Utility methods related to the RSA algorithm.
* *References:
*An implementation of the RSASP method: Assuming that the * designated RSA private key is a valid one, this method computes a * signature representative for a designated message * representative signed by the holder of the designated RSA private * key.
*
* @param K the RSA private key.
* @param m the message representative: an integer between
* 0 and n - 1, where n is the RSA
* modulus.
* @return the signature representative, an integer between
* 0 and n - 1, where n is the RSA
* modulus.
* @throws ClassCastException if K is not an RSA one.
* @throws IllegalArgumentException if m (the message
* representative) is out of range.
*/
public static final BigInteger sign(final PrivateKey K, final BigInteger m)
{
try
{
return RSADP((RSAPrivateKey) K, m);
}
catch (IllegalArgumentException x)
{
throw new IllegalArgumentException(
"message representative out of range");
}
}
/**
*
An implementation of the RSAVP method: Assuming that the * designated RSA public key is a valid one, this method computes a * message representative for the designated signature * representative generated by an RSA private key, for a message * intended for the holder of the designated RSA public key.
* * @param K the RSA public key. * @param s the signature representative, an integer between *0 and n - 1, where n is the RSA
* modulus.
* @return a message representative: an integer between 0
* and n - 1, where n is the RSA modulus.
* @throws ClassCastException if K is not an RSA one.
* @throws IllegalArgumentException if s (the signature
* representative) is out of range.
*/
public static final BigInteger verify(final PublicKey K, final BigInteger s)
{
try
{
return RSAEP((RSAPublicKey) K, s);
}
catch (IllegalArgumentException x)
{
throw new IllegalArgumentException(
"signature representative out of range");
}
}
// Encryption and decryption methods ---------------------------------------
/**
* An implementation of the RSAEP algorithm.
0 and
* n - 1 (n being the public shared modulus)-- that
* will eventually be padded with an appropriate framing/padding scheme.
* @throws ClassCastException if K is not an RSA one.
* @throws IllegalArgumentException if m, the message
* representative is not between 0 and n - 1
* (n being the public shared modulus).
*/
public static final BigInteger encrypt(final PublicKey K, final BigInteger m)
{
try
{
return RSAEP((RSAPublicKey) K, m);
}
catch (IllegalArgumentException x)
{
throw new IllegalArgumentException(
"message representative out of range");
}
}
/**
* An implementation of the RSADP algorithm.
0 and
* n - 1 (n being the shared public modulus).
* @throws ClassCastException if K is not an RSA one.
* @throws IllegalArgumentException if c, the ciphertext
* representative is not between 0 and n - 1
* (n being the shared public modulus).
*/
public static final BigInteger decrypt(final PrivateKey K, final BigInteger c)
{
try
{
return RSADP((RSAPrivateKey) K, c);
}
catch (IllegalArgumentException x)
{
throw new IllegalArgumentException(
"ciphertext representative out of range");
}
}
// Conversion methods ------------------------------------------------------
/**
* Converts a multi-precision integer (MPI) s into an
* octet sequence of length k.
s is greater than k.
*/
public static final byte[] I2OSP(final BigInteger s, final int k)
{
byte[] result = s.toByteArray();
if (result.length < k)
{
final byte[] newResult = new byte[k];
System.arraycopy(result, 0, newResult, k - result.length, result.length);
result = newResult;
}
else if (result.length > k)
{ // leftmost extra bytes should all be 0
final int limit = result.length - k;
for (int i = 0; i < limit; i++)
{
if (result[i] != 0x00)
{
throw new IllegalArgumentException("integer too large");
}
}
final byte[] newResult = new byte[k];
System.arraycopy(result, limit, newResult, 0, k);
result = newResult;
}
return result;
}
// helper methods ----------------------------------------------------------
private static final BigInteger RSAEP(final RSAPublicKey K, final BigInteger m)
{
// 1. If the representative m is not between 0 and n - 1, output
// "representative out of range" and stop.
final BigInteger n = K.getModulus();
if (m.compareTo(ZERO) < 0 || m.compareTo(n.subtract(ONE)) > 0)
{
throw new IllegalArgumentException();
}
// 2. Let c = m^e mod n.
final BigInteger e = K.getPublicExponent();
final BigInteger result = m.modPow(e, n);
// 3. Output c.
return result;
}
private static final BigInteger RSADP(final RSAPrivateKey K, BigInteger c)
{
// 1. If the representative c is not between 0 and n - 1, output
// "representative out of range" and stop.
final BigInteger n = K.getModulus();
if (c.compareTo(ZERO) < 0 || c.compareTo(n.subtract(ONE)) > 0)
{
throw new IllegalArgumentException();
}
// 2. The representative m is computed as follows.
BigInteger result;
if (!(K instanceof RSAPrivateCrtKey))
{
// a. If the first form (n, d) of K is used, let m = c^d mod n.
final BigInteger d = K.getPrivateExponent();
result = c.modPow(d, n);
}
else
{
// from [3] p.13 --see class docs:
// The RSA blinding operation calculates x = (r^e) * g mod n before
// decryption, where r is random, e is the RSA encryption exponent, and
// g is the ciphertext to be decrypted. x is then decrypted as normal,
// followed by division by r, i.e. (x^e) / r mod n. Since r is random,
// x is random and timing the decryption should not reveal information
// about the key. Note that r should be a new random number for every
// decryption.
final boolean rsaBlinding = Properties.doRSABlinding();
BigInteger r = null;
BigInteger e = null;
if (rsaBlinding)
{ // pre-decryption
r = newR(n);
e = ((RSAPrivateCrtKey) K).getPublicExponent();
final BigInteger x = r.modPow(e, n).multiply(c).mod(n);
c = x;
}
// b. If the second form (p, q, dP, dQ, qInv) and (r_i, d_i, t_i)
// of K is used, proceed as follows:
final BigInteger p = ((RSAPrivateCrtKey) K).getPrimeP();
final BigInteger q = ((RSAPrivateCrtKey) K).getPrimeQ();
final BigInteger dP = ((RSAPrivateCrtKey) K).getPrimeExponentP();
final BigInteger dQ = ((RSAPrivateCrtKey) K).getPrimeExponentQ();
final BigInteger qInv = ((RSAPrivateCrtKey) K).getCrtCoefficient();
// i. Let m_1 = c^dP mod p and m_2 = c^dQ mod q.
final BigInteger m_1 = c.modPow(dP, p);
final BigInteger m_2 = c.modPow(dQ, q);
// ii. If u > 2, let m_i = c^(d_i) mod r_i, i = 3, ..., u.
// iii. Let h = (m_1 - m_2) * qInv mod p.
final BigInteger h = m_1.subtract(m_2).multiply(qInv).mod(p);
// iv. Let m = m_2 + q * h.
result = m_2.add(q.multiply(h));
if (rsaBlinding)
{ // post-decryption
result = result.multiply(r.modInverse(n)).mod(n);
}
}
// 3. Output m
return result;
}
/**
* Returns a random MPI with a random bit-length of the form 8b,
* where b is in the range [32..64].