/*
 * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * RSA padding and unpadding.
 *
 * Format of PKCS#1 v1.5 padding is:
 *   0x00 | BT | PS...PS | 0x00 | data...data
 * where BT is the blocktype (1 or 2). The length of the entire string
 * must be the same as the size of the modulus (i.e. 128 byte for a 1024 bit
 * key). Per spec, the padding string must be at least 8 bytes long. That
 * leaves up to (length of key in bytes) - 11 bytes for the data.
 *
 * OAEP padding is a bit more complicated and has a number of options.
 *   . arbitrary hash functions ('Hash' in the specification), MessageDigest
 *     implementation must be available
 *   . MGF1 as the mask generation function
 *   . the empty string as the default value for label L and whatever
 *     specified in javax.crypto.spec.OAEPParameterSpec
 *
 * Note: RSA keys should be at least 512 bits long
 *
 * @author Andreas Sterbenz
 */

// NOTE: the constants below are embedded in the JCE RSACipher class
// file. Do not change without coordinating the update

// PKCS#1 v1.5 padding, blocktype 1 (signing)
// PKCS#1 v1.5 padding, blocktype 2 (encryption)
// nopadding. Does not do anything, but allows simpler RSACipher code
// PKCS#1 v2.1 OAEP padding

// type, one of PAD_*
// size of the padded block (i.e. size of the modulus)
// PRNG used to generate padding bytes (PAD_BLOCKTYPE_2, PAD_OAEP_MGF1)
// maximum size of the data
// OAEP: main messagedigest
// OAEP: message digest for MGF1
// OAEP: value of digest of data (user-supplied or zero-length) using md

/**
 * Get a RSAPadding instance of the specified type.
 * Keys used with this padding must be paddedSize bytes long.
 */

/**
 * Get a RSAPadding instance of the specified type.
 * Keys used with this padding must be paddedSize bytes long.
 */

/**
 * Get a RSAPadding instance of the specified type, which must be
 * OAEP. Keys used with this padding must be paddedSize bytes long.
 */

// internal constructor
("Key is too short for encryption using OAEPPadding" +
// cache of hashes of zero length data

/**
 * Return the value of the digest using the specified message digest
 * <code>md</code> and the digest input <code>digestInput</code>.
 * if <code>digestInput</code> is null or 0-length, zero length
 * is used to generate the initial digest.
 * Note: the md object must be in reset state
 */

/**
 * Return the maximum size of the plaintext data that can be processed using
 */

/**
 * Pad the data and return the padded block.
 */

/**
 * Pad the data and return the padded block.
 */

/**
 * Unpad the padded block and return the data.
 */

/**
 * Unpad the padded block and return the data.
 */

/**
 * PKCS#1 v1.5 padding (blocktype 1 and 2).
 */
// blocktype 1: all padding bytes are 0xff
// blocktype 2: padding bytes are random non-zero bytes
// generate non-zero padding bytes
// use a buffer to reduce calls to SecureRandom
byte[] r = new byte[64];
/**
 * PKCS#1 v1.5 unpadding (blocktype 1 and 2).
 */

/**
 * PKCS#1 v2.0 OAEP padding (MGF1).
 * Paragraph references refer to PKCS#1 v2.1 (June 14, 2002)
 */
// 2.d: generate a random octet string seed of length hLen
// buffer for encoded message EM
// start and length of seed (as index into EM)
// copy seed into EM
// start and length of data block DB in EM
// we place it inside of EM to reduce copying
// start of message M in EM
// 2.b: Concatenate lHash, PS, a single octet with hexadecimal value
// 0x01, and the message M to form a data block DB of length
// k - hLen -1 octets as DB = lHash || PS || 0x01 || M
// (note that PS is all zeros)

/**
 * PKCS#1 v2.1 OAEP unpadding (MGF1).
 */
// verify lHash == lHash'
// skip over padding (0x00 bytes)
("Padding string not terminated by 0x01 byte");
/**
 * Compute MGF1 using mgfMD as the message digest.
 * Note that we combine MGF1 with the XOR operation to reduce data
 *
 * We generate maskLen bytes of MGF1 from the seed and XOR it into
 * out[] starting at outOfs;
 */
byte[] C = new byte[4]; // 32 bit counter
byte[] digest = new byte[20]; // 20 bytes is length of SHA-1 digest
// should never happen
// increment counter
for (int i = C.length - 1; (++C[i] == 0) && (i > 0); i--) {
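
An added example, not part of the JDK source above: a stand-alone Java sketch of the OAEP encoding and the MGF1-with-XOR step that the comments describe (random seed of length hLen, DB = lHash || PS || 0x01 || M, 32-bit counter). The class name OaepSketch, the method names, the SHA-256 choice and the sample message are assumptions for illustration. It goes beyond the fragment by taking the block size from the digest in use instead of a fixed 20 bytes, and its unpad reports every failure with the same error so a caller cannot tell which check failed.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
public class OaepSketch { // hypothetical class name, not from the JDK
    // MGF1 fused with XOR: XOR len bytes of MGF1(seed) into out[ofs..]; md must be in reset state.
    static void mgf1Xor(MessageDigest md, byte[] seed, int sOfs, int sLen,
                        byte[] out, int ofs, int len) {
        byte[] c = new byte[4]; // 32-bit big-endian counter
        while (len > 0) {
            md.update(seed, sOfs, sLen);
            md.update(c);
            byte[] d = md.digest(); // digest() also resets md for the next round
            for (int i = 0; i < d.length && len > 0; i++, len--) out[ofs++] ^= d[i];
            for (int i = c.length - 1; (++c[i] == 0) && (i > 0); i--) { } // carry into higher bytes
        }
    }
    // EM = 0x00 || maskedSeed || maskedDB, with DB = lHash || PS (all zeros) || 0x01 || M, k = modulus size
    static byte[] pad(byte[] m, int k, MessageDigest md, byte[] lHash) {
        int hLen = lHash.length, dbStart = 1 + hLen;
        if (m.length > k - 2 * hLen - 2) throw new IllegalArgumentException("data too long");
        byte[] em = new byte[k], seed = new byte[hLen];
        new SecureRandom().nextBytes(seed);
        System.arraycopy(seed, 0, em, 1, hLen);
        System.arraycopy(lHash, 0, em, dbStart, hLen);
        em[k - m.length - 1] = 1; // 0x01 separator after the zero PS
        System.arraycopy(m, 0, em, k - m.length, m.length);
        mgf1Xor(md, em, 1, hLen, em, dbStart, k - dbStart); // mask DB with MGF1(seed)
        mgf1Xor(md, em, dbStart, k - dbStart, em, 1, hLen); // mask seed with MGF1(maskedDB)
        return em;
    }
    // One error for every failure (no padding oracle); the zero-skip loop is not constant-time.
    static byte[] unpad(byte[] em, MessageDigest md, byte[] lHash) {
        int hLen = lHash.length, dbStart = 1 + hLen;
        byte[] e = em.clone();
        mgf1Xor(md, e, dbStart, e.length - dbStart, e, 1, hLen); // recover seed
        mgf1Xor(md, e, 1, hLen, e, dbStart, e.length - dbStart); // recover DB
        boolean bad = (e[0] != 0)
            | !MessageDigest.isEqual(lHash, Arrays.copyOfRange(e, dbStart, dbStart + hLen));
        int i = dbStart + hLen;
        while (i < e.length && e[i] == 0) i++; // skip over padding (0x00 bytes)
        if (bad || i == e.length || e[i] != 1) throw new IllegalArgumentException("decoding error");
        return Arrays.copyOfRange(e, i + 1, e.length);
    }
    public static void main(String[] args) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] lHash = md.digest(new byte[0]); // digest of the empty label L
        byte[] em = pad("constructed sample".getBytes(), 128, md, lHash); // 128 = 1024-bit modulus
        System.out.println(new String(unpad(em, md, lHash)));
    }
}
```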