1 /*
2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.pkcs11;
27
28 import java.io.IOException;
29 import java.math.BigInteger;
30 import java.nio.ByteBuffer;
31
32 import java.security.*;
33 import java.security.interfaces.*;
34 import java.security.spec.AlgorithmParameterSpec;
35 import sun.nio.ch.DirectBuffer;
36
37 import sun.security.util.*;
38 import sun.security.x509.AlgorithmId;
39
40 import sun.security.rsa.RSASignature;
41 import sun.security.rsa.RSAPadding;
42
43 import sun.security.pkcs11.wrapper.*;
44 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
45 import sun.security.util.KeyUtil;
46
47 /**
48 * Signature implementation class. This class currently supports the
49 * following algorithms:
50 *
51 * . DSA
52 * . NONEwithDSA (RawDSA)
53 * . SHA1withDSA
54 * . NONEwithDSAinP1363Format (RawDSAinP1363Format)
55 * . SHA1withDSAinP1363Format
56 * . RSA:
57 * . MD2withRSA
58 * . MD5withRSA
59 * . SHA1withRSA
60 * . SHA224withRSA
61 * . SHA256withRSA
62 * . SHA384withRSA
63 * . SHA512withRSA
64 * . ECDSA
65 * . NONEwithECDSA
66 * . SHA1withECDSA
67 * . SHA224withECDSA
68 * . SHA256withECDSA
69 * . SHA384withECDSA
70 * . SHA512withECDSA
71 * . NONEwithECDSAinP1363Format
72 * . SHA1withECDSAinP1363Format
73 * . SHA224withECDSAinP1363Format
74 * . SHA256withECDSAinP1363Format
75 * . SHA384withECDSAinP1363Format
76 * . SHA512withECDSAinP1363Format
77 *
78 * Note that the underlying PKCS#11 token may support complete signature
79 * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just
80 * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS),
81 * or it may only implement the raw public key operation (CKM_RSA_X_509).
82 * This class uses what is available and adds whatever extra processing
83 * is needed.
84 *
85 * @author Andreas Sterbenz
86 * @since 1.5
87 */
88 final class P11Signature extends SignatureSpi {
89
90 // token instance
91 private final Token token;
92
93 // algorithm name
94 private final String algorithm;
95
96 // name of the key algorithm, currently either RSA or DSA
97 private final String keyAlgorithm;
98
99 // mechanism id
100 private final long mechanism;
101
102 // digest algorithm OID, if we encode RSA signature ourselves
103 private final ObjectIdentifier digestOID;
104
105 // type, one of T_* below
106 private final int type;
107
108 // key instance used, if init*() was called
109 private P11Key p11Key;
110
111 // message digest, if we do the digesting ourselves
112 private final MessageDigest md;
113
114 // associated session, if any
115 private Session session;
116
117 // mode, one of M_* below
118 private int mode;
119
120 // flag indicating whether an operation is initialized
121 private boolean initialized;
122
123 // buffer, for update(byte) or DSA
124 private final byte[] buffer;
125
126 // total number of bytes processed in current operation
127 private int bytesProcessed;
128
129 // The format, to be used for DSA and ECDSA signatures.
130 // If true, the IEEE P1363 format will be used, the concatenation of
131 // r and s. If false (default), the signature will be formatted as a
132 // DER-encoded ASN.1 sequence of r and s.
133 private boolean p1363Format = false;
134
135 // constant for signing mode
136 private final static int M_SIGN = 1;
137 // constant for verification mode
138 private final static int M_VERIFY = 2;
139
140 // constant for type digesting, we do the hashing ourselves
141 private final static int T_DIGEST = 1;
142 // constant for type update, token does everything
143 private final static int T_UPDATE = 2;
144 // constant for type raw, used with RawDSA and NONEwithECDSA only
145 private final static int T_RAW = 3;
146
147 // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits",
148 // but this is a little arbitrary
149 private final static int RAW_ECDSA_MAX = 128;
150
151 P11Signature(Token token, String algorithm, long mechanism)
152 throws NoSuchAlgorithmException, PKCS11Exception {
153 super();
154 this.token = token;
155 this.algorithm = algorithm;
156 this.mechanism = mechanism;
157 byte[] buffer = null;
158 ObjectIdentifier digestOID = null;
159 MessageDigest md = null;
160 switch ((int)mechanism) {
161 case (int)CKM_MD2_RSA_PKCS:
162 case (int)CKM_MD5_RSA_PKCS:
163 case (int)CKM_SHA1_RSA_PKCS:
164 case (int)CKM_SHA224_RSA_PKCS:
165 case (int)CKM_SHA256_RSA_PKCS:
166 case (int)CKM_SHA384_RSA_PKCS:
167 case (int)CKM_SHA512_RSA_PKCS:
168 keyAlgorithm = "RSA";
169 type = T_UPDATE;
170 buffer = new byte[1];
171 break;
172 case (int)CKM_DSA_SHA1:
173 keyAlgorithm = "DSA";
174 type = T_UPDATE;
175 buffer = new byte[1];
176 break;
177 case (int)CKM_ECDSA_SHA1:
178 keyAlgorithm = "EC";
179 type = T_UPDATE;
180 buffer = new byte[1];
181 break;
182 case (int)CKM_DSA:
183 keyAlgorithm = "DSA";
184 if (algorithm.equals("DSA") ||
185 algorithm.equals("DSAinP1363Format")) {
186 type = T_DIGEST;
187 md = MessageDigest.getInstance("SHA-1");
188 } else if (algorithm.equals("RawDSA") ||
189 algorithm.equals("RawDSAinP1363Format")) {
190 type = T_RAW;
191 buffer = new byte[20];
192 } else {
193 throw new ProviderException(algorithm);
194 }
195 break;
196 case (int)CKM_ECDSA:
197 keyAlgorithm = "EC";
198 if (algorithm.equals("NONEwithECDSA") ||
199 algorithm.equals("NONEwithECDSAinP1363Format")) {
200 type = T_RAW;
201 buffer = new byte[RAW_ECDSA_MAX];
202 } else {
203 String digestAlg;
204 if (algorithm.equals("SHA1withECDSA") ||
205 algorithm.equals("SHA1withECDSAinP1363Format")) {
206 digestAlg = "SHA-1";
207 } else if (algorithm.equals("SHA224withECDSA") ||
208 algorithm.equals("SHA224withECDSAinP1363Format")) {
209 digestAlg = "SHA-224";
210 } else if (algorithm.equals("SHA256withECDSA") ||
211 algorithm.equals("SHA256withECDSAinP1363Format")) {
212 digestAlg = "SHA-256";
213 } else if (algorithm.equals("SHA384withECDSA") ||
214 algorithm.equals("SHA384withECDSAinP1363Format")) {
215 digestAlg = "SHA-384";
216 } else if (algorithm.equals("SHA512withECDSA") ||
217 algorithm.equals("SHA512withECDSAinP1363Format")) {
218 digestAlg = "SHA-512";
219 } else {
220 throw new ProviderException(algorithm);
221 }
222 type = T_DIGEST;
223 md = MessageDigest.getInstance(digestAlg);
224 }
225 break;
226 case (int)CKM_RSA_PKCS:
227 case (int)CKM_RSA_X_509:
228 keyAlgorithm = "RSA";
229 type = T_DIGEST;
230 if (algorithm.equals("MD5withRSA")) {
231 md = MessageDigest.getInstance("MD5");
232 digestOID = AlgorithmId.MD5_oid;
233 } else if (algorithm.equals("SHA1withRSA")) {
234 md = MessageDigest.getInstance("SHA-1");
235 digestOID = AlgorithmId.SHA_oid;
236 } else if (algorithm.equals("MD2withRSA")) {
237 md = MessageDigest.getInstance("MD2");
238 digestOID = AlgorithmId.MD2_oid;
239 } else if (algorithm.equals("SHA224withRSA")) {
240 md = MessageDigest.getInstance("SHA-224");
241 digestOID = AlgorithmId.SHA224_oid;
242 } else if (algorithm.equals("SHA256withRSA")) {
243 md = MessageDigest.getInstance("SHA-256");
244 digestOID = AlgorithmId.SHA256_oid;
245 } else if (algorithm.equals("SHA384withRSA")) {
246 md = MessageDigest.getInstance("SHA-384");
247 digestOID = AlgorithmId.SHA384_oid;
248 } else if (algorithm.equals("SHA512withRSA")) {
249 md = MessageDigest.getInstance("SHA-512");
250 digestOID = AlgorithmId.SHA512_oid;
251 } else {
252 throw new ProviderException("Unknown signature: " + algorithm);
253 }
254 break;
255 default:
256 throw new ProviderException("Unknown mechanism: " + mechanism);
257 }
258 this.buffer = buffer;
259 this.digestOID = digestOID;
260 this.md = md;
261 if (algorithm.endsWith("inP1363Format")) {
262 this.p1363Format = true;
263 }
264 }
265
266 private void ensureInitialized() {
267 token.ensureValid();
268 if (initialized == false) {
269 initialize();
270 }
271 }
272
273 private void cancelOperation() {
274 token.ensureValid();
275 if (initialized == false) {
276 return;
277 }
278 initialized = false;
279 if ((session == null) || (token.explicitCancel == false)) {
280 return;
281 }
282 if (session.hasObjects() == false) {
283 session = token.killSession(session);
284 return;
285 }
286 try {
287 // "cancel" operation by finishing it
288 // XXX make sure all this always works correctly
289 if (mode == M_SIGN) {
290 try {
291 if (type == T_UPDATE) {
292 token.p11.C_SignFinal(session.id(), 0);
293 } else {
294 byte[] digest;
295 if (type == T_DIGEST) {
296 digest = md.digest();
297 } else { // T_RAW
298 digest = buffer;
299 }
300 token.p11.C_Sign(session.id(), digest);
301 }
302 } catch (PKCS11Exception e) {
303 throw new ProviderException("cancel failed", e);
304 }
305 } else { // M_VERIFY
306 try {
307 byte[] signature;
308 if (keyAlgorithm.equals("DSA")) {
309 signature = new byte[40];
310 } else {
311 signature = new byte[(p11Key.length() + 7) >> 3];
312 }
313 if (type == T_UPDATE) {
314 token.p11.C_VerifyFinal(session.id(), signature);
315 } else {
316 byte[] digest;
317 if (type == T_DIGEST) {
318 digest = md.digest();
319 } else { // T_RAW
320 digest = buffer;
321 }
322 token.p11.C_Verify(session.id(), digest, signature);
323 }
324 } catch (PKCS11Exception e) {
325 // will fail since the signature is incorrect
326 // XXX check error code
327 }
328 }
329 } finally {
330 session = token.releaseSession(session);
331 }
332 }
333
334 // assumes current state is initialized == false
335 private void initialize() {
336 try {
337 if (session == null) {
338 session = token.getOpSession();
339 }
340 if (mode == M_SIGN) {
341 token.p11.C_SignInit(session.id(),
342 new CK_MECHANISM(mechanism), p11Key.keyID);
343 } else {
344 token.p11.C_VerifyInit(session.id(),
345 new CK_MECHANISM(mechanism), p11Key.keyID);
346 }
347 initialized = true;
348 } catch (PKCS11Exception e) {
349 // release session when initialization failed
350 session = token.releaseSession(session);
351 throw new ProviderException("Initialization failed", e);
352 }
353 if (bytesProcessed != 0) {
354 bytesProcessed = 0;
355 if (md != null) {
356 md.reset();
357 }
358 }
359 }
360
361 private void checkKeySize(String keyAlgo, Key key)
362 throws InvalidKeyException {
363 CK_MECHANISM_INFO mechInfo = null;
364 try {
365 mechInfo = token.getMechanismInfo(mechanism);
366 } catch (PKCS11Exception e) {
367 // should not happen, ignore for now.
368 }
369 if (mechInfo == null) {
370 // skip the check if no native info available
371 return;
372 }
373 int minKeySize = (int) mechInfo.ulMinKeySize;
374 int maxKeySize = (int) mechInfo.ulMaxKeySize;
375 // need to override the MAX keysize for SHA1withDSA
376 if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) {
377 maxKeySize = 1024;
378 }
379 int keySize = 0;
380 if (key instanceof P11Key) {
381 keySize = ((P11Key) key).length();
382 } else {
383 try {
384 if (keyAlgo.equals("RSA")) {
385 keySize = ((RSAKey) key).getModulus().bitLength();
386 } else if (keyAlgo.equals("DSA")) {
387 keySize = ((DSAKey) key).getParams().getP().bitLength();
388 } else if (keyAlgo.equals("EC")) {
389 keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize();
390 } else {
391 throw new ProviderException("Error: unsupported algo " + keyAlgo);
392 }
393 } catch (ClassCastException cce) {
394 throw new InvalidKeyException(keyAlgo +
395 " key must be the right type", cce);
396 }
397 }
398 if ((minKeySize != -1) && (keySize < minKeySize)) {
399 throw new InvalidKeyException(keyAlgo +
400 " key must be at least " + minKeySize + " bits");
401 }
402 if ((maxKeySize != -1) && (keySize > maxKeySize)) {
403 throw new InvalidKeyException(keyAlgo +
404 " key must be at most " + maxKeySize + " bits");
405 }
406 if (keyAlgo.equals("RSA")) {
407 checkRSAKeyLength(keySize);
408 }
409 }
410
411 private void checkRSAKeyLength(int len) throws InvalidKeyException {
412 RSAPadding padding;
413 try {
414 padding = RSAPadding.getInstance
415 (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3);
416 } catch (InvalidAlgorithmParameterException iape) {
417 throw new InvalidKeyException(iape.getMessage());
418 }
419 int maxDataSize = padding.getMaxDataSize();
420 int encodedLength;
421 if (algorithm.equals("MD5withRSA") ||
422 algorithm.equals("MD2withRSA")) {
423 encodedLength = 34;
424 } else if (algorithm.equals("SHA1withRSA")) {
425 encodedLength = 35;
426 } else if (algorithm.equals("SHA224withRSA")) {
427 encodedLength = 47;
428 } else if (algorithm.equals("SHA256withRSA")) {
429 encodedLength = 51;
430 } else if (algorithm.equals("SHA384withRSA")) {
431 encodedLength = 67;
432 } else if (algorithm.equals("SHA512withRSA")) {
433 encodedLength = 83;
434 } else {
435 throw new ProviderException("Unknown signature algo: " + algorithm);
436 }
437 if (encodedLength > maxDataSize) {
438 throw new InvalidKeyException
439 ("Key is too short for this signature algorithm");
440 }
441 }
442
443 // see JCA spec
444 @Override
445 protected void engineInitVerify(PublicKey publicKey)
446 throws InvalidKeyException {
447 if (publicKey == null) {
448 throw new InvalidKeyException("Key must not be null");
449 }
450 // Need to check key length whenever a new key is set
451 if (publicKey != p11Key) {
452 checkKeySize(keyAlgorithm, publicKey);
453 }
454 cancelOperation();
455 mode = M_VERIFY;
456 p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm);
457 initialize();
458 }
459
460 // see JCA spec
461 @Override
462 protected void engineInitSign(PrivateKey privateKey)
463 throws InvalidKeyException {
464 if (privateKey == null) {
465 throw new InvalidKeyException("Key must not be null");
466 }
467 // Need to check RSA key length whenever a new key is set
468 if (privateKey != p11Key) {
469 checkKeySize(keyAlgorithm, privateKey);
470 }
471 cancelOperation();
472 mode = M_SIGN;
473 p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm);
474 initialize();
475 }
476
477 // see JCA spec
478 @Override
479 protected void engineUpdate(byte b) throws SignatureException {
480 ensureInitialized();
481 switch (type) {
482 case T_UPDATE:
483 buffer[0] = b;
484 engineUpdate(buffer, 0, 1);
485 break;
486 case T_DIGEST:
487 md.update(b);
488 bytesProcessed++;
489 break;
490 case T_RAW:
491 if (bytesProcessed >= buffer.length) {
492 bytesProcessed = buffer.length + 1;
493 return;
494 }
495 buffer[bytesProcessed++] = b;
496 break;
497 default:
498 throw new ProviderException("Internal error");
499 }
500 }
501
502 // see JCA spec
503 @Override
504 protected void engineUpdate(byte[] b, int ofs, int len)
505 throws SignatureException {
506 ensureInitialized();
507 if (len == 0) {
508 return;
509 }
510 switch (type) {
511 case T_UPDATE:
512 try {
513 if (mode == M_SIGN) {
514 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len);
515 } else {
516 token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len);
517 }
518 bytesProcessed += len;
519 } catch (PKCS11Exception e) {
520 initialized = false;
521 session = token.releaseSession(session);
522 throw new ProviderException(e);
523 }
524 break;
525 case T_DIGEST:
526 md.update(b, ofs, len);
527 bytesProcessed += len;
528 break;
529 case T_RAW:
530 if (bytesProcessed + len > buffer.length) {
531 bytesProcessed = buffer.length + 1;
532 return;
533 }
534 System.arraycopy(b, ofs, buffer, bytesProcessed, len);
535 bytesProcessed += len;
536 break;
537 default:
538 throw new ProviderException("Internal error");
539 }
540 }
541
542 // see JCA spec
543 @Override
544 protected void engineUpdate(ByteBuffer byteBuffer) {
545 ensureInitialized();
546 int len = byteBuffer.remaining();
547 if (len <= 0) {
548 return;
549 }
550 switch (type) {
551 case T_UPDATE:
552 if (byteBuffer instanceof DirectBuffer == false) {
553 // cannot do better than default impl
554 super.engineUpdate(byteBuffer);
555 return;
556 }
557 long addr = ((DirectBuffer)byteBuffer).address();
558 int ofs = byteBuffer.position();
559 try {
560 if (mode == M_SIGN) {
561 token.p11.C_SignUpdate
562 (session.id(), addr + ofs, null, 0, len);
563 } else {
564 token.p11.C_VerifyUpdate
565 (session.id(), addr + ofs, null, 0, len);
566 }
567 bytesProcessed += len;
568 byteBuffer.position(ofs + len);
569 } catch (PKCS11Exception e) {
570 initialized = false;
571 session = token.releaseSession(session);
572 throw new ProviderException("Update failed", e);
573 }
574 break;
575 case T_DIGEST:
576 md.update(byteBuffer);
577 bytesProcessed += len;
578 break;
579 case T_RAW:
580 if (bytesProcessed + len > buffer.length) {
581 bytesProcessed = buffer.length + 1;
582 return;
583 }
584 byteBuffer.get(buffer, bytesProcessed, len);
585 bytesProcessed += len;
586 break;
587 default:
588 throw new ProviderException("Internal error");
589 }
590 }
591
592 // see JCA spec
593 @Override
594 protected byte[] engineSign() throws SignatureException {
595 ensureInitialized();
596 try {
597 byte[] signature;
598 if (type == T_UPDATE) {
599 int len = keyAlgorithm.equals("DSA") ? 40 : 0;
600 signature = token.p11.C_SignFinal(session.id(), len);
601 } else {
602 byte[] digest;
603 if (type == T_DIGEST) {
604 digest = md.digest();
605 } else { // T_RAW
606 if (mechanism == CKM_DSA) {
607 if (bytesProcessed != buffer.length) {
608 throw new SignatureException
609 ("Data for RawDSA must be exactly 20 bytes long");
610 }
611 digest = buffer;
612 } else { // CKM_ECDSA
613 if (bytesProcessed > buffer.length) {
614 throw new SignatureException("Data for NONEwithECDSA"
615 + " must be at most " + RAW_ECDSA_MAX + " bytes long");
616 }
617 digest = new byte[bytesProcessed];
618 System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
619 }
620 }
621 if (keyAlgorithm.equals("RSA") == false) {
622 // DSA and ECDSA
623 signature = token.p11.C_Sign(session.id(), digest);
624 } else { // RSA
625 byte[] data = encodeSignature(digest);
626 if (mechanism == CKM_RSA_X_509) {
627 data = pkcs1Pad(data);
628 }
629 signature = token.p11.C_Sign(session.id(), data);
630 }
631 }
632 if (keyAlgorithm.equals("RSA")) {
633 return signature;
634 } else {
635 if (p1363Format) {
636 return signature;
637 } else {
638 return dsaToASN1(signature);
639 }
640 }
641 } catch (PKCS11Exception pe) {
642 throw new ProviderException(pe);
643 } catch (SignatureException | ProviderException e) {
644 cancelOperation();
645 throw e;
646 } finally {
647 initialized = false;
648 session = token.releaseSession(session);
649 }
650 }
651
652 // see JCA spec
653 @Override
654 protected boolean engineVerify(byte[] signature) throws SignatureException {
655 ensureInitialized();
656 try {
657 if (!p1363Format) {
658 if (keyAlgorithm.equals("DSA")) {
659 signature = asn1ToDSA(signature);
660 } else if (keyAlgorithm.equals("EC")) {
661 signature = asn1ToECDSA(signature);
662 }
663 }
664 if (type == T_UPDATE) {
665 token.p11.C_VerifyFinal(session.id(), signature);
666 } else {
667 byte[] digest;
668 if (type == T_DIGEST) {
669 digest = md.digest();
670 } else { // T_RAW
671 if (mechanism == CKM_DSA) {
672 if (bytesProcessed != buffer.length) {
673 throw new SignatureException
674 ("Data for RawDSA must be exactly 20 bytes long");
675 }
676 digest = buffer;
677 } else {
678 if (bytesProcessed > buffer.length) {
679 throw new SignatureException("Data for NONEwithECDSA"
680 + " must be at most " + RAW_ECDSA_MAX + " bytes long");
681 }
682 digest = new byte[bytesProcessed];
683 System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
684 }
685 }
686 if (keyAlgorithm.equals("RSA") == false) {
687 // DSA and ECDSA
688 token.p11.C_Verify(session.id(), digest, signature);
689 } else { // RSA
690 byte[] data = encodeSignature(digest);
691 if (mechanism == CKM_RSA_X_509) {
692 data = pkcs1Pad(data);
693 }
694 token.p11.C_Verify(session.id(), data, signature);
695 }
696 }
697 return true;
698 } catch (PKCS11Exception pe) {
699 long errorCode = pe.getErrorCode();
700 if (errorCode == CKR_SIGNATURE_INVALID) {
701 return false;
702 }
703 if (errorCode == CKR_SIGNATURE_LEN_RANGE) {
704 // return false rather than throwing an exception
705 return false;
706 }
707 // ECF bug?
708 if (errorCode == CKR_DATA_LEN_RANGE) {
709 return false;
710 }
711 throw new ProviderException(pe);
712 } catch (SignatureException | ProviderException e) {
713 cancelOperation();
714 throw e;
715 } finally {
716 initialized = false;
717 session = token.releaseSession(session);
718 }
719 }
720
721 private byte[] pkcs1Pad(byte[] data) {
722 try {
723 int len = (p11Key.length() + 7) >> 3;
724 RSAPadding padding = RSAPadding.getInstance
725 (RSAPadding.PAD_BLOCKTYPE_1, len);
726 byte[] padded = padding.pad(data);
727 return padded;
728 } catch (GeneralSecurityException e) {
729 throw new ProviderException(e);
730 }
731 }
732
733 private byte[] encodeSignature(byte[] digest) throws SignatureException {
734 try {
735 return RSASignature.encodeSignature(digestOID, digest);
736 } catch (IOException e) {
737 throw new SignatureException("Invalid encoding", e);
738 }
739 }
740
741 // private static byte[] decodeSignature(byte[] signature) throws IOException {
742 // return RSASignature.decodeSignature(digestOID, signature);
743 // }
744
745 // For DSA and ECDSA signatures, PKCS#11 represents them as a simple
746 // byte array that contains the concatenation of r and s.
747 // For DSA, r and s are always exactly 20 bytes long.
748 // For ECDSA, r and s are of variable length, but we know that each
749 // occupies half of the array.
750 private static byte[] dsaToASN1(byte[] signature) {
751 int n = signature.length >> 1;
752 BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n));
753 BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n));
754 try {
755 DerOutputStream outseq = new DerOutputStream(100);
756 outseq.putInteger(r);
757 outseq.putInteger(s);
758 DerValue result = new DerValue(DerValue.tag_Sequence,
759 outseq.toByteArray());
760 return result.toByteArray();
761 } catch (java.io.IOException e) {
762 throw new RuntimeException("Internal error", e);
763 }
764 }
765
766 private static byte[] asn1ToDSA(byte[] sig) throws SignatureException {
767 try {
768 // Enforce strict DER checking for signatures
769 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
770 DerValue[] values = in.getSequence(2);
771
772 // check number of components in the read sequence
773 // and trailing data
774 if ((values.length != 2) || (in.available() != 0)) {
775 throw new IOException("Invalid encoding for signature");
776 }
777
778 BigInteger r = values[0].getPositiveBigInteger();
779 BigInteger s = values[1].getPositiveBigInteger();
780
781 byte[] br = toByteArray(r, 20);
782 byte[] bs = toByteArray(s, 20);
783 if ((br == null) || (bs == null)) {
784 throw new SignatureException("Out of range value for R or S");
785 }
786 return P11Util.concat(br, bs);
787 } catch (SignatureException e) {
788 throw e;
789 } catch (Exception e) {
790 throw new SignatureException("Invalid encoding for signature", e);
791 }
792 }
793
794 private byte[] asn1ToECDSA(byte[] sig) throws SignatureException {
795 try {
796 // Enforce strict DER checking for signatures
797 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
798 DerValue[] values = in.getSequence(2);
799
800 // check number of components in the read sequence
801 // and trailing data
802 if ((values.length != 2) || (in.available() != 0)) {
803 throw new IOException("Invalid encoding for signature");
804 }
805
806 BigInteger r = values[0].getPositiveBigInteger();
807 BigInteger s = values[1].getPositiveBigInteger();
808
809 // trim leading zeroes
810 byte[] br = KeyUtil.trimZeroes(r.toByteArray());
811 byte[] bs = KeyUtil.trimZeroes(s.toByteArray());
812 int k = Math.max(br.length, bs.length);
813 // r and s each occupy half the array
814 byte[] res = new byte[k << 1];
815 System.arraycopy(br, 0, res, k - br.length, br.length);
816 System.arraycopy(bs, 0, res, res.length - bs.length, bs.length);
817 return res;
818 } catch (Exception e) {
819 throw new SignatureException("Invalid encoding for signature", e);
820 }
821 }
822
823 private static byte[] toByteArray(BigInteger bi, int len) {
824 byte[] b = bi.toByteArray();
825 int n = b.length;
826 if (n == len) {
827 return b;
828 }
829 if ((n == len + 1) && (b[0] == 0)) {
830 byte[] t = new byte[len];
831 System.arraycopy(b, 1, t, 0, len);
832 return t;
833 }
834 if (n > len) {
835 return null;
836 }
837 // must be smaller
838 byte[] t = new byte[len];
839 System.arraycopy(b, 0, t, (len - n), n);
840 return t;
841 }
842
843 // see JCA spec
844 @SuppressWarnings("deprecation")
845 @Override
846 protected void engineSetParameter(String param, Object value)
847 throws InvalidParameterException {
848 throw new UnsupportedOperationException("setParameter() not supported");
849 }
850
851 // see JCA spec
852 @Override
853 protected void engineSetParameter(AlgorithmParameterSpec params)
854 throws InvalidAlgorithmParameterException {
855 if (params != null) {
856 throw new InvalidAlgorithmParameterException("No parameter accepted");
857 }
858 }
859
860 // see JCA spec
861 @SuppressWarnings("deprecation")
862 @Override
863 protected Object engineGetParameter(String param)
864 throws InvalidParameterException {
865 throw new UnsupportedOperationException("getParameter() not supported");
866 }
867
868 // see JCA spec
869 @Override
870 protected AlgorithmParameters engineGetParameters() {
871 return null;
872 }
873 }