diff --git a/src/java.base/share/classes/com/sun/crypto/provider/OAEPParameters.java b/src/java.base/share/classes/com/sun/crypto/provider/OAEPParameters.java index 57261376d78..bdb1da97b63 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/OAEPParameters.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/OAEPParameters.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,14 +40,15 @@ import javax.crypto.spec.OAEPParameterSpec; /** * This class implements the OAEP parameters used with the RSA * algorithm in OAEP padding. Here is its ASN.1 definition: + *
  * RSAES-OAEP-params ::= SEQUENCE {
  *   hashAlgorithm      [0] HashAlgorithm     DEFAULT sha1,
  *   maskGenAlgorithm   [1] MaskGenAlgorithm  DEFAULT mgf1SHA1,
  *   pSourceAlgorithm   [2] PSourceAlgorithm  DEFAULT pSpecifiedEmpty
  * }
+ * 
* * @author Valerie Peng - * */ public final class OAEPParameters extends AlgorithmParametersSpi { @@ -91,61 +92,48 @@ public final class OAEPParameters extends AlgorithmParametersSpi { } } - protected void engineInit(byte[] encoded) - throws IOException { - DerInputStream der = new DerInputStream(encoded); - mdName = "SHA-1"; - mgfSpec = MGF1ParameterSpec.SHA1; - p = new byte[0]; - DerValue[] datum = der.getSequence(3); - for (int i=0; i MGF1ParameterSpec.SHA1; + case "SHA-224" -> MGF1ParameterSpec.SHA224; + case "SHA-256" -> MGF1ParameterSpec.SHA256; + case "SHA-384" -> MGF1ParameterSpec.SHA384; + case "SHA-512" -> MGF1ParameterSpec.SHA512; + case "SHA-512/224" -> MGF1ParameterSpec.SHA512_224; + case "SHA-512/256" -> MGF1ParameterSpec.SHA512_256; + default -> throw new IOException( + "Unrecognized message digest algorithm"); + }; + } else { + mgfSpec = MGF1ParameterSpec.SHA1; + } + sub = der.getOptionalExplicitContextSpecific(2); + if (sub.isPresent()) { + AlgorithmId val = AlgorithmId.parse(sub.get()); + if (!val.getOID().equals(OID_PSpecified)) { + throw new IOException("Wrong OID for pSpecified"); + } + p = DerValue.wrap(val.getEncodedParams()).getOctetString(); + } else { + p = new byte[0]; + } + der.atEnd(); } protected void engineInit(byte[] encoded, String decodingMethod) diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBES2Parameters.java b/src/java.base/share/classes/com/sun/crypto/provider/PBES2Parameters.java index 42f6bc20903..a26c95b16d3 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/PBES2Parameters.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/PBES2Parameters.java @@ -268,48 +268,34 @@ abstract class PBES2Parameters extends AlgorithmParametersSpi { } iCount = pBKDF2_params.data.getInteger(); - DerValue prf = null; // keyLength INTEGER (1..MAX) OPTIONAL, - if (pBKDF2_params.data.available() > 0) { - DerValue keyLength = pBKDF2_params.data.getDerValue(); - if (keyLength.tag == DerValue.tag_Integer) { - keysize = keyLength.getInteger() * 8; // keysize (in bits) - } else { - // Should be the prf - prf = keyLength; - } + var ksDer = pBKDF2_params.data.getOptional(DerValue.tag_Integer); + if (ksDer.isPresent()) { + keysize = ksDer.get().getInteger() * 8; // keysize (in bits) } + // prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 - String kdfAlgo = "HmacSHA1"; - if (prf == null) { - if (pBKDF2_params.data.available() > 0) { - prf = pBKDF2_params.data.getDerValue(); - } - } - if (prf != null) { + String kdfAlgo; + var prfDer = pBKDF2_params.data.getOptional(DerValue.tag_Sequence); + if (prfDer.isPresent()) { + DerValue prf = prfDer.get(); kdfAlgo_OID = prf.data.getOID(); KnownOIDs o = KnownOIDs.findMatch(kdfAlgo_OID.toString()); if (o == null || (!o.stdName().equals("HmacSHA1") && - !o.stdName().equals("HmacSHA224") && - !o.stdName().equals("HmacSHA256") && - !o.stdName().equals("HmacSHA384") && - !o.stdName().equals("HmacSHA512"))) { + !o.stdName().equals("HmacSHA224") && + !o.stdName().equals("HmacSHA256") && + !o.stdName().equals("HmacSHA384") && + !o.stdName().equals("HmacSHA512"))) { throw new IOException("PBE parameter parsing error: " + "expecting the object identifier for a HmacSHA key " + "derivation function"); } kdfAlgo = o.stdName(); - - if (prf.data.available() != 0) { - // parameter is 'NULL' for all HmacSHA KDFs - DerValue parameter = prf.data.getDerValue(); - if (parameter.tag != DerValue.tag_Null) { - throw new IOException("PBE parameter parsing error: " - + "not an ASN.1 NULL tag"); - } - } + prf.data.getOptional(DerValue.tag_Null); + prf.data.atEnd(); + } else { + kdfAlgo = "HmacSHA1"; } - return kdfAlgo; } diff --git a/src/java.base/share/classes/sun/security/pkcs/PKCS7.java b/src/java.base/share/classes/sun/security/pkcs/PKCS7.java index a068c9e0023..63d1451148f 100644 --- a/src/java.base/share/classes/sun/security/pkcs/PKCS7.java +++ b/src/java.base/share/classes/sun/security/pkcs/PKCS7.java @@ -255,6 +255,16 @@ public class PKCS7 { } } + // SignedData ::= SEQUENCE { + // version Version, + // digestAlgorithms DigestAlgorithmIdentifiers, + // contentInfo ContentInfo, + // certificates + // [0] IMPLICIT ExtendedCertificatesAndCertificates + // OPTIONAL, + // crls + // [1] IMPLICIT CertificateRevocationLists OPTIONAL, + // signerInfos SignerInfos } private void parseSignedData(DerValue val) throws ParsingException, IOException { @@ -294,9 +304,9 @@ public class PKCS7 { * check if certificates (implicit tag) are provided * (certificates are OPTIONAL) */ - if ((byte)(dis.peekByte()) == (byte)0xA0) { - DerValue[] certVals = dis.getSet(2, true); - + var certDer = dis.getOptionalImplicitContextSpecific(0, DerValue.tag_SetOf); + if (certDer.isPresent()) { + DerValue[] certVals = certDer.get().subs(DerValue.tag_SetOf, 2); len = certVals.length; certificates = new X509Certificate[len]; int count = 0; @@ -339,9 +349,9 @@ public class PKCS7 { } // check if crls (implicit tag) are provided (crls are OPTIONAL) - if ((byte)(dis.peekByte()) == (byte)0xA1) { - DerValue[] crlVals = dis.getSet(1, true); - + var crlsDer = dis.getOptionalImplicitContextSpecific(1, DerValue.tag_SetOf); + if (crlsDer.isPresent()) { + DerValue[] crlVals = crlsDer.get().subs(DerValue.tag_SetOf, 1); len = crlVals.length; crls = new X509CRL[len]; diff --git a/src/java.base/share/classes/sun/security/util/DerInputStream.java b/src/java.base/share/classes/sun/security/util/DerInputStream.java index d937cf1ec2b..f10be6a3540 100644 --- a/src/java.base/share/classes/sun/security/util/DerInputStream.java +++ b/src/java.base/share/classes/sun/security/util/DerInputStream.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,6 +30,8 @@ import java.io.IOException; import java.math.BigInteger; import java.util.Arrays; import java.util.Date; +import java.util.Optional; +import java.util.function.Predicate; /** * A DER input stream, used for parsing ASN.1 DER-encoded data such as @@ -53,7 +55,6 @@ import java.util.Date; * @author Amit Kapoor * @author Hemma Prafullchandra */ - public class DerInputStream { // The static part @@ -305,4 +306,105 @@ public class DerInputStream { * empty. */ public int available() { return end - pos; } + + /** + * Ensures there is no more data. This can be called when the last + * expected field is parsed, and we need to make sure no unread is left. + * + * @throws IOException if the end is NOT reached yet + */ + public void atEnd() throws IOException { + if (available() != 0) { + throw new IOException("Extra unused bytes"); + } + } + + /** + * Checks if the tag of the next DerValue matches the rule. + * + * @param rule the rule to check for the tag. + * @return true if matches, false if not or stream is at end. + * @throws IOException if an I/O error happens while peeking the byte + */ + private boolean checkNextTag(Predicate rule) { + return available() > 0 && rule.test(data[pos]); + } + + /** + * Detect if the tag of the next DerValue is the specified one. + * + * @param tag the expected tag + * @return true if matches, false if not or stream is at end. + * @throws IOException if an I/O error happens while peeking the byte + */ + private boolean checkNextTag(byte tag) { + return checkNextTag(t -> t == tag); + } + + /** + * Returns the next DerValue if its tag is the given one. + * + * @param tag the expected tag + * @return the next DerValue, or empty if not found or stream at end + * @throws IOException if an I/O error happens + */ + public Optional getOptional(byte tag) throws IOException { + if (checkNextTag(tag)) { + return Optional.of(getDerValue()); + } else { + return Optional.empty(); + } + } + + /** + * Detect if the next DerValue is a context-specific value + * tagged by {@code n}. + * + * @param n the expected tag + * @return true if matches, false if not or stream is at end. + * @throws IOException if an I/O error happens while peeking the byte + */ + public boolean seeOptionalContextSpecific(int n) throws IOException { + return checkNextTag(t -> (t & 0x0c0) == 0x080 && (t & 0x01f) == n); + } + + /** + * Returns the inner DerValue if the next DerValue is + * an EXPLICIT context-specific value tagged by {@code n}. + * + * @param n the expected tag + * @return the inner DerValue, or empty if not found or stream at end + * @throws IOException if an I/O error happens + */ + public Optional getOptionalExplicitContextSpecific(int n) + throws IOException { + if (seeOptionalContextSpecific(n)) { + DerInputStream sub = getDerValue().data(); // stream inside [n] + DerValue inner = sub.getDerValue(); // inside [n] + sub.atEnd(); // make sure there is only one inner value + return Optional.of(inner); + } else { + return Optional.empty(); + } + } + + /** + * Returns the restored DerValue if the next DerValue is + * an IMPLICIT context-specific value tagged by {@code n}. + * + * @param n the expected tag + * @param tag the real tag for the IMPLICIT type + * @return the restored DerValue, or empty if not found or stream at end + * @throws IOException if an I/O error happens + */ + public Optional getOptionalImplicitContextSpecific(int n, byte tag) + throws IOException { + if (seeOptionalContextSpecific(n)) { + DerValue v = getDerValue(); // [n] + // restore tag because IMPLICIT has overwritten it + return Optional.of(v.withTag(tag)); + } else { + return Optional.empty(); + } + } } diff --git a/src/java.base/share/classes/sun/security/util/DerValue.java b/src/java.base/share/classes/sun/security/util/DerValue.java index 25eeab8c7c2..4eb3190b0e4 100644 --- a/src/java.base/share/classes/sun/security/util/DerValue.java +++ b/src/java.base/share/classes/sun/security/util/DerValue.java @@ -290,7 +290,7 @@ public class DerValue { } /** - * Wraps an DerOutputStream. All bytes currently written + * Wraps a DerOutputStream. All bytes currently written * into the stream will become the content of the newly * created DerValue. * @@ -305,6 +305,34 @@ public class DerValue { return new DerValue(tag, out.buf(), 0, out.size(), false); } + /** + * Wraps a byte array as a single DerValue. + * + * Attention: no cloning is made. + * + * @param buf the byte array containing the DER-encoded datum + * @returns a new DerValue + */ + public static DerValue wrap(byte[] buf) + throws IOException { + return wrap(buf, 0, buf.length); + } + + /** + * Wraps a byte array as a single DerValue. + * + * Attention: no cloning is made. + * + * @param buf the byte array containing the DER-encoded datum + * @param offset where the encoded datum starts inside {@code buf} + * @param len length of bytes to parse inside {@code buf} + * @returns a new DerValue + */ + public static DerValue wrap(byte[] buf, int offset, int len) + throws IOException { + return new DerValue(buf, offset, len, true, false); + } + /** * Parse an ASN.1/BER encoded datum. The entire encoding must hold exactly * one datum, including its tag and length. @@ -1229,7 +1257,7 @@ public class DerValue { * @param startLen estimated number of sub-values * @return the sub-values in an array */ - DerValue[] subs(byte expectedTag, int startLen) throws IOException { + public DerValue[] subs(byte expectedTag, int startLen) throws IOException { if (expectedTag != 0 && expectedTag != tag) { throw new IOException("Not the correct tag"); } diff --git a/test/jdk/com/sun/crypto/provider/AlgorithmParameters/OAEPOrder.java b/test/jdk/com/sun/crypto/provider/AlgorithmParameters/OAEPOrder.java new file mode 100644 index 00000000000..1f4697bfd1e --- /dev/null +++ b/test/jdk/com/sun/crypto/provider/AlgorithmParameters/OAEPOrder.java @@ -0,0 +1,66 @@ +/* + * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import javax.crypto.spec.OAEPParameterSpec; +import javax.crypto.spec.PSource; +import java.io.IOException; +import java.security.AlgorithmParameters; +import java.security.spec.MGF1ParameterSpec; +import java.util.Arrays; + +/** + * @test + * @bug 8246797 + * @summary Ensures OAEPParameters read correct encoding and + * reject encoding with invalid ordering + */ + +public class OAEPOrder { + public static void main(String[] args) throws Exception { + // Do not use default fields + OAEPParameterSpec spec = new OAEPParameterSpec( + "SHA-384", "MGF1", MGF1ParameterSpec.SHA384, + new PSource.PSpecified(new byte[10])); + AlgorithmParameters alg = AlgorithmParameters.getInstance("OAEP"); + alg.init(spec); + byte[] encoded = alg.getEncoded(); + + // Extract the fields inside encoding + // [0] HashAlgorithm + byte[] a0 = Arrays.copyOfRange(encoded, 2, encoded[3] + 4); + // [1] MaskGenAlgorithm + [2] PSourceAlgorithm + byte[] a12 = Arrays.copyOfRange(encoded, 2 + a0.length, encoded.length); + + // and rearrange [1] and [2] before [0] + System.arraycopy(a12, 0, encoded, 2, a12.length); + System.arraycopy(a0, 0, encoded, 2 + a12.length, a0.length); + + AlgorithmParameters alg2 = AlgorithmParameters.getInstance("OAEP"); + try { + alg2.init(encoded); + throw new RuntimeException("Should fail"); + } catch (IOException ioe) { + // expected + } + } +}