diff options
Diffstat (limited to 'libraries/spongycastle/core/src/main/java/org/spongycastle/crypto/signers/PSSSigner.java')
-rw-r--r-- | libraries/spongycastle/core/src/main/java/org/spongycastle/crypto/signers/PSSSigner.java | 348 |
1 files changed, 0 insertions, 348 deletions
diff --git a/libraries/spongycastle/core/src/main/java/org/spongycastle/crypto/signers/PSSSigner.java b/libraries/spongycastle/core/src/main/java/org/spongycastle/crypto/signers/PSSSigner.java deleted file mode 100644 index 3fb8bf50b..000000000 --- a/libraries/spongycastle/core/src/main/java/org/spongycastle/crypto/signers/PSSSigner.java +++ /dev/null @@ -1,348 +0,0 @@ -package org.spongycastle.crypto.signers; - -import java.security.SecureRandom; - -import org.spongycastle.crypto.AsymmetricBlockCipher; -import org.spongycastle.crypto.CipherParameters; -import org.spongycastle.crypto.CryptoException; -import org.spongycastle.crypto.DataLengthException; -import org.spongycastle.crypto.Digest; -import org.spongycastle.crypto.Signer; -import org.spongycastle.crypto.params.ParametersWithRandom; -import org.spongycastle.crypto.params.RSABlindingParameters; -import org.spongycastle.crypto.params.RSAKeyParameters; - -/** - * RSA-PSS as described in PKCS# 1 v 2.1. - * <p> - * Note: the usual value for the salt length is the number of - * bytes in the hash function. - */ -public class PSSSigner - implements Signer -{ - static final public byte TRAILER_IMPLICIT = (byte)0xBC; - - private Digest contentDigest; - private Digest mgfDigest; - private AsymmetricBlockCipher cipher; - private SecureRandom random; - - private int hLen; - private int mgfhLen; - private int sLen; - private int emBits; - private byte[] salt; - private byte[] mDash; - private byte[] block; - private byte trailer; - - /** - * basic constructor - * - * @param cipher the asymmetric cipher to use. - * @param digest the digest to use. - * @param sLen the length of the salt to use (in bytes). - */ - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest digest, - int sLen) - { - this(cipher, digest, sLen, TRAILER_IMPLICIT); - } - - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest contentDigest, - Digest mgfDigest, - int sLen) - { - this(cipher, contentDigest, mgfDigest, sLen, TRAILER_IMPLICIT); - } - - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest digest, - int sLen, - byte trailer) - { - this(cipher, digest, digest, sLen, trailer); - } - - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest contentDigest, - Digest mgfDigest, - int sLen, - byte trailer) - { - this.cipher = cipher; - this.contentDigest = contentDigest; - this.mgfDigest = mgfDigest; - this.hLen = contentDigest.getDigestSize(); - this.mgfhLen = mgfDigest.getDigestSize(); - this.sLen = sLen; - this.salt = new byte[sLen]; - this.mDash = new byte[8 + sLen + hLen]; - this.trailer = trailer; - } - - public void init( - boolean forSigning, - CipherParameters param) - { - CipherParameters params; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - params = p.getParameters(); - random = p.getRandom(); - } - else - { - params = param; - if (forSigning) - { - random = new SecureRandom(); - } - } - - cipher.init(forSigning, params); - - RSAKeyParameters kParam; - - if (params instanceof RSABlindingParameters) - { - kParam = ((RSABlindingParameters)params).getPublicKey(); - } - else - { - kParam = (RSAKeyParameters)params; - } - - emBits = kParam.getModulus().bitLength() - 1; - - if (emBits < (8 * hLen + 8 * sLen + 9)) - { - throw new IllegalArgumentException("key too small for specified hash and salt lengths"); - } - - block = new byte[(emBits + 7) / 8]; - - reset(); - } - - /** - * clear possible sensitive data - */ - private void clearBlock( - byte[] block) - { - for (int i = 0; i != block.length; i++) - { - block[i] = 0; - } - } - - /** - * update the internal digest with the byte b - */ - public void update( - byte b) - { - contentDigest.update(b); - } - - /** - * update the internal digest with the byte array in - */ - public void update( - byte[] in, - int off, - int len) - { - contentDigest.update(in, off, len); - } - - /** - * reset the internal state - */ - public void reset() - { - contentDigest.reset(); - } - - /** - * generate a signature for the message we've been loaded with using - * the key we were initialised with. - */ - public byte[] generateSignature() - throws CryptoException, DataLengthException - { - contentDigest.doFinal(mDash, mDash.length - hLen - sLen); - - if (sLen != 0) - { - random.nextBytes(salt); - - System.arraycopy(salt, 0, mDash, mDash.length - sLen, sLen); - } - - byte[] h = new byte[hLen]; - - contentDigest.update(mDash, 0, mDash.length); - - contentDigest.doFinal(h, 0); - - block[block.length - sLen - 1 - hLen - 1] = 0x01; - System.arraycopy(salt, 0, block, block.length - sLen - hLen - 1, sLen); - - byte[] dbMask = maskGeneratorFunction1(h, 0, h.length, block.length - hLen - 1); - for (int i = 0; i != dbMask.length; i++) - { - block[i] ^= dbMask[i]; - } - - block[0] &= (0xff >> ((block.length * 8) - emBits)); - - System.arraycopy(h, 0, block, block.length - hLen - 1, hLen); - - block[block.length - 1] = trailer; - - byte[] b = cipher.processBlock(block, 0, block.length); - - clearBlock(block); - - return b; - } - - /** - * return true if the internal state represents the signature described - * in the passed in array. - */ - public boolean verifySignature( - byte[] signature) - { - contentDigest.doFinal(mDash, mDash.length - hLen - sLen); - - try - { - byte[] b = cipher.processBlock(signature, 0, signature.length); - System.arraycopy(b, 0, block, block.length - b.length, b.length); - } - catch (Exception e) - { - return false; - } - - if (block[block.length - 1] != trailer) - { - clearBlock(block); - return false; - } - - byte[] dbMask = maskGeneratorFunction1(block, block.length - hLen - 1, hLen, block.length - hLen - 1); - - for (int i = 0; i != dbMask.length; i++) - { - block[i] ^= dbMask[i]; - } - - block[0] &= (0xff >> ((block.length * 8) - emBits)); - - for (int i = 0; i != block.length - hLen - sLen - 2; i++) - { - if (block[i] != 0) - { - clearBlock(block); - return false; - } - } - - if (block[block.length - hLen - sLen - 2] != 0x01) - { - clearBlock(block); - return false; - } - - System.arraycopy(block, block.length - sLen - hLen - 1, mDash, mDash.length - sLen, sLen); - - contentDigest.update(mDash, 0, mDash.length); - contentDigest.doFinal(mDash, mDash.length - hLen); - - for (int i = block.length - hLen - 1, j = mDash.length - hLen; - j != mDash.length; i++, j++) - { - if ((block[i] ^ mDash[j]) != 0) - { - clearBlock(mDash); - clearBlock(block); - return false; - } - } - - clearBlock(mDash); - clearBlock(block); - - return true; - } - - /** - * int to octet string. - */ - private void ItoOSP( - int i, - byte[] sp) - { - sp[0] = (byte)(i >>> 24); - sp[1] = (byte)(i >>> 16); - sp[2] = (byte)(i >>> 8); - sp[3] = (byte)(i >>> 0); - } - - /** - * mask generator function, as described in PKCS1v2. - */ - private byte[] maskGeneratorFunction1( - byte[] Z, - int zOff, - int zLen, - int length) - { - byte[] mask = new byte[length]; - byte[] hashBuf = new byte[mgfhLen]; - byte[] C = new byte[4]; - int counter = 0; - - mgfDigest.reset(); - - while (counter < (length / mgfhLen)) - { - ItoOSP(counter, C); - - mgfDigest.update(Z, zOff, zLen); - mgfDigest.update(C, 0, C.length); - mgfDigest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * mgfhLen, mgfhLen); - - counter++; - } - - if ((counter * mgfhLen) < length) - { - ItoOSP(counter, C); - - mgfDigest.update(Z, zOff, zLen); - mgfDigest.update(C, 0, C.length); - mgfDigest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * mgfhLen, mask.length - (counter * mgfhLen)); - } - - return mask; - } -} |