001: package ch.ethz.ssh2.signature;
002:
003: import java.io.IOException;
004: import java.math.BigInteger;
005:
006: import ch.ethz.ssh2.crypto.SimpleDERReader;
007: import ch.ethz.ssh2.crypto.digest.SHA1;
008: import ch.ethz.ssh2.log.Logger;
009: import ch.ethz.ssh2.packets.TypesReader;
010: import ch.ethz.ssh2.packets.TypesWriter;
011:
012: /**
013: * RSASHA1Verify.
014: *
015: * @author Christian Plattner, plattner@inf.ethz.ch
016: * @version $Id: RSASHA1Verify.java,v 1.4 2005/12/07 10:25:49 cplattne Exp $
017: */
018: public class RSASHA1Verify {
019: private static final Logger log = Logger
020: .getLogger(RSASHA1Verify.class);
021:
022: public static RSAPublicKey decodeSSHRSAPublicKey(byte[] key)
023: throws IOException {
024: TypesReader tr = new TypesReader(key);
025:
026: String key_format = tr.readString();
027:
028: if (key_format.equals("ssh-rsa") == false)
029: throw new IllegalArgumentException(
030: "This is not a ssh-rsa public key");
031:
032: BigInteger e = tr.readMPINT();
033: BigInteger n = tr.readMPINT();
034:
035: if (tr.remain() != 0)
036: throw new IOException("Padding in RSA public key!");
037:
038: return new RSAPublicKey(e, n);
039: }
040:
041: public static byte[] encodeSSHRSAPublicKey(RSAPublicKey pk)
042: throws IOException {
043: TypesWriter tw = new TypesWriter();
044:
045: tw.writeString("ssh-rsa");
046: tw.writeMPInt(pk.getE());
047: tw.writeMPInt(pk.getN());
048:
049: return tw.getBytes();
050: }
051:
052: public static RSASignature decodeSSHRSASignature(byte[] sig)
053: throws IOException {
054: TypesReader tr = new TypesReader(sig);
055:
056: String sig_format = tr.readString();
057:
058: if (sig_format.equals("ssh-rsa") == false)
059: throw new IOException("Peer sent wrong signature format");
060:
061: /* S is NOT an MPINT. "The value for 'rsa_signature_blob' is encoded as a string
062: * containing s (which is an integer, without lengths or padding, unsigned and in
063: * network byte order)." See also below.
064: */
065:
066: byte[] s = tr.readByteString();
067:
068: if (s.length == 0)
069: throw new IOException("Error in RSA signature, S is empty.");
070:
071: if (log.isEnabled()) {
072: log.log(80, "Decoding ssh-rsa signature string (length: "
073: + s.length + ")");
074: }
075:
076: if (tr.remain() != 0)
077: throw new IOException("Padding in RSA signature!");
078:
079: return new RSASignature(new BigInteger(1, s));
080: }
081:
082: public static byte[] encodeSSHRSASignature(RSASignature sig)
083: throws IOException {
084: TypesWriter tw = new TypesWriter();
085:
086: tw.writeString("ssh-rsa");
087:
088: /* S is NOT an MPINT. "The value for 'rsa_signature_blob' is encoded as a string
089: * containing s (which is an integer, without lengths or padding, unsigned and in
090: * network byte order)."
091: */
092:
093: byte[] s = sig.getS().toByteArray();
094:
095: /* Remove first zero sign byte, if present */
096:
097: if ((s.length > 1) && (s[0] == 0x00))
098: tw.writeString(s, 1, s.length - 1);
099: else
100: tw.writeString(s, 0, s.length);
101:
102: return tw.getBytes();
103: }
104:
105: public static RSASignature generateSignature(byte[] message,
106: RSAPrivateKey pk) throws IOException {
107: SHA1 md = new SHA1();
108: md.update(message);
109: byte[] sha_message = new byte[md.getDigestLength()];
110: md.digest(sha_message);
111:
112: byte[] der_header = new byte[] { 0x30, 0x21, 0x30, 0x09, 0x06,
113: 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04,
114: 0x14 };
115:
116: int rsa_block_len = (pk.getN().bitLength() + 7) / 8;
117:
118: int num_pad = rsa_block_len
119: - (2 + der_header.length + sha_message.length) - 1;
120:
121: if (num_pad < 8)
122: throw new IOException(
123: "Cannot sign with RSA, message too long");
124:
125: byte[] sig = new byte[der_header.length + sha_message.length
126: + 2 + num_pad];
127:
128: sig[0] = 0x01;
129:
130: for (int i = 0; i < num_pad; i++) {
131: sig[i + 1] = (byte) 0xff;
132: }
133:
134: sig[num_pad + 1] = 0x00;
135:
136: System.arraycopy(der_header, 0, sig, 2 + num_pad,
137: der_header.length);
138: System.arraycopy(sha_message, 0, sig, 2 + num_pad
139: + der_header.length, sha_message.length);
140:
141: BigInteger m = new BigInteger(1, sig);
142:
143: BigInteger s = m.modPow(pk.getD(), pk.getN());
144:
145: return new RSASignature(s);
146: }
147:
148: public static boolean verifySignature(byte[] message,
149: RSASignature ds, RSAPublicKey dpk) throws IOException {
150: SHA1 md = new SHA1();
151: md.update(message);
152: byte[] sha_message = new byte[md.getDigestLength()];
153: md.digest(sha_message);
154:
155: BigInteger n = dpk.getN();
156: BigInteger e = dpk.getE();
157: BigInteger s = ds.getS();
158:
159: if (n.compareTo(s) <= 0) {
160: log.log(20, "ssh-rsa signature: n.compareTo(s) <= 0");
161: return false;
162: }
163:
164: int rsa_block_len = (n.bitLength() + 7) / 8;
165:
166: /* And now the show begins */
167:
168: if (rsa_block_len < 1) {
169: log.log(20, "ssh-rsa signature: rsa_block_len < 1");
170: return false;
171: }
172:
173: byte[] v = s.modPow(e, n).toByteArray();
174:
175: int startpos = 0;
176:
177: if ((v.length > 0) && (v[0] == 0x00))
178: startpos++;
179:
180: if ((v.length - startpos) != (rsa_block_len - 1)) {
181: log
182: .log(20,
183: "ssh-rsa signature: (v.length - startpos) != (rsa_block_len - 1)");
184: return false;
185: }
186:
187: if (v[startpos] != 0x01) {
188: log.log(20, "ssh-rsa signature: v[startpos] != 0x01");
189: return false;
190: }
191:
192: int pos = startpos + 1;
193:
194: while (true) {
195: if (pos >= v.length) {
196: log.log(20, "ssh-rsa signature: pos >= v.length");
197: return false;
198: }
199: if (v[pos] == 0x00)
200: break;
201: if (v[pos] != (byte) 0xff) {
202: log.log(20, "ssh-rsa signature: v[pos] != (byte) 0xff");
203: return false;
204: }
205: pos++;
206: }
207:
208: int num_pad = pos - (startpos + 1);
209:
210: if (num_pad < 8) {
211: log.log(20, "ssh-rsa signature: num_pad < 8");
212: return false;
213: }
214:
215: pos++;
216:
217: if (pos >= v.length) {
218: log.log(20, "ssh-rsa signature: pos >= v.length");
219: return false;
220: }
221:
222: SimpleDERReader dr = new SimpleDERReader(v, pos, v.length - pos);
223:
224: byte[] seq = dr.readSequenceAsByteArray();
225:
226: if (dr.available() != 0) {
227: log.log(20, "ssh-rsa signature: dr.available() != 0");
228: return false;
229: }
230:
231: dr.resetInput(seq);
232:
233: /* Read digestAlgorithm */
234:
235: byte digestAlgorithm[] = dr.readSequenceAsByteArray();
236:
237: /* Inspired by RFC 3347, however, ignoring the comment regarding old BER based implementations */
238:
239: if ((digestAlgorithm.length < 8)
240: || (digestAlgorithm.length > 9)) {
241: log
242: .log(
243: 20,
244: "ssh-rsa signature: (digestAlgorithm.length < 8) || (digestAlgorithm.length > 9)");
245: return false;
246: }
247:
248: byte[] digestAlgorithm_sha1 = new byte[] { 0x06, 0x05, 0x2b,
249: 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00 };
250:
251: for (int i = 0; i < digestAlgorithm.length; i++) {
252: if (digestAlgorithm[i] != digestAlgorithm_sha1[i]) {
253: log
254: .log(20,
255: "ssh-rsa signature: digestAlgorithm[i] != digestAlgorithm_sha1[i]");
256: return false;
257: }
258: }
259:
260: byte[] digest = dr.readOctetString();
261:
262: if (dr.available() != 0) {
263: log.log(20, "ssh-rsa signature: dr.available() != 0 (II)");
264: return false;
265: }
266:
267: if (digest.length != sha_message.length) {
268: log
269: .log(20,
270: "ssh-rsa signature: digest.length != sha_message.length");
271: return false;
272: }
273:
274: for (int i = 0; i < sha_message.length; i++) {
275: if (sha_message[i] != digest[i]) {
276: log
277: .log(20,
278: "ssh-rsa signature: sha_message[i] != digest[i]");
279: return false;
280: }
281: }
282:
283: return true;
284: }
285: }
|