1 /* 2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.pkcs11; 27 28 import java.io.IOException; 29 import java.math.BigInteger; 30 import java.nio.ByteBuffer; 31 32 import java.security.*; 33 import java.security.interfaces.*; 34 import java.security.spec.AlgorithmParameterSpec; 35 import sun.nio.ch.DirectBuffer; 36 37 import sun.security.util.*; 38 import sun.security.x509.AlgorithmId; 39 40 import sun.security.rsa.RSASignature; 41 import sun.security.rsa.RSAPadding; 42 43 import sun.security.pkcs11.wrapper.*; 44 import static sun.security.pkcs11.wrapper.PKCS11Constants.*; 45 import sun.security.util.KeyUtil; 46 47 /** 48 * Signature implementation class. This class currently supports the 49 * following algorithms: 50 * 51 * . DSA 52 * . NONEwithDSA (RawDSA) 53 * . SHA1withDSA 54 * . NONEwithDSAinP1363Format (RawDSAinP1363Format) 55 * . SHA1withDSAinP1363Format 56 * . RSA: 57 * . MD2withRSA 58 * . MD5withRSA 59 * . SHA1withRSA 60 * . SHA224withRSA 61 * . SHA256withRSA 62 * . SHA384withRSA 63 * . SHA512withRSA 64 * . ECDSA 65 * . NONEwithECDSA 66 * . SHA1withECDSA 67 * . SHA224withECDSA 68 * . SHA256withECDSA 69 * . SHA384withECDSA 70 * . SHA512withECDSA 71 * . NONEwithECDSAinP1363Format 72 * . SHA1withECDSAinP1363Format 73 * . SHA224withECDSAinP1363Format 74 * . SHA256withECDSAinP1363Format 75 * . SHA384withECDSAinP1363Format 76 * . SHA512withECDSAinP1363Format 77 * 78 * Note that the underlying PKCS#11 token may support complete signature 79 * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just 80 * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS), 81 * or it may only implement the raw public key operation (CKM_RSA_X_509). 82 * This class uses what is available and adds whatever extra processing 83 * is needed. 84 * 85 * @author Andreas Sterbenz 86 * @since 1.5 87 */ 88 final class P11Signature extends SignatureSpi { 89 90 // token instance 91 private final Token token; 92 93 // algorithm name 94 private final String algorithm; 95 96 // name of the key algorithm, currently either RSA or DSA 97 private final String keyAlgorithm; 98 99 // mechanism id 100 private final long mechanism; 101 102 // digest algorithm OID, if we encode RSA signature ourselves 103 private final ObjectIdentifier digestOID; 104 105 // type, one of T_* below 106 private final int type; 107 108 // key instance used, if init*() was called 109 private P11Key p11Key; 110 111 // message digest, if we do the digesting ourselves 112 private final MessageDigest md; 113 114 // associated session, if any 115 private Session session; 116 117 // mode, one of M_* below 118 private int mode; 119 120 // flag indicating whether an operation is initialized 121 private boolean initialized; 122 123 // buffer, for update(byte) or DSA 124 private final byte[] buffer; 125 126 // total number of bytes processed in current operation 127 private int bytesProcessed; 128 129 // The format, to be used for DSA and ECDSA signatures. 130 // If true, the IEEE P1363 format will be used, the concatenation of 131 // r and s. If false (default), the signature will be formatted as a 132 // DER-encoded ASN.1 sequence of r and s. 133 private boolean p1363Format = false; 134 135 // constant for signing mode 136 private final static int M_SIGN = 1; 137 // constant for verification mode 138 private final static int M_VERIFY = 2; 139 140 // constant for type digesting, we do the hashing ourselves 141 private final static int T_DIGEST = 1; 142 // constant for type update, token does everything 143 private final static int T_UPDATE = 2; 144 // constant for type raw, used with RawDSA and NONEwithECDSA only 145 private final static int T_RAW = 3; 146 147 // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits", 148 // but this is a little arbitrary 149 private final static int RAW_ECDSA_MAX = 128; 150 151 P11Signature(Token token, String algorithm, long mechanism) 152 throws NoSuchAlgorithmException, PKCS11Exception { 153 super(); 154 this.token = token; 155 this.algorithm = algorithm; 156 this.mechanism = mechanism; 157 byte[] buffer = null; 158 ObjectIdentifier digestOID = null; 159 MessageDigest md = null; 160 switch ((int)mechanism) { 161 case (int)CKM_MD2_RSA_PKCS: 162 case (int)CKM_MD5_RSA_PKCS: 163 case (int)CKM_SHA1_RSA_PKCS: 164 case (int)CKM_SHA224_RSA_PKCS: 165 case (int)CKM_SHA256_RSA_PKCS: 166 case (int)CKM_SHA384_RSA_PKCS: 167 case (int)CKM_SHA512_RSA_PKCS: 168 keyAlgorithm = "RSA"; 169 type = T_UPDATE; 170 buffer = new byte[1]; 171 break; 172 case (int)CKM_DSA_SHA1: 173 keyAlgorithm = "DSA"; 174 type = T_UPDATE; 175 buffer = new byte[1]; 176 break; 177 case (int)CKM_ECDSA_SHA1: 178 keyAlgorithm = "EC"; 179 type = T_UPDATE; 180 buffer = new byte[1]; 181 break; 182 case (int)CKM_DSA: 183 keyAlgorithm = "DSA"; 184 if (algorithm.equals("DSA") || 185 algorithm.equals("DSAinP1363Format")) { 186 type = T_DIGEST; 187 md = MessageDigest.getInstance("SHA-1"); 188 } else if (algorithm.equals("RawDSA") || 189 algorithm.equals("RawDSAinP1363Format")) { 190 type = T_RAW; 191 buffer = new byte[20]; 192 } else { 193 throw new ProviderException(algorithm); 194 } 195 break; 196 case (int)CKM_ECDSA: 197 keyAlgorithm = "EC"; 198 if (algorithm.equals("NONEwithECDSA") || 199 algorithm.equals("NONEwithECDSAinP1363Format")) { 200 type = T_RAW; 201 buffer = new byte[RAW_ECDSA_MAX]; 202 } else { 203 String digestAlg; 204 if (algorithm.equals("SHA1withECDSA") || 205 algorithm.equals("SHA1withECDSAinP1363Format")) { 206 digestAlg = "SHA-1"; 207 } else if (algorithm.equals("SHA224withECDSA") || 208 algorithm.equals("SHA224withECDSAinP1363Format")) { 209 digestAlg = "SHA-224"; 210 } else if (algorithm.equals("SHA256withECDSA") || 211 algorithm.equals("SHA256withECDSAinP1363Format")) { 212 digestAlg = "SHA-256"; 213 } else if (algorithm.equals("SHA384withECDSA") || 214 algorithm.equals("SHA384withECDSAinP1363Format")) { 215 digestAlg = "SHA-384"; 216 } else if (algorithm.equals("SHA512withECDSA") || 217 algorithm.equals("SHA512withECDSAinP1363Format")) { 218 digestAlg = "SHA-512"; 219 } else { 220 throw new ProviderException(algorithm); 221 } 222 type = T_DIGEST; 223 md = MessageDigest.getInstance(digestAlg); 224 } 225 break; 226 case (int)CKM_RSA_PKCS: 227 case (int)CKM_RSA_X_509: 228 keyAlgorithm = "RSA"; 229 type = T_DIGEST; 230 if (algorithm.equals("MD5withRSA")) { 231 md = MessageDigest.getInstance("MD5"); 232 digestOID = AlgorithmId.MD5_oid; 233 } else if (algorithm.equals("SHA1withRSA")) { 234 md = MessageDigest.getInstance("SHA-1"); 235 digestOID = AlgorithmId.SHA_oid; 236 } else if (algorithm.equals("MD2withRSA")) { 237 md = MessageDigest.getInstance("MD2"); 238 digestOID = AlgorithmId.MD2_oid; 239 } else if (algorithm.equals("SHA224withRSA")) { 240 md = MessageDigest.getInstance("SHA-224"); 241 digestOID = AlgorithmId.SHA224_oid; 242 } else if (algorithm.equals("SHA256withRSA")) { 243 md = MessageDigest.getInstance("SHA-256"); 244 digestOID = AlgorithmId.SHA256_oid; 245 } else if (algorithm.equals("SHA384withRSA")) { 246 md = MessageDigest.getInstance("SHA-384"); 247 digestOID = AlgorithmId.SHA384_oid; 248 } else if (algorithm.equals("SHA512withRSA")) { 249 md = MessageDigest.getInstance("SHA-512"); 250 digestOID = AlgorithmId.SHA512_oid; 251 } else { 252 throw new ProviderException("Unknown signature: " + algorithm); 253 } 254 break; 255 default: 256 throw new ProviderException("Unknown mechanism: " + mechanism); 257 } 258 this.buffer = buffer; 259 this.digestOID = digestOID; 260 this.md = md; 261 if (algorithm.endsWith("inP1363Format")) { 262 this.p1363Format = true; 263 } 264 } 265 266 // reset the states to the pre-initialized values 267 private void reset(boolean doCancel) { 268 if (!initialized) { 269 return; 270 } 271 initialized = false; 272 try { 273 if (session == null) { 274 return; 275 } 276 if (doCancel && token.explicitCancel) { 277 cancelOperation(); 278 } 279 } finally { 280 p11Key.decNativeKeyRef(); 281 session = token.releaseSession(session); 282 } 283 } 284 285 private void cancelOperation() { 286 token.ensureValid(); 287 if (session.hasObjects() == false) { 288 session = token.killSession(session); 289 return; 290 } else { 291 // "cancel" operation by finishing it 292 // XXX make sure all this always works correctly 293 try { 294 if (mode == M_SIGN) { 295 if (type == T_UPDATE) { 296 token.p11.C_SignFinal(session.id(), 0); 297 } else { 298 byte[] digest; 299 if (type == T_DIGEST) { 300 digest = md.digest(); 301 } else { // T_RAW 302 digest = buffer; 303 } 304 token.p11.C_Sign(session.id(), digest); 305 } 306 } else { // M_VERIFY 307 byte[] signature; 308 if (keyAlgorithm.equals("DSA")) { 309 signature = new byte[40]; 310 } else { 311 signature = new byte[(p11Key.length() + 7) >> 3]; 312 } 313 if (type == T_UPDATE) { 314 token.p11.C_VerifyFinal(session.id(), signature); 315 } else { 316 byte[] digest; 317 if (type == T_DIGEST) { 318 digest = md.digest(); 319 } else { // T_RAW 320 digest = buffer; 321 } 322 token.p11.C_Verify(session.id(), digest, signature); 323 } 324 } 325 } catch (PKCS11Exception e) { 326 throw new ProviderException("cancel failed", e); 327 } 328 } 329 } 330 331 // assumes current state is initialized == false 332 private void ensureInitialized() { 333 if (initialized) { 334 return; 335 } 336 if (p11Key == null) { 337 throw new ProviderException( 338 "Operation cannot be performed without " + 339 "calling engineInit first"); 340 } 341 try { 342 token.ensureValid(); 343 p11Key.incNativeKeyRef(); 344 try { 345 if (session == null) { 346 session = token.getOpSession(); 347 } 348 if (mode == M_SIGN) { 349 token.p11.C_SignInit(session.id(), 350 new CK_MECHANISM(mechanism), p11Key.keyID); 351 } else { 352 token.p11.C_VerifyInit(session.id(), 353 new CK_MECHANISM(mechanism), p11Key.keyID); 354 } 355 } catch (Throwable t) { 356 p11Key.decNativeKeyRef(); 357 session = token.releaseSession(session); 358 throw t; 359 } 360 initialized = true; 361 if (bytesProcessed != 0 && md != null) { 362 md.reset(); 363 } 364 bytesProcessed = 0; 365 } catch (PKCS11Exception e) { 366 throw new ProviderException("Initialization failed", e); 367 } 368 } 369 370 private void checkKeySize(String keyAlgo, Key key) 371 throws InvalidKeyException { 372 CK_MECHANISM_INFO mechInfo = null; 373 try { 374 mechInfo = token.getMechanismInfo(mechanism); 375 } catch (PKCS11Exception e) { 376 // should not happen, ignore for now. 377 } 378 if (mechInfo == null) { 379 // skip the check if no native info available 380 return; 381 } 382 int minKeySize = (int) mechInfo.ulMinKeySize; 383 int maxKeySize = (int) mechInfo.ulMaxKeySize; 384 // need to override the MAX keysize for SHA1withDSA 385 if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) { 386 maxKeySize = 1024; 387 } 388 int keySize = 0; 389 if (key instanceof P11Key) { 390 keySize = ((P11Key) key).length(); 391 } else { 392 try { 393 if (keyAlgo.equals("RSA")) { 394 keySize = ((RSAKey) key).getModulus().bitLength(); 395 } else if (keyAlgo.equals("DSA")) { 396 keySize = ((DSAKey) key).getParams().getP().bitLength(); 397 } else if (keyAlgo.equals("EC")) { 398 keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize(); 399 } else { 400 throw new ProviderException("Error: unsupported algo " + keyAlgo); 401 } 402 } catch (ClassCastException cce) { 403 throw new InvalidKeyException(keyAlgo + 404 " key must be the right type", cce); 405 } 406 } 407 if ((minKeySize != -1) && (keySize < minKeySize)) { 408 throw new InvalidKeyException(keyAlgo + 409 " key must be at least " + minKeySize + " bits"); 410 } 411 if ((maxKeySize != -1) && (keySize > maxKeySize)) { 412 throw new InvalidKeyException(keyAlgo + 413 " key must be at most " + maxKeySize + " bits"); 414 } 415 if (keyAlgo.equals("RSA")) { 416 checkRSAKeyLength(keySize); 417 } 418 } 419 420 private void checkRSAKeyLength(int len) throws InvalidKeyException { 421 RSAPadding padding; 422 try { 423 padding = RSAPadding.getInstance 424 (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3); 425 } catch (InvalidAlgorithmParameterException iape) { 426 throw new InvalidKeyException(iape.getMessage()); 427 } 428 int maxDataSize = padding.getMaxDataSize(); 429 int encodedLength; 430 if (algorithm.equals("MD5withRSA") || 431 algorithm.equals("MD2withRSA")) { 432 encodedLength = 34; 433 } else if (algorithm.equals("SHA1withRSA")) { 434 encodedLength = 35; 435 } else if (algorithm.equals("SHA224withRSA")) { 436 encodedLength = 47; 437 } else if (algorithm.equals("SHA256withRSA")) { 438 encodedLength = 51; 439 } else if (algorithm.equals("SHA384withRSA")) { 440 encodedLength = 67; 441 } else if (algorithm.equals("SHA512withRSA")) { 442 encodedLength = 83; 443 } else { 444 throw new ProviderException("Unknown signature algo: " + algorithm); 445 } 446 if (encodedLength > maxDataSize) { 447 throw new InvalidKeyException 448 ("Key is too short for this signature algorithm"); 449 } 450 } 451 452 // see JCA spec 453 @Override 454 protected void engineInitVerify(PublicKey publicKey) 455 throws InvalidKeyException { 456 if (publicKey == null) { 457 throw new InvalidKeyException("Key must not be null"); 458 } 459 // Need to check key length whenever a new key is set 460 if (publicKey != p11Key) { 461 checkKeySize(keyAlgorithm, publicKey); 462 } 463 reset(true); 464 mode = M_VERIFY; 465 p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm); 466 ensureInitialized(); 467 } 468 469 // see JCA spec 470 @Override 471 protected void engineInitSign(PrivateKey privateKey) 472 throws InvalidKeyException { 473 if (privateKey == null) { 474 throw new InvalidKeyException("Key must not be null"); 475 } 476 // Need to check RSA key length whenever a new key is set 477 if (privateKey != p11Key) { 478 checkKeySize(keyAlgorithm, privateKey); 479 } 480 reset(true); 481 mode = M_SIGN; 482 p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm); 483 ensureInitialized(); 484 } 485 486 // see JCA spec 487 @Override 488 protected void engineUpdate(byte b) throws SignatureException { 489 ensureInitialized(); 490 switch (type) { 491 case T_UPDATE: 492 buffer[0] = b; 493 engineUpdate(buffer, 0, 1); 494 break; 495 case T_DIGEST: 496 md.update(b); 497 bytesProcessed++; 498 break; 499 case T_RAW: 500 if (bytesProcessed >= buffer.length) { 501 bytesProcessed = buffer.length + 1; 502 return; 503 } 504 buffer[bytesProcessed++] = b; 505 break; 506 default: 507 throw new ProviderException("Internal error"); 508 } 509 } 510 511 // see JCA spec 512 @Override 513 protected void engineUpdate(byte[] b, int ofs, int len) 514 throws SignatureException { 515 ensureInitialized(); 516 if (len == 0) { 517 return; 518 } 519 // check for overflow 520 if (len + bytesProcessed < 0) { 521 throw new ProviderException("Processed bytes limits exceeded."); 522 } 523 switch (type) { 524 case T_UPDATE: 525 try { 526 if (mode == M_SIGN) { 527 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); 528 } else { 529 token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len); 530 } 531 bytesProcessed += len; 532 } catch (PKCS11Exception e) { 533 reset(true); 534 throw new ProviderException(e); 535 } 536 break; 537 case T_DIGEST: 538 md.update(b, ofs, len); 539 bytesProcessed += len; 540 break; 541 case T_RAW: 542 if (bytesProcessed + len > buffer.length) { 543 bytesProcessed = buffer.length + 1; 544 return; 545 } 546 System.arraycopy(b, ofs, buffer, bytesProcessed, len); 547 bytesProcessed += len; 548 break; 549 default: 550 throw new ProviderException("Internal error"); 551 } 552 } 553 554 // see JCA spec 555 @Override 556 protected void engineUpdate(ByteBuffer byteBuffer) { 557 ensureInitialized(); 558 int len = byteBuffer.remaining(); 559 if (len <= 0) { 560 return; 561 } 562 switch (type) { 563 case T_UPDATE: 564 if (byteBuffer instanceof DirectBuffer == false) { 565 // cannot do better than default impl 566 super.engineUpdate(byteBuffer); 567 return; 568 } 569 long addr = ((DirectBuffer)byteBuffer).address(); 570 int ofs = byteBuffer.position(); 571 try { 572 if (mode == M_SIGN) { 573 token.p11.C_SignUpdate 574 (session.id(), addr + ofs, null, 0, len); 575 } else { 576 token.p11.C_VerifyUpdate 577 (session.id(), addr + ofs, null, 0, len); 578 } 579 bytesProcessed += len; 580 byteBuffer.position(ofs + len); 581 } catch (PKCS11Exception e) { 582 initialized = false; 583 session = token.releaseSession(session); 584 throw new ProviderException("Update failed", e); 585 } 586 break; 587 case T_DIGEST: 588 md.update(byteBuffer); 589 bytesProcessed += len; 590 break; 591 case T_RAW: 592 if (bytesProcessed + len > buffer.length) { 593 bytesProcessed = buffer.length + 1; 594 return; 595 } 596 byteBuffer.get(buffer, bytesProcessed, len); 597 bytesProcessed += len; 598 break; 599 default: 600 throw new ProviderException("Internal error"); 601 } 602 } 603 604 // see JCA spec 605 @Override 606 protected byte[] engineSign() throws SignatureException { 607 ensureInitialized(); 608 try { 609 byte[] signature; 610 if (type == T_UPDATE) { 611 int len = keyAlgorithm.equals("DSA") ? 40 : 0; 612 signature = token.p11.C_SignFinal(session.id(), len); 613 } else { 614 byte[] digest; 615 if (type == T_DIGEST) { 616 digest = md.digest(); 617 } else { // T_RAW 618 if (mechanism == CKM_DSA) { 619 if (bytesProcessed != buffer.length) { 620 throw new SignatureException 621 ("Data for RawDSA must be exactly 20 bytes long"); 622 } 623 digest = buffer; 624 } else { // CKM_ECDSA 625 if (bytesProcessed > buffer.length) { 626 throw new SignatureException("Data for NONEwithECDSA" 627 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 628 } 629 digest = new byte[bytesProcessed]; 630 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 631 } 632 } 633 if (keyAlgorithm.equals("RSA") == false) { 634 // DSA and ECDSA 635 signature = token.p11.C_Sign(session.id(), digest); 636 } else { // RSA 637 byte[] data = encodeSignature(digest); 638 if (mechanism == CKM_RSA_X_509) { 639 data = pkcs1Pad(data); 640 } 641 signature = token.p11.C_Sign(session.id(), data); 642 } 643 } 644 if (keyAlgorithm.equals("RSA")) { 645 return signature; 646 } else { 647 if (p1363Format) { 648 return signature; 649 } else { 650 return dsaToASN1(signature); 651 } 652 } 653 } catch (PKCS11Exception pe) { 654 throw new ProviderException(pe); 655 } catch (SignatureException | ProviderException e) { 656 reset(true); 657 throw e; 658 } finally { 659 reset(false); 660 } 661 } 662 663 // see JCA spec 664 @Override 665 protected boolean engineVerify(byte[] signature) throws SignatureException { 666 ensureInitialized(); 667 try { 668 if (!p1363Format) { 669 if (keyAlgorithm.equals("DSA")) { 670 signature = asn1ToDSA(signature); 671 } else if (keyAlgorithm.equals("EC")) { 672 signature = asn1ToECDSA(signature); 673 } 674 } 675 if (type == T_UPDATE) { 676 token.p11.C_VerifyFinal(session.id(), signature); 677 } else { 678 byte[] digest; 679 if (type == T_DIGEST) { 680 digest = md.digest(); 681 } else { // T_RAW 682 if (mechanism == CKM_DSA) { 683 if (bytesProcessed != buffer.length) { 684 throw new SignatureException 685 ("Data for RawDSA must be exactly 20 bytes long"); 686 } 687 digest = buffer; 688 } else { 689 if (bytesProcessed > buffer.length) { 690 throw new SignatureException("Data for NONEwithECDSA" 691 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 692 } 693 digest = new byte[bytesProcessed]; 694 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 695 } 696 } 697 if (keyAlgorithm.equals("RSA") == false) { 698 // DSA and ECDSA 699 token.p11.C_Verify(session.id(), digest, signature); 700 } else { // RSA 701 byte[] data = encodeSignature(digest); 702 if (mechanism == CKM_RSA_X_509) { 703 data = pkcs1Pad(data); 704 } 705 token.p11.C_Verify(session.id(), data, signature); 706 } 707 } 708 return true; 709 } catch (PKCS11Exception pe) { 710 long errorCode = pe.getErrorCode(); 711 if (errorCode == CKR_SIGNATURE_INVALID) { 712 return false; 713 } 714 if (errorCode == CKR_SIGNATURE_LEN_RANGE) { 715 // return false rather than throwing an exception 716 return false; 717 } 718 // ECF bug? 719 if (errorCode == CKR_DATA_LEN_RANGE) { 720 return false; 721 } 722 throw new ProviderException(pe); 723 } catch (SignatureException | ProviderException e) { 724 reset(true); 725 throw e; 726 } finally { 727 reset(false); 728 } 729 } 730 731 private byte[] pkcs1Pad(byte[] data) { 732 try { 733 int len = (p11Key.length() + 7) >> 3; 734 RSAPadding padding = RSAPadding.getInstance 735 (RSAPadding.PAD_BLOCKTYPE_1, len); 736 byte[] padded = padding.pad(data); 737 return padded; 738 } catch (GeneralSecurityException e) { 739 throw new ProviderException(e); 740 } 741 } 742 743 private byte[] encodeSignature(byte[] digest) throws SignatureException { 744 try { 745 return RSASignature.encodeSignature(digestOID, digest); 746 } catch (IOException e) { 747 throw new SignatureException("Invalid encoding", e); 748 } 749 } 750 751 // private static byte[] decodeSignature(byte[] signature) throws IOException { 752 // return RSASignature.decodeSignature(digestOID, signature); 753 // } 754 755 // For DSA and ECDSA signatures, PKCS#11 represents them as a simple 756 // byte array that contains the concatenation of r and s. 757 // For DSA, r and s are always exactly 20 bytes long. 758 // For ECDSA, r and s are of variable length, but we know that each 759 // occupies half of the array. 760 private static byte[] dsaToASN1(byte[] signature) { 761 int n = signature.length >> 1; 762 BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n)); 763 BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n)); 764 try { 765 DerOutputStream outseq = new DerOutputStream(100); 766 outseq.putInteger(r); 767 outseq.putInteger(s); 768 DerValue result = new DerValue(DerValue.tag_Sequence, 769 outseq.toByteArray()); 770 return result.toByteArray(); 771 } catch (java.io.IOException e) { 772 throw new RuntimeException("Internal error", e); 773 } 774 } 775 776 private static byte[] asn1ToDSA(byte[] sig) throws SignatureException { 777 try { 778 // Enforce strict DER checking for signatures 779 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 780 DerValue[] values = in.getSequence(2); 781 782 // check number of components in the read sequence 783 // and trailing data 784 if ((values.length != 2) || (in.available() != 0)) { 785 throw new IOException("Invalid encoding for signature"); 786 } 787 788 BigInteger r = values[0].getPositiveBigInteger(); 789 BigInteger s = values[1].getPositiveBigInteger(); 790 791 byte[] br = toByteArray(r, 20); 792 byte[] bs = toByteArray(s, 20); 793 if ((br == null) || (bs == null)) { 794 throw new SignatureException("Out of range value for R or S"); 795 } 796 return P11Util.concat(br, bs); 797 } catch (SignatureException e) { 798 throw e; 799 } catch (Exception e) { 800 throw new SignatureException("Invalid encoding for signature", e); 801 } 802 } 803 804 private byte[] asn1ToECDSA(byte[] sig) throws SignatureException { 805 try { 806 // Enforce strict DER checking for signatures 807 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 808 DerValue[] values = in.getSequence(2); 809 810 // check number of components in the read sequence 811 // and trailing data 812 if ((values.length != 2) || (in.available() != 0)) { 813 throw new IOException("Invalid encoding for signature"); 814 } 815 816 BigInteger r = values[0].getPositiveBigInteger(); 817 BigInteger s = values[1].getPositiveBigInteger(); 818 819 // trim leading zeroes 820 byte[] br = KeyUtil.trimZeroes(r.toByteArray()); 821 byte[] bs = KeyUtil.trimZeroes(s.toByteArray()); 822 int k = Math.max(br.length, bs.length); 823 // r and s each occupy half the array 824 byte[] res = new byte[k << 1]; 825 System.arraycopy(br, 0, res, k - br.length, br.length); 826 System.arraycopy(bs, 0, res, res.length - bs.length, bs.length); 827 return res; 828 } catch (Exception e) { 829 throw new SignatureException("Invalid encoding for signature", e); 830 } 831 } 832 833 private static byte[] toByteArray(BigInteger bi, int len) { 834 byte[] b = bi.toByteArray(); 835 int n = b.length; 836 if (n == len) { 837 return b; 838 } 839 if ((n == len + 1) && (b[0] == 0)) { 840 byte[] t = new byte[len]; 841 System.arraycopy(b, 1, t, 0, len); 842 return t; 843 } 844 if (n > len) { 845 return null; 846 } 847 // must be smaller 848 byte[] t = new byte[len]; 849 System.arraycopy(b, 0, t, (len - n), n); 850 return t; 851 } 852 853 // see JCA spec 854 @SuppressWarnings("deprecation") 855 @Override 856 protected void engineSetParameter(String param, Object value) 857 throws InvalidParameterException { 858 throw new UnsupportedOperationException("setParameter() not supported"); 859 } 860 861 // see JCA spec 862 @Override 863 protected void engineSetParameter(AlgorithmParameterSpec params) 864 throws InvalidAlgorithmParameterException { 865 if (params != null) { 866 throw new InvalidAlgorithmParameterException("No parameter accepted"); 867 } 868 } 869 870 // see JCA spec 871 @SuppressWarnings("deprecation") 872 @Override 873 protected Object engineGetParameter(String param) 874 throws InvalidParameterException { 875 throw new UnsupportedOperationException("getParameter() not supported"); 876 } 877 878 // see JCA spec 879 @Override 880 protected AlgorithmParameters engineGetParameters() { 881 return null; 882 } 883 }