archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-27 23:04:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8166597: Crypto support for the EdDSA Signature Algorithm

Browse source 
Reviewed-by: weijun, mullan, wetmore
This commit is contained in:
Anthony Scarpino 2020-05-18 09:42:52 -07:00
parent 02293daa64
commit fd28aad72d
47 changed files with 4697 additions and 155 deletions
Download patch file Download diff file Expand all files Collapse all files

47
src/java.base/share/classes/java/security/interfaces/EdECKey.java Normal file
View file

@ -0,0 +1,47 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.interfaces;
import java.security.spec.NamedParameterSpec;
/**
* An interface for an elliptic curve public/private key as defined by
* <a href="https://tools.ietf.org/html/rfc8032">RFC 8032: Edwards-Curve
* Digital Signature Algorithm (EdDSA)</a>. These keys are distinct from the
* keys represented by {@code ECKey}, and they are intended for use with
* algorithms based on RFC 8032 such as the EdDSA {@code Signature} algorithm.
* This interface allows access to the algorithm parameters associated with
* the key.
*
* @since 15
*/
public interface EdECKey {
/**
* Returns the algorithm parameters associated with the key.
*
* @return the associated algorithm parameters.
*/
NamedParameterSpec getParams();
}

55
src/java.base/share/classes/java/security/interfaces/EdECPrivateKey.java Normal file
View file

@ -0,0 +1,55 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.interfaces;
import java.security.PrivateKey;
import java.util.Optional;
/**
* An interface for an elliptic curve private key as defined by
* <a href="https://tools.ietf.org/html/rfc8032">RFC 8032: Edwards-Curve
* Digital Signature Algorithm (EdDSA)</a>. These keys are distinct from the
* keys represented by {@code ECPrivateKey}, and they are intended for use
* with algorithms based on RFC 8032 such as the EdDSA {@code Signature}
* algorithm.
* <p>
* An Edwards-Curve private key is a bit string. This interface only supports bit
* string lengths that are a multiple of 8, and the key is represented using
* a byte array.
*
* @since 15
*/
public interface EdECPrivateKey extends EdECKey, PrivateKey {
/**
* Get a copy of the byte array representing the private key. This method
* may return an empty {@code Optional} if the implementation is not
* willing to produce the private key value.
*
* @return an {@code Optional} containing the private key byte array.
* If the key is not available, then an empty {@code Optional}.
*/
Optional<byte[]> getBytes();
}

50
src/java.base/share/classes/java/security/interfaces/EdECPublicKey.java Normal file
View file

@ -0,0 +1,50 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.interfaces;
import java.security.PublicKey;
import java.security.spec.EdECPoint;
/**
* An interface for an elliptic curve public key as defined by
* <a href="https://tools.ietf.org/html/rfc8032">RFC 8032: Edwards-Curve
* Digital Signature Algorithm (EdDSA)</a>. These keys are distinct from the
* keys represented by {@code ECPublicKey}, and they are intended for use with
* algorithms based on RFC 8032 such as the EdDSA {@code Signature} algorithm.
* <p>
* An Edwards-Curve public key is a point on the curve, which is represented using an
* EdECPoint.
*
* @since 15
*/
public interface EdECPublicKey extends EdECKey, PublicKey {
/**
* Get the point representing the public key.
*
* @return the {@code EdECPoint} representing the public key.
*/
EdECPoint getPoint();
}

110
src/java.base/share/classes/java/security/spec/EdDSAParameterSpec.java Normal file
View file

@ -0,0 +1,110 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.spec;
import java.security.InvalidParameterException;
import java.util.Objects;
import java.util.Optional;
/**
* A class used to specify EdDSA signature and verification parameters. All
* algorithm modes in <a href="https://tools.ietf.org/html/rfc8032">RFC 8032:
* Edwards-Curve Digital Signature Algorithm (EdDSA)</a> can be specified using
* combinations of the settings in this class.
*
* <ul>
* <li>If prehash is true, then the mode is Ed25519ph or Ed448ph</li>
* <li>Otherwise, if a context is present, the mode is Ed25519ctx or Ed448</li>
* <li>Otherwise, the mode is Ed25519 or Ed448</li>
* </ul>
*
* @since 15
*/
public class EdDSAParameterSpec implements AlgorithmParameterSpec {
private final boolean prehash;
private final byte[] context;
/**
* Construct an {@code EdDSAParameterSpec} by specifying whether the prehash mode
* is used. No context is provided so this constructor specifies a mode
* in which the context is null. Note that this mode may be different
* than the mode in which an empty array is used as the context.
*
* @param prehash whether the prehash mode is specified.
*/
public EdDSAParameterSpec(boolean prehash) {
this.prehash = prehash;
this.context = null;
}
/**
* Construct an {@code EdDSAParameterSpec} by specifying a context and whether the
* prehash mode is used. The context may not be null, but it may be an
* empty array. The mode used when the context is an empty array may not be
* the same as the mode used when the context is absent.
*
* @param prehash whether the prehash mode is specified.
* @param context the context is copied and bound to the signature.
* @throws NullPointerException if context is null.
* @throws InvalidParameterException if context length is greater than 255.
*/
public EdDSAParameterSpec(boolean prehash, byte[] context) {
Objects.requireNonNull(context, "context may not be null");
if (context.length > 255) {
throw new InvalidParameterException("context length cannot be " +
"greater than 255");
}
this.prehash = prehash;
this.context = context.clone();
}
/**
* Get whether the prehash mode is specified.
*
* @return whether the prehash mode is specified.
*/
public boolean isPrehash() {
return prehash;
}
/**
* Get the context that the signature will use.
*
* @return {@code Optional} contains a copy of the context or empty
* if context is null.
*/
public Optional<byte[]> getContext() {
if (context == null) {
return Optional.empty();
} else {
return Optional.of(context.clone());
}
}
}

86
src/java.base/share/classes/java/security/spec/EdECPoint.java Normal file
View file

@ -0,0 +1,86 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.spec;
import java.math.BigInteger;
import java.util.Objects;
/**
* An elliptic curve point used to specify keys as defined by
* <a href="https://tools.ietf.org/html/rfc8032">RFC 8032: Edwards-Curve
* Digital Signature Algorithm (EdDSA)</a>. These points are distinct from the
* points represented by {@code ECPoint}, and they are intended for use with
* algorithms based on RFC 8032 such as the EdDSA {@code Signature} algorithm.
* <p>
* An EdEC point is specified by its y-coordinate value and a boolean that
* indicates whether the x-coordinate is odd. The y-coordinate is an
* element of the field of integers modulo some value p that is determined by
* the algorithm parameters. This field element is represented by a
* {@code BigInteger}, and implementations that consume objects of this class
* may reject integer values which are not in the range [0, p).
*
* @since 15
*/
public final class EdECPoint {
private final boolean xOdd;
private final BigInteger y;
/**
* Construct an EdECPoint.
*
* @param xOdd whether the x-coordinate is odd.
* @param y the y-coordinate, represented using a {@code BigInteger}.
*
* @throws NullPointerException if {@code y} is null.
*/
public EdECPoint(boolean xOdd, BigInteger y) {
Objects.requireNonNull(y, "y must not be null");
this.xOdd = xOdd;
this.y = y;
}
/**
* Get whether the x-coordinate of the point is odd.
*
* @return a boolean indicating whether the x-coordinate is odd.
*/
public boolean isXOdd() {
return xOdd;
}
/**
* Get the y-coordinate of the point.
*
* @return the y-coordinate, represented using a {@code BigInteger}.
*/
public BigInteger getY() {
return y;
}
}

81
src/java.base/share/classes/java/security/spec/EdECPrivateKeySpec.java Normal file
View file

@ -0,0 +1,81 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.spec;
import java.util.Objects;
/**
* A class representing elliptic curve private keys as defined in
* <a href="https://tools.ietf.org/html/rfc8032">RFC 8032: Edwards-Curve
* Digital Signature Algorithm (EdDSA)</a>, including the curve and other
* algorithm parameters. The private key is a bit string represented using
* a byte array. This class only supports bit string lengths that are a
* multiple of 8.
*
* @since 15
*/
public final class EdECPrivateKeySpec implements KeySpec {
private final NamedParameterSpec params;
private final byte[] bytes;
/**
* Construct a private key spec using the supplied parameters and
* bit string.
*
* @param params the algorithm parameters.
* @param bytes the key as a byte array. This array is copied
* to protect against subsequent modification.
*
* @throws NullPointerException if {@code params} or {@code bytes}
* is null.
*/
public EdECPrivateKeySpec(NamedParameterSpec params, byte[] bytes) {
Objects.requireNonNull(params, "params must not be null");
Objects.requireNonNull(bytes, "bytes must not be null");
this.params = params;
this.bytes = bytes.clone();
}
/**
* Get the algorithm parameters that define the curve and other settings.
*
* @return the algorithm parameters.
*/
public NamedParameterSpec getParams() {
return params;
}
/**
* Get the byte array representing the private key. A new copy of the array
* is returned each time this method is called.
*
* @return the private key as a byte array.
*/
public byte[] getBytes() {
return bytes.clone();
}
}

78
src/java.base/share/classes/java/security/spec/EdECPublicKeySpec.java Normal file
View file

@ -0,0 +1,78 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.spec;
import java.util.Objects;
/**
* A class representing elliptic curve public keys as defined in
* <a href="https://tools.ietf.org/html/rfc8032">RFC 8032: Edwards-Curve
* Digital Signature Algorithm (EdDSA)</a>, including the curve and other
* algorithm parameters. The public key is a point on the curve, which is
* represented using an {@code EdECPoint}.
*
* @since 15
*/
public final class EdECPublicKeySpec implements KeySpec {
private final NamedParameterSpec params;
private final EdECPoint point;
/**
* Construct a public key spec using the supplied parameters and
* point.
*
* @param params the algorithm parameters.
* @param point the point representing the public key.
*
* @throws NullPointerException if {@code params} or {@code point}
* is null.
*/
public EdECPublicKeySpec(NamedParameterSpec params, EdECPoint point) {
Objects.requireNonNull(params, "params must not be null");
Objects.requireNonNull(point, "point must not be null");
this.params = params;
this.point = point;
}
/**
* Get the algorithm parameters that define the curve and other settings.
*
* @return the parameters.
*/
public NamedParameterSpec getParams() {
return params;
}
/**
* Get the point representing the public key.
*
* @return the {@code EdECPoint} representing the public key.
*/
public EdECPoint getPoint() {
return point;
}
}

18
src/java.base/share/classes/java/security/spec/NamedParameterSpec.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -52,6 +52,22 @@ public class NamedParameterSpec implements AlgorithmParameterSpec {
public static final NamedParameterSpec X448
= new NamedParameterSpec("X448");
/**
* The Ed25519 parameters
*
* @since 15
*/
public static final NamedParameterSpec ED25519
= new NamedParameterSpec("Ed25519");
/**
* The Ed448 parameters
*
* @since 15
*/
public static final NamedParameterSpec ED448
= new NamedParameterSpec("Ed448");
private String name;
/**

1
src/java.base/share/classes/module-info.java
View file

@ -294,6 +294,7 @@ module java.base {
java.rmi,
java.security.jgss,
jdk.crypto.cryptoki,
jdk.crypto.ec,
jdk.security.auth;
exports sun.security.provider.certpath to
java.naming;

6
src/java.base/share/classes/sun/security/pkcs/PKCS7.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -829,6 +829,10 @@ public class PKCS7 {
BigInteger serialNumber = signerChain[0].getSerialNumber();
String encAlg = AlgorithmId.getEncAlgFromSigAlg(signatureAlgorithm);
String digAlg = AlgorithmId.getDigAlgFromSigAlg(signatureAlgorithm);
if (digAlg == null) {
throw new UnsupportedOperationException("Unable to determine " +
"the digest algorithm from the signature algorithm.");
}
SignerInfo signerInfo = new SignerInfo(issuerName, serialNumber,
AlgorithmId.get(digAlg), null,
AlgorithmId.get(encAlg),

22
src/java.base/share/classes/sun/security/provider/SHA3.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -61,14 +61,16 @@ abstract class SHA3 extends DigestBase {
0x8000000000008080L, 0x80000001L, 0x8000000080008008L,
};
private final byte suffix;
private byte[] state = new byte[WIDTH];
private long[] lanes = new long[DM*DM];
/**
* Creates a new SHA-3 object.
*/
SHA3(String name, int digestLength) {
super(name, digestLength, (WIDTH - (2 * digestLength)));
SHA3(String name, int digestLength, byte suffix, int c) {
super(name, digestLength, (WIDTH - c));
this.suffix = suffix;
}
/**
@ -88,7 +90,7 @@ abstract class SHA3 extends DigestBase {
*/
void implDigest(byte[] out, int ofs) {
int numOfPadding =
setPaddingBytes(buffer, (int)(bytesProcessed % buffer.length));
setPaddingBytes(suffix, buffer, (int)(bytesProcessed % buffer.length));
if (numOfPadding < 1) {
throw new ProviderException("Incorrect pad size: " + numOfPadding);
}
@ -112,13 +114,13 @@ abstract class SHA3 extends DigestBase {
* pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" required
* for SHA-3 hash (section 6.1).
*/
private static int setPaddingBytes(byte[] in, int len) {
private static int setPaddingBytes(byte suffix, byte[] in, int len) {
if (len != in.length) {
// erase leftover values
Arrays.fill(in, len, in.length, (byte)0);
// directly store the padding bytes into the input
// as the specified buffer is allocated w/ size = rateR
in[len] |= (byte) 0x06;
in[len] |= suffix;
in[in.length - 1] |= (byte) 0x80;
}
return (in.length - len);
@ -268,7 +270,7 @@ abstract class SHA3 extends DigestBase {
*/
public static final class SHA224 extends SHA3 {
public SHA224() {
super("SHA3-224", 28);
super("SHA3-224", 28, (byte)0x06, 56);
}
}
@ -277,7 +279,7 @@ abstract class SHA3 extends DigestBase {
*/
public static final class SHA256 extends SHA3 {
public SHA256() {
super("SHA3-256", 32);
super("SHA3-256", 32, (byte)0x06, 64);
}
}
@ -286,7 +288,7 @@ abstract class SHA3 extends DigestBase {
*/
public static final class SHA384 extends SHA3 {
public SHA384() {
super("SHA3-384", 48);
super("SHA3-384", 48, (byte)0x06, 96);
}
}
@ -295,7 +297,7 @@ abstract class SHA3 extends DigestBase {
*/
public static final class SHA512 extends SHA3 {
public SHA512() {
super("SHA3-512", 64);
super("SHA3-512", 64, (byte)0x06, 128);
}
}
}

45
src/java.base/share/classes/sun/security/provider/SHAKE256.java Normal file
View file

@ -0,0 +1,45 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider;
/*
* The SHAKE256 extendable output function.
*/
public final class SHAKE256 extends SHA3 {
public SHAKE256(int d) {
super("SHAKE256", d, (byte) 0x1F, 64);
}
public void update(byte in) {
engineUpdate(in);
}
public void update(byte[] in, int off, int len) {
engineUpdate(in, off, len);
}
public byte[] digest() {
return engineDigest();
}
}

6
src/java.base/share/classes/sun/security/tools/keytool/Main.java
View file

@ -1870,6 +1870,12 @@ public final class Main {
keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE;
} else if ("DSA".equalsIgnoreCase(keyAlgName)) {
keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE;
} else if ("EdDSA".equalsIgnoreCase(keyAlgName)) {
keysize = SecurityProviderConstants.DEF_ED_KEY_SIZE;
} else if ("Ed25519".equalsIgnoreCase(keyAlgName)) {
keysize = 255;
} else if ("Ed448".equalsIgnoreCase(keyAlgName)) {
keysize = 448;
}
} else {
if ("EC".equalsIgnoreCase(keyAlgName)) {

17
src/java.base/share/classes/sun/security/util/KeyUtil.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,10 +27,10 @@ package sun.security.util;
import java.security.AlgorithmParameters;
import java.security.Key;
import java.security.PrivilegedAction;
import java.security.AccessController;
import java.security.InvalidKeyException;
import java.security.interfaces.ECKey;
import java.security.interfaces.EdECKey;
import java.security.interfaces.EdECPublicKey;
import java.security.interfaces.RSAKey;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;
@ -44,6 +44,7 @@ import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import java.math.BigInteger;
import java.security.spec.NamedParameterSpec;
import sun.security.jca.JCAUtil;
@ -96,6 +97,16 @@ public final class KeyUtil {
} else if (key instanceof DHKey) {
DHKey pubk = (DHKey)key;
size = pubk.getParams().getP().bitLength();
} else if (key instanceof EdECKey) {
String nc = ((EdECKey) key).getParams().getName();
if (nc.equalsIgnoreCase(NamedParameterSpec.ED25519.getName())) {
size = 255;
} else if (nc.equalsIgnoreCase(
NamedParameterSpec.ED448.getName())) {
size = 448;
} else {
size = -1;
}
} // Otherwise, it may be a unextractable key of PKCS#11, or
// a key we are not able to handle.

7
src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -59,6 +59,7 @@ public final class SecurityProviderConstants {
public static final int DEF_RSASSA_PSS_KEY_SIZE;
public static final int DEF_DH_KEY_SIZE;
public static final int DEF_EC_KEY_SIZE;
public static final int DEF_ED_KEY_SIZE;
private static final String KEY_LENGTH_PROP =
"jdk.security.defaultKeySize";
@ -70,6 +71,7 @@ public final class SecurityProviderConstants {
int rsaSsaPssKeySize = rsaKeySize; // default to same value as RSA
int dhKeySize = 2048;
int ecKeySize = 256;
int edKeySize = 255;
if (keyLengthStr != null) {
try {
@ -106,6 +108,8 @@ public final class SecurityProviderConstants {
dhKeySize = value;
} else if (algoName.equals("EC")) {
ecKeySize = value;
} else if (algoName.equalsIgnoreCase("EdDSA")) {
edKeySize = value;
} else {
if (debug != null) {
debug.println("Ignoring unsupported algo in " +
@ -132,5 +136,6 @@ public final class SecurityProviderConstants {
DEF_RSASSA_PSS_KEY_SIZE = rsaSsaPssKeySize;
DEF_DH_KEY_SIZE = dhKeySize;
DEF_EC_KEY_SIZE = ecKeySize;
DEF_ED_KEY_SIZE = edKeySize;
}
}

34
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -157,12 +157,34 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
public SmallValue getSmallValue(int value) {
int maxMag = 1 << (bitsPerLimb - 1);
if (Math.abs(value) >= maxMag) {
throw new IllegalArgumentException(
"max magnitude is " + maxMag);
throw new IllegalArgumentException("max magnitude is " + maxMag);
}
return new Limb(value);
}
protected abstract void reduceIn(long[] c, long v, int i);
private void reduceHigh(long[] limbs) {
// conservatively calculate how many reduce operations can be done
// before a carry is needed
int extraBits = 63 - 2 * bitsPerLimb;
int allowedAdds = 1 << extraBits;
int carryPeriod = allowedAdds / numLimbs;
int reduceCount = 0;
for (int i = limbs.length - 1; i >= numLimbs; i--) {
reduceIn(limbs, limbs[i], i);
limbs[i] = 0;
reduceCount++;
if (reduceCount % carryPeriod == 0) {
carry(limbs, 0, i);
reduceIn(limbs, limbs[i], i);
limbs[i] = 0;
}
}
}
/**
* This version of encode takes a ByteBuffer that is properly ordered, and
* may extract larger values (e.g. long) from the ByteBuffer for better
@ -179,10 +201,12 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
if (requiredLimbs > numLimbs) {
long[] temp = new long[requiredLimbs];
encodeSmall(buf, length, highByte, temp);
// encode does a full carry/reduce
reduceHigh(temp);
System.arraycopy(temp, 0, result, 0, result.length);
reduce(result);
} else {
encodeSmall(buf, length, highByte, result);
postEncodeCarry(result);
}
}
@ -226,8 +250,6 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
result[limbIndex++] = curLimbValue;
}
Arrays.fill(result, limbIndex, result.length, 0);
postEncodeCarry(result);
}
protected void encode(byte[] v, int offset, int length, byte highByte,

11
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial1305.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -156,7 +156,8 @@ public class IntegerPolynomial1305 extends IntegerPolynomial {
}
}
private void modReduceIn(long[] limbs, int index, long x) {
@Override
protected void reduceIn(long[] limbs, long x, int index) {
// this only works when BITS_PER_LIMB * NUM_LIMBS = POWER exactly
long reducedValue = (x * SUBTRAHEND);
limbs[index - NUM_LIMBS] += reducedValue;
@ -166,13 +167,13 @@ public class IntegerPolynomial1305 extends IntegerPolynomial {
protected void finalCarryReduceLast(long[] limbs) {
long carry = limbs[numLimbs - 1] >> bitsPerLimb;
limbs[numLimbs - 1] -= carry << bitsPerLimb;
modReduceIn(limbs, numLimbs, carry);
reduceIn(limbs, carry, numLimbs);
}
protected final void modReduce(long[] limbs, int start, int end) {
for (int i = start; i < end; i++) {
modReduceIn(limbs, i, limbs[i]);
reduceIn(limbs, limbs[i], i);
limbs[i] = 0;
}
}
@ -203,7 +204,7 @@ public class IntegerPolynomial1305 extends IntegerPolynomial {
long carry4 = carryValue(new4);
limbs[4] = new4 - (carry4 << BITS_PER_LIMB);
modReduceIn(limbs, 5, carry4);
reduceIn(limbs, carry4, 5);
carry(limbs);
}

21
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial25519.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -51,6 +51,13 @@ public class IntegerPolynomial25519 extends IntegerPolynomial {
super(BITS_PER_LIMB, NUM_LIMBS, 1, MODULUS);
}
@Override
protected void reduceIn(long[] limbs, long v, int i) {
long t0 = 19 * v;
limbs[i - 10] += (t0 << 5) & LIMB_MASK;
limbs[i - 9] += t0 >> 21;
}
@Override
protected void finalCarryReduceLast(long[] limbs) {
@ -81,17 +88,6 @@ public class IntegerPolynomial25519 extends IntegerPolynomial {
@Override
protected void mult(long[] a, long[] b, long[] r) {
// Use grade-school multiplication into primitives to avoid the
// temporary array allocation. This is equivalent to the following
// code:
// long[] c = new long[2 * NUM_LIMBS - 1];
// for(int i = 0; i < NUM_LIMBS; i++) {
// for(int j - 0; j < NUM_LIMBS; j++) {
// c[i + j] += a[i] * b[j]
// }
// }
long c0 = (a[0] * b[0]);
long c1 = (a[0] * b[1]) + (a[1] * b[0]);
long c2 = (a[0] * b[2]) + (a[1] * b[1]) + (a[2] * b[0]);
@ -172,7 +168,6 @@ public class IntegerPolynomial25519 extends IntegerPolynomial {
// carry(0,9)
carry(r, 0, 9);
}
@Override
protected void square(long[] a, long[] r) {

11
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial448.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -45,16 +45,17 @@ public class IntegerPolynomial448 extends IntegerPolynomial {
super(BITS_PER_LIMB, NUM_LIMBS, 1, MODULUS);
}
private void modReduceIn(long[] limbs, int index, long x) {
limbs[index - NUM_LIMBS] += x;
limbs[index - NUM_LIMBS / 2] += x;
@Override
protected void reduceIn(long[] limbs, long v, int i) {
limbs[i - 8] += v;
limbs[i - 16] += v;
}
@Override
protected void finalCarryReduceLast(long[] limbs) {
long carry = limbs[numLimbs - 1] >> bitsPerLimb;
limbs[numLimbs - 1] -= carry << bitsPerLimb;
modReduceIn(limbs, numLimbs, carry);
reduceIn(limbs, carry, numLimbs);
}
@Override

228
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomialModBinP.java Normal file
View file

@ -0,0 +1,228 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math.intpoly;
import java.math.BigInteger;
import java.nio.ByteBuffer;
/**
* The field of integers modulo a binomial prime. This is a general-purpose
* field implementation, that is much slower than more specialized classes
* like IntegerPolynomial25519. It is suitable when only a small number of
* arithmetic operations are required in some field. For example, this class
* can be used for operations on scalars/exponents in signature operations.
*
* This class may only be used for primes of the form 2^a + b.
*/
public class IntegerPolynomialModBinP extends IntegerPolynomial {
private final long[] reduceLimbs;
private final int bitOffset;
private final int limbMask;
private final int rightBitOffset;
private final int power;
public IntegerPolynomialModBinP(int bitsPerLimb,
int numLimbs,
int power,
BigInteger subtrahend) {
super(bitsPerLimb, numLimbs, 1,
BigInteger.valueOf(2).pow(power).subtract(subtrahend));
boolean negate = false;
if (subtrahend.compareTo(BigInteger.ZERO) < 0) {
negate = true;
subtrahend = subtrahend.negate();
}
int reduceLimbsLength = subtrahend.bitLength() / bitsPerLimb + 1;
reduceLimbs = new long[reduceLimbsLength];
ImmutableElement reduceElem = getElement(subtrahend);
if (negate) {
reduceElem = reduceElem.additiveInverse();
}
System.arraycopy(reduceElem.limbs, 0, reduceLimbs, 0,
reduceLimbs.length);
// begin test code
System.out.println("reduce limbs:");
for (int i = 0; i < reduceLimbs.length; i++) {
System.out.println(i + ":" + reduceLimbs[i]);
}
// end test code
this.power = power;
this.bitOffset = numLimbs * bitsPerLimb - power;
this.limbMask = -1 >>> (64 - bitsPerLimb);
this.rightBitOffset = bitsPerLimb - bitOffset;
}
@Override
protected void finalCarryReduceLast(long[] limbs) {
int extraBits = bitsPerLimb * numLimbs - power;
int highBits = bitsPerLimb - extraBits;
long c = limbs[numLimbs - 1] >> highBits;
limbs[numLimbs - 1] -= c << highBits;
for (int j = 0; j < reduceLimbs.length; j++) {
int reduceBits = power + extraBits - j * bitsPerLimb;
modReduceInBits(limbs, numLimbs, reduceBits, c * reduceLimbs[j]);
}
}
/**
* Allow more general (and slower) input conversion that takes a large
* value and reduces it.
*/
@Override
public ImmutableElement getElement(byte[] v, int offset, int length,
byte highByte) {
long[] result = new long[numLimbs];
int numHighBits = 32 - Integer.numberOfLeadingZeros(highByte);
int numBits = 8 * length + numHighBits;
int requiredLimbs = (numBits + bitsPerLimb - 1) / bitsPerLimb;
if (requiredLimbs > numLimbs) {
long[] temp = new long[requiredLimbs];
encode(v, offset, length, highByte, temp);
// encode does a full carry/reduce
System.arraycopy(temp, 0, result, 0, result.length);
} else {
encode(v, offset, length, highByte, result);
}
return new ImmutableElement(result, 0);
}
/**
* Multiply a and b, and store the result in c. Requires that
* a.length == b.length == numLimbs and c.length >= 2 * numLimbs - 1.
* It is allowed for a and b to be the same array.
*/
private void multOnly(long[] a, long[] b, long[] c) {
for (int i = 0; i < numLimbs; i++) {
for (int j = 0; j < numLimbs; j++) {
c[i + j] += a[i] * b[j];
}
}
}
@Override
protected void mult(long[] a, long[] b, long[] r) {
long[] c = new long[2 * numLimbs];
multOnly(a, b, c);
carryReduce(c, r);
}
private void modReduceInBits(long[] limbs, int index, int bits, long x) {
if (bits % bitsPerLimb == 0) {
int pos = bits / bitsPerLimb;
limbs[index - pos] += x;
}
else {
int secondPos = bits / (bitsPerLimb);
int bitOffset = (secondPos + 1) * bitsPerLimb - bits;
int rightBitOffset = bitsPerLimb - bitOffset;
limbs[index - (secondPos + 1)] += (x << bitOffset) & limbMask;
limbs[index - secondPos] += x >> rightBitOffset;
}
}
protected void reduceIn(long[] c, long v, int i) {
for (int j = 0; j < reduceLimbs.length; j++) {
modReduceInBits(c, i, power - bitsPerLimb * j, reduceLimbs[j] * v);
}
}
private void carryReduce(long[] c, long[] r) {
// full carry to prevent overflow during reduce
carry(c);
// Reduce in from all high positions
for (int i = c.length - 1; i >= numLimbs; i--) {
reduceIn(c, c[i], i);
c[i] = 0;
}
// carry on lower positions that possibly carries out one position
carry(c, 0, numLimbs);
// reduce in a single position
reduceIn(c, c[numLimbs], numLimbs);
c[numLimbs] = 0;
// final carry
carry(c, 0, numLimbs - 1);
System.arraycopy(c, 0, r, 0, r.length);
}
@Override
protected void reduce(long[] a) {
// TODO: optimize this
long[] c = new long[a.length + 2];
System.arraycopy(a, 0, c, 0, a.length);
carryReduce(c, a);
}
@Override
protected void square(long[] a, long[] r) {
long[] c = new long[2 * numLimbs];
for (int i = 0; i < numLimbs; i++) {
c[2 * i] += a[i] * a[i];
for (int j = i + 1; j < numLimbs; j++) {
c[i + j] += 2 * a[i] * a[j];
}
}
carryReduce(c, r);
}
/**
* The field of integers modulo the order of the Curve25519 subgroup
*/
public static class Curve25519OrderField extends IntegerPolynomialModBinP {
public Curve25519OrderField() {
super(26, 10, 252,
new BigInteger("-27742317777372353535851937790883648493"));
}
}
/**
* The field of integers modulo the order of the Curve448 subgroup
*/
public static class Curve448OrderField extends IntegerPolynomialModBinP {
public Curve448OrderField() {
super(28, 16, 446,
new BigInteger("138180668098951153520073867485154268803366" +
"92474882178609894547503885"));
}
}
}

30
src/java.base/share/classes/sun/security/x509/AlgorithmId.java
View file

@ -28,11 +28,13 @@ package sun.security.x509;
import java.io.*;
import java.security.interfaces.RSAKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.EdDSAParameterSpec;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.*;
import java.security.*;
import java.security.interfaces.*;
import sun.security.rsa.PSSParameters;
import sun.security.util.*;
@ -199,7 +201,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
} else {
bytes.putNull();
}*/
if (algid.equals(RSASSA_PSS_oid)) {
if (algid.equals(RSASSA_PSS_oid) || algid.equals(ed448_oid)
|| algid.equals(ed25519_oid)) {
// RFC 4055 3.3: when an RSASSA-PSS key does not require
// parameter validation, field is absent.
} else {
@ -588,6 +591,12 @@ public class AlgorithmId implements Serializable, DerEncoder {
if (name.equalsIgnoreCase("SHA512withECDSA")) {
return AlgorithmId.sha512WithECDSA_oid;
}
if (name.equalsIgnoreCase("ED25519")) {
return AlgorithmId.ed25519_oid;
}
if (name.equalsIgnoreCase("ED448")) {
return AlgorithmId.ed448_oid;
}
return oidTable().get(name.toUpperCase(Locale.ENGLISH));
}
@ -902,6 +911,11 @@ public class AlgorithmId implements Serializable, DerEncoder {
public static final ObjectIdentifier pbeWithSHA1AndRC2_40_oid =
ObjectIdentifier.of("1.2.840.113549.1.12.1.6");
public static final ObjectIdentifier ed25519_oid =
ObjectIdentifier.of("1.3.101.112");
public static final ObjectIdentifier ed448_oid =
ObjectIdentifier.of("1.3.101.113");
static {
nameTable = new HashMap<>();
nameTable.put(MD5_oid, "MD5");
@ -921,6 +935,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
nameTable.put(DSA_OIW_oid, "DSA");
nameTable.put(EC_oid, "EC");
nameTable.put(ECDH_oid, "ECDH");
nameTable.put(ed25519_oid, "ED25519");
nameTable.put(ed448_oid, "ED448");
nameTable.put(AES_oid, "AES");
@ -1044,6 +1060,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
+ "withRSA";
case "RSASSA-PSS":
return "RSASSA-PSS";
case "EDDSA":
return edAlgFromKey(k);
default:
return null;
}
@ -1094,6 +1112,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
return PSSParamsHolder.PSS_384_ID;
} else if (spec == PSSParamsHolder.PSS_512_SPEC) {
return PSSParamsHolder.PSS_512_ID;
} else if (spec instanceof EdDSAParameterSpec) {
return AlgorithmId.get(algName);
} else {
try {
AlgorithmParameters result =
@ -1130,6 +1150,14 @@ public class AlgorithmId implements Serializable, DerEncoder {
}
}
private static String edAlgFromKey(PrivateKey k) {
if (k instanceof EdECPrivateKey) {
EdECPrivateKey edKey = (EdECPrivateKey) k;
return edKey.getParams().getName();
}
return "EdDSA";
}
// Values from SP800-57 part 1 rev 4 tables 2 and 3
private static String ecStrength (int bitLength) {
if (bitLength >= 512) { // 256 bits of strength