package com.google.crypto.tink.subtle;
import com.google.crypto.tink.PublicKeyVerify;
import com.google.crypto.tink.subtle.Enums.HashType;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.interfaces.RSAPublicKey;
public final class RsaSsaPkcs1VerifyJce implements PublicKeyVerify {
private static final String ASN_PREFIX_SHA256 = "3031300d060960864801650304020105000420";
private static final String ASN_PREFIX_SHA512 = "3051300d060960864801650304020305000440";
private final RSAPublicKey publicKey;
private final HashType hash;
public RsaSsaPkcs1VerifyJce(final RSAPublicKey pubKey, HashType hash)
throws GeneralSecurityException {
Validators.validateSignatureHash(hash);
Validators.validateRsaModulusSize(pubKey.getModulus().bitLength());
this.publicKey = pubKey;
this.hash = hash;
}
@Override
public void verify(final byte[] signature, final byte[] data) throws GeneralSecurityException {
BigInteger e = publicKey.getPublicExponent();
BigInteger n = publicKey.getModulus();
int nLengthInBytes = (n.bitLength() + 7) / 8;
if (nLengthInBytes != signature.length) {
throw new GeneralSecurityException("invalid signature's length");
}
BigInteger s = SubtleUtil.bytes2Integer(signature);
if (s.compareTo(n) >= 0) {
throw new GeneralSecurityException("signature out of range");
}
BigInteger m = s.modPow(e, n);
byte[] em = SubtleUtil.integer2Bytes(m, nLengthInBytes);
byte[] expectedEm = emsaPkcs1(data, nLengthInBytes, hash);
if (!Bytes.equal(em, expectedEm)) {
throw new GeneralSecurityException("invalid signature");
}
}
private byte[] emsaPkcs1(byte[] m, int emLen, HashType hash) throws GeneralSecurityException {
Validators.validateSignatureHash(hash);
MessageDigest digest =
EngineFactory.MESSAGE_DIGEST.getInstance(SubtleUtil.toDigestAlgo(this.hash));
digest.update(m);
byte[] h = digest.digest();
byte[] asnPrefix = toAsnPrefix(hash);
int tLen = asnPrefix.length + h.length;
if (emLen < tLen + 11) {
throw new GeneralSecurityException("intended encoded message length too short");
}
byte[] em = new byte[emLen];
int offset = 0;
em[offset++] = 0x00;
em[offset++] = 0x01;
for (int i = 0; i < emLen - tLen - 3; i++) {
em[offset++] = (byte) 0xff;
}
em[offset++] = 0x00;
System.arraycopy(asnPrefix, 0, em, offset, asnPrefix.length);
System.arraycopy(h, 0, em, offset + asnPrefix.length, h.length);
return em;
}
private byte[] toAsnPrefix(HashType hash) throws GeneralSecurityException {
switch (hash) {
case SHA256:
return Hex.decode(ASN_PREFIX_SHA256);
case SHA512:
return Hex.decode(ASN_PREFIX_SHA512);
default:
throw new GeneralSecurityException("Unsupported hash " + hash);
}
}
}