1 /*
2 * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.rsa;
27
28 import java.io.IOException;
29 import java.nio.ByteBuffer;
30
31 import java.security.*;
32 import java.security.interfaces.*;
33
34 import sun.security.util.*;
35 import sun.security.x509.AlgorithmId;
36
37 /**
38 * PKCS#1 RSA signatures with the various message digest algorithms.
39 * This file contains an abstract base class with all the logic plus
40 * a nested static class for each of the message digest algorithms
41 * (see end of the file). We support MD2, MD5, SHA-1, SHA-224, SHA-256,
42 * SHA-384, and SHA-512.
43 *
44 * @since 1.5
45 * @author Andreas Sterbenz
46 */
47 public abstract class RSASignature extends SignatureSpi {
48
49 // we sign an ASN.1 SEQUENCE of AlgorithmId and digest
50 // it has the form 30:xx:30:xx:[digestOID]:05:00:04:xx:[digest]
51 // this means the encoded length is (8 + digestOID.length + digest.length)
52 private static final int baseLength = 8;
53
54 // object identifier for the message digest algorithm used
55 private final ObjectIdentifier digestOID;
56
57 // length of the encoded signature blob
58 private final int encodedLength;
59
60 // message digest implementation we use
61 private final MessageDigest md;
62 // flag indicating whether the digest is reset
68 private RSAPublicKey publicKey;
69
70 // padding to use, set when the initSign/initVerify is called
71 private RSAPadding padding;
72
73 /**
74 * Construct a new RSASignature. Used by subclasses.
75 */
76 RSASignature(String algorithm, ObjectIdentifier digestOID, int oidLength) {
77 this.digestOID = digestOID;
78 try {
79 md = MessageDigest.getInstance(algorithm);
80 } catch (NoSuchAlgorithmException e) {
81 throw new ProviderException(e);
82 }
83 digestReset = true;
84 encodedLength = baseLength + oidLength + md.getDigestLength();
85 }
86
87 // initialize for verification. See JCA doc
88 protected void engineInitVerify(PublicKey publicKey)
89 throws InvalidKeyException {
90 RSAPublicKey rsaKey = (RSAPublicKey)RSAKeyFactory.toRSAKey(publicKey);
91 this.privateKey = null;
92 this.publicKey = rsaKey;
93 initCommon(rsaKey, null);
94 }
95
96 // initialize for signing. See JCA doc
97 protected void engineInitSign(PrivateKey privateKey)
98 throws InvalidKeyException {
99 engineInitSign(privateKey, null);
100 }
101
102 // initialize for signing. See JCA doc
103 protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
104 throws InvalidKeyException {
105 RSAPrivateKey rsaKey =
106 (RSAPrivateKey)RSAKeyFactory.toRSAKey(privateKey);
107 this.privateKey = rsaKey;
108 this.publicKey = null;
109 initCommon(rsaKey, random);
110 }
111
112 /**
113 * Init code common to sign and verify.
114 */
115 private void initCommon(RSAKey rsaKey, SecureRandom random)
116 throws InvalidKeyException {
117 resetDigest();
118 int keySize = RSACore.getByteLength(rsaKey);
119 try {
120 padding = RSAPadding.getInstance
121 (RSAPadding.PAD_BLOCKTYPE_1, keySize, random);
122 } catch (InvalidAlgorithmParameterException iape) {
123 throw new InvalidKeyException(iape.getMessage());
124 }
125 int maxDataSize = padding.getMaxDataSize();
126 if (encodedLength > maxDataSize) {
127 throw new InvalidKeyException
128 ("Key is too short for this signature algorithm");
129 }
130 }
131
132 /**
133 * Reset the message digest if it is not already reset.
134 */
135 private void resetDigest() {
136 if (digestReset == false) {
137 md.reset();
138 digestReset = true;
139 }
140 }
141
142 /**
143 * Return the message digest value.
144 */
145 private byte[] getDigestValue() {
146 digestReset = true;
147 return md.digest();
148 }
149
150 // update the signature with the plaintext data. See JCA doc
151 protected void engineUpdate(byte b) throws SignatureException {
152 md.update(b);
153 digestReset = false;
154 }
155
156 // update the signature with the plaintext data. See JCA doc
157 protected void engineUpdate(byte[] b, int off, int len)
158 throws SignatureException {
159 md.update(b, off, len);
160 digestReset = false;
161 }
162
163 // update the signature with the plaintext data. See JCA doc
164 protected void engineUpdate(ByteBuffer b) {
165 md.update(b);
166 digestReset = false;
167 }
168
169 // sign the data and return the signature. See JCA doc
170 protected byte[] engineSign() throws SignatureException {
171 byte[] digest = getDigestValue();
172 try {
173 byte[] encoded = encodeSignature(digestOID, digest);
174 byte[] padded = padding.pad(encoded);
175 byte[] encrypted = RSACore.rsa(padded, privateKey, true);
176 return encrypted;
177 } catch (GeneralSecurityException e) {
178 throw new SignatureException("Could not sign data", e);
179 } catch (IOException e) {
180 throw new SignatureException("Could not encode data", e);
181 }
182 }
183
184 // verify the data and return the result. See JCA doc
185 // should be reset to the state after engineInitVerify call.
186 protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
187 try {
188 if (sigBytes.length != RSACore.getByteLength(publicKey)) {
189 throw new SignatureException("Signature length not correct: got " +
190 sigBytes.length + " but was expecting " +
191 RSACore.getByteLength(publicKey));
192 }
193 byte[] digest = getDigestValue();
194 byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
195 byte[] unpadded = padding.unpad(decrypted);
196 byte[] decodedDigest = decodeSignature(digestOID, unpadded);
197 return MessageDigest.isEqual(digest, decodedDigest);
198 } catch (javax.crypto.BadPaddingException e) {
199 // occurs if the app has used the wrong RSA public key
200 // or if sigBytes is invalid
201 // return false rather than propagating the exception for
202 // compatibility/ease of use
203 return false;
204 } catch (IOException e) {
205 throw new SignatureException("Signature encoding error", e);
206 } finally {
231 // Enforce strict DER checking for signatures
232 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
233 DerValue[] values = in.getSequence(2);
234 if ((values.length != 2) || (in.available() != 0)) {
235 throw new IOException("SEQUENCE length error");
236 }
237 AlgorithmId algId = AlgorithmId.parse(values[0]);
238 if (algId.getOID().equals(oid) == false) {
239 throw new IOException("ObjectIdentifier mismatch: "
240 + algId.getOID());
241 }
242 if (algId.getEncodedParams() != null) {
243 throw new IOException("Unexpected AlgorithmId parameters");
244 }
245 byte[] digest = values[1].getOctetString();
246 return digest;
247 }
248
249 // set parameter, not supported. See JCA doc
250 @Deprecated
251 protected void engineSetParameter(String param, Object value)
252 throws InvalidParameterException {
253 throw new UnsupportedOperationException("setParameter() not supported");
254 }
255
256 // get parameter, not supported. See JCA doc
257 @Deprecated
258 protected Object engineGetParameter(String param)
259 throws InvalidParameterException {
260 throw new UnsupportedOperationException("getParameter() not supported");
261 }
262
263 // Nested class for MD2withRSA signatures
264 public static final class MD2withRSA extends RSASignature {
265 public MD2withRSA() {
266 super("MD2", AlgorithmId.MD2_oid, 10);
267 }
268 }
269
270 // Nested class for MD5withRSA signatures
271 public static final class MD5withRSA extends RSASignature {
272 public MD5withRSA() {
273 super("MD5", AlgorithmId.MD5_oid, 10);
274 }
275 }
276
277 // Nested class for SHA1withRSA signatures
278 public static final class SHA1withRSA extends RSASignature {
279 public SHA1withRSA() {
280 super("SHA-1", AlgorithmId.SHA_oid, 7);
281 }
282 }
292 public static final class SHA256withRSA extends RSASignature {
293 public SHA256withRSA() {
294 super("SHA-256", AlgorithmId.SHA256_oid, 11);
295 }
296 }
297
298 // Nested class for SHA384withRSA signatures
299 public static final class SHA384withRSA extends RSASignature {
300 public SHA384withRSA() {
301 super("SHA-384", AlgorithmId.SHA384_oid, 11);
302 }
303 }
304
305 // Nested class for SHA512withRSA signatures
306 public static final class SHA512withRSA extends RSASignature {
307 public SHA512withRSA() {
308 super("SHA-512", AlgorithmId.SHA512_oid, 11);
309 }
310 }
311
312 }
|
1 /*
2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.rsa;
27
28 import java.io.IOException;
29 import java.nio.ByteBuffer;
30
31 import java.security.*;
32 import java.security.interfaces.*;
33 import java.security.spec.AlgorithmParameterSpec;
34
35 import sun.security.rsa.RSAUtil.KeyType;
36 import sun.security.util.*;
37 import sun.security.x509.AlgorithmId;
38
39 /**
40 * PKCS#1 v1.5 RSA signatures with the various message digest algorithms.
41 * This file contains an abstract base class with all the logic plus
42 * a nested static class for each of the message digest algorithms
43 * (see end of the file). We support MD2, MD5, SHA-1, SHA-224, SHA-256,
44 * SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
45 *
46 * @since 1.5
47 * @author Andreas Sterbenz
48 */
49 public abstract class RSASignature extends SignatureSpi {
50
51 // we sign an ASN.1 SEQUENCE of AlgorithmId and digest
52 // it has the form 30:xx:30:xx:[digestOID]:05:00:04:xx:[digest]
53 // this means the encoded length is (8 + digestOID.length + digest.length)
54 private static final int baseLength = 8;
55
56 // object identifier for the message digest algorithm used
57 private final ObjectIdentifier digestOID;
58
59 // length of the encoded signature blob
60 private final int encodedLength;
61
62 // message digest implementation we use
63 private final MessageDigest md;
64 // flag indicating whether the digest is reset
70 private RSAPublicKey publicKey;
71
72 // padding to use, set when the initSign/initVerify is called
73 private RSAPadding padding;
74
75 /**
76 * Construct a new RSASignature. Used by subclasses.
77 */
78 RSASignature(String algorithm, ObjectIdentifier digestOID, int oidLength) {
79 this.digestOID = digestOID;
80 try {
81 md = MessageDigest.getInstance(algorithm);
82 } catch (NoSuchAlgorithmException e) {
83 throw new ProviderException(e);
84 }
85 digestReset = true;
86 encodedLength = baseLength + oidLength + md.getDigestLength();
87 }
88
89 // initialize for verification. See JCA doc
90 @Override
91 protected void engineInitVerify(PublicKey publicKey)
92 throws InvalidKeyException {
93 RSAPublicKey rsaKey = (RSAPublicKey)RSAKeyFactory.toRSAKey(publicKey);
94 this.privateKey = null;
95 this.publicKey = rsaKey;
96 initCommon(rsaKey, null);
97 }
98
99 // initialize for signing. See JCA doc
100 @Override
101 protected void engineInitSign(PrivateKey privateKey)
102 throws InvalidKeyException {
103 engineInitSign(privateKey, null);
104 }
105
106 // initialize for signing. See JCA doc
107 @Override
108 protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
109 throws InvalidKeyException {
110 RSAPrivateKey rsaKey =
111 (RSAPrivateKey)RSAKeyFactory.toRSAKey(privateKey);
112 this.privateKey = rsaKey;
113 this.publicKey = null;
114 initCommon(rsaKey, random);
115 }
116
117 /**
118 * Init code common to sign and verify.
119 */
120 private void initCommon(RSAKey rsaKey, SecureRandom random)
121 throws InvalidKeyException {
122 try {
123 RSAUtil.checkParamsAgainstType(KeyType.RSA, rsaKey.getParams());
124 } catch (ProviderException e) {
125 throw new InvalidKeyException("Invalid key for RSA signatures", e);
126 }
127 resetDigest();
128 int keySize = RSACore.getByteLength(rsaKey);
129 try {
130 padding = RSAPadding.getInstance
131 (RSAPadding.PAD_BLOCKTYPE_1, keySize, random);
132 } catch (InvalidAlgorithmParameterException iape) {
133 throw new InvalidKeyException(iape.getMessage());
134 }
135 int maxDataSize = padding.getMaxDataSize();
136 if (encodedLength > maxDataSize) {
137 throw new InvalidKeyException
138 ("Key is too short for this signature algorithm");
139 }
140 }
141
142 /**
143 * Reset the message digest if it is not already reset.
144 */
145 private void resetDigest() {
146 if (digestReset == false) {
147 md.reset();
148 digestReset = true;
149 }
150 }
151
152 /**
153 * Return the message digest value.
154 */
155 private byte[] getDigestValue() {
156 digestReset = true;
157 return md.digest();
158 }
159
160 // update the signature with the plaintext data. See JCA doc
161 @Override
162 protected void engineUpdate(byte b) throws SignatureException {
163 md.update(b);
164 digestReset = false;
165 }
166
167 // update the signature with the plaintext data. See JCA doc
168 @Override
169 protected void engineUpdate(byte[] b, int off, int len)
170 throws SignatureException {
171 md.update(b, off, len);
172 digestReset = false;
173 }
174
175 // update the signature with the plaintext data. See JCA doc
176 @Override
177 protected void engineUpdate(ByteBuffer b) {
178 md.update(b);
179 digestReset = false;
180 }
181
182 // sign the data and return the signature. See JCA doc
183 @Override
184 protected byte[] engineSign() throws SignatureException {
185 if (privateKey == null) {
186 throw new SignatureException("Missing private key");
187 }
188 byte[] digest = getDigestValue();
189 try {
190 byte[] encoded = encodeSignature(digestOID, digest);
191 byte[] padded = padding.pad(encoded);
192 byte[] encrypted = RSACore.rsa(padded, privateKey, true);
193 return encrypted;
194 } catch (GeneralSecurityException e) {
195 throw new SignatureException("Could not sign data", e);
196 } catch (IOException e) {
197 throw new SignatureException("Could not encode data", e);
198 }
199 }
200
201 // verify the data and return the result. See JCA doc
202 // should be reset to the state after engineInitVerify call.
203 @Override
204 protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
205 if (publicKey == null) {
206 throw new SignatureException("Missing public key");
207 }
208 try {
209 if (sigBytes.length != RSACore.getByteLength(publicKey)) {
210 throw new SignatureException("Signature length not correct: got " +
211 sigBytes.length + " but was expecting " +
212 RSACore.getByteLength(publicKey));
213 }
214 byte[] digest = getDigestValue();
215 byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
216 byte[] unpadded = padding.unpad(decrypted);
217 byte[] decodedDigest = decodeSignature(digestOID, unpadded);
218 return MessageDigest.isEqual(digest, decodedDigest);
219 } catch (javax.crypto.BadPaddingException e) {
220 // occurs if the app has used the wrong RSA public key
221 // or if sigBytes is invalid
222 // return false rather than propagating the exception for
223 // compatibility/ease of use
224 return false;
225 } catch (IOException e) {
226 throw new SignatureException("Signature encoding error", e);
227 } finally {
252 // Enforce strict DER checking for signatures
253 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
254 DerValue[] values = in.getSequence(2);
255 if ((values.length != 2) || (in.available() != 0)) {
256 throw new IOException("SEQUENCE length error");
257 }
258 AlgorithmId algId = AlgorithmId.parse(values[0]);
259 if (algId.getOID().equals(oid) == false) {
260 throw new IOException("ObjectIdentifier mismatch: "
261 + algId.getOID());
262 }
263 if (algId.getEncodedParams() != null) {
264 throw new IOException("Unexpected AlgorithmId parameters");
265 }
266 byte[] digest = values[1].getOctetString();
267 return digest;
268 }
269
270 // set parameter, not supported. See JCA doc
271 @Deprecated
272 @Override
273 protected void engineSetParameter(String param, Object value)
274 throws InvalidParameterException {
275 throw new UnsupportedOperationException("setParameter() not supported");
276 }
277
278 // See JCA doc
279 @Override
280 protected void engineSetParameter(AlgorithmParameterSpec params)
281 throws InvalidAlgorithmParameterException {
282 if (params != null) {
283 throw new InvalidAlgorithmParameterException("No parameters accepted");
284 }
285 }
286
287 // get parameter, not supported. See JCA doc
288 @Deprecated
289 @Override
290 protected Object engineGetParameter(String param)
291 throws InvalidParameterException {
292 throw new UnsupportedOperationException("getParameter() not supported");
293 }
294
295 // See JCA doc
296 @Override
297 protected AlgorithmParameters engineGetParameters() {
298 return null;
299 }
300
301 // Nested class for MD2withRSA signatures
302 public static final class MD2withRSA extends RSASignature {
303 public MD2withRSA() {
304 super("MD2", AlgorithmId.MD2_oid, 10);
305 }
306 }
307
308 // Nested class for MD5withRSA signatures
309 public static final class MD5withRSA extends RSASignature {
310 public MD5withRSA() {
311 super("MD5", AlgorithmId.MD5_oid, 10);
312 }
313 }
314
315 // Nested class for SHA1withRSA signatures
316 public static final class SHA1withRSA extends RSASignature {
317 public SHA1withRSA() {
318 super("SHA-1", AlgorithmId.SHA_oid, 7);
319 }
320 }
330 public static final class SHA256withRSA extends RSASignature {
331 public SHA256withRSA() {
332 super("SHA-256", AlgorithmId.SHA256_oid, 11);
333 }
334 }
335
336 // Nested class for SHA384withRSA signatures
337 public static final class SHA384withRSA extends RSASignature {
338 public SHA384withRSA() {
339 super("SHA-384", AlgorithmId.SHA384_oid, 11);
340 }
341 }
342
343 // Nested class for SHA512withRSA signatures
344 public static final class SHA512withRSA extends RSASignature {
345 public SHA512withRSA() {
346 super("SHA-512", AlgorithmId.SHA512_oid, 11);
347 }
348 }
349
350 // Nested class for SHA512/224withRSA signatures
351 public static final class SHA512_224withRSA extends RSASignature {
352 public SHA512_224withRSA() {
353 super("SHA-512/224", AlgorithmId.SHA512_224_oid, 11);
354 }
355 }
356
357 // Nested class for SHA512/256withRSA signatures
358 public static final class SHA512_256withRSA extends RSASignature {
359 public SHA512_256withRSA() {
360 super("SHA-512/256", AlgorithmId.SHA512_256_oid, 11);
361 }
362 }
363 }
|