1 /* 2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.pkcs11; 27 28 import java.io.IOException; 29 import java.math.BigInteger; 30 import java.nio.ByteBuffer; 31 32 import java.security.*; 33 import java.security.interfaces.*; 34 import java.security.spec.AlgorithmParameterSpec; 35 import sun.nio.ch.DirectBuffer; 36 37 import sun.security.util.*; 38 import sun.security.x509.AlgorithmId; 39 40 import sun.security.rsa.RSASignature; 41 import sun.security.rsa.RSAPadding; 42 43 import sun.security.pkcs11.wrapper.*; 44 import static sun.security.pkcs11.wrapper.PKCS11Constants.*; 45 import sun.security.util.KeyUtil; 46 47 /** 48 * Signature implementation class. This class currently supports the 49 * following algorithms: 50 * 51 * . DSA 52 * . NONEwithDSA (RawDSA) 53 * . SHA1withDSA 54 * . NONEwithDSAinP1363Format (RawDSAinP1363Format) 55 * . SHA1withDSAinP1363Format 56 * . RSA: 57 * . MD2withRSA 58 * . MD5withRSA 59 * . SHA1withRSA 60 * . SHA224withRSA 61 * . SHA256withRSA 62 * . SHA384withRSA 63 * . SHA512withRSA 64 * . ECDSA 65 * . NONEwithECDSA 66 * . SHA1withECDSA 67 * . SHA224withECDSA 68 * . SHA256withECDSA 69 * . SHA384withECDSA 70 * . SHA512withECDSA 71 * . NONEwithECDSAinP1363Format 72 * . SHA1withECDSAinP1363Format 73 * . SHA224withECDSAinP1363Format 74 * . SHA256withECDSAinP1363Format 75 * . SHA384withECDSAinP1363Format 76 * . SHA512withECDSAinP1363Format 77 * 78 * Note that the underlying PKCS#11 token may support complete signature 79 * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just 80 * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS), 81 * or it may only implement the raw public key operation (CKM_RSA_X_509). 82 * This class uses what is available and adds whatever extra processing 83 * is needed. 84 * 85 * @author Andreas Sterbenz 86 * @since 1.5 87 */ 88 final class P11Signature extends SignatureSpi { 89 90 // token instance 91 private final Token token; 92 93 // algorithm name 94 private final String algorithm; 95 96 // name of the key algorithm, currently either RSA or DSA 97 private final String keyAlgorithm; 98 99 // mechanism id 100 private final long mechanism; 101 102 // digest algorithm OID, if we encode RSA signature ourselves 103 private final ObjectIdentifier digestOID; 104 105 // type, one of T_* below 106 private final int type; 107 108 // key instance used, if init*() was called 109 private P11Key p11Key; 110 111 // message digest, if we do the digesting ourselves 112 private final MessageDigest md; 113 114 // associated session, if any 115 private Session session; 116 117 // mode, one of M_* below 118 private int mode; 119 120 // flag indicating whether an operation is initialized 121 private boolean initialized; 122 123 // buffer, for update(byte) or DSA 124 private final byte[] buffer; 125 126 // total number of bytes processed in current operation 127 private int bytesProcessed; 128 129 // The format, to be used for DSA and ECDSA signatures. 130 // If true, the IEEE P1363 format will be used, the concatenation of 131 // r and s. If false (default), the signature will be formatted as a 132 // DER-encoded ASN.1 sequence of r and s. 133 private boolean p1363Format = false; 134 135 // constant for signing mode 136 private final static int M_SIGN = 1; 137 // constant for verification mode 138 private final static int M_VERIFY = 2; 139 140 // constant for type digesting, we do the hashing ourselves 141 private final static int T_DIGEST = 1; 142 // constant for type update, token does everything 143 private final static int T_UPDATE = 2; 144 // constant for type raw, used with RawDSA and NONEwithECDSA only 145 private final static int T_RAW = 3; 146 147 // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits", 148 // but this is a little arbitrary 149 private final static int RAW_ECDSA_MAX = 128; 150 151 P11Signature(Token token, String algorithm, long mechanism) 152 throws NoSuchAlgorithmException, PKCS11Exception { 153 super(); 154 this.token = token; 155 this.algorithm = algorithm; 156 this.mechanism = mechanism; 157 byte[] buffer = null; 158 ObjectIdentifier digestOID = null; 159 MessageDigest md = null; 160 switch ((int)mechanism) { 161 case (int)CKM_MD2_RSA_PKCS: 162 case (int)CKM_MD5_RSA_PKCS: 163 case (int)CKM_SHA1_RSA_PKCS: 164 case (int)CKM_SHA224_RSA_PKCS: 165 case (int)CKM_SHA256_RSA_PKCS: 166 case (int)CKM_SHA384_RSA_PKCS: 167 case (int)CKM_SHA512_RSA_PKCS: 168 keyAlgorithm = "RSA"; 169 type = T_UPDATE; 170 buffer = new byte[1]; 171 break; 172 case (int)CKM_DSA_SHA1: 173 keyAlgorithm = "DSA"; 174 type = T_UPDATE; 175 buffer = new byte[1]; 176 break; 177 case (int)CKM_ECDSA_SHA1: 178 keyAlgorithm = "EC"; 179 type = T_UPDATE; 180 buffer = new byte[1]; 181 break; 182 case (int)CKM_DSA: 183 keyAlgorithm = "DSA"; 184 if (algorithm.equals("DSA") || 185 algorithm.equals("DSAinP1363Format")) { 186 type = T_DIGEST; 187 md = MessageDigest.getInstance("SHA-1"); 188 } else if (algorithm.equals("RawDSA") || 189 algorithm.equals("RawDSAinP1363Format")) { 190 type = T_RAW; 191 buffer = new byte[20]; 192 } else { 193 throw new ProviderException(algorithm); 194 } 195 break; 196 case (int)CKM_ECDSA: 197 keyAlgorithm = "EC"; 198 if (algorithm.equals("NONEwithECDSA") || 199 algorithm.equals("NONEwithECDSAinP1363Format")) { 200 type = T_RAW; 201 buffer = new byte[RAW_ECDSA_MAX]; 202 } else { 203 String digestAlg; 204 if (algorithm.equals("SHA1withECDSA") || 205 algorithm.equals("SHA1withECDSAinP1363Format")) { 206 digestAlg = "SHA-1"; 207 } else if (algorithm.equals("SHA224withECDSA") || 208 algorithm.equals("SHA224withECDSAinP1363Format")) { 209 digestAlg = "SHA-224"; 210 } else if (algorithm.equals("SHA256withECDSA") || 211 algorithm.equals("SHA256withECDSAinP1363Format")) { 212 digestAlg = "SHA-256"; 213 } else if (algorithm.equals("SHA384withECDSA") || 214 algorithm.equals("SHA384withECDSAinP1363Format")) { 215 digestAlg = "SHA-384"; 216 } else if (algorithm.equals("SHA512withECDSA") || 217 algorithm.equals("SHA512withECDSAinP1363Format")) { 218 digestAlg = "SHA-512"; 219 } else { 220 throw new ProviderException(algorithm); 221 } 222 type = T_DIGEST; 223 md = MessageDigest.getInstance(digestAlg); 224 } 225 break; 226 case (int)CKM_RSA_PKCS: 227 case (int)CKM_RSA_X_509: 228 keyAlgorithm = "RSA"; 229 type = T_DIGEST; 230 if (algorithm.equals("MD5withRSA")) { 231 md = MessageDigest.getInstance("MD5"); 232 digestOID = AlgorithmId.MD5_oid; 233 } else if (algorithm.equals("SHA1withRSA")) { 234 md = MessageDigest.getInstance("SHA-1"); 235 digestOID = AlgorithmId.SHA_oid; 236 } else if (algorithm.equals("MD2withRSA")) { 237 md = MessageDigest.getInstance("MD2"); 238 digestOID = AlgorithmId.MD2_oid; 239 } else if (algorithm.equals("SHA224withRSA")) { 240 md = MessageDigest.getInstance("SHA-224"); 241 digestOID = AlgorithmId.SHA224_oid; 242 } else if (algorithm.equals("SHA256withRSA")) { 243 md = MessageDigest.getInstance("SHA-256"); 244 digestOID = AlgorithmId.SHA256_oid; 245 } else if (algorithm.equals("SHA384withRSA")) { 246 md = MessageDigest.getInstance("SHA-384"); 247 digestOID = AlgorithmId.SHA384_oid; 248 } else if (algorithm.equals("SHA512withRSA")) { 249 md = MessageDigest.getInstance("SHA-512"); 250 digestOID = AlgorithmId.SHA512_oid; 251 } else { 252 throw new ProviderException("Unknown signature: " + algorithm); 253 } 254 break; 255 default: 256 throw new ProviderException("Unknown mechanism: " + mechanism); 257 } 258 this.buffer = buffer; 259 this.digestOID = digestOID; 260 this.md = md; 261 if (algorithm.endsWith("inP1363Format")) { 262 this.p1363Format = true; 263 } 264 } 265 266 private void ensureInitialized() { 267 token.ensureValid(); 268 if (initialized == false) { 269 initialize(); 270 } 271 } 272 273 private void cancelOperation() { 274 token.ensureValid(); 275 if (initialized == false) { 276 return; 277 } 278 initialized = false; 279 if ((session == null) || (token.explicitCancel == false)) { 280 return; 281 } 282 if (session.hasObjects() == false) { 283 session = token.killSession(session); 284 return; 285 } 286 try { 287 // "cancel" operation by finishing it 288 // XXX make sure all this always works correctly 289 if (mode == M_SIGN) { 290 try { 291 if (type == T_UPDATE) { 292 token.p11.C_SignFinal(session.id(), 0); 293 } else { 294 byte[] digest; 295 if (type == T_DIGEST) { 296 digest = md.digest(); 297 } else { // T_RAW 298 digest = buffer; 299 } 300 token.p11.C_Sign(session.id(), digest); 301 } 302 } catch (PKCS11Exception e) { 303 throw new ProviderException("cancel failed", e); 304 } 305 } else { // M_VERIFY 306 try { 307 byte[] signature; 308 if (keyAlgorithm.equals("DSA")) { 309 signature = new byte[40]; 310 } else { 311 signature = new byte[(p11Key.length() + 7) >> 3]; 312 } 313 if (type == T_UPDATE) { 314 token.p11.C_VerifyFinal(session.id(), signature); 315 } else { 316 byte[] digest; 317 if (type == T_DIGEST) { 318 digest = md.digest(); 319 } else { // T_RAW 320 digest = buffer; 321 } 322 token.p11.C_Verify(session.id(), digest, signature); 323 } 324 } catch (PKCS11Exception e) { 325 // will fail since the signature is incorrect 326 // XXX check error code 327 } 328 } 329 } finally { 330 session = token.releaseSession(session); 331 } 332 } 333 334 // assumes current state is initialized == false 335 private void initialize() { 336 try { 337 if (session == null) { 338 session = token.getOpSession(); 339 } 340 if (mode == M_SIGN) { 341 token.p11.C_SignInit(session.id(), 342 new CK_MECHANISM(mechanism), p11Key.keyID); 343 } else { 344 token.p11.C_VerifyInit(session.id(), 345 new CK_MECHANISM(mechanism), p11Key.keyID); 346 } 347 initialized = true; 348 } catch (PKCS11Exception e) { 349 // release session when initialization failed 350 session = token.releaseSession(session); 351 throw new ProviderException("Initialization failed", e); 352 } 353 if (bytesProcessed != 0) { 354 bytesProcessed = 0; 355 if (md != null) { 356 md.reset(); 357 } 358 } 359 } 360 361 private void checkKeySize(String keyAlgo, Key key) 362 throws InvalidKeyException { 363 CK_MECHANISM_INFO mechInfo = null; 364 try { 365 mechInfo = token.getMechanismInfo(mechanism); 366 } catch (PKCS11Exception e) { 367 // should not happen, ignore for now. 368 } 369 if (mechInfo == null) { 370 // skip the check if no native info available 371 return; 372 } 373 int minKeySize = (int) mechInfo.ulMinKeySize; 374 int maxKeySize = (int) mechInfo.ulMaxKeySize; 375 // need to override the MAX keysize for SHA1withDSA 376 if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) { 377 maxKeySize = 1024; 378 } 379 int keySize = 0; 380 if (key instanceof P11Key) { 381 keySize = ((P11Key) key).length(); 382 } else { 383 try { 384 if (keyAlgo.equals("RSA")) { 385 keySize = ((RSAKey) key).getModulus().bitLength(); 386 } else if (keyAlgo.equals("DSA")) { 387 keySize = ((DSAKey) key).getParams().getP().bitLength(); 388 } else if (keyAlgo.equals("EC")) { 389 keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize(); 390 } else { 391 throw new ProviderException("Error: unsupported algo " + keyAlgo); 392 } 393 } catch (ClassCastException cce) { 394 throw new InvalidKeyException(keyAlgo + 395 " key must be the right type", cce); 396 } 397 } 398 if ((minKeySize != -1) && (keySize < minKeySize)) { 399 throw new InvalidKeyException(keyAlgo + 400 " key must be at least " + minKeySize + " bits"); 401 } 402 if ((maxKeySize != -1) && (keySize > maxKeySize)) { 403 throw new InvalidKeyException(keyAlgo + 404 " key must be at most " + maxKeySize + " bits"); 405 } 406 if (keyAlgo.equals("RSA")) { 407 checkRSAKeyLength(keySize); 408 } 409 } 410 411 private void checkRSAKeyLength(int len) throws InvalidKeyException { 412 RSAPadding padding; 413 try { 414 padding = RSAPadding.getInstance 415 (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3); 416 } catch (InvalidAlgorithmParameterException iape) { 417 throw new InvalidKeyException(iape.getMessage()); 418 } 419 int maxDataSize = padding.getMaxDataSize(); 420 int encodedLength; 421 if (algorithm.equals("MD5withRSA") || 422 algorithm.equals("MD2withRSA")) { 423 encodedLength = 34; 424 } else if (algorithm.equals("SHA1withRSA")) { 425 encodedLength = 35; 426 } else if (algorithm.equals("SHA224withRSA")) { 427 encodedLength = 47; 428 } else if (algorithm.equals("SHA256withRSA")) { 429 encodedLength = 51; 430 } else if (algorithm.equals("SHA384withRSA")) { 431 encodedLength = 67; 432 } else if (algorithm.equals("SHA512withRSA")) { 433 encodedLength = 83; 434 } else { 435 throw new ProviderException("Unknown signature algo: " + algorithm); 436 } 437 if (encodedLength > maxDataSize) { 438 throw new InvalidKeyException 439 ("Key is too short for this signature algorithm"); 440 } 441 } 442 443 // see JCA spec 444 @Override 445 protected void engineInitVerify(PublicKey publicKey) 446 throws InvalidKeyException { 447 if (publicKey == null) { 448 throw new InvalidKeyException("Key must not be null"); 449 } 450 // Need to check key length whenever a new key is set 451 if (publicKey != p11Key) { 452 checkKeySize(keyAlgorithm, publicKey); 453 } 454 cancelOperation(); 455 mode = M_VERIFY; 456 p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm); 457 initialize(); 458 } 459 460 // see JCA spec 461 @Override 462 protected void engineInitSign(PrivateKey privateKey) 463 throws InvalidKeyException { 464 if (privateKey == null) { 465 throw new InvalidKeyException("Key must not be null"); 466 } 467 // Need to check RSA key length whenever a new key is set 468 if (privateKey != p11Key) { 469 checkKeySize(keyAlgorithm, privateKey); 470 } 471 cancelOperation(); 472 mode = M_SIGN; 473 p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm); 474 initialize(); 475 } 476 477 // see JCA spec 478 @Override 479 protected void engineUpdate(byte b) throws SignatureException { 480 ensureInitialized(); 481 switch (type) { 482 case T_UPDATE: 483 buffer[0] = b; 484 engineUpdate(buffer, 0, 1); 485 break; 486 case T_DIGEST: 487 md.update(b); 488 bytesProcessed++; 489 break; 490 case T_RAW: 491 if (bytesProcessed >= buffer.length) { 492 bytesProcessed = buffer.length + 1; 493 return; 494 } 495 buffer[bytesProcessed++] = b; 496 break; 497 default: 498 throw new ProviderException("Internal error"); 499 } 500 } 501 502 // see JCA spec 503 @Override 504 protected void engineUpdate(byte[] b, int ofs, int len) 505 throws SignatureException { 506 ensureInitialized(); 507 if (len == 0) { 508 return; 509 } 510 // check for overflow 511 if (len + bytesProcessed < 0) { 512 throw new ProviderException("Processed bytes limits exceeded."); 513 } 514 switch (type) { 515 case T_UPDATE: 516 try { 517 if (mode == M_SIGN) { 518 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); 519 } else { 520 token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len); 521 } 522 bytesProcessed += len; 523 } catch (PKCS11Exception e) { 524 initialized = false; 525 session = token.releaseSession(session); 526 throw new ProviderException(e); 527 } 528 break; 529 case T_DIGEST: 530 md.update(b, ofs, len); 531 bytesProcessed += len; 532 break; 533 case T_RAW: 534 if (bytesProcessed + len > buffer.length) { 535 bytesProcessed = buffer.length + 1; 536 return; 537 } 538 System.arraycopy(b, ofs, buffer, bytesProcessed, len); 539 bytesProcessed += len; 540 break; 541 default: 542 throw new ProviderException("Internal error"); 543 } 544 } 545 546 // see JCA spec 547 @Override 548 protected void engineUpdate(ByteBuffer byteBuffer) { 549 ensureInitialized(); 550 int len = byteBuffer.remaining(); 551 if (len <= 0) { 552 return; 553 } 554 switch (type) { 555 case T_UPDATE: 556 if (byteBuffer instanceof DirectBuffer == false) { 557 // cannot do better than default impl 558 super.engineUpdate(byteBuffer); 559 return; 560 } 561 long addr = ((DirectBuffer)byteBuffer).address(); 562 int ofs = byteBuffer.position(); 563 try { 564 if (mode == M_SIGN) { 565 token.p11.C_SignUpdate 566 (session.id(), addr + ofs, null, 0, len); 567 } else { 568 token.p11.C_VerifyUpdate 569 (session.id(), addr + ofs, null, 0, len); 570 } 571 bytesProcessed += len; 572 byteBuffer.position(ofs + len); 573 } catch (PKCS11Exception e) { 574 initialized = false; 575 session = token.releaseSession(session); 576 throw new ProviderException("Update failed", e); 577 } 578 break; 579 case T_DIGEST: 580 md.update(byteBuffer); 581 bytesProcessed += len; 582 break; 583 case T_RAW: 584 if (bytesProcessed + len > buffer.length) { 585 bytesProcessed = buffer.length + 1; 586 return; 587 } 588 byteBuffer.get(buffer, bytesProcessed, len); 589 bytesProcessed += len; 590 break; 591 default: 592 throw new ProviderException("Internal error"); 593 } 594 } 595 596 // see JCA spec 597 @Override 598 protected byte[] engineSign() throws SignatureException { 599 ensureInitialized(); 600 try { 601 byte[] signature; 602 if (type == T_UPDATE) { 603 int len = keyAlgorithm.equals("DSA") ? 40 : 0; 604 signature = token.p11.C_SignFinal(session.id(), len); 605 } else { 606 byte[] digest; 607 if (type == T_DIGEST) { 608 digest = md.digest(); 609 } else { // T_RAW 610 if (mechanism == CKM_DSA) { 611 if (bytesProcessed != buffer.length) { 612 throw new SignatureException 613 ("Data for RawDSA must be exactly 20 bytes long"); 614 } 615 digest = buffer; 616 } else { // CKM_ECDSA 617 if (bytesProcessed > buffer.length) { 618 throw new SignatureException("Data for NONEwithECDSA" 619 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 620 } 621 digest = new byte[bytesProcessed]; 622 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 623 } 624 } 625 if (keyAlgorithm.equals("RSA") == false) { 626 // DSA and ECDSA 627 signature = token.p11.C_Sign(session.id(), digest); 628 } else { // RSA 629 byte[] data = encodeSignature(digest); 630 if (mechanism == CKM_RSA_X_509) { 631 data = pkcs1Pad(data); 632 } 633 signature = token.p11.C_Sign(session.id(), data); 634 } 635 } 636 if (keyAlgorithm.equals("RSA")) { 637 return signature; 638 } else { 639 if (p1363Format) { 640 return signature; 641 } else { 642 return dsaToASN1(signature); 643 } 644 } 645 } catch (PKCS11Exception pe) { 646 throw new ProviderException(pe); 647 } catch (SignatureException | ProviderException e) { 648 cancelOperation(); 649 throw e; 650 } finally { 651 initialized = false; 652 session = token.releaseSession(session); 653 } 654 } 655 656 // see JCA spec 657 @Override 658 protected boolean engineVerify(byte[] signature) throws SignatureException { 659 ensureInitialized(); 660 try { 661 if (!p1363Format) { 662 if (keyAlgorithm.equals("DSA")) { 663 signature = asn1ToDSA(signature); 664 } else if (keyAlgorithm.equals("EC")) { 665 signature = asn1ToECDSA(signature); 666 } 667 } 668 if (type == T_UPDATE) { 669 token.p11.C_VerifyFinal(session.id(), signature); 670 } else { 671 byte[] digest; 672 if (type == T_DIGEST) { 673 digest = md.digest(); 674 } else { // T_RAW 675 if (mechanism == CKM_DSA) { 676 if (bytesProcessed != buffer.length) { 677 throw new SignatureException 678 ("Data for RawDSA must be exactly 20 bytes long"); 679 } 680 digest = buffer; 681 } else { 682 if (bytesProcessed > buffer.length) { 683 throw new SignatureException("Data for NONEwithECDSA" 684 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 685 } 686 digest = new byte[bytesProcessed]; 687 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 688 } 689 } 690 if (keyAlgorithm.equals("RSA") == false) { 691 // DSA and ECDSA 692 token.p11.C_Verify(session.id(), digest, signature); 693 } else { // RSA 694 byte[] data = encodeSignature(digest); 695 if (mechanism == CKM_RSA_X_509) { 696 data = pkcs1Pad(data); 697 } 698 token.p11.C_Verify(session.id(), data, signature); 699 } 700 } 701 return true; 702 } catch (PKCS11Exception pe) { 703 long errorCode = pe.getErrorCode(); 704 if (errorCode == CKR_SIGNATURE_INVALID) { 705 return false; 706 } 707 if (errorCode == CKR_SIGNATURE_LEN_RANGE) { 708 // return false rather than throwing an exception 709 return false; 710 } 711 // ECF bug? 712 if (errorCode == CKR_DATA_LEN_RANGE) { 713 return false; 714 } 715 throw new ProviderException(pe); 716 } catch (SignatureException | ProviderException e) { 717 cancelOperation(); 718 throw e; 719 } finally { 720 initialized = false; 721 session = token.releaseSession(session); 722 } 723 } 724 725 private byte[] pkcs1Pad(byte[] data) { 726 try { 727 int len = (p11Key.length() + 7) >> 3; 728 RSAPadding padding = RSAPadding.getInstance 729 (RSAPadding.PAD_BLOCKTYPE_1, len); 730 byte[] padded = padding.pad(data); 731 return padded; 732 } catch (GeneralSecurityException e) { 733 throw new ProviderException(e); 734 } 735 } 736 737 private byte[] encodeSignature(byte[] digest) throws SignatureException { 738 try { 739 return RSASignature.encodeSignature(digestOID, digest); 740 } catch (IOException e) { 741 throw new SignatureException("Invalid encoding", e); 742 } 743 } 744 745 // private static byte[] decodeSignature(byte[] signature) throws IOException { 746 // return RSASignature.decodeSignature(digestOID, signature); 747 // } 748 749 // For DSA and ECDSA signatures, PKCS#11 represents them as a simple 750 // byte array that contains the concatenation of r and s. 751 // For DSA, r and s are always exactly 20 bytes long. 752 // For ECDSA, r and s are of variable length, but we know that each 753 // occupies half of the array. 754 private static byte[] dsaToASN1(byte[] signature) { 755 int n = signature.length >> 1; 756 BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n)); 757 BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n)); 758 try { 759 DerOutputStream outseq = new DerOutputStream(100); 760 outseq.putInteger(r); 761 outseq.putInteger(s); 762 DerValue result = new DerValue(DerValue.tag_Sequence, 763 outseq.toByteArray()); 764 return result.toByteArray(); 765 } catch (java.io.IOException e) { 766 throw new RuntimeException("Internal error", e); 767 } 768 } 769 770 private static byte[] asn1ToDSA(byte[] sig) throws SignatureException { 771 try { 772 // Enforce strict DER checking for signatures 773 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 774 DerValue[] values = in.getSequence(2); 775 776 // check number of components in the read sequence 777 // and trailing data 778 if ((values.length != 2) || (in.available() != 0)) { 779 throw new IOException("Invalid encoding for signature"); 780 } 781 782 BigInteger r = values[0].getPositiveBigInteger(); 783 BigInteger s = values[1].getPositiveBigInteger(); 784 785 byte[] br = toByteArray(r, 20); 786 byte[] bs = toByteArray(s, 20); 787 if ((br == null) || (bs == null)) { 788 throw new SignatureException("Out of range value for R or S"); 789 } 790 return P11Util.concat(br, bs); 791 } catch (SignatureException e) { 792 throw e; 793 } catch (Exception e) { 794 throw new SignatureException("Invalid encoding for signature", e); 795 } 796 } 797 798 private byte[] asn1ToECDSA(byte[] sig) throws SignatureException { 799 try { 800 // Enforce strict DER checking for signatures 801 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 802 DerValue[] values = in.getSequence(2); 803 804 // check number of components in the read sequence 805 // and trailing data 806 if ((values.length != 2) || (in.available() != 0)) { 807 throw new IOException("Invalid encoding for signature"); 808 } 809 810 BigInteger r = values[0].getPositiveBigInteger(); 811 BigInteger s = values[1].getPositiveBigInteger(); 812 813 // trim leading zeroes 814 byte[] br = KeyUtil.trimZeroes(r.toByteArray()); 815 byte[] bs = KeyUtil.trimZeroes(s.toByteArray()); 816 int k = Math.max(br.length, bs.length); 817 // r and s each occupy half the array 818 byte[] res = new byte[k << 1]; 819 System.arraycopy(br, 0, res, k - br.length, br.length); 820 System.arraycopy(bs, 0, res, res.length - bs.length, bs.length); 821 return res; 822 } catch (Exception e) { 823 throw new SignatureException("Invalid encoding for signature", e); 824 } 825 } 826 827 private static byte[] toByteArray(BigInteger bi, int len) { 828 byte[] b = bi.toByteArray(); 829 int n = b.length; 830 if (n == len) { 831 return b; 832 } 833 if ((n == len + 1) && (b[0] == 0)) { 834 byte[] t = new byte[len]; 835 System.arraycopy(b, 1, t, 0, len); 836 return t; 837 } 838 if (n > len) { 839 return null; 840 } 841 // must be smaller 842 byte[] t = new byte[len]; 843 System.arraycopy(b, 0, t, (len - n), n); 844 return t; 845 } 846 847 // see JCA spec 848 @SuppressWarnings("deprecation") 849 @Override 850 protected void engineSetParameter(String param, Object value) 851 throws InvalidParameterException { 852 throw new UnsupportedOperationException("setParameter() not supported"); 853 } 854 855 // see JCA spec 856 @Override 857 protected void engineSetParameter(AlgorithmParameterSpec params) 858 throws InvalidAlgorithmParameterException { 859 if (params != null) { 860 throw new InvalidAlgorithmParameterException("No parameter accepted"); 861 } 862 } 863 864 // see JCA spec 865 @SuppressWarnings("deprecation") 866 @Override 867 protected Object engineGetParameter(String param) 868 throws InvalidParameterException { 869 throw new UnsupportedOperationException("getParameter() not supported"); 870 } 871 872 // see JCA spec 873 @Override 874 protected AlgorithmParameters engineGetParameters() { 875 return null; 876 } 877 }