PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/jdk17u
Path: blob/master/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSAOperations.java
/*
* Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ec;
import sun.security.ec.point.*;
import sun.security.util.ArrayUtil;
import sun.security.util.math.*;
import static sun.security.ec.ECOperations.IntermediateValueException;
import java.math.BigInteger;
import java.security.ProviderException;
import java.security.spec.*;
import java.util.Arrays;
import java.util.Optional;
/**
 * ECDSA signing and verification built on top of an {@link ECOperations}
 * instance and a fixed base point.
 *
 * Scalars handed to this class (private key, nonce) are little-endian byte
 * arrays, while signatures are produced and consumed as the fixed-width
 * concatenation {@code r || s} in conventional (big-endian) byte order.
 */
public class ECDSAOperations {

    /**
     * Holder for the seed bytes from which a per-signature nonce is derived
     * (see {@link #signDigest(byte[], byte[], Seed)}).
     *
     * The array is stored and returned by reference; no defensive copy is
     * made. Because the seed determines the nonce, it must be treated as
     * secret material: whoever holds the array can change or read the value
     * seen through this object.
     */
    public static class Seed {
        private final byte[] seedValue;

        /**
         * @param seedValue the seed bytes; the reference is kept as-is
         */
        public Seed(byte[] seedValue) {
            this.seedValue = seedValue;
        }

        /**
         * @return the same array that was passed to the constructor
         */
        public byte[] getSeedValue() {
            return seedValue;
        }
    }

    /**
     * Holder for a per-signature nonce, as a little-endian scalar
     * (see {@link #signDigest(byte[], byte[], Nonce)}).
     *
     * The array is stored and returned by reference; no defensive copy is
     * made. An ECDSA nonce must stay secret and must never be used for more
     * than one signature under the same private key, so callers that build
     * a Nonce directly are responsible for both properties.
     */
    public static class Nonce {
        private final byte[] nonceValue;

        /**
         * @param nonceValue the nonce bytes; the reference is kept as-is
         */
        public Nonce(byte[] nonceValue) {
            this.nonceValue = nonceValue;
        }

        /**
         * @return the same array that was passed to the constructor
         */
        public byte[] getNonceValue() {
            return nonceValue;
        }
    }

    private final ECOperations ecOps;
    // Base point (generator) converted once into the curve's field.
    private final AffinePoint basePoint;

    /**
     * Creates the ECDSA operations for a curve and base point.
     *
     * @param ecOps the curve arithmetic to use
     * @param basePoint the base point, converted with
     *        {@link #toAffinePoint} using {@code ecOps.getField()}
     */
    public ECDSAOperations(ECOperations ecOps, ECPoint basePoint) {
        this.ecOps = ecOps;
        this.basePoint = toAffinePoint(basePoint, ecOps.getField());
    }

    /**
     * @return the curve arithmetic this instance was created with
     */
    public ECOperations getEcOperations() {
        return ecOps;
    }

    /**
     * Multiplies the base point by a scalar and returns the affine result.
     *
     * @param scalar the scalar; presumably little-endian, as for the nonce
     *        passed to the same {@code ECOperations.multiply} call in
     *        signDigest -- confirm against ECOperations
     * @return the product as an affine point
     */
    public AffinePoint basePointMultiply(byte[] scalar) {
        return ecOps.multiply(basePoint, scalar).asAffine();
    }

    /**
     * Converts an {@link ECPoint} into an {@link AffinePoint} by mapping
     * its affine X and Y coordinates into the given field.
     *
     * This is a representation change only: no check that the point lies
     * on a curve, or that it is not the point at infinity, is made here.
     *
     * @param point the point to convert
     * @param field the field the coordinates are mapped into
     * @return the point with field-element coordinates
     */
    public static AffinePoint toAffinePoint(ECPoint point,
        IntegerFieldModuloP field) {

        ImmutableIntegerModuloP affineX = field.getElement(point.getAffineX());
        ImmutableIntegerModuloP affineY = field.getElement(point.getAffineY());
        return new AffinePoint(affineX, affineY);
    }

    /**
     * Looks up the ECDSA operations for a set of curve parameters.
     *
     * @param ecParams the curve parameters; the generator is used as the
     *        base point
     * @return the operations, or an empty Optional when
     *         {@code ECOperations.forParameters} returns empty (presumably
     *         because the curve is not supported -- confirm there)
     */
    public static
    Optional<ECDSAOperations> forParameters(ECParameterSpec ecParams) {
        Optional<ECOperations> curveOps =
            ECOperations.forParameters(ecParams);
        return curveOps.map(
            ops -> new ECDSAOperations(ops, ecParams.getGenerator())
        );
    }

    /**
     * Sign a digest using the provided private key and seed.
     * IMPORTANT: The private key is a scalar represented using a
     * little-endian byte array. This is backwards from the conventional
     * representation in ECDSA. The routines that produce and consume this
     * value use little-endian, so this deviation from convention removes
     * the requirement to swap the byte order. The returned signature is in
     * the conventional byte order.
     *
     * @param privateKey the private key scalar as a little-endian byte array
     * @param digest the digest to be signed
     * @param seed the seed that will be used to produce the nonce. This object
     *             should contain an array that is at least 64 bits longer than
     *             the number of bits required to represent the group order.
     * @return the ECDSA signature value
     * @throws IntermediateValueException if the signature cannot be produced
     *      due to an unacceptable intermediate or final value. If this
     *      exception is thrown, then the caller should discard the nonce and
     *      try again with an entirely new nonce value.
     */
    public byte[] signDigest(byte[] privateKey, byte[] digest, Seed seed)
        throws IntermediateValueException {

        // NOTE(review): nonceArr holds the secret per-signature nonce and is
        // not cleared in this method after signing; whether seedToScalar
        // returns a fresh array is not visible here -- confirm before adding
        // any zeroization.
        byte[] nonceArr = ecOps.seedToScalar(seed.getSeedValue());

        Nonce nonce = new Nonce(nonceArr);
        return signDigest(privateKey, digest, nonce);
    }

    /**
     * Sign a digest using the provided private key and nonce.
     * IMPORTANT: The private key and nonce are scalars represented by a
     * little-endian byte array. This is backwards from the conventional
     * representation in ECDSA. The routines that produce and consume these
     * values use little-endian, so this deviation from convention removes
     * the requirement to swap the byte order. The returned signature is in
     * the conventional byte order.
     *
     * The result is the fixed-width concatenation {@code r || s}, each half
     * as long as the byte length of the group order; it is not ASN.1/DER
     * encoded.
     *
     * @param privateKey the private key scalar as a little-endian byte array
     * @param digest the digest to be signed
     * @param nonce the nonce object containing a little-endian scalar value.
     * @return the ECDSA signature value
     * @throws IntermediateValueException if the signature cannot be produced
     *      due to an unacceptable intermediate or final value. If this
     *      exception is thrown, then the caller should discard the nonce and
     *      try again with an entirely new nonce value.
     * @throws ProviderException if the digest would need truncation to a
     *      bit length that is not a multiple of 8, or if the nonce does not
     *      have the byte length of the group order
     */
    public byte[] signDigest(byte[] privateKey, byte[] digest, Nonce nonce)
        throws IntermediateValueException {

        IntegerFieldModuloP orderField = ecOps.getOrderField();
        int orderBits = orderField.getSize().bitLength();
        if (orderBits % 8 != 0 && orderBits < digest.length * 8) {
            // This implementation does not support truncating digests to
            // a length that is not a multiple of 8.
            throw new ProviderException("Invalid digest length");
        }

        byte[] k = nonce.getNonceValue();
        // check nonce length
        // NOTE(review): only the length of k is checked here; that k is
        // non-zero and below the group order is presumably guaranteed by
        // whoever produced it (e.g. seedToScalar) -- confirm for callers
        // that construct a Nonce directly.
        int length = (orderField.getSize().bitLength() + 7) / 8;
        if (k.length != length) {
            throw new ProviderException("Incorrect nonce length");
        }

        // R = k * G; r is taken from the x-coordinate of R
        MutablePoint R = ecOps.multiply(basePoint, k);
        IntegerModuloP r = R.asAffine().getX();
        // put r into the correct field by fully reducing to an array
        byte[] temp = new byte[length];
        r = b2a(r, orderField, temp);
        byte[] result = new byte[2 * length];
        // temp is reversed in place so that r is written to the first half
        // of the result in conventional byte order
        ArrayUtil.reverse(temp);
        System.arraycopy(temp, 0, result, 0, length);
        // compare r to 0
        if (ECOperations.allZero(temp)) {
            throw new IntermediateValueException();
        }

        IntegerModuloP dU = orderField.getElement(privateKey);
        // e is built from the leading min(length, digest.length) bytes of
        // the digest, reversed to the little-endian form getElement is
        // given elsewhere in this method
        int lengthE = Math.min(length, digest.length);
        byte[] E = new byte[lengthE];
        System.arraycopy(digest, 0, E, 0, lengthE);
        ArrayUtil.reverse(E);
        IntegerModuloP e = orderField.getElement(E);
        IntegerModuloP kElem = orderField.getElement(k);
        IntegerModuloP kInv = kElem.multiplicativeInverse();
        // s = (r * dU + e) * k^-1 in the order field
        MutableIntegerModuloP s = r.mutable();
        s.setProduct(dU).setSum(e).setProduct(kInv);
        // store s in result
        // temp is reused: r has already been copied out above
        s.asByteArray(temp);
        ArrayUtil.reverse(temp);
        System.arraycopy(temp, 0, result, length, length);
        // compare s to 0
        if (ECOperations.allZero(temp)) {
            throw new IntermediateValueException();
        }

        return result;

    }

    /**
     * Verifies an ECDSA signature over a digest.
     *
     * The signature is expected as the concatenation {@code r || s} of two
     * equally long big-endian values; this method does not parse ASN.1/DER.
     * Halves shorter than the byte length of the group order are
     * left-padded with zeros, longer ones are rejected.
     *
     * The public key point is converted into the curve's field without
     * any validation in this method.
     * NOTE(review): callers presumably validate the public key (on-curve,
     * not the point at infinity) before calling -- confirm at the call
     * sites.
     *
     * @param digest the digest that was signed
     * @param sig the signature as {@code r || s}
     * @param pp the public key point
     * @return true if the signature verifies; false if it does not or if
     *         {@code sig} has an odd length, is too long, or carries an
     *         r or s outside the range 1..n-1 (n being the group order)
     */
    public boolean verifySignedDigest(byte[] digest, byte[] sig, ECPoint pp) {

        IntegerFieldModuloP field = ecOps.getField();
        IntegerFieldModuloP orderField = ecOps.getOrderField();
        BigInteger mod = orderField.getSize();
        int length = (mod.bitLength() + 7) / 8;

        byte[] r;
        byte[] s;

        // Split sig into two halves; each half becomes a length-byte
        // big-endian array, left-padded with zeros when it is shorter.
        int encodeLength = sig.length / 2;
        if (sig.length %2 != 0 || encodeLength > length) {
            return false;
        } else if (encodeLength == length) {
            r = Arrays.copyOf(sig, length);
            s = Arrays.copyOfRange(sig, length, length * 2);
        } else {
            r = new byte[length];
            s = new byte[length];
            System.arraycopy(sig, 0, r, length - encodeLength, encodeLength);
            System.arraycopy(sig, encodeLength, s, length - encodeLength, encodeLength);
        }

        // ECDSA requires 1 <= r, s <= n - 1. This range check must stay
        // ahead of the modular inversion and point arithmetic below, so
        // that zero or unreduced values are rejected instead of being
        // processed.
        BigInteger rb = new BigInteger(1, r);
        BigInteger sb = new BigInteger(1, s);
        if (rb.signum() == 0 || sb.signum() == 0
            || rb.compareTo(mod) >= 0 || sb.compareTo(mod) >= 0) {
            return false;
        }

        // r and s are reversed in place before being turned into
        // order-field elements
        ArrayUtil.reverse(r);
        ArrayUtil.reverse(s);
        IntegerModuloP ri = orderField.getElement(r);
        IntegerModuloP si = orderField.getElement(s);
        // z
        // Built from the leading min(length, digest.length) bytes of the
        // digest, as in signDigest.
        // NOTE(review): unlike signDigest, there is no "Invalid digest
        // length" check here for a digest longer than an order whose bit
        // length is not a multiple of 8 -- confirm whether that is intended.
        int lengthE = Math.min(length, digest.length);
        byte[] E = new byte[lengthE];
        System.arraycopy(digest, 0, E, 0, lengthE);
        ArrayUtil.reverse(E);
        IntegerModuloP e = orderField.getElement(E);

        // u1 = e * s^-1 and u2 = r * s^-1 in the order field
        IntegerModuloP sInv = si.multiplicativeInverse();
        ImmutableIntegerModuloP u1 = e.multiply(sInv);
        ImmutableIntegerModuloP u2 = ri.multiply(sInv);

        AffinePoint pub = new AffinePoint(field.getElement(pp.getAffineX()),
            field.getElement(pp.getAffineY()));

        // b2a is called for its side effect: it fills the array with the
        // reduced scalar bytes that multiply() takes
        byte[] temp1 = new byte[length];
        b2a(u1, orderField, temp1);

        byte[] temp2 = new byte[length];
        b2a(u2, orderField, temp2);

        // p1 = u1 * G, p2 = u2 * Q; p2 is then added into p1
        MutablePoint p1 = ecOps.multiply(basePoint, temp1);
        MutablePoint p2 = ecOps.multiply(pub, temp2);

        ecOps.setSum(p1, p2.asAffine());
        IntegerModuloP result = p1.asAffine().getX();
        // result = r - x; the signature is accepted only if this encodes
        // to all-zero bytes after reduction through b2a
        result = result.additiveInverse().add(ri);

        b2a(result, orderField, temp1);
        return ECOperations.allZero(temp1);
    }

    /**
     * Re-creates a value as an element of {@code orderField} by going
     * through its byte-array form.
     *
     * {@code temp1} is used as scratch space and is overwritten: on return
     * it holds the bytes of the returned element.
     *
     * @param b the value to convert
     * @param orderField the field the result belongs to
     * @param temp1 scratch and output buffer; callers in this class size
     *        it to the byte length of the group order
     * @return the element of {@code orderField} built from the bytes of b
     */
    public static ImmutableIntegerModuloP b2a(IntegerModuloP b,
        IntegerFieldModuloP orderField, byte[] temp1) {
        b.asByteArray(temp1);
        ImmutableIntegerModuloP b2 = orderField.getElement(temp1);
        b2.asByteArray(temp1);
        return b2;
    }
}