", though that is often confusing since
658 * many people refer to FIPS 180 (which has an error) as defining SHA.
659 * OID = 1.3.14.3.2.26. Old SHA-0 OID: 1.3.14.3.2.18.
660 */
661 public static final ObjectIdentifier SHA_oid =
662 ObjectIdentifier.newInternal(new int[] {1, 3, 14, 3, 2, 26});
663
664 public static final ObjectIdentifier SHA224_oid =
665 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 4});
666
667 public static final ObjectIdentifier SHA256_oid =
668 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 1});
669
670 public static final ObjectIdentifier SHA384_oid =
671 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 2});
672
673 public static final ObjectIdentifier SHA512_oid =
674 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 3});
675
676 public static final ObjectIdentifier SHA512_224_oid =
677 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 5});
678
679 public static final ObjectIdentifier SHA512_256_oid =
680 ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 6});
681
682 /*
683 * COMMON PUBLIC KEY TYPES
684 */
685 private static final int[] DH_data = { 1, 2, 840, 113549, 1, 3, 1 };
686 private static final int[] DH_PKIX_data = { 1, 2, 840, 10046, 2, 1 };
687 private static final int[] DSA_OIW_data = { 1, 3, 14, 3, 2, 12 };
688 private static final int[] DSA_PKIX_data = { 1, 2, 840, 10040, 4, 1 };
689 private static final int[] RSA_data = { 2, 5, 8, 1, 1 };
690
691 public static final ObjectIdentifier DH_oid;
692 public static final ObjectIdentifier DH_PKIX_oid;
693 public static final ObjectIdentifier DSA_oid;
694 public static final ObjectIdentifier DSA_OIW_oid;
695 public static final ObjectIdentifier EC_oid = oid(1, 2, 840, 10045, 2, 1);
696 public static final ObjectIdentifier ECDH_oid = oid(1, 3, 132, 1, 12);
697 public static final ObjectIdentifier RSA_oid;
698 public static final ObjectIdentifier RSAEncryption_oid =
699 oid(1, 2, 840, 113549, 1, 1, 1);
700 public static final ObjectIdentifier RSAES_OAEP_oid =
701 oid(1, 2, 840, 113549, 1, 1, 7);
702 public static final ObjectIdentifier mgf1_oid =
703 oid(1, 2, 840, 113549, 1, 1, 8);
704 public static final ObjectIdentifier RSASSA_PSS_oid =
705 oid(1, 2, 840, 113549, 1, 1, 10);
706
707 /*
708 * COMMON SECRET KEY TYPES
709 */
710 public static final ObjectIdentifier AES_oid =
711 oid(2, 16, 840, 1, 101, 3, 4, 1);
712
713 /*
714 * COMMON SIGNATURE ALGORITHMS
715 */
716 private static final int[] md2WithRSAEncryption_data =
717 { 1, 2, 840, 113549, 1, 1, 2 };
718 private static final int[] md5WithRSAEncryption_data =
719 { 1, 2, 840, 113549, 1, 1, 4 };
720 private static final int[] sha1WithRSAEncryption_data =
721 { 1, 2, 840, 113549, 1, 1, 5 };
722 private static final int[] sha1WithRSAEncryption_OIW_data =
723 { 1, 3, 14, 3, 2, 29 };
724 private static final int[] sha224WithRSAEncryption_data =
725 { 1, 2, 840, 113549, 1, 1, 14 };
726 private static final int[] sha256WithRSAEncryption_data =
727 { 1, 2, 840, 113549, 1, 1, 11 };
728 private static final int[] sha384WithRSAEncryption_data =
729 { 1, 2, 840, 113549, 1, 1, 12 };
730 private static final int[] sha512WithRSAEncryption_data =
731 { 1, 2, 840, 113549, 1, 1, 13 };
732
733 private static final int[] shaWithDSA_OIW_data =
734 { 1, 3, 14, 3, 2, 13 };
735 private static final int[] sha1WithDSA_OIW_data =
736 { 1, 3, 14, 3, 2, 27 };
737 private static final int[] dsaWithSHA1_PKIX_data =
738 { 1, 2, 840, 10040, 4, 3 };
739
740 public static final ObjectIdentifier md2WithRSAEncryption_oid;
741 public static final ObjectIdentifier md5WithRSAEncryption_oid;
742 public static final ObjectIdentifier sha1WithRSAEncryption_oid;
743 public static final ObjectIdentifier sha1WithRSAEncryption_OIW_oid;
744 public static final ObjectIdentifier sha224WithRSAEncryption_oid;
745 public static final ObjectIdentifier sha256WithRSAEncryption_oid;
746 public static final ObjectIdentifier sha384WithRSAEncryption_oid;
747 public static final ObjectIdentifier sha512WithRSAEncryption_oid;
748 public static final ObjectIdentifier sha512_224WithRSAEncryption_oid =
749 oid(1, 2, 840, 113549, 1, 1, 15);
750 public static final ObjectIdentifier sha512_256WithRSAEncryption_oid =
751 oid(1, 2, 840, 113549, 1, 1, 16);;
752
753 public static final ObjectIdentifier shaWithDSA_OIW_oid;
754 public static final ObjectIdentifier sha1WithDSA_OIW_oid;
755 public static final ObjectIdentifier sha1WithDSA_oid;
756 public static final ObjectIdentifier sha224WithDSA_oid =
757 oid(2, 16, 840, 1, 101, 3, 4, 3, 1);
758 public static final ObjectIdentifier sha256WithDSA_oid =
759 oid(2, 16, 840, 1, 101, 3, 4, 3, 2);
760
761 public static final ObjectIdentifier sha1WithECDSA_oid =
762 oid(1, 2, 840, 10045, 4, 1);
763 public static final ObjectIdentifier sha224WithECDSA_oid =
764 oid(1, 2, 840, 10045, 4, 3, 1);
765 public static final ObjectIdentifier sha256WithECDSA_oid =
766 oid(1, 2, 840, 10045, 4, 3, 2);
767 public static final ObjectIdentifier sha384WithECDSA_oid =
768 oid(1, 2, 840, 10045, 4, 3, 3);
769 public static final ObjectIdentifier sha512WithECDSA_oid =
770 oid(1, 2, 840, 10045, 4, 3, 4);
771 public static final ObjectIdentifier specifiedWithECDSA_oid =
772 oid(1, 2, 840, 10045, 4, 3);
773
774 /**
775 * Algorithm ID for the PBE encryption algorithms from PKCS#5 and
776 * PKCS#12.
777 */
778 public static final ObjectIdentifier pbeWithMD5AndDES_oid =
779 ObjectIdentifier.newInternal(new int[]{1, 2, 840, 113549, 1, 5, 3});
780 public static final ObjectIdentifier pbeWithMD5AndRC2_oid =
781 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 6});
782 public static final ObjectIdentifier pbeWithSHA1AndDES_oid =
783 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 10});
784 public static final ObjectIdentifier pbeWithSHA1AndRC2_oid =
785 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 11});
786 public static ObjectIdentifier pbeWithSHA1AndDESede_oid =
787 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 3});
788 public static ObjectIdentifier pbeWithSHA1AndRC2_40_oid =
789 ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 6});
790
791 static {
792 /*
793 * Note the preferred OIDs are named simply with no "OIW" or
794 * "PKIX" in them, even though they may point to data from these
795 * specs; e.g. SHA_oid, DH_oid, DSA_oid, SHA1WithDSA_oid...
796 */
797 /**
798 * Algorithm ID for Diffie Hellman Key agreement, from PKCS #3.
799 * Parameters include public values P and G, and may optionally specify
800 * the length of the private key X. Alternatively, algorithm parameters
801 * may be derived from another source such as a Certificate Authority's
802 * certificate.
803 * OID = 1.2.840.113549.1.3.1
804 */
805 DH_oid = ObjectIdentifier.newInternal(DH_data);
806
807 /**
808 * Algorithm ID for the Diffie Hellman Key Agreement (DH), from RFC 3279.
809 * Parameters may include public values P and G.
810 * OID = 1.2.840.10046.2.1
811 */
812 DH_PKIX_oid = ObjectIdentifier.newInternal(DH_PKIX_data);
813
814 /**
815 * Algorithm ID for the Digital Signing Algorithm (DSA), from the
816 * NIST OIW Stable Agreements part 12.
817 * Parameters may include public values P, Q, and G; or these may be
818 * derived from
819 * another source such as a Certificate Authority's certificate.
820 * OID = 1.3.14.3.2.12
821 */
822 DSA_OIW_oid = ObjectIdentifier.newInternal(DSA_OIW_data);
823
824 /**
825 * Algorithm ID for the Digital Signing Algorithm (DSA), from RFC 3279.
826 * Parameters may include public values P, Q, and G; or these may be
827 * derived from another source such as a Certificate Authority's
828 * certificate.
829 * OID = 1.2.840.10040.4.1
830 */
831 DSA_oid = ObjectIdentifier.newInternal(DSA_PKIX_data);
832
833 /**
834 * Algorithm ID for RSA keys used for any purpose, as defined in X.509.
835 * The algorithm parameter is a single value, the number of bits in the
836 * public modulus.
837 * OID = 2.5.8.1.1
838 */
839 RSA_oid = ObjectIdentifier.newInternal(RSA_data);
840
841 /**
842 * Identifies a signing algorithm where an MD2 digest is encrypted
843 * using an RSA private key; defined in PKCS #1. Use of this
844 * signing algorithm is discouraged due to MD2 vulnerabilities.
845 * OID = 1.2.840.113549.1.1.2
846 */
847 md2WithRSAEncryption_oid =
848 ObjectIdentifier.newInternal(md2WithRSAEncryption_data);
849
850 /**
851 * Identifies a signing algorithm where an MD5 digest is
852 * encrypted using an RSA private key; defined in PKCS #1.
853 * OID = 1.2.840.113549.1.1.4
854 */
855 md5WithRSAEncryption_oid =
856 ObjectIdentifier.newInternal(md5WithRSAEncryption_data);
857
858 /**
859 * Identifies a signing algorithm where a SHA1 digest is
860 * encrypted using an RSA private key; defined by RSA DSI.
861 * OID = 1.2.840.113549.1.1.5
862 */
863 sha1WithRSAEncryption_oid =
864 ObjectIdentifier.newInternal(sha1WithRSAEncryption_data);
865
866 /**
867 * Identifies a signing algorithm where a SHA1 digest is
868 * encrypted using an RSA private key; defined in NIST OIW.
869 * OID = 1.3.14.3.2.29
870 */
871 sha1WithRSAEncryption_OIW_oid =
872 ObjectIdentifier.newInternal(sha1WithRSAEncryption_OIW_data);
873
874 /**
875 * Identifies a signing algorithm where a SHA224 digest is
876 * encrypted using an RSA private key; defined by PKCS #1.
877 * OID = 1.2.840.113549.1.1.14
878 */
879 sha224WithRSAEncryption_oid =
880 ObjectIdentifier.newInternal(sha224WithRSAEncryption_data);
881
882 /**
883 * Identifies a signing algorithm where a SHA256 digest is
884 * encrypted using an RSA private key; defined by PKCS #1.
885 * OID = 1.2.840.113549.1.1.11
886 */
887 sha256WithRSAEncryption_oid =
888 ObjectIdentifier.newInternal(sha256WithRSAEncryption_data);
889
890 /**
891 * Identifies a signing algorithm where a SHA384 digest is
892 * encrypted using an RSA private key; defined by PKCS #1.
893 * OID = 1.2.840.113549.1.1.12
894 */
895 sha384WithRSAEncryption_oid =
896 ObjectIdentifier.newInternal(sha384WithRSAEncryption_data);
897
898 /**
899 * Identifies a signing algorithm where a SHA512 digest is
900 * encrypted using an RSA private key; defined by PKCS #1.
901 * OID = 1.2.840.113549.1.1.13
902 */
903 sha512WithRSAEncryption_oid =
904 ObjectIdentifier.newInternal(sha512WithRSAEncryption_data);
905
906 /**
907 * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a
908 * SHA digest is signed using the Digital Signing Algorithm (DSA).
909 * This should not be used.
910 * OID = 1.3.14.3.2.13
911 */
912 shaWithDSA_OIW_oid = ObjectIdentifier.newInternal(shaWithDSA_OIW_data);
913
914 /**
915 * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a
916 * SHA1 digest is signed using the Digital Signing Algorithm (DSA).
917 * OID = 1.3.14.3.2.27
918 */
919 sha1WithDSA_OIW_oid = ObjectIdentifier.newInternal(sha1WithDSA_OIW_data);
920
921 /**
922 * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a
923 * SHA1 digest is signed using the Digital Signing Algorithm (DSA).
924 * OID = 1.2.840.10040.4.3
925 */
926 sha1WithDSA_oid = ObjectIdentifier.newInternal(dsaWithSHA1_PKIX_data);
927
928 nameTable = new HashMap<>();
929 nameTable.put(MD5_oid, "MD5");
930 nameTable.put(MD2_oid, "MD2");
931 nameTable.put(SHA_oid, "SHA-1");
932 nameTable.put(SHA224_oid, "SHA-224");
933 nameTable.put(SHA256_oid, "SHA-256");
934 nameTable.put(SHA384_oid, "SHA-384");
935 nameTable.put(SHA512_oid, "SHA-512");
936 nameTable.put(SHA512_224_oid, "SHA-512/224");
937 nameTable.put(SHA512_256_oid, "SHA-512/256");
938 nameTable.put(RSAEncryption_oid, "RSA");
939 nameTable.put(RSA_oid, "RSA");
940 nameTable.put(DH_oid, "Diffie-Hellman");
941 nameTable.put(DH_PKIX_oid, "Diffie-Hellman");
942 nameTable.put(DSA_oid, "DSA");
943 nameTable.put(DSA_OIW_oid, "DSA");
944 nameTable.put(EC_oid, "EC");
945 nameTable.put(ECDH_oid, "ECDH");
946
947 nameTable.put(AES_oid, "AES");
948
949 nameTable.put(sha1WithECDSA_oid, "SHA1withECDSA");
950 nameTable.put(sha224WithECDSA_oid, "SHA224withECDSA");
951 nameTable.put(sha256WithECDSA_oid, "SHA256withECDSA");
952 nameTable.put(sha384WithECDSA_oid, "SHA384withECDSA");
953 nameTable.put(sha512WithECDSA_oid, "SHA512withECDSA");
954 nameTable.put(md5WithRSAEncryption_oid, "MD5withRSA");
955 nameTable.put(md2WithRSAEncryption_oid, "MD2withRSA");
956 nameTable.put(sha1WithDSA_oid, "SHA1withDSA");
957 nameTable.put(sha1WithDSA_OIW_oid, "SHA1withDSA");
958 nameTable.put(shaWithDSA_OIW_oid, "SHA1withDSA");
959 nameTable.put(sha224WithDSA_oid, "SHA224withDSA");
960 nameTable.put(sha256WithDSA_oid, "SHA256withDSA");
961 nameTable.put(sha1WithRSAEncryption_oid, "SHA1withRSA");
962 nameTable.put(sha1WithRSAEncryption_OIW_oid, "SHA1withRSA");
963 nameTable.put(sha224WithRSAEncryption_oid, "SHA224withRSA");
964 nameTable.put(sha256WithRSAEncryption_oid, "SHA256withRSA");
965 nameTable.put(sha384WithRSAEncryption_oid, "SHA384withRSA");
966 nameTable.put(sha512WithRSAEncryption_oid, "SHA512withRSA");
967 nameTable.put(sha512_224WithRSAEncryption_oid, "SHA512/224withRSA");
968 nameTable.put(sha512_256WithRSAEncryption_oid, "SHA512/256withRSA");
969 nameTable.put(RSASSA_PSS_oid, "RSASSA-PSS");
970 nameTable.put(RSAES_OAEP_oid, "RSAES-OAEP");
971
972 nameTable.put(pbeWithMD5AndDES_oid, "PBEWithMD5AndDES");
973 nameTable.put(pbeWithMD5AndRC2_oid, "PBEWithMD5AndRC2");
974 nameTable.put(pbeWithSHA1AndDES_oid, "PBEWithSHA1AndDES");
975 nameTable.put(pbeWithSHA1AndRC2_oid, "PBEWithSHA1AndRC2");
976 nameTable.put(pbeWithSHA1AndDESede_oid, "PBEWithSHA1AndDESede");
977 nameTable.put(pbeWithSHA1AndRC2_40_oid, "PBEWithSHA1AndRC2_40");
978 }
979
980 /**
981 * Creates a signature algorithm name from a digest algorithm
982 * name and a encryption algorithm name.
983 */
984 public static String makeSigAlg(String digAlg, String encAlg) {
985 digAlg = digAlg.replace("-", "");
986 if (encAlg.equalsIgnoreCase("EC")) encAlg = "ECDSA";
987
988 return digAlg + "with" + encAlg;
989 }
990
991 /**
992 * Extracts the encryption algorithm name from a signature
993 * algorithm name.
994 */
995 public static String getEncAlgFromSigAlg(String signatureAlgorithm) {
996 signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
997 int with = signatureAlgorithm.indexOf("WITH");
998 String keyAlgorithm = null;
999 if (with > 0) {
1000 int and = signatureAlgorithm.indexOf("AND", with + 4);
1001 if (and > 0) {
1002 keyAlgorithm = signatureAlgorithm.substring(with + 4, and);
1003 } else {
1004 keyAlgorithm = signatureAlgorithm.substring(with + 4);
1005 }
1006 if (keyAlgorithm.equalsIgnoreCase("ECDSA")) {
1007 keyAlgorithm = "EC";
1008 }
1009 }
1010 return keyAlgorithm;
1011 }
1012
1013 /**
1014 * Extracts the digest algorithm name from a signature
1015 * algorithm name.
1016 */
1017 public static String getDigAlgFromSigAlg(String signatureAlgorithm) {
1018 signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
1019 int with = signatureAlgorithm.indexOf("WITH");
1020 if (with > 0) {
1021 return signatureAlgorithm.substring(0, with);
1022 }
1023 return null;
1024 }
1025
1026 /**
1027 * Checks if a signature algorithm matches a key algorithm, i.e. a
1028 * signature can be initialized with a key.
1029 *
1030 * @param kAlg must not be null
1031 * @param sAlg must not be null
1032 * @throws IllegalArgumentException if they do not match
1033 */
1034 public static void checkKeyAndSigAlgMatch(String kAlg, String sAlg) {
1035 String sAlgUp = sAlg.toUpperCase(Locale.US);
1036 if ((sAlgUp.endsWith("WITHRSA") && !kAlg.equalsIgnoreCase("RSA")) ||
1037 (sAlgUp.endsWith("WITHECDSA") && !kAlg.equalsIgnoreCase("EC")) ||
1038 (sAlgUp.endsWith("WITHDSA") && !kAlg.equalsIgnoreCase("DSA"))) {
1039 throw new IllegalArgumentException(
1040 "key algorithm not compatible with signature algorithm");
1041 }
1042 }
1043
1044 /**
1045 * Returns the default signature algorithm for a private key. The digest
1046 * part might evolve with time. Remember to update the spec of
1047 * {@link jdk.security.jarsigner.JarSigner.Builder#getDefaultSignatureAlgorithm(PrivateKey)}
1048 * if updated.
1049 *
1050 * @param k cannot be null
1051 * @return the default alg, might be null if unsupported
1052 */
1053 public static String getDefaultSigAlgForKey(PrivateKey k) {
1054 switch (k.getAlgorithm().toUpperCase(Locale.ENGLISH)) {
1055 case "EC":
1056 return ecStrength(KeyUtil.getKeySize(k))
1057 + "withECDSA";
1058 case "DSA":
1059 return ifcFfcStrength(KeyUtil.getKeySize(k))
1060 + "withDSA";
1061 case "RSA":
1062 return ifcFfcStrength(KeyUtil.getKeySize(k))
1063 + "withRSA";
1064 default:
1065 return null;
1066 }
1067 }
1068
1069 // Most commonly used PSSParameterSpec and AlgorithmId
1070 private static class PSSParamsHolder {
1071
1072 final static PSSParameterSpec PSS_256_SPEC = new PSSParameterSpec(
1073 "SHA-256", "MGF1",
1074 new MGF1ParameterSpec("SHA-256"),
1075 32, PSSParameterSpec.TRAILER_FIELD_BC);
1076 final static PSSParameterSpec PSS_384_SPEC = new PSSParameterSpec(
1077 "SHA-384", "MGF1",
1078 new MGF1ParameterSpec("SHA-384"),
1079 48, PSSParameterSpec.TRAILER_FIELD_BC);
1080 final static PSSParameterSpec PSS_512_SPEC = new PSSParameterSpec(
1081 "SHA-512", "MGF1",
1082 new MGF1ParameterSpec("SHA-512"),
1083 64, PSSParameterSpec.TRAILER_FIELD_BC);
1084
1085 final static AlgorithmId PSS_256_ID;
1086 final static AlgorithmId PSS_384_ID;
1087 final static AlgorithmId PSS_512_ID;
1088
1089 static {
1090 try {
1091 PSS_256_ID = new AlgorithmId(RSASSA_PSS_oid,
1092 new DerValue(PSSParameters.getEncoded(PSS_256_SPEC)));
1093 PSS_384_ID = new AlgorithmId(RSASSA_PSS_oid,
1094 new DerValue(PSSParameters.getEncoded(PSS_384_SPEC)));
1095 PSS_512_ID = new AlgorithmId(RSASSA_PSS_oid,
1096 new DerValue(PSSParameters.getEncoded(PSS_512_SPEC)));
1097 } catch (IOException e) {
1098 throw new AssertionError("Should not happen", e);
1099 }
1100 }
1101 }
1102
1103 public static AlgorithmId getWithParameterSpec(String algName,
1104 AlgorithmParameterSpec spec) throws NoSuchAlgorithmException {
1105
1106 if (spec == null) {
1107 return AlgorithmId.get(algName);
1108 } else if (spec == PSSParamsHolder.PSS_256_SPEC) {
1109 return PSSParamsHolder.PSS_256_ID;
1110 } else if (spec == PSSParamsHolder.PSS_384_SPEC) {
1111 return PSSParamsHolder.PSS_384_ID;
1112 } else if (spec == PSSParamsHolder.PSS_512_SPEC) {
1113 return PSSParamsHolder.PSS_512_ID;
1114 } else {
1115 try {
1116 AlgorithmParameters result =
1117 AlgorithmParameters.getInstance(algName);
1118 result.init(spec);
1119 return get(result);
1120 } catch (InvalidParameterSpecException | NoSuchAlgorithmException e) {
1121 throw new ProviderException(e);
1122 }
1123 }
1124 }
1125
1126 public static PSSParameterSpec getDefaultAlgorithmParameterSpec(
1127 String sigAlg, PrivateKey k) {
1128 if (sigAlg.equalsIgnoreCase("RSASSA-PSS")) {
1129 switch (ifcFfcStrength(KeyUtil.getKeySize(k))) {
1130 case "SHA256":
1131 return PSSParamsHolder.PSS_256_SPEC;
1132 case "SHA384":
1133 return PSSParamsHolder.PSS_384_SPEC;
1134 case "SHA512":
1135 return PSSParamsHolder.PSS_512_SPEC;
1136 default:
1137 throw new AssertionError("Should not happen");
1138 }
1139 } else {
1140 return null;
1141 }
1142 }
1143
1144 // Values from SP800-57 part 1 rev 4 tables 2 and 3
1145 private static String ecStrength (int bitLength) {
1146 if (bitLength >= 512) { // 256 bits of strength
1147 return "SHA512";
1148 } else if (bitLength >= 384) { // 192 bits of strength
1149 return "SHA384";
1150 } else { // 128 bits of strength and less
1151 return "SHA256";
1152 }
1153 }
1154
1155 // Same values for RSA and DSA
1156 private static String ifcFfcStrength (int bitLength) {
1157 if (bitLength > 7680) { // 256 bits
1158 return "SHA512";
1159 } else if (bitLength > 3072) { // 192 bits
1160 return "SHA384";
1161 } else { // 128 bits and less
1162 return "SHA256";
1163 }
1164 }
1165 }