1 /*
2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.rsa;
27
28 import java.io.IOException;
29 import java.nio.ByteBuffer;
30
31 import java.security.*;
32 import java.security.interfaces.*;
33 import java.security.spec.AlgorithmParameterSpec;
34
35 import sun.security.rsa.RSAUtil.KeyType;
36 import sun.security.util.*;
37 import sun.security.x509.AlgorithmId;
38
39 /**
40 * PKCS#1 v1.5 RSA signatures with the various message digest algorithms.
41 * This file contains an abstract base class with all the logic plus
42 * a nested static class for each of the message digest algorithms
43 * (see end of the file). We support MD2, MD5, SHA-1, SHA-224, SHA-256,
44 * SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
45 *
46 * @since 1.5
47 * @author Andreas Sterbenz
48 */
49 public abstract class RSASignature extends SignatureSpi {
50
51 // we sign an ASN.1 SEQUENCE of AlgorithmId and digest
52 // it has the form 30:xx:30:xx:[digestOID]:05:00:04:xx:[digest]
53 // this means the encoded length is (8 + digestOID.length + digest.length)
54 private static final int baseLength = 8;
55
56 // object identifier for the message digest algorithm used
57 private final ObjectIdentifier digestOID;
58
59 // length of the encoded signature blob
60 private final int encodedLength;
61
62 // message digest implementation we use
63 private final MessageDigest md;
64 // flag indicating whether the digest is reset
65 private boolean digestReset;
66
67 // private key, if initialized for signing
68 private RSAPrivateKey privateKey;
69 // public key, if initialized for verifying
70 private RSAPublicKey publicKey;
71
72 // padding to use, set when the initSign/initVerify is called
73 private RSAPadding padding;
74
75 /**
76 * Construct a new RSASignature. Used by subclasses.
77 */
78 RSASignature(String algorithm, ObjectIdentifier digestOID, int oidLength) {
79 this.digestOID = digestOID;
80 try {
81 md = MessageDigest.getInstance(algorithm);
82 } catch (NoSuchAlgorithmException e) {
83 throw new ProviderException(e);
84 }
85 digestReset = true;
86 encodedLength = baseLength + oidLength + md.getDigestLength();
87 }
88
89 // initialize for verification. See JCA doc
90 @Override
91 protected void engineInitVerify(PublicKey publicKey)
92 throws InvalidKeyException {
93 RSAPublicKey rsaKey = (RSAPublicKey)RSAKeyFactory.toRSAKey(publicKey);
94 this.privateKey = null;
95 this.publicKey = rsaKey;
96 initCommon(rsaKey, null);
97 }
98
99 // initialize for signing. See JCA doc
100 @Override
101 protected void engineInitSign(PrivateKey privateKey)
102 throws InvalidKeyException {
103 engineInitSign(privateKey, null);
104 }
105
106 // initialize for signing. See JCA doc
107 @Override
108 protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
109 throws InvalidKeyException {
110 RSAPrivateKey rsaKey =
111 (RSAPrivateKey)RSAKeyFactory.toRSAKey(privateKey);
112 this.privateKey = rsaKey;
113 this.publicKey = null;
114 initCommon(rsaKey, random);
115 }
116
117 /**
118 * Init code common to sign and verify.
119 */
120 private void initCommon(RSAKey rsaKey, SecureRandom random)
121 throws InvalidKeyException {
122 try {
123 RSAUtil.checkParamsAgainstType(KeyType.RSA, rsaKey.getParams());
124 } catch (ProviderException e) {
125 throw new InvalidKeyException("Invalid key for RSA signatures", e);
126 }
127 resetDigest();
128 int keySize = RSACore.getByteLength(rsaKey);
129 try {
130 padding = RSAPadding.getInstance
131 (RSAPadding.PAD_BLOCKTYPE_1, keySize, random);
132 } catch (InvalidAlgorithmParameterException iape) {
133 throw new InvalidKeyException(iape.getMessage());
134 }
135 int maxDataSize = padding.getMaxDataSize();
136 if (encodedLength > maxDataSize) {
137 throw new InvalidKeyException
138 ("Key is too short for this signature algorithm");
139 }
140 }
141
142 /**
143 * Reset the message digest if it is not already reset.
144 */
145 private void resetDigest() {
146 if (digestReset == false) {
147 md.reset();
148 digestReset = true;
149 }
150 }
151
152 /**
153 * Return the message digest value.
154 */
155 private byte[] getDigestValue() {
156 digestReset = true;
157 return md.digest();
158 }
159
160 // update the signature with the plaintext data. See JCA doc
161 @Override
162 protected void engineUpdate(byte b) throws SignatureException {
163 md.update(b);
164 digestReset = false;
165 }
166
167 // update the signature with the plaintext data. See JCA doc
168 @Override
169 protected void engineUpdate(byte[] b, int off, int len)
170 throws SignatureException {
171 md.update(b, off, len);
172 digestReset = false;
173 }
174
175 // update the signature with the plaintext data. See JCA doc
176 @Override
177 protected void engineUpdate(ByteBuffer b) {
178 md.update(b);
179 digestReset = false;
180 }
181
182 // sign the data and return the signature. See JCA doc
183 @Override
184 protected byte[] engineSign() throws SignatureException {
185 if (privateKey == null) {
186 throw new SignatureException("Missing private key");
187 }
188 byte[] digest = getDigestValue();
189 try {
190 byte[] encoded = encodeSignature(digestOID, digest);
191 byte[] padded = padding.pad(encoded);
192 byte[] encrypted = RSACore.rsa(padded, privateKey, true);
193 return encrypted;
194 } catch (GeneralSecurityException e) {
195 throw new SignatureException("Could not sign data", e);
196 } catch (IOException e) {
197 throw new SignatureException("Could not encode data", e);
198 }
199 }
200
201 // verify the data and return the result. See JCA doc
202 // should be reset to the state after engineInitVerify call.
203 @Override
204 protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
205 if (publicKey == null) {
206 throw new SignatureException("Missing public key");
207 }
208 try {
209 if (sigBytes.length != RSACore.getByteLength(publicKey)) {
210 throw new SignatureException("Signature length not correct: got " +
211 sigBytes.length + " but was expecting " +
212 RSACore.getByteLength(publicKey));
213 }
214 byte[] digest = getDigestValue();
215 byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
216 byte[] unpadded = padding.unpad(decrypted);
217 byte[] decodedDigest = decodeSignature(digestOID, unpadded);
218 return MessageDigest.isEqual(digest, decodedDigest);
219 } catch (javax.crypto.BadPaddingException e) {
220 // occurs if the app has used the wrong RSA public key
221 // or if sigBytes is invalid
222 // return false rather than propagating the exception for
223 // compatibility/ease of use
224 return false;
225 } catch (IOException e) {
226 throw new SignatureException("Signature encoding error", e);
227 } finally {
228 resetDigest();
229 }
230 }
231
232 /**
233 * Encode the digest, return the to-be-signed data.
234 * Also used by the PKCS#11 provider.
235 */
236 public static byte[] encodeSignature(ObjectIdentifier oid, byte[] digest)
237 throws IOException {
238 DerOutputStream out = new DerOutputStream();
239 new AlgorithmId(oid).encode(out);
240 out.putOctetString(digest);
241 DerValue result =
242 new DerValue(DerValue.tag_Sequence, out.toByteArray());
243 return result.toByteArray();
244 }
245
246 /**
247 * Decode the signature data. Verify that the object identifier matches
248 * and return the message digest.
249 */
250 public static byte[] decodeSignature(ObjectIdentifier oid, byte[] sig)
251 throws IOException {
252 // Enforce strict DER checking for signatures
253 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
254 DerValue[] values = in.getSequence(2);
255 if ((values.length != 2) || (in.available() != 0)) {
256 throw new IOException("SEQUENCE length error");
257 }
258 AlgorithmId algId = AlgorithmId.parse(values[0]);
259 if (algId.getOID().equals(oid) == false) {
260 throw new IOException("ObjectIdentifier mismatch: "
261 + algId.getOID());
262 }
263 if (algId.getEncodedParams() != null) {
264 throw new IOException("Unexpected AlgorithmId parameters");
265 }
266 byte[] digest = values[1].getOctetString();
267 return digest;
268 }
269
270 // set parameter, not supported. See JCA doc
271 @Deprecated
272 @Override
273 protected void engineSetParameter(String param, Object value)
274 throws InvalidParameterException {
275 throw new UnsupportedOperationException("setParameter() not supported");
276 }
277
278 // See JCA doc
279 @Override
280 protected void engineSetParameter(AlgorithmParameterSpec params)
281 throws InvalidAlgorithmParameterException {
282 if (params != null) {
283 throw new InvalidAlgorithmParameterException("No parameters accepted");
284 }
285 }
286
287 // get parameter, not supported. See JCA doc
288 @Deprecated
289 @Override
290 protected Object engineGetParameter(String param)
291 throws InvalidParameterException {
292 throw new UnsupportedOperationException("getParameter() not supported");
293 }
294
295 // See JCA doc
296 @Override
297 protected AlgorithmParameters engineGetParameters() {
298 return null;
299 }
300
301 // Nested class for MD2withRSA signatures
302 public static final class MD2withRSA extends RSASignature {
303 public MD2withRSA() {
304 super("MD2", AlgorithmId.MD2_oid, 10);
305 }
306 }
307
308 // Nested class for MD5withRSA signatures
309 public static final class MD5withRSA extends RSASignature {
310 public MD5withRSA() {
311 super("MD5", AlgorithmId.MD5_oid, 10);
312 }
313 }
314
315 // Nested class for SHA1withRSA signatures
316 public static final class SHA1withRSA extends RSASignature {
317 public SHA1withRSA() {
318 super("SHA-1", AlgorithmId.SHA_oid, 7);
319 }
320 }
321
322 // Nested class for SHA224withRSA signatures
323 public static final class SHA224withRSA extends RSASignature {
324 public SHA224withRSA() {
325 super("SHA-224", AlgorithmId.SHA224_oid, 11);
326 }
327 }
328
329 // Nested class for SHA256withRSA signatures
330 public static final class SHA256withRSA extends RSASignature {
331 public SHA256withRSA() {
332 super("SHA-256", AlgorithmId.SHA256_oid, 11);
333 }
334 }
335
336 // Nested class for SHA384withRSA signatures
337 public static final class SHA384withRSA extends RSASignature {
338 public SHA384withRSA() {
339 super("SHA-384", AlgorithmId.SHA384_oid, 11);
340 }
341 }
342
343 // Nested class for SHA512withRSA signatures
344 public static final class SHA512withRSA extends RSASignature {
345 public SHA512withRSA() {
346 super("SHA-512", AlgorithmId.SHA512_oid, 11);
347 }
348 }
349
350 // Nested class for SHA512/224withRSA signatures
351 public static final class SHA512_224withRSA extends RSASignature {
352 public SHA512_224withRSA() {
353 super("SHA-512/224", AlgorithmId.SHA512_224_oid, 11);
354 }
355 }
356
357 // Nested class for SHA512/256withRSA signatures
358 public static final class SHA512_256withRSA extends RSASignature {
359 public SHA512_256withRSA() {
360 super("SHA-512/256", AlgorithmId.SHA512_256_oid, 11);
361 }
362 }
363 }