protected byte[] engineSign() throws SignatureException {
byte[] hash = new byte[digest.getDigestSize()];
digest.doFinal(hash, 0);
try {
byte[] sigBytes = new byte[64];
BigInteger[] sig = signer.generateSignature(hash);
byte[] r = sig[0].toByteArray();
byte[] s = sig[1].toByteArray();
if (s[0] != 0) {
System.arraycopy(s, 0, sigBytes, 32 - s.length, s.length);
} else {
System.arraycopy(s, 1, sigBytes, 32 - (s.length - 1), s.length - 1);
}
if (r[0] != 0) {
System.arraycopy(r, 0, sigBytes, 64 - r.length, r.length);
} else {
System.arraycopy(r, 1, sigBytes, 64 - (r.length - 1), r.length - 1);
}
return sigBytes;
} catch (Exception e) {
throw new SignatureException(e.toString());
}
}
public static byte[] hashContents(byte[] contents) {
final Digest digest = new SHA256Digest();
digest.update(contents, 0, contents.length);
final byte[] digestValue = new byte[digest.getDigestSize()];
digest.doFinal(digestValue, 0);
return digestValue;
}
private void appendHash(BitString m, byte[] hash) {
hashAlg.update(seed, 0, seed.length);
putInt(hashAlg, counter);
hashAlg.doFinal(hash, 0);
m.appendBits(hash);
}
/**
* Some key wrap algorithms make use of the Key Checksum defined in CMS [CMS-Algorithms]. This is
* used to provide an integrity check value for the key being wrapped. The algorithm is
*
* <p>- Compute the 20 octet SHA-1 hash on the key being wrapped. - Use the first 8 octets of this
* hash as the checksum value.
*
* @param key
* @return the CMS checksum.
* @throws RuntimeException
* @see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
*/
private byte[] calculateCMSKeyChecksum(byte[] key) {
byte[] result = new byte[8];
sha1.update(key, 0, key.length);
sha1.doFinal(digest, 0);
System.arraycopy(digest, 0, result, 0, 8);
return result;
}
/**
* Computes the digest for the given data in a single operation.
*
* @param input Data to be digested.
* @return Message digest as byte array.
*/
public byte[] digest(final byte[] input) {
if (salt != null) {
digest.update(salt, 0, salt.length);
}
digest.update(input, 0, input.length);
final byte[] hash = new byte[digest.getDigestSize()];
digest.doFinal(hash, 0);
return hash;
}
/** generate a signature for the loaded message using the key we were initialised with. */
public byte[] generateSignature() throws CryptoException {
int digSize = digest.getDigestSize();
int t = 0;
int delta = 0;
if (trailer == TRAILER_IMPLICIT) {
t = 8;
delta = block.length - digSize - 1;
digest.doFinal(block, delta);
block[block.length - 1] = (byte) TRAILER_IMPLICIT;
} else {
t = 16;
delta = block.length - digSize - 2;
digest.doFinal(block, delta);
block[block.length - 2] = (byte) (trailer >>> 8);
block[block.length - 1] = (byte) trailer;
}
byte header = 0;
int x = (digSize + messageLength) * 8 + t + 4 - keyBits;
if (x > 0) {
int mR = messageLength - ((x + 7) / 8);
header = 0x60;
delta -= mR;
System.arraycopy(mBuf, 0, block, delta, mR);
} else {
header = 0x40;
delta -= messageLength;
System.arraycopy(mBuf, 0, block, delta, messageLength);
}
if ((delta - 1) > 0) {
for (int i = delta - 1; i != 0; i--) {
block[i] = (byte) 0xbb;
}
block[delta - 1] ^= (byte) 0x01;
block[0] = (byte) 0x0b;
block[0] |= header;
} else {
block[0] = (byte) 0x0a;
block[0] |= header;
}
byte[] b = cipher.processBlock(block, 0, block.length);
clearBlock(mBuf);
clearBlock(block);
return b;
}
private void testDetachedRSA() throws Exception {
Digest md = new SHA1Digest();
List certList = new ArrayList();
CMSTypedData msg = new CMSProcessableByteArray("Hello world!".getBytes());
certList.add(_origCert);
certList.add(_signCert);
Store certs = new CollectionStore(certList);
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
byte[] digValue = new byte[md.getDigestSize()];
byte[] data = "Hello world!".getBytes();
md.update(data, 0, data.length);
md.doFinal(digValue, 0);
Attribute attr =
new Attribute(CMSAttributes.messageDigest, new DERSet(new DEROctetString(digValue)));
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(attr);
AsymmetricKeyParameter privKey = (AsymmetricKeyParameter) _origKP.getPrivate();
AlgorithmIdentifier sigAlgId =
new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
BcContentSignerBuilder contentSignerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId);
gen.addSignerInfoGenerator(
new SignerInfoGeneratorBuilder(new BcDigestCalculatorProvider())
.setSignedAttributeGenerator(
new DefaultSignedAttributeTableGenerator(new AttributeTable(v)))
.build(contentSignerBuilder.build(privKey), _origCert));
gen.addCertificates(certs);
CMSSignedData s = gen.generate(new CMSAbsentContent(), false);
//
// the signature is detached, so need to add msg before passing on
//
s = new CMSSignedData(msg, s.getEncoded());
//
// compute expected content digest
//
verifyRSASignatures(s, digValue);
}
public boolean isPublicKeyBlackListed(PublicKey publicKey) {
byte[] encoded = publicKey.getEncoded();
Digest digest = AndroidDigestFactory.getSHA1();
digest.update(encoded, 0, encoded.length);
byte[] out = new byte[digest.getDigestSize()];
digest.doFinal(out, 0);
for (byte[] blacklisted : pubkeyBlacklist) {
if (Arrays.equals(blacklisted, Hex.encode(out))) {
return true;
}
}
return false;
}
/**
* Calculates the MacKey (i.e. the key to use when calculating the MagTag for key confirmation).
*
* <p>
*
* <p>
*
* <pre>
* MacKey = H(K || "JPAKE_KC")
* </pre>
*/
private static byte[] calculateMacKey(BigInteger keyingMaterial, Digest digest) {
digest.reset();
updateDigest(digest, keyingMaterial);
/*
* This constant is used to ensure that the macKey is NOT the same as the derived key.
*/
updateDigest(digest, "JPAKE_KC");
byte[] output = new byte[digest.getDigestSize()];
digest.doFinal(output, 0);
return output;
}
protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
CipherParameters param;
if (publicKey instanceof ECPublicKey) {
param = ECUtil.generatePublicKeyParameter(publicKey);
} else if (publicKey instanceof GOST3410Key) {
param = GOST3410Util.generatePublicKeyParameter(publicKey);
} else {
try {
byte[] bytes = publicKey.getEncoded();
publicKey = BouncyCastleProvider.getPublicKey(SubjectPublicKeyInfo.getInstance(bytes));
if (publicKey instanceof ECPublicKey) {
param = ECUtil.generatePublicKeyParameter(publicKey);
} else {
throw new InvalidKeyException("can't recognise key type in DSA based signer");
}
} catch (Exception e) {
throw new InvalidKeyException("can't recognise key type in DSA based signer");
}
}
digest.reset();
signer.init(false, param);
}
private static BigInteger calculateGenerator_FIPS186_3_Verifiable(
Digest d, BigInteger p, BigInteger q, byte[] seed, int index) {
// A.2.3 Verifiable Canonical Generation of the Generator g
BigInteger e = p.subtract(ONE).divide(q);
byte[] ggen = Hex.decode("6767656E");
// 7. U = domain_parameter_seed || "ggen" || index || count.
byte[] U = new byte[seed.length + ggen.length + 1 + 2];
System.arraycopy(seed, 0, U, 0, seed.length);
System.arraycopy(ggen, 0, U, seed.length, ggen.length);
U[U.length - 3] = (byte) index;
byte[] w = new byte[d.getDigestSize()];
for (int count = 1; count < (1 << 16); ++count) {
inc(U);
hash(d, U, w);
BigInteger W = new BigInteger(1, w);
BigInteger g = W.modPow(e, p);
if (g.compareTo(TWO) >= 0) {
return g;
}
}
return null;
}
// TODO
public GMSSSigner(GMSSDigestProvider digest) {
digestProvider = digest;
messDigestTrees = digest.get();
messDigestOTS = messDigestTrees;
mdLength = messDigestTrees.getDigestSize();
gmssRandom = new GMSSRandom(messDigestTrees);
}
public void init(boolean forSigning, CipherParameters param) {
RSAKeyParameters kParam = (RSAKeyParameters) param;
cipher.init(forSigning, kParam);
keyBits = kParam.getModulus().bitLength();
block = new byte[(keyBits + 7) / 8];
if (trailer == TRAILER_IMPLICIT) {
mBuf = new byte[block.length - digest.getDigestSize() - 2];
} else {
mBuf = new byte[block.length - digest.getDigestSize() - 3];
}
reset();
}
private static BigInteger calculateHashForZeroKnowledgeProof(
BigInteger g, BigInteger gr, BigInteger gx, String participantId, Digest digest) {
digest.reset();
updateDigestIncludingSize(digest, g);
updateDigestIncludingSize(digest, gr);
updateDigestIncludingSize(digest, gx);
updateDigestIncludingSize(digest, participantId);
byte[] output = new byte[digest.getDigestSize()];
digest.doFinal(output, 0);
return new BigInteger(output);
}
/** Initializes the signature algorithm for signing a message. */
private void initSign() {
messDigestTrees.reset();
// set private key and take from it ots key, auth, tree and key
// counter, rootSign
GMSSPrivateKeyParameters gmssPrivateKey = (GMSSPrivateKeyParameters) key;
if (gmssPrivateKey.isUsed()) {
throw new IllegalStateException("Private key already used");
}
// check if last signature has been generated
if (gmssPrivateKey.getIndex(0) >= gmssPrivateKey.getNumLeafs(0)) {
throw new IllegalStateException("No more signatures can be generated");
}
// get Parameterset
this.gmssPS = gmssPrivateKey.getParameters();
// get numLayer
this.numLayer = gmssPS.getNumOfLayers();
// get OTS Instance of lowest layer
byte[] seed = gmssPrivateKey.getCurrentSeeds()[numLayer - 1];
byte[] OTSSeed = new byte[mdLength];
byte[] dummy = new byte[mdLength];
System.arraycopy(seed, 0, dummy, 0, mdLength);
OTSSeed =
gmssRandom.nextSeed(
dummy); // secureRandom.nextBytes(currentSeeds[currentSeeds.length-1]);secureRandom.nextBytes(OTSseed);
this.ots =
new WinternitzOTSignature(
OTSSeed, digestProvider.get(), gmssPS.getWinternitzParameter()[numLayer - 1]);
byte[][][] helpCurrentAuthPaths = gmssPrivateKey.getCurrentAuthPaths();
currentAuthPaths = new byte[numLayer][][];
// copy the main tree authentication path
for (int j = 0; j < numLayer; j++) {
currentAuthPaths[j] = new byte[helpCurrentAuthPaths[j].length][mdLength];
for (int i = 0; i < helpCurrentAuthPaths[j].length; i++) {
System.arraycopy(helpCurrentAuthPaths[j][i], 0, currentAuthPaths[j][i], 0, mdLength);
}
}
// copy index
index = new int[numLayer];
System.arraycopy(gmssPrivateKey.getIndex(), 0, index, 0, numLayer);
// copy subtreeRootSig
byte[] helpSubtreeRootSig;
subtreeRootSig = new byte[numLayer - 1][];
for (int i = 0; i < numLayer - 1; i++) {
helpSubtreeRootSig = gmssPrivateKey.getSubtreeRootSig(i);
subtreeRootSig[i] = new byte[helpSubtreeRootSig.length];
System.arraycopy(helpSubtreeRootSig, 0, subtreeRootSig[i], 0, helpSubtreeRootSig.length);
}
gmssPrivateKey.markUsed();
}
/** update the internal digest with the byte b */
public void update(byte b) {
digest.update(b);
if (preSig == null && messageLength < mBuf.length) {
mBuf[messageLength] = b;
}
messageLength++;
}
/**
* Computes the digest for all the data in the stream by reading data and hashing it in chunks.
*
* @param in Input stream containing data to be digested.
* @return Message digest as byte array.
* @throws IOException On input stream read errors.
*/
public byte[] digest(final InputStream in) throws IOException {
if (in == null) {
throw new IllegalArgumentException("Input stream cannot be null.");
}
final byte[] buffer = new byte[CHUNK_SIZE];
int count;
if (salt != null) {
digest.update(salt, 0, salt.length);
}
while ((count = in.read(buffer, 0, CHUNK_SIZE)) > 0) {
digest.update(buffer, 0, count);
}
final byte[] hash = new byte[digest.getDigestSize()];
digest.doFinal(hash, 0);
return hash;
}
/** Initializes the signature algorithm for verifying a signature. */
private void initVerify() {
messDigestTrees.reset();
GMSSPublicKeyParameters gmssPublicKey = (GMSSPublicKeyParameters) key;
pubKeyBytes = gmssPublicKey.getPublicKey();
gmssPS = gmssPublicKey.getParameters();
// get numLayer
this.numLayer = gmssPS.getNumOfLayers();
}
/** update the internal digest with the byte array in */
public void update(byte[] in, int off, int len) {
digest.update(in, off, len);
if (preSig == null && messageLength < mBuf.length) {
for (int i = 0; i < len && (i + messageLength) < mBuf.length; i++) {
mBuf[messageLength + i] = in[off + i];
}
}
messageLength += len;
}
/**
* fill len bytes of the output buffer with bytes generated from the derivation function.
*
* @throws IllegalArgumentException if the size of the request will cause an overflow.
* @throws DataLengthException if the out buffer is too small.
*/
public int generateBytes(byte[] out, int outOff, int len)
throws DataLengthException, IllegalArgumentException {
if ((out.length - len) < outOff) {
throw new DataLengthException("output buffer too small");
}
long oBytes = len;
int outLen = digest.getDigestSize();
//
// this is at odds with the standard implementation, the
// maximum value should be hBits * (2^32 - 1) where hBits
// is the digest output size in bits. We can't have an
// array with a long index at the moment...
//
if (oBytes > ((2L << 32) - 1)) {
throw new IllegalArgumentException("Output length too large");
}
int cThreshold = (int) ((oBytes + outLen - 1) / outLen);
byte[] dig = new byte[digest.getDigestSize()];
byte[] C = new byte[4];
Pack.intToBigEndian(counterStart, C, 0);
int counterBase = counterStart & ~0xFF;
for (int i = 0; i < cThreshold; i++) {
digest.update(shared, 0, shared.length);
digest.update(C, 0, C.length);
if (iv != null) {
digest.update(iv, 0, iv.length);
}
digest.doFinal(dig, 0);
if (len > outLen) {
System.arraycopy(dig, 0, out, outOff, outLen);
outOff += outLen;
len -= outLen;
} else {
System.arraycopy(dig, 0, out, outOff, len);
}
if (++C[3] == 0) {
counterBase += 0x100;
Pack.intToBigEndian(counterBase, C, 0);
}
}
digest.reset();
return (int) oBytes;
}
/**
* Generate a key parameter derived from the password, salt, and iteration count we are currently
* initialised with.
*
* @param keySize the size of the key we want (in bits)
* @return a KeyParameter object.
* @exception IllegalArgumentException if the key length larger than the base hash size.
*/
public CipherParameters generateDerivedParameters(int keySize) {
keySize = keySize / 8;
if (keySize > digest.getDigestSize()) {
throw new IllegalArgumentException(
"Can't generate a derived key " + keySize + " bytes long.");
}
byte[] dKey = generateDerivedKey();
return new KeyParameter(dKey, 0, keySize);
}
/** reset the internal state */
public void reset() {
digest.reset();
messageLength = 0;
clearBlock(mBuf);
if (recoveredMessage != null) {
clearBlock(recoveredMessage);
}
recoveredMessage = null;
fullMessage = false;
}
/**
* Returns a number <code>i</code> such that <code>0 <= i < N</code>.
*
* @return
*/
int nextIndex() {
if (!initialized) {
buf = new BitString();
byte[] hash = new byte[hashAlg.getDigestSize()];
while (counter < minCallsR) {
appendHash(buf, hash);
counter++;
}
totLen = minCallsR * 8 * hLen;
remLen = totLen;
initialized = true;
}
while (true) {
totLen += c;
BitString M = buf.getTrailing(remLen);
if (remLen < c) {
int tmpLen = c - remLen;
int cThreshold = counter + (tmpLen + hLen - 1) / hLen;
byte[] hash = new byte[hashAlg.getDigestSize()];
while (counter < cThreshold) {
appendHash(M, hash);
counter++;
if (tmpLen > 8 * hLen) {
tmpLen -= 8 * hLen;
}
}
remLen = 8 * hLen - tmpLen;
buf = new BitString();
buf.appendBits(hash);
} else {
remLen -= c;
}
int i = M.getLeadingAsInt(c); // assume c<32
if (i < (1 << c) - ((1 << c) % N)) {
return i % N;
}
}
}
// 1. m = [requested_number_of_bits / outlen]
// 2. data = V.
// 3. W = the Null string.
// 4. For i = 1 to m
// 4.1 wi = Hash (data).
// 4.2 W = W || wi.
// 4.3 data = (data + 1) mod 2^seedlen
// .
// 5. returned_bits = Leftmost (requested_no_of_bits) bits of W.
private byte[] hashgen(byte[] input, int lengthInBits) {
int digestSize = _digest.getDigestSize();
int m = (lengthInBits / 8) / digestSize;
byte[] data = new byte[input.length];
System.arraycopy(input, 0, data, 0, input.length);
byte[] W = new byte[lengthInBits / 8];
byte[] dig = new byte[_digest.getDigestSize()];
for (int i = 0; i <= m; i++) {
doHash(data, dig);
int bytesToCopy =
((W.length - i * dig.length) > dig.length) ? dig.length : (W.length - i * dig.length);
System.arraycopy(dig, 0, W, i * dig.length, bytesToCopy);
addTo(data, ONE);
}
return W;
}
/**
* Constructs a new index generator.
*
* @param seed a seed of arbitrary length to initialize the index generator with
* @param params NtruEncrypt parameters
*/
IndexGenerator(byte[] seed, NTRUEncryptionParameters params) {
this.seed = seed;
N = params.N;
c = params.c;
minCallsR = params.minCallsR;
totLen = 0;
remLen = 0;
counter = 0;
hashAlg = params.hashAlg;
hLen = hashAlg.getDigestSize(); // hash length
initialized = false;
}
protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
byte[] hash = new byte[digest.getDigestSize()];
digest.doFinal(hash, 0);
BigInteger[] sig;
try {
byte[] r = new byte[32];
byte[] s = new byte[32];
System.arraycopy(sigBytes, 0, s, 0, 32);
System.arraycopy(sigBytes, 32, r, 0, 32);
sig = new BigInteger[2];
sig[0] = new BigInteger(1, r);
sig[1] = new BigInteger(1, s);
} catch (Exception e) {
throw new SignatureException("error decoding signature bytes.");
}
return signer.verifySignature(hash, sig[0], sig[1]);
}
/**
* Generate a signer for the with either implicit or explicit trailers for ISO9796-2.
*
* @param cipher base cipher to use for signature creation/verification
* @param digest digest to use.
* @param implicit whether or not the trailer is implicit or gives the hash.
*/
public ISO9796d2Signer(AsymmetricBlockCipher cipher, Digest digest, boolean implicit) {
this.cipher = cipher;
this.digest = digest;
if (implicit) {
trailer = TRAILER_IMPLICIT;
} else {
Integer trailerObj = (Integer) trailerMap.get(digest.getAlgorithmName());
if (trailerObj != null) {
trailer = trailerObj.intValue();
} else {
throw new IllegalArgumentException("no valid trailer for digest");
}
}
}
public byte[] calculateFingerprint(PublicKeyPacket publicPk) throws PGPException {
BCPGKey key = publicPk.getKey();
Digest digest;
if (publicPk.getVersion() <= 3) {
RSAPublicBCPGKey rK = (RSAPublicBCPGKey) key;
try {
digest = new MD5Digest();
byte[] bytes = new MPInteger(rK.getModulus()).getEncoded();
digest.update(bytes, 2, bytes.length - 2);
bytes = new MPInteger(rK.getPublicExponent()).getEncoded();
digest.update(bytes, 2, bytes.length - 2);
} catch (IOException e) {
throw new PGPException("can't encode key components: " + e.getMessage(), e);
}
} else {
try {
byte[] kBytes = publicPk.getEncodedContents();
digest = new SHA1Digest();
digest.update((byte) 0x99);
digest.update((byte) (kBytes.length >> 8));
digest.update((byte) kBytes.length);
digest.update(kBytes, 0, kBytes.length);
} catch (IOException e) {
throw new PGPException("can't encode key components: " + e.getMessage(), e);
}
}
byte[] digBuf = new byte[digest.getDigestSize()];
digest.doFinal(digBuf, 0);
return digBuf;
}
protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
CipherParameters param;
if (privateKey instanceof ECKey) {
param = ECUtil.generatePrivateKeyParameter(privateKey);
} else {
param = GOST3410Util.generatePrivateKeyParameter(privateKey);
}
digest.reset();
if (random != null) {
signer.init(true, new ParametersWithRandom(param, random));
} else {
signer.init(true, param);
}
}
/** the derived key function, the ith hash of the password and the salt. */
private byte[] generateDerivedKey() {
byte[] digestBytes = new byte[digest.getDigestSize()];
digest.update(password, 0, password.length);
digest.update(salt, 0, salt.length);
digest.doFinal(digestBytes, 0);
for (int i = 1; i < iterationCount; i++) {
digest.update(digestBytes, 0, digestBytes.length);
digest.doFinal(digestBytes, 0);
}
return digestBytes;
}
