com.google.crypto.tink.signature.RsaSsaPssParameters Maven / Gradle / Ivy
Show all versions of tink-android Show documentation
// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
package com.google.crypto.tink.signature;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.Immutable;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.util.Objects;
import javax.annotation.Nullable;
/**
* Describes the parameters of a {@link RsaSsaPssPublicKey} and {@link RsaSsaPssPrivateKey}.
*
* Standard: https://datatracker.ietf.org/doc/html/rfc8017#section-8.1
*/
public final class RsaSsaPssParameters extends SignatureParameters {
/**
* Describes details of the signature.
*
*
The usual key is used for variant "NO_PREFIX". Other variants slightly change how the
* signature is computed, or add a prefix to every computation depending on the key id.
*/
@Immutable
public static final class Variant {
public static final Variant TINK = new Variant("TINK");
public static final Variant CRUNCHY = new Variant("CRUNCHY");
public static final Variant LEGACY = new Variant("LEGACY");
public static final Variant NO_PREFIX = new Variant("NO_PREFIX");
private final String name;
private Variant(String name) {
this.name = name;
}
@Override
public String toString() {
return name;
}
}
/** The Hash algorithm used. */
@Immutable
public static final class HashType {
public static final HashType SHA256 = new HashType("SHA256");
public static final HashType SHA384 = new HashType("SHA384");
public static final HashType SHA512 = new HashType("SHA512");
private final String name;
private HashType(String name) {
this.name = name;
}
@Override
public String toString() {
return name;
}
}
public static final BigInteger F4 = BigInteger.valueOf(65537);
/** Builds a new RsaSsaPssParameters instance. */
public static final class Builder {
@Nullable private Integer modulusSizeBits = null;
@Nullable private BigInteger publicExponent = F4;
@Nullable private HashType sigHashType = null;
@Nullable private HashType mgf1HashType = null;
@Nullable private Integer saltLengthBytes = null;
private Variant variant = Variant.NO_PREFIX;
private Builder() {}
@CanIgnoreReturnValue
public Builder setModulusSizeBits(int modulusSizeBits) {
this.modulusSizeBits = modulusSizeBits;
return this;
}
@CanIgnoreReturnValue
public Builder setPublicExponent(BigInteger e) {
this.publicExponent = e;
return this;
}
@CanIgnoreReturnValue
public Builder setVariant(Variant variant) {
this.variant = variant;
return this;
}
@CanIgnoreReturnValue
public Builder setSigHashType(HashType sigHashType) {
this.sigHashType = sigHashType;
return this;
}
@CanIgnoreReturnValue
public Builder setMgf1HashType(HashType mgf1HashType) {
this.mgf1HashType = mgf1HashType;
return this;
}
@CanIgnoreReturnValue
public Builder setSaltLengthBytes(int saltLengthBytes) throws GeneralSecurityException {
if (saltLengthBytes < 0) {
throw new GeneralSecurityException(
String.format(
"Invalid salt length in bytes %d; salt length must be positive", saltLengthBytes));
}
this.saltLengthBytes = saltLengthBytes;
return this;
}
private static final BigInteger TWO = BigInteger.valueOf(2);
private static final BigInteger PUBLIC_EXPONENT_UPPER_BOUND = TWO.pow(256);
private static final int MIN_RSA_MODULUS_SIZE = 2048;
private void validatePublicExponent(BigInteger publicExponent)
throws InvalidAlgorithmParameterException {
// We use the validation of the public exponent as defined in
// https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf, B.3
int c = publicExponent.compareTo(F4);
if (c == 0) {
// publicExponent is F4.
return;
}
if (c < 0) {
// publicExponent is smaller than F4.
throw new InvalidAlgorithmParameterException("Public exponent must be at least 65537.");
}
if (publicExponent.mod(TWO).equals(BigInteger.ZERO)) {
// publicExponent is even. This is invalid since it is not co-prime to p-1.
throw new InvalidAlgorithmParameterException("Invalid public exponent");
}
if (publicExponent.compareTo(PUBLIC_EXPONENT_UPPER_BOUND) > 0) {
// publicExponent is larger than PUBLIC_EXPONENT_UPPER_BOUND.
throw new InvalidAlgorithmParameterException(
"Public exponent cannot be larger than 2^256.");
}
}
public RsaSsaPssParameters build() throws GeneralSecurityException {
if (modulusSizeBits == null) {
throw new GeneralSecurityException("key size is not set");
}
if (publicExponent == null) {
throw new GeneralSecurityException("publicExponent is not set");
}
if (sigHashType == null) {
throw new GeneralSecurityException("signature hash type is not set");
}
if (mgf1HashType == null) {
throw new GeneralSecurityException("mgf1 hash type is not set");
}
if (variant == null) {
throw new GeneralSecurityException("variant is not set");
}
if (saltLengthBytes == null) {
throw new GeneralSecurityException("salt length is not set");
}
if (modulusSizeBits < MIN_RSA_MODULUS_SIZE) {
throw new InvalidAlgorithmParameterException(
String.format(
"Invalid key size in bytes %d; must be at least %d bits",
modulusSizeBits, MIN_RSA_MODULUS_SIZE));
}
if (sigHashType != mgf1HashType) {
throw new GeneralSecurityException("MGF1 hash is different from signature hash");
}
validatePublicExponent(publicExponent);
return new RsaSsaPssParameters(
modulusSizeBits, publicExponent, variant, sigHashType, mgf1HashType, saltLengthBytes);
}
}
private final int modulusSizeBits;
private final BigInteger publicExponent;
private final Variant variant;
private final HashType sigHashType;
private final HashType mgf1HashType;
private final int saltLengthBytes;
private RsaSsaPssParameters(
int modulusSizeBits,
BigInteger publicExponent,
Variant variant,
HashType sigHashType,
HashType mgf1HashType,
int saltLengthBytes) {
this.modulusSizeBits = modulusSizeBits;
this.publicExponent = publicExponent;
this.variant = variant;
this.sigHashType = sigHashType;
this.mgf1HashType = mgf1HashType;
this.saltLengthBytes = saltLengthBytes;
}
public static Builder builder() {
return new Builder();
}
public int getModulusSizeBits() {
return modulusSizeBits;
}
public BigInteger getPublicExponent() {
return publicExponent;
}
public Variant getVariant() {
return variant;
}
public HashType getSigHashType() {
return sigHashType;
}
public HashType getMgf1HashType() {
return mgf1HashType;
}
public int getSaltLengthBytes() {
return saltLengthBytes;
}
@Override
public boolean equals(Object o) {
if (!(o instanceof RsaSsaPssParameters)) {
return false;
}
RsaSsaPssParameters that = (RsaSsaPssParameters) o;
return that.getModulusSizeBits() == getModulusSizeBits()
&& Objects.equals(that.getPublicExponent(), getPublicExponent())
&& Objects.equals(that.getVariant(), getVariant())
&& Objects.equals(that.getSigHashType(), getSigHashType())
&& Objects.equals(that.getMgf1HashType(), getMgf1HashType())
&& that.getSaltLengthBytes() == getSaltLengthBytes();
}
@Override
public int hashCode() {
return Objects.hash(
RsaSsaPssParameters.class,
modulusSizeBits,
publicExponent,
variant,
sigHashType,
mgf1HashType,
saltLengthBytes);
}
@Override
public boolean hasIdRequirement() {
return variant != Variant.NO_PREFIX;
}
@Override
public String toString() {
return "RSA SSA PSS Parameters (variant: "
+ variant
+ ", signature hashType: "
+ sigHashType
+ ", mgf1 hashType: "
+ mgf1HashType
+ ", saltLengthBytes: "
+ saltLengthBytes
+ ", publicExponent: "
+ publicExponent
+ ", and "
+ modulusSizeBits
+ "-bit modulus)";
}
}