Mercurial > 510Connectbot
comparison src/ch/ethz/ssh2/signature/ECDSASHA2Verify.java @ 274:82bd20cb0d1d ganymed
start conversion from trilead to ganymed
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Fri, 18 Jul 2014 11:32:32 -0700 |
parents | |
children | d7e088fa2123 |
comparison
equal
deleted
inserted
replaced
273:91a31873c42a | 274:82bd20cb0d1d |
---|---|
1 /** | |
2 * | |
3 */ | |
4 package ch.ethz.ssh2.signature; | |
5 | |
6 import java.io.ByteArrayOutputStream; | |
7 import java.io.IOException; | |
8 import java.io.OutputStream; | |
9 import java.math.BigInteger; | |
10 import java.security.InvalidKeyException; | |
11 import java.security.KeyFactory; | |
12 import java.security.NoSuchAlgorithmException; | |
13 import java.security.Signature; | |
14 import java.security.SignatureException; | |
15 import java.security.interfaces.ECPrivateKey; | |
16 import java.security.interfaces.ECPublicKey; | |
17 import java.security.spec.ECFieldFp; | |
18 import java.security.spec.ECParameterSpec; | |
19 import java.security.spec.ECPoint; | |
20 import java.security.spec.ECPublicKeySpec; | |
21 import java.security.spec.EllipticCurve; | |
22 import java.security.spec.InvalidKeySpecException; | |
23 import java.security.spec.KeySpec; | |
24 import java.util.Map; | |
25 import java.util.TreeMap; | |
26 | |
27 import com.trilead.ssh2.log.Logger; | |
28 import com.trilead.ssh2.packets.TypesReader; | |
29 import com.trilead.ssh2.packets.TypesWriter; | |
30 | |
31 /** | |
32 * @author Kenny Root | |
33 * | |
34 */ | |
35 public class ECDSASHA2Verify { | |
36 private static final Logger log = Logger.getLogger(ECDSASHA2Verify.class); | |
37 | |
38 public static final String ECDSA_SHA2_PREFIX = "ecdsa-sha2-"; | |
39 | |
40 private static final String NISTP256 = "nistp256"; | |
41 private static final String NISTP256_OID = "1.2.840.10045.3.1.7"; | |
42 private static final String NISTP384 = "nistp384"; | |
43 private static final String NISTP384_OID = "1.3.132.0.34"; | |
44 private static final String NISTP521 = "nistp521"; | |
45 private static final String NISTP521_OID = "1.3.132.0.35"; | |
46 | |
47 private static final Map<String, ECParameterSpec> CURVES = new TreeMap<String, ECParameterSpec>(); | |
48 static { | |
49 CURVES.put(NISTP256, EllipticCurves.nistp256); | |
50 CURVES.put(NISTP384, EllipticCurves.nistp384); | |
51 CURVES.put(NISTP521, EllipticCurves.nistp521); | |
52 } | |
53 | |
54 private static final Map<Integer, String> CURVE_SIZES = new TreeMap<Integer, String>(); | |
55 static { | |
56 CURVE_SIZES.put(256, NISTP256); | |
57 CURVE_SIZES.put(384, NISTP384); | |
58 CURVE_SIZES.put(521, NISTP521); | |
59 } | |
60 | |
61 private static final Map<String, String> CURVE_OIDS = new TreeMap<String, String>(); | |
62 static { | |
63 CURVE_OIDS.put(NISTP256_OID, NISTP256); | |
64 CURVE_OIDS.put(NISTP384_OID, NISTP256); | |
65 CURVE_OIDS.put(NISTP521_OID, NISTP256); | |
66 } | |
67 | |
68 public static int[] getCurveSizes() { | |
69 int[] keys = new int[CURVE_SIZES.size()]; | |
70 int i = 0; | |
71 | |
72 for (Integer n : CURVE_SIZES.keySet().toArray(new Integer[keys.length])) { | |
73 keys[i++] = n; | |
74 } | |
75 | |
76 return keys; | |
77 } | |
78 | |
79 public static ECParameterSpec getCurveForSize(int size) { | |
80 final String name = CURVE_SIZES.get(size); | |
81 | |
82 if (name == null) { | |
83 return null; | |
84 } | |
85 | |
86 return CURVES.get(name); | |
87 } | |
88 | |
89 public static ECPublicKey decodeSSHECDSAPublicKey(byte[] key) throws IOException { | |
90 TypesReader tr = new TypesReader(key); | |
91 String key_format = tr.readString(); | |
92 | |
93 if (key_format.startsWith(ECDSA_SHA2_PREFIX) == false) | |
94 throw new IllegalArgumentException("This is not an ECDSA public key"); | |
95 | |
96 String curveName = tr.readString(); | |
97 byte[] groupBytes = tr.readByteString(); | |
98 | |
99 if (tr.remain() != 0) | |
100 throw new IOException("Padding in ECDSA public key!"); | |
101 | |
102 if (key_format.equals(ECDSA_SHA2_PREFIX + curveName) == false) { | |
103 throw new IOException("Key format is inconsistent with curve name: " + key_format | |
104 + " != " + curveName); | |
105 } | |
106 | |
107 ECParameterSpec params = CURVES.get(curveName); | |
108 | |
109 if (params == null) { | |
110 throw new IOException("Curve is not supported: " + curveName); | |
111 } | |
112 | |
113 ECPoint group = ECDSASHA2Verify.decodeECPoint(groupBytes, params.getCurve()); | |
114 | |
115 if (group == null) { | |
116 throw new IOException("Invalid ECDSA group"); | |
117 } | |
118 | |
119 KeySpec keySpec = new ECPublicKeySpec(group, params); | |
120 | |
121 try { | |
122 KeyFactory kf = KeyFactory.getInstance("EC"); | |
123 return (ECPublicKey) kf.generatePublic(keySpec); | |
124 } | |
125 catch (NoSuchAlgorithmException nsae) { | |
126 IOException ioe = new IOException("No EC KeyFactory available"); | |
127 ioe.initCause(nsae); | |
128 throw ioe; | |
129 } | |
130 catch (InvalidKeySpecException ikse) { | |
131 IOException ioe = new IOException("No EC KeyFactory available"); | |
132 ioe.initCause(ikse); | |
133 throw ioe; | |
134 } | |
135 } | |
136 | |
137 public static byte[] encodeSSHECDSAPublicKey(ECPublicKey key) throws IOException { | |
138 TypesWriter tw = new TypesWriter(); | |
139 String curveName = getCurveName(key.getParams()); | |
140 String keyFormat = ECDSA_SHA2_PREFIX + curveName; | |
141 tw.writeString(keyFormat); | |
142 tw.writeString(curveName); | |
143 byte[] encoded = encodeECPoint(key.getW(), key.getParams().getCurve()); | |
144 tw.writeString(encoded, 0, encoded.length); | |
145 return tw.getBytes(); | |
146 } | |
147 | |
148 public static String getCurveName(ECParameterSpec params) throws IOException { | |
149 int fieldSize = getCurveSize(params); | |
150 final String curveName = getCurveName(fieldSize); | |
151 | |
152 if (curveName == null) { | |
153 throw new IOException("invalid curve size " + fieldSize); | |
154 } | |
155 | |
156 return curveName; | |
157 } | |
158 | |
159 public static String getCurveName(int fieldSize) { | |
160 String curveName = CURVE_SIZES.get(fieldSize); | |
161 | |
162 if (curveName == null) { | |
163 return null; | |
164 } | |
165 | |
166 return curveName; | |
167 } | |
168 | |
169 public static int getCurveSize(ECParameterSpec params) { | |
170 return params.getCurve().getField().getFieldSize(); | |
171 } | |
172 | |
173 public static ECParameterSpec getCurveForOID(String oid) { | |
174 String name = CURVE_OIDS.get(oid); | |
175 | |
176 if (name == null) | |
177 return null; | |
178 | |
179 return CURVES.get(name); | |
180 } | |
181 | |
182 public static byte[] decodeSSHECDSASignature(byte[] sig) throws IOException { | |
183 byte[] rsArray = null; | |
184 TypesReader tr = new TypesReader(sig); | |
185 String sig_format = tr.readString(); | |
186 | |
187 if (sig_format.startsWith(ECDSA_SHA2_PREFIX) == false) | |
188 throw new IOException("Peer sent wrong signature format"); | |
189 | |
190 String curveName = sig_format.substring(ECDSA_SHA2_PREFIX.length()); | |
191 | |
192 if (CURVES.containsKey(curveName) == false) { | |
193 throw new IOException("Unsupported curve: " + curveName); | |
194 } | |
195 | |
196 rsArray = tr.readByteString(); | |
197 | |
198 if (tr.remain() != 0) | |
199 throw new IOException("Padding in ECDSA signature!"); | |
200 | |
201 byte[] rArray; | |
202 byte[] sArray; | |
203 { | |
204 TypesReader rsReader = new TypesReader(rsArray); | |
205 rArray = rsReader.readMPINT().toByteArray(); | |
206 sArray = rsReader.readMPINT().toByteArray(); | |
207 } | |
208 int first = rArray.length; | |
209 int second = sArray.length; | |
210 | |
211 /* We can't have the high bit set, so add an extra zero at the beginning if so. */ | |
212 if ((rArray[0] & 0x80) != 0) { | |
213 first++; | |
214 } | |
215 | |
216 if ((sArray[0] & 0x80) != 0) { | |
217 second++; | |
218 } | |
219 | |
220 /* Calculate total output length */ | |
221 ByteArrayOutputStream os = new ByteArrayOutputStream(6 + first + second); | |
222 /* ASN.1 SEQUENCE tag */ | |
223 os.write(0x30); | |
224 /* Size of SEQUENCE */ | |
225 writeLength(4 + first + second, os); | |
226 /* ASN.1 INTEGER tag */ | |
227 os.write(0x02); | |
228 /* "r" INTEGER length */ | |
229 writeLength(first, os); | |
230 | |
231 /* Copy in the "r" INTEGER */ | |
232 if (first != rArray.length) { | |
233 os.write(0x00); | |
234 } | |
235 | |
236 os.write(rArray); | |
237 /* ASN.1 INTEGER tag */ | |
238 os.write(0x02); | |
239 /* "s" INTEGER length */ | |
240 writeLength(second, os); | |
241 | |
242 /* Copy in the "s" INTEGER */ | |
243 if (second != sArray.length) { | |
244 os.write(0x00); | |
245 } | |
246 | |
247 os.write(sArray); | |
248 return os.toByteArray(); | |
249 } | |
250 | |
251 private static final void writeLength(int length, OutputStream os) throws IOException { | |
252 if (length <= 0x7F) { | |
253 os.write(length); | |
254 return; | |
255 } | |
256 | |
257 int numOctets = 0; | |
258 int lenCopy = length; | |
259 | |
260 while (lenCopy != 0) { | |
261 lenCopy >>>= 8; | |
262 numOctets++; | |
263 } | |
264 | |
265 os.write(0x80 | numOctets); | |
266 | |
267 for (int i = (numOctets - 1) * 8; i >= 0; i -= 8) { | |
268 os.write((byte)(length >> i)); | |
269 } | |
270 } | |
271 | |
272 public static byte[] encodeSSHECDSASignature(byte[] sig, ECParameterSpec params) throws IOException { | |
273 TypesWriter tw = new TypesWriter(); | |
274 String curveName = getCurveName(params); | |
275 tw.writeString(ECDSA_SHA2_PREFIX + curveName); | |
276 | |
277 if ((sig[0] != 0x30) || (sig[1] != sig.length - 2) || (sig[2] != 0x02)) { | |
278 throw new IOException("Invalid signature format"); | |
279 } | |
280 | |
281 int rLength = sig[3]; | |
282 | |
283 if ((rLength + 6 > sig.length) || (sig[4 + rLength] != 0x02)) { | |
284 throw new IOException("Invalid signature format"); | |
285 } | |
286 | |
287 int sLength = sig[5 + rLength]; | |
288 | |
289 if (6 + rLength + sLength > sig.length) { | |
290 throw new IOException("Invalid signature format"); | |
291 } | |
292 | |
293 byte[] rArray = new byte[rLength]; | |
294 byte[] sArray = new byte[sLength]; | |
295 System.arraycopy(sig, 4, rArray, 0, rLength); | |
296 System.arraycopy(sig, 6 + rLength, sArray, 0, sLength); | |
297 BigInteger r = new BigInteger(rArray); | |
298 BigInteger s = new BigInteger(sArray); | |
299 // Write the <r,s> to its own types writer. | |
300 TypesWriter rsWriter = new TypesWriter(); | |
301 rsWriter.writeMPInt(r); | |
302 rsWriter.writeMPInt(s); | |
303 byte[] encoded = rsWriter.getBytes(); | |
304 tw.writeString(encoded, 0, encoded.length); | |
305 return tw.getBytes(); | |
306 } | |
307 | |
308 public static byte[] generateSignature(byte[] message, ECPrivateKey pk) throws IOException { | |
309 final String algo = getSignatureAlgorithmForParams(pk.getParams()); | |
310 | |
311 try { | |
312 Signature s = Signature.getInstance(algo); | |
313 s.initSign(pk); | |
314 s.update(message); | |
315 return s.sign(); | |
316 } | |
317 catch (NoSuchAlgorithmException e) { | |
318 IOException ex = new IOException(); | |
319 ex.initCause(e); | |
320 throw ex; | |
321 } | |
322 catch (InvalidKeyException e) { | |
323 IOException ex = new IOException(); | |
324 ex.initCause(e); | |
325 throw ex; | |
326 } | |
327 catch (SignatureException e) { | |
328 IOException ex = new IOException(); | |
329 ex.initCause(e); | |
330 throw ex; | |
331 } | |
332 } | |
333 | |
334 public static boolean verifySignature(byte[] message, byte[] ds, ECPublicKey dpk) throws IOException { | |
335 final String algo = getSignatureAlgorithmForParams(dpk.getParams()); | |
336 | |
337 try { | |
338 Signature s = Signature.getInstance(algo); | |
339 s.initVerify(dpk); | |
340 s.update(message); | |
341 return s.verify(ds); | |
342 } | |
343 catch (NoSuchAlgorithmException e) { | |
344 IOException ex = new IOException("No such algorithm"); | |
345 ex.initCause(e); | |
346 throw ex; | |
347 } | |
348 catch (InvalidKeyException e) { | |
349 IOException ex = new IOException("No such algorithm"); | |
350 ex.initCause(e); | |
351 throw ex; | |
352 } | |
353 catch (SignatureException e) { | |
354 IOException ex = new IOException(); | |
355 ex.initCause(e); | |
356 throw ex; | |
357 } | |
358 } | |
359 | |
360 private static String getSignatureAlgorithmForParams(ECParameterSpec params) { | |
361 int size = getCurveSize(params); | |
362 | |
363 if (size <= 256) { | |
364 return "SHA256withECDSA"; | |
365 } | |
366 else if (size <= 384) { | |
367 return "SHA384withECDSA"; | |
368 } | |
369 else { | |
370 return "SHA512withECDSA"; | |
371 } | |
372 } | |
373 | |
374 public static String getDigestAlgorithmForParams(ECParameterSpec params) { | |
375 int size = getCurveSize(params); | |
376 | |
377 if (size <= 256) { | |
378 return "SHA256"; | |
379 } | |
380 else if (size <= 384) { | |
381 return "SHA384"; | |
382 } | |
383 else { | |
384 return "SHA512"; | |
385 } | |
386 } | |
387 | |
388 /** | |
389 * Decode an OctetString to EllipticCurvePoint according to SECG 2.3.4 | |
390 */ | |
391 public static ECPoint decodeECPoint(byte[] M, EllipticCurve curve) { | |
392 if (M.length == 0) { | |
393 return null; | |
394 } | |
395 | |
396 // M has len 2 ceil(log_2(q)/8) + 1 ? | |
397 int elementSize = (curve.getField().getFieldSize() + 7) / 8; | |
398 | |
399 if (M.length != 2 * elementSize + 1) { | |
400 return null; | |
401 } | |
402 | |
403 // step 3.2 | |
404 if (M[0] != 0x04) { | |
405 return null; | |
406 } | |
407 | |
408 // Step 3.3 | |
409 byte[] xp = new byte[elementSize]; | |
410 System.arraycopy(M, 1, xp, 0, elementSize); | |
411 // Step 3.4 | |
412 byte[] yp = new byte[elementSize]; | |
413 System.arraycopy(M, 1 + elementSize, yp, 0, elementSize); | |
414 ECPoint P = new ECPoint(new BigInteger(1, xp), new BigInteger(1, yp)); | |
415 // TODO check point 3.5 | |
416 // Step 3.6 | |
417 return P; | |
418 } | |
419 | |
420 /** | |
421 * Encode EllipticCurvePoint to an OctetString | |
422 */ | |
423 public static byte[] encodeECPoint(ECPoint group, EllipticCurve curve) { | |
424 // M has len 2 ceil(log_2(q)/8) + 1 ? | |
425 int elementSize = (curve.getField().getFieldSize() + 7) / 8; | |
426 byte[] M = new byte[2 * elementSize + 1]; | |
427 // Uncompressed format | |
428 M[0] = 0x04; | |
429 { | |
430 byte[] affineX = removeLeadingZeroes(group.getAffineX().toByteArray()); | |
431 System.arraycopy(affineX, 0, M, 1 + elementSize - affineX.length, affineX.length); | |
432 } | |
433 { | |
434 byte[] affineY = removeLeadingZeroes(group.getAffineY().toByteArray()); | |
435 System.arraycopy(affineY, 0, M, 1 + elementSize + elementSize - affineY.length, | |
436 affineY.length); | |
437 } | |
438 return M; | |
439 } | |
440 | |
441 private static byte[] removeLeadingZeroes(byte[] input) { | |
442 if (input[0] != 0x00) { | |
443 return input; | |
444 } | |
445 | |
446 int pos = 1; | |
447 | |
448 while (pos < input.length - 1 && input[pos] == 0x00) { | |
449 pos++; | |
450 } | |
451 | |
452 byte[] output = new byte[input.length - pos]; | |
453 System.arraycopy(input, pos, output, 0, output.length); | |
454 return output; | |
455 } | |
456 | |
457 public static class EllipticCurves { | |
458 public static ECParameterSpec nistp256 = new ECParameterSpec( | |
459 new EllipticCurve( | |
460 new ECFieldFp(new BigInteger("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 16)), | |
461 new BigInteger("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", 16), | |
462 new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16)), | |
463 new ECPoint(new BigInteger("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 16), | |
464 new BigInteger("4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", 16)), | |
465 new BigInteger("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16), | |
466 1); | |
467 | |
468 public static ECParameterSpec nistp384 = new ECParameterSpec( | |
469 new EllipticCurve( | |
470 new ECFieldFp(new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF", 16)), | |
471 new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC", 16), | |
472 new BigInteger("B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF", 16)), | |
473 new ECPoint(new BigInteger("AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", 16), | |
474 new BigInteger("3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F", 16)), | |
475 new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16), | |
476 1); | |
477 | |
478 public static ECParameterSpec nistp521 = new ECParameterSpec( | |
479 new EllipticCurve( | |
480 new ECFieldFp(new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 16)), | |
481 new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 16), | |
482 new BigInteger("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)), | |
483 new ECPoint(new BigInteger("00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", 16), | |
484 new BigInteger("011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", 16)), | |
485 new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16), | |
486 1); | |
487 } | |
488 } |