/*
* Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.rsa;
import java.math.BigInteger;
import java.util.*;
import java.security.SecureRandom;
import java.security.interfaces.*;
import javax.crypto.BadPaddingException;
import sun.security.jca.JCAUtil;
/**
* Core of the RSA implementation. Has code to perform public and private key
* RSA operations (with and without CRT for private key ops). Private CRT ops
* also support blinding to twart timing attacks.
*
* The code in this class only does the core RSA operation. Padding and
* unpadding must be done externally.
*
* Note: RSA keys should be at least 512 bits long
*
* @since 1.5
* @author Andreas Sterbenz
*/
public final class RSACore {
private RSACore() {
// empty
}
/**
* Return the number of bytes required to store the magnitude byte[] of
* this BigInteger. Do not count a 0x00 byte toByteArray() would
* prefix for 2's complement form.
*/
public static int getByteLength(BigInteger b) {
int n = b.bitLength();
return (n + 7) >> 3;
}
/**
* Return the number of bytes required to store the modulus of this
* RSA key.
*/
public static int getByteLength(RSAKey key) {
return getByteLength(key.getModulus());
}
// temporary, used by RSACipher and RSAPadding. Move this somewhere else
public static byte[] convert(byte[] b, int ofs, int len) {
if ((ofs == 0) && (len == b.length)) {
return b;
} else {
byte[] t = new byte[len];
System.arraycopy(b, ofs, t, 0, len);
return t;
}
}
/**
* Perform an RSA public key operation.
*/
public static byte[] rsa(byte[] msg, RSAPublicKey key)
throws BadPaddingException {
return crypt(msg, key.getModulus(), key.getPublicExponent());
}
/**
* Perform an RSA private key operation. Uses CRT if the key is a
* CRT key.
*/
public static byte[] rsa(byte[] msg, RSAPrivateKey key)
throws BadPaddingException {
if (key instanceof RSAPrivateCrtKey) {
return crtCrypt(msg, (RSAPrivateCrtKey)key);
} else {
return crypt(msg, key.getModulus(), key.getPrivateExponent());
}
}
/**
* RSA public key ops and non-CRT private key ops. Simple modPow().
*/
private static byte[] crypt(byte[] msg, BigInteger n, BigInteger exp)
throws BadPaddingException {
BigInteger m = parseMsg(msg, n);
BigInteger c = m.modPow(exp, n);
return toByteArray(c, getByteLength(n));
}
/**
* RSA private key operations with CRT. Algorithm and variable naming
* are taken from PKCS#1 v2.1, section 5.1.2.
*
* The only difference is the addition of blinding to twart timing attacks.
* This is described in the RSA Bulletin#2 (Jan 96) among other places.
* This means instead of implementing RSA as
* m = c ^ d mod n (or RSA in CRT variant)
* we do
* r = random(0, n-1)
* c' = c * r^e mod n
* m' = c' ^ d mod n (or RSA in CRT variant)
* m = m' * r^-1 mod n (where r^-1 is the modular inverse of r mod n)
* This works because r^(e*d) * r^-1 = r * r^-1 = 1 (all mod n)
*
* We do not generate new blinding parameters for each operation but reuse
* them BLINDING_MAX_REUSE times (see definition below).
*/
private static byte[] crtCrypt(byte[] msg, RSAPrivateCrtKey key)
throws BadPaddingException {
BigInteger n = key.getModulus();
BigInteger c = parseMsg(msg, n);
BigInteger p = key.getPrimeP();
BigInteger q = key.getPrimeQ();
BigInteger dP = key.getPrimeExponentP();
BigInteger dQ = key.getPrimeExponentQ();
BigInteger qInv = key.getCrtCoefficient();
BlindingParameters params;
if (ENABLE_BLINDING) {
params = getBlindingParameters(key);
c = c.multiply(params.re).mod(n);
} else {
params = null;
}
// m1 = c ^ dP mod p
BigInteger m1 = c.modPow(dP, p);
// m2 = c ^ dQ mod q
BigInteger m2 = c.modPow(dQ, q);
// h = (m1 - m2) * qInv mod p
BigInteger mtmp = m1.subtract(m2);
if (mtmp.signum() < 0) {
mtmp = mtmp.add(p);
}
BigInteger h = mtmp.multiply(qInv).mod(p);
// m = m2 + q * h
BigInteger m = h.multiply(q).add(m2);
if (params != null) {
m = m.multiply(params.rInv).mod(n);
}
return toByteArray(m, getByteLength(n));
}
/**
* Parse the msg into a BigInteger and check against the modulus n.
*/
private static BigInteger parseMsg(byte[] msg, BigInteger n)
throws BadPaddingException {
BigInteger m = new BigInteger(1, msg);
if (m.compareTo(n) >= 0) {
throw new BadPaddingException("Message is larger than modulus");
}
return m;
}
/**
* Return the encoding of this BigInteger that is exactly len bytes long.
* Prefix/strip off leading 0x00 bytes if necessary.
* Precondition: bi must fit into len bytes
*/
private static byte[] toByteArray(BigInteger bi, int len) {
byte[] b = bi.toByteArray();
int n = b.length;
if (n == len) {
return b;
}
// BigInteger prefixed a 0x00 byte for 2's complement form, remove it
if ((n == len + 1) && (b[0] == 0)) {
byte[] t = new byte[len];
System.arraycopy(b, 1, t, 0, len);
return t;
}
// must be smaller
assert (n < len);
byte[] t = new byte[len];
System.arraycopy(b, 0, t, (len - n), n);
return t;
}
// globally enable/disable use of blinding
private final static boolean ENABLE_BLINDING = true;
// maximum number of times that we will use a set of blinding parameters
// value suggested by Paul Kocher (quoted by NSS)
private final static int BLINDING_MAX_REUSE = 50;
// cache for blinding parameters. Map<BigInteger,BlindingParameters>
// use a weak hashmap so that cached values are automatically cleared
// when the modulus is GC'ed
private final static Map<BigInteger,BlindingParameters> blindingCache =
new WeakHashMap<BigInteger,BlindingParameters>();
/**
* Set of blinding parameters for a given RSA key.
*
* The RSA modulus is usually unique, so we index by modulus in
* blindingCache. However, to protect against the unlikely case of two
* keys sharing the same modulus, we also store the public exponent.
* This means we cannot cache blinding parameters for multiple keys that
* share the same modulus, but since sharing moduli is fundamentally broken
* an insecure, this does not matter.
*/
private static final class BlindingParameters {
// e (RSA public exponent)
final BigInteger e;
// r ^ e mod n
final BigInteger re;
// inverse of r mod n
final BigInteger rInv;
// how many more times this parameter object can be used
private volatile int remainingUses;
BlindingParameters(BigInteger e, BigInteger re, BigInteger rInv) {
this.e = e;
this.re = re;
this.rInv = rInv;
// initialize remaining uses, subtract current use now
remainingUses = BLINDING_MAX_REUSE - 1;
}
boolean valid(BigInteger e) {
int k = remainingUses--;
return (k > 0) && this.e.equals(e);
}
}
/**
* Return valid RSA blinding parameters for the given private key.
* Use cached parameters if available. If not, generate new parameters
* and cache.
*/
private static BlindingParameters getBlindingParameters
(RSAPrivateCrtKey key) {
BigInteger modulus = key.getModulus();
BigInteger e = key.getPublicExponent();
BlindingParameters params;
// we release the lock between get() and put()
// that means threads might concurrently generate new blinding
// parameters for the same modulus. this is only a slight waste
// of cycles and seems preferable in terms of scalability
// to locking out all threads while generating new parameters
synchronized (blindingCache) {
params = blindingCache.get(modulus);
}
if ((params != null) && params.valid(e)) {
return params;
}
int len = modulus.bitLength();
SecureRandom random = JCAUtil.getSecureRandom();
BigInteger r = new BigInteger(len, random).mod(modulus);
BigInteger re = r.modPow(e, modulus);
BigInteger rInv = r.modInverse(modulus);
params = new BlindingParameters(e, re, rInv);
synchronized (blindingCache) {
blindingCache.put(modulus, params);
}
return params;
}
}