-
DSA
-
debug: boolean
-
BLINDING_BITS: int
-
BLINDING_CONSTANT: BigInteger
-
params: DSAParams
-
presetP: BigInteger
-
presetQ: BigInteger
-
presetG: BigInteger
-
presetY: BigInteger
-
presetX: BigInteger
-
signingRandom: SecureRandom
-
md: MessageDigest
-
DSA(MessageDigest): void
-
checkKey(DSAParams, int, String): void
-
engineInitSign(PrivateKey): void
-
engineInitVerify(PublicKey): void
-
engineUpdate(byte): void
-
engineUpdate(byte[], int, int): void
-
engineUpdate(ByteBuffer): void
-
engineSign(): byte[]
-
engineVerify(byte[]): boolean
-
engineVerify(byte[], int, int): boolean
-
engineSetParameter(String, Object): void
-
engineSetParameter(AlgorithmParameterSpec): void
-
engineGetParameter(String): Object
-
engineGetParameters(): AlgorithmParameters
-
generateR(BigInteger, BigInteger, BigInteger, BigInteger): BigInteger
-
generateS(BigInteger, BigInteger, BigInteger, BigInteger): BigInteger
-
generateW(BigInteger, BigInteger, BigInteger, BigInteger): BigInteger
-
generateV(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger): BigInteger
-
generateK(BigInteger): BigInteger
-
getSigningRandom(): SecureRandom
-
toString(): String
-
SHA224withDSA
-
SHA256withDSA
-
SHA1withDSA
-
RawDSA
-
/*
* Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider;
import java.io.*;
import java.util.*;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.*;
import java.security.SecureRandom;
import java.security.interfaces.*;
import java.security.spec.*;
import sun.security.util.Debug;
import sun.security.util.DerValue;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.x509.AlgIdDSA;
import sun.security.jca.JCAUtil;
The Digital Signature Standard (using the Digital Signature
Algorithm), as described in fips186-3 of the National Instute of
Standards and Technology (NIST), using SHA digest algorithms
from FIPS180-3.
This file contains both the signature implementation for the
commonly used SHA1withDSA (DSS), SHA224withDSA, SHA256withDSA,
as well as RawDSA, used by TLS among others. RawDSA expects
the 20 byte SHA-1 digest as input via update rather than the
original data like other signature implementations.
Author: Benjamin Renaud See Also: Since: 1.1
/**
* The Digital Signature Standard (using the Digital Signature
* Algorithm), as described in fips186-3 of the National Instute of
* Standards and Technology (NIST), using SHA digest algorithms
* from FIPS180-3.
*
* This file contains both the signature implementation for the
* commonly used SHA1withDSA (DSS), SHA224withDSA, SHA256withDSA,
* as well as RawDSA, used by TLS among others. RawDSA expects
* the 20 byte SHA-1 digest as input via update rather than the
* original data like other signature implementations.
*
* @author Benjamin Renaud
*
* @since 1.1
*
* @see DSAPublicKey
* @see DSAPrivateKey
*/
abstract class DSA extends SignatureSpi {
/* Are we debugging? */
private static final boolean debug = false;
/* The number of bits used in exponent blinding */
private static final int BLINDING_BITS = 7;
/* The constant component of the exponent blinding value */
private static final BigInteger BLINDING_CONSTANT =
BigInteger.valueOf(1 << BLINDING_BITS);
/* The parameter object */
private DSAParams params;
/* algorithm parameters */
private BigInteger presetP, presetQ, presetG;
/* The public key, if any */
private BigInteger presetY;
/* The private key, if any */
private BigInteger presetX;
/* The RNG used to output a seed for generating k */
private SecureRandom signingRandom;
/* The message digest object used */
private final MessageDigest md;
Construct a blank DSA object. It must be
initialized before being usable for signing or verifying.
/**
* Construct a blank DSA object. It must be
* initialized before being usable for signing or verifying.
*/
DSA(MessageDigest md) {
super();
this.md = md;
}
private static void checkKey(DSAParams params, int digestLen, String mdAlgo)
throws InvalidKeyException {
// FIPS186-3 states in sec4.2 that a hash function which provides
// a lower security strength than the (L, N) pair ordinarily should
// not be used.
int valueN = params.getQ().bitLength();
if (valueN > digestLen) {
throw new InvalidKeyException("The security strength of " +
mdAlgo + " digest algorithm is not sufficient for this key size");
}
}
Initialize the DSA object with a DSA private key.
Params: - privateKey – the DSA private key
Throws: - InvalidKeyException – if the key is not a valid DSA private
key.
/**
* Initialize the DSA object with a DSA private key.
*
* @param privateKey the DSA private key
*
* @exception InvalidKeyException if the key is not a valid DSA private
* key.
*/
protected void engineInitSign(PrivateKey privateKey)
throws InvalidKeyException {
if (!(privateKey instanceof java.security.interfaces.DSAPrivateKey)) {
throw new InvalidKeyException("not a DSA private key: " +
privateKey);
}
java.security.interfaces.DSAPrivateKey priv =
(java.security.interfaces.DSAPrivateKey)privateKey;
// check for algorithm specific constraints before doing initialization
DSAParams params = priv.getParams();
if (params == null) {
throw new InvalidKeyException("DSA private key lacks parameters");
}
// check key size against hash output size for signing
// skip this check for verification to minimize impact on existing apps
if (md.getAlgorithm() != "NullDigest20") {
checkKey(params, md.getDigestLength()*8, md.getAlgorithm());
}
this.params = params;
this.presetX = priv.getX();
this.presetY = null;
this.presetP = params.getP();
this.presetQ = params.getQ();
this.presetG = params.getG();
this.md.reset();
}
Initialize the DSA object with a DSA public key.
Params: - publicKey – the DSA public key.
Throws: - InvalidKeyException – if the key is not a valid DSA public
key.
/**
* Initialize the DSA object with a DSA public key.
*
* @param publicKey the DSA public key.
*
* @exception InvalidKeyException if the key is not a valid DSA public
* key.
*/
protected void engineInitVerify(PublicKey publicKey)
throws InvalidKeyException {
if (!(publicKey instanceof java.security.interfaces.DSAPublicKey)) {
throw new InvalidKeyException("not a DSA public key: " +
publicKey);
}
java.security.interfaces.DSAPublicKey pub =
(java.security.interfaces.DSAPublicKey)publicKey;
// check for algorithm specific constraints before doing initialization
DSAParams params = pub.getParams();
if (params == null) {
throw new InvalidKeyException("DSA public key lacks parameters");
}
this.params = params;
this.presetY = pub.getY();
this.presetX = null;
this.presetP = params.getP();
this.presetQ = params.getQ();
this.presetG = params.getG();
this.md.reset();
}
Update a byte to be signed or verified.
/**
* Update a byte to be signed or verified.
*/
protected void engineUpdate(byte b) {
md.update(b);
}
Update an array of bytes to be signed or verified.
/**
* Update an array of bytes to be signed or verified.
*/
protected void engineUpdate(byte[] data, int off, int len) {
md.update(data, off, len);
}
protected void engineUpdate(ByteBuffer b) {
md.update(b);
}
Sign all the data thus far updated. The signature is formatted
according to the Canonical Encoding Rules, returned as a DER
sequence of Integer, r and s.
Throws: - SignatureException – if the signature object was not
properly initialized, or if another exception occurs.
See Also: - engineUpdate.engineUpdate
- engineVerify.engineVerify
Returns: a signature block formatted according to the Canonical
Encoding Rules.
/**
* Sign all the data thus far updated. The signature is formatted
* according to the Canonical Encoding Rules, returned as a DER
* sequence of Integer, r and s.
*
* @return a signature block formatted according to the Canonical
* Encoding Rules.
*
* @exception SignatureException if the signature object was not
* properly initialized, or if another exception occurs.
*
* @see sun.security.DSA#engineUpdate
* @see sun.security.DSA#engineVerify
*/
protected byte[] engineSign() throws SignatureException {
BigInteger k = generateK(presetQ);
BigInteger r = generateR(presetP, presetQ, presetG, k);
BigInteger s = generateS(presetX, presetQ, r, k);
try {
DerOutputStream outseq = new DerOutputStream(100);
outseq.putInteger(r);
outseq.putInteger(s);
DerValue result = new DerValue(DerValue.tag_Sequence,
outseq.toByteArray());
return result.toByteArray();
} catch (IOException e) {
throw new SignatureException("error encoding signature");
}
}
Verify all the data thus far updated.
Params: - signature – the alledged signature, encoded using the
Canonical Encoding Rules, as a sequence of integers, r and s.
Throws: - SignatureException – if the signature object was not
properly initialized, or if another exception occurs.
See Also: - engineUpdate.engineUpdate
- engineSign.engineSign
/**
* Verify all the data thus far updated.
*
* @param signature the alledged signature, encoded using the
* Canonical Encoding Rules, as a sequence of integers, r and s.
*
* @exception SignatureException if the signature object was not
* properly initialized, or if another exception occurs.
*
* @see sun.security.DSA#engineUpdate
* @see sun.security.DSA#engineSign
*/
protected boolean engineVerify(byte[] signature)
throws SignatureException {
return engineVerify(signature, 0, signature.length);
}
Verify all the data thus far updated.
Params: - signature – the alledged signature, encoded using the
Canonical Encoding Rules, as a sequence of integers, r and s.
- offset – the offset to start from in the array of bytes.
- length – the number of bytes to use, starting at offset.
Throws: - SignatureException – if the signature object was not
properly initialized, or if another exception occurs.
See Also: - engineUpdate.engineUpdate
- engineSign.engineSign
/**
* Verify all the data thus far updated.
*
* @param signature the alledged signature, encoded using the
* Canonical Encoding Rules, as a sequence of integers, r and s.
*
* @param offset the offset to start from in the array of bytes.
*
* @param length the number of bytes to use, starting at offset.
*
* @exception SignatureException if the signature object was not
* properly initialized, or if another exception occurs.
*
* @see sun.security.DSA#engineUpdate
* @see sun.security.DSA#engineSign
*/
protected boolean engineVerify(byte[] signature, int offset, int length)
throws SignatureException {
BigInteger r = null;
BigInteger s = null;
// first decode the signature.
try {
// Enforce strict DER checking for signatures
DerInputStream in =
new DerInputStream(signature, offset, length, false);
DerValue[] values = in.getSequence(2);
// check number of components in the read sequence
// and trailing data
if ((values.length != 2) || (in.available() != 0)) {
throw new IOException("Invalid encoding for signature");
}
r = values[0].getBigInteger();
s = values[1].getBigInteger();
} catch (IOException e) {
throw new SignatureException("Invalid encoding for signature", e);
}
// some implementations do not correctly encode values in the ASN.1
// 2's complement format. force r and s to be positive in order to
// to validate those signatures
if (r.signum() < 0) {
r = new BigInteger(1, r.toByteArray());
}
if (s.signum() < 0) {
s = new BigInteger(1, s.toByteArray());
}
if ((r.compareTo(presetQ) == -1) && (s.compareTo(presetQ) == -1)) {
BigInteger w = generateW(presetP, presetQ, presetG, s);
BigInteger v = generateV(presetY, presetP, presetQ, presetG, w, r);
return v.equals(r);
} else {
throw new SignatureException("invalid signature: out of range values");
}
}
@Deprecated
protected void engineSetParameter(String key, Object param) {
throw new InvalidParameterException("No parameter accepted");
}
@Override
protected void engineSetParameter(AlgorithmParameterSpec params)
throws InvalidAlgorithmParameterException {
if (params != null) {
throw new InvalidAlgorithmParameterException("No parameter accepted");
}
}
@Deprecated
protected Object engineGetParameter(String key) {
return null;
}
@Override
protected AlgorithmParameters engineGetParameters() {
return null;
}
private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g,
BigInteger k) {
// exponent blinding to hide information from timing channel
SecureRandom random = getSigningRandom();
// start with a random blinding component
BigInteger blindingValue = new BigInteger(BLINDING_BITS, random);
// add the fixed blinding component
blindingValue = blindingValue.add(BLINDING_CONSTANT);
// replace k with a blinded value that is congruent (mod q)
k = k.add(q.multiply(blindingValue));
BigInteger temp = g.modPow(k, p);
return temp.mod(q);
}
private BigInteger generateS(BigInteger x, BigInteger q,
BigInteger r, BigInteger k) throws SignatureException {
byte[] s2;
try {
s2 = md.digest();
} catch (RuntimeException re) {
// Only for RawDSA due to its 20-byte length restriction
throw new SignatureException(re.getMessage());
}
// get the leftmost min(N, outLen) bits of the digest value
int nBytes = q.bitLength()/8;
if (nBytes < s2.length) {
s2 = Arrays.copyOfRange(s2, 0, nBytes);
}
BigInteger z = new BigInteger(1, s2);
BigInteger k1 = k.modInverse(q);
return x.multiply(r).add(z).multiply(k1).mod(q);
}
private BigInteger generateW(BigInteger p, BigInteger q,
BigInteger g, BigInteger s) {
return s.modInverse(q);
}
private BigInteger generateV(BigInteger y, BigInteger p,
BigInteger q, BigInteger g, BigInteger w, BigInteger r)
throws SignatureException {
byte[] s2;
try {
s2 = md.digest();
} catch (RuntimeException re) {
// Only for RawDSA due to its 20-byte length restriction
throw new SignatureException(re.getMessage());
}
// get the leftmost min(N, outLen) bits of the digest value
int nBytes = q.bitLength()/8;
if (nBytes < s2.length) {
s2 = Arrays.copyOfRange(s2, 0, nBytes);
}
BigInteger z = new BigInteger(1, s2);
BigInteger u1 = z.multiply(w).mod(q);
BigInteger u2 = (r.multiply(w)).mod(q);
BigInteger t1 = g.modPow(u1,p);
BigInteger t2 = y.modPow(u2,p);
BigInteger t3 = t1.multiply(t2);
BigInteger t5 = t3.mod(p);
return t5.mod(q);
}
protected BigInteger generateK(BigInteger q) {
// Implementation defined in FIPS 186-4 AppendixB.2.1.
SecureRandom random = getSigningRandom();
byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
random.nextBytes(kValue);
return new BigInteger(1, kValue).mod(
q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
}
// Use the application-specified SecureRandom Object if provided.
// Otherwise, use our default SecureRandom Object.
protected SecureRandom getSigningRandom() {
if (signingRandom == null) {
if (appRandom != null) {
signingRandom = appRandom;
} else {
signingRandom = JCAUtil.getSecureRandom();
}
}
return signingRandom;
}
Return a human readable rendition of the engine.
/**
* Return a human readable rendition of the engine.
*/
public String toString() {
String printable = "DSA Signature";
if (presetP != null && presetQ != null && presetG != null) {
printable += "\n\tp: " + Debug.toHexString(presetP);
printable += "\n\tq: " + Debug.toHexString(presetQ);
printable += "\n\tg: " + Debug.toHexString(presetG);
} else {
printable += "\n\t P, Q or G not initialized.";
}
if (presetY != null) {
printable += "\n\ty: " + Debug.toHexString(presetY);
}
if (presetY == null && presetX == null) {
printable += "\n\tUNINIIALIZED";
}
return printable;
}
Standard SHA224withDSA implementation as defined in FIPS186-3.
/**
* Standard SHA224withDSA implementation as defined in FIPS186-3.
*/
public static final class SHA224withDSA extends DSA {
public SHA224withDSA() throws NoSuchAlgorithmException {
super(MessageDigest.getInstance("SHA-224"));
}
}
Standard SHA256withDSA implementation as defined in FIPS186-3.
/**
* Standard SHA256withDSA implementation as defined in FIPS186-3.
*/
public static final class SHA256withDSA extends DSA {
public SHA256withDSA() throws NoSuchAlgorithmException {
super(MessageDigest.getInstance("SHA-256"));
}
}
Standard SHA1withDSA implementation.
/**
* Standard SHA1withDSA implementation.
*/
public static final class SHA1withDSA extends DSA {
public SHA1withDSA() throws NoSuchAlgorithmException {
super(MessageDigest.getInstance("SHA-1"));
}
}
RawDSA implementation.
RawDSA requires the data to be exactly 20 bytes long. If it is
not, a SignatureException is thrown when sign()/verify() is called
per JCA spec.
/**
* RawDSA implementation.
*
* RawDSA requires the data to be exactly 20 bytes long. If it is
* not, a SignatureException is thrown when sign()/verify() is called
* per JCA spec.
*/
public static final class RawDSA extends DSA {
// Internal special-purpose MessageDigest impl for RawDSA
// Only override whatever methods used
// NOTE: no clone support
public static final class NullDigest20 extends MessageDigest {
// 20 byte digest buffer
private final byte[] digestBuffer = new byte[20];
// offset into the buffer; use Integer.MAX_VALUE to indicate
// out-of-bound condition
private int ofs = 0;
protected NullDigest20() {
super("NullDigest20");
}
protected void engineUpdate(byte input) {
if (ofs == digestBuffer.length) {
ofs = Integer.MAX_VALUE;
} else {
digestBuffer[ofs++] = input;
}
}
protected void engineUpdate(byte[] input, int offset, int len) {
if (len > (digestBuffer.length - ofs)) {
ofs = Integer.MAX_VALUE;
} else {
System.arraycopy(input, offset, digestBuffer, ofs, len);
ofs += len;
}
}
protected final void engineUpdate(ByteBuffer input) {
int inputLen = input.remaining();
if (inputLen > (digestBuffer.length - ofs)) {
ofs = Integer.MAX_VALUE;
} else {
input.get(digestBuffer, ofs, inputLen);
ofs += inputLen;
}
}
protected byte[] engineDigest() throws RuntimeException {
if (ofs != digestBuffer.length) {
throw new RuntimeException
("Data for RawDSA must be exactly 20 bytes long");
}
reset();
return digestBuffer;
}
protected int engineDigest(byte[] buf, int offset, int len)
throws DigestException {
if (ofs != digestBuffer.length) {
throw new DigestException
("Data for RawDSA must be exactly 20 bytes long");
}
if (len < digestBuffer.length) {
throw new DigestException
("Output buffer too small; must be at least 20 bytes");
}
System.arraycopy(digestBuffer, 0, buf, offset, digestBuffer.length);
reset();
return digestBuffer.length;
}
protected void engineReset() {
ofs = 0;
}
protected final int engineGetDigestLength() {
return digestBuffer.length;
}
}
public RawDSA() throws NoSuchAlgorithmException {
super(new NullDigest20());
}
}
}