1
/*
2
 * Copyright (c) 2006, 2021, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package sun.security.ec;
27

28
import java.io.IOException;
29
import java.math.BigInteger;
30

31
import java.security.*;
32
import java.security.interfaces.*;
33
import java.security.spec.*;
34
import java.util.Arrays;
35

36
import sun.security.util.*;
37
import sun.security.x509.AlgorithmId;
38
import sun.security.pkcs.PKCS8Key;
39

40
/**
41
 * Key implementation for EC private keys.
42
 *
43
 * ASN.1 syntax for EC private keys from SEC 1 v1.5 (draft):
44
 *
45
 * <pre>
46
 * EXPLICIT TAGS
47
 *
48
 * ECPrivateKey ::= SEQUENCE {
49
 *   version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
50
 *   privateKey OCTET STRING,
51
 *   parameters [0] ECDomainParameters {{ SECGCurveNames }} OPTIONAL,
52
 *   publicKey [1] BIT STRING OPTIONAL
53
 * }
54
 * </pre>
55
 *
56
 * We currently ignore the optional parameters and publicKey fields. We
57
 * require that the parameters are encoded as part of the AlgorithmIdentifier,
58
 * not in the private key structure.
59
 *
60
 * @since   1.6
61
 * @author  Andreas Sterbenz
62
 */
63
public final class ECPrivateKeyImpl extends PKCS8Key implements ECPrivateKey {
64

65
    private static final long serialVersionUID = 88695385615075129L;
66

67
    private BigInteger s;       // private value
68
    private byte[] arrayS;      // private value as a little-endian array
69
    private ECParameterSpec params;
70

71
    /**
72
     * Construct a key from its encoding. Called by the ECKeyFactory.
73
     */
74
    ECPrivateKeyImpl(byte[] encoded) throws InvalidKeyException {
75
        super(encoded);
76
        parseKeyBits();
77
    }
78

79
    /**
80
     * Construct a key from its components. Used by the
81
     * KeyFactory.
82
     */
83
    ECPrivateKeyImpl(BigInteger s, ECParameterSpec params)
84
            throws InvalidKeyException {
85
        this.s = s;
86
        this.params = params;
87
        makeEncoding(s);
88

89
    }
90

91
    ECPrivateKeyImpl(byte[] s, ECParameterSpec params)
92
            throws InvalidKeyException {
93
        this.arrayS = s.clone();
94
        this.params = params;
95
        makeEncoding(s);
96
    }
97

98
    private void makeEncoding(byte[] s) throws InvalidKeyException {
99
        algid = new AlgorithmId
100
        (AlgorithmId.EC_oid, ECParameters.getAlgorithmParameters(params));
101
        try {
102
            DerOutputStream out = new DerOutputStream();
103
            out.putInteger(1); // version 1
104
            byte[] privBytes = s.clone();
105
            ArrayUtil.reverse(privBytes);
106
            out.putOctetString(privBytes);
107
            Arrays.fill(privBytes, (byte)0);
108
            DerValue val = DerValue.wrap(DerValue.tag_Sequence, out);
109
            key = val.toByteArray();
110
            val.clear();
111
        } catch (IOException exc) {
112
            // should never occur
113
            throw new InvalidKeyException(exc);
114
        }
115
    }
116

117
    private void makeEncoding(BigInteger s) throws InvalidKeyException {
118
        algid = new AlgorithmId(AlgorithmId.EC_oid,
119
                ECParameters.getAlgorithmParameters(params));
120
        try {
121
            byte[] sArr = s.toByteArray();
122
            // convert to fixed-length array
123
            int numOctets = (params.getOrder().bitLength() + 7) / 8;
124
            byte[] sOctets = new byte[numOctets];
125
            int inPos = Math.max(sArr.length - sOctets.length, 0);
126
            int outPos = Math.max(sOctets.length - sArr.length, 0);
127
            int length = Math.min(sArr.length, sOctets.length);
128
            System.arraycopy(sArr, inPos, sOctets, outPos, length);
129
            Arrays.fill(sArr, (byte)0);
130

131
            DerOutputStream out = new DerOutputStream();
132
            out.putInteger(1); // version 1
133
            out.putOctetString(sOctets);
134
            Arrays.fill(sOctets, (byte)0);
135
            DerValue val = DerValue.wrap(DerValue.tag_Sequence, out);
136
            key = val.toByteArray();
137
            val.clear();
138
        } catch (IOException exc) {
139
            throw new AssertionError("Should not happen", exc);
140
        }
141
    }
142

143
    // see JCA doc
144
    public String getAlgorithm() {
145
        return "EC";
146
    }
147

148
    // see JCA doc
149
    public BigInteger getS() {
150
        if (s == null) {
151
            byte[] arrCopy = arrayS.clone();
152
            ArrayUtil.reverse(arrCopy);
153
            s = new BigInteger(1, arrCopy);
154
            Arrays.fill(arrCopy, (byte)0);
155
        }
156
        return s;
157
    }
158

159
    public byte[] getArrayS() {
160
        if (arrayS == null) {
161
            arrayS = ECUtil.sArray(getS(), params);
162
        }
163
        return arrayS.clone();
164
    }
165

166
    // see JCA doc
167
    public ECParameterSpec getParams() {
168
        return params;
169
    }
170

171
    private void parseKeyBits() throws InvalidKeyException {
172
        try {
173
            DerInputStream in = new DerInputStream(key);
174
            DerValue derValue = in.getDerValue();
175
            if (derValue.tag != DerValue.tag_Sequence) {
176
                throw new IOException("Not a SEQUENCE");
177
            }
178
            DerInputStream data = derValue.data;
179
            int version = data.getInteger();
180
            if (version != 1) {
181
                throw new IOException("Version must be 1");
182
            }
183
            byte[] privData = data.getOctetString();
184
            ArrayUtil.reverse(privData);
185
            arrayS = privData;
186
            while (data.available() != 0) {
187
                DerValue value = data.getDerValue();
188
                if (value.isContextSpecific((byte) 0)) {
189
                    // ignore for now
190
                } else if (value.isContextSpecific((byte) 1)) {
191
                    // ignore for now
192
                } else {
193
                    throw new InvalidKeyException("Unexpected value: " + value);
194
                }
195
            }
196
            AlgorithmParameters algParams = this.algid.getParameters();
197
            if (algParams == null) {
198
                throw new InvalidKeyException("EC domain parameters must be "
199
                    + "encoded in the algorithm identifier");
200
            }
201
            params = algParams.getParameterSpec(ECParameterSpec.class);
202
        } catch (IOException e) {
203
            throw new InvalidKeyException("Invalid EC private key", e);
204
        } catch (InvalidParameterSpecException e) {
205
            throw new InvalidKeyException("Invalid EC private key", e);
206
        }
207
    }
208
}
209

210