1 /*
   2  * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package com.sun.crypto.provider;
  27 
  28 import java.io.*;
  29 import java.security.NoSuchAlgorithmException;
  30 import java.security.AlgorithmParametersSpi;
  31 import java.security.spec.AlgorithmParameterSpec;
  32 import java.security.spec.InvalidParameterSpecException;
  33 import javax.crypto.spec.IvParameterSpec;
  34 import javax.crypto.spec.PBEParameterSpec;
  35 import sun.security.util.*;
  36 
  37 /**
  38  * This class implements the parameter set used with password-based
  39  * encryption scheme 2 (PBES2), which is defined in PKCS#5 as follows:
  40  *
  41  * <pre>
  42  * -- PBES2
  43  *
  44  * PBES2Algorithms ALGORITHM-IDENTIFIER ::=
  45  *   { {PBES2-params IDENTIFIED BY id-PBES2}, ...}
  46  *
  47  * id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
  48  *
  49  * PBES2-params ::= SEQUENCE {
  50  *   keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
  51  *   encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
  52  *
  53  * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
  54  *   { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
  55  *
  56  * PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
  57  *
  58  * -- PBKDF2
  59  *
  60  * PBKDF2Algorithms ALGORITHM-IDENTIFIER ::=
  61  *   { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ...}
  62  *
  63  * id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
  64  *
  65  * PBKDF2-params ::= SEQUENCE {
  66  *     salt CHOICE {
  67  *       specified OCTET STRING,
  68  *       otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
  69  *     },
  70  *     iterationCount INTEGER (1..MAX),
  71  *     keyLength INTEGER (1..MAX) OPTIONAL,
  72  *     prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
  73  * }
  74  *
  75  * PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }
  76  *
  77  * PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= {
  78  *     {NULL IDENTIFIED BY id-hmacWithSHA1} |
  79  *     {NULL IDENTIFIED BY id-hmacWithSHA224} |
  80  *     {NULL IDENTIFIED BY id-hmacWithSHA256} |
  81  *     {NULL IDENTIFIED BY id-hmacWithSHA384} |
  82  *     {NULL IDENTIFIED BY id-hmacWithSHA512}, ... }
  83  *
  84  * algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  85  *     {algorithm id-hmacWithSHA1, parameters NULL : NULL}
  86  *
  87  * id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
  88  *
  89  * PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
  90  *
  91  * </pre>
  92  */
  93 
  94 abstract class PBES2Parameters extends AlgorithmParametersSpi {
  95 
  96     private static final int pkcs5PBKDF2[] =
  97                                         {1, 2, 840, 113549, 1, 5, 12};
  98     private static final int pkcs5PBES2[] =
  99                                         {1, 2, 840, 113549, 1, 5, 13};
 100     private static final int hmacWithSHA1[] =
 101                                         {1, 2, 840, 113549, 2, 7};
 102     private static final int hmacWithSHA224[] =
 103                                         {1, 2, 840, 113549, 2, 8};
 104     private static final int hmacWithSHA256[] =
 105                                         {1, 2, 840, 113549, 2, 9};
 106     private static final int hmacWithSHA384[] =
 107                                         {1, 2, 840, 113549, 2, 10};
 108     private static final int hmacWithSHA512[] =
 109                                         {1, 2, 840, 113549, 2, 11};
 110     private static final int aes128CBC[] =
 111                                         {2, 16, 840, 1, 101, 3, 4, 1, 2};
 112     private static final int aes192CBC[] =
 113                                         {2, 16, 840, 1, 101, 3, 4, 1, 22};
 114     private static final int aes256CBC[] =
 115                                         {2, 16, 840, 1, 101, 3, 4, 1, 42};
 116 
 117     private static ObjectIdentifier pkcs5PBKDF2_OID;
 118     private static ObjectIdentifier pkcs5PBES2_OID;
 119     private static ObjectIdentifier hmacWithSHA1_OID;
 120     private static ObjectIdentifier hmacWithSHA224_OID;
 121     private static ObjectIdentifier hmacWithSHA256_OID;
 122     private static ObjectIdentifier hmacWithSHA384_OID;
 123     private static ObjectIdentifier hmacWithSHA512_OID;
 124     private static ObjectIdentifier aes128CBC_OID;
 125     private static ObjectIdentifier aes192CBC_OID;
 126     private static ObjectIdentifier aes256CBC_OID;
 127 
 128     static {
 129         try {
 130             pkcs5PBKDF2_OID = new ObjectIdentifier(pkcs5PBKDF2);
 131             pkcs5PBES2_OID = new ObjectIdentifier(pkcs5PBES2);
 132             hmacWithSHA1_OID = new ObjectIdentifier(hmacWithSHA1);
 133             hmacWithSHA224_OID = new ObjectIdentifier(hmacWithSHA224);
 134             hmacWithSHA256_OID = new ObjectIdentifier(hmacWithSHA256);
 135             hmacWithSHA384_OID = new ObjectIdentifier(hmacWithSHA384);
 136             hmacWithSHA512_OID = new ObjectIdentifier(hmacWithSHA512);
 137             aes128CBC_OID = new ObjectIdentifier(aes128CBC);
 138             aes192CBC_OID = new ObjectIdentifier(aes192CBC);
 139             aes256CBC_OID = new ObjectIdentifier(aes256CBC);
 140         } catch (IOException ioe) {
 141             // should not happen
 142         }
 143     }
 144 
 145     // the PBES2 algorithm name
 146     private String pbes2AlgorithmName = null;
 147 
 148     // the salt
 149     private byte[] salt = null;
 150 
 151     // the iteration count
 152     private int iCount = 0;
 153 
 154     // the cipher parameter
 155     private AlgorithmParameterSpec cipherParam = null;
 156 
 157     // the key derivation function (default is HmacSHA1)
 158     private ObjectIdentifier kdfAlgo_OID = hmacWithSHA1_OID;
 159 
 160     // the encryption function
 161     private ObjectIdentifier cipherAlgo_OID = null;
 162 
 163     // the cipher keysize (in bits)
 164     private int keysize = -1;
 165 
 166     PBES2Parameters() {
 167         // KDF, encryption & keysize values are set later, in engineInit(byte[])
 168     }
 169 
 170     PBES2Parameters(String pbes2AlgorithmName) throws NoSuchAlgorithmException {
 171         int and;
 172         String kdfAlgo = null;
 173         String cipherAlgo = null;
 174 
 175         // Extract the KDF and encryption algorithm names
 176         this.pbes2AlgorithmName = pbes2AlgorithmName;
 177         if (pbes2AlgorithmName.startsWith("PBEWith") &&
 178             (and = pbes2AlgorithmName.indexOf("And", 7 + 1)) > 0) {
 179             kdfAlgo = pbes2AlgorithmName.substring(7, and);
 180             cipherAlgo = pbes2AlgorithmName.substring(and + 3);
 181 
 182             // Check for keysize
 183             int underscore;
 184             if ((underscore = cipherAlgo.indexOf('_')) > 0) {
 185                 int slash;
 186                 if ((slash = cipherAlgo.indexOf('/', underscore + 1)) > 0) {
 187                     keysize =
 188                         Integer.parseInt(cipherAlgo.substring(underscore + 1,
 189                             slash));
 190                 } else {
 191                     keysize =
 192                         Integer.parseInt(cipherAlgo.substring(underscore + 1));
 193                 }
 194                 cipherAlgo = cipherAlgo.substring(0, underscore);
 195             }
 196         } else {
 197             throw new NoSuchAlgorithmException("No crypto implementation for " +
 198                 pbes2AlgorithmName);
 199         }
 200 
 201         switch (kdfAlgo) {
 202         case "HmacSHA1":
 203             kdfAlgo_OID = hmacWithSHA1_OID;
 204             break;
 205         case "HmacSHA224":
 206             kdfAlgo_OID = hmacWithSHA224_OID;
 207             break;
 208         case "HmacSHA256":
 209             kdfAlgo_OID = hmacWithSHA256_OID;
 210             break;
 211         case "HmacSHA384":
 212             kdfAlgo_OID = hmacWithSHA384_OID;
 213             break;
 214         case "HmacSHA512":
 215             kdfAlgo_OID = hmacWithSHA512_OID;
 216             break;
 217         default:
 218             throw new NoSuchAlgorithmException(
 219                 "No crypto implementation for " + kdfAlgo);
 220         }
 221 
 222         if (cipherAlgo.equals("AES")) {
 223             this.keysize = keysize;
 224             switch (keysize) {
 225             case 128:
 226                 cipherAlgo_OID = aes128CBC_OID;
 227                 break;
 228             case 256:
 229                 cipherAlgo_OID = aes256CBC_OID;
 230                 break;
 231             default:
 232                 throw new NoSuchAlgorithmException(
 233                     "No Cipher implementation for " + keysize + "-bit " +
 234                         cipherAlgo);
 235             }
 236         } else {
 237             throw new NoSuchAlgorithmException("No Cipher implementation for " +
 238                 cipherAlgo);
 239         }
 240     }
 241 
 242     protected void engineInit(AlgorithmParameterSpec paramSpec)
 243         throws InvalidParameterSpecException
 244     {
 245        if (!(paramSpec instanceof PBEParameterSpec)) {
 246            throw new InvalidParameterSpecException
 247                ("Inappropriate parameter specification");
 248        }
 249        this.salt = ((PBEParameterSpec)paramSpec).getSalt().clone();
 250        this.iCount = ((PBEParameterSpec)paramSpec).getIterationCount();
 251        this.cipherParam = ((PBEParameterSpec)paramSpec).getParameterSpec();
 252     }
 253 
 254     protected void engineInit(byte[] encoded)
 255         throws IOException
 256     {
 257         String kdfAlgo = null;
 258         String cipherAlgo = null;
 259 
 260         DerValue pBES2_params = new DerValue(encoded);
 261         if (pBES2_params.tag != DerValue.tag_Sequence) {
 262             throw new IOException("PBE parameter parsing error: "
 263                 + "not an ASN.1 SEQUENCE tag");
 264         }
 265         DerValue kdf = pBES2_params.data.getDerValue();
 266 
 267         // Before JDK-8202837, PBES2-params was mistakenly encoded like
 268         // an AlgorithmId which is a sequence of its own OID and the real
 269         // PBES2-params. If the first DerValue is an OID instead of a
 270         // PBES2-KDFs (which should be a SEQUENCE), we are likely to be
 271         // dealing with this buggy encoding. Skip the OID and treat the
 272         // next DerValue as the real PBES2-params.
 273         if (kdf.getTag() == DerValue.tag_ObjectId) {
 274             pBES2_params = pBES2_params.data.getDerValue();
 275             kdf = pBES2_params.data.getDerValue();
 276         }
 277 
 278         kdfAlgo = parseKDF(kdf);
 279 
 280         if (pBES2_params.tag != DerValue.tag_Sequence) {
 281             throw new IOException("PBE parameter parsing error: "
 282                 + "not an ASN.1 SEQUENCE tag");
 283         }
 284         cipherAlgo = parseES(pBES2_params.data.getDerValue());
 285 
 286         pbes2AlgorithmName = new StringBuilder().append("PBEWith")
 287             .append(kdfAlgo).append("And").append(cipherAlgo).toString();
 288     }
 289 
 290     private String parseKDF(DerValue keyDerivationFunc) throws IOException {
 291 
 292         if (!pkcs5PBKDF2_OID.equals(keyDerivationFunc.data.getOID())) {
 293             throw new IOException("PBE parameter parsing error: "
 294                 + "expecting the object identifier for PBKDF2");
 295         }
 296         if (keyDerivationFunc.tag != DerValue.tag_Sequence) {
 297             throw new IOException("PBE parameter parsing error: "
 298                 + "not an ASN.1 SEQUENCE tag");
 299         }
 300         DerValue pBKDF2_params = keyDerivationFunc.data.getDerValue();
 301         if (pBKDF2_params.tag != DerValue.tag_Sequence) {
 302             throw new IOException("PBE parameter parsing error: "
 303                 + "not an ASN.1 SEQUENCE tag");
 304         }
 305         DerValue specified = pBKDF2_params.data.getDerValue();
 306         // the 'specified' ASN.1 CHOICE for 'salt' is supported
 307         if (specified.tag == DerValue.tag_OctetString) {
 308             salt = specified.getOctetString();
 309         } else {
 310             // the 'otherSource' ASN.1 CHOICE for 'salt' is not supported
 311             throw new IOException("PBE parameter parsing error: "
 312                 + "not an ASN.1 OCTET STRING tag");
 313         }
 314         iCount = pBKDF2_params.data.getInteger();
 315 
 316         DerValue prf = null;
 317         // keyLength INTEGER (1..MAX) OPTIONAL,
 318         if (pBKDF2_params.data.available() > 0) {
 319             DerValue keyLength = pBKDF2_params.data.getDerValue();
 320             if (keyLength.tag == DerValue.tag_Integer) {
 321                 keysize = keyLength.getInteger() * 8; // keysize (in bits)
 322             } else {
 323                 // Should be the prf
 324                 prf = keyLength;
 325             }
 326         }
 327         // prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
 328         String kdfAlgo = "HmacSHA1";
 329         if (prf == null) {
 330             if (pBKDF2_params.data.available() > 0) {
 331                 prf = pBKDF2_params.data.getDerValue();
 332             }
 333         }
 334         if (prf != null) {
 335             kdfAlgo_OID = prf.data.getOID();
 336             if (hmacWithSHA1_OID.equals(kdfAlgo_OID)) {
 337                 kdfAlgo = "HmacSHA1";
 338             } else if (hmacWithSHA224_OID.equals(kdfAlgo_OID)) {
 339                 kdfAlgo = "HmacSHA224";
 340             } else if (hmacWithSHA256_OID.equals(kdfAlgo_OID)) {
 341                 kdfAlgo = "HmacSHA256";
 342             } else if (hmacWithSHA384_OID.equals(kdfAlgo_OID)) {
 343                 kdfAlgo = "HmacSHA384";
 344             } else if (hmacWithSHA512_OID.equals(kdfAlgo_OID)) {
 345                 kdfAlgo = "HmacSHA512";
 346             } else {
 347                 throw new IOException("PBE parameter parsing error: "
 348                         + "expecting the object identifier for a HmacSHA key "
 349                         + "derivation function");
 350             }
 351             if (prf.data.available() != 0) {
 352                 // parameter is 'NULL' for all HmacSHA KDFs
 353                 DerValue parameter = prf.data.getDerValue();
 354                 if (parameter.tag != DerValue.tag_Null) {
 355                     throw new IOException("PBE parameter parsing error: "
 356                             + "not an ASN.1 NULL tag");
 357                 }
 358             }
 359         }
 360 
 361         return kdfAlgo;
 362     }
 363 
 364     private String parseES(DerValue encryptionScheme) throws IOException {
 365         String cipherAlgo = null;
 366 
 367         cipherAlgo_OID = encryptionScheme.data.getOID();
 368         if (aes128CBC_OID.equals(cipherAlgo_OID)) {
 369             cipherAlgo = "AES_128";
 370             // parameter is AES-IV 'OCTET STRING (SIZE(16))'
 371             cipherParam =
 372                 new IvParameterSpec(encryptionScheme.data.getOctetString());
 373             keysize = 128;
 374         } else if (aes256CBC_OID.equals(cipherAlgo_OID)) {
 375             cipherAlgo = "AES_256";
 376             // parameter is AES-IV 'OCTET STRING (SIZE(16))'
 377             cipherParam =
 378                 new IvParameterSpec(encryptionScheme.data.getOctetString());
 379             keysize = 256;
 380         } else {
 381             throw new IOException("PBE parameter parsing error: "
 382                 + "expecting the object identifier for AES cipher");
 383         }
 384 
 385         return cipherAlgo;
 386     }
 387 
 388     protected void engineInit(byte[] encoded, String decodingMethod)
 389         throws IOException
 390     {
 391         engineInit(encoded);
 392     }
 393 
 394     protected <T extends AlgorithmParameterSpec>
 395             T engineGetParameterSpec(Class<T> paramSpec)
 396         throws InvalidParameterSpecException
 397     {
 398         if (PBEParameterSpec.class.isAssignableFrom(paramSpec)) {
 399             return paramSpec.cast(
 400                 new PBEParameterSpec(this.salt, this.iCount, this.cipherParam));
 401         } else {
 402             throw new InvalidParameterSpecException
 403                 ("Inappropriate parameter specification");
 404         }
 405     }
 406 
 407     protected byte[] engineGetEncoded() throws IOException {
 408         DerOutputStream out = new DerOutputStream();
 409 
 410         DerOutputStream pBES2_params = new DerOutputStream();
 411 
 412         DerOutputStream keyDerivationFunc = new DerOutputStream();
 413         keyDerivationFunc.putOID(pkcs5PBKDF2_OID);
 414 
 415         DerOutputStream pBKDF2_params = new DerOutputStream();
 416         pBKDF2_params.putOctetString(salt); // choice: 'specified OCTET STRING'
 417         pBKDF2_params.putInteger(iCount);
 418 
 419         if (keysize > 0) {
 420             pBKDF2_params.putInteger(keysize / 8); // derived key length (in octets)
 421         }
 422 
 423         DerOutputStream prf = new DerOutputStream();
 424         // algorithm is id-hmacWithSHA1/SHA224/SHA256/SHA384/SHA512
 425         prf.putOID(kdfAlgo_OID);
 426         // parameters is 'NULL'
 427         prf.putNull();
 428         pBKDF2_params.write(DerValue.tag_Sequence, prf);
 429 
 430         keyDerivationFunc.write(DerValue.tag_Sequence, pBKDF2_params);
 431         pBES2_params.write(DerValue.tag_Sequence, keyDerivationFunc);
 432 
 433         DerOutputStream encryptionScheme = new DerOutputStream();
 434         // algorithm is id-aes128-CBC or id-aes256-CBC
 435         encryptionScheme.putOID(cipherAlgo_OID);
 436         // parameters is 'AES-IV ::= OCTET STRING (SIZE(16))'
 437         if (cipherParam != null && cipherParam instanceof IvParameterSpec) {
 438             encryptionScheme.putOctetString(
 439                 ((IvParameterSpec)cipherParam).getIV());
 440         } else {
 441             throw new IOException("Wrong parameter type: IV expected");
 442         }
 443         pBES2_params.write(DerValue.tag_Sequence, encryptionScheme);
 444 
 445         out.write(DerValue.tag_Sequence, pBES2_params);
 446 
 447         return out.toByteArray();
 448     }
 449 
 450     protected byte[] engineGetEncoded(String encodingMethod)
 451         throws IOException
 452     {
 453         return engineGetEncoded();
 454     }
 455 
 456     /*
 457      * Returns a formatted string describing the parameters.
 458      *
 459      * The algorithn name pattern is: "PBEWith<prf>And<encryption>"
 460      * where <prf> is one of: HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384,
 461      * or HmacSHA512, and <encryption> is AES with a keysize suffix.
 462      */
 463     protected String engineToString() {
 464         return pbes2AlgorithmName;
 465     }
 466 
 467     public static final class General extends PBES2Parameters {
 468         public General() throws NoSuchAlgorithmException {
 469             super();
 470         }
 471     }
 472 
 473     public static final class HmacSHA1AndAES_128 extends PBES2Parameters {
 474         public HmacSHA1AndAES_128() throws NoSuchAlgorithmException {
 475             super("PBEWithHmacSHA1AndAES_128");
 476         }
 477     }
 478 
 479     public static final class HmacSHA224AndAES_128 extends PBES2Parameters {
 480         public HmacSHA224AndAES_128() throws NoSuchAlgorithmException {
 481             super("PBEWithHmacSHA224AndAES_128");
 482         }
 483     }
 484 
 485     public static final class HmacSHA256AndAES_128 extends PBES2Parameters {
 486         public HmacSHA256AndAES_128() throws NoSuchAlgorithmException {
 487             super("PBEWithHmacSHA256AndAES_128");
 488         }
 489     }
 490 
 491     public static final class HmacSHA384AndAES_128 extends PBES2Parameters {
 492         public HmacSHA384AndAES_128() throws NoSuchAlgorithmException {
 493             super("PBEWithHmacSHA384AndAES_128");
 494         }
 495     }
 496 
 497     public static final class HmacSHA512AndAES_128 extends PBES2Parameters {
 498         public HmacSHA512AndAES_128() throws NoSuchAlgorithmException {
 499             super("PBEWithHmacSHA512AndAES_128");
 500         }
 501     }
 502 
 503     public static final class HmacSHA1AndAES_256 extends PBES2Parameters {
 504         public HmacSHA1AndAES_256() throws NoSuchAlgorithmException {
 505             super("PBEWithHmacSHA1AndAES_256");
 506         }
 507     }
 508 
 509     public static final class HmacSHA224AndAES_256 extends PBES2Parameters {
 510         public HmacSHA224AndAES_256() throws NoSuchAlgorithmException {
 511             super("PBEWithHmacSHA224AndAES_256");
 512         }
 513     }
 514 
 515     public static final class HmacSHA256AndAES_256 extends PBES2Parameters {
 516         public HmacSHA256AndAES_256() throws NoSuchAlgorithmException {
 517             super("PBEWithHmacSHA256AndAES_256");
 518         }
 519     }
 520 
 521     public static final class HmacSHA384AndAES_256 extends PBES2Parameters {
 522         public HmacSHA384AndAES_256() throws NoSuchAlgorithmException {
 523             super("PBEWithHmacSHA384AndAES_256");
 524         }
 525     }
 526 
 527     public static final class HmacSHA512AndAES_256 extends PBES2Parameters {
 528         public HmacSHA512AndAES_256() throws NoSuchAlgorithmException {
 529             super("PBEWithHmacSHA512AndAES_256");
 530         }
 531     }
 532 }