stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8302233: HSS/LMS: keytool and jarsigner changes

Browse Source 
Reviewed-by: mullan
This commit is contained in:
Weijun Wang 2023-11-30 19:14:29 +00:00
parent 7ad700596f
commit 0a60b0f99e
10 changed files with 120 additions and 118 deletions
src
java.base/share/classes/sun/security
pkcs
PKCS7.javaSignerInfo.java
util
KeyUtil.javaSignatureFileVerifier.javaSignatureUtil.java
jdk.jartool/share/classes
jdk/security/jarsigner
JarSigner.java
sun/security/tools/jarsigner
Main.java
test
jdk/sun/security/pkcs/pkcs7
NewSigAlg.javaTwoHash.java
lib/jdk/test/lib/security/timestamp
TsaSigner.java

65
src/java.base/share/classes/sun/security/pkcs/PKCS7.java

@ -720,7 +720,7 @@ public class PKCS7 {
*
* @param sigalg signature algorithm to be used
* @param sigProvider (optional) provider
* @param privateKey signer's private ky
* @param privateKey signer's private key
* @param signerChain signer's certificate chain
* @param content the content to sign
* @param internalsf whether the content should be included in output
@ -732,7 +732,7 @@ public class PKCS7 {
* @throws IOException should not happen here, all byte array
* @throws NoSuchAlgorithmException if siglag is bad
*/
public static byte[] generateNewSignedData(
public static byte[] generateSignedData(
String sigalg, Provider sigProvider,
PrivateKey privateKey, X509Certificate[] signerChain,
byte[] content, boolean internalsf, boolean directsign,
@ -743,7 +743,7 @@ public class PKCS7 {
Signature signer = SignatureUtil.fromKey(sigalg, privateKey, sigProvider);
AlgorithmId digAlgID = SignatureUtil.getDigestAlgInPkcs7SignerInfo(
signer, sigalg, privateKey, directsign);
signer, sigalg, privateKey, signerChain[0].getPublicKey(), directsign);
AlgorithmId sigAlgID = SignatureUtil.fromSignature(signer, privateKey);
PKCS9Attributes authAttrs = null;
@ -837,65 +837,6 @@ public class PKCS7 {
return p7out.toByteArray();
}
/**
* Assembles a PKCS #7 signed data message that optionally includes a
* signature timestamp.
*
* @param signature the signature bytes
* @param signerChain the signer's X.509 certificate chain
* @param content the content that is signed; specify null to not include
* it in the PKCS7 data
* @param signatureAlgorithm the name of the signature algorithm
* @param tsaURI the URI of the Timestamping Authority; or null if no
* timestamp is requested
* @param tSAPolicyID the TSAPolicyID of the Timestamping Authority as a
* numerical object identifier; or null if we leave the TSA server
* to choose one. This argument is only used when tsaURI is provided
* @return the bytes of the encoded PKCS #7 signed data message
* @throws NoSuchAlgorithmException The exception is thrown if the signature
* algorithm is unrecognised.
* @throws CertificateException The exception is thrown if an error occurs
* while processing the signer's certificate or the TSA's
* certificate.
* @throws IOException The exception is thrown if an error occurs while
* generating the signature timestamp or while generating the signed
* data message.
*/
@Deprecated(since="16", forRemoval=true)
public static byte[] generateSignedData(byte[] signature,
X509Certificate[] signerChain,
byte[] content,
String signatureAlgorithm,
URI tsaURI,
String tSAPolicyID,
String tSADigestAlg)
throws CertificateException, IOException, NoSuchAlgorithmException
{
// Generate the timestamp token
PKCS9Attributes unauthAttrs = null;
if (tsaURI != null) {
// Timestamp the signature
HttpTimestamper tsa = new HttpTimestamper(tsaURI);
byte[] tsToken = generateTimestampToken(
tsa, tSAPolicyID, tSADigestAlg, signature);
// Insert the timestamp token into the PKCS #7 signer info element
// (as an unsigned attribute)
unauthAttrs =
new PKCS9Attributes(new PKCS9Attribute[]{
new PKCS9Attribute(
PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID,
tsToken)});
}
return constructToken(signature, signerChain, content,
null,
unauthAttrs,
AlgorithmId.get(SignatureUtil.extractDigestAlgFromDwithE(signatureAlgorithm)),
AlgorithmId.get(signatureAlgorithm));
}
/**
* Examine the certificate for a Subject Information Access extension
* (<a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>).

66
src/java.base/share/classes/sun/security/pkcs/SignerInfo.java

@ -398,8 +398,7 @@ public class SignerInfo implements DerEncoder {
// to form signing algorithm. See makeSigAlg for details.
String sigAlgName = makeSigAlg(
digestAlgorithmId,
digestEncryptionAlgorithmId,
authenticatedAttributes == null);
digestEncryptionAlgorithmId);
KnownOIDs oid = KnownOIDs.findMatch(sigAlgName);
if (oid != null) {
@ -422,6 +421,12 @@ public class SignerInfo implements DerEncoder {
+ "critical extension(s)");
}
algorithmsConformanceCheck(
digestAlgorithmId,
digestEncryptionAlgorithmId,
key,
authenticatedAttributes == null);
// Make sure that if the usage of the key in the certificate is
// restricted, it can be used for digital signatures.
// XXX We may want to check for additional extensions in the
@ -471,26 +476,17 @@ public class SignerInfo implements DerEncoder {
}
/**
* Derives the signature algorithm name from the digest algorithm
* and the encryption algorithm inside a PKCS7 SignerInfo.
*
* The digest algorithm is in the form "DIG", and the encryption
* algorithm can be in any of the 3 forms:
*
* 1. Old style key algorithm like RSA, DSA, EC, this method returns
* DIGwithKEY.
* 2. New style signature algorithm in the form of HASHwithKEY, this
* method returns DIGwithKEY. Please note this is not HASHwithKEY.
* 3. Modern signature algorithm like RSASSA-PSS and EdDSA, this method
* returns the signature algorithm itself but ensures digAlgId is
* compatible with the algorithm as described in RFC 4056 and 8419.
* Checks if the digest algorithm and encryption algorithm combination
* inside a PKCS7 SignerInfo is legal.
*
* @param digAlgId the digest algorithm
* @param encAlgId the encryption algorithm
* @param key the public key for verification
* @param directSign whether the signature is calculated on the content
* directly. This makes difference for Ed448.
*/
public static String makeSigAlg(AlgorithmId digAlgId, AlgorithmId encAlgId,
private static void algorithmsConformanceCheck(
AlgorithmId digAlgId, AlgorithmId encAlgId, PublicKey key,
boolean directSign) throws NoSuchAlgorithmException {
String encAlg = encAlgId.getName();
switch (encAlg) {
@ -509,12 +505,12 @@ public class SignerInfo implements DerEncoder {
if (!AlgorithmId.get(spec.getDigestAlgorithm()).equals(digAlgId)) {
throw new NoSuchAlgorithmException("Incompatible digest algorithm");
}
return encAlg;
break;
case "Ed25519":
if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.sha512)) {
throw new NoSuchAlgorithmException("Incompatible digest algorithm");
}
return encAlg;
break;
case "Ed448":
if (directSign) {
if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.shake256)) {
@ -525,6 +521,40 @@ public class SignerInfo implements DerEncoder {
throw new NoSuchAlgorithmException("Incompatible digest algorithm");
}
}
break;
case "HSS/LMS":
// RFC 8708 requires the same hash algorithm used as in the HSS/LMS algorithm
if (!digAlgId.equals(AlgorithmId.get(KeyUtil.hashAlgFromHSS(key)))) {
throw new NoSuchAlgorithmException("Incompatible digest algorithm");
}
break;
}
}
/**
* Derives the signature algorithm name from the digest algorithm
* and the encryption algorithm inside a PKCS7 SignerInfo.
*
* The digest algorithm is in the form "DIG", and the encryption
* algorithm can be in any of the 3 forms:
*
* 1. Old style key algorithm like RSA, DSA, EC, this method returns
* DIGwithKEY.
* 2. New style signature algorithm in the form of HASHwithKEY, this
* method returns DIGwithKEY. Please note this is not HASHwithKEY.
* 3. Modern signature algorithm like RSASSA-PSS and EdDSA, this method
* returns the signature algorithm itself.
*
* @param digAlgId the digest algorithm
* @param encAlgId the encryption algorithm
*/
public static String makeSigAlg(AlgorithmId digAlgId, AlgorithmId encAlgId) {
String encAlg = encAlgId.getName();
switch (encAlg) {
case "RSASSA-PSS":
case "Ed25519":
case "Ed448":
case "HSS/LMS":
return encAlg;
default:
String digAlg = digAlgId.getName();

39
src/java.base/share/classes/sun/security/util/KeyUtil.java

@ -25,11 +25,9 @@
package sun.security.util;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.SecureRandom;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
import java.util.Arrays;
@ -405,5 +403,38 @@ public final class KeyUtil {
return t;
}
/**
* Finds the hash algorithm from an HSS/LMS public key.
*
* @param publicKey the HSS/LMS public key
* @return the hash algorithm
* @throws NoSuchAlgorithmException if key is from an unknown configuration
*/
public static String hashAlgFromHSS(PublicKey publicKey)
throws NoSuchAlgorithmException {
try {
DerValue val = new DerValue(publicKey.getEncoded());
val.data.getDerValue();
byte[] rawKey = new DerValue(val.data.getBitString()).getOctetString();
// According to https://www.rfc-editor.org/rfc/rfc8554.html:
// Section 6.1: HSS public key is u32str(L) || pub[0], where pub[0]
// is the LMS public key for the top-level tree.
// Section 5.3: LMS public key is u32str(type) || u32str(otstype) || I || T[1]
// Section 8: type is the numeric identifier for an LMS specification.
// This RFC defines 5 SHA-256 based types, value from 5 to 9.
if (rawKey.length < 8) {
throw new NoSuchAlgorithmException("Cannot decode public key");
}
int num = ((rawKey[4] & 0xff) << 24) + ((rawKey[5] & 0xff) << 16)
+ ((rawKey[6] & 0xff) << 8) + (rawKey[7] & 0xff);
return switch (num) {
// RFC 8554 only supports SHA_256 hash algorithm
case 5, 6, 7, 8, 9 -> "SHA-256";
default -> throw new NoSuchAlgorithmException("Unknown LMS type: " + num);
};
} catch (IOException e) {
throw new NoSuchAlgorithmException("Cannot decode public key", e);
}
}
}

19
src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java

@ -184,21 +184,20 @@ public class SignatureFileVerifier {
/**
* Returns the signed JAR block file extension for a key.
*
* Returns "DSA" for unknown algorithms. This is safe because the
* signature verification process does not require the extension to
* match the key algorithm as long as it is "RSA", "DSA", or "EC."
*
* @param key the key used to sign the JAR file
* @return the extension
* @see #isBlockOrSF(String)
*/
public static String getBlockExtension(PrivateKey key) {
String keyAlgorithm = key.getAlgorithm().toUpperCase(Locale.ENGLISH);
if (keyAlgorithm.equals("RSASSA-PSS")) {
return "RSA";
} else if (keyAlgorithm.equals("EDDSA")
|| keyAlgorithm.equals("ED25519")
|| keyAlgorithm.equals("ED448")) {
return "EC";
} else {
return keyAlgorithm;
}
return switch (key.getAlgorithm().toUpperCase(Locale.ENGLISH)) {
case "RSA", "RSASSA-PSS" -> "RSA";
case "EC", "EDDSA", "ED25519", "ED448" -> "EC";
default -> "DSA";
};
}
/**

32
src/java.base/share/classes/sun/security/util/SignatureUtil.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -212,12 +212,13 @@ public class SignatureUtil {
* @param signer Signature object that tells you RSASSA-PSS params
* @param sigalg Signature algorithm
* @param privateKey key tells you EdDSA params
* @param publicKey key tells you HSS/LMS hash algorithm
* @param directsign Ed448 uses different digest algs depending on this
* @return the digest algId
* @throws NoSuchAlgorithmException
*/
public static AlgorithmId getDigestAlgInPkcs7SignerInfo(
Signature signer, String sigalg, PrivateKey privateKey, boolean directsign)
Signature signer, String sigalg, PrivateKey privateKey, PublicKey publicKey, boolean directsign)
throws NoSuchAlgorithmException {
AlgorithmId digAlgID;
String kAlg = privateKey.getAlgorithm();
@ -243,18 +244,18 @@ public class SignatureUtil {
default:
throw new AssertionError("Unknown curve name: " + kAlg);
}
} else {
if (sigalg.equalsIgnoreCase("RSASSA-PSS")) {
try {
digAlgID = AlgorithmId.get(signer.getParameters()
.getParameterSpec(PSSParameterSpec.class)
.getDigestAlgorithm());
} catch (InvalidParameterSpecException e) {
throw new AssertionError("Should not happen", e);
}
} else {
digAlgID = AlgorithmId.get(extractDigestAlgFromDwithE(sigalg));
} else if (sigalg.equalsIgnoreCase("RSASSA-PSS")) {
try {
digAlgID = AlgorithmId.get(signer.getParameters()
.getParameterSpec(PSSParameterSpec.class)
.getDigestAlgorithm());
} catch (InvalidParameterSpecException e) {
throw new AssertionError("Should not happen", e);
}
} else if (sigalg.equalsIgnoreCase("HSS/LMS")) {
digAlgID = AlgorithmId.get(KeyUtil.hashAlgFromHSS(publicKey));
} else {
digAlgID = AlgorithmId.get(extractDigestAlgFromDwithE(sigalg));
}
return digAlgID;
}
@ -484,14 +485,15 @@ public class SignatureUtil {
public static String getDefaultSigAlgForKey(PrivateKey k) {
String kAlg = k.getAlgorithm().toUpperCase(Locale.ENGLISH);
return switch (kAlg) {
case "DH", "XDH", "X25519", "X448" -> null;
case "DSA" -> "SHA256withDSA";
case "RSA" -> ifcFfcStrength(KeyUtil.getKeySize(k)) + "withRSA";
case "EC" -> ecStrength(KeyUtil.getKeySize(k)) + "withECDSA";
case "EDDSA" -> k instanceof EdECPrivateKey
? ((EdECPrivateKey) k).getParams().getName()
: kAlg;
case "RSASSA-PSS", "ED25519", "ED448" -> kAlg;
default -> null;
default -> kAlg; // All modern signature algorithms,
// RSASSA-PSS, ED25519, ED448, HSS/LMS, etc
};
}

2
src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java

@ -845,7 +845,7 @@ public final class JarSigner {
};
}
// We now create authAttrs in block data, so "direct == false".
block = PKCS7.generateNewSignedData(sigalg, sigProvider, privateKey, certChain,
block = PKCS7.generateSignedData(sigalg, sigProvider, privateKey, certChain,
content, internalsf, false, timestamper);
String sfFilename = sf.getMetaName();

6
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java

@ -1015,8 +1015,7 @@ public class Main {
String digestAlg = digestMap.get(s);
String sigAlg = SignerInfo.makeSigAlg(
si.getDigestAlgorithmId(),
si.getDigestEncryptionAlgorithmId(),
si.getAuthenticatedAttributes() == null);
si.getDigestEncryptionAlgorithmId());
AlgorithmId encAlgId = si.getDigestEncryptionAlgorithmId();
AlgorithmParameters sigAlgParams = encAlgId.getParameters();
PublicKey key = signer.getPublicKey();
@ -1031,8 +1030,7 @@ public class Main {
String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName();
String tsSigAlg = SignerInfo.makeSigAlg(
tsSi.getDigestAlgorithmId(),
tsSi.getDigestEncryptionAlgorithmId(),
tsSi.getAuthenticatedAttributes() == null);
tsSi.getDigestEncryptionAlgorithmId());
AlgorithmId tsEncAlgId = tsSi.getDigestEncryptionAlgorithmId();
AlgorithmParameters tsSigAlgParams = tsEncAlgId.getParameters();
Calendar c = Calendar.getInstance(

2
test/jdk/sun/security/pkcs/pkcs7/NewSigAlg.java

@ -46,6 +46,6 @@ public class NewSigAlg {
static void test(String d, String e, String s) throws Exception {
Asserts.assertEQ(s, SignerInfo.makeSigAlg(
AlgorithmId.get(d), AlgorithmId.get(s), false));
AlgorithmId.get(d), AlgorithmId.get(s)));
}
}

2
test/jdk/sun/security/pkcs/pkcs7/TwoHash.java

@ -45,7 +45,7 @@ public class TwoHash {
CertAndKeyGen cak = new CertAndKeyGen("EC", "SHA512withECDSA");
cak.generate("secp256r1");
byte[] signature = PKCS7.generateNewSignedData(
byte[] signature = PKCS7.generateSignedData(
"SHA256withECDSA",
null,
cak.getPrivateKey(),

5
test/lib/jdk/test/lib/security/timestamp/TsaSigner.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -219,7 +219,8 @@ public class TsaSigner {
new X500Name(issuerName),
signerEntry.cert.getSerialNumber(),
SignatureUtil.getDigestAlgInPkcs7SignerInfo(
signature, sigAlgo, signerEntry.privateKey, false),
signature, sigAlgo, signerEntry.privateKey,
signerEntry.cert.getPublicKey(), false),
AlgorithmId.get(sigAlgo),
signature.sign());