PssSigner.cs 9.7 KB


  1. #if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR)
  2. using System;
  3. using Org.BouncyCastle.Crypto.Digests;
  4. using Org.BouncyCastle.Crypto.Parameters;
  5. using Org.BouncyCastle.Security;
  6. namespace Org.BouncyCastle.Crypto.Signers
  7. {
  8. /// <summary> RSA-PSS as described in Pkcs# 1 v 2.1.
  9. /// <p>
  10. /// Note: the usual value for the salt length is the number of
  11. /// bytes in the hash function.</p>
  12. /// </summary>
  13. public class PssSigner
  14. : ISigner
  15. {
  16. public const byte TrailerImplicit = (byte)0xBC;
  17. private readonly IDigest contentDigest1, contentDigest2;
  18. private readonly IDigest mgfDigest;
  19. private readonly IAsymmetricBlockCipher cipher;
  20. private SecureRandom random;
  21. private int hLen;
  22. private int mgfhLen;
  23. private int sLen;
  24. private bool sSet;
  25. private int emBits;
  26. private byte[] salt;
  27. private byte[] mDash;
  28. private byte[] block;
  29. private byte trailer;
  30. public static PssSigner CreateRawSigner(
  31. IAsymmetricBlockCipher cipher,
  32. IDigest digest)
  33. {
  34. return new PssSigner(cipher, new NullDigest(), digest, digest, digest.GetDigestSize(), null, TrailerImplicit);
  35. }
  36. public static PssSigner CreateRawSigner(
  37. IAsymmetricBlockCipher cipher,
  38. IDigest contentDigest,
  39. IDigest mgfDigest,
  40. int saltLen,
  41. byte trailer)
  42. {
  43. return new PssSigner(cipher, new NullDigest(), contentDigest, mgfDigest, saltLen, null, trailer);
  44. }
  45. public PssSigner(
  46. IAsymmetricBlockCipher cipher,
  47. IDigest digest)
  48. : this(cipher, digest, digest.GetDigestSize())
  49. {
  50. }
  51. /// <summary>Basic constructor</summary>
  52. /// <param name="cipher">the asymmetric cipher to use.</param>
  53. /// <param name="digest">the digest to use.</param>
  54. /// <param name="saltLen">the length of the salt to use (in bytes).</param>
  55. public PssSigner(
  56. IAsymmetricBlockCipher cipher,
  57. IDigest digest,
  58. int saltLen)
  59. : this(cipher, digest, saltLen, TrailerImplicit)
  60. {
  61. }
  62. /// <summary>Basic constructor</summary>
  63. /// <param name="cipher">the asymmetric cipher to use.</param>
  64. /// <param name="digest">the digest to use.</param>
  65. /// <param name="salt">the fixed salt to be used.</param>
  66. public PssSigner(
  67. IAsymmetricBlockCipher cipher,
  68. IDigest digest,
  69. byte[] salt)
  70. : this(cipher, digest, digest, digest, salt.Length, salt, TrailerImplicit)
  71. {
  72. }
  73. public PssSigner(
  74. IAsymmetricBlockCipher cipher,
  75. IDigest contentDigest,
  76. IDigest mgfDigest,
  77. int saltLen)
  78. : this(cipher, contentDigest, mgfDigest, saltLen, TrailerImplicit)
  79. {
  80. }
  81. public PssSigner(
  82. IAsymmetricBlockCipher cipher,
  83. IDigest contentDigest,
  84. IDigest mgfDigest,
  85. byte[] salt)
  86. : this(cipher, contentDigest, contentDigest, mgfDigest, salt.Length, salt, TrailerImplicit)
  87. {
  88. }
  89. public PssSigner(
  90. IAsymmetricBlockCipher cipher,
  91. IDigest digest,
  92. int saltLen,
  93. byte trailer)
  94. : this(cipher, digest, digest, saltLen, TrailerImplicit)
  95. {
  96. }
  97. public PssSigner(
  98. IAsymmetricBlockCipher cipher,
  99. IDigest contentDigest,
  100. IDigest mgfDigest,
  101. int saltLen,
  102. byte trailer)
  103. : this(cipher, contentDigest, contentDigest, mgfDigest, saltLen, null, trailer)
  104. {
  105. }
  106. private PssSigner(
  107. IAsymmetricBlockCipher cipher,
  108. IDigest contentDigest1,
  109. IDigest contentDigest2,
  110. IDigest mgfDigest,
  111. int saltLen,
  112. byte[] salt,
  113. byte trailer)
  114. {
  115. this.cipher = cipher;
  116. this.contentDigest1 = contentDigest1;
  117. this.contentDigest2 = contentDigest2;
  118. this.mgfDigest = mgfDigest;
  119. this.hLen = contentDigest2.GetDigestSize();
  120. this.mgfhLen = mgfDigest.GetDigestSize();
  121. this.sLen = saltLen;
  122. this.sSet = salt != null;
  123. if (sSet)
  124. {
  125. this.salt = salt;
  126. }
  127. else
  128. {
  129. this.salt = new byte[saltLen];
  130. }
  131. this.mDash = new byte[8 + saltLen + hLen];
  132. this.trailer = trailer;
  133. }
  134. public virtual string AlgorithmName
  135. {
  136. get { return mgfDigest.AlgorithmName + "withRSAandMGF1"; }
  137. }
  138. public virtual void Init(
  139. bool forSigning,
  140. ICipherParameters parameters)
  141. {
  142. if (parameters is ParametersWithRandom)
  143. {
  144. ParametersWithRandom p = (ParametersWithRandom) parameters;
  145. parameters = p.Parameters;
  146. random = p.Random;
  147. }
  148. else
  149. {
  150. if (forSigning)
  151. {
  152. random = new SecureRandom();
  153. }
  154. }
  155. cipher.Init(forSigning, parameters);
  156. RsaKeyParameters kParam;
  157. if (parameters is RsaBlindingParameters)
  158. {
  159. kParam = ((RsaBlindingParameters) parameters).PublicKey;
  160. }
  161. else
  162. {
  163. kParam = (RsaKeyParameters) parameters;
  164. }
  165. emBits = kParam.Modulus.BitLength - 1;
  166. if (emBits < (8 * hLen + 8 * sLen + 9))
  167. throw new ArgumentException("key too small for specified hash and salt lengths");
  168. block = new byte[(emBits + 7) / 8];
  169. }
  170. /// <summary> clear possible sensitive data</summary>
  171. private void ClearBlock(
  172. byte[] block)
  173. {
  174. Array.Clear(block, 0, block.Length);
  175. }
  176. /// <summary> update the internal digest with the byte b</summary>
  177. public virtual void Update(
  178. byte input)
  179. {
  180. contentDigest1.Update(input);
  181. }
  182. /// <summary> update the internal digest with the byte array in</summary>
  183. public virtual void BlockUpdate(
  184. byte[] input,
  185. int inOff,
  186. int length)
  187. {
  188. contentDigest1.BlockUpdate(input, inOff, length);
  189. }
  190. /// <summary> reset the internal state</summary>
  191. public virtual void Reset()
  192. {
  193. contentDigest1.Reset();
  194. }
  195. /// <summary> Generate a signature for the message we've been loaded with using
  196. /// the key we were initialised with.
  197. /// </summary>
  198. public virtual byte[] GenerateSignature()
  199. {
  200. contentDigest1.DoFinal(mDash, mDash.Length - hLen - sLen);
  201. if (sLen != 0)
  202. {
  203. if (!sSet)
  204. {
  205. random.NextBytes(salt);
  206. }
  207. salt.CopyTo(mDash, mDash.Length - sLen);
  208. }
  209. byte[] h = new byte[hLen];
  210. contentDigest2.BlockUpdate(mDash, 0, mDash.Length);
  211. contentDigest2.DoFinal(h, 0);
  212. block[block.Length - sLen - 1 - hLen - 1] = (byte) (0x01);
  213. salt.CopyTo(block, block.Length - sLen - hLen - 1);
  214. byte[] dbMask = MaskGeneratorFunction1(h, 0, h.Length, block.Length - hLen - 1);
  215. for (int i = 0; i != dbMask.Length; i++)
  216. {
  217. block[i] ^= dbMask[i];
  218. }
  219. block[0] &= (byte) ((0xff >> ((block.Length * 8) - emBits)));
  220. h.CopyTo(block, block.Length - hLen - 1);
  221. block[block.Length - 1] = trailer;
  222. byte[] b = cipher.ProcessBlock(block, 0, block.Length);
  223. ClearBlock(block);
  224. return b;
  225. }
  226. /// <summary> return true if the internal state represents the signature described
  227. /// in the passed in array.
  228. /// </summary>
  229. public virtual bool VerifySignature(
  230. byte[] signature)
  231. {
  232. contentDigest1.DoFinal(mDash, mDash.Length - hLen - sLen);
  233. byte[] b = cipher.ProcessBlock(signature, 0, signature.Length);
  234. b.CopyTo(block, block.Length - b.Length);
  235. if (block[block.Length - 1] != trailer)
  236. {
  237. ClearBlock(block);
  238. return false;
  239. }
  240. byte[] dbMask = MaskGeneratorFunction1(block, block.Length - hLen - 1, hLen, block.Length - hLen - 1);
  241. for (int i = 0; i != dbMask.Length; i++)
  242. {
  243. block[i] ^= dbMask[i];
  244. }
  245. block[0] &= (byte) ((0xff >> ((block.Length * 8) - emBits)));
  246. for (int i = 0; i != block.Length - hLen - sLen - 2; i++)
  247. {
  248. if (block[i] != 0)
  249. {
  250. ClearBlock(block);
  251. return false;
  252. }
  253. }
  254. if (block[block.Length - hLen - sLen - 2] != 0x01)
  255. {
  256. ClearBlock(block);
  257. return false;
  258. }
  259. if (sSet)
  260. {
  261. Array.Copy(salt, 0, mDash, mDash.Length - sLen, sLen);
  262. }
  263. else
  264. {
  265. Array.Copy(block, block.Length - sLen - hLen - 1, mDash, mDash.Length - sLen, sLen);
  266. }
  267. contentDigest2.BlockUpdate(mDash, 0, mDash.Length);
  268. contentDigest2.DoFinal(mDash, mDash.Length - hLen);
  269. for (int i = block.Length - hLen - 1, j = mDash.Length - hLen; j != mDash.Length; i++, j++)
  270. {
  271. if ((block[i] ^ mDash[j]) != 0)
  272. {
  273. ClearBlock(mDash);
  274. ClearBlock(block);
  275. return false;
  276. }
  277. }
  278. ClearBlock(mDash);
  279. ClearBlock(block);
  280. return true;
  281. }
  282. /// <summary> int to octet string.</summary>
  283. private void ItoOSP(
  284. int i,
  285. byte[] sp)
  286. {
  287. sp[0] = (byte)((uint) i >> 24);
  288. sp[1] = (byte)((uint) i >> 16);
  289. sp[2] = (byte)((uint) i >> 8);
  290. sp[3] = (byte)((uint) i >> 0);
  291. }
  292. /// <summary> mask generator function, as described in Pkcs1v2.</summary>
  293. private byte[] MaskGeneratorFunction1(
  294. byte[] Z,
  295. int zOff,
  296. int zLen,
  297. int length)
  298. {
  299. byte[] mask = new byte[length];
  300. byte[] hashBuf = new byte[mgfhLen];
  301. byte[] C = new byte[4];
  302. int counter = 0;
  303. mgfDigest.Reset();
  304. while (counter < (length / mgfhLen))
  305. {
  306. ItoOSP(counter, C);
  307. mgfDigest.BlockUpdate(Z, zOff, zLen);
  308. mgfDigest.BlockUpdate(C, 0, C.Length);
  309. mgfDigest.DoFinal(hashBuf, 0);
  310. hashBuf.CopyTo(mask, counter * mgfhLen);
  311. ++counter;
  312. }
  313. if ((counter * mgfhLen) < length)
  314. {
  315. ItoOSP(counter, C);
  316. mgfDigest.BlockUpdate(Z, zOff, zLen);
  317. mgfDigest.BlockUpdate(C, 0, C.Length);
  318. mgfDigest.DoFinal(hashBuf, 0);
  319. Array.Copy(hashBuf, 0, mask, counter * mgfhLen, mask.Length - (counter * mgfhLen));
  320. }
  321. return mask;
  322. }
  323. }
  324. }
  325. #endif