1 /* 2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.pkcs11; 27 28 import java.io.IOException; 29 import java.math.BigInteger; 30 import java.nio.ByteBuffer; 31 32 import java.security.*; 33 import java.security.interfaces.*; 34 import java.security.spec.AlgorithmParameterSpec; 35 import sun.nio.ch.DirectBuffer; 36 37 import sun.security.util.*; 38 import sun.security.x509.AlgorithmId; 39 40 import sun.security.rsa.RSASignature; 41 import sun.security.rsa.RSAPadding; 42 43 import sun.security.pkcs11.wrapper.*; 44 import static sun.security.pkcs11.wrapper.PKCS11Constants.*; 45 import sun.security.util.KeyUtil; 46 47 /** 48 * Signature implementation class. This class currently supports the 49 * following algorithms: 50 * 51 * . DSA 52 * . NONEwithDSA (RawDSA) 53 * . SHA1withDSA 54 * . NONEwithDSAinP1363Format (RawDSAinP1363Format) 55 * . SHA1withDSAinP1363Format 56 * . RSA: 57 * . MD2withRSA 58 * . MD5withRSA 59 * . SHA1withRSA 60 * . SHA224withRSA 61 * . SHA256withRSA 62 * . SHA384withRSA 63 * . SHA512withRSA 64 * . ECDSA 65 * . NONEwithECDSA 66 * . SHA1withECDSA 67 * . SHA224withECDSA 68 * . SHA256withECDSA 69 * . SHA384withECDSA 70 * . SHA512withECDSA 71 * . NONEwithECDSAinP1363Format 72 * . SHA1withECDSAinP1363Format 73 * . SHA224withECDSAinP1363Format 74 * . SHA256withECDSAinP1363Format 75 * . SHA384withECDSAinP1363Format 76 * . SHA512withECDSAinP1363Format 77 * 78 * Note that the underlying PKCS#11 token may support complete signature 79 * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just 80 * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS), 81 * or it may only implement the raw public key operation (CKM_RSA_X_509). 82 * This class uses what is available and adds whatever extra processing 83 * is needed. 84 * 85 * @author Andreas Sterbenz 86 * @since 1.5 87 */ 88 final class P11Signature extends SignatureSpi { 89 90 // token instance 91 private final Token token; 92 93 // algorithm name 94 private final String algorithm; 95 96 // name of the key algorithm, currently either RSA or DSA 97 private final String keyAlgorithm; 98 99 // mechanism id 100 private final long mechanism; 101 102 // digest algorithm OID, if we encode RSA signature ourselves 103 private final ObjectIdentifier digestOID; 104 105 // type, one of T_* below 106 private final int type; 107 108 // key instance used, if init*() was called 109 private P11Key p11Key; 110 111 // message digest, if we do the digesting ourselves 112 private final MessageDigest md; 113 114 // associated session, if any 115 private Session session; 116 117 // mode, one of M_* below 118 private int mode; 119 120 // flag indicating whether an operation is initialized 121 private boolean initialized; 122 123 // buffer, for update(byte) or DSA 124 private final byte[] buffer; 125 126 // total number of bytes processed in current operation 127 private int bytesProcessed; 128 129 // The format, to be used for DSA and ECDSA signatures. 130 // If true, the IEEE P1363 format will be used, the concatenation of 131 // r and s. If false (default), the signature will be formatted as a 132 // DER-encoded ASN.1 sequence of r and s. 133 private boolean p1363Format = false; 134 135 // constant for signing mode 136 private final static int M_SIGN = 1; 137 // constant for verification mode 138 private final static int M_VERIFY = 2; 139 140 // constant for type digesting, we do the hashing ourselves 141 private final static int T_DIGEST = 1; 142 // constant for type update, token does everything 143 private final static int T_UPDATE = 2; 144 // constant for type raw, used with RawDSA and NONEwithECDSA only 145 private final static int T_RAW = 3; 146 147 // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits", 148 // but this is a little arbitrary 149 private final static int RAW_ECDSA_MAX = 128; 150 151 P11Signature(Token token, String algorithm, long mechanism) 152 throws NoSuchAlgorithmException, PKCS11Exception { 153 super(); 154 this.token = token; 155 this.algorithm = algorithm; 156 this.mechanism = mechanism; 157 byte[] buffer = null; 158 ObjectIdentifier digestOID = null; 159 MessageDigest md = null; 160 switch ((int)mechanism) { 161 case (int)CKM_MD2_RSA_PKCS: 162 case (int)CKM_MD5_RSA_PKCS: 163 case (int)CKM_SHA1_RSA_PKCS: 164 case (int)CKM_SHA224_RSA_PKCS: 165 case (int)CKM_SHA256_RSA_PKCS: 166 case (int)CKM_SHA384_RSA_PKCS: 167 case (int)CKM_SHA512_RSA_PKCS: 168 keyAlgorithm = "RSA"; 169 type = T_UPDATE; 170 buffer = new byte[1]; 171 break; 172 case (int)CKM_DSA_SHA1: 173 keyAlgorithm = "DSA"; 174 type = T_UPDATE; 175 buffer = new byte[1]; 176 break; 177 case (int)CKM_ECDSA_SHA1: 178 keyAlgorithm = "EC"; 179 type = T_UPDATE; 180 buffer = new byte[1]; 181 break; 182 case (int)CKM_DSA: 183 keyAlgorithm = "DSA"; 184 if (algorithm.equals("DSA") || 185 algorithm.equals("DSAinP1363Format")) { 186 type = T_DIGEST; 187 md = MessageDigest.getInstance("SHA-1"); 188 } else if (algorithm.equals("RawDSA") || 189 algorithm.equals("RawDSAinP1363Format")) { 190 type = T_RAW; 191 buffer = new byte[20]; 192 } else { 193 throw new ProviderException(algorithm); 194 } 195 break; 196 case (int)CKM_ECDSA: 197 keyAlgorithm = "EC"; 198 if (algorithm.equals("NONEwithECDSA") || 199 algorithm.equals("NONEwithECDSAinP1363Format")) { 200 type = T_RAW; 201 buffer = new byte[RAW_ECDSA_MAX]; 202 } else { 203 String digestAlg; 204 if (algorithm.equals("SHA1withECDSA") || 205 algorithm.equals("SHA1withECDSAinP1363Format")) { 206 digestAlg = "SHA-1"; 207 } else if (algorithm.equals("SHA224withECDSA") || 208 algorithm.equals("SHA224withECDSAinP1363Format")) { 209 digestAlg = "SHA-224"; 210 } else if (algorithm.equals("SHA256withECDSA") || 211 algorithm.equals("SHA256withECDSAinP1363Format")) { 212 digestAlg = "SHA-256"; 213 } else if (algorithm.equals("SHA384withECDSA") || 214 algorithm.equals("SHA384withECDSAinP1363Format")) { 215 digestAlg = "SHA-384"; 216 } else if (algorithm.equals("SHA512withECDSA") || 217 algorithm.equals("SHA512withECDSAinP1363Format")) { 218 digestAlg = "SHA-512"; 219 } else { 220 throw new ProviderException(algorithm); 221 } 222 type = T_DIGEST; 223 md = MessageDigest.getInstance(digestAlg); 224 } 225 break; 226 case (int)CKM_RSA_PKCS: 227 case (int)CKM_RSA_X_509: 228 keyAlgorithm = "RSA"; 229 type = T_DIGEST; 230 if (algorithm.equals("MD5withRSA")) { 231 md = MessageDigest.getInstance("MD5"); 232 digestOID = AlgorithmId.MD5_oid; 233 } else if (algorithm.equals("SHA1withRSA")) { 234 md = MessageDigest.getInstance("SHA-1"); 235 digestOID = AlgorithmId.SHA_oid; 236 } else if (algorithm.equals("MD2withRSA")) { 237 md = MessageDigest.getInstance("MD2"); 238 digestOID = AlgorithmId.MD2_oid; 239 } else if (algorithm.equals("SHA224withRSA")) { 240 md = MessageDigest.getInstance("SHA-224"); 241 digestOID = AlgorithmId.SHA224_oid; 242 } else if (algorithm.equals("SHA256withRSA")) { 243 md = MessageDigest.getInstance("SHA-256"); 244 digestOID = AlgorithmId.SHA256_oid; 245 } else if (algorithm.equals("SHA384withRSA")) { 246 md = MessageDigest.getInstance("SHA-384"); 247 digestOID = AlgorithmId.SHA384_oid; 248 } else if (algorithm.equals("SHA512withRSA")) { 249 md = MessageDigest.getInstance("SHA-512"); 250 digestOID = AlgorithmId.SHA512_oid; 251 } else { 252 throw new ProviderException("Unknown signature: " + algorithm); 253 } 254 break; 255 default: 256 throw new ProviderException("Unknown mechanism: " + mechanism); 257 } 258 this.buffer = buffer; 259 this.digestOID = digestOID; 260 this.md = md; 261 if (algorithm.endsWith("inP1363Format")) { 262 this.p1363Format = true; 263 } 264 } 265 266 // reset the states to the pre-initialized values 267 private void reset(boolean doCancel) { 268 if (!initialized) { 269 return; 270 } 271 initialized = false; 272 try { 273 if (session == null) { 274 return; 275 } 276 if (doCancel && token.explicitCancel) { 277 cancelOperation(); 278 } 279 } finally { 280 p11Key.decNativeKeyRef(); 281 session = token.releaseSession(session); 282 } 283 } 284 285 private void cancelOperation() { 286 token.ensureValid(); 287 if (session.hasObjects() == false) { 288 session = token.killSession(session); 289 return; 290 } else { 291 // "cancel" operation by finishing it 292 // XXX make sure all this always works correctly 293 try { 294 if (mode == M_SIGN) { 295 if (type == T_UPDATE) { 296 token.p11.C_SignFinal(session.id(), 0); 297 } else { 298 byte[] digest; 299 if (type == T_DIGEST) { 300 digest = md.digest(); 301 } else { // T_RAW 302 digest = buffer; 303 } 304 token.p11.C_Sign(session.id(), digest); 305 } 306 } else { // M_VERIFY 307 byte[] signature; 308 if (keyAlgorithm.equals("DSA")) { 309 signature = new byte[40]; 310 } else { 311 signature = new byte[(p11Key.length() + 7) >> 3]; 312 } 313 if (type == T_UPDATE) { 314 token.p11.C_VerifyFinal(session.id(), signature); 315 } else { 316 byte[] digest; 317 if (type == T_DIGEST) { 318 digest = md.digest(); 319 } else { // T_RAW 320 digest = buffer; 321 } 322 token.p11.C_Verify(session.id(), digest, signature); 323 } 324 } 325 } catch (PKCS11Exception e) { 326 throw new ProviderException("cancel failed", e); 327 } 328 } 329 } 330 331 // assumes current state is initialized == false 332 private void ensureInitialized() { 333 if (initialized) { 334 return; 335 } 336 if (p11Key == null) { 337 throw new ProviderException( 338 "Operation cannot be performed without calling engineInit first"); 339 } 340 try { 341 token.ensureValid(); 342 p11Key.incNativeKeyRef(); 343 try { 344 if (session == null) { 345 session = token.getOpSession(); 346 } 347 if (mode == M_SIGN) { 348 token.p11.C_SignInit(session.id(), 349 new CK_MECHANISM(mechanism), p11Key.keyID); 350 } else { 351 token.p11.C_VerifyInit(session.id(), 352 new CK_MECHANISM(mechanism), p11Key.keyID); 353 } 354 } catch (Throwable t) { 355 p11Key.decNativeKeyRef(); 356 session = token.releaseSession(session); 357 throw t; 358 } 359 initialized = true; 360 if (bytesProcessed != 0 && md != null) { 361 md.reset(); 362 } 363 bytesProcessed = 0; 364 } catch (PKCS11Exception e) { 365 throw new ProviderException("Initialization failed", e); 366 } 367 } 368 369 private void checkKeySize(String keyAlgo, Key key) 370 throws InvalidKeyException { 371 CK_MECHANISM_INFO mechInfo = null; 372 try { 373 mechInfo = token.getMechanismInfo(mechanism); 374 } catch (PKCS11Exception e) { 375 // should not happen, ignore for now. 376 } 377 if (mechInfo == null) { 378 // skip the check if no native info available 379 return; 380 } 381 int minKeySize = (int) mechInfo.ulMinKeySize; 382 int maxKeySize = (int) mechInfo.ulMaxKeySize; 383 // need to override the MAX keysize for SHA1withDSA 384 if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) { 385 maxKeySize = 1024; 386 } 387 int keySize = 0; 388 if (key instanceof P11Key) { 389 keySize = ((P11Key) key).length(); 390 } else { 391 try { 392 if (keyAlgo.equals("RSA")) { 393 keySize = ((RSAKey) key).getModulus().bitLength(); 394 } else if (keyAlgo.equals("DSA")) { 395 keySize = ((DSAKey) key).getParams().getP().bitLength(); 396 } else if (keyAlgo.equals("EC")) { 397 keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize(); 398 } else { 399 throw new ProviderException("Error: unsupported algo " + keyAlgo); 400 } 401 } catch (ClassCastException cce) { 402 throw new InvalidKeyException(keyAlgo + 403 " key must be the right type", cce); 404 } 405 } 406 if ((minKeySize != -1) && (keySize < minKeySize)) { 407 throw new InvalidKeyException(keyAlgo + 408 " key must be at least " + minKeySize + " bits"); 409 } 410 if ((maxKeySize != -1) && (keySize > maxKeySize)) { 411 throw new InvalidKeyException(keyAlgo + 412 " key must be at most " + maxKeySize + " bits"); 413 } 414 if (keyAlgo.equals("RSA")) { 415 checkRSAKeyLength(keySize); 416 } 417 } 418 419 private void checkRSAKeyLength(int len) throws InvalidKeyException { 420 RSAPadding padding; 421 try { 422 padding = RSAPadding.getInstance 423 (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3); 424 } catch (InvalidAlgorithmParameterException iape) { 425 throw new InvalidKeyException(iape.getMessage()); 426 } 427 int maxDataSize = padding.getMaxDataSize(); 428 int encodedLength; 429 if (algorithm.equals("MD5withRSA") || 430 algorithm.equals("MD2withRSA")) { 431 encodedLength = 34; 432 } else if (algorithm.equals("SHA1withRSA")) { 433 encodedLength = 35; 434 } else if (algorithm.equals("SHA224withRSA")) { 435 encodedLength = 47; 436 } else if (algorithm.equals("SHA256withRSA")) { 437 encodedLength = 51; 438 } else if (algorithm.equals("SHA384withRSA")) { 439 encodedLength = 67; 440 } else if (algorithm.equals("SHA512withRSA")) { 441 encodedLength = 83; 442 } else { 443 throw new ProviderException("Unknown signature algo: " + algorithm); 444 } 445 if (encodedLength > maxDataSize) { 446 throw new InvalidKeyException 447 ("Key is too short for this signature algorithm"); 448 } 449 } 450 451 // see JCA spec 452 @Override 453 protected void engineInitVerify(PublicKey publicKey) 454 throws InvalidKeyException { 455 if (publicKey == null) { 456 throw new InvalidKeyException("Key must not be null"); 457 } 458 // Need to check key length whenever a new key is set 459 if (publicKey != p11Key) { 460 checkKeySize(keyAlgorithm, publicKey); 461 } 462 reset(true); 463 mode = M_VERIFY; 464 p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm); 465 ensureInitialized(); 466 } 467 468 // see JCA spec 469 @Override 470 protected void engineInitSign(PrivateKey privateKey) 471 throws InvalidKeyException { 472 if (privateKey == null) { 473 throw new InvalidKeyException("Key must not be null"); 474 } 475 // Need to check RSA key length whenever a new key is set 476 if (privateKey != p11Key) { 477 checkKeySize(keyAlgorithm, privateKey); 478 } 479 reset(true); 480 mode = M_SIGN; 481 p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm); 482 ensureInitialized(); 483 } 484 485 // see JCA spec 486 @Override 487 protected void engineUpdate(byte b) throws SignatureException { 488 ensureInitialized(); 489 switch (type) { 490 case T_UPDATE: 491 buffer[0] = b; 492 engineUpdate(buffer, 0, 1); 493 break; 494 case T_DIGEST: 495 md.update(b); 496 bytesProcessed++; 497 break; 498 case T_RAW: 499 if (bytesProcessed >= buffer.length) { 500 bytesProcessed = buffer.length + 1; 501 return; 502 } 503 buffer[bytesProcessed++] = b; 504 break; 505 default: 506 throw new ProviderException("Internal error"); 507 } 508 } 509 510 // see JCA spec 511 @Override 512 protected void engineUpdate(byte[] b, int ofs, int len) 513 throws SignatureException { 514 ensureInitialized(); 515 if (len == 0) { 516 return; 517 } 518 switch (type) { 519 case T_UPDATE: 520 try { 521 if (mode == M_SIGN) { 522 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); 523 } else { 524 token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len); 525 } 526 bytesProcessed += len; 527 } catch (PKCS11Exception e) { 528 reset(true); 529 throw new ProviderException(e); 530 } 531 break; 532 case T_DIGEST: 533 md.update(b, ofs, len); 534 bytesProcessed += len; 535 break; 536 case T_RAW: 537 if (bytesProcessed + len > buffer.length) { 538 bytesProcessed = buffer.length + 1; 539 return; 540 } 541 System.arraycopy(b, ofs, buffer, bytesProcessed, len); 542 bytesProcessed += len; 543 break; 544 default: 545 throw new ProviderException("Internal error"); 546 } 547 } 548 549 // see JCA spec 550 @Override 551 protected void engineUpdate(ByteBuffer byteBuffer) { 552 ensureInitialized(); 553 int len = byteBuffer.remaining(); 554 if (len <= 0) { 555 return; 556 } 557 switch (type) { 558 case T_UPDATE: 559 if (byteBuffer instanceof DirectBuffer == false) { 560 // cannot do better than default impl 561 super.engineUpdate(byteBuffer); 562 return; 563 } 564 long addr = ((DirectBuffer)byteBuffer).address(); 565 int ofs = byteBuffer.position(); 566 try { 567 if (mode == M_SIGN) { 568 token.p11.C_SignUpdate 569 (session.id(), addr + ofs, null, 0, len); 570 } else { 571 token.p11.C_VerifyUpdate 572 (session.id(), addr + ofs, null, 0, len); 573 } 574 bytesProcessed += len; 575 byteBuffer.position(ofs + len); 576 } catch (PKCS11Exception e) { 577 initialized = false; 578 session = token.releaseSession(session); 579 throw new ProviderException("Update failed", e); 580 } 581 break; 582 case T_DIGEST: 583 md.update(byteBuffer); 584 bytesProcessed += len; 585 break; 586 case T_RAW: 587 if (bytesProcessed + len > buffer.length) { 588 bytesProcessed = buffer.length + 1; 589 return; 590 } 591 byteBuffer.get(buffer, bytesProcessed, len); 592 bytesProcessed += len; 593 break; 594 default: 595 throw new ProviderException("Internal error"); 596 } 597 } 598 599 // see JCA spec 600 @Override 601 protected byte[] engineSign() throws SignatureException { 602 ensureInitialized(); 603 try { 604 byte[] signature; 605 if (type == T_UPDATE) { 606 int len = keyAlgorithm.equals("DSA") ? 40 : 0; 607 signature = token.p11.C_SignFinal(session.id(), len); 608 } else { 609 byte[] digest; 610 if (type == T_DIGEST) { 611 digest = md.digest(); 612 } else { // T_RAW 613 if (mechanism == CKM_DSA) { 614 if (bytesProcessed != buffer.length) { 615 throw new SignatureException 616 ("Data for RawDSA must be exactly 20 bytes long"); 617 } 618 digest = buffer; 619 } else { // CKM_ECDSA 620 if (bytesProcessed > buffer.length) { 621 throw new SignatureException("Data for NONEwithECDSA" 622 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 623 } 624 digest = new byte[bytesProcessed]; 625 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 626 } 627 } 628 if (keyAlgorithm.equals("RSA") == false) { 629 // DSA and ECDSA 630 signature = token.p11.C_Sign(session.id(), digest); 631 } else { // RSA 632 byte[] data = encodeSignature(digest); 633 if (mechanism == CKM_RSA_X_509) { 634 data = pkcs1Pad(data); 635 } 636 signature = token.p11.C_Sign(session.id(), data); 637 } 638 } 639 if (keyAlgorithm.equals("RSA")) { 640 return signature; 641 } else { 642 if (p1363Format) { 643 return signature; 644 } else { 645 return dsaToASN1(signature); 646 } 647 } 648 } catch (PKCS11Exception pe) { 649 throw new ProviderException(pe); 650 } catch (SignatureException | ProviderException e) { 651 reset(true); 652 throw e; 653 } finally { 654 reset(false); 655 } 656 } 657 658 // see JCA spec 659 @Override 660 protected boolean engineVerify(byte[] signature) throws SignatureException { 661 ensureInitialized(); 662 try { 663 if (!p1363Format) { 664 if (keyAlgorithm.equals("DSA")) { 665 signature = asn1ToDSA(signature); 666 } else if (keyAlgorithm.equals("EC")) { 667 signature = asn1ToECDSA(signature); 668 } 669 } 670 if (type == T_UPDATE) { 671 token.p11.C_VerifyFinal(session.id(), signature); 672 } else { 673 byte[] digest; 674 if (type == T_DIGEST) { 675 digest = md.digest(); 676 } else { // T_RAW 677 if (mechanism == CKM_DSA) { 678 if (bytesProcessed != buffer.length) { 679 throw new SignatureException 680 ("Data for RawDSA must be exactly 20 bytes long"); 681 } 682 digest = buffer; 683 } else { 684 if (bytesProcessed > buffer.length) { 685 throw new SignatureException("Data for NONEwithECDSA" 686 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 687 } 688 digest = new byte[bytesProcessed]; 689 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 690 } 691 } 692 if (keyAlgorithm.equals("RSA") == false) { 693 // DSA and ECDSA 694 token.p11.C_Verify(session.id(), digest, signature); 695 } else { // RSA 696 byte[] data = encodeSignature(digest); 697 if (mechanism == CKM_RSA_X_509) { 698 data = pkcs1Pad(data); 699 } 700 token.p11.C_Verify(session.id(), data, signature); 701 } 702 } 703 return true; 704 } catch (PKCS11Exception pe) { 705 long errorCode = pe.getErrorCode(); 706 if (errorCode == CKR_SIGNATURE_INVALID) { 707 return false; 708 } 709 if (errorCode == CKR_SIGNATURE_LEN_RANGE) { 710 // return false rather than throwing an exception 711 return false; 712 } 713 // ECF bug? 714 if (errorCode == CKR_DATA_LEN_RANGE) { 715 return false; 716 } 717 throw new ProviderException(pe); 718 } catch (SignatureException | ProviderException e) { 719 reset(true); 720 throw e; 721 } finally { 722 reset(false); 723 } 724 } 725 726 private byte[] pkcs1Pad(byte[] data) { 727 try { 728 int len = (p11Key.length() + 7) >> 3; 729 RSAPadding padding = RSAPadding.getInstance 730 (RSAPadding.PAD_BLOCKTYPE_1, len); 731 byte[] padded = padding.pad(data); 732 return padded; 733 } catch (GeneralSecurityException e) { 734 throw new ProviderException(e); 735 } 736 } 737 738 private byte[] encodeSignature(byte[] digest) throws SignatureException { 739 try { 740 return RSASignature.encodeSignature(digestOID, digest); 741 } catch (IOException e) { 742 throw new SignatureException("Invalid encoding", e); 743 } 744 } 745 746 // private static byte[] decodeSignature(byte[] signature) throws IOException { 747 // return RSASignature.decodeSignature(digestOID, signature); 748 // } 749 750 // For DSA and ECDSA signatures, PKCS#11 represents them as a simple 751 // byte array that contains the concatenation of r and s. 752 // For DSA, r and s are always exactly 20 bytes long. 753 // For ECDSA, r and s are of variable length, but we know that each 754 // occupies half of the array. 755 private static byte[] dsaToASN1(byte[] signature) { 756 int n = signature.length >> 1; 757 BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n)); 758 BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n)); 759 try { 760 DerOutputStream outseq = new DerOutputStream(100); 761 outseq.putInteger(r); 762 outseq.putInteger(s); 763 DerValue result = new DerValue(DerValue.tag_Sequence, 764 outseq.toByteArray()); 765 return result.toByteArray(); 766 } catch (java.io.IOException e) { 767 throw new RuntimeException("Internal error", e); 768 } 769 } 770 771 private static byte[] asn1ToDSA(byte[] sig) throws SignatureException { 772 try { 773 // Enforce strict DER checking for signatures 774 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 775 DerValue[] values = in.getSequence(2); 776 777 // check number of components in the read sequence 778 // and trailing data 779 if ((values.length != 2) || (in.available() != 0)) { 780 throw new IOException("Invalid encoding for signature"); 781 } 782 783 BigInteger r = values[0].getPositiveBigInteger(); 784 BigInteger s = values[1].getPositiveBigInteger(); 785 786 byte[] br = toByteArray(r, 20); 787 byte[] bs = toByteArray(s, 20); 788 if ((br == null) || (bs == null)) { 789 throw new SignatureException("Out of range value for R or S"); 790 } 791 return P11Util.concat(br, bs); 792 } catch (SignatureException e) { 793 throw e; 794 } catch (Exception e) { 795 throw new SignatureException("Invalid encoding for signature", e); 796 } 797 } 798 799 private byte[] asn1ToECDSA(byte[] sig) throws SignatureException { 800 try { 801 // Enforce strict DER checking for signatures 802 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 803 DerValue[] values = in.getSequence(2); 804 805 // check number of components in the read sequence 806 // and trailing data 807 if ((values.length != 2) || (in.available() != 0)) { 808 throw new IOException("Invalid encoding for signature"); 809 } 810 811 BigInteger r = values[0].getPositiveBigInteger(); 812 BigInteger s = values[1].getPositiveBigInteger(); 813 814 // trim leading zeroes 815 byte[] br = KeyUtil.trimZeroes(r.toByteArray()); 816 byte[] bs = KeyUtil.trimZeroes(s.toByteArray()); 817 int k = Math.max(br.length, bs.length); 818 // r and s each occupy half the array 819 byte[] res = new byte[k << 1]; 820 System.arraycopy(br, 0, res, k - br.length, br.length); 821 System.arraycopy(bs, 0, res, res.length - bs.length, bs.length); 822 return res; 823 } catch (Exception e) { 824 throw new SignatureException("Invalid encoding for signature", e); 825 } 826 } 827 828 private static byte[] toByteArray(BigInteger bi, int len) { 829 byte[] b = bi.toByteArray(); 830 int n = b.length; 831 if (n == len) { 832 return b; 833 } 834 if ((n == len + 1) && (b[0] == 0)) { 835 byte[] t = new byte[len]; 836 System.arraycopy(b, 1, t, 0, len); 837 return t; 838 } 839 if (n > len) { 840 return null; 841 } 842 // must be smaller 843 byte[] t = new byte[len]; 844 System.arraycopy(b, 0, t, (len - n), n); 845 return t; 846 } 847 848 // see JCA spec 849 @SuppressWarnings("deprecation") 850 @Override 851 protected void engineSetParameter(String param, Object value) 852 throws InvalidParameterException { 853 throw new UnsupportedOperationException("setParameter() not supported"); 854 } 855 856 // see JCA spec 857 @Override 858 protected void engineSetParameter(AlgorithmParameterSpec params) 859 throws InvalidAlgorithmParameterException { 860 if (params != null) { 861 throw new InvalidAlgorithmParameterException("No parameter accepted"); 862 } 863 } 864 865 // see JCA spec 866 @SuppressWarnings("deprecation") 867 @Override 868 protected Object engineGetParameter(String param) 869 throws InvalidParameterException { 870 throw new UnsupportedOperationException("getParameter() not supported"); 871 } 872 873 // see JCA spec 874 @Override 875 protected AlgorithmParameters engineGetParameters() { 876 return null; 877 } 878 }