/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* Core of the RSA implementation. Has code to perform public and private key
* RSA operations (with and without CRT for private key ops). Private CRT ops
* also support blinding to twart timing attacks.
*
* The code in this class only does the core RSA operation. Padding and
* unpadding must be done externally.
*
* Note: RSA keys should be at least 512 bits long
*
* @since 1.5
* @author Andreas Sterbenz
*/
public final class RSACore {
private RSACore() {
// empty
}
/**
* Return the number of bytes required to store the magnitude byte[] of
* this BigInteger. Do not count a 0x00 byte toByteArray() would
* prefix for 2's complement form.
*/
int n = b.bitLength();
return (n + 7) >> 3;
}
/**
* Return the number of bytes required to store the modulus of this
* RSA key.
*/
}
// temporary, used by RSACipher and RSAPadding. Move this somewhere else
return b;
} else {
byte[] t = new byte[len];
return t;
}
}
/**
* Perform an RSA public key operation.
*/
throws BadPaddingException {
}
/**
* Perform an RSA private key operation. Uses CRT if the key is a
* CRT key.
*/
throws BadPaddingException {
if (key instanceof RSAPrivateCrtKey) {
} else {
}
}
/**
* RSA public key ops and non-CRT private key ops. Simple modPow().
*/
throws BadPaddingException {
return toByteArray(c, getByteLength(n));
}
/**
* RSA private key operations with CRT. Algorithm and variable naming
* are taken from PKCS#1 v2.1, section 5.1.2.
*
* The only difference is the addition of blinding to twart timing attacks.
* This is described in the RSA Bulletin#2 (Jan 96) among other places.
* This means instead of implementing RSA as
* m = c ^ d mod n (or RSA in CRT variant)
* we do
* r = random(0, n-1)
* c' = c * r^e mod n
* m' = c' ^ d mod n (or RSA in CRT variant)
* m = m' * r^-1 mod n (where r^-1 is the modular inverse of r mod n)
* This works because r^(e*d) * r^-1 = r * r^-1 = 1 (all mod n)
*
* We do not generate new blinding parameters for each operation but reuse
* them BLINDING_MAX_REUSE times (see definition below).
*/
throws BadPaddingException {
if (ENABLE_BLINDING) {
} else {
}
// m1 = c ^ dP mod p
// m2 = c ^ dQ mod q
// h = (m1 - m2) * qInv mod p
}
// m = m2 + q * h
}
return toByteArray(m, getByteLength(n));
}
/**
* Parse the msg into a BigInteger and check against the modulus n.
*/
throws BadPaddingException {
if (m.compareTo(n) >= 0) {
throw new BadPaddingException("Message is larger than modulus");
}
return m;
}
/**
* Return the encoding of this BigInteger that is exactly len bytes long.
* Precondition: bi must fit into len bytes
*/
byte[] b = bi.toByteArray();
int n = b.length;
if (n == len) {
return b;
}
// BigInteger prefixed a 0x00 byte for 2's complement form, remove it
byte[] t = new byte[len];
return t;
}
// must be smaller
assert (n < len);
byte[] t = new byte[len];
return t;
}
private final static boolean ENABLE_BLINDING = true;
// maximum number of times that we will use a set of blinding parameters
// value suggested by Paul Kocher (quoted by NSS)
// cache for blinding parameters. Map<BigInteger, BlindingParameters>
// use a weak hashmap so that cached values are automatically cleared
// when the modulus is GC'ed
new WeakHashMap<>();
/**
* Set of blinding parameters for a given RSA key.
*
* The RSA modulus is usually unique, so we index by modulus in
* blindingCache. However, to protect against the unlikely case of two
* keys sharing the same modulus, we also store the public exponent.
* This means we cannot cache blinding parameters for multiple keys that
* share the same modulus, but since sharing moduli is fundamentally broken
* an insecure, this does not matter.
*/
private static final class BlindingParameters {
// e (RSA public exponent)
final BigInteger e;
// r ^ e mod n
// inverse of r mod n
// how many more times this parameter object can be used
private volatile int remainingUses;
this.e = e;
// initialize remaining uses, subtract current use now
}
int k = remainingUses--;
return (k > 0) && this.e.equals(e);
}
}
/**
* Return valid RSA blinding parameters for the given private key.
* Use cached parameters if available. If not, generate new parameters
* and cache.
*/
(RSAPrivateCrtKey key) {
// we release the lock between get() and put()
// that means threads might concurrently generate new blinding
// parameters for the same modulus. this is only a slight waste
// of cycles and seems preferable in terms of scalability
// to locking out all threads while generating new parameters
synchronized (blindingCache) {
}
return params;
}
synchronized (blindingCache) {
}
return params;
}
}