libjava/classpath/gnu/java/security/sig/rsa/RSAPKCS1V1_5Signature.java

   1 /* RSAPKCS1V1_5Signature.java --
   2    Copyright (C) 2001, 2002, 2003, 2006 Free Software Foundation, Inc.
   3
   4 This file is a part of GNU Classpath.
   5
   6 GNU Classpath is free software; you can redistribute it and/or modify
   7 it under the terms of the GNU General Public License as published by
   8 the Free Software Foundation; either version 2 of the License, or (at
   9 your option) any later version.
  10
  11 GNU Classpath is distributed in the hope that it will be useful, but
  12 WITHOUT ANY WARRANTY; without even the implied warranty of
  13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 General Public License for more details.
  15
  16 You should have received a copy of the GNU General Public License
  17 along with GNU Classpath; if not, write to the Free Software
  18 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
  19 USA
  20
  21 Linking this library statically or dynamically with other modules is
  22 making a combined work based on this library.  Thus, the terms and
  23 conditions of the GNU General Public License cover the whole
  24 combination.
  25
  26 As a special exception, the copyright holders of this library give you
  27 permission to link this library with independent modules to produce an
  28 executable, regardless of the license terms of these independent
  29 modules, and to copy and distribute the resulting executable under
  30 terms of your choice, provided that you also meet, for each linked
  31 independent module, the terms and conditions of the license of that
  32 module.  An independent module is a module which is not derived from
  33 or based on this library.  If you modify this library, you may extend
  34 this exception to your version of the library, but you are not
  35 obligated to do so.  If you do not wish to do so, delete this
  36 exception statement from your version.  */
  37
  38
  39 package gnu.java.security.sig.rsa;
  40
  41 import gnu.java.security.Registry;
  42 import gnu.java.security.hash.HashFactory;
  43 import gnu.java.security.hash.IMessageDigest;
  44 import gnu.java.security.sig.BaseSignature;
  45
  46 import java.math.BigInteger;
  47 import java.security.PrivateKey;
  48 import java.security.PublicKey;
  49 import java.security.interfaces.RSAPrivateKey;
  50 import java.security.interfaces.RSAPublicKey;
  51 import java.util.Arrays;
  52
  53 /**
  54  * <p>The RSA-PKCS1-V1.5 signature scheme is a digital signature scheme with
  55  * appendix (SSA) combining the RSA algorithm with the EMSA-PKCS1-v1_5 encoding
  56  * method.</p>
  57  *
  58  * <p>References:</p>
  59  * <ol>
  60  *    <li><a href="http://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/rsa-pss.zip">
  61  *    RSA-PSS Signature Scheme with Appendix, part B.</a><br>
  62  *    Primitive specification and supporting documentation.<br>
  63  *    Jakob Jonsson and Burt Kaliski.</li>
  64  *
  65  *    <li><a href="http://www.ietf.org/rfc/rfc3447.txt">Public-Key Cryptography
  66  *    Standards (PKCS) #1:</a><br>
  67  *    RSA Cryptography Specifications Version 2.1.<br>
  68  *    Jakob Jonsson and Burt Kaliski.</li>
  69  * </ol>
  70  *
  71  * @version $Revision: 1.2 $
  72  */
  73 public class RSAPKCS1V1_5Signature extends BaseSignature
  74 {
  75
  76   // Constants and variables
  77   // -------------------------------------------------------------------------
  78
  79   /** The underlying EMSA-PKCS1-v1.5 instance for this object. */
  80   private EMSA_PKCS1_V1_5 pkcs1;
  81
  82   // Constructor(s)
  83   // -------------------------------------------------------------------------
  84
  85   /**
  86    * Default 0-arguments constructor. Uses SHA-1 as the default hash.
  87    */
  88   public RSAPKCS1V1_5Signature()
  89   {
  90     this(Registry.SHA160_HASH);
  91   }
  92
  93   /**
  94    * <p>Constructs an instance of this object using the designated message
  95    * digest algorithm as its underlying hash function.</p>
  96    *
  97    * @param mdName the canonical name of the underlying hash function.
  98    */
  99   public RSAPKCS1V1_5Signature(final String mdName)
 100   {
 101     this(HashFactory.getInstance(mdName));
 102   }
 103
 104   public RSAPKCS1V1_5Signature(IMessageDigest md)
 105   {
 106     super(Registry.RSA_PKCS1_V1_5_SIG, md);
 107
 108     pkcs1 = EMSA_PKCS1_V1_5.getInstance(md.name());
 109   }
 110
 111   /** Private constructor for cloning purposes. */
 112   private RSAPKCS1V1_5Signature(final RSAPKCS1V1_5Signature that)
 113   {
 114     this(that.md.name());
 115
 116     this.publicKey = that.publicKey;
 117     this.privateKey = that.privateKey;
 118     this.md = (IMessageDigest) that.md.clone();
 119     this.pkcs1 = (EMSA_PKCS1_V1_5) that.pkcs1.clone();
 120   }
 121
 122   // Class methods
 123   // -------------------------------------------------------------------------
 124
 125   // Instance methods
 126   // -------------------------------------------------------------------------
 127
 128   // Implementation of abstract methods in superclass ------------------------
 129
 130   public Object clone()
 131   {
 132     return new RSAPKCS1V1_5Signature(this);
 133   }
 134
 135   protected void setupForVerification(final PublicKey k)
 136       throws IllegalArgumentException
 137   {
 138     if (!(k instanceof RSAPublicKey))
 139       {
 140         throw new IllegalArgumentException();
 141       }
 142     publicKey = k;
 143   }
 144
 145   protected void setupForSigning(final PrivateKey k)
 146       throws IllegalArgumentException
 147   {
 148     if (!(k instanceof RSAPrivateKey))
 149       {
 150         throw new IllegalArgumentException();
 151       }
 152     privateKey = k;
 153   }
 154
 155   protected Object generateSignature() throws IllegalStateException
 156   {
 157     // 1. EMSA-PKCS1-v1_5 encoding: Apply the EMSA-PKCS1-v1_5 encoding
 158     //    operation (Section 9.2) to the message M to produce an encoded
 159     //    message EM of length k octets:
 160     //
 161     //    EM = EMSA-PKCS1-V1_5-ENCODE (M, k).
 162     //
 163     //    If the encoding operation outputs "message too long," output
 164     //    "message too long" and stop.  If the encoding operation outputs
 165     //    "intended encoded message length too short," output "RSA modulus
 166     //    too short" and stop.
 167     final int modBits = ((RSAPrivateKey) privateKey).getModulus().bitLength();
 168     final int k = (modBits + 7) / 8;
 169     final byte[] EM = pkcs1.encode(md.digest(), k);
 170
 171     // 2. RSA signature:
 172     //    a. Convert the encoded message EM to an integer message epresentative
 173     //       m (see Section 4.2):  m = OS2IP (EM).
 174     final BigInteger m = new BigInteger(1, EM);
 175     //    b. Apply the RSASP1 signature primitive (Section 5.2.1) to the RSA
 176     //       private key K and the message representative m to produce an
 177     //       integer signature representative s:  s = RSASP1 (K, m).
 178     final BigInteger s = RSA.sign(privateKey, m);
 179     //    c. Convert the signature representative s to a signature S of length
 180     //       k octets (see Section 4.1):  S = I2OSP (s, k).
 181     // 3. Output the signature S.
 182     return RSA.I2OSP(s, k);
 183   }
 184
 185   protected boolean verifySignature(final Object sig)
 186       throws IllegalStateException
 187   {
 188     if (publicKey == null)
 189       {
 190         throw new IllegalStateException();
 191       }
 192     final byte[] S = (byte[]) sig;
 193     // 1. Length checking: If the length of the signature S is not k octets,
 194     //    output "invalid signature" and stop.
 195     final int modBits = ((RSAPublicKey) publicKey).getModulus().bitLength();
 196     final int k = (modBits + 7) / 8;
 197     if (S.length != k)
 198       {
 199         return false;
 200       }
 201     // 2. RSA verification:
 202     //    a. Convert the signature S to an integer signature representative
 203     //       s (see Section 4.2): s = OS2IP (S).
 204     final BigInteger s = new BigInteger(1, S);
 205     //    b. Apply the RSAVP1 verification primitive (Section 5.2.2) to the
 206     //       RSA public key (n, e) and the signature representative s to
 207     //       produce an integer message representative m:
 208     //          m = RSAVP1 ((n, e), s).
 209     //       If RSAVP1 outputs "signature representative out of range,"
 210     //       output "invalid signature" and stop.
 211     final BigInteger m;
 212     try
 213       {
 214         m = RSA.verify(publicKey, s);
 215       }
 216     catch (IllegalArgumentException x)
 217       {
 218         return false;
 219       }
 220     //    c. Convert the message representative m to an encoded message EM
 221     //       of length k octets (see Section 4.1): EM = I2OSP (m, k).
 222     //       If I2OSP outputs "integer too large," output "invalid signature"
 223     //       and stop.
 224     final byte[] EM;
 225     try
 226       {
 227         EM = RSA.I2OSP(m, k);
 228       }
 229     catch (IllegalArgumentException x)
 230       {
 231         return false;
 232       }
 233     // 3. EMSA-PKCS1-v1_5 encoding: Apply the EMSA-PKCS1-v1_5 encoding
 234     //    operation (Section 9.2) to the message M to produce a second
 235     //    encoded message EM' of length k octets:
 236     //       EM' = EMSA-PKCS1-V1_5-ENCODE (M, k).
 237     //    If the encoding operation outputs "message too long," output
 238     //    "message too long" and stop.  If the encoding operation outputs
 239     //    "intended encoded message length too short," output "RSA modulus
 240     //    too short" and stop.
 241     final byte[] EMp = pkcs1.encode(md.digest(), k);
 242     // 4. Compare the encoded message EM and the second encoded message EM'.
 243     //    If they are the same, output "valid signature"; otherwise, output
 244     //    "invalid signature."
 245     return Arrays.equals(EM, EMp);
 246   }
 247 }