0
+ − 1 /**
+ − 2 *
+ − 3 */
+ − 4 package com.trilead.ssh2.signature;
+ − 5
+ − 6 import java.io.ByteArrayOutputStream;
+ − 7 import java.io.IOException;
+ − 8 import java.io.OutputStream;
+ − 9 import java.math.BigInteger;
+ − 10 import java.security.InvalidKeyException;
+ − 11 import java.security.KeyFactory;
+ − 12 import java.security.NoSuchAlgorithmException;
+ − 13 import java.security.Signature;
+ − 14 import java.security.SignatureException;
+ − 15 import java.security.interfaces.ECPrivateKey;
+ − 16 import java.security.interfaces.ECPublicKey;
+ − 17 import java.security.spec.ECFieldFp;
+ − 18 import java.security.spec.ECParameterSpec;
+ − 19 import java.security.spec.ECPoint;
+ − 20 import java.security.spec.ECPublicKeySpec;
+ − 21 import java.security.spec.EllipticCurve;
+ − 22 import java.security.spec.InvalidKeySpecException;
+ − 23 import java.security.spec.KeySpec;
+ − 24 import java.util.Map;
+ − 25 import java.util.TreeMap;
+ − 26
+ − 27 import com.trilead.ssh2.log.Logger;
+ − 28 import com.trilead.ssh2.packets.TypesReader;
+ − 29 import com.trilead.ssh2.packets.TypesWriter;
+ − 30
+ − 31 /**
+ − 32 * @author Kenny Root
+ − 33 *
+ − 34 */
+ − 35 public class ECDSASHA2Verify {
+ − 36 private static final Logger log = Logger.getLogger(ECDSASHA2Verify.class);
+ − 37
+ − 38 public static final String ECDSA_SHA2_PREFIX = "ecdsa-sha2-";
+ − 39
+ − 40 private static final String NISTP256 = "nistp256";
+ − 41 private static final String NISTP256_OID = "1.2.840.10045.3.1.7";
+ − 42 private static final String NISTP384 = "nistp384";
+ − 43 private static final String NISTP384_OID = "1.3.132.0.34";
+ − 44 private static final String NISTP521 = "nistp521";
+ − 45 private static final String NISTP521_OID = "1.3.132.0.35";
+ − 46
+ − 47 private static final Map<String, ECParameterSpec> CURVES = new TreeMap<String, ECParameterSpec>();
+ − 48 static {
+ − 49 CURVES.put(NISTP256, EllipticCurves.nistp256);
+ − 50 CURVES.put(NISTP384, EllipticCurves.nistp384);
+ − 51 CURVES.put(NISTP521, EllipticCurves.nistp521);
+ − 52 }
+ − 53
+ − 54 private static final Map<Integer, String> CURVE_SIZES = new TreeMap<Integer, String>();
+ − 55 static {
+ − 56 CURVE_SIZES.put(256, NISTP256);
+ − 57 CURVE_SIZES.put(384, NISTP384);
+ − 58 CURVE_SIZES.put(521, NISTP521);
+ − 59 }
+ − 60
+ − 61 private static final Map<String, String> CURVE_OIDS = new TreeMap<String, String>();
+ − 62 static {
+ − 63 CURVE_OIDS.put(NISTP256_OID, NISTP256);
+ − 64 CURVE_OIDS.put(NISTP384_OID, NISTP256);
+ − 65 CURVE_OIDS.put(NISTP521_OID, NISTP256);
+ − 66 }
+ − 67
+ − 68 public static int[] getCurveSizes() {
+ − 69 int[] keys = new int[CURVE_SIZES.size()];
+ − 70 int i = 0;
+ − 71
+ − 72 for (Integer n : CURVE_SIZES.keySet().toArray(new Integer[keys.length])) {
+ − 73 keys[i++] = n;
+ − 74 }
+ − 75
+ − 76 return keys;
+ − 77 }
+ − 78
+ − 79 public static ECParameterSpec getCurveForSize(int size) {
+ − 80 final String name = CURVE_SIZES.get(size);
+ − 81
+ − 82 if (name == null) {
+ − 83 return null;
+ − 84 }
+ − 85
+ − 86 return CURVES.get(name);
+ − 87 }
+ − 88
+ − 89 public static ECPublicKey decodeSSHECDSAPublicKey(byte[] key) throws IOException {
+ − 90 TypesReader tr = new TypesReader(key);
+ − 91 String key_format = tr.readString();
+ − 92
+ − 93 if (key_format.startsWith(ECDSA_SHA2_PREFIX) == false)
+ − 94 throw new IllegalArgumentException("This is not an ECDSA public key");
+ − 95
+ − 96 String curveName = tr.readString();
+ − 97 byte[] groupBytes = tr.readByteString();
+ − 98
+ − 99 if (tr.remain() != 0)
+ − 100 throw new IOException("Padding in ECDSA public key!");
+ − 101
+ − 102 if (key_format.equals(ECDSA_SHA2_PREFIX + curveName) == false) {
+ − 103 throw new IOException("Key format is inconsistent with curve name: " + key_format
+ − 104 + " != " + curveName);
+ − 105 }
+ − 106
+ − 107 ECParameterSpec params = CURVES.get(curveName);
+ − 108
+ − 109 if (params == null) {
+ − 110 throw new IOException("Curve is not supported: " + curveName);
+ − 111 }
+ − 112
+ − 113 ECPoint group = ECDSASHA2Verify.decodeECPoint(groupBytes, params.getCurve());
+ − 114
+ − 115 if (group == null) {
+ − 116 throw new IOException("Invalid ECDSA group");
+ − 117 }
+ − 118
+ − 119 KeySpec keySpec = new ECPublicKeySpec(group, params);
+ − 120
+ − 121 try {
+ − 122 KeyFactory kf = KeyFactory.getInstance("EC");
+ − 123 return (ECPublicKey) kf.generatePublic(keySpec);
+ − 124 }
+ − 125 catch (NoSuchAlgorithmException nsae) {
+ − 126 IOException ioe = new IOException("No EC KeyFactory available");
+ − 127 ioe.initCause(nsae);
+ − 128 throw ioe;
+ − 129 }
+ − 130 catch (InvalidKeySpecException ikse) {
+ − 131 IOException ioe = new IOException("No EC KeyFactory available");
+ − 132 ioe.initCause(ikse);
+ − 133 throw ioe;
+ − 134 }
+ − 135 }
+ − 136
+ − 137 public static byte[] encodeSSHECDSAPublicKey(ECPublicKey key) throws IOException {
+ − 138 TypesWriter tw = new TypesWriter();
+ − 139 String curveName = getCurveName(key.getParams());
+ − 140 String keyFormat = ECDSA_SHA2_PREFIX + curveName;
+ − 141 tw.writeString(keyFormat);
+ − 142 tw.writeString(curveName);
+ − 143 byte[] encoded = encodeECPoint(key.getW(), key.getParams().getCurve());
+ − 144 tw.writeString(encoded, 0, encoded.length);
+ − 145 return tw.getBytes();
+ − 146 }
+ − 147
+ − 148 public static String getCurveName(ECParameterSpec params) throws IOException {
+ − 149 int fieldSize = getCurveSize(params);
+ − 150 final String curveName = getCurveName(fieldSize);
+ − 151
+ − 152 if (curveName == null) {
+ − 153 throw new IOException("invalid curve size " + fieldSize);
+ − 154 }
+ − 155
+ − 156 return curveName;
+ − 157 }
+ − 158
+ − 159 public static String getCurveName(int fieldSize) {
+ − 160 String curveName = CURVE_SIZES.get(fieldSize);
+ − 161
+ − 162 if (curveName == null) {
+ − 163 return null;
+ − 164 }
+ − 165
+ − 166 return curveName;
+ − 167 }
+ − 168
+ − 169 public static int getCurveSize(ECParameterSpec params) {
+ − 170 return params.getCurve().getField().getFieldSize();
+ − 171 }
+ − 172
+ − 173 public static ECParameterSpec getCurveForOID(String oid) {
+ − 174 String name = CURVE_OIDS.get(oid);
+ − 175
+ − 176 if (name == null)
+ − 177 return null;
+ − 178
+ − 179 return CURVES.get(name);
+ − 180 }
+ − 181
+ − 182 public static byte[] decodeSSHECDSASignature(byte[] sig) throws IOException {
+ − 183 byte[] rsArray = null;
+ − 184 TypesReader tr = new TypesReader(sig);
+ − 185 String sig_format = tr.readString();
+ − 186
+ − 187 if (sig_format.startsWith(ECDSA_SHA2_PREFIX) == false)
+ − 188 throw new IOException("Peer sent wrong signature format");
+ − 189
+ − 190 String curveName = sig_format.substring(ECDSA_SHA2_PREFIX.length());
+ − 191
+ − 192 if (CURVES.containsKey(curveName) == false) {
+ − 193 throw new IOException("Unsupported curve: " + curveName);
+ − 194 }
+ − 195
+ − 196 rsArray = tr.readByteString();
+ − 197
+ − 198 if (tr.remain() != 0)
+ − 199 throw new IOException("Padding in ECDSA signature!");
+ − 200
+ − 201 byte[] rArray;
+ − 202 byte[] sArray;
+ − 203 {
+ − 204 TypesReader rsReader = new TypesReader(rsArray);
+ − 205 rArray = rsReader.readMPINT().toByteArray();
+ − 206 sArray = rsReader.readMPINT().toByteArray();
+ − 207 }
+ − 208 int first = rArray.length;
+ − 209 int second = sArray.length;
+ − 210
+ − 211 /* We can't have the high bit set, so add an extra zero at the beginning if so. */
+ − 212 if ((rArray[0] & 0x80) != 0) {
+ − 213 first++;
+ − 214 }
+ − 215
+ − 216 if ((sArray[0] & 0x80) != 0) {
+ − 217 second++;
+ − 218 }
+ − 219
+ − 220 /* Calculate total output length */
+ − 221 ByteArrayOutputStream os = new ByteArrayOutputStream(6 + first + second);
+ − 222 /* ASN.1 SEQUENCE tag */
+ − 223 os.write(0x30);
+ − 224 /* Size of SEQUENCE */
+ − 225 writeLength(4 + first + second, os);
+ − 226 /* ASN.1 INTEGER tag */
+ − 227 os.write(0x02);
+ − 228 /* "r" INTEGER length */
+ − 229 writeLength(first, os);
+ − 230
+ − 231 /* Copy in the "r" INTEGER */
+ − 232 if (first != rArray.length) {
+ − 233 os.write(0x00);
+ − 234 }
+ − 235
+ − 236 os.write(rArray);
+ − 237 /* ASN.1 INTEGER tag */
+ − 238 os.write(0x02);
+ − 239 /* "s" INTEGER length */
+ − 240 writeLength(second, os);
+ − 241
+ − 242 /* Copy in the "s" INTEGER */
+ − 243 if (second != sArray.length) {
+ − 244 os.write(0x00);
+ − 245 }
+ − 246
+ − 247 os.write(sArray);
+ − 248 return os.toByteArray();
+ − 249 }
+ − 250
+ − 251 private static final void writeLength(int length, OutputStream os) throws IOException {
+ − 252 if (length <= 0x7F) {
+ − 253 os.write(length);
+ − 254 return;
+ − 255 }
+ − 256
+ − 257 int numOctets = 0;
+ − 258 int lenCopy = length;
+ − 259
+ − 260 while (lenCopy != 0) {
+ − 261 lenCopy >>>= 8;
+ − 262 numOctets++;
+ − 263 }
+ − 264
+ − 265 os.write(0x80 | numOctets);
+ − 266
+ − 267 for (int i = (numOctets - 1) * 8; i >= 0; i -= 8) {
+ − 268 os.write((byte)(length >> i));
+ − 269 }
+ − 270 }
+ − 271
+ − 272 public static byte[] encodeSSHECDSASignature(byte[] sig, ECParameterSpec params) throws IOException {
+ − 273 TypesWriter tw = new TypesWriter();
+ − 274 String curveName = getCurveName(params);
+ − 275 tw.writeString(ECDSA_SHA2_PREFIX + curveName);
+ − 276
+ − 277 if ((sig[0] != 0x30) || (sig[1] != sig.length - 2) || (sig[2] != 0x02)) {
+ − 278 throw new IOException("Invalid signature format");
+ − 279 }
+ − 280
+ − 281 int rLength = sig[3];
+ − 282
+ − 283 if ((rLength + 6 > sig.length) || (sig[4 + rLength] != 0x02)) {
+ − 284 throw new IOException("Invalid signature format");
+ − 285 }
+ − 286
+ − 287 int sLength = sig[5 + rLength];
+ − 288
+ − 289 if (6 + rLength + sLength > sig.length) {
+ − 290 throw new IOException("Invalid signature format");
+ − 291 }
+ − 292
+ − 293 byte[] rArray = new byte[rLength];
+ − 294 byte[] sArray = new byte[sLength];
+ − 295 System.arraycopy(sig, 4, rArray, 0, rLength);
+ − 296 System.arraycopy(sig, 6 + rLength, sArray, 0, sLength);
+ − 297 BigInteger r = new BigInteger(rArray);
+ − 298 BigInteger s = new BigInteger(sArray);
+ − 299 // Write the <r,s> to its own types writer.
+ − 300 TypesWriter rsWriter = new TypesWriter();
+ − 301 rsWriter.writeMPInt(r);
+ − 302 rsWriter.writeMPInt(s);
+ − 303 byte[] encoded = rsWriter.getBytes();
+ − 304 tw.writeString(encoded, 0, encoded.length);
+ − 305 return tw.getBytes();
+ − 306 }
+ − 307
+ − 308 public static byte[] generateSignature(byte[] message, ECPrivateKey pk) throws IOException {
+ − 309 final String algo = getSignatureAlgorithmForParams(pk.getParams());
+ − 310
+ − 311 try {
+ − 312 Signature s = Signature.getInstance(algo);
+ − 313 s.initSign(pk);
+ − 314 s.update(message);
+ − 315 return s.sign();
+ − 316 }
+ − 317 catch (NoSuchAlgorithmException e) {
+ − 318 IOException ex = new IOException();
+ − 319 ex.initCause(e);
+ − 320 throw ex;
+ − 321 }
+ − 322 catch (InvalidKeyException e) {
+ − 323 IOException ex = new IOException();
+ − 324 ex.initCause(e);
+ − 325 throw ex;
+ − 326 }
+ − 327 catch (SignatureException e) {
+ − 328 IOException ex = new IOException();
+ − 329 ex.initCause(e);
+ − 330 throw ex;
+ − 331 }
+ − 332 }
+ − 333
+ − 334 public static boolean verifySignature(byte[] message, byte[] ds, ECPublicKey dpk) throws IOException {
+ − 335 final String algo = getSignatureAlgorithmForParams(dpk.getParams());
+ − 336
+ − 337 try {
+ − 338 Signature s = Signature.getInstance(algo);
+ − 339 s.initVerify(dpk);
+ − 340 s.update(message);
+ − 341 return s.verify(ds);
+ − 342 }
+ − 343 catch (NoSuchAlgorithmException e) {
+ − 344 IOException ex = new IOException("No such algorithm");
+ − 345 ex.initCause(e);
+ − 346 throw ex;
+ − 347 }
+ − 348 catch (InvalidKeyException e) {
+ − 349 IOException ex = new IOException("No such algorithm");
+ − 350 ex.initCause(e);
+ − 351 throw ex;
+ − 352 }
+ − 353 catch (SignatureException e) {
+ − 354 IOException ex = new IOException();
+ − 355 ex.initCause(e);
+ − 356 throw ex;
+ − 357 }
+ − 358 }
+ − 359
+ − 360 private static String getSignatureAlgorithmForParams(ECParameterSpec params) {
+ − 361 int size = getCurveSize(params);
+ − 362
+ − 363 if (size <= 256) {
+ − 364 return "SHA256withECDSA";
+ − 365 }
+ − 366 else if (size <= 384) {
+ − 367 return "SHA384withECDSA";
+ − 368 }
+ − 369 else {
+ − 370 return "SHA512withECDSA";
+ − 371 }
+ − 372 }
+ − 373
+ − 374 public static String getDigestAlgorithmForParams(ECParameterSpec params) {
+ − 375 int size = getCurveSize(params);
+ − 376
+ − 377 if (size <= 256) {
+ − 378 return "SHA256";
+ − 379 }
+ − 380 else if (size <= 384) {
+ − 381 return "SHA384";
+ − 382 }
+ − 383 else {
+ − 384 return "SHA512";
+ − 385 }
+ − 386 }
+ − 387
+ − 388 /**
+ − 389 * Decode an OctetString to EllipticCurvePoint according to SECG 2.3.4
+ − 390 */
+ − 391 public static ECPoint decodeECPoint(byte[] M, EllipticCurve curve) {
+ − 392 if (M.length == 0) {
+ − 393 return null;
+ − 394 }
+ − 395
+ − 396 // M has len 2 ceil(log_2(q)/8) + 1 ?
+ − 397 int elementSize = (curve.getField().getFieldSize() + 7) / 8;
+ − 398
+ − 399 if (M.length != 2 * elementSize + 1) {
+ − 400 return null;
+ − 401 }
+ − 402
+ − 403 // step 3.2
+ − 404 if (M[0] != 0x04) {
+ − 405 return null;
+ − 406 }
+ − 407
+ − 408 // Step 3.3
+ − 409 byte[] xp = new byte[elementSize];
+ − 410 System.arraycopy(M, 1, xp, 0, elementSize);
+ − 411 // Step 3.4
+ − 412 byte[] yp = new byte[elementSize];
+ − 413 System.arraycopy(M, 1 + elementSize, yp, 0, elementSize);
+ − 414 ECPoint P = new ECPoint(new BigInteger(1, xp), new BigInteger(1, yp));
+ − 415 // TODO check point 3.5
+ − 416 // Step 3.6
+ − 417 return P;
+ − 418 }
+ − 419
+ − 420 /**
+ − 421 * Encode EllipticCurvePoint to an OctetString
+ − 422 */
+ − 423 public static byte[] encodeECPoint(ECPoint group, EllipticCurve curve) {
+ − 424 // M has len 2 ceil(log_2(q)/8) + 1 ?
+ − 425 int elementSize = (curve.getField().getFieldSize() + 7) / 8;
+ − 426 byte[] M = new byte[2 * elementSize + 1];
+ − 427 // Uncompressed format
+ − 428 M[0] = 0x04;
+ − 429 {
+ − 430 byte[] affineX = removeLeadingZeroes(group.getAffineX().toByteArray());
+ − 431 System.arraycopy(affineX, 0, M, 1 + elementSize - affineX.length, affineX.length);
+ − 432 }
+ − 433 {
+ − 434 byte[] affineY = removeLeadingZeroes(group.getAffineY().toByteArray());
+ − 435 System.arraycopy(affineY, 0, M, 1 + elementSize + elementSize - affineY.length,
+ − 436 affineY.length);
+ − 437 }
+ − 438 return M;
+ − 439 }
+ − 440
+ − 441 private static byte[] removeLeadingZeroes(byte[] input) {
+ − 442 if (input[0] != 0x00) {
+ − 443 return input;
+ − 444 }
+ − 445
+ − 446 int pos = 1;
+ − 447
+ − 448 while (pos < input.length - 1 && input[pos] == 0x00) {
+ − 449 pos++;
+ − 450 }
+ − 451
+ − 452 byte[] output = new byte[input.length - pos];
+ − 453 System.arraycopy(input, pos, output, 0, output.length);
+ − 454 return output;
+ − 455 }
+ − 456
+ − 457 public static class EllipticCurves {
+ − 458 public static ECParameterSpec nistp256 = new ECParameterSpec(
+ − 459 new EllipticCurve(
+ − 460 new ECFieldFp(new BigInteger("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 16)),
+ − 461 new BigInteger("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", 16),
+ − 462 new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16)),
+ − 463 new ECPoint(new BigInteger("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 16),
+ − 464 new BigInteger("4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", 16)),
+ − 465 new BigInteger("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16),
+ − 466 1);
+ − 467
+ − 468 public static ECParameterSpec nistp384 = new ECParameterSpec(
+ − 469 new EllipticCurve(
+ − 470 new ECFieldFp(new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF", 16)),
+ − 471 new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC", 16),
+ − 472 new BigInteger("B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF", 16)),
+ − 473 new ECPoint(new BigInteger("AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", 16),
+ − 474 new BigInteger("3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F", 16)),
+ − 475 new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16),
+ − 476 1);
+ − 477
+ − 478 public static ECParameterSpec nistp521 = new ECParameterSpec(
+ − 479 new EllipticCurve(
+ − 480 new ECFieldFp(new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 16)),
+ − 481 new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 16),
+ − 482 new BigInteger("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)),
+ − 483 new ECPoint(new BigInteger("00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", 16),
+ − 484 new BigInteger("011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", 16)),
+ − 485 new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16),
+ − 486 1);
+ − 487 }
+ − 488 }