/*
 * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.ec;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.math.BigInteger;

import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;

import sun.security.jca.JCAUtil;
import sun.security.util.*;
import static sun.security.ec.ECOperations.IntermediateValueException;

ECDSA signature implementation. This class currently supports the following algorithm names: . "NONEwithECDSA" . "SHA1withECDSA" . "SHA224withECDSA" . "SHA256withECDSA" . "SHA384withECDSA" . "SHA512withECDSA"
Since: 1.7
/** * ECDSA signature implementation. This class currently supports the * following algorithm names: * * . "NONEwithECDSA" * . "SHA1withECDSA" * . "SHA224withECDSA" * . "SHA256withECDSA" * . "SHA384withECDSA" * . "SHA512withECDSA" * * @since 1.7 */
abstract class ECDSASignature extends SignatureSpi { // message digest implementation we use private final MessageDigest messageDigest; // supplied entropy private SecureRandom random; // flag indicating whether the digest has been reset private boolean needsReset; // private key, if initialized for signing private ECPrivateKey privateKey; // public key, if initialized for verifying private ECPublicKey publicKey;
Constructs a new ECDSASignature. Used by Raw subclass.
Throws:
  • ProviderException – if the native ECC library is unavailable.
/** * Constructs a new ECDSASignature. Used by Raw subclass. * * @exception ProviderException if the native ECC library is unavailable. */
ECDSASignature() { messageDigest = null; }
Constructs a new ECDSASignature. Used by subclasses.
/** * Constructs a new ECDSASignature. Used by subclasses. */
ECDSASignature(String digestName) { try { messageDigest = MessageDigest.getInstance(digestName); } catch (NoSuchAlgorithmException e) { throw new ProviderException(e); } needsReset = false; } // Nested class for NONEwithECDSA signatures public static final class Raw extends ECDSASignature { // the longest supported digest is 512 bits (SHA-512) private static final int RAW_ECDSA_MAX = 64; private final byte[] precomputedDigest; private int offset = 0; public Raw() { precomputedDigest = new byte[RAW_ECDSA_MAX]; } // Stores the precomputed message digest value. @Override protected void engineUpdate(byte b) throws SignatureException { if (offset >= precomputedDigest.length) { offset = RAW_ECDSA_MAX + 1; return; } precomputedDigest[offset++] = b; } // Stores the precomputed message digest value. @Override protected void engineUpdate(byte[] b, int off, int len) throws SignatureException { if (offset >= precomputedDigest.length) { offset = RAW_ECDSA_MAX + 1; return; } System.arraycopy(b, off, precomputedDigest, offset, len); offset += len; } // Stores the precomputed message digest value. @Override protected void engineUpdate(ByteBuffer byteBuffer) { int len = byteBuffer.remaining(); if (len <= 0) { return; } if (offset + len >= precomputedDigest.length) { offset = RAW_ECDSA_MAX + 1; return; } byteBuffer.get(precomputedDigest, offset, len); offset += len; } @Override protected void resetDigest() { offset = 0; } // Returns the precomputed message digest value. @Override protected byte[] getDigestValue() throws SignatureException { if (offset > RAW_ECDSA_MAX) { throw new SignatureException("Message digest is too long"); } byte[] result = new byte[offset]; System.arraycopy(precomputedDigest, 0, result, 0, offset); offset = 0; return result; } } // Nested class for SHA1withECDSA signatures public static final class SHA1 extends ECDSASignature { public SHA1() { super("SHA1"); } } // Nested class for SHA224withECDSA signatures public static final class SHA224 extends ECDSASignature { public SHA224() { super("SHA-224"); } } // Nested class for SHA256withECDSA signatures public static final class SHA256 extends ECDSASignature { public SHA256() { super("SHA-256"); } } // Nested class for SHA384withECDSA signatures public static final class SHA384 extends ECDSASignature { public SHA384() { super("SHA-384"); } } // Nested class for SHA512withECDSA signatures public static final class SHA512 extends ECDSASignature { public SHA512() { super("SHA-512"); } } // initialize for verification. See JCA doc @Override protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException { this.publicKey = (ECPublicKey) ECKeyFactory.toECKey(publicKey); // Should check that the supplied key is appropriate for signature // algorithm (e.g. P-256 for SHA256withECDSA) this.privateKey = null; resetDigest(); } // initialize for signing. See JCA doc @Override protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException { engineInitSign(privateKey, null); } // initialize for signing. See JCA doc @Override protected void engineInitSign(PrivateKey privateKey, SecureRandom random) throws InvalidKeyException { this.privateKey = (ECPrivateKey) ECKeyFactory.toECKey(privateKey); // Should check that the supplied key is appropriate for signature // algorithm (e.g. P-256 for SHA256withECDSA) this.publicKey = null; this.random = random; resetDigest(); }
Resets the message digest if needed.
/** * Resets the message digest if needed. */
protected void resetDigest() { if (needsReset) { if (messageDigest != null) { messageDigest.reset(); } needsReset = false; } }
Returns the message digest value.
/** * Returns the message digest value. */
protected byte[] getDigestValue() throws SignatureException { needsReset = false; return messageDigest.digest(); } // update the signature with the plaintext data. See JCA doc @Override protected void engineUpdate(byte b) throws SignatureException { messageDigest.update(b); needsReset = true; } // update the signature with the plaintext data. See JCA doc @Override protected void engineUpdate(byte[] b, int off, int len) throws SignatureException { messageDigest.update(b, off, len); needsReset = true; } // update the signature with the plaintext data. See JCA doc @Override protected void engineUpdate(ByteBuffer byteBuffer) { int len = byteBuffer.remaining(); if (len <= 0) { return; } messageDigest.update(byteBuffer); needsReset = true; } private byte[] signDigestImpl(ECDSAOperations ops, int seedBits, byte[] digest, ECPrivateKeyImpl privImpl, SecureRandom random) throws SignatureException { byte[] seedBytes = new byte[(seedBits + 7) / 8]; byte[] s = privImpl.getArrayS(); // Attempt to create the signature in a loop that uses new random input // each time. The chance of failure is very small assuming the // implementation derives the nonce using extra bits int numAttempts = 128; for (int i = 0; i < numAttempts; i++) { random.nextBytes(seedBytes); ECDSAOperations.Seed seed = new ECDSAOperations.Seed(seedBytes); try { return ops.signDigest(s, digest, seed); } catch (IntermediateValueException ex) { // try again in the next iteration } } throw new SignatureException("Unable to produce signature after " + numAttempts + " attempts"); } private Optional<byte[]> signDigestImpl(ECPrivateKey privateKey, byte[] digest, SecureRandom random) throws SignatureException { if (! (privateKey instanceof ECPrivateKeyImpl)) { return Optional.empty(); } ECPrivateKeyImpl privImpl = (ECPrivateKeyImpl) privateKey; ECParameterSpec params = privateKey.getParams(); // seed is the key size + 64 bits int seedBits = params.getOrder().bitLength() + 64; Optional<ECDSAOperations> opsOpt = ECDSAOperations.forParameters(params); if (opsOpt.isEmpty()) { return Optional.empty(); } else { byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest, privImpl, random); return Optional.of(sig); } } private byte[] signDigestNative(ECPrivateKey privateKey, byte[] digest, SecureRandom random) throws SignatureException { byte[] s = privateKey.getS().toByteArray(); ECParameterSpec params = privateKey.getParams(); // DER OID byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params); int keySize = params.getCurve().getField().getFieldSize(); // seed is twice the key size (in bytes) plus 1 byte[] seed = new byte[(((keySize + 7) >> 3) + 1) * 2]; random.nextBytes(seed); // random bits needed for timing countermeasures int timingArgument = random.nextInt(); // values must be non-zero to enable countermeasures timingArgument |= 1; try { return signDigest(digest, s, encodedParams, seed, timingArgument); } catch (GeneralSecurityException e) { throw new SignatureException("Could not sign data", e); } } // sign the data and return the signature. See JCA doc @Override protected byte[] engineSign() throws SignatureException { if (random == null) { random = JCAUtil.getSecureRandom(); } byte[] digest = getDigestValue(); Optional<byte[]> sigOpt = signDigestImpl(privateKey, digest, random); byte[] sig; if (sigOpt.isPresent()) { sig = sigOpt.get(); } else { sig = signDigestNative(privateKey, digest, random); } return encodeSignature(sig); } // verify the data and return the result. See JCA doc @Override protected boolean engineVerify(byte[] signature) throws SignatureException { byte[] w; ECParameterSpec params = publicKey.getParams(); // DER OID byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params); if (publicKey instanceof ECPublicKeyImpl) { w = ((ECPublicKeyImpl) publicKey).getEncodedPublicValue(); } else { // instanceof ECPublicKey w = ECUtil.encodePoint(publicKey.getW(), params.getCurve()); } try { return verifySignedDigest( decodeSignature(signature), getDigestValue(), w, encodedParams); } catch (GeneralSecurityException e) { throw new SignatureException("Could not verify signature", e); } } // set parameter, not supported. See JCA doc @Override @Deprecated protected void engineSetParameter(String param, Object value) throws InvalidParameterException { throw new UnsupportedOperationException("setParameter() not supported"); } // get parameter, not supported. See JCA doc @Override @Deprecated protected Object engineGetParameter(String param) throws InvalidParameterException { throw new UnsupportedOperationException("getParameter() not supported"); } // Convert the concatenation of R and S into their DER encoding private byte[] encodeSignature(byte[] signature) throws SignatureException { try { int n = signature.length >> 1; byte[] bytes = new byte[n]; System.arraycopy(signature, 0, bytes, 0, n); BigInteger r = new BigInteger(1, bytes); System.arraycopy(signature, n, bytes, 0, n); BigInteger s = new BigInteger(1, bytes); DerOutputStream out = new DerOutputStream(signature.length + 10); out.putInteger(r); out.putInteger(s); DerValue result = new DerValue(DerValue.tag_Sequence, out.toByteArray()); return result.toByteArray(); } catch (Exception e) { throw new SignatureException("Could not encode signature", e); } } // Convert the DER encoding of R and S into a concatenation of R and S private byte[] decodeSignature(byte[] sig) throws SignatureException { try { // Enforce strict DER checking for signatures DerInputStream in = new DerInputStream(sig, 0, sig.length, false); DerValue[] values = in.getSequence(2); // check number of components in the read sequence // and trailing data if ((values.length != 2) || (in.available() != 0)) { throw new IOException("Invalid encoding for signature"); } BigInteger r = values[0].getPositiveBigInteger(); BigInteger s = values[1].getPositiveBigInteger(); // trim leading zeroes byte[] rBytes = trimZeroes(r.toByteArray()); byte[] sBytes = trimZeroes(s.toByteArray()); int k = Math.max(rBytes.length, sBytes.length); // r and s each occupy half the array byte[] result = new byte[k << 1]; System.arraycopy(rBytes, 0, result, k - rBytes.length, rBytes.length); System.arraycopy(sBytes, 0, result, result.length - sBytes.length, sBytes.length); return result; } catch (Exception e) { throw new SignatureException("Invalid encoding for signature", e); } } // trim leading (most significant) zeroes from the result private static byte[] trimZeroes(byte[] b) { int i = 0; while ((i < b.length - 1) && (b[i] == 0)) { i++; } if (i == 0) { return b; } byte[] t = new byte[b.length - i]; System.arraycopy(b, i, t, 0, t.length); return t; }
Signs the digest using the private key.
Params:
  • digest – the digest to be signed.
  • s – the private key's S value.
  • encodedParams – the curve's DER encoded object identifier.
  • seed – the random seed.
  • timing – When non-zero, the implmentation will use timing countermeasures to hide secrets from timing channels. The EC implementation will disable the countermeasures when this value is zero, because the underlying EC functions are shared by several crypto operations, some of which do not use the countermeasures. The high-order 31 bits must be uniformly random. The entropy from these bits is used by the countermeasures.
Returns:byte[] the signature.
/** * Signs the digest using the private key. * * @param digest the digest to be signed. * @param s the private key's S value. * @param encodedParams the curve's DER encoded object identifier. * @param seed the random seed. * @param timing When non-zero, the implmentation will use timing * countermeasures to hide secrets from timing channels. The EC * implementation will disable the countermeasures when this value is * zero, because the underlying EC functions are shared by several * crypto operations, some of which do not use the countermeasures. * The high-order 31 bits must be uniformly random. The entropy from * these bits is used by the countermeasures. * * @return byte[] the signature. */
private static native byte[] signDigest(byte[] digest, byte[] s, byte[] encodedParams, byte[] seed, int timing) throws GeneralSecurityException;
Verifies the signed digest using the public key.
Params:
  • signature – the signature to be verified. It is encoded as a concatenation of the key's R and S values.
  • digest – the digest to be used.
  • w – the public key's W point (in uncompressed form).
  • encodedParams – the curve's DER encoded object identifier.
Returns:boolean true if the signature is successfully verified.
/** * Verifies the signed digest using the public key. * * @param signature the signature to be verified. It is encoded * as a concatenation of the key's R and S values. * @param digest the digest to be used. * @param w the public key's W point (in uncompressed form). * @param encodedParams the curve's DER encoded object identifier. * * @return boolean true if the signature is successfully verified. */
private static native boolean verifySignedDigest(byte[] signature, byte[] digest, byte[] w, byte[] encodedParams) throws GeneralSecurityException; }