0N/A/*
2362N/A * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
0N/A *
0N/A * This code is free software; you can redistribute it and/or modify it
0N/A * under the terms of the GNU General Public License version 2 only, as
2362N/A * published by the Free Software Foundation. Oracle designates this
0N/A * particular file as subject to the "Classpath" exception as provided
2362N/A * by Oracle in the LICENSE file that accompanied this code.
0N/A *
0N/A * This code is distributed in the hope that it will be useful, but WITHOUT
0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
0N/A * version 2 for more details (a copy is included in the LICENSE file that
0N/A * accompanied this code).
0N/A *
0N/A * You should have received a copy of the GNU General Public License version
0N/A * 2 along with this work; if not, write to the Free Software Foundation,
0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
0N/A *
2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
2362N/A * or visit www.oracle.com if you need additional information or have any
2362N/A * questions.
0N/A */
0N/A
0N/Apackage sun.security.provider;
0N/A
0N/Aimport java.math.BigInteger;
0N/Aimport java.security.AlgorithmParameterGeneratorSpi;
0N/Aimport java.security.AlgorithmParameters;
0N/Aimport java.security.InvalidAlgorithmParameterException;
0N/Aimport java.security.NoSuchAlgorithmException;
0N/Aimport java.security.NoSuchProviderException;
0N/Aimport java.security.InvalidParameterException;
0N/Aimport java.security.SecureRandom;
0N/Aimport java.security.spec.AlgorithmParameterSpec;
0N/Aimport java.security.spec.InvalidParameterSpecException;
0N/Aimport java.security.spec.DSAParameterSpec;
0N/A
0N/A/**
0N/A * This class generates parameters for the DSA algorithm. It uses a default
0N/A * prime modulus size of 1024 bits, which can be overwritten during
0N/A * initialization.
0N/A *
0N/A * @author Jan Luehe
0N/A *
0N/A *
0N/A * @see java.security.AlgorithmParameters
0N/A * @see java.security.spec.AlgorithmParameterSpec
0N/A * @see DSAParameters
0N/A *
0N/A * @since 1.2
0N/A */
0N/A
0N/Apublic class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
0N/A
0N/A // the modulus length
0N/A private int modLen = 1024; // default
0N/A
0N/A // the source of randomness
0N/A private SecureRandom random;
0N/A
0N/A // useful constants
0N/A private static final BigInteger ZERO = BigInteger.valueOf(0);
0N/A private static final BigInteger ONE = BigInteger.valueOf(1);
0N/A private static final BigInteger TWO = BigInteger.valueOf(2);
0N/A
0N/A // Make a SHA-1 hash function
0N/A private SHA sha;
0N/A
0N/A public DSAParameterGenerator() {
0N/A this.sha = new SHA();
0N/A }
0N/A
0N/A /**
0N/A * Initializes this parameter generator for a certain strength
0N/A * and source of randomness.
0N/A *
0N/A * @param strength the strength (size of prime) in bits
0N/A * @param random the source of randomness
0N/A */
0N/A protected void engineInit(int strength, SecureRandom random) {
0N/A /*
0N/A * Bruce Schneier, "Applied Cryptography", 2nd Edition,
0N/A * Description of DSA:
0N/A * [...] The algorithm uses the following parameter:
0N/A * p=a prime number L bits long, when L ranges from 512 to 1024 and is
0N/A * a multiple of 64. [...]
0N/A */
0N/A if ((strength < 512) || (strength > 1024) || (strength % 64 != 0)) {
0N/A throw new InvalidParameterException
0N/A ("Prime size must range from 512 to 1024 "
0N/A + "and be a multiple of 64");
0N/A }
0N/A this.modLen = strength;
0N/A this.random = random;
0N/A }
0N/A
0N/A /**
0N/A * Initializes this parameter generator with a set of
0N/A * algorithm-specific parameter generation values.
0N/A *
0N/A * @param params the set of algorithm-specific parameter generation values
0N/A * @param random the source of randomness
0N/A *
0N/A * @exception InvalidAlgorithmParameterException if the given parameter
0N/A * generation values are inappropriate for this parameter generator
0N/A */
0N/A protected void engineInit(AlgorithmParameterSpec genParamSpec,
0N/A SecureRandom random)
0N/A throws InvalidAlgorithmParameterException {
0N/A throw new InvalidAlgorithmParameterException("Invalid parameter");
0N/A }
0N/A
0N/A /**
0N/A * Generates the parameters.
0N/A *
0N/A * @return the new AlgorithmParameters object
0N/A */
0N/A protected AlgorithmParameters engineGenerateParameters() {
0N/A AlgorithmParameters algParams = null;
0N/A try {
0N/A if (this.random == null) {
0N/A this.random = new SecureRandom();
0N/A }
0N/A
0N/A BigInteger[] pAndQ = generatePandQ(this.random, this.modLen);
0N/A BigInteger paramP = pAndQ[0];
0N/A BigInteger paramQ = pAndQ[1];
0N/A BigInteger paramG = generateG(paramP, paramQ);
0N/A
0N/A DSAParameterSpec dsaParamSpec = new DSAParameterSpec(paramP,
0N/A paramQ,
0N/A paramG);
0N/A algParams = AlgorithmParameters.getInstance("DSA", "SUN");
0N/A algParams.init(dsaParamSpec);
0N/A } catch (InvalidParameterSpecException e) {
0N/A // this should never happen
0N/A throw new RuntimeException(e.getMessage());
0N/A } catch (NoSuchAlgorithmException e) {
0N/A // this should never happen, because we provide it
0N/A throw new RuntimeException(e.getMessage());
0N/A } catch (NoSuchProviderException e) {
0N/A // this should never happen, because we provide it
0N/A throw new RuntimeException(e.getMessage());
0N/A }
0N/A
0N/A return algParams;
0N/A }
0N/A
0N/A /*
0N/A * Generates the prime and subprime parameters for DSA,
0N/A * using the provided source of randomness.
0N/A * This method will generate new seeds until a suitable
0N/A * seed has been found.
0N/A *
0N/A * @param random the source of randomness to generate the
0N/A * seed
0N/A * @param L the size of <code>p</code>, in bits.
0N/A *
0N/A * @return an array of BigInteger, with <code>p</code> at index 0 and
0N/A * <code>q</code> at index 1.
0N/A */
0N/A BigInteger[] generatePandQ(SecureRandom random, int L) {
0N/A BigInteger[] result = null;
0N/A byte[] seed = new byte[20];
0N/A
0N/A while(result == null) {
0N/A for (int i = 0; i < 20; i++) {
0N/A seed[i] = (byte)random.nextInt();
0N/A }
0N/A result = generatePandQ(seed, L);
0N/A }
0N/A return result;
0N/A }
0N/A
0N/A /*
0N/A * Generates the prime and subprime parameters for DSA.
0N/A *
0N/A * <p>The seed parameter corresponds to the <code>SEED</code> parameter
0N/A * referenced in the FIPS specification of the DSA algorithm,
0N/A * and L is the size of <code>p</code>, in bits.
0N/A *
0N/A * @param seed the seed to generate the parameters
0N/A * @param L the size of <code>p</code>, in bits.
0N/A *
0N/A * @return an array of BigInteger, with <code>p</code> at index 0,
0N/A * <code>q</code> at index 1, the seed at index 2, and the counter value
0N/A * at index 3, or null if the seed does not yield suitable numbers.
0N/A */
0N/A BigInteger[] generatePandQ(byte[] seed, int L) {
0N/A
0N/A /* Useful variables */
0N/A int g = seed.length * 8;
0N/A int n = (L - 1) / 160;
0N/A int b = (L - 1) % 160;
0N/A
0N/A BigInteger SEED = new BigInteger(1, seed);
0N/A BigInteger TWOG = TWO.pow(2 * g);
0N/A
0N/A /* Step 2 (Step 1 is getting seed). */
0N/A byte[] U1 = SHA(seed);
0N/A byte[] U2 = SHA(toByteArray((SEED.add(ONE)).mod(TWOG)));
0N/A
0N/A xor(U1, U2);
0N/A byte[] U = U1;
0N/A
0N/A /* Step 3: For q by setting the msb and lsb to 1 */
0N/A U[0] |= 0x80;
0N/A U[19] |= 1;
0N/A BigInteger q = new BigInteger(1, U);
0N/A
0N/A /* Step 5 */
0N/A if (!q.isProbablePrime(80)) {
0N/A return null;
0N/A
0N/A } else {
0N/A BigInteger V[] = new BigInteger[n + 1];
0N/A BigInteger offset = TWO;
0N/A
0N/A /* Step 6 */
0N/A for (int counter = 0; counter < 4096; counter++) {
0N/A
0N/A /* Step 7 */
0N/A for (int k = 0; k <= n; k++) {
0N/A BigInteger K = BigInteger.valueOf(k);
0N/A BigInteger tmp = (SEED.add(offset).add(K)).mod(TWOG);
0N/A V[k] = new BigInteger(1, SHA(toByteArray(tmp)));
0N/A }
0N/A
0N/A /* Step 8 */
0N/A BigInteger W = V[0];
0N/A for (int i = 1; i < n; i++) {
0N/A W = W.add(V[i].multiply(TWO.pow(i * 160)));
0N/A }
0N/A W = W.add((V[n].mod(TWO.pow(b))).multiply(TWO.pow(n * 160)));
0N/A
0N/A BigInteger TWOLm1 = TWO.pow(L - 1);
0N/A BigInteger X = W.add(TWOLm1);
0N/A
0N/A /* Step 9 */
0N/A BigInteger c = X.mod(q.multiply(TWO));
0N/A BigInteger p = X.subtract(c.subtract(ONE));
0N/A
0N/A /* Step 10 - 13 */
0N/A if (p.compareTo(TWOLm1) > -1 && p.isProbablePrime(80)) {
0N/A BigInteger[] result = {p, q, SEED,
0N/A BigInteger.valueOf(counter)};
0N/A return result;
0N/A }
0N/A offset = offset.add(BigInteger.valueOf(n)).add(ONE);
0N/A }
0N/A return null;
0N/A }
0N/A }
0N/A
0N/A /*
0N/A * Generates the <code>g</code> parameter for DSA.
0N/A *
0N/A * @param p the prime, <code>p</code>.
0N/A * @param q the subprime, <code>q</code>.
0N/A *
0N/A * @param the <code>g</code>
0N/A */
0N/A BigInteger generateG(BigInteger p, BigInteger q) {
0N/A BigInteger h = ONE;
0N/A BigInteger pMinusOneOverQ = (p.subtract(ONE)).divide(q);
0N/A BigInteger g = ONE;
0N/A while (g.compareTo(TWO) < 0) {
0N/A g = h.modPow(pMinusOneOverQ, p);
0N/A h = h.add(ONE);
0N/A }
0N/A return g;
0N/A }
0N/A
0N/A /*
0N/A * Returns the SHA-1 digest of some data
0N/A */
0N/A private byte[] SHA(byte[] array) {
0N/A sha.engineReset();
0N/A sha.engineUpdate(array, 0, array.length);
0N/A return sha.engineDigest();
0N/A }
0N/A
0N/A /*
0N/A * Converts the result of a BigInteger.toByteArray call to an exact
0N/A * signed magnitude representation for any positive number.
0N/A */
0N/A private byte[] toByteArray(BigInteger bigInt) {
0N/A byte[] result = bigInt.toByteArray();
0N/A if (result[0] == 0) {
0N/A byte[] tmp = new byte[result.length - 1];
0N/A System.arraycopy(result, 1, tmp, 0, tmp.length);
0N/A result = tmp;
0N/A }
0N/A return result;
0N/A }
0N/A
0N/A /*
0N/A * XORs U2 into U1
0N/A */
0N/A private void xor(byte[] U1, byte[] U2) {
0N/A for (int i = 0; i < U1.length; i++) {
0N/A U1[i] ^= U2[i];
0N/A }
0N/A }
0N/A}