Mercurial > 510Connectbot
diff src/ch/ethz/ssh2/signature/RSASHA1Verify.java @ 273:91a31873c42a ganymed
start conversion from trilead to ganymed
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Fri, 18 Jul 2014 11:21:46 -0700 |
| parents | |
| children | d7e088fa2123 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/ch/ethz/ssh2/signature/RSASHA1Verify.java Fri Jul 18 11:21:46 2014 -0700 @@ -0,0 +1,283 @@ +/* + * Copyright (c) 2006-2011 Christian Plattner. All rights reserved. + * Please refer to the LICENSE.txt for licensing details. + */ +package ch.ethz.ssh2.signature; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.DigestException; + +import ch.ethz.ssh2.PacketFormatException; +import ch.ethz.ssh2.crypto.SimpleDERReader; +import ch.ethz.ssh2.crypto.digest.SHA1; +import ch.ethz.ssh2.log.Logger; +import ch.ethz.ssh2.packets.TypesReader; +import ch.ethz.ssh2.packets.TypesWriter; + +/** + * RSASHA1Verify. + * + * @author Christian Plattner + * @version $Id: RSASHA1Verify.java 154 2014-04-28 11:45:02Z dkocher@sudo.ch $ + */ +public class RSASHA1Verify { + private static final Logger log = Logger.getLogger(RSASHA1Verify.class); + + public static RSAPublicKey decodeSSHRSAPublicKey(byte[] key) throws IOException { + TypesReader tr = new TypesReader(key); + + String key_format = tr.readString(); + + if(!key_format.equals("ssh-rsa")) { + throw new IllegalArgumentException("Not a ssh-rsa public key"); + } + + BigInteger e = tr.readMPINT(); + BigInteger n = tr.readMPINT(); + + if(tr.remain() != 0) { + throw new PacketFormatException("Padding in RSA public key"); + } + + return new RSAPublicKey(e, n); + } + + public static byte[] encodeSSHRSAPublicKey(RSAPublicKey pk) throws IOException { + TypesWriter tw = new TypesWriter(); + + tw.writeString("ssh-rsa"); + tw.writeMPInt(pk.getE()); + tw.writeMPInt(pk.getN()); + + return tw.getBytes(); + } + + public static RSASignature decodeSSHRSASignature(byte[] sig) throws IOException { + TypesReader tr = new TypesReader(sig); + + String sig_format = tr.readString(); + + if(!sig_format.equals("ssh-rsa")) { + throw new PacketFormatException("Peer sent wrong signature format"); + } + + /* S is NOT an MPINT. "The value for 'rsa_signature_blob' is encoded as a string + * containing s (which is an integer, without lengths or padding, unsigned and in + * network byte order)." See also below. + */ + + byte[] s = tr.readByteString(); + + if(s.length == 0) { + throw new PacketFormatException("Error in RSA signature, S is empty."); + } + + if(log.isDebugEnabled()) { + log.debug("Decoding ssh-rsa signature string (length: " + s.length + ")"); + } + + if(tr.remain() != 0) { + throw new PacketFormatException("Padding in RSA signature!"); + } + + return new RSASignature(new BigInteger(1, s)); + } + + public static byte[] encodeSSHRSASignature(RSASignature sig) throws IOException { + TypesWriter tw = new TypesWriter(); + + tw.writeString("ssh-rsa"); + + /* S is NOT an MPINT. "The value for 'rsa_signature_blob' is encoded as a string + * containing s (which is an integer, without lengths or padding, unsigned and in + * network byte order)." + */ + + byte[] s = sig.getS().toByteArray(); + + /* Remove first zero sign byte, if present */ + + if((s.length > 1) && (s[0] == 0x00)) { + tw.writeString(s, 1, s.length - 1); + } + else { + tw.writeString(s, 0, s.length); + } + + return tw.getBytes(); + } + + public static RSASignature generateSignature(byte[] message, RSAPrivateKey pk) throws IOException { + SHA1 md = new SHA1(); + md.update(message); + byte[] sha_message = new byte[md.getDigestLength()]; + try { + md.digest(sha_message); + } + catch(DigestException e) { + throw new IOException(e); + } + + byte[] der_header = new byte[]{0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, + 0x04, 0x14}; + + int rsa_block_len = (pk.getN().bitLength() + 7) / 8; + + int num_pad = rsa_block_len - (2 + der_header.length + sha_message.length) - 1; + + if(num_pad < 8) { + throw new PacketFormatException("Cannot sign with RSA, message too long"); + } + + byte[] sig = new byte[der_header.length + sha_message.length + 2 + num_pad]; + + sig[0] = 0x01; + + for(int i = 0; i < num_pad; i++) { + sig[i + 1] = (byte) 0xff; + } + + sig[num_pad + 1] = 0x00; + + System.arraycopy(der_header, 0, sig, 2 + num_pad, der_header.length); + System.arraycopy(sha_message, 0, sig, 2 + num_pad + der_header.length, sha_message.length); + + BigInteger m = new BigInteger(1, sig); + + BigInteger s = m.modPow(pk.getD(), pk.getN()); + + return new RSASignature(s); + } + + public static boolean verifySignature(byte[] message, RSASignature ds, RSAPublicKey dpk) throws IOException { + SHA1 md = new SHA1(); + md.update(message); + byte[] sha_message = new byte[md.getDigestLength()]; + try { + md.digest(sha_message); + } + catch(DigestException e) { + throw new IOException(e); + } + + BigInteger n = dpk.getN(); + BigInteger e = dpk.getE(); + BigInteger s = ds.getS(); + + if(n.compareTo(s) <= 0) { + log.warning("ssh-rsa signature: n.compareTo(s) <= 0"); + return false; + } + + int rsa_block_len = (n.bitLength() + 7) / 8; + + /* And now the show begins */ + + if(rsa_block_len < 1) { + log.warning("ssh-rsa signature: rsa_block_len < 1"); + return false; + } + + byte[] v = s.modPow(e, n).toByteArray(); + + int startpos = 0; + + if((v.length > 0) && (v[0] == 0x00)) { + startpos++; + } + + if((v.length - startpos) != (rsa_block_len - 1)) { + log.warning("ssh-rsa signature: (v.length - startpos) != (rsa_block_len - 1)"); + return false; + } + + if(v[startpos] != 0x01) { + log.warning("ssh-rsa signature: v[startpos] != 0x01"); + return false; + } + + int pos = startpos + 1; + + while(true) { + if(pos >= v.length) { + log.warning("ssh-rsa signature: pos >= v.length"); + return false; + } + if(v[pos] == 0x00) { + break; + } + if(v[pos] != (byte) 0xff) { + log.warning("ssh-rsa signature: v[pos] != (byte) 0xff"); + return false; + } + pos++; + } + + int num_pad = pos - (startpos + 1); + + if(num_pad < 8) { + log.warning("ssh-rsa signature: num_pad < 8"); + return false; + } + + pos++; + + if(pos >= v.length) { + log.warning("ssh-rsa signature: pos >= v.length"); + return false; + } + + SimpleDERReader dr = new SimpleDERReader(v, pos, v.length - pos); + + byte[] seq = dr.readSequenceAsByteArray(); + + if(dr.available() != 0) { + log.warning("ssh-rsa signature: dr.available() != 0"); + return false; + } + + dr.resetInput(seq); + + /* Read digestAlgorithm */ + + byte digestAlgorithm[] = dr.readSequenceAsByteArray(); + + /* Inspired by RFC 3347, however, ignoring the comment regarding old BER based implementations */ + + if((digestAlgorithm.length < 8) || (digestAlgorithm.length > 9)) { + log.warning("ssh-rsa signature: (digestAlgorithm.length < 8) || (digestAlgorithm.length > 9)"); + return false; + } + + byte[] digestAlgorithm_sha1 = new byte[]{0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00}; + + for(int i = 0; i < digestAlgorithm.length; i++) { + if(digestAlgorithm[i] != digestAlgorithm_sha1[i]) { + log.warning("ssh-rsa signature: digestAlgorithm[i] != digestAlgorithm_sha1[i]"); + return false; + } + } + + byte[] digest = dr.readOctetString(); + + if(dr.available() != 0) { + log.warning("ssh-rsa signature: dr.available() != 0 (II)"); + return false; + } + + if(digest.length != sha_message.length) { + log.warning("ssh-rsa signature: digest.length != sha_message.length"); + return false; + } + + for(int i = 0; i < sha_message.length; i++) { + if(sha_message[i] != digest[i]) { + log.warning("ssh-rsa signature: sha_message[i] != digest[i]"); + return false; + } + } + + return true; + } +}