1
/*
2
 * Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package sun.security.ec;
27

28
import java.nio.ByteBuffer;
29

30
import java.security.*;
31
import java.security.interfaces.*;
32
import java.security.spec.*;
33
import java.util.Optional;
34

35
import sun.security.jca.JCAUtil;
36
import sun.security.util.*;
37
import static sun.security.ec.ECOperations.IntermediateValueException;
38

39
/**
40
 * ECDSA signature implementation. This class currently supports the
41
 * following algorithm names:
42
 *
43
 *   . "NONEwithECDSA"
44
 *   . "SHA1withECDSA"
45
 *   . "SHA224withECDSA"
46
 *   . "SHA256withECDSA"
47
 *   . "SHA384withECDSA"
48
 *   . "SHA512withECDSA"
49
 *   . "SHA3-224withECDSA"
50
 *   . "SHA3-256withECDSA"
51
 *   . "SHA3-384withECDSA"
52
 *   . "SHA3-512withECDSA"
53
 *   . "NONEwithECDSAinP1363Format"
54
 *   . "SHA1withECDSAinP1363Format"
55
 *   . "SHA224withECDSAinP1363Format"
56
 *   . "SHA256withECDSAinP1363Format"
57
 *   . "SHA384withECDSAinP1363Format"
58
 *   . "SHA512withECDSAinP1363Format"
59
 *   . "SHA3-224withECDSAinP1363Format"
60
 *   . "SHA3-256withECDSAinP1363Format"
61
 *   . "SHA3-384withECDSAinP1363Format"
62
 *   . "SHA3-512withECDSAinP1363Format"
63
 *
64
 * @since   1.7
65
 */
66
abstract class ECDSASignature extends SignatureSpi {
67

68
    // message digest implementation we use
69
    private final MessageDigest messageDigest;
70

71
    // supplied entropy
72
    private SecureRandom random;
73

74
    // flag indicating whether the digest has been reset
75
    private boolean needsReset;
76

77
    // private key, if initialized for signing
78
    private ECPrivateKey privateKey;
79

80
    // public key, if initialized for verifying
81
    private ECPublicKey publicKey;
82

83
    // signature parameters
84
    private ECParameterSpec sigParams = null;
85

86
    // The format. true for the IEEE P1363 format. false (default) for ASN.1
87
    private final boolean p1363Format;
88

89
    /**
90
     * Constructs a new ECDSASignature.
91
     *
92
     * @exception ProviderException if the native ECC library is unavailable.
93
     */
94
    ECDSASignature() {
95
        this(false);
96
    }
97

98
    /**
99
     * Constructs a new ECDSASignature that will use the specified
100
     * signature format. {@code p1363Format} should be {@code true} to
101
     * use the IEEE P1363 format. If {@code p1363Format} is {@code false},
102
     * the DER-encoded ASN.1 format will be used. This constructor is
103
     * used by the RawECDSA subclasses.
104
     */
105
    ECDSASignature(boolean p1363Format) {
106
        this.messageDigest = null;
107
        this.p1363Format = p1363Format;
108
    }
109

110
    /**
111
     * Constructs a new ECDSASignature. Used by subclasses.
112
     */
113
    ECDSASignature(String digestName) {
114
        this(digestName, false);
115
    }
116

117
    /**
118
     * Constructs a new ECDSASignature that will use the specified
119
     * digest and signature format. {@code p1363Format} should be
120
     * {@code true} to use the IEEE P1363 format. If {@code p1363Format}
121
     * is {@code false}, the DER-encoded ASN.1 format will be used. This
122
     * constructor is used by subclasses.
123
     */
124
    ECDSASignature(String digestName, boolean p1363Format) {
125
        try {
126
            messageDigest = MessageDigest.getInstance(digestName);
127
        } catch (NoSuchAlgorithmException e) {
128
            throw new ProviderException(e);
129
        }
130
        this.needsReset = false;
131
        this.p1363Format = p1363Format;
132
    }
133

134
    // Class for Raw ECDSA signatures.
135
    static class RawECDSA extends ECDSASignature {
136

137
        // the longest supported digest is 512 bits (SHA-512)
138
        private static final int RAW_ECDSA_MAX = 64;
139

140
        private final byte[] precomputedDigest;
141
        private int offset = 0;
142

143
        RawECDSA(boolean p1363Format) {
144
            super(p1363Format);
145
            precomputedDigest = new byte[RAW_ECDSA_MAX];
146
        }
147

148
        // Stores the precomputed message digest value.
149
        @Override
150
        protected void engineUpdate(byte b) throws SignatureException {
151
            if (offset >= precomputedDigest.length) {
152
                offset = RAW_ECDSA_MAX + 1;
153
                return;
154
            }
155
            precomputedDigest[offset++] = b;
156
        }
157

158
        // Stores the precomputed message digest value.
159
        @Override
160
        protected void engineUpdate(byte[] b, int off, int len)
161
        throws SignatureException {
162
            if (offset >= precomputedDigest.length) {
163
                offset = RAW_ECDSA_MAX + 1;
164
                return;
165
            }
166
            System.arraycopy(b, off, precomputedDigest, offset, len);
167
            offset += len;
168
        }
169

170
        // Stores the precomputed message digest value.
171
        @Override
172
        protected void engineUpdate(ByteBuffer byteBuffer) {
173
            int len = byteBuffer.remaining();
174
            if (len <= 0) {
175
                return;
176
            }
177
            if (len >= precomputedDigest.length - offset) {
178
                offset = RAW_ECDSA_MAX + 1;
179
                return;
180
            }
181
            byteBuffer.get(precomputedDigest, offset, len);
182
            offset += len;
183
        }
184

185
        @Override
186
        protected void resetDigest() {
187
            offset = 0;
188
        }
189

190
        // Returns the precomputed message digest value.
191
        @Override
192
        protected byte[] getDigestValue() throws SignatureException {
193
            if (offset > RAW_ECDSA_MAX) {
194
                throw new SignatureException("Message digest is too long");
195

196
            }
197
            byte[] result = new byte[offset];
198
            System.arraycopy(precomputedDigest, 0, result, 0, offset);
199
            offset = 0;
200

201
            return result;
202
        }
203
    }
204

205
    // Nested class for NONEwithECDSA signatures
206
    public static final class Raw extends RawECDSA {
207
        public Raw() {
208
            super(false);
209
        }
210
    }
211

212
    // Nested class for NONEwithECDSAinP1363Format signatures
213
    public static final class RawinP1363Format extends RawECDSA {
214
        public RawinP1363Format() {
215
            super(true);
216
        }
217
    }
218

219
    // Nested class for SHA1withECDSA signatures
220
    public static final class SHA1 extends ECDSASignature {
221
        public SHA1() {
222
            super("SHA1");
223
        }
224
    }
225

226
    // Nested class for SHA1withECDSAinP1363Format signatures
227
    public static final class SHA1inP1363Format extends ECDSASignature {
228
        public SHA1inP1363Format() {
229
            super("SHA1", true);
230
        }
231
    }
232

233
    // Nested class for SHA224withECDSA signatures
234
    public static final class SHA224 extends ECDSASignature {
235
        public SHA224() {
236
            super("SHA-224");
237
        }
238
    }
239

240
    // Nested class for SHA224withECDSAinP1363Format signatures
241
    public static final class SHA224inP1363Format extends ECDSASignature {
242
        public SHA224inP1363Format() {
243
            super("SHA-224", true);
244
        }
245
    }
246

247
    // Nested class for SHA256withECDSA signatures
248
    public static final class SHA256 extends ECDSASignature {
249
        public SHA256() {
250
            super("SHA-256");
251
        }
252
    }
253

254
    // Nested class for SHA256withECDSAinP1363Format signatures
255
    public static final class SHA256inP1363Format extends ECDSASignature {
256
        public SHA256inP1363Format() {
257
            super("SHA-256", true);
258
        }
259
    }
260

261
    // Nested class for SHA384withECDSA signatures
262
    public static final class SHA384 extends ECDSASignature {
263
        public SHA384() {
264
            super("SHA-384");
265
        }
266
    }
267

268
    // Nested class for SHA384withECDSAinP1363Format signatures
269
    public static final class SHA384inP1363Format extends ECDSASignature {
270
        public SHA384inP1363Format() {
271
            super("SHA-384", true);
272
        }
273
    }
274

275
    // Nested class for SHA512withECDSA signatures
276
    public static final class SHA512 extends ECDSASignature {
277
        public SHA512() {
278
            super("SHA-512");
279
        }
280
    }
281

282
    // Nested class for SHA512withECDSAinP1363Format signatures
283
    public static final class SHA512inP1363Format extends ECDSASignature {
284
        public SHA512inP1363Format() {
285
            super("SHA-512", true);
286
        }
287
    }
288

289
    // Nested class for SHA3_224withECDSA signatures
290
    public static final class SHA3_224 extends ECDSASignature {
291
        public SHA3_224() {
292
           super("SHA3-224");
293
        }
294
    }
295

296
    // Nested class for SHA3_224withECDSAinP1363Format signatures
297
    public static final class SHA3_224inP1363Format extends ECDSASignature {
298
        public SHA3_224inP1363Format() {
299
            super("SHA3-224", true);
300
        }
301
    }
302

303
    // Nested class for SHA3_256withECDSA signatures
304
    public static final class SHA3_256 extends ECDSASignature {
305
        public SHA3_256() {
306
            super("SHA3-256");
307
        }
308
    }
309

310
    // Nested class for SHA3_256withECDSAinP1363Format signatures
311
    public static final class SHA3_256inP1363Format extends ECDSASignature {
312
        public SHA3_256inP1363Format() {
313
            super("SHA3-256", true);
314
        }
315
    }
316

317
    // Nested class for SHA3_384withECDSA signatures
318
    public static final class SHA3_384 extends ECDSASignature {
319
        public SHA3_384() {
320
            super("SHA3-384");
321
        }
322
    }
323

324
    // Nested class for SHA3_384withECDSAinP1363Format signatures
325
    public static final class SHA3_384inP1363Format extends ECDSASignature {
326
        public SHA3_384inP1363Format() {
327
            super("SHA3-384", true);
328
        }
329
    }
330

331
    // Nested class for SHA3_512withECDSA signatures
332
    public static final class SHA3_512 extends ECDSASignature {
333
        public SHA3_512() {
334
            super("SHA3-512");
335
        }
336
    }
337

338
    // Nested class for SHA3_512withECDSAinP1363Format signatures
339
    public static final class SHA3_512inP1363Format extends ECDSASignature {
340
        public SHA3_512inP1363Format() {
341
            super("SHA3-512", true);
342
        }
343
    }
344

345
    // initialize for verification. See JCA doc
346
    @Override
347
    protected void engineInitVerify(PublicKey publicKey)
348
    throws InvalidKeyException {
349
        ECPublicKey key = (ECPublicKey) ECKeyFactory.toECKey(publicKey);
350
        if (!isCompatible(this.sigParams, key.getParams())) {
351
            throw new InvalidKeyException("Key params does not match signature params");
352
        }
353

354
        // Should check that the supplied key is appropriate for signature
355
        // algorithm (e.g. P-256 for SHA256withECDSA)
356
        this.publicKey = key;
357
        this.privateKey = null;
358
        resetDigest();
359
    }
360

361
    // initialize for signing. See JCA doc
362
    @Override
363
    protected void engineInitSign(PrivateKey privateKey)
364
    throws InvalidKeyException {
365
        engineInitSign(privateKey, null);
366
    }
367

368
    // initialize for signing. See JCA doc
369
    @Override
370
    protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
371
    throws InvalidKeyException {
372
        ECPrivateKey key = (ECPrivateKey) ECKeyFactory.toECKey(privateKey);
373
        if (!isCompatible(this.sigParams, key.getParams())) {
374
            throw new InvalidKeyException("Key params does not match signature params");
375
        }
376

377
        // Should check that the supplied key is appropriate for signature
378
        // algorithm (e.g. P-256 for SHA256withECDSA)
379
        this.privateKey = key;
380
        this.publicKey = null;
381
        this.random = random;
382
        resetDigest();
383
    }
384

385
    /**
386
     * Resets the message digest if needed.
387
     */
388
    protected void resetDigest() {
389
        if (needsReset) {
390
            if (messageDigest != null) {
391
                messageDigest.reset();
392
            }
393
            needsReset = false;
394
        }
395
    }
396

397
    /**
398
     * Returns the message digest value.
399
     */
400
    protected byte[] getDigestValue() throws SignatureException {
401
        needsReset = false;
402
        return messageDigest.digest();
403
    }
404

405
    // update the signature with the plaintext data. See JCA doc
406
    @Override
407
    protected void engineUpdate(byte b) throws SignatureException {
408
        messageDigest.update(b);
409
        needsReset = true;
410
    }
411

412
    // update the signature with the plaintext data. See JCA doc
413
    @Override
414
    protected void engineUpdate(byte[] b, int off, int len)
415
    throws SignatureException {
416
        messageDigest.update(b, off, len);
417
        needsReset = true;
418
    }
419

420
    // update the signature with the plaintext data. See JCA doc
421
    @Override
422
    protected void engineUpdate(ByteBuffer byteBuffer) {
423
        int len = byteBuffer.remaining();
424
        if (len <= 0) {
425
            return;
426
        }
427

428
        messageDigest.update(byteBuffer);
429
        needsReset = true;
430
    }
431

432
    private static boolean isCompatible(ECParameterSpec sigParams,
433
            ECParameterSpec keyParams) {
434
        if (sigParams == null) {
435
            // no restriction on key param
436
            return true;
437
        }
438
        return ECUtil.equals(sigParams, keyParams);
439
    }
440

441
    private byte[] signDigestImpl(ECDSAOperations ops, int seedBits,
442
        byte[] digest, ECPrivateKey priv, SecureRandom random)
443
        throws SignatureException {
444

445
        byte[] seedBytes = new byte[(seedBits + 7) / 8];
446
        byte[] s = priv instanceof ECPrivateKeyImpl
447
                ? ((ECPrivateKeyImpl)priv).getArrayS()
448
                : ECUtil.sArray(priv.getS(), priv.getParams());
449

450
        // Attempt to create the signature in a loop that uses new random input
451
        // each time. The chance of failure is very small assuming the
452
        // implementation derives the nonce using extra bits
453
        int numAttempts = 128;
454
        for (int i = 0; i < numAttempts; i++) {
455
            random.nextBytes(seedBytes);
456
            ECDSAOperations.Seed seed = new ECDSAOperations.Seed(seedBytes);
457
            try {
458
                return ops.signDigest(s, digest, seed);
459
            } catch (IntermediateValueException ex) {
460
                // try again in the next iteration
461
            }
462
        }
463

464
        throw new SignatureException("Unable to produce signature after "
465
            + numAttempts + " attempts");
466
    }
467

468

469
    // sign the data and return the signature. See JCA doc
470
    @Override
471
    protected byte[] engineSign() throws SignatureException {
472

473
        if (random == null) {
474
            random = JCAUtil.getSecureRandom();
475
        }
476

477
        byte[] digest = getDigestValue();
478
        ECParameterSpec params = privateKey.getParams();
479

480
        // seed is the key size + 64 bits
481
        int seedBits = params.getOrder().bitLength() + 64;
482
        Optional<ECDSAOperations> opsOpt =
483
            ECDSAOperations.forParameters(params);
484
        if (opsOpt.isEmpty()) {
485
            throw new SignatureException("Curve not supported: " +
486
                params.toString());
487
        }
488
        byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest, privateKey,
489
            random);
490

491
        if (p1363Format) {
492
            return sig;
493
        } else {
494
            return ECUtil.encodeSignature(sig);
495
        }
496
    }
497

498
    // verify the data and return the result. See JCA doc
499
    @Override
500
    protected boolean engineVerify(byte[] signature) throws SignatureException {
501

502
        byte[] sig;
503
        if (p1363Format) {
504
            sig = signature;
505
        } else {
506
            sig = ECUtil.decodeSignature(signature);
507
        }
508

509
        byte[] digest = getDigestValue();
510

511
        Optional<ECDSAOperations> opsOpt =
512
            ECDSAOperations.forParameters(publicKey.getParams());
513
        if (opsOpt.isEmpty()) {
514
            throw new SignatureException("Curve not supported: " +
515
                publicKey.getParams().toString());
516
        }
517
        return opsOpt.get().verifySignedDigest(digest, sig, publicKey.getW());
518
    }
519

520
    // set parameter, not supported. See JCA doc
521
    @Override
522
    @Deprecated
523
    protected void engineSetParameter(String param, Object value)
524
    throws InvalidParameterException {
525
        throw new UnsupportedOperationException("setParameter() not supported");
526
    }
527

528
    @Override
529
    protected void engineSetParameter(AlgorithmParameterSpec params)
530
    throws InvalidAlgorithmParameterException {
531
        if (params != null && !(params instanceof ECParameterSpec)) {
532
            throw new InvalidAlgorithmParameterException("No parameter accepted");
533
        }
534
        ECKey key = (this.privateKey == null? this.publicKey : this.privateKey);
535
        if ((key != null) && !isCompatible((ECParameterSpec)params, key.getParams())) {
536
            throw new InvalidAlgorithmParameterException
537
                ("Signature params does not match key params");
538
        }
539

540
        sigParams = (ECParameterSpec) params;
541
    }
542

543
    // get parameter, not supported. See JCA doc
544
    @Override
545
    @Deprecated
546
    protected Object engineGetParameter(String param)
547
    throws InvalidParameterException {
548
        throw new UnsupportedOperationException("getParameter() not supported");
549
    }
550

551
    @Override
552
    protected AlgorithmParameters engineGetParameters() {
553
        if (sigParams == null) {
554
            return null;
555
        }
556
        try {
557
            AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
558
            ap.init(sigParams);
559
            return ap;
560
        } catch (Exception e) {
561
            // should never happen
562
            throw new ProviderException("Error retrieving EC parameters", e);
563
        }
564
    }
565
}
566

567