J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 1996-2006 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | package java.security; |
| 27 | |
| 28 | import java.security.spec.AlgorithmParameterSpec; |
| 29 | import java.util.*; |
| 30 | import java.util.concurrent.ConcurrentHashMap; |
| 31 | import java.io.*; |
| 32 | import java.security.cert.Certificate; |
| 33 | import java.security.cert.X509Certificate; |
| 34 | |
| 35 | import java.nio.ByteBuffer; |
| 36 | |
| 37 | import java.security.Provider.Service; |
| 38 | |
| 39 | import javax.crypto.Cipher; |
| 40 | import javax.crypto.CipherSpi; |
| 41 | import javax.crypto.IllegalBlockSizeException; |
| 42 | import javax.crypto.BadPaddingException; |
| 43 | import javax.crypto.NoSuchPaddingException; |
| 44 | |
| 45 | import sun.security.util.Debug; |
| 46 | import sun.security.jca.*; |
| 47 | import sun.security.jca.GetInstance.Instance; |
| 48 | |
| 49 | /** |
| 50 | * This Signature class is used to provide applications the functionality |
| 51 | * of a digital signature algorithm. Digital signatures are used for |
| 52 | * authentication and integrity assurance of digital data. |
| 53 | * |
| 54 | * <p> The signature algorithm can be, among others, the NIST standard |
| 55 | * DSA, using DSA and SHA-1. The DSA algorithm using the |
| 56 | * SHA-1 message digest algorithm can be specified as <tt>SHA1withDSA</tt>. |
| 57 | * In the case of RSA, there are multiple choices for the message digest |
| 58 | * algorithm, so the signing algorithm could be specified as, for example, |
| 59 | * <tt>MD2withRSA</tt>, <tt>MD5withRSA</tt>, or <tt>SHA1withRSA</tt>. |
| 60 | * The algorithm name must be specified, as there is no default. |
| 61 | * |
| 62 | * <p> A Signature object can be used to generate and verify digital |
| 63 | * signatures. |
| 64 | * |
| 65 | * <p> There are three phases to the use of a Signature object for |
| 66 | * either signing data or verifying a signature:<ol> |
| 67 | * |
| 68 | * <li>Initialization, with either |
| 69 | * |
| 70 | * <ul> |
| 71 | * |
| 72 | * <li>a public key, which initializes the signature for |
| 73 | * verification (see {@link #initVerify(PublicKey) initVerify}), or |
| 74 | * |
| 75 | * <li>a private key (and optionally a Secure Random Number Generator), |
| 76 | * which initializes the signature for signing |
| 77 | * (see {@link #initSign(PrivateKey)} |
| 78 | * and {@link #initSign(PrivateKey, SecureRandom)}). |
| 79 | * |
| 80 | * </ul><p> |
| 81 | * |
| 82 | * <li>Updating<p> |
| 83 | * |
| 84 | * <p>Depending on the type of initialization, this will update the |
| 85 | * bytes to be signed or verified. See the |
| 86 | * {@link #update(byte) update} methods.<p> |
| 87 | * |
| 88 | * <li>Signing or Verifying a signature on all updated bytes. See the |
| 89 | * {@link #sign() sign} methods and the {@link #verify(byte[]) verify} |
| 90 | * method. |
| 91 | * |
| 92 | * </ol> |
| 93 | * |
| 94 | * <p>Note that this class is abstract and extends from |
| 95 | * <code>SignatureSpi</code> for historical reasons. |
| 96 | * Application developers should only take notice of the methods defined in |
| 97 | * this <code>Signature</code> class; all the methods in |
| 98 | * the superclass are intended for cryptographic service providers who wish to |
| 99 | * supply their own implementations of digital signature algorithms. |
| 100 | * |
| 101 | * @author Benjamin Renaud |
| 102 | * |
| 103 | */ |
| 104 | |
| 105 | public abstract class Signature extends SignatureSpi { |
| 106 | |
| 107 | private static final Debug debug = |
| 108 | Debug.getInstance("jca", "Signature"); |
| 109 | |
| 110 | /* |
| 111 | * The algorithm for this signature object. |
| 112 | * This value is used to map an OID to the particular algorithm. |
| 113 | * The mapping is done in AlgorithmObject.algOID(String algorithm) |
| 114 | */ |
| 115 | private String algorithm; |
| 116 | |
| 117 | // The provider |
| 118 | Provider provider; |
| 119 | |
| 120 | /** |
| 121 | * Possible {@link #state} value, signifying that |
| 122 | * this signature object has not yet been initialized. |
| 123 | */ |
| 124 | protected final static int UNINITIALIZED = 0; |
| 125 | |
| 126 | /** |
| 127 | * Possible {@link #state} value, signifying that |
| 128 | * this signature object has been initialized for signing. |
| 129 | */ |
| 130 | protected final static int SIGN = 2; |
| 131 | |
| 132 | /** |
| 133 | * Possible {@link #state} value, signifying that |
| 134 | * this signature object has been initialized for verification. |
| 135 | */ |
| 136 | protected final static int VERIFY = 3; |
| 137 | |
| 138 | /** |
| 139 | * Current state of this signature object. |
| 140 | */ |
| 141 | protected int state = UNINITIALIZED; |
| 142 | |
| 143 | /** |
| 144 | * Creates a Signature object for the specified algorithm. |
| 145 | * |
| 146 | * @param algorithm the standard string name of the algorithm. |
| 147 | * See Appendix A in the <a href= |
| 148 | * "../../../technotes/guides/security/crypto/CryptoSpec.html#AppA"> |
| 149 | * Java Cryptography Architecture API Specification & Reference </a> |
| 150 | * for information about standard algorithm names. |
| 151 | */ |
| 152 | protected Signature(String algorithm) { |
| 153 | this.algorithm = algorithm; |
| 154 | } |
| 155 | |
| 156 | // name of the special signature alg |
| 157 | private final static String RSA_SIGNATURE = "NONEwithRSA"; |
| 158 | |
| 159 | // name of the equivalent cipher alg |
| 160 | private final static String RSA_CIPHER = "RSA/ECB/PKCS1Padding"; |
| 161 | |
| 162 | // all the services we need to lookup for compatibility with Cipher |
| 163 | private final static List<ServiceId> rsaIds = Arrays.asList( |
| 164 | new ServiceId[] { |
| 165 | new ServiceId("Signature", "NONEwithRSA"), |
| 166 | new ServiceId("Cipher", "RSA/ECB/PKCS1Padding"), |
| 167 | new ServiceId("Cipher", "RSA/ECB"), |
| 168 | new ServiceId("Cipher", "RSA//PKCS1Padding"), |
| 169 | new ServiceId("Cipher", "RSA"), |
| 170 | } |
| 171 | ); |
| 172 | |
| 173 | /** |
| 174 | * Returns a Signature object that implements the specified signature |
| 175 | * algorithm. |
| 176 | * |
| 177 | * <p> This method traverses the list of registered security Providers, |
| 178 | * starting with the most preferred Provider. |
| 179 | * A new Signature object encapsulating the |
| 180 | * SignatureSpi implementation from the first |
| 181 | * Provider that supports the specified algorithm is returned. |
| 182 | * |
| 183 | * <p> Note that the list of registered providers may be retrieved via |
| 184 | * the {@link Security#getProviders() Security.getProviders()} method. |
| 185 | * |
| 186 | * @param algorithm the standard name of the algorithm requested. |
| 187 | * See Appendix A in the <a href= |
| 188 | * "../../../technotes/guides/security/crypto/CryptoSpec.html#AppA"> |
| 189 | * Java Cryptography Architecture API Specification & Reference </a> |
| 190 | * for information about standard algorithm names. |
| 191 | * |
| 192 | * @return the new Signature object. |
| 193 | * |
| 194 | * @exception NoSuchAlgorithmException if no Provider supports a |
| 195 | * Signature implementation for the |
| 196 | * specified algorithm. |
| 197 | * |
| 198 | * @see Provider |
| 199 | */ |
| 200 | public static Signature getInstance(String algorithm) |
| 201 | throws NoSuchAlgorithmException { |
| 202 | List<Service> list; |
| 203 | if (algorithm.equalsIgnoreCase(RSA_SIGNATURE)) { |
| 204 | list = GetInstance.getServices(rsaIds); |
| 205 | } else { |
| 206 | list = GetInstance.getServices("Signature", algorithm); |
| 207 | } |
| 208 | Iterator<Service> t = list.iterator(); |
| 209 | if (t.hasNext() == false) { |
| 210 | throw new NoSuchAlgorithmException |
| 211 | (algorithm + " Signature not available"); |
| 212 | } |
| 213 | // try services until we find an Spi or a working Signature subclass |
| 214 | NoSuchAlgorithmException failure; |
| 215 | do { |
| 216 | Service s = t.next(); |
| 217 | if (isSpi(s)) { |
| 218 | return new Delegate(s, t, algorithm); |
| 219 | } else { |
| 220 | // must be a subclass of Signature, disable dynamic selection |
| 221 | try { |
| 222 | Instance instance = |
| 223 | GetInstance.getInstance(s, SignatureSpi.class); |
| 224 | return getInstance(instance, algorithm); |
| 225 | } catch (NoSuchAlgorithmException e) { |
| 226 | failure = e; |
| 227 | } |
| 228 | } |
| 229 | } while (t.hasNext()); |
| 230 | throw failure; |
| 231 | } |
| 232 | |
| 233 | private static Signature getInstance(Instance instance, String algorithm) { |
| 234 | Signature sig; |
| 235 | if (instance.impl instanceof Signature) { |
| 236 | sig = (Signature)instance.impl; |
| 237 | } else { |
| 238 | SignatureSpi spi = (SignatureSpi)instance.impl; |
| 239 | sig = new Delegate(spi, algorithm); |
| 240 | } |
| 241 | sig.provider = instance.provider; |
| 242 | return sig; |
| 243 | } |
| 244 | |
| 245 | private final static Map<String,Boolean> signatureInfo; |
| 246 | |
| 247 | static { |
| 248 | signatureInfo = new ConcurrentHashMap<String,Boolean>(); |
| 249 | Boolean TRUE = Boolean.TRUE; |
| 250 | // pre-initialize with values for our SignatureSpi implementations |
| 251 | signatureInfo.put("sun.security.provider.DSA$RawDSA", TRUE); |
| 252 | signatureInfo.put("sun.security.provider.DSA$SHA1withDSA", TRUE); |
| 253 | signatureInfo.put("sun.security.rsa.RSASignature$MD2withRSA", TRUE); |
| 254 | signatureInfo.put("sun.security.rsa.RSASignature$MD5withRSA", TRUE); |
| 255 | signatureInfo.put("sun.security.rsa.RSASignature$SHA1withRSA", TRUE); |
| 256 | signatureInfo.put("sun.security.rsa.RSASignature$SHA256withRSA", TRUE); |
| 257 | signatureInfo.put("sun.security.rsa.RSASignature$SHA384withRSA", TRUE); |
| 258 | signatureInfo.put("sun.security.rsa.RSASignature$SHA512withRSA", TRUE); |
| 259 | signatureInfo.put("com.sun.net.ssl.internal.ssl.RSASignature", TRUE); |
| 260 | signatureInfo.put("sun.security.pkcs11.P11Signature", TRUE); |
| 261 | } |
| 262 | |
| 263 | private static boolean isSpi(Service s) { |
| 264 | if (s.getType().equals("Cipher")) { |
| 265 | // must be a CipherSpi, which we can wrap with the CipherAdapter |
| 266 | return true; |
| 267 | } |
| 268 | String className = s.getClassName(); |
| 269 | Boolean result = signatureInfo.get(className); |
| 270 | if (result == null) { |
| 271 | try { |
| 272 | Object instance = s.newInstance(null); |
| 273 | // Signature extends SignatureSpi |
| 274 | // so it is a "real" Spi if it is an |
| 275 | // instance of SignatureSpi but not Signature |
| 276 | boolean r = (instance instanceof SignatureSpi) |
| 277 | && (instance instanceof Signature == false); |
| 278 | if ((debug != null) && (r == false)) { |
| 279 | debug.println("Not a SignatureSpi " + className); |
| 280 | debug.println("Delayed provider selection may not be " |
| 281 | + "available for algorithm " + s.getAlgorithm()); |
| 282 | } |
| 283 | result = Boolean.valueOf(r); |
| 284 | signatureInfo.put(className, result); |
| 285 | } catch (Exception e) { |
| 286 | // something is wrong, assume not an SPI |
| 287 | return false; |
| 288 | } |
| 289 | } |
| 290 | return result.booleanValue(); |
| 291 | } |
| 292 | |
| 293 | /** |
| 294 | * Returns a Signature object that implements the specified signature |
| 295 | * algorithm. |
| 296 | * |
| 297 | * <p> A new Signature object encapsulating the |
| 298 | * SignatureSpi implementation from the specified provider |
| 299 | * is returned. The specified provider must be registered |
| 300 | * in the security provider list. |
| 301 | * |
| 302 | * <p> Note that the list of registered providers may be retrieved via |
| 303 | * the {@link Security#getProviders() Security.getProviders()} method. |
| 304 | * |
| 305 | * @param algorithm the name of the algorithm requested. |
| 306 | * See Appendix A in the <a href= |
| 307 | * "../../../technotes/guides/security/crypto/CryptoSpec.html#AppA"> |
| 308 | * Java Cryptography Architecture API Specification & Reference </a> |
| 309 | * for information about standard algorithm names. |
| 310 | * |
| 311 | * @param provider the name of the provider. |
| 312 | * |
| 313 | * @return the new Signature object. |
| 314 | * |
| 315 | * @exception NoSuchAlgorithmException if a SignatureSpi |
| 316 | * implementation for the specified algorithm is not |
| 317 | * available from the specified provider. |
| 318 | * |
| 319 | * @exception NoSuchProviderException if the specified provider is not |
| 320 | * registered in the security provider list. |
| 321 | * |
| 322 | * @exception IllegalArgumentException if the provider name is null |
| 323 | * or empty. |
| 324 | * |
| 325 | * @see Provider |
| 326 | */ |
| 327 | public static Signature getInstance(String algorithm, String provider) |
| 328 | throws NoSuchAlgorithmException, NoSuchProviderException { |
| 329 | if (algorithm.equalsIgnoreCase(RSA_SIGNATURE)) { |
| 330 | // exception compatibility with existing code |
| 331 | if ((provider == null) || (provider.length() == 0)) { |
| 332 | throw new IllegalArgumentException("missing provider"); |
| 333 | } |
| 334 | Provider p = Security.getProvider(provider); |
| 335 | if (p == null) { |
| 336 | throw new NoSuchProviderException |
| 337 | ("no such provider: " + provider); |
| 338 | } |
| 339 | return getInstanceRSA(p); |
| 340 | } |
| 341 | Instance instance = GetInstance.getInstance |
| 342 | ("Signature", SignatureSpi.class, algorithm, provider); |
| 343 | return getInstance(instance, algorithm); |
| 344 | } |
| 345 | |
| 346 | /** |
| 347 | * Returns a Signature object that implements the specified |
| 348 | * signature algorithm. |
| 349 | * |
| 350 | * <p> A new Signature object encapsulating the |
| 351 | * SignatureSpi implementation from the specified Provider |
| 352 | * object is returned. Note that the specified Provider object |
| 353 | * does not have to be registered in the provider list. |
| 354 | * |
| 355 | * @param algorithm the name of the algorithm requested. |
| 356 | * See Appendix A in the <a href= |
| 357 | * "../../../technotes/guides/security/crypto/CryptoSpec.html#AppA"> |
| 358 | * Java Cryptography Architecture API Specification & Reference </a> |
| 359 | * for information about standard algorithm names. |
| 360 | * |
| 361 | * @param provider the provider. |
| 362 | * |
| 363 | * @return the new Signature object. |
| 364 | * |
| 365 | * @exception NoSuchAlgorithmException if a SignatureSpi |
| 366 | * implementation for the specified algorithm is not available |
| 367 | * from the specified Provider object. |
| 368 | * |
| 369 | * @exception IllegalArgumentException if the provider is null. |
| 370 | * |
| 371 | * @see Provider |
| 372 | * |
| 373 | * @since 1.4 |
| 374 | */ |
| 375 | public static Signature getInstance(String algorithm, Provider provider) |
| 376 | throws NoSuchAlgorithmException { |
| 377 | if (algorithm.equalsIgnoreCase(RSA_SIGNATURE)) { |
| 378 | // exception compatibility with existing code |
| 379 | if (provider == null) { |
| 380 | throw new IllegalArgumentException("missing provider"); |
| 381 | } |
| 382 | return getInstanceRSA(provider); |
| 383 | } |
| 384 | Instance instance = GetInstance.getInstance |
| 385 | ("Signature", SignatureSpi.class, algorithm, provider); |
| 386 | return getInstance(instance, algorithm); |
| 387 | } |
| 388 | |
| 389 | // return an implementation for NONEwithRSA, which is a special case |
| 390 | // because of the Cipher.RSA/ECB/PKCS1Padding compatibility wrapper |
| 391 | private static Signature getInstanceRSA(Provider p) |
| 392 | throws NoSuchAlgorithmException { |
| 393 | // try Signature first |
| 394 | Service s = p.getService("Signature", RSA_SIGNATURE); |
| 395 | if (s != null) { |
| 396 | Instance instance = GetInstance.getInstance(s, SignatureSpi.class); |
| 397 | return getInstance(instance, RSA_SIGNATURE); |
| 398 | } |
| 399 | // check Cipher |
| 400 | try { |
| 401 | Cipher c = Cipher.getInstance(RSA_CIPHER, p); |
| 402 | return new Delegate(new CipherAdapter(c), RSA_SIGNATURE); |
| 403 | } catch (GeneralSecurityException e) { |
| 404 | // throw Signature style exception message to avoid confusion, |
| 405 | // but append Cipher exception as cause |
| 406 | throw new NoSuchAlgorithmException("no such algorithm: " |
| 407 | + RSA_SIGNATURE + " for provider " + p.getName(), e); |
| 408 | } |
| 409 | } |
| 410 | |
| 411 | /** |
| 412 | * Returns the provider of this signature object. |
| 413 | * |
| 414 | * @return the provider of this signature object |
| 415 | */ |
| 416 | public final Provider getProvider() { |
| 417 | chooseFirstProvider(); |
| 418 | return this.provider; |
| 419 | } |
| 420 | |
| 421 | void chooseFirstProvider() { |
| 422 | // empty, overridden in Delegate |
| 423 | } |
| 424 | |
| 425 | /** |
| 426 | * Initializes this object for verification. If this method is called |
| 427 | * again with a different argument, it negates the effect |
| 428 | * of this call. |
| 429 | * |
| 430 | * @param publicKey the public key of the identity whose signature is |
| 431 | * going to be verified. |
| 432 | * |
| 433 | * @exception InvalidKeyException if the key is invalid. |
| 434 | */ |
| 435 | public final void initVerify(PublicKey publicKey) |
| 436 | throws InvalidKeyException { |
| 437 | engineInitVerify(publicKey); |
| 438 | state = VERIFY; |
| 439 | } |
| 440 | |
| 441 | /** |
| 442 | * Initializes this object for verification, using the public key from |
| 443 | * the given certificate. |
| 444 | * <p>If the certificate is of type X.509 and has a <i>key usage</i> |
| 445 | * extension field marked as critical, and the value of the <i>key usage</i> |
| 446 | * extension field implies that the public key in |
| 447 | * the certificate and its corresponding private key are not |
| 448 | * supposed to be used for digital signatures, an |
| 449 | * <code>InvalidKeyException</code> is thrown. |
| 450 | * |
| 451 | * @param certificate the certificate of the identity whose signature is |
| 452 | * going to be verified. |
| 453 | * |
| 454 | * @exception InvalidKeyException if the public key in the certificate |
| 455 | * is not encoded properly or does not include required parameter |
| 456 | * information or cannot be used for digital signature purposes. |
| 457 | * @since 1.3 |
| 458 | */ |
| 459 | public final void initVerify(Certificate certificate) |
| 460 | throws InvalidKeyException { |
| 461 | // If the certificate is of type X509Certificate, |
| 462 | // we should check whether it has a Key Usage |
| 463 | // extension marked as critical. |
| 464 | if (certificate instanceof java.security.cert.X509Certificate) { |
| 465 | // Check whether the cert has a key usage extension |
| 466 | // marked as a critical extension. |
| 467 | // The OID for KeyUsage extension is 2.5.29.15. |
| 468 | X509Certificate cert = (X509Certificate)certificate; |
| 469 | Set<String> critSet = cert.getCriticalExtensionOIDs(); |
| 470 | |
| 471 | if (critSet != null && !critSet.isEmpty() |
| 472 | && critSet.contains("2.5.29.15")) { |
| 473 | boolean[] keyUsageInfo = cert.getKeyUsage(); |
| 474 | // keyUsageInfo[0] is for digitalSignature. |
| 475 | if ((keyUsageInfo != null) && (keyUsageInfo[0] == false)) |
| 476 | throw new InvalidKeyException("Wrong key usage"); |
| 477 | } |
| 478 | } |
| 479 | |
| 480 | PublicKey publicKey = certificate.getPublicKey(); |
| 481 | engineInitVerify(publicKey); |
| 482 | state = VERIFY; |
| 483 | } |
| 484 | |
| 485 | /** |
| 486 | * Initialize this object for signing. If this method is called |
| 487 | * again with a different argument, it negates the effect |
| 488 | * of this call. |
| 489 | * |
| 490 | * @param privateKey the private key of the identity whose signature |
| 491 | * is going to be generated. |
| 492 | * |
| 493 | * @exception InvalidKeyException if the key is invalid. |
| 494 | */ |
| 495 | public final void initSign(PrivateKey privateKey) |
| 496 | throws InvalidKeyException { |
| 497 | engineInitSign(privateKey); |
| 498 | state = SIGN; |
| 499 | } |
| 500 | |
| 501 | /** |
| 502 | * Initialize this object for signing. If this method is called |
| 503 | * again with a different argument, it negates the effect |
| 504 | * of this call. |
| 505 | * |
| 506 | * @param privateKey the private key of the identity whose signature |
| 507 | * is going to be generated. |
| 508 | * |
| 509 | * @param random the source of randomness for this signature. |
| 510 | * |
| 511 | * @exception InvalidKeyException if the key is invalid. |
| 512 | */ |
| 513 | public final void initSign(PrivateKey privateKey, SecureRandom random) |
| 514 | throws InvalidKeyException { |
| 515 | engineInitSign(privateKey, random); |
| 516 | state = SIGN; |
| 517 | } |
| 518 | |
| 519 | /** |
| 520 | * Returns the signature bytes of all the data updated. |
| 521 | * The format of the signature depends on the underlying |
| 522 | * signature scheme. |
| 523 | * |
| 524 | * <p>A call to this method resets this signature object to the state |
| 525 | * it was in when previously initialized for signing via a |
| 526 | * call to <code>initSign(PrivateKey)</code>. That is, the object is |
| 527 | * reset and available to generate another signature from the same |
| 528 | * signer, if desired, via new calls to <code>update</code> and |
| 529 | * <code>sign</code>. |
| 530 | * |
| 531 | * @return the signature bytes of the signing operation's result. |
| 532 | * |
| 533 | * @exception SignatureException if this signature object is not |
| 534 | * initialized properly or if this signature algorithm is unable to |
| 535 | * process the input data provided. |
| 536 | */ |
| 537 | public final byte[] sign() throws SignatureException { |
| 538 | if (state == SIGN) { |
| 539 | return engineSign(); |
| 540 | } |
| 541 | throw new SignatureException("object not initialized for " + |
| 542 | "signing"); |
| 543 | } |
| 544 | |
| 545 | /** |
| 546 | * Finishes the signature operation and stores the resulting signature |
| 547 | * bytes in the provided buffer <code>outbuf</code>, starting at |
| 548 | * <code>offset</code>. |
| 549 | * The format of the signature depends on the underlying |
| 550 | * signature scheme. |
| 551 | * |
| 552 | * <p>This signature object is reset to its initial state (the state it |
| 553 | * was in after a call to one of the <code>initSign</code> methods) and |
| 554 | * can be reused to generate further signatures with the same private key. |
| 555 | * |
| 556 | * @param outbuf buffer for the signature result. |
| 557 | * |
| 558 | * @param offset offset into <code>outbuf</code> where the signature is |
| 559 | * stored. |
| 560 | * |
| 561 | * @param len number of bytes within <code>outbuf</code> allotted for the |
| 562 | * signature. |
| 563 | * |
| 564 | * @return the number of bytes placed into <code>outbuf</code>. |
| 565 | * |
| 566 | * @exception SignatureException if this signature object is not |
| 567 | * initialized properly, if this signature algorithm is unable to |
| 568 | * process the input data provided, or if <code>len</code> is less |
| 569 | * than the actual signature length. |
| 570 | * |
| 571 | * @since 1.2 |
| 572 | */ |
| 573 | public final int sign(byte[] outbuf, int offset, int len) |
| 574 | throws SignatureException { |
| 575 | if (outbuf == null) { |
| 576 | throw new IllegalArgumentException("No output buffer given"); |
| 577 | } |
| 578 | if (outbuf.length - offset < len) { |
| 579 | throw new IllegalArgumentException |
| 580 | ("Output buffer too small for specified offset and length"); |
| 581 | } |
| 582 | if (state != SIGN) { |
| 583 | throw new SignatureException("object not initialized for " + |
| 584 | "signing"); |
| 585 | } |
| 586 | return engineSign(outbuf, offset, len); |
| 587 | } |
| 588 | |
| 589 | /** |
| 590 | * Verifies the passed-in signature. |
| 591 | * |
| 592 | * <p>A call to this method resets this signature object to the state |
| 593 | * it was in when previously initialized for verification via a |
| 594 | * call to <code>initVerify(PublicKey)</code>. That is, the object is |
| 595 | * reset and available to verify another signature from the identity |
| 596 | * whose public key was specified in the call to <code>initVerify</code>. |
| 597 | * |
| 598 | * @param signature the signature bytes to be verified. |
| 599 | * |
| 600 | * @return true if the signature was verified, false if not. |
| 601 | * |
| 602 | * @exception SignatureException if this signature object is not |
| 603 | * initialized properly, the passed-in signature is improperly |
| 604 | * encoded or of the wrong type, if this signature algorithm is unable to |
| 605 | * process the input data provided, etc. |
| 606 | */ |
| 607 | public final boolean verify(byte[] signature) throws SignatureException { |
| 608 | if (state == VERIFY) { |
| 609 | return engineVerify(signature); |
| 610 | } |
| 611 | throw new SignatureException("object not initialized for " + |
| 612 | "verification"); |
| 613 | } |
| 614 | |
| 615 | /** |
| 616 | * Verifies the passed-in signature in the specified array |
| 617 | * of bytes, starting at the specified offset. |
| 618 | * |
| 619 | * <p>A call to this method resets this signature object to the state |
| 620 | * it was in when previously initialized for verification via a |
| 621 | * call to <code>initVerify(PublicKey)</code>. That is, the object is |
| 622 | * reset and available to verify another signature from the identity |
| 623 | * whose public key was specified in the call to <code>initVerify</code>. |
| 624 | * |
| 625 | * |
| 626 | * @param signature the signature bytes to be verified. |
| 627 | * @param offset the offset to start from in the array of bytes. |
| 628 | * @param length the number of bytes to use, starting at offset. |
| 629 | * |
| 630 | * @return true if the signature was verified, false if not. |
| 631 | * |
| 632 | * @exception SignatureException if this signature object is not |
| 633 | * initialized properly, the passed-in signature is improperly |
| 634 | * encoded or of the wrong type, if this signature algorithm is unable to |
| 635 | * process the input data provided, etc. |
| 636 | * @exception IllegalArgumentException if the <code>signature</code> |
| 637 | * byte array is null, or the <code>offset</code> or <code>length</code> |
| 638 | * is less than 0, or the sum of the <code>offset</code> and |
| 639 | * <code>length</code> is greater than the length of the |
| 640 | * <code>signature</code> byte array. |
| 641 | * @since 1.4 |
| 642 | */ |
| 643 | public final boolean verify(byte[] signature, int offset, int length) |
| 644 | throws SignatureException { |
| 645 | if (state == VERIFY) { |
| 646 | if ((signature == null) || (offset < 0) || (length < 0) || |
| 647 | (offset + length > signature.length)) { |
| 648 | throw new IllegalArgumentException("Bad arguments"); |
| 649 | } |
| 650 | |
| 651 | return engineVerify(signature, offset, length); |
| 652 | } |
| 653 | throw new SignatureException("object not initialized for " + |
| 654 | "verification"); |
| 655 | } |
| 656 | |
| 657 | /** |
| 658 | * Updates the data to be signed or verified by a byte. |
| 659 | * |
| 660 | * @param b the byte to use for the update. |
| 661 | * |
| 662 | * @exception SignatureException if this signature object is not |
| 663 | * initialized properly. |
| 664 | */ |
| 665 | public final void update(byte b) throws SignatureException { |
| 666 | if (state == VERIFY || state == SIGN) { |
| 667 | engineUpdate(b); |
| 668 | } else { |
| 669 | throw new SignatureException("object not initialized for " |
| 670 | + "signature or verification"); |
| 671 | } |
| 672 | } |
| 673 | |
| 674 | /** |
| 675 | * Updates the data to be signed or verified, using the specified |
| 676 | * array of bytes. |
| 677 | * |
| 678 | * @param data the byte array to use for the update. |
| 679 | * |
| 680 | * @exception SignatureException if this signature object is not |
| 681 | * initialized properly. |
| 682 | */ |
| 683 | public final void update(byte[] data) throws SignatureException { |
| 684 | update(data, 0, data.length); |
| 685 | } |
| 686 | |
| 687 | /** |
| 688 | * Updates the data to be signed or verified, using the specified |
| 689 | * array of bytes, starting at the specified offset. |
| 690 | * |
| 691 | * @param data the array of bytes. |
| 692 | * @param off the offset to start from in the array of bytes. |
| 693 | * @param len the number of bytes to use, starting at offset. |
| 694 | * |
| 695 | * @exception SignatureException if this signature object is not |
| 696 | * initialized properly. |
| 697 | */ |
| 698 | public final void update(byte[] data, int off, int len) |
| 699 | throws SignatureException { |
| 700 | if (state == SIGN || state == VERIFY) { |
| 701 | engineUpdate(data, off, len); |
| 702 | } else { |
| 703 | throw new SignatureException("object not initialized for " |
| 704 | + "signature or verification"); |
| 705 | } |
| 706 | } |
| 707 | |
| 708 | /** |
| 709 | * Updates the data to be signed or verified using the specified |
| 710 | * ByteBuffer. Processes the <code>data.remaining()</code> bytes |
| 711 | * starting at at <code>data.position()</code>. |
| 712 | * Upon return, the buffer's position will be equal to its limit; |
| 713 | * its limit will not have changed. |
| 714 | * |
| 715 | * @param data the ByteBuffer |
| 716 | * |
| 717 | * @exception SignatureException if this signature object is not |
| 718 | * initialized properly. |
| 719 | * @since 1.5 |
| 720 | */ |
| 721 | public final void update(ByteBuffer data) throws SignatureException { |
| 722 | if ((state != SIGN) && (state != VERIFY)) { |
| 723 | throw new SignatureException("object not initialized for " |
| 724 | + "signature or verification"); |
| 725 | } |
| 726 | if (data == null) { |
| 727 | throw new NullPointerException(); |
| 728 | } |
| 729 | engineUpdate(data); |
| 730 | } |
| 731 | |
| 732 | /** |
| 733 | * Returns the name of the algorithm for this signature object. |
| 734 | * |
| 735 | * @return the name of the algorithm for this signature object. |
| 736 | */ |
| 737 | public final String getAlgorithm() { |
| 738 | return this.algorithm; |
| 739 | } |
| 740 | |
| 741 | /** |
| 742 | * Returns a string representation of this signature object, |
| 743 | * providing information that includes the state of the object |
| 744 | * and the name of the algorithm used. |
| 745 | * |
| 746 | * @return a string representation of this signature object. |
| 747 | */ |
| 748 | public String toString() { |
| 749 | String initState = ""; |
| 750 | switch (state) { |
| 751 | case UNINITIALIZED: |
| 752 | initState = "<not initialized>"; |
| 753 | break; |
| 754 | case VERIFY: |
| 755 | initState = "<initialized for verifying>"; |
| 756 | break; |
| 757 | case SIGN: |
| 758 | initState = "<initialized for signing>"; |
| 759 | break; |
| 760 | } |
| 761 | return "Signature object: " + getAlgorithm() + initState; |
| 762 | } |
| 763 | |
| 764 | /** |
| 765 | * Sets the specified algorithm parameter to the specified value. |
| 766 | * This method supplies a general-purpose mechanism through |
| 767 | * which it is possible to set the various parameters of this object. |
| 768 | * A parameter may be any settable parameter for the algorithm, such as |
| 769 | * a parameter size, or a source of random bits for signature generation |
| 770 | * (if appropriate), or an indication of whether or not to perform |
| 771 | * a specific but optional computation. A uniform algorithm-specific |
| 772 | * naming scheme for each parameter is desirable but left unspecified |
| 773 | * at this time. |
| 774 | * |
| 775 | * @param param the string identifier of the parameter. |
| 776 | * @param value the parameter value. |
| 777 | * |
| 778 | * @exception InvalidParameterException if <code>param</code> is an |
| 779 | * invalid parameter for this signature algorithm engine, |
| 780 | * the parameter is already set |
| 781 | * and cannot be set again, a security exception occurs, and so on. |
| 782 | * |
| 783 | * @see #getParameter |
| 784 | * |
| 785 | * @deprecated Use |
| 786 | * {@link #setParameter(java.security.spec.AlgorithmParameterSpec) |
| 787 | * setParameter}. |
| 788 | */ |
| 789 | @Deprecated |
| 790 | public final void setParameter(String param, Object value) |
| 791 | throws InvalidParameterException { |
| 792 | engineSetParameter(param, value); |
| 793 | } |
| 794 | |
| 795 | /** |
| 796 | * Initializes this signature engine with the specified parameter set. |
| 797 | * |
| 798 | * @param params the parameters |
| 799 | * |
| 800 | * @exception InvalidAlgorithmParameterException if the given parameters |
| 801 | * are inappropriate for this signature engine |
| 802 | * |
| 803 | * @see #getParameters |
| 804 | */ |
| 805 | public final void setParameter(AlgorithmParameterSpec params) |
| 806 | throws InvalidAlgorithmParameterException { |
| 807 | engineSetParameter(params); |
| 808 | } |
| 809 | |
| 810 | /** |
| 811 | * Returns the parameters used with this signature object. |
| 812 | * |
| 813 | * <p>The returned parameters may be the same that were used to initialize |
| 814 | * this signature, or may contain a combination of default and randomly |
| 815 | * generated parameter values used by the underlying signature |
| 816 | * implementation if this signature requires algorithm parameters but |
| 817 | * was not initialized with any. |
| 818 | * |
| 819 | * @return the parameters used with this signature, or null if this |
| 820 | * signature does not use any parameters. |
| 821 | * |
| 822 | * @see #setParameter(AlgorithmParameterSpec) |
| 823 | * @since 1.4 |
| 824 | */ |
| 825 | public final AlgorithmParameters getParameters() { |
| 826 | return engineGetParameters(); |
| 827 | } |
| 828 | |
| 829 | /** |
| 830 | * Gets the value of the specified algorithm parameter. This method |
| 831 | * supplies a general-purpose mechanism through which it is possible to |
| 832 | * get the various parameters of this object. A parameter may be any |
| 833 | * settable parameter for the algorithm, such as a parameter size, or |
| 834 | * a source of random bits for signature generation (if appropriate), |
| 835 | * or an indication of whether or not to perform a specific but optional |
| 836 | * computation. A uniform algorithm-specific naming scheme for each |
| 837 | * parameter is desirable but left unspecified at this time. |
| 838 | * |
| 839 | * @param param the string name of the parameter. |
| 840 | * |
| 841 | * @return the object that represents the parameter value, or null if |
| 842 | * there is none. |
| 843 | * |
| 844 | * @exception InvalidParameterException if <code>param</code> is an invalid |
| 845 | * parameter for this engine, or another exception occurs while |
| 846 | * trying to get this parameter. |
| 847 | * |
| 848 | * @see #setParameter(String, Object) |
| 849 | * |
| 850 | * @deprecated |
| 851 | */ |
| 852 | @Deprecated |
| 853 | public final Object getParameter(String param) |
| 854 | throws InvalidParameterException { |
| 855 | return engineGetParameter(param); |
| 856 | } |
| 857 | |
| 858 | /** |
| 859 | * Returns a clone if the implementation is cloneable. |
| 860 | * |
| 861 | * @return a clone if the implementation is cloneable. |
| 862 | * |
| 863 | * @exception CloneNotSupportedException if this is called |
| 864 | * on an implementation that does not support <code>Cloneable</code>. |
| 865 | */ |
| 866 | public Object clone() throws CloneNotSupportedException { |
| 867 | if (this instanceof Cloneable) { |
| 868 | return super.clone(); |
| 869 | } else { |
| 870 | throw new CloneNotSupportedException(); |
| 871 | } |
| 872 | } |
| 873 | |
| 874 | /* |
| 875 | * The following class allows providers to extend from SignatureSpi |
| 876 | * rather than from Signature. It represents a Signature with an |
| 877 | * encapsulated, provider-supplied SPI object (of type SignatureSpi). |
| 878 | * If the provider implementation is an instance of SignatureSpi, the |
| 879 | * getInstance() methods above return an instance of this class, with |
| 880 | * the SPI object encapsulated. |
| 881 | * |
| 882 | * Note: All SPI methods from the original Signature class have been |
| 883 | * moved up the hierarchy into a new class (SignatureSpi), which has |
| 884 | * been interposed in the hierarchy between the API (Signature) |
| 885 | * and its original parent (Object). |
| 886 | */ |
| 887 | |
| 888 | private static class Delegate extends Signature { |
| 889 | |
| 890 | // The provider implementation (delegate) |
| 891 | // filled in once the provider is selected |
| 892 | private SignatureSpi sigSpi; |
| 893 | |
| 894 | // lock for mutex during provider selection |
| 895 | private final Object lock; |
| 896 | |
| 897 | // next service to try in provider selection |
| 898 | // null once provider is selected |
| 899 | private Service firstService; |
| 900 | |
| 901 | // remaining services to try in provider selection |
| 902 | // null once provider is selected |
| 903 | private Iterator<Service> serviceIterator; |
| 904 | |
| 905 | // constructor |
| 906 | Delegate(SignatureSpi sigSpi, String algorithm) { |
| 907 | super(algorithm); |
| 908 | this.sigSpi = sigSpi; |
| 909 | this.lock = null; // no lock needed |
| 910 | } |
| 911 | |
| 912 | // used with delayed provider selection |
| 913 | Delegate(Service service, |
| 914 | Iterator<Service> iterator, String algorithm) { |
| 915 | super(algorithm); |
| 916 | this.firstService = service; |
| 917 | this.serviceIterator = iterator; |
| 918 | this.lock = new Object(); |
| 919 | } |
| 920 | |
| 921 | /** |
| 922 | * Returns a clone if the delegate is cloneable. |
| 923 | * |
| 924 | * @return a clone if the delegate is cloneable. |
| 925 | * |
| 926 | * @exception CloneNotSupportedException if this is called on a |
| 927 | * delegate that does not support <code>Cloneable</code>. |
| 928 | */ |
| 929 | public Object clone() throws CloneNotSupportedException { |
| 930 | chooseFirstProvider(); |
| 931 | if (sigSpi instanceof Cloneable) { |
| 932 | SignatureSpi sigSpiClone = (SignatureSpi)sigSpi.clone(); |
| 933 | // Because 'algorithm' and 'provider' are private |
| 934 | // members of our supertype, we must perform a cast to |
| 935 | // access them. |
| 936 | Signature that = |
| 937 | new Delegate(sigSpiClone, ((Signature)this).algorithm); |
| 938 | that.provider = ((Signature)this).provider; |
| 939 | return that; |
| 940 | } else { |
| 941 | throw new CloneNotSupportedException(); |
| 942 | } |
| 943 | } |
| 944 | |
| 945 | private static SignatureSpi newInstance(Service s) |
| 946 | throws NoSuchAlgorithmException { |
| 947 | if (s.getType().equals("Cipher")) { |
| 948 | // must be NONEwithRSA |
| 949 | try { |
| 950 | Cipher c = Cipher.getInstance(RSA_CIPHER, s.getProvider()); |
| 951 | return new CipherAdapter(c); |
| 952 | } catch (NoSuchPaddingException e) { |
| 953 | throw new NoSuchAlgorithmException(e); |
| 954 | } |
| 955 | } else { |
| 956 | Object o = s.newInstance(null); |
| 957 | if (o instanceof SignatureSpi == false) { |
| 958 | throw new NoSuchAlgorithmException |
| 959 | ("Not a SignatureSpi: " + o.getClass().getName()); |
| 960 | } |
| 961 | return (SignatureSpi)o; |
| 962 | } |
| 963 | } |
| 964 | |
| 965 | // max number of debug warnings to print from chooseFirstProvider() |
| 966 | private static int warnCount = 10; |
| 967 | |
| 968 | /** |
| 969 | * Choose the Spi from the first provider available. Used if |
| 970 | * delayed provider selection is not possible because initSign()/ |
| 971 | * initVerify() is not the first method called. |
| 972 | */ |
| 973 | void chooseFirstProvider() { |
| 974 | if (sigSpi != null) { |
| 975 | return; |
| 976 | } |
| 977 | synchronized (lock) { |
| 978 | if (sigSpi != null) { |
| 979 | return; |
| 980 | } |
| 981 | if (debug != null) { |
| 982 | int w = --warnCount; |
| 983 | if (w >= 0) { |
| 984 | debug.println("Signature.init() not first method " |
| 985 | + "called, disabling delayed provider selection"); |
| 986 | if (w == 0) { |
| 987 | debug.println("Further warnings of this type will " |
| 988 | + "be suppressed"); |
| 989 | } |
| 990 | new Exception("Call trace").printStackTrace(); |
| 991 | } |
| 992 | } |
| 993 | Exception lastException = null; |
| 994 | while ((firstService != null) || serviceIterator.hasNext()) { |
| 995 | Service s; |
| 996 | if (firstService != null) { |
| 997 | s = firstService; |
| 998 | firstService = null; |
| 999 | } else { |
| 1000 | s = serviceIterator.next(); |
| 1001 | } |
| 1002 | if (isSpi(s) == false) { |
| 1003 | continue; |
| 1004 | } |
| 1005 | try { |
| 1006 | sigSpi = newInstance(s); |
| 1007 | provider = s.getProvider(); |
| 1008 | // not needed any more |
| 1009 | firstService = null; |
| 1010 | serviceIterator = null; |
| 1011 | return; |
| 1012 | } catch (NoSuchAlgorithmException e) { |
| 1013 | lastException = e; |
| 1014 | } |
| 1015 | } |
| 1016 | ProviderException e = new ProviderException |
| 1017 | ("Could not construct SignatureSpi instance"); |
| 1018 | if (lastException != null) { |
| 1019 | e.initCause(lastException); |
| 1020 | } |
| 1021 | throw e; |
| 1022 | } |
| 1023 | } |
| 1024 | |
| 1025 | private void chooseProvider(int type, Key key, SecureRandom random) |
| 1026 | throws InvalidKeyException { |
| 1027 | synchronized (lock) { |
| 1028 | if (sigSpi != null) { |
| 1029 | init(sigSpi, type, key, random); |
| 1030 | return; |
| 1031 | } |
| 1032 | Exception lastException = null; |
| 1033 | while ((firstService != null) || serviceIterator.hasNext()) { |
| 1034 | Service s; |
| 1035 | if (firstService != null) { |
| 1036 | s = firstService; |
| 1037 | firstService = null; |
| 1038 | } else { |
| 1039 | s = serviceIterator.next(); |
| 1040 | } |
| 1041 | // if provider says it does not support this key, ignore it |
| 1042 | if (s.supportsParameter(key) == false) { |
| 1043 | continue; |
| 1044 | } |
| 1045 | // if instance is not a SignatureSpi, ignore it |
| 1046 | if (isSpi(s) == false) { |
| 1047 | continue; |
| 1048 | } |
| 1049 | try { |
| 1050 | SignatureSpi spi = newInstance(s); |
| 1051 | init(spi, type, key, random); |
| 1052 | provider = s.getProvider(); |
| 1053 | sigSpi = spi; |
| 1054 | firstService = null; |
| 1055 | serviceIterator = null; |
| 1056 | return; |
| 1057 | } catch (Exception e) { |
| 1058 | // NoSuchAlgorithmException from newInstance() |
| 1059 | // InvalidKeyException from init() |
| 1060 | // RuntimeException (ProviderException) from init() |
| 1061 | if (lastException == null) { |
| 1062 | lastException = e; |
| 1063 | } |
| 1064 | } |
| 1065 | } |
| 1066 | // no working provider found, fail |
| 1067 | if (lastException instanceof InvalidKeyException) { |
| 1068 | throw (InvalidKeyException)lastException; |
| 1069 | } |
| 1070 | if (lastException instanceof RuntimeException) { |
| 1071 | throw (RuntimeException)lastException; |
| 1072 | } |
| 1073 | String k = (key != null) ? key.getClass().getName() : "(null)"; |
| 1074 | throw new InvalidKeyException |
| 1075 | ("No installed provider supports this key: " |
| 1076 | + k, lastException); |
| 1077 | } |
| 1078 | } |
| 1079 | |
| 1080 | private final static int I_PUB = 1; |
| 1081 | private final static int I_PRIV = 2; |
| 1082 | private final static int I_PRIV_SR = 3; |
| 1083 | |
| 1084 | private void init(SignatureSpi spi, int type, Key key, |
| 1085 | SecureRandom random) throws InvalidKeyException { |
| 1086 | switch (type) { |
| 1087 | case I_PUB: |
| 1088 | spi.engineInitVerify((PublicKey)key); |
| 1089 | break; |
| 1090 | case I_PRIV: |
| 1091 | spi.engineInitSign((PrivateKey)key); |
| 1092 | break; |
| 1093 | case I_PRIV_SR: |
| 1094 | spi.engineInitSign((PrivateKey)key, random); |
| 1095 | break; |
| 1096 | default: |
| 1097 | throw new AssertionError("Internal error: " + type); |
| 1098 | } |
| 1099 | } |
| 1100 | |
| 1101 | protected void engineInitVerify(PublicKey publicKey) |
| 1102 | throws InvalidKeyException { |
| 1103 | if (sigSpi != null) { |
| 1104 | sigSpi.engineInitVerify(publicKey); |
| 1105 | } else { |
| 1106 | chooseProvider(I_PUB, publicKey, null); |
| 1107 | } |
| 1108 | } |
| 1109 | |
| 1110 | protected void engineInitSign(PrivateKey privateKey) |
| 1111 | throws InvalidKeyException { |
| 1112 | if (sigSpi != null) { |
| 1113 | sigSpi.engineInitSign(privateKey); |
| 1114 | } else { |
| 1115 | chooseProvider(I_PRIV, privateKey, null); |
| 1116 | } |
| 1117 | } |
| 1118 | |
| 1119 | protected void engineInitSign(PrivateKey privateKey, SecureRandom sr) |
| 1120 | throws InvalidKeyException { |
| 1121 | if (sigSpi != null) { |
| 1122 | sigSpi.engineInitSign(privateKey, sr); |
| 1123 | } else { |
| 1124 | chooseProvider(I_PRIV_SR, privateKey, sr); |
| 1125 | } |
| 1126 | } |
| 1127 | |
| 1128 | protected void engineUpdate(byte b) throws SignatureException { |
| 1129 | chooseFirstProvider(); |
| 1130 | sigSpi.engineUpdate(b); |
| 1131 | } |
| 1132 | |
| 1133 | protected void engineUpdate(byte[] b, int off, int len) |
| 1134 | throws SignatureException { |
| 1135 | chooseFirstProvider(); |
| 1136 | sigSpi.engineUpdate(b, off, len); |
| 1137 | } |
| 1138 | |
| 1139 | protected void engineUpdate(ByteBuffer data) { |
| 1140 | chooseFirstProvider(); |
| 1141 | sigSpi.engineUpdate(data); |
| 1142 | } |
| 1143 | |
| 1144 | protected byte[] engineSign() throws SignatureException { |
| 1145 | chooseFirstProvider(); |
| 1146 | return sigSpi.engineSign(); |
| 1147 | } |
| 1148 | |
| 1149 | protected int engineSign(byte[] outbuf, int offset, int len) |
| 1150 | throws SignatureException { |
| 1151 | chooseFirstProvider(); |
| 1152 | return sigSpi.engineSign(outbuf, offset, len); |
| 1153 | } |
| 1154 | |
| 1155 | protected boolean engineVerify(byte[] sigBytes) |
| 1156 | throws SignatureException { |
| 1157 | chooseFirstProvider(); |
| 1158 | return sigSpi.engineVerify(sigBytes); |
| 1159 | } |
| 1160 | |
| 1161 | protected boolean engineVerify(byte[] sigBytes, int offset, int length) |
| 1162 | throws SignatureException { |
| 1163 | chooseFirstProvider(); |
| 1164 | return sigSpi.engineVerify(sigBytes, offset, length); |
| 1165 | } |
| 1166 | |
| 1167 | protected void engineSetParameter(String param, Object value) |
| 1168 | throws InvalidParameterException { |
| 1169 | chooseFirstProvider(); |
| 1170 | sigSpi.engineSetParameter(param, value); |
| 1171 | } |
| 1172 | |
| 1173 | protected void engineSetParameter(AlgorithmParameterSpec params) |
| 1174 | throws InvalidAlgorithmParameterException { |
| 1175 | chooseFirstProvider(); |
| 1176 | sigSpi.engineSetParameter(params); |
| 1177 | } |
| 1178 | |
| 1179 | protected Object engineGetParameter(String param) |
| 1180 | throws InvalidParameterException { |
| 1181 | chooseFirstProvider(); |
| 1182 | return sigSpi.engineGetParameter(param); |
| 1183 | } |
| 1184 | |
| 1185 | protected AlgorithmParameters engineGetParameters() { |
| 1186 | chooseFirstProvider(); |
| 1187 | return sigSpi.engineGetParameters(); |
| 1188 | } |
| 1189 | } |
| 1190 | |
| 1191 | // adapter for RSA/ECB/PKCS1Padding ciphers |
| 1192 | private static class CipherAdapter extends SignatureSpi { |
| 1193 | |
| 1194 | private final Cipher cipher; |
| 1195 | |
| 1196 | private ByteArrayOutputStream data; |
| 1197 | |
| 1198 | CipherAdapter(Cipher cipher) { |
| 1199 | this.cipher = cipher; |
| 1200 | } |
| 1201 | |
| 1202 | protected void engineInitVerify(PublicKey publicKey) |
| 1203 | throws InvalidKeyException { |
| 1204 | cipher.init(Cipher.DECRYPT_MODE, publicKey); |
| 1205 | if (data == null) { |
| 1206 | data = new ByteArrayOutputStream(128); |
| 1207 | } else { |
| 1208 | data.reset(); |
| 1209 | } |
| 1210 | } |
| 1211 | |
| 1212 | protected void engineInitSign(PrivateKey privateKey) |
| 1213 | throws InvalidKeyException { |
| 1214 | cipher.init(Cipher.ENCRYPT_MODE, privateKey); |
| 1215 | data = null; |
| 1216 | } |
| 1217 | |
| 1218 | protected void engineInitSign(PrivateKey privateKey, |
| 1219 | SecureRandom random) throws InvalidKeyException { |
| 1220 | cipher.init(Cipher.ENCRYPT_MODE, privateKey, random); |
| 1221 | data = null; |
| 1222 | } |
| 1223 | |
| 1224 | protected void engineUpdate(byte b) throws SignatureException { |
| 1225 | engineUpdate(new byte[] {b}, 0, 1); |
| 1226 | } |
| 1227 | |
| 1228 | protected void engineUpdate(byte[] b, int off, int len) |
| 1229 | throws SignatureException { |
| 1230 | if (data != null) { |
| 1231 | data.write(b, off, len); |
| 1232 | return; |
| 1233 | } |
| 1234 | byte[] out = cipher.update(b, off, len); |
| 1235 | if ((out != null) && (out.length != 0)) { |
| 1236 | throw new SignatureException |
| 1237 | ("Cipher unexpectedly returned data"); |
| 1238 | } |
| 1239 | } |
| 1240 | |
| 1241 | protected byte[] engineSign() throws SignatureException { |
| 1242 | try { |
| 1243 | return cipher.doFinal(); |
| 1244 | } catch (IllegalBlockSizeException e) { |
| 1245 | throw new SignatureException("doFinal() failed", e); |
| 1246 | } catch (BadPaddingException e) { |
| 1247 | throw new SignatureException("doFinal() failed", e); |
| 1248 | } |
| 1249 | } |
| 1250 | |
| 1251 | protected boolean engineVerify(byte[] sigBytes) |
| 1252 | throws SignatureException { |
| 1253 | try { |
| 1254 | byte[] out = cipher.doFinal(sigBytes); |
| 1255 | byte[] dataBytes = data.toByteArray(); |
| 1256 | data.reset(); |
| 1257 | return Arrays.equals(out, dataBytes); |
| 1258 | } catch (BadPaddingException e) { |
| 1259 | // e.g. wrong public key used |
| 1260 | // return false rather than throwing exception |
| 1261 | return false; |
| 1262 | } catch (IllegalBlockSizeException e) { |
| 1263 | throw new SignatureException("doFinal() failed", e); |
| 1264 | } |
| 1265 | } |
| 1266 | |
| 1267 | protected void engineSetParameter(String param, Object value) |
| 1268 | throws InvalidParameterException { |
| 1269 | throw new InvalidParameterException("Parameters not supported"); |
| 1270 | } |
| 1271 | |
| 1272 | protected Object engineGetParameter(String param) |
| 1273 | throws InvalidParameterException { |
| 1274 | throw new InvalidParameterException("Parameters not supported"); |
| 1275 | } |
| 1276 | |
| 1277 | } |
| 1278 | |
| 1279 | } |