1 /*
2 * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ec;
27
28 import java.io.IOException;
29 import java.nio.ByteBuffer;
30 import java.math.BigInteger;
31
32 import java.security.*;
33 import java.security.interfaces.*;
34 import java.security.spec.*;
35 import java.util.Optional;
36
37 import sun.security.jca.JCAUtil;
38 import sun.security.util.*;
39 import static sun.security.ec.ECOperations.IntermediateValueException;
40
41 /**
42 * ECDSA signature implementation. This class currently supports the
43 * following algorithm names:
44 *
45 * . "NONEwithECDSA"
46 * . "SHA1withECDSA"
47 * . "SHA224withECDSA"
48 * . "SHA256withECDSA"
49 * . "SHA384withECDSA"
50 * . "SHA512withECDSA"
51 * . "NONEwithECDSAinP1363Format"
52 * . "SHA1withECDSAinP1363Format"
53 * . "SHA224withECDSAinP1363Format"
54 * . "SHA256withECDSAinP1363Format"
55 * . "SHA384withECDSAinP1363Format"
56 * . "SHA512withECDSAinP1363Format"
57 *
58 * @since 1.7
59 */
60 abstract class ECDSASignature extends SignatureSpi {
61
62 // message digest implementation we use
63 private final MessageDigest messageDigest;
64
65 // supplied entropy
66 private SecureRandom random;
67
68 // flag indicating whether the digest has been reset
69 private boolean needsReset;
70
71 // private key, if initialized for signing
72 private ECPrivateKey privateKey;
73
74 // public key, if initialized for verifying
75 private ECPublicKey publicKey;
76
77 // The format. true for the IEEE P1363 format. false (default) for ASN.1
78 private final boolean p1363Format;
79
80 /**
81 * Constructs a new ECDSASignature.
82 *
83 * @exception ProviderException if the native ECC library is unavailable.
84 */
85 ECDSASignature() {
86 this(false);
87 }
88
89 /**
90 * Constructs a new ECDSASignature that will use the specified
91 * signature format. {@code p1363Format} should be {@code true} to
92 * use the IEEE P1363 format. If {@code p1363Format} is {@code false},
93 * the DER-encoded ASN.1 format will be used. This constructor is
94 * used by the RawECDSA subclasses.
95 */
96 ECDSASignature(boolean p1363Format) {
97 this.messageDigest = null;
98 this.p1363Format = p1363Format;
99 }
100
101 /**
102 * Constructs a new ECDSASignature. Used by subclasses.
103 */
104 ECDSASignature(String digestName) {
105 this(digestName, false);
106 }
107
108 /**
109 * Constructs a new ECDSASignature that will use the specified
110 * digest and signature format. {@code p1363Format} should be
111 * {@code true} to use the IEEE P1363 format. If {@code p1363Format}
112 * is {@code false}, the DER-encoded ASN.1 format will be used. This
113 * constructor is used by subclasses.
114 */
115 ECDSASignature(String digestName, boolean p1363Format) {
116 try {
117 messageDigest = MessageDigest.getInstance(digestName);
118 } catch (NoSuchAlgorithmException e) {
119 throw new ProviderException(e);
120 }
121 this.needsReset = false;
122 this.p1363Format = p1363Format;
123 }
124
125 // Class for Raw ECDSA signatures.
126 static class RawECDSA extends ECDSASignature {
127
128 // the longest supported digest is 512 bits (SHA-512)
129 private static final int RAW_ECDSA_MAX = 64;
130
131 private final byte[] precomputedDigest;
132 private int offset = 0;
133
134 RawECDSA(boolean p1363Format) {
135 super(p1363Format);
136 precomputedDigest = new byte[RAW_ECDSA_MAX];
137 }
138
139 // Stores the precomputed message digest value.
140 @Override
141 protected void engineUpdate(byte b) throws SignatureException {
142 if (offset >= precomputedDigest.length) {
143 offset = RAW_ECDSA_MAX + 1;
144 return;
145 }
146 precomputedDigest[offset++] = b;
147 }
148
149 // Stores the precomputed message digest value.
150 @Override
151 protected void engineUpdate(byte[] b, int off, int len)
152 throws SignatureException {
153 if (offset >= precomputedDigest.length) {
154 offset = RAW_ECDSA_MAX + 1;
155 return;
156 }
157 System.arraycopy(b, off, precomputedDigest, offset, len);
158 offset += len;
159 }
160
161 // Stores the precomputed message digest value.
162 @Override
163 protected void engineUpdate(ByteBuffer byteBuffer) {
164 int len = byteBuffer.remaining();
165 if (len <= 0) {
166 return;
167 }
168 if (offset + len >= precomputedDigest.length) {
169 offset = RAW_ECDSA_MAX + 1;
170 return;
171 }
172 byteBuffer.get(precomputedDigest, offset, len);
173 offset += len;
174 }
175
176 @Override
177 protected void resetDigest() {
178 offset = 0;
179 }
180
181 // Returns the precomputed message digest value.
182 @Override
183 protected byte[] getDigestValue() throws SignatureException {
184 if (offset > RAW_ECDSA_MAX) {
185 throw new SignatureException("Message digest is too long");
186
187 }
188 byte[] result = new byte[offset];
189 System.arraycopy(precomputedDigest, 0, result, 0, offset);
190 offset = 0;
191
192 return result;
193 }
194 }
195
196 // Nested class for NONEwithECDSA signatures
197 public static final class Raw extends RawECDSA {
198 public Raw() {
199 super(false);
200 }
201 }
202
203 // Nested class for NONEwithECDSAinP1363Format signatures
204 public static final class RawinP1363Format extends RawECDSA {
205 public RawinP1363Format() {
206 super(true);
207 }
208 }
209
210 // Nested class for SHA1withECDSA signatures
211 public static final class SHA1 extends ECDSASignature {
212 public SHA1() {
213 super("SHA1");
214 }
215 }
216
217 // Nested class for SHA1withECDSAinP1363Format signatures
218 public static final class SHA1inP1363Format extends ECDSASignature {
219 public SHA1inP1363Format() {
220 super("SHA1", true);
221 }
222 }
223
224 // Nested class for SHA224withECDSA signatures
225 public static final class SHA224 extends ECDSASignature {
226 public SHA224() {
227 super("SHA-224");
228 }
229 }
230
231 // Nested class for SHA224withECDSAinP1363Format signatures
232 public static final class SHA224inP1363Format extends ECDSASignature {
233 public SHA224inP1363Format() {
234 super("SHA-224", true);
235 }
236 }
237
238 // Nested class for SHA256withECDSA signatures
239 public static final class SHA256 extends ECDSASignature {
240 public SHA256() {
241 super("SHA-256");
242 }
243 }
244
245 // Nested class for SHA256withECDSAinP1363Format signatures
246 public static final class SHA256inP1363Format extends ECDSASignature {
247 public SHA256inP1363Format() {
248 super("SHA-256", true);
249 }
250 }
251
252 // Nested class for SHA384withECDSA signatures
253 public static final class SHA384 extends ECDSASignature {
254 public SHA384() {
255 super("SHA-384");
256 }
257 }
258
259 // Nested class for SHA384withECDSAinP1363Format signatures
260 public static final class SHA384inP1363Format extends ECDSASignature {
261 public SHA384inP1363Format() {
262 super("SHA-384", true);
263 }
264 }
265
266 // Nested class for SHA512withECDSA signatures
267 public static final class SHA512 extends ECDSASignature {
268 public SHA512() {
269 super("SHA-512");
270 }
271 }
272
273 // Nested class for SHA512withECDSAinP1363Format signatures
274 public static final class SHA512inP1363Format extends ECDSASignature {
275 public SHA512inP1363Format() {
276 super("SHA-512", true);
277 }
278 }
279
280 // initialize for verification. See JCA doc
281 @Override
282 protected void engineInitVerify(PublicKey publicKey)
283 throws InvalidKeyException {
284 this.publicKey = (ECPublicKey) ECKeyFactory.toECKey(publicKey);
285
286 // Should check that the supplied key is appropriate for signature
287 // algorithm (e.g. P-256 for SHA256withECDSA)
288 this.privateKey = null;
289 resetDigest();
290 }
291
292 // initialize for signing. See JCA doc
293 @Override
294 protected void engineInitSign(PrivateKey privateKey)
295 throws InvalidKeyException {
296 engineInitSign(privateKey, null);
297 }
298
299 // initialize for signing. See JCA doc
300 @Override
301 protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
302 throws InvalidKeyException {
303 this.privateKey = (ECPrivateKey) ECKeyFactory.toECKey(privateKey);
304
305 // Should check that the supplied key is appropriate for signature
306 // algorithm (e.g. P-256 for SHA256withECDSA)
307 this.publicKey = null;
308 this.random = random;
309 resetDigest();
310 }
311
312 /**
313 * Resets the message digest if needed.
314 */
315 protected void resetDigest() {
316 if (needsReset) {
317 if (messageDigest != null) {
318 messageDigest.reset();
319 }
320 needsReset = false;
321 }
322 }
323
324 /**
325 * Returns the message digest value.
326 */
327 protected byte[] getDigestValue() throws SignatureException {
328 needsReset = false;
329 return messageDigest.digest();
330 }
331
332 // update the signature with the plaintext data. See JCA doc
333 @Override
334 protected void engineUpdate(byte b) throws SignatureException {
335 messageDigest.update(b);
336 needsReset = true;
337 }
338
339 // update the signature with the plaintext data. See JCA doc
340 @Override
341 protected void engineUpdate(byte[] b, int off, int len)
342 throws SignatureException {
343 messageDigest.update(b, off, len);
344 needsReset = true;
345 }
346
347 // update the signature with the plaintext data. See JCA doc
348 @Override
349 protected void engineUpdate(ByteBuffer byteBuffer) {
350 int len = byteBuffer.remaining();
351 if (len <= 0) {
352 return;
353 }
354
355 messageDigest.update(byteBuffer);
356 needsReset = true;
357 }
358
359 private byte[] signDigestImpl(ECDSAOperations ops, int seedBits,
360 byte[] digest, ECPrivateKeyImpl privImpl, SecureRandom random)
361 throws SignatureException {
362
363 byte[] seedBytes = new byte[(seedBits + 7) / 8];
364 byte[] s = privImpl.getArrayS();
365
366 // Attempt to create the signature in a loop that uses new random input
367 // each time. The chance of failure is very small assuming the
368 // implementation derives the nonce using extra bits
369 int numAttempts = 128;
370 for (int i = 0; i < numAttempts; i++) {
371 random.nextBytes(seedBytes);
372 ECDSAOperations.Seed seed = new ECDSAOperations.Seed(seedBytes);
373 try {
374 return ops.signDigest(s, digest, seed);
375 } catch (IntermediateValueException ex) {
376 // try again in the next iteration
377 }
378 }
379
380 throw new SignatureException("Unable to produce signature after "
381 + numAttempts + " attempts");
382 }
383
384
385 private Optional<byte[]> signDigestImpl(ECPrivateKey privateKey,
386 byte[] digest, SecureRandom random) throws SignatureException {
387
388 if (! (privateKey instanceof ECPrivateKeyImpl)) {
389 return Optional.empty();
390 }
391 ECPrivateKeyImpl privImpl = (ECPrivateKeyImpl) privateKey;
392 ECParameterSpec params = privateKey.getParams();
393
394 // seed is the key size + 64 bits
395 int seedBits = params.getOrder().bitLength() + 64;
396 Optional<ECDSAOperations> opsOpt =
397 ECDSAOperations.forParameters(params);
398 if (opsOpt.isEmpty()) {
399 return Optional.empty();
400 } else {
401 byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest,
402 privImpl, random);
403 return Optional.of(sig);
404 }
405 }
406
407 private byte[] signDigestNative(ECPrivateKey privateKey, byte[] digest,
408 SecureRandom random) throws SignatureException {
409
410 byte[] s = privateKey.getS().toByteArray();
411 ECParameterSpec params = privateKey.getParams();
412
413 // DER OID
414 byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
415 int keySize = params.getCurve().getField().getFieldSize();
416
417 // seed is twice the key size (in bytes) plus 1
418 byte[] seed = new byte[(((keySize + 7) >> 3) + 1) * 2];
419
420 random.nextBytes(seed);
421
422 // random bits needed for timing countermeasures
423 int timingArgument = random.nextInt();
424 // values must be non-zero to enable countermeasures
425 timingArgument |= 1;
426
427 try {
428 return signDigest(digest, s, encodedParams, seed,
429 timingArgument);
430 } catch (GeneralSecurityException e) {
431 throw new SignatureException("Could not sign data", e);
432 }
433
434 }
435
436 // sign the data and return the signature. See JCA doc
437 @Override
438 protected byte[] engineSign() throws SignatureException {
439
440 if (random == null) {
441 random = JCAUtil.getSecureRandom();
442 }
443
444 byte[] digest = getDigestValue();
445 Optional<byte[]> sigOpt = signDigestImpl(privateKey, digest, random);
446 byte[] sig;
447 if (sigOpt.isPresent()) {
448 sig = sigOpt.get();
449 } else {
450 sig = signDigestNative(privateKey, digest, random);
451 }
452
453 if (p1363Format) {
454 return sig;
455 } else {
456 return encodeSignature(sig);
457 }
458 }
459
460 // verify the data and return the result. See JCA doc
461 @Override
462 protected boolean engineVerify(byte[] signature) throws SignatureException {
463
464 byte[] w;
465 ECParameterSpec params = publicKey.getParams();
466 // DER OID
467 byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
468
469 if (publicKey instanceof ECPublicKeyImpl) {
470 w = ((ECPublicKeyImpl) publicKey).getEncodedPublicValue();
471 } else { // instanceof ECPublicKey
472 w = ECUtil.encodePoint(publicKey.getW(), params.getCurve());
473 }
474
475 byte[] sig;
476 if (p1363Format) {
477 sig = signature;
478 } else {
479 sig = decodeSignature(signature);
480 }
481
482 try {
483 return verifySignedDigest(sig, getDigestValue(), w, encodedParams);
484 } catch (GeneralSecurityException e) {
485 throw new SignatureException("Could not verify signature", e);
486 }
487 }
488
489 // set parameter, not supported. See JCA doc
490 @Override
491 @Deprecated
492 protected void engineSetParameter(String param, Object value)
493 throws InvalidParameterException {
494 throw new UnsupportedOperationException("setParameter() not supported");
495 }
496
497 @Override
498 protected void engineSetParameter(AlgorithmParameterSpec params)
499 throws InvalidAlgorithmParameterException {
500 if (params != null) {
501 throw new InvalidAlgorithmParameterException("No parameter accepted");
502 }
503 }
504
505 // get parameter, not supported. See JCA doc
506 @Override
507 @Deprecated
508 protected Object engineGetParameter(String param)
509 throws InvalidParameterException {
510 throw new UnsupportedOperationException("getParameter() not supported");
511 }
512
513 @Override
514 protected AlgorithmParameters engineGetParameters() {
515 return null;
516 }
517
518 // Convert the concatenation of R and S into their DER encoding
519 private byte[] encodeSignature(byte[] signature) throws SignatureException {
520
521 try {
522
523 int n = signature.length >> 1;
524 byte[] bytes = new byte[n];
525 System.arraycopy(signature, 0, bytes, 0, n);
526 BigInteger r = new BigInteger(1, bytes);
527 System.arraycopy(signature, n, bytes, 0, n);
528 BigInteger s = new BigInteger(1, bytes);
529
530 DerOutputStream out = new DerOutputStream(signature.length + 10);
531 out.putInteger(r);
532 out.putInteger(s);
533 DerValue result =
534 new DerValue(DerValue.tag_Sequence, out.toByteArray());
535
536 return result.toByteArray();
537
538 } catch (Exception e) {
539 throw new SignatureException("Could not encode signature", e);
540 }
541 }
542
543 // Convert the DER encoding of R and S into a concatenation of R and S
544 private byte[] decodeSignature(byte[] sig) throws SignatureException {
545
546 try {
547 // Enforce strict DER checking for signatures
548 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
549 DerValue[] values = in.getSequence(2);
550
551 // check number of components in the read sequence
552 // and trailing data
553 if ((values.length != 2) || (in.available() != 0)) {
554 throw new IOException("Invalid encoding for signature");
555 }
556
557 BigInteger r = values[0].getPositiveBigInteger();
558 BigInteger s = values[1].getPositiveBigInteger();
559
560 // trim leading zeroes
561 byte[] rBytes = trimZeroes(r.toByteArray());
562 byte[] sBytes = trimZeroes(s.toByteArray());
563 int k = Math.max(rBytes.length, sBytes.length);
564 // r and s each occupy half the array
565 byte[] result = new byte[k << 1];
566 System.arraycopy(rBytes, 0, result, k - rBytes.length,
567 rBytes.length);
568 System.arraycopy(sBytes, 0, result, result.length - sBytes.length,
569 sBytes.length);
570 return result;
571
572 } catch (Exception e) {
573 throw new SignatureException("Invalid encoding for signature", e);
574 }
575 }
576
577 // trim leading (most significant) zeroes from the result
578 private static byte[] trimZeroes(byte[] b) {
579 int i = 0;
580 while ((i < b.length - 1) && (b[i] == 0)) {
581 i++;
582 }
583 if (i == 0) {
584 return b;
585 }
586 byte[] t = new byte[b.length - i];
587 System.arraycopy(b, i, t, 0, t.length);
588 return t;
589 }
590
591 /**
592 * Signs the digest using the private key.
593 *
594 * @param digest the digest to be signed.
595 * @param s the private key's S value.
596 * @param encodedParams the curve's DER encoded object identifier.
597 * @param seed the random seed.
598 * @param timing When non-zero, the implmentation will use timing
599 * countermeasures to hide secrets from timing channels. The EC
600 * implementation will disable the countermeasures when this value is
601 * zero, because the underlying EC functions are shared by several
602 * crypto operations, some of which do not use the countermeasures.
603 * The high-order 31 bits must be uniformly random. The entropy from
604 * these bits is used by the countermeasures.
605 *
606 * @return byte[] the signature.
607 */
608 private static native byte[] signDigest(byte[] digest, byte[] s,
609 byte[] encodedParams, byte[] seed, int timing)
610 throws GeneralSecurityException;
611
612 /**
613 * Verifies the signed digest using the public key.
614 *
615 * @param signature the signature to be verified. It is encoded
616 * as a concatenation of the key's R and S values.
617 * @param digest the digest to be used.
618 * @param w the public key's W point (in uncompressed form).
619 * @param encodedParams the curve's DER encoded object identifier.
620 *
621 * @return boolean true if the signature is successfully verified.
622 */
623 private static native boolean verifySignedDigest(byte[] signature,
624 byte[] digest, byte[] w, byte[] encodedParams)
625 throws GeneralSecurityException;
626 }