1 /* 2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.pkcs11; 27 28 import java.io.IOException; 29 import java.math.BigInteger; 30 import java.nio.ByteBuffer; 31 32 import java.security.*; 33 import java.security.interfaces.*; 34 import java.security.spec.AlgorithmParameterSpec; 35 import sun.nio.ch.DirectBuffer; 36 37 import sun.security.util.*; 38 import sun.security.x509.AlgorithmId; 39 40 import sun.security.rsa.RSASignature; 41 import sun.security.rsa.RSAPadding; 42 43 import sun.security.pkcs11.wrapper.*; 44 import static sun.security.pkcs11.wrapper.PKCS11Constants.*; 45 import sun.security.util.KeyUtil; 46 47 /** 48 * Signature implementation class. This class currently supports the 49 * following algorithms: 50 * 51 * . DSA 52 * . NONEwithDSA (RawDSA) 53 * . SHA1withDSA 54 * . NONEwithDSAinP1363Format (RawDSAinP1363Format) 55 * . SHA1withDSAinP1363Format 56 * . RSA: 57 * . MD2withRSA 58 * . MD5withRSA 59 * . SHA1withRSA 60 * . SHA224withRSA 61 * . SHA256withRSA 62 * . SHA384withRSA 63 * . SHA512withRSA 64 * . ECDSA 65 * . NONEwithECDSA 66 * . SHA1withECDSA 67 * . SHA224withECDSA 68 * . SHA256withECDSA 69 * . SHA384withECDSA 70 * . SHA512withECDSA 71 * . NONEwithECDSAinP1363Format 72 * . SHA1withECDSAinP1363Format 73 * . SHA224withECDSAinP1363Format 74 * . SHA256withECDSAinP1363Format 75 * . SHA384withECDSAinP1363Format 76 * . SHA512withECDSAinP1363Format 77 * 78 * Note that the underlying PKCS#11 token may support complete signature 79 * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just 80 * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS), 81 * or it may only implement the raw public key operation (CKM_RSA_X_509). 82 * This class uses what is available and adds whatever extra processing 83 * is needed. 84 * 85 * @author Andreas Sterbenz 86 * @since 1.5 87 */ 88 final class P11Signature extends SignatureSpi { 89 90 // token instance 91 private final Token token; 92 93 // algorithm name 94 private final String algorithm; 95 96 // name of the key algorithm, currently either RSA or DSA 97 private final String keyAlgorithm; 98 99 // mechanism id 100 private final long mechanism; 101 102 // digest algorithm OID, if we encode RSA signature ourselves 103 private final ObjectIdentifier digestOID; 104 105 // type, one of T_* below 106 private final int type; 107 108 // key instance used, if init*() was called 109 private P11Key p11Key; 110 111 // message digest, if we do the digesting ourselves 112 private final MessageDigest md; 113 114 // associated session, if any 115 private Session session; 116 117 // mode, one of M_* below 118 private int mode; 119 120 // flag indicating whether an operation is initialized 121 private boolean initialized; 122 123 // buffer, for update(byte) or DSA 124 private final byte[] buffer; 125 126 // total number of bytes processed in current operation 127 private int bytesProcessed; 128 129 // The format, to be used for DSA and ECDSA signatures. 130 // If true, the IEEE P1363 format will be used, the concatenation of 131 // r and s. If false (default), the signature will be formatted as a 132 // DER-encoded ASN.1 sequence of r and s. 133 private boolean p1363Format = false; 134 135 // constant for signing mode 136 private final static int M_SIGN = 1; 137 // constant for verification mode 138 private final static int M_VERIFY = 2; 139 140 // constant for type digesting, we do the hashing ourselves 141 private final static int T_DIGEST = 1; 142 // constant for type update, token does everything 143 private final static int T_UPDATE = 2; 144 // constant for type raw, used with RawDSA and NONEwithECDSA only 145 private final static int T_RAW = 3; 146 147 // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits", 148 // but this is a little arbitrary 149 private final static int RAW_ECDSA_MAX = 128; 150 151 P11Signature(Token token, String algorithm, long mechanism) 152 throws NoSuchAlgorithmException, PKCS11Exception { 153 super(); 154 this.token = token; 155 this.algorithm = algorithm; 156 this.mechanism = mechanism; 157 byte[] buffer = null; 158 ObjectIdentifier digestOID = null; 159 MessageDigest md = null; 160 switch ((int)mechanism) { 161 case (int)CKM_MD2_RSA_PKCS: 162 case (int)CKM_MD5_RSA_PKCS: 163 case (int)CKM_SHA1_RSA_PKCS: 164 case (int)CKM_SHA224_RSA_PKCS: 165 case (int)CKM_SHA256_RSA_PKCS: 166 case (int)CKM_SHA384_RSA_PKCS: 167 case (int)CKM_SHA512_RSA_PKCS: 168 keyAlgorithm = "RSA"; 169 type = T_UPDATE; 170 buffer = new byte[1]; 171 break; 172 case (int)CKM_DSA_SHA1: 173 keyAlgorithm = "DSA"; 174 type = T_UPDATE; 175 buffer = new byte[1]; 176 break; 177 case (int)CKM_ECDSA_SHA1: 178 keyAlgorithm = "EC"; 179 type = T_UPDATE; 180 buffer = new byte[1]; 181 break; 182 case (int)CKM_DSA: 183 keyAlgorithm = "DSA"; 184 if (algorithm.equals("DSA") || 185 algorithm.equals("DSAinP1363Format")) { 186 type = T_DIGEST; 187 md = MessageDigest.getInstance("SHA-1"); 188 } else if (algorithm.equals("RawDSA") || 189 algorithm.equals("RawDSAinP1363Format")) { 190 type = T_RAW; 191 buffer = new byte[20]; 192 } else { 193 throw new ProviderException(algorithm); 194 } 195 break; 196 case (int)CKM_ECDSA: 197 keyAlgorithm = "EC"; 198 if (algorithm.equals("NONEwithECDSA") || 199 algorithm.equals("NONEwithECDSAinP1363Format")) { 200 type = T_RAW; 201 buffer = new byte[RAW_ECDSA_MAX]; 202 } else { 203 String digestAlg; 204 if (algorithm.equals("SHA1withECDSA") || 205 algorithm.equals("SHA1withECDSAinP1363Format")) { 206 digestAlg = "SHA-1"; 207 } else if (algorithm.equals("SHA224withECDSA") || 208 algorithm.equals("SHA224withECDSAinP1363Format")) { 209 digestAlg = "SHA-224"; 210 } else if (algorithm.equals("SHA256withECDSA") || 211 algorithm.equals("SHA256withECDSAinP1363Format")) { 212 digestAlg = "SHA-256"; 213 } else if (algorithm.equals("SHA384withECDSA") || 214 algorithm.equals("SHA384withECDSAinP1363Format")) { 215 digestAlg = "SHA-384"; 216 } else if (algorithm.equals("SHA512withECDSA") || 217 algorithm.equals("SHA512withECDSAinP1363Format")) { 218 digestAlg = "SHA-512"; 219 } else { 220 throw new ProviderException(algorithm); 221 } 222 type = T_DIGEST; 223 md = MessageDigest.getInstance(digestAlg); 224 } 225 break; 226 case (int)CKM_RSA_PKCS: 227 case (int)CKM_RSA_X_509: 228 keyAlgorithm = "RSA"; 229 type = T_DIGEST; 230 if (algorithm.equals("MD5withRSA")) { 231 md = MessageDigest.getInstance("MD5"); 232 digestOID = AlgorithmId.MD5_oid; 233 } else if (algorithm.equals("SHA1withRSA")) { 234 md = MessageDigest.getInstance("SHA-1"); 235 digestOID = AlgorithmId.SHA_oid; 236 } else if (algorithm.equals("MD2withRSA")) { 237 md = MessageDigest.getInstance("MD2"); 238 digestOID = AlgorithmId.MD2_oid; 239 } else if (algorithm.equals("SHA224withRSA")) { 240 md = MessageDigest.getInstance("SHA-224"); 241 digestOID = AlgorithmId.SHA224_oid; 242 } else if (algorithm.equals("SHA256withRSA")) { 243 md = MessageDigest.getInstance("SHA-256"); 244 digestOID = AlgorithmId.SHA256_oid; 245 } else if (algorithm.equals("SHA384withRSA")) { 246 md = MessageDigest.getInstance("SHA-384"); 247 digestOID = AlgorithmId.SHA384_oid; 248 } else if (algorithm.equals("SHA512withRSA")) { 249 md = MessageDigest.getInstance("SHA-512"); 250 digestOID = AlgorithmId.SHA512_oid; 251 } else { 252 throw new ProviderException("Unknown signature: " + algorithm); 253 } 254 break; 255 default: 256 throw new ProviderException("Unknown mechanism: " + mechanism); 257 } 258 this.buffer = buffer; 259 this.digestOID = digestOID; 260 this.md = md; 261 if (algorithm.endsWith("inP1363Format")) { 262 this.p1363Format = true; 263 } 264 } 265 266 private void ensureInitialized() { 267 token.ensureValid(); 268 if (initialized == false) { 269 initialize(); 270 } 271 } 272 273 private void cancelOperation() { 274 token.ensureValid(); 275 if (initialized == false) { 276 return; 277 } 278 initialized = false; 279 if ((session == null) || (token.explicitCancel == false)) { 280 return; 281 } 282 if (session.hasObjects() == false) { 283 session = token.killSession(session); 284 return; 285 } 286 // "cancel" operation by finishing it 287 // XXX make sure all this always works correctly 288 if (mode == M_SIGN) { 289 try { 290 if (type == T_UPDATE) { 291 token.p11.C_SignFinal(session.id(), 0); 292 } else { 293 byte[] digest; 294 if (type == T_DIGEST) { 295 digest = md.digest(); 296 } else { // T_RAW 297 digest = buffer; 298 } 299 token.p11.C_Sign(session.id(), digest); 300 } 301 } catch (PKCS11Exception e) { 302 throw new ProviderException("cancel failed", e); 303 } 304 } else { // M_VERIFY 305 try { 306 byte[] signature; 307 if (keyAlgorithm.equals("DSA")) { 308 signature = new byte[40]; 309 } else { 310 signature = new byte[(p11Key.length() + 7) >> 3]; 311 } 312 if (type == T_UPDATE) { 313 token.p11.C_VerifyFinal(session.id(), signature); 314 } else { 315 byte[] digest; 316 if (type == T_DIGEST) { 317 digest = md.digest(); 318 } else { // T_RAW 319 digest = buffer; 320 } 321 token.p11.C_Verify(session.id(), digest, signature); 322 } 323 } catch (PKCS11Exception e) { 324 // will fail since the signature is incorrect 325 // XXX check error code 326 } 327 } 328 } 329 330 // assumes current state is initialized == false 331 private void initialize() { 332 try { 333 if (session == null) { 334 session = token.getOpSession(); 335 } 336 if (mode == M_SIGN) { 337 token.p11.C_SignInit(session.id(), 338 new CK_MECHANISM(mechanism), p11Key.keyID); 339 } else { 340 token.p11.C_VerifyInit(session.id(), 341 new CK_MECHANISM(mechanism), p11Key.keyID); 342 } 343 initialized = true; 344 } catch (PKCS11Exception e) { 345 throw new ProviderException("Initialization failed", e); 346 } 347 if (bytesProcessed != 0) { 348 bytesProcessed = 0; 349 if (md != null) { 350 md.reset(); 351 } 352 } 353 } 354 355 private void checkKeySize(String keyAlgo, Key key) 356 throws InvalidKeyException { 357 CK_MECHANISM_INFO mechInfo = null; 358 try { 359 mechInfo = token.getMechanismInfo(mechanism); 360 } catch (PKCS11Exception e) { 361 // should not happen, ignore for now. 362 } 363 if (mechInfo == null) { 364 // skip the check if no native info available 365 return; 366 } 367 int minKeySize = (int) mechInfo.ulMinKeySize; 368 int maxKeySize = (int) mechInfo.ulMaxKeySize; 369 // need to override the MAX keysize for SHA1withDSA 370 if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) { 371 maxKeySize = 1024; 372 } 373 int keySize = 0; 374 if (key instanceof P11Key) { 375 keySize = ((P11Key) key).length(); 376 } else { 377 try { 378 if (keyAlgo.equals("RSA")) { 379 keySize = ((RSAKey) key).getModulus().bitLength(); 380 } else if (keyAlgo.equals("DSA")) { 381 keySize = ((DSAKey) key).getParams().getP().bitLength(); 382 } else if (keyAlgo.equals("EC")) { 383 keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize(); 384 } else { 385 throw new ProviderException("Error: unsupported algo " + keyAlgo); 386 } 387 } catch (ClassCastException cce) { 388 throw new InvalidKeyException(keyAlgo + 389 " key must be the right type", cce); 390 } 391 } 392 if ((minKeySize != -1) && (keySize < minKeySize)) { 393 throw new InvalidKeyException(keyAlgo + 394 " key must be at least " + minKeySize + " bits"); 395 } 396 if ((maxKeySize != -1) && (keySize > maxKeySize)) { 397 throw new InvalidKeyException(keyAlgo + 398 " key must be at most " + maxKeySize + " bits"); 399 } 400 if (keyAlgo.equals("RSA")) { 401 checkRSAKeyLength(keySize); 402 } 403 } 404 405 private void checkRSAKeyLength(int len) throws InvalidKeyException { 406 RSAPadding padding; 407 try { 408 padding = RSAPadding.getInstance 409 (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3); 410 } catch (InvalidAlgorithmParameterException iape) { 411 throw new InvalidKeyException(iape.getMessage()); 412 } 413 int maxDataSize = padding.getMaxDataSize(); 414 int encodedLength; 415 if (algorithm.equals("MD5withRSA") || 416 algorithm.equals("MD2withRSA")) { 417 encodedLength = 34; 418 } else if (algorithm.equals("SHA1withRSA")) { 419 encodedLength = 35; 420 } else if (algorithm.equals("SHA224withRSA")) { 421 encodedLength = 47; 422 } else if (algorithm.equals("SHA256withRSA")) { 423 encodedLength = 51; 424 } else if (algorithm.equals("SHA384withRSA")) { 425 encodedLength = 67; 426 } else if (algorithm.equals("SHA512withRSA")) { 427 encodedLength = 83; 428 } else { 429 throw new ProviderException("Unknown signature algo: " + algorithm); 430 } 431 if (encodedLength > maxDataSize) { 432 throw new InvalidKeyException 433 ("Key is too short for this signature algorithm"); 434 } 435 } 436 437 // see JCA spec 438 @Override 439 protected void engineInitVerify(PublicKey publicKey) 440 throws InvalidKeyException { 441 if (publicKey == null) { 442 throw new InvalidKeyException("Key must not be null"); 443 } 444 // Need to check key length whenever a new key is set 445 if (publicKey != p11Key) { 446 checkKeySize(keyAlgorithm, publicKey); 447 } 448 cancelOperation(); 449 mode = M_VERIFY; 450 p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm); 451 initialize(); 452 } 453 454 // see JCA spec 455 @Override 456 protected void engineInitSign(PrivateKey privateKey) 457 throws InvalidKeyException { 458 if (privateKey == null) { 459 throw new InvalidKeyException("Key must not be null"); 460 } 461 // Need to check RSA key length whenever a new key is set 462 if (privateKey != p11Key) { 463 checkKeySize(keyAlgorithm, privateKey); 464 } 465 cancelOperation(); 466 mode = M_SIGN; 467 p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm); 468 initialize(); 469 } 470 471 // see JCA spec 472 @Override 473 protected void engineUpdate(byte b) throws SignatureException { 474 ensureInitialized(); 475 switch (type) { 476 case T_UPDATE: 477 buffer[0] = b; 478 engineUpdate(buffer, 0, 1); 479 break; 480 case T_DIGEST: 481 md.update(b); 482 bytesProcessed++; 483 break; 484 case T_RAW: 485 if (bytesProcessed >= buffer.length) { 486 bytesProcessed = buffer.length + 1; 487 return; 488 } 489 buffer[bytesProcessed++] = b; 490 break; 491 default: 492 throw new ProviderException("Internal error"); 493 } 494 } 495 496 // see JCA spec 497 @Override 498 protected void engineUpdate(byte[] b, int ofs, int len) 499 throws SignatureException { 500 ensureInitialized(); 501 if (len == 0) { 502 return; 503 } 504 switch (type) { 505 case T_UPDATE: 506 try { 507 if (mode == M_SIGN) { 508 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); 509 } else { 510 token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len); 511 } 512 bytesProcessed += len; 513 } catch (PKCS11Exception e) { 514 throw new ProviderException(e); 515 } 516 break; 517 case T_DIGEST: 518 md.update(b, ofs, len); 519 bytesProcessed += len; 520 break; 521 case T_RAW: 522 if (bytesProcessed + len > buffer.length) { 523 bytesProcessed = buffer.length + 1; 524 return; 525 } 526 System.arraycopy(b, ofs, buffer, bytesProcessed, len); 527 bytesProcessed += len; 528 break; 529 default: 530 throw new ProviderException("Internal error"); 531 } 532 } 533 534 // see JCA spec 535 @Override 536 protected void engineUpdate(ByteBuffer byteBuffer) { 537 ensureInitialized(); 538 int len = byteBuffer.remaining(); 539 if (len <= 0) { 540 return; 541 } 542 switch (type) { 543 case T_UPDATE: 544 if (byteBuffer instanceof DirectBuffer == false) { 545 // cannot do better than default impl 546 super.engineUpdate(byteBuffer); 547 return; 548 } 549 long addr = ((DirectBuffer)byteBuffer).address(); 550 int ofs = byteBuffer.position(); 551 try { 552 if (mode == M_SIGN) { 553 token.p11.C_SignUpdate 554 (session.id(), addr + ofs, null, 0, len); 555 } else { 556 token.p11.C_VerifyUpdate 557 (session.id(), addr + ofs, null, 0, len); 558 } 559 bytesProcessed += len; 560 byteBuffer.position(ofs + len); 561 } catch (PKCS11Exception e) { 562 throw new ProviderException("Update failed", e); 563 } 564 break; 565 case T_DIGEST: 566 md.update(byteBuffer); 567 bytesProcessed += len; 568 break; 569 case T_RAW: 570 if (bytesProcessed + len > buffer.length) { 571 bytesProcessed = buffer.length + 1; 572 return; 573 } 574 byteBuffer.get(buffer, bytesProcessed, len); 575 bytesProcessed += len; 576 break; 577 default: 578 throw new ProviderException("Internal error"); 579 } 580 } 581 582 // see JCA spec 583 @Override 584 protected byte[] engineSign() throws SignatureException { 585 ensureInitialized(); 586 try { 587 byte[] signature; 588 if (type == T_UPDATE) { 589 int len = keyAlgorithm.equals("DSA") ? 40 : 0; 590 signature = token.p11.C_SignFinal(session.id(), len); 591 } else { 592 byte[] digest; 593 if (type == T_DIGEST) { 594 digest = md.digest(); 595 } else { // T_RAW 596 if (mechanism == CKM_DSA) { 597 if (bytesProcessed != buffer.length) { 598 throw new SignatureException 599 ("Data for RawDSA must be exactly 20 bytes long"); 600 } 601 digest = buffer; 602 } else { // CKM_ECDSA 603 if (bytesProcessed > buffer.length) { 604 throw new SignatureException("Data for NONEwithECDSA" 605 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 606 } 607 digest = new byte[bytesProcessed]; 608 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 609 } 610 } 611 if (keyAlgorithm.equals("RSA") == false) { 612 // DSA and ECDSA 613 signature = token.p11.C_Sign(session.id(), digest); 614 } else { // RSA 615 byte[] data = encodeSignature(digest); 616 if (mechanism == CKM_RSA_X_509) { 617 data = pkcs1Pad(data); 618 } 619 signature = token.p11.C_Sign(session.id(), data); 620 } 621 } 622 if (keyAlgorithm.equals("RSA")) { 623 return signature; 624 } else { 625 if (p1363Format) { 626 return signature; 627 } else { 628 return dsaToASN1(signature); 629 } 630 } 631 } catch (PKCS11Exception pe) { 632 throw new ProviderException(pe); 633 } catch (SignatureException | ProviderException e) { 634 cancelOperation(); 635 throw e; 636 } finally { 637 initialized = false; 638 session = token.releaseSession(session); 639 } 640 } 641 642 // see JCA spec 643 @Override 644 protected boolean engineVerify(byte[] signature) throws SignatureException { 645 ensureInitialized(); 646 try { 647 if (!p1363Format) { 648 if (keyAlgorithm.equals("DSA")) { 649 signature = asn1ToDSA(signature); 650 } else if (keyAlgorithm.equals("EC")) { 651 signature = asn1ToECDSA(signature); 652 } 653 } 654 if (type == T_UPDATE) { 655 token.p11.C_VerifyFinal(session.id(), signature); 656 } else { 657 byte[] digest; 658 if (type == T_DIGEST) { 659 digest = md.digest(); 660 } else { // T_RAW 661 if (mechanism == CKM_DSA) { 662 if (bytesProcessed != buffer.length) { 663 throw new SignatureException 664 ("Data for RawDSA must be exactly 20 bytes long"); 665 } 666 digest = buffer; 667 } else { 668 if (bytesProcessed > buffer.length) { 669 throw new SignatureException("Data for NONEwithECDSA" 670 + " must be at most " + RAW_ECDSA_MAX + " bytes long"); 671 } 672 digest = new byte[bytesProcessed]; 673 System.arraycopy(buffer, 0, digest, 0, bytesProcessed); 674 } 675 } 676 if (keyAlgorithm.equals("RSA") == false) { 677 // DSA and ECDSA 678 token.p11.C_Verify(session.id(), digest, signature); 679 } else { // RSA 680 byte[] data = encodeSignature(digest); 681 if (mechanism == CKM_RSA_X_509) { 682 data = pkcs1Pad(data); 683 } 684 token.p11.C_Verify(session.id(), data, signature); 685 } 686 } 687 return true; 688 } catch (PKCS11Exception pe) { 689 long errorCode = pe.getErrorCode(); 690 if (errorCode == CKR_SIGNATURE_INVALID) { 691 return false; 692 } 693 if (errorCode == CKR_SIGNATURE_LEN_RANGE) { 694 // return false rather than throwing an exception 695 return false; 696 } 697 // ECF bug? 698 if (errorCode == CKR_DATA_LEN_RANGE) { 699 return false; 700 } 701 throw new ProviderException(pe); 702 } catch (SignatureException | ProviderException e) { 703 cancelOperation(); 704 throw e; 705 } finally { 706 initialized = false; 707 session = token.releaseSession(session); 708 } 709 } 710 711 private byte[] pkcs1Pad(byte[] data) { 712 try { 713 int len = (p11Key.length() + 7) >> 3; 714 RSAPadding padding = RSAPadding.getInstance 715 (RSAPadding.PAD_BLOCKTYPE_1, len); 716 byte[] padded = padding.pad(data); 717 return padded; 718 } catch (GeneralSecurityException e) { 719 throw new ProviderException(e); 720 } 721 } 722 723 private byte[] encodeSignature(byte[] digest) throws SignatureException { 724 try { 725 return RSASignature.encodeSignature(digestOID, digest); 726 } catch (IOException e) { 727 throw new SignatureException("Invalid encoding", e); 728 } 729 } 730 731 // private static byte[] decodeSignature(byte[] signature) throws IOException { 732 // return RSASignature.decodeSignature(digestOID, signature); 733 // } 734 735 // For DSA and ECDSA signatures, PKCS#11 represents them as a simple 736 // byte array that contains the concatenation of r and s. 737 // For DSA, r and s are always exactly 20 bytes long. 738 // For ECDSA, r and s are of variable length, but we know that each 739 // occupies half of the array. 740 private static byte[] dsaToASN1(byte[] signature) { 741 int n = signature.length >> 1; 742 BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n)); 743 BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n)); 744 try { 745 DerOutputStream outseq = new DerOutputStream(100); 746 outseq.putInteger(r); 747 outseq.putInteger(s); 748 DerValue result = new DerValue(DerValue.tag_Sequence, 749 outseq.toByteArray()); 750 return result.toByteArray(); 751 } catch (java.io.IOException e) { 752 throw new RuntimeException("Internal error", e); 753 } 754 } 755 756 private static byte[] asn1ToDSA(byte[] sig) throws SignatureException { 757 try { 758 // Enforce strict DER checking for signatures 759 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 760 DerValue[] values = in.getSequence(2); 761 762 // check number of components in the read sequence 763 // and trailing data 764 if ((values.length != 2) || (in.available() != 0)) { 765 throw new IOException("Invalid encoding for signature"); 766 } 767 768 BigInteger r = values[0].getPositiveBigInteger(); 769 BigInteger s = values[1].getPositiveBigInteger(); 770 771 byte[] br = toByteArray(r, 20); 772 byte[] bs = toByteArray(s, 20); 773 if ((br == null) || (bs == null)) { 774 throw new SignatureException("Out of range value for R or S"); 775 } 776 return P11Util.concat(br, bs); 777 } catch (SignatureException e) { 778 throw e; 779 } catch (Exception e) { 780 throw new SignatureException("Invalid encoding for signature", e); 781 } 782 } 783 784 private byte[] asn1ToECDSA(byte[] sig) throws SignatureException { 785 try { 786 // Enforce strict DER checking for signatures 787 DerInputStream in = new DerInputStream(sig, 0, sig.length, false); 788 DerValue[] values = in.getSequence(2); 789 790 // check number of components in the read sequence 791 // and trailing data 792 if ((values.length != 2) || (in.available() != 0)) { 793 throw new IOException("Invalid encoding for signature"); 794 } 795 796 BigInteger r = values[0].getPositiveBigInteger(); 797 BigInteger s = values[1].getPositiveBigInteger(); 798 799 // trim leading zeroes 800 byte[] br = KeyUtil.trimZeroes(r.toByteArray()); 801 byte[] bs = KeyUtil.trimZeroes(s.toByteArray()); 802 int k = Math.max(br.length, bs.length); 803 // r and s each occupy half the array 804 byte[] res = new byte[k << 1]; 805 System.arraycopy(br, 0, res, k - br.length, br.length); 806 System.arraycopy(bs, 0, res, res.length - bs.length, bs.length); 807 return res; 808 } catch (Exception e) { 809 throw new SignatureException("Invalid encoding for signature", e); 810 } 811 } 812 813 private static byte[] toByteArray(BigInteger bi, int len) { 814 byte[] b = bi.toByteArray(); 815 int n = b.length; 816 if (n == len) { 817 return b; 818 } 819 if ((n == len + 1) && (b[0] == 0)) { 820 byte[] t = new byte[len]; 821 System.arraycopy(b, 1, t, 0, len); 822 return t; 823 } 824 if (n > len) { 825 return null; 826 } 827 // must be smaller 828 byte[] t = new byte[len]; 829 System.arraycopy(b, 0, t, (len - n), n); 830 return t; 831 } 832 833 // see JCA spec 834 @SuppressWarnings("deprecation") 835 @Override 836 protected void engineSetParameter(String param, Object value) 837 throws InvalidParameterException { 838 throw new UnsupportedOperationException("setParameter() not supported"); 839 } 840 841 // see JCA spec 842 @Override 843 protected void engineSetParameter(AlgorithmParameterSpec params) 844 throws InvalidAlgorithmParameterException { 845 if (params != null) { 846 throw new InvalidAlgorithmParameterException("No parameter accepted"); 847 } 848 } 849 850 // see JCA spec 851 @SuppressWarnings("deprecation") 852 @Override 853 protected Object engineGetParameter(String param) 854 throws InvalidParameterException { 855 throw new UnsupportedOperationException("getParameter() not supported"); 856 } 857 858 // see JCA spec 859 @Override 860 protected AlgorithmParameters engineGetParameters() { 861 return null; 862 } 863 }