com.google.crypto.tink.signature.SignaturePemKeysetReader Maven / Gradle / Ivy
Show all versions of tink-android Show documentation
// Copyright 2017 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
package com.google.crypto.tink.signature;
import com.google.crypto.tink.KeysetReader;
import com.google.crypto.tink.PemKeyType;
import com.google.crypto.tink.proto.EcdsaParams;
import com.google.crypto.tink.proto.EcdsaPublicKey;
import com.google.crypto.tink.proto.EcdsaSignatureEncoding;
import com.google.crypto.tink.proto.EllipticCurveType;
import com.google.crypto.tink.proto.EncryptedKeyset;
import com.google.crypto.tink.proto.HashType;
import com.google.crypto.tink.proto.KeyData;
import com.google.crypto.tink.proto.KeyStatusType;
import com.google.crypto.tink.proto.Keyset;
import com.google.crypto.tink.proto.OutputPrefixType;
import com.google.crypto.tink.proto.RsaSsaPkcs1Params;
import com.google.crypto.tink.proto.RsaSsaPkcs1PublicKey;
import com.google.crypto.tink.proto.RsaSsaPssParams;
import com.google.crypto.tink.proto.RsaSsaPssPublicKey;
import com.google.crypto.tink.signature.internal.SigUtil;
import com.google.crypto.tink.subtle.Random;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.security.Key;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nullable;
/**
* SignaturePemKeysetReader is a {@link KeysetReader} that can read digital signature keys in PEM
* format (RFC 7468).
*
* Only supports public keys.
*
*
Private, unknown or invalid keys are ignored.
*
*
Usage
*
* {@code
* import com.google.crypto.tink.PemKeyType;
*
* String pem = ...;
* PemKeyType type = ...;
* KeysetReader reader = SignaturePemKeysetReader.newBuilder().addPem(pem, type).build();
* }
*/
public final class SignaturePemKeysetReader implements KeysetReader {
private List pemKeys;
SignaturePemKeysetReader(List pemKeys) {
this.pemKeys = pemKeys;
}
/** Returns a {@link Builder} for {@link SignaturePemKeysetReader}. */
public static Builder newBuilder() {
return new Builder();
}
/** Builder for SignaturePemKeysetReader */
public static final class Builder {
private List pemKeys = new ArrayList();
Builder() {}
public KeysetReader build() {
return new SignaturePemKeysetReader(pemKeys);
}
/**
* Adds a PEM.
*
* A single PEM can contain multiple keys, but all must have the same {@code keyType}.
* Invalid or unparsable keys are ignored.
*
*
The first key in the first added PEM is the primary key.
*/
@CanIgnoreReturnValue
public Builder addPem(String pem, PemKeyType keyType) {
PemKey pemKey = new PemKey();
pemKey.reader = new BufferedReader(new StringReader(pem));
pemKey.type = keyType;
pemKeys.add(pemKey);
return this;
}
}
private static final class PemKey {
BufferedReader reader;
PemKeyType type;
}
@Override
public Keyset read() throws IOException {
Keyset.Builder keyset = Keyset.newBuilder();
for (PemKey pemKey : pemKeys) {
for (Keyset.Key key = readKey(pemKey.reader, pemKey.type);
key != null;
key = readKey(pemKey.reader, pemKey.type)) {
keyset.addKey(key);
}
}
if (keyset.getKeyCount() == 0) {
throw new IOException("cannot find any key");
}
// Use the first key as the primary key id.
keyset.setPrimaryKeyId(keyset.getKey(0).getKeyId());
return keyset.build();
}
@Override
public EncryptedKeyset readEncrypted() throws IOException {
throw new UnsupportedOperationException();
}
/** Reads a single PEM key from {@code reader}. Invalid or unparsable PEM would be ignored */
@Nullable
private static Keyset.Key readKey(BufferedReader reader, PemKeyType pemKeyType)
throws IOException {
Key key = pemKeyType.readKey(reader);
if (key == null) {
return null;
}
KeyData keyData;
if (key instanceof RSAPublicKey) {
keyData = convertRsaPublicKey(pemKeyType, (RSAPublicKey) key);
} else if (key instanceof ECPublicKey) {
keyData = convertEcPublicKey(pemKeyType, (ECPublicKey) key);
} else {
// Private keys are ignored.
return null;
}
return Keyset.Key.newBuilder()
.setKeyData(keyData)
.setStatus(KeyStatusType.ENABLED)
.setOutputPrefixType(OutputPrefixType.RAW) // PEM keys don't add any prefix to signatures
.setKeyId(Random.randInt())
.build();
}
private static KeyData convertRsaPublicKey(PemKeyType pemKeyType, RSAPublicKey key)
throws IOException {
if (pemKeyType.algorithm.equals("RSASSA-PKCS1-v1_5")) {
RsaSsaPkcs1Params params =
RsaSsaPkcs1Params.newBuilder().setHashType(getHashType(pemKeyType)).build();
RsaSsaPkcs1PublicKey pkcs1PubKey =
RsaSsaPkcs1PublicKey.newBuilder()
.setVersion(0)
.setParams(params)
.setE(SigUtil.toUnsignedIntByteString(key.getPublicExponent()))
.setN(SigUtil.toUnsignedIntByteString(key.getModulus()))
.build();
return KeyData.newBuilder()
.setTypeUrl(RsaSsaPkcs1VerifyKeyManager.getKeyType())
.setValue(pkcs1PubKey.toByteString())
.setKeyMaterialType(KeyData.KeyMaterialType.ASYMMETRIC_PUBLIC)
.build();
} else if (pemKeyType.algorithm.equals("RSASSA-PSS")) {
RsaSsaPssParams params =
RsaSsaPssParams.newBuilder()
.setSigHash(getHashType(pemKeyType))
.setMgf1Hash(getHashType(pemKeyType))
.setSaltLength(getDigestSizeInBytes(pemKeyType))
.build();
RsaSsaPssPublicKey pssPubKey =
RsaSsaPssPublicKey.newBuilder()
.setVersion(0)
.setParams(params)
.setE(SigUtil.toUnsignedIntByteString(key.getPublicExponent()))
.setN(SigUtil.toUnsignedIntByteString(key.getModulus()))
.build();
return KeyData.newBuilder()
.setTypeUrl(RsaSsaPssVerifyKeyManager.getKeyType())
.setValue(pssPubKey.toByteString())
.setKeyMaterialType(KeyData.KeyMaterialType.ASYMMETRIC_PUBLIC)
.build();
}
throw new IOException("unsupported RSA signature algorithm: " + pemKeyType.algorithm);
}
private static KeyData convertEcPublicKey(PemKeyType pemKeyType, ECPublicKey key)
throws IOException {
if (pemKeyType.algorithm.equals("ECDSA")) {
EcdsaParams params =
EcdsaParams.newBuilder()
.setHashType(getHashType(pemKeyType))
.setCurve(getCurveType(pemKeyType))
.setEncoding(EcdsaSignatureEncoding.DER)
.build();
EcdsaPublicKey ecdsaPubKey =
EcdsaPublicKey.newBuilder()
.setVersion(0)
.setParams(params)
.setX(SigUtil.toUnsignedIntByteString(key.getW().getAffineX()))
.setY(SigUtil.toUnsignedIntByteString(key.getW().getAffineY()))
.build();
return KeyData.newBuilder()
.setTypeUrl(EcdsaVerifyKeyManager.getKeyType())
.setValue(ecdsaPubKey.toByteString())
.setKeyMaterialType(KeyData.KeyMaterialType.ASYMMETRIC_PUBLIC)
.build();
}
throw new IOException("unsupported EC signature algorithm: " + pemKeyType.algorithm);
}
private static HashType getHashType(PemKeyType pemKeyType) {
switch (pemKeyType.hash) {
case SHA256:
return HashType.SHA256;
case SHA384:
return HashType.SHA384;
case SHA512:
return HashType.SHA512;
default:
break;
}
throw new IllegalArgumentException("unsupported hash type: " + pemKeyType.hash.name());
}
private static int getDigestSizeInBytes(PemKeyType pemKeyType) {
switch (pemKeyType.hash) {
case SHA256:
return 32;
case SHA384:
return 48;
case SHA512:
return 64;
default:
break;
}
throw new IllegalArgumentException("unsupported hash type: " + pemKeyType.hash.name());
}
private static EllipticCurveType getCurveType(PemKeyType pemKeyType) {
switch (pemKeyType.keySizeInBits) {
case 256:
return EllipticCurveType.NIST_P256;
case 384:
return EllipticCurveType.NIST_P384;
case 521:
return EllipticCurveType.NIST_P521;
default:
break;
}
throw new IllegalArgumentException(
"unsupported curve for key size: " + pemKeyType.keySizeInBits);
}
}