libjava/classpath/gnu/java/security/sig/rsa/EME_PKCS1_V1_5.java

   1 /* EME_PKCS1_V1_5.java --
   2    Copyright (C) 2003, 2006 Free Software Foundation, Inc.
   3
   4 This file is a part of GNU Classpath.
   5
   6 GNU Classpath is free software; you can redistribute it and/or modify
   7 it under the terms of the GNU General Public License as published by
   8 the Free Software Foundation; either version 2 of the License, or (at
   9 your option) any later version.
  10
  11 GNU Classpath is distributed in the hope that it will be useful, but
  12 WITHOUT ANY WARRANTY; without even the implied warranty of
  13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 General Public License for more details.
  15
  16 You should have received a copy of the GNU General Public License
  17 along with GNU Classpath; if not, write to the Free Software
  18 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
  19 USA
  20
  21 Linking this library statically or dynamically with other modules is
  22 making a combined work based on this library.  Thus, the terms and
  23 conditions of the GNU General Public License cover the whole
  24 combination.
  25
  26 As a special exception, the copyright holders of this library give you
  27 permission to link this library with independent modules to produce an
  28 executable, regardless of the license terms of these independent
  29 modules, and to copy and distribute the resulting executable under
  30 terms of your choice, provided that you also meet, for each linked
  31 independent module, the terms and conditions of the license of that
  32 module.  An independent module is a module which is not derived from
  33 or based on this library.  If you modify this library, you may extend
  34 this exception to your version of the library, but you are not
  35 obligated to do so.  If you do not wish to do so, delete this
  36 exception statement from your version.  */
  37
  38
  39 package gnu.java.security.sig.rsa;
  40
  41 import gnu.java.security.prng.IRandom;
  42 import gnu.java.security.prng.LimitReachedException;
  43 import gnu.java.security.util.PRNG;
  44
  45 import java.io.ByteArrayOutputStream;
  46 import java.security.interfaces.RSAKey;
  47 import java.util.Random;
  48
  49 /**
  50  * <p>An implementation of the EME-PKCS1-V1.5 encoding and decoding methods.</p>
  51  *
  52  * <p>EME-PKCS1-V1.5 is parameterised by the entity <code>k</code> which is the
  53  * byte count of an RSA public shared modulus.</p>
  54  *
  55  * <p>References:</p>
  56  * <ol>
  57  *    <li><a href="http://www.ietf.org/rfc/rfc3447.txt">Public-Key Cryptography
  58  *    Standards (PKCS) #1:</a><br>
  59  *    RSA Cryptography Specifications Version 2.1.<br>
  60  *    Jakob Jonsson and Burt Kaliski.</li>
  61  * </ol>
  62  */
  63 public class EME_PKCS1_V1_5
  64 {
  65
  66   // Constants and variables
  67   // -------------------------------------------------------------------------
  68
  69   private int k;
  70
  71   private ByteArrayOutputStream baos = new ByteArrayOutputStream();
  72
  73   /** Our default source of randomness. */
  74   private PRNG prng = PRNG.getInstance();
  75
  76   // Constructor(s)
  77   // -------------------------------------------------------------------------
  78
  79   private EME_PKCS1_V1_5(final int k)
  80   {
  81     super();
  82
  83     this.k = k;
  84   }
  85
  86   // Class methods
  87   // -------------------------------------------------------------------------
  88
  89   public static final EME_PKCS1_V1_5 getInstance(final int k)
  90   {
  91     if (k < 0)
  92       {
  93         throw new IllegalArgumentException("k must be a positive integer");
  94       }
  95     return new EME_PKCS1_V1_5(k);
  96   }
  97
  98   public static final EME_PKCS1_V1_5 getInstance(final RSAKey key)
  99   {
 100     final int modBits = key.getModulus().bitLength();
 101     final int k = (modBits + 7) / 8;
 102     return EME_PKCS1_V1_5.getInstance(k);
 103   }
 104
 105   // Instance methods
 106   // -------------------------------------------------------------------------
 107
 108   /**
 109    * <p>Generates an octet string <code>PS</code> of length <code>k - mLen -
 110    * 3</code> consisting of pseudo-randomly generated nonzero octets. The
 111    * length of <code>PS</code> will be at least eight octets.</p>
 112    *
 113    * <p>The method then concatenates <code>PS</code>, the message <code>M</code>,
 114    * and other padding to form an encoded message <code>EM</code> of length
 115    * <code>k</code> octets as:</p>
 116    *
 117    * <pre>
 118    *    EM = 0x00 || 0x02 || PS || 0x00 || M.
 119    * </pre>
 120    *
 121    * <p>This method uses a default PRNG to obtain the padding bytes.</p>
 122    *
 123    * @param M the message to encode.
 124    * @return the encoded message <code>EM</code>.
 125    */
 126   public byte[] encode(final byte[] M)
 127   {
 128     // a. Generate an octet string PS of length k - mLen - 3 consisting
 129     //    of pseudo-randomly generated nonzero octets.  The length of PS
 130     //    will be at least eight octets.
 131     final byte[] PS = new byte[k - M.length - 3];
 132
 133     // FIXME. This should be configurable, somehow.
 134     prng.nextBytes(PS);
 135     int i = 0;
 136     for (; i < PS.length; i++)
 137       {
 138         if (PS[i] == 0)
 139           PS[i] = 1;
 140       }
 141     // b. Concatenate PS, the message M, and other padding to form an
 142     //    encoded message EM of length k octets as
 143     //
 144     //    EM = 0x00 || 0x02 || PS || 0x00 || M.
 145     return assembleEM(PS, M);
 146   }
 147
 148   /**
 149    * <p>Similar to {@link #encode(byte[])} method, except that the source of
 150    * randomness to use for obtaining the padding bytes (an instance of
 151    * {@link IRandom}) is given as a parameter.</p>
 152    *
 153    * @param M the message to encode.
 154    * @param irnd the {@link IRandom} instance to use as a source of randomness.
 155    * @return the encoded message <code>EM</code>.
 156    */
 157   public byte[] encode(final byte[] M, final IRandom irnd)
 158   {
 159     final byte[] PS = new byte[k - M.length - 3];
 160     try
 161       {
 162         irnd.nextBytes(PS, 0, PS.length);
 163         int i = 0;
 164         outer: while (true)
 165           {
 166             for (; i < PS.length; i++)
 167               {
 168                 if (PS[i] == 0x00)
 169                   {
 170                     System.arraycopy(PS, i + 1, PS, i, PS.length - i - 1);
 171                     irnd.nextBytes(PS, PS.length - 1, 1);
 172                     continue outer;
 173                   }
 174               }
 175             break;
 176           }
 177       }
 178     catch (IllegalStateException x)
 179       {
 180         throw new RuntimeException("encode(): " + String.valueOf(x));
 181       }
 182     catch (LimitReachedException x)
 183       {
 184         throw new RuntimeException("encode(): " + String.valueOf(x));
 185       }
 186
 187     return assembleEM(PS, M);
 188   }
 189
 190   /**
 191    * <p>Similar to the {@link #encode(byte[], IRandom)} method, except that
 192    * the source of randmoness is an instance of {@link Random}.
 193    *
 194    * @param M the message to encode.
 195    * @param rnd the {@link Random} instance to use as a source of randomness.
 196    * @return the encoded message <code>EM</code>.
 197    */
 198   public byte[] encode(final byte[] M, final Random rnd)
 199   {
 200     final byte[] PS = new byte[k - M.length - 3];
 201     rnd.nextBytes(PS);
 202     int i = 0;
 203     outer: while (true)
 204       {
 205         for (; i < PS.length; i++)
 206           {
 207             if (PS[i] == 0x00)
 208               {
 209                 System.arraycopy(PS, i + 1, PS, i, PS.length - i - 1);
 210                 PS[PS.length - 1] = (byte) rnd.nextInt();
 211                 continue outer;
 212               }
 213           }
 214         break;
 215       }
 216
 217     return assembleEM(PS, M);
 218   }
 219
 220   /**
 221    * <p>Separate the encoded message <code>EM</code> into an octet string
 222    * <code>PS</code> consisting of nonzero octets and a message <code>M</code>
 223    * as:</p>
 224    *
 225    * <pre>
 226    *    EM = 0x00 || 0x02 || PS || 0x00 || M.
 227    * </pre>
 228    *
 229    * <p>If the first octet of <code>EM</code> does not have hexadecimal value
 230    * <code>0x00</code>, if the second octet of <code>EM</code> does not have
 231    * hexadecimal value <code>0x02</code>, if there is no octet with hexadecimal
 232    * value <code>0x00</code> to separate <code>PS</code> from <code>M</code>,
 233    * or if the length of <code>PS</code> is less than <code>8</code> octets,
 234    * output "decryption error" and stop.</p>
 235
 236    * @param EM the designated encoded message.
 237    * @return the decoded message <code>M</code> framed in the designated
 238    * <code>EM</code> value.
 239    * @throws IllegalArgumentException if the length of the designated entity
 240    * <code>EM</code> is different than <code>k</code> (the length in bytes of
 241    * the public shared modulus), or if any of the conditions described above
 242    * is detected.
 243    */
 244   public byte[] decode(final byte[] EM)
 245   {
 246     // Separate the encoded message EM into an
 247     // octet string PS consisting of nonzero octets and a message M as
 248     //
 249     // EM = 0x00 || 0x02 || PS || 0x00 || M.
 250     //
 251     // If the first octet of EM does not have hexadecimal value 0x00, if
 252     // the second octet of EM does not have hexadecimal value 0x02, if
 253     // there is no octet with hexadecimal value 0x00 to separate PS from
 254     // M, or if the length of PS is less than 8 octets, output
 255     // "decryption error" and stop.  (See the note below.)
 256     final int emLen = EM.length;
 257     if (emLen != k)
 258       {
 259         throw new IllegalArgumentException("decryption error");
 260       }
 261     if (EM[0] != 0x00)
 262       {
 263         throw new IllegalArgumentException("decryption error");
 264       }
 265     if (EM[1] != 0x02)
 266       {
 267         throw new IllegalArgumentException("decryption error");
 268       }
 269     int i = 2;
 270     for (; i < emLen; i++)
 271       {
 272         if (EM[i] == 0x00)
 273           {
 274             break;
 275           }
 276       }
 277     if (i >= emLen || i < 11)
 278       {
 279         throw new IllegalArgumentException("decryption error");
 280       }
 281     i++;
 282     final byte[] result = new byte[emLen - i];
 283     System.arraycopy(EM, i, result, 0, result.length);
 284     return result;
 285   }
 286
 287   // helper methods ----------------------------------------------------------
 288
 289   private byte[] assembleEM(final byte[] PS, final byte[] M)
 290   {
 291     // b. Concatenate PS, the message M, and other padding to form an
 292     //    encoded message EM of length k octets as
 293     //
 294     //    EM = 0x00 || 0x02 || PS || 0x00 || M.
 295     baos.reset();
 296     baos.write(0x00);
 297     baos.write(0x02);
 298     baos.write(PS, 0, PS.length);
 299     baos.write(0x00);
 300     baos.write(M, 0, M.length);
 301     final byte[] result = baos.toByteArray();
 302     baos.reset();
 303
 304     return result;
 305   }
 306 }