/*
* Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ec;
import java.nio.ByteBuffer;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
import java.util.Optional;
import sun.security.jca.JCAUtil;
import sun.security.util.*;
import static sun.security.ec.ECOperations.IntermediateValueException;
ECDSA signature implementation. This class currently supports the
following algorithm names:
. "NONEwithECDSA"
. "SHA1withECDSA"
. "SHA224withECDSA"
. "SHA256withECDSA"
. "SHA384withECDSA"
. "SHA512withECDSA"
. "SHA3-224withECDSA"
. "SHA3-256withECDSA"
. "SHA3-384withECDSA"
. "SHA3-512withECDSA"
. "NONEwithECDSAinP1363Format"
. "SHA1withECDSAinP1363Format"
. "SHA224withECDSAinP1363Format"
. "SHA256withECDSAinP1363Format"
. "SHA384withECDSAinP1363Format"
. "SHA512withECDSAinP1363Format"
. "SHA3-224withECDSAinP1363Format"
. "SHA3-256withECDSAinP1363Format"
. "SHA3-384withECDSAinP1363Format"
. "SHA3-512withECDSAinP1363Format"
Since: 1.7
/**
* ECDSA signature implementation. This class currently supports the
* following algorithm names:
*
* . "NONEwithECDSA"
* . "SHA1withECDSA"
* . "SHA224withECDSA"
* . "SHA256withECDSA"
* . "SHA384withECDSA"
* . "SHA512withECDSA"
* . "SHA3-224withECDSA"
* . "SHA3-256withECDSA"
* . "SHA3-384withECDSA"
* . "SHA3-512withECDSA"
* . "NONEwithECDSAinP1363Format"
* . "SHA1withECDSAinP1363Format"
* . "SHA224withECDSAinP1363Format"
* . "SHA256withECDSAinP1363Format"
* . "SHA384withECDSAinP1363Format"
* . "SHA512withECDSAinP1363Format"
* . "SHA3-224withECDSAinP1363Format"
* . "SHA3-256withECDSAinP1363Format"
* . "SHA3-384withECDSAinP1363Format"
* . "SHA3-512withECDSAinP1363Format"
*
* @since 1.7
*/
abstract class ECDSASignature extends SignatureSpi {
// message digest implementation we use
private final MessageDigest messageDigest;
// supplied entropy
private SecureRandom random;
// flag indicating whether the digest has been reset
private boolean needsReset;
// private key, if initialized for signing
private ECPrivateKey privateKey;
// public key, if initialized for verifying
private ECPublicKey publicKey;
// signature parameters
private ECParameterSpec sigParams = null;
// The format. true for the IEEE P1363 format. false (default) for ASN.1
private final boolean p1363Format;
Constructs a new ECDSASignature.
Throws: - ProviderException – if the native ECC library is unavailable.
/**
* Constructs a new ECDSASignature.
*
* @exception ProviderException if the native ECC library is unavailable.
*/
ECDSASignature() {
this(false);
}
Constructs a new ECDSASignature that will use the specified signature format. p1363Format
should be true
to use the IEEE P1363 format. If p1363Format
is false
, the DER-encoded ASN.1 format will be used. This constructor is used by the RawECDSA subclasses. /**
* Constructs a new ECDSASignature that will use the specified
* signature format. {@code p1363Format} should be {@code true} to
* use the IEEE P1363 format. If {@code p1363Format} is {@code false},
* the DER-encoded ASN.1 format will be used. This constructor is
* used by the RawECDSA subclasses.
*/
ECDSASignature(boolean p1363Format) {
this.messageDigest = null;
this.p1363Format = p1363Format;
}
Constructs a new ECDSASignature. Used by subclasses.
/**
* Constructs a new ECDSASignature. Used by subclasses.
*/
ECDSASignature(String digestName) {
this(digestName, false);
}
Constructs a new ECDSASignature that will use the specified digest and signature format. p1363Format
should be true
to use the IEEE P1363 format. If p1363Format
is false
, the DER-encoded ASN.1 format will be used. This constructor is used by subclasses. /**
* Constructs a new ECDSASignature that will use the specified
* digest and signature format. {@code p1363Format} should be
* {@code true} to use the IEEE P1363 format. If {@code p1363Format}
* is {@code false}, the DER-encoded ASN.1 format will be used. This
* constructor is used by subclasses.
*/
ECDSASignature(String digestName, boolean p1363Format) {
try {
messageDigest = MessageDigest.getInstance(digestName);
} catch (NoSuchAlgorithmException e) {
throw new ProviderException(e);
}
this.needsReset = false;
this.p1363Format = p1363Format;
}
// Class for Raw ECDSA signatures.
static class RawECDSA extends ECDSASignature {
// the longest supported digest is 512 bits (SHA-512)
private static final int RAW_ECDSA_MAX = 64;
private final byte[] precomputedDigest;
private int offset = 0;
RawECDSA(boolean p1363Format) {
super(p1363Format);
precomputedDigest = new byte[RAW_ECDSA_MAX];
}
// Stores the precomputed message digest value.
@Override
protected void engineUpdate(byte b) throws SignatureException {
if (offset >= precomputedDigest.length) {
offset = RAW_ECDSA_MAX + 1;
return;
}
precomputedDigest[offset++] = b;
}
// Stores the precomputed message digest value.
@Override
protected void engineUpdate(byte[] b, int off, int len)
throws SignatureException {
if (offset >= precomputedDigest.length) {
offset = RAW_ECDSA_MAX + 1;
return;
}
System.arraycopy(b, off, precomputedDigest, offset, len);
offset += len;
}
// Stores the precomputed message digest value.
@Override
protected void engineUpdate(ByteBuffer byteBuffer) {
int len = byteBuffer.remaining();
if (len <= 0) {
return;
}
if (len >= precomputedDigest.length - offset) {
offset = RAW_ECDSA_MAX + 1;
return;
}
byteBuffer.get(precomputedDigest, offset, len);
offset += len;
}
@Override
protected void resetDigest() {
offset = 0;
}
// Returns the precomputed message digest value.
@Override
protected byte[] getDigestValue() throws SignatureException {
if (offset > RAW_ECDSA_MAX) {
throw new SignatureException("Message digest is too long");
}
byte[] result = new byte[offset];
System.arraycopy(precomputedDigest, 0, result, 0, offset);
offset = 0;
return result;
}
}
// Nested class for NONEwithECDSA signatures
public static final class Raw extends RawECDSA {
public Raw() {
super(false);
}
}
// Nested class for NONEwithECDSAinP1363Format signatures
public static final class RawinP1363Format extends RawECDSA {
public RawinP1363Format() {
super(true);
}
}
// Nested class for SHA1withECDSA signatures
public static final class SHA1 extends ECDSASignature {
public SHA1() {
super("SHA1");
}
}
// Nested class for SHA1withECDSAinP1363Format signatures
public static final class SHA1inP1363Format extends ECDSASignature {
public SHA1inP1363Format() {
super("SHA1", true);
}
}
// Nested class for SHA224withECDSA signatures
public static final class SHA224 extends ECDSASignature {
public SHA224() {
super("SHA-224");
}
}
// Nested class for SHA224withECDSAinP1363Format signatures
public static final class SHA224inP1363Format extends ECDSASignature {
public SHA224inP1363Format() {
super("SHA-224", true);
}
}
// Nested class for SHA256withECDSA signatures
public static final class SHA256 extends ECDSASignature {
public SHA256() {
super("SHA-256");
}
}
// Nested class for SHA256withECDSAinP1363Format signatures
public static final class SHA256inP1363Format extends ECDSASignature {
public SHA256inP1363Format() {
super("SHA-256", true);
}
}
// Nested class for SHA384withECDSA signatures
public static final class SHA384 extends ECDSASignature {
public SHA384() {
super("SHA-384");
}
}
// Nested class for SHA384withECDSAinP1363Format signatures
public static final class SHA384inP1363Format extends ECDSASignature {
public SHA384inP1363Format() {
super("SHA-384", true);
}
}
// Nested class for SHA512withECDSA signatures
public static final class SHA512 extends ECDSASignature {
public SHA512() {
super("SHA-512");
}
}
// Nested class for SHA512withECDSAinP1363Format signatures
public static final class SHA512inP1363Format extends ECDSASignature {
public SHA512inP1363Format() {
super("SHA-512", true);
}
}
// Nested class for SHA3_224withECDSA signatures
public static final class SHA3_224 extends ECDSASignature {
public SHA3_224() {
super("SHA3-224");
}
}
// Nested class for SHA3_224withECDSAinP1363Format signatures
public static final class SHA3_224inP1363Format extends ECDSASignature {
public SHA3_224inP1363Format() {
super("SHA3-224", true);
}
}
// Nested class for SHA3_256withECDSA signatures
public static final class SHA3_256 extends ECDSASignature {
public SHA3_256() {
super("SHA3-256");
}
}
// Nested class for SHA3_256withECDSAinP1363Format signatures
public static final class SHA3_256inP1363Format extends ECDSASignature {
public SHA3_256inP1363Format() {
super("SHA3-256", true);
}
}
// Nested class for SHA3_384withECDSA signatures
public static final class SHA3_384 extends ECDSASignature {
public SHA3_384() {
super("SHA3-384");
}
}
// Nested class for SHA3_384withECDSAinP1363Format signatures
public static final class SHA3_384inP1363Format extends ECDSASignature {
public SHA3_384inP1363Format() {
super("SHA3-384", true);
}
}
// Nested class for SHA3_512withECDSA signatures
public static final class SHA3_512 extends ECDSASignature {
public SHA3_512() {
super("SHA3-512");
}
}
// Nested class for SHA3_512withECDSAinP1363Format signatures
public static final class SHA3_512inP1363Format extends ECDSASignature {
public SHA3_512inP1363Format() {
super("SHA3-512", true);
}
}
// initialize for verification. See JCA doc
@Override
protected void engineInitVerify(PublicKey publicKey)
throws InvalidKeyException {
ECPublicKey key = (ECPublicKey) ECKeyFactory.toECKey(publicKey);
if (!isCompatible(this.sigParams, key.getParams())) {
throw new InvalidKeyException("Key params does not match signature params");
}
// Should check that the supplied key is appropriate for signature
// algorithm (e.g. P-256 for SHA256withECDSA)
this.publicKey = key;
this.privateKey = null;
resetDigest();
}
// initialize for signing. See JCA doc
@Override
protected void engineInitSign(PrivateKey privateKey)
throws InvalidKeyException {
engineInitSign(privateKey, null);
}
// initialize for signing. See JCA doc
@Override
protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
throws InvalidKeyException {
ECPrivateKey key = (ECPrivateKey) ECKeyFactory.toECKey(privateKey);
if (!isCompatible(this.sigParams, key.getParams())) {
throw new InvalidKeyException("Key params does not match signature params");
}
// Should check that the supplied key is appropriate for signature
// algorithm (e.g. P-256 for SHA256withECDSA)
this.privateKey = key;
this.publicKey = null;
this.random = random;
resetDigest();
}
Resets the message digest if needed.
/**
* Resets the message digest if needed.
*/
protected void resetDigest() {
if (needsReset) {
if (messageDigest != null) {
messageDigest.reset();
}
needsReset = false;
}
}
Returns the message digest value.
/**
* Returns the message digest value.
*/
protected byte[] getDigestValue() throws SignatureException {
needsReset = false;
return messageDigest.digest();
}
// update the signature with the plaintext data. See JCA doc
@Override
protected void engineUpdate(byte b) throws SignatureException {
messageDigest.update(b);
needsReset = true;
}
// update the signature with the plaintext data. See JCA doc
@Override
protected void engineUpdate(byte[] b, int off, int len)
throws SignatureException {
messageDigest.update(b, off, len);
needsReset = true;
}
// update the signature with the plaintext data. See JCA doc
@Override
protected void engineUpdate(ByteBuffer byteBuffer) {
int len = byteBuffer.remaining();
if (len <= 0) {
return;
}
messageDigest.update(byteBuffer);
needsReset = true;
}
private static boolean isCompatible(ECParameterSpec sigParams,
ECParameterSpec keyParams) {
if (sigParams == null) {
// no restriction on key param
return true;
}
return ECUtil.equals(sigParams, keyParams);
}
private byte[] signDigestImpl(ECDSAOperations ops, int seedBits,
byte[] digest, ECPrivateKey priv, SecureRandom random)
throws SignatureException {
byte[] seedBytes = new byte[(seedBits + 7) / 8];
byte[] s = priv instanceof ECPrivateKeyImpl
? ((ECPrivateKeyImpl)priv).getArrayS()
: ECUtil.sArray(priv.getS(), priv.getParams());
// Attempt to create the signature in a loop that uses new random input
// each time. The chance of failure is very small assuming the
// implementation derives the nonce using extra bits
int numAttempts = 128;
for (int i = 0; i < numAttempts; i++) {
random.nextBytes(seedBytes);
ECDSAOperations.Seed seed = new ECDSAOperations.Seed(seedBytes);
try {
return ops.signDigest(s, digest, seed);
} catch (IntermediateValueException ex) {
// try again in the next iteration
}
}
throw new SignatureException("Unable to produce signature after "
+ numAttempts + " attempts");
}
// sign the data and return the signature. See JCA doc
@Override
protected byte[] engineSign() throws SignatureException {
if (random == null) {
random = JCAUtil.getSecureRandom();
}
byte[] digest = getDigestValue();
ECParameterSpec params = privateKey.getParams();
// seed is the key size + 64 bits
int seedBits = params.getOrder().bitLength() + 64;
Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(params);
if (opsOpt.isEmpty()) {
throw new SignatureException("Curve not supported: " +
params.toString());
}
byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest, privateKey,
random);
if (p1363Format) {
return sig;
} else {
return ECUtil.encodeSignature(sig);
}
}
// verify the data and return the result. See JCA doc
@Override
protected boolean engineVerify(byte[] signature) throws SignatureException {
byte[] sig;
if (p1363Format) {
sig = signature;
} else {
sig = ECUtil.decodeSignature(signature);
}
byte[] digest = getDigestValue();
Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(publicKey.getParams());
if (opsOpt.isEmpty()) {
throw new SignatureException("Curve not supported: " +
publicKey.getParams().toString());
}
return opsOpt.get().verifySignedDigest(digest, sig, publicKey.getW());
}
// set parameter, not supported. See JCA doc
@Override
@Deprecated
protected void engineSetParameter(String param, Object value)
throws InvalidParameterException {
throw new UnsupportedOperationException("setParameter() not supported");
}
@Override
protected void engineSetParameter(AlgorithmParameterSpec params)
throws InvalidAlgorithmParameterException {
if (params != null && !(params instanceof ECParameterSpec)) {
throw new InvalidAlgorithmParameterException("No parameter accepted");
}
ECKey key = (this.privateKey == null? this.publicKey : this.privateKey);
if ((key != null) && !isCompatible((ECParameterSpec)params, key.getParams())) {
throw new InvalidAlgorithmParameterException
("Signature params does not match key params");
}
sigParams = (ECParameterSpec) params;
}
// get parameter, not supported. See JCA doc
@Override
@Deprecated
protected Object engineGetParameter(String param)
throws InvalidParameterException {
throw new UnsupportedOperationException("getParameter() not supported");
}
@Override
protected AlgorithmParameters engineGetParameters() {
if (sigParams == null) {
return null;
}
try {
AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
ap.init(sigParams);
return ap;
} catch (Exception e) {
// should never happen
throw new ProviderException("Error retrieving EC parameters", e);
}
}
}