Google Git
Sign in
cobalt / cobalt / c22907dbc00f1b681ca5a66f4cbc333d84fae0a5 / . / src / third_party / ukey2 / src / main / java / com / google / security / cryptauth / lib / securemessage / PublicKeyProtoUtil.java
blob: ab97cca15a9993470fdc70353494291e4a643113 [file] [log] [blame]
/* Copyright 2018 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.google.security.cryptauth.lib.securemessage;
import com.google.protobuf.ByteString;
import com.google.security.annotations.SuppressInsecureCipherModeCheckerPendingReview;
import com.google.security.cryptauth.lib.securemessage.SecureMessageProto.DhPublicKey;
import com.google.security.cryptauth.lib.securemessage.SecureMessageProto.EcP256PublicKey;
import com.google.security.cryptauth.lib.securemessage.SecureMessageProto.GenericPublicKey;
import com.google.security.cryptauth.lib.securemessage.SecureMessageProto.SimpleRsaPublicKey;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECFieldFp;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
/**
* Utility class containing static factory methods for a simple protobuf based representation of
* EC public keys that is intended for use with the SecureMessage library.
*
* N.B.: Requires the availability of an EC security provider supporting the NIST P-256 curve.
*
*/
public class PublicKeyProtoUtil {
private PublicKeyProtoUtil() {} // Do not instantiate
/**
* Caches state about whether the current platform supports Elliptic Curve algorithms.
*/
private static final Boolean IS_LEGACY_CRYPTO_REQUIRED = determineIfLegacyCryptoRequired();
private static final BigInteger ONE = new BigInteger("1");
private static final BigInteger TWO = new BigInteger("2");
/**
* Name for Elliptic Curve cryptography algorithm suite, used by the security provider. If the
* security provider does not implement the specified algorithm, runtime errors will ensue.
*/
private static final String EC_ALG = "EC";
/**
* A common name for the NIST P-256 curve, used by most Java security providers.
*/
private static final String EC_P256_COMMON_NAME = "secp256r1";
/**
* A name the NIST P-256 curve, used by the OpenSSL Java security provider (e.g,. on Android).
*/
private static final String EC_P256_OPENSSL_NAME = "prime256v1";
/**
* The {@link ECParameterSpec} for the NIST P-256 Elliptic Curve.
*/
private static final ECParameterSpec EC_P256_PARAMS = isLegacyCryptoRequired() ? null :
((ECPublicKey) generateEcP256KeyPair().getPublic()).getParams();
/**
* The prime {@code p} describing the field for the NIST P-256 curve.
*/
private static final BigInteger EC_P256_P = isLegacyCryptoRequired() ? null :
((ECFieldFp) EC_P256_PARAMS.getCurve().getField()).getP();
/**
* The coefficient {@code a} for the NIST P-256 curve.
*/
private static final BigInteger EC_P256_A = isLegacyCryptoRequired() ? null :
EC_P256_PARAMS.getCurve().getA();
/**
* The coefficient {@code b} for the NIST P-256 curve.
*/
private static final BigInteger EC_P256_B = isLegacyCryptoRequired() ? null :
EC_P256_PARAMS.getCurve().getB();
/**
* Maximum number of bytes in a 2's complement encoding of a NIST P-256 elliptic curve point.
*/
private static final int MAX_P256_ENCODING_BYTES = 33;
/**
* The JCA name for the RSA cryptography suite.
*/
private static final String RSA_ALG = "RSA";
private static final int RSA2048_MODULUS_BITS = 2048;
/**
* Maximum number of bytes in a 2's complement encoding of a 2048-bit RSA key.
*/
private static final int MAX_RSA2048_ENCODING_BYTES = 257;
/**
* The JCA name for the Diffie-Hellman cryptography suite.
*/
private static final String DH_ALG = "DH";
/**
* The prime from the 2048-bit MODP Group (group 14) described in RFC 3526, to be used for
* Diffie-Hellman computations. Use only if Elliptic Curve ciphers are unavailable.
*/
public static final BigInteger DH_P = new BigInteger(
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" +
"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" +
"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" +
"15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16);
/**
* The generator for the 2048-bit MODP Group (group 14) described in RFC 3526, to be used for
* Diffie-Hellman computations. Use only if Elliptic Curve ciphers are unavailable.
*/
public static final BigInteger DH_G = TWO;
/**
* The size of the Diffie-Hellman exponent to use, in bits.
*/
public static final int DH_LEN = 512;
/**
* Maximum number of bytes in a 2's complement encoding of a
* Diffie-Hellman key using {@link #DH_G}.
*/
private static final int MAX_DH2048_ENCODING_BYTES = 257;
/**
* Version code for the Honeycomb release of Android, which is the first release supporting
* Elliptic Curve.
*/
public static final int ANDROID_HONEYCOMB_SDK_INT = 11;
/**
* Encodes any supported {@link PublicKey} type as a {@link GenericPublicKey} proto message.
*
* @see SecureMessageProto constants (defined in the .proto file) for supported types
*/
public static GenericPublicKey encodePublicKey(PublicKey pk) {
if (pk == null) {
throw new NullPointerException();
}
if (pk instanceof ECPublicKey) {
return GenericPublicKey.newBuilder()
.setType(SecureMessageProto.PublicKeyType.EC_P256)
.setEcP256PublicKey(encodeEcPublicKey(pk))
.build();
}
if (pk instanceof RSAPublicKey) {
return GenericPublicKey.newBuilder()
.setType(SecureMessageProto.PublicKeyType.RSA2048)
.setRsa2048PublicKey(encodeRsa2048PublicKey(pk))
.build();
}
if (pk instanceof DHPublicKey) {
return GenericPublicKey.newBuilder()
.setType(SecureMessageProto.PublicKeyType.DH2048_MODP)
.setDh2048PublicKey(encodeDh2048PublicKey(pk))
.build();
}
throw new IllegalArgumentException("Unsupported PublicKey type");
}
/**
* Encodes an {@link ECPublicKey} to an {@link EcP256PublicKey} proto message.
*/
public static EcP256PublicKey encodeEcPublicKey(PublicKey pk) {
ECPublicKey epk = pkToECPublicKey(pk);
return EcP256PublicKey.newBuilder()
.setX(extractX(epk))
.setY(extractY(epk))
.build();
}
/**
* Encodes a 2048-bit {@link RSAPublicKey} to an {@link SimpleRsaPublicKey} proto message.
*/
public static SimpleRsaPublicKey encodeRsa2048PublicKey(PublicKey pk) {
RSAPublicKey rpk = pkToRSAPublicKey(pk);
return SimpleRsaPublicKey.newBuilder()
.setN(ByteString.copyFrom(rpk.getModulus().toByteArray()))
.setE(rpk.getPublicExponent().intValue())
.build();
}
/**
* Encodes a 2048-bit {@link DhPublicKey} using the {@link #DH_G} group to a
* {@link DhPublicKey} proto message.
*/
public static DhPublicKey encodeDh2048PublicKey(PublicKey pk) {
DHPublicKey dhpk = pkToDHPublicKey(pk);
return DhPublicKey.newBuilder()
.setY(ByteString.copyFrom(dhpk.getY().toByteArray()))
.build();
}
/**
* Extracts a {@link PublicKey} from an {@link GenericPublicKey} proto message.
*
* @throws InvalidKeySpecException if the input is not a valid and/or supported public key type
*/
public static PublicKey parsePublicKey(GenericPublicKey gpk) throws InvalidKeySpecException {
if (!gpk.hasType()) {
// "required" means nothing in micro proto land. We have to check this ourselves.
throw new InvalidKeySpecException("GenericPublicKey.type is a required field");
}
switch (gpk.getType()) {
case EC_P256:
if (!gpk.hasEcP256PublicKey()) {
break;
}
return parseEcPublicKey(gpk.getEcP256PublicKey());
case RSA2048:
if (!gpk.hasRsa2048PublicKey()) {
break;
}
return parseRsa2048PublicKey(gpk.getRsa2048PublicKey());
case DH2048_MODP:
if (!gpk.hasDh2048PublicKey()) {
break;
}
return parseDh2048PublicKey(gpk.getDh2048PublicKey());
default:
throw new InvalidKeySpecException("Unsupported GenericPublicKey type: " + gpk.getType());
}
throw new InvalidKeySpecException("key object is missing for key type: " + gpk.getType());
}
/**
* Extracts a {@link ECPublicKey} from an {@link EcP256PublicKey} proto message.
*
* @throws InvalidKeySpecException if the input is not a valid NIST P-256 public key or if
* this platform does not support Elliptic Curve keys
*/
public static ECPublicKey parseEcPublicKey(EcP256PublicKey p256pk)
throws InvalidKeySpecException {
if (!p256pk.hasX() || !p256pk.hasY()) {
throw new InvalidKeySpecException("Key is missing a required coordinate");
}
if (isLegacyCryptoRequired()) {
throw new InvalidKeySpecException("Elliptic Curve keys not supported on this platform");
}
byte[] encodedX = p256pk.getX().toByteArray();
byte[] encodedY = p256pk.getY().toByteArray();
try {
validateEcP256CoordinateEncoding(encodedX);
validateEcP256CoordinateEncoding(encodedY);
BigInteger wX = new BigInteger(encodedX);
BigInteger wY = new BigInteger(encodedY);
validateEcP256CurvePoint(wX, wY);
return (ECPublicKey) KeyFactory.getInstance(EC_ALG).generatePublic(
new ECPublicKeySpec(new ECPoint(wX, wY), EC_P256_PARAMS));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
/**
* Extracts a {@link RSAPublicKey} from an {@link SimpleRsaPublicKey} proto message.
*
* @throws InvalidKeySpecException when the input RSA public key is invalid
*/
public static RSAPublicKey parseRsa2048PublicKey(SimpleRsaPublicKey pk)
throws InvalidKeySpecException {
if (!pk.hasN()) {
throw new InvalidKeySpecException("required field is missing");
}
byte[] encodedN = pk.getN().toByteArray();
validateSimpleRsaEncoding(encodedN);
BigInteger n = new BigInteger(encodedN);
if (n.bitLength() != RSA2048_MODULUS_BITS) {
throw new InvalidKeySpecException();
}
BigInteger e = BigInteger.valueOf(pk.getE());
try {
return (RSAPublicKey) KeyFactory.getInstance(RSA_ALG).generatePublic(
new RSAPublicKeySpec(n, e));
} catch (NoSuchAlgorithmException e1) {
throw new AssertionError(e1); // Should never happen
}
}
/**
* Extracts a {@link DHPublicKey} from an {@link DhPublicKey} proto message.
*
* @throws InvalidKeySpecException when the input DH public key is invalid
*/
@SuppressInsecureCipherModeCheckerPendingReview // b/32143855
public static DHPublicKey parseDh2048PublicKey(DhPublicKey pk) throws InvalidKeySpecException {
if (!pk.hasY()) {
throw new InvalidKeySpecException("required field is missing");
}
byte[] encodedY = pk.getY().toByteArray();
validateDhEncoding(encodedY);
BigInteger y;
try {
y = new BigInteger(encodedY);
} catch (NumberFormatException e) {
throw new InvalidKeySpecException();
}
validateDhGroupElement(y);
try {
return (DHPublicKey) KeyFactory.getInstance(DH_ALG).generatePublic(
new DHPublicKeySpec(y, DH_P, DH_G));
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e); // Should never happen
}
}
/**
* @return a freshly generated NIST P-256 Elliptic Curve key pair.
*/
public static KeyPair generateEcP256KeyPair() {
return getEcKeyGen().generateKeyPair();
}
/**
* @return a freshly generated 2048-bit RSA key pair.
*/
public static KeyPair generateRSA2048KeyPair() {
return getRsaKeyGen().generateKeyPair();
}
/**
* @return a freshly generated Diffie-Hellman key pair for the 2048-bit group
* described by {@link #DH_G}
*/
public static KeyPair generateDh2048KeyPair() {
try {
return getDhKeyGen().generateKeyPair();
} catch (InvalidAlgorithmParameterException e) {
// Construct an appropriate KeyPair manually, since this platform refuses to do it for us
DHParameterSpec spec = new DHParameterSpec(DH_P, DH_G);
BigInteger x = new BigInteger(DH_LEN, new SecureRandom());
DHPrivateKey privateKey = new DHPrivateKeyShim(x, spec);
DHPublicKey publicKey = new DHPublicKeyShim(DH_G.modPow(x, DH_P), spec);
return new KeyPair(publicKey, privateKey);
}
}
/**
* A lightweight encoding for a {@link DHPrivateKey}. Strongly recommended over attempting to use
* {@link DHPrivateKey#getEncoded()}, but not compatible with the standard encoding.
*
* @see #parseDh2048PrivateKey(byte[])
*/
public static byte[] encodeDh2048PrivateKey(DHPrivateKey sk) {
return sk.getX().toByteArray();
}
/**
* Parses a {@link DHPrivateKey} encoded with {@link #encodeDh2048PrivateKey(DHPrivateKey)}.
*/
public static DHPrivateKey parseDh2048PrivateKey(byte[] encodedX)
throws InvalidKeySpecException {
validateDhEncoding(encodedX); // Could be stricter for x, but should be fine to use this
BigInteger x;
try {
x = new BigInteger(encodedX);
} catch (NumberFormatException e) {
throw new InvalidKeySpecException();
}
validateDhGroupElement(x); // Again, this validation should be good enough
return new DHPrivateKeyShim(x, new DHParameterSpec(DH_P, DH_G));
}
/**
* @throws InvalidKeySpecException if point ({@code x},{@code y}) isn't on the NIST P-256 curve
*/
private static void validateEcP256CurvePoint(BigInteger x, BigInteger y)
throws InvalidKeySpecException {
if ((x.signum() == -1) || (y.signum() == -1)) {
throw new InvalidKeySpecException("Point encoding must use only non-negative integers");
}
BigInteger p = EC_P256_P;
if ((x.compareTo(p) >= 0) || (y.compareTo(p) >= 0)) {
throw new InvalidKeySpecException("Point lies outside of the expected field");
}
// Points on the curve satisfy y^2 = x^3 + ax + b (mod p)
BigInteger lhs = squareMod(y, p);
BigInteger rhs = squareMod(x, p).add(EC_P256_A) // = (x^2 + a)
.multiply(x).mod(p) // = x(x^2 + a) = x^3 + ax
.add(EC_P256_B) // = x^3 + ax + b
.mod(p);
if (!lhs.equals(rhs)) {
throw new InvalidKeySpecException("Point does not lie on the expected curve");
}
}
/**
* @return value of {@code x}^2 (mod {@code p})
*/
private static BigInteger squareMod(BigInteger x, BigInteger p) {
return x.multiply(x).mod(p);
}
/**
* @throws InvalidKeySpecException if the coordinate is too large for a 256-bit curve
*/
private static void validateEcP256CoordinateEncoding(byte[] p) throws InvalidKeySpecException {
if ((p.length == 0)
|| (p.length > MAX_P256_ENCODING_BYTES)
|| (p.length == MAX_P256_ENCODING_BYTES && p[0] != 0)) {
throw new InvalidKeySpecException(); // Intentionally vague for security reasons
}
}
/**
* @throws InvalidKeySpecException if the input is too large for a 2048-bit RSA modulus
*/
private static void validateSimpleRsaEncoding(byte[] n) throws InvalidKeySpecException {
if (n.length == 0 || n.length > MAX_RSA2048_ENCODING_BYTES) {
throw new InvalidKeySpecException();
}
}
/**
* @throws InvalidKeySpecException if the public key is too large for a 2048-bit DH group
*/
private static void validateDhEncoding(byte[] y) throws InvalidKeySpecException {
if (y.length == 0 || y.length > MAX_DH2048_ENCODING_BYTES) {
throw new InvalidKeySpecException();
}
}
/**
* @throws InvalidKeySpecException if {@code y} is not a valid Diffie-Hellman public key
*/
private static void validateDhGroupElement(BigInteger y) throws InvalidKeySpecException {
// Check that 1 < y < p -1
if ((y.compareTo(ONE) < 1) || (y.compareTo(DH_P.subtract(ONE)) > -1)) {
throw new InvalidKeySpecException();
}
}
private static ByteString extractY(ECPublicKey epk) {
return ByteString.copyFrom(epk.getW().getAffineY().toByteArray());
}
private static ByteString extractX(ECPublicKey epk) {
return ByteString.copyFrom(epk.getW().getAffineX().toByteArray());
}
private static ECPublicKey pkToECPublicKey(PublicKey pk) {
if (pk == null) {
throw new NullPointerException();
}
if (!(pk instanceof ECPublicKey)) {
throw new IllegalArgumentException("Not an EC Public Key");
}
return (ECPublicKey) pk;
}
private static RSAPublicKey pkToRSAPublicKey(PublicKey pk) {
if (pk == null) {
throw new NullPointerException();
}
if (!(pk instanceof RSAPublicKey)) {
throw new IllegalArgumentException("Not an RSA Public Key");
}
return (RSAPublicKey) pk;
}
private static DHPublicKey pkToDHPublicKey(PublicKey pk) {
if (pk == null) {
throw new NullPointerException();
}
if (!(pk instanceof DHPublicKey)) {
throw new IllegalArgumentException("Not a DH Public Key");
}
return (DHPublicKey) pk;
}
/**
* @return an EC {@link KeyPairGenerator} object initialized for NIST P-256.
*/
private static KeyPairGenerator getEcKeyGen() {
KeyPairGenerator keygen;
try {
keygen = KeyPairGenerator.getInstance(EC_ALG);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
try {
// Try using the OpenSSL provider first, since we prefer it over BouncyCastle
keygen.initialize(new ECGenParameterSpec(EC_P256_OPENSSL_NAME));
return keygen;
} catch (InvalidAlgorithmParameterException e) {
// Try another name for NIST P-256
}
try {
keygen.initialize(new ECGenParameterSpec(EC_P256_COMMON_NAME));
return keygen;
} catch (InvalidAlgorithmParameterException e) {
throw new RuntimeException("Unable to find the NIST P-256 curve");
}
}
/**
* @return an RSA {@link KeyPairGenerator} object initialized for 2048-bit keys.
*/
private static KeyPairGenerator getRsaKeyGen() {
try {
KeyPairGenerator keygen = KeyPairGenerator.getInstance(RSA_ALG);
keygen.initialize(RSA2048_MODULUS_BITS);
return keygen;
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e); // This should never happen
}
}
/**
* @return a DH {@link KeyPairGenerator} object initialized for the group described by {@link
* #DH_G}.
* @throws InvalidAlgorithmParameterException on some platforms that don't support large DH groups
*/
@SuppressInsecureCipherModeCheckerPendingReview // b/32143855
private static KeyPairGenerator getDhKeyGen() throws InvalidAlgorithmParameterException {
try {
KeyPairGenerator keygen = KeyPairGenerator.getInstance(DH_ALG);
keygen.initialize(new DHParameterSpec(DH_P, DH_G, DH_LEN));
return keygen;
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e); // This should never happen
}
}
/**
* A lightweight shim class to enable the creation of {@link DHPublicKey} and {@link DHPrivateKey}
* objects that accept arbitrary {@link DHParameterSpec}s -- unfortunately, many platforms do
* not support using reasonably sized Diffie-Hellman groups any other way. For instance, see
* <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521495">Java bug 6521495</a>.
*/
public abstract static class DHKeyShim {
private BigInteger eitherXorY;
private DHParameterSpec params;
public DHKeyShim(BigInteger eitherXorY, DHParameterSpec params) {
this.eitherXorY = eitherXorY;
this.params = params;
}
public DHParameterSpec getParams() {
return params;
}
public String getAlgorithm() {
return "DH";
}
public String getFormat() {
return null;
}
public byte[] getEncoded() {
return null;
}
public BigInteger getX() {
return eitherXorY;
}
public BigInteger getY() {
return eitherXorY;
}
}
/**
* A simple {@link DHPublicKey} implementation.
*
* @see DHKeyShim
*/
public static class DHPublicKeyShim extends DHKeyShim implements DHPublicKey {
public DHPublicKeyShim(BigInteger y, DHParameterSpec params) {
super(y, params);
}
}
/**
* A simple {@link DHPrivateKey} implementation.
*
* @see DHKeyShim
*/
public static class DHPrivateKeyShim extends DHKeyShim implements DHPrivateKey {
public DHPrivateKeyShim(BigInteger x, DHParameterSpec params) {
super(x, params);
}
}
/**
* @return true if this platform does not support Elliptic Curve algorithms
*/
public static boolean isLegacyCryptoRequired() {
return IS_LEGACY_CRYPTO_REQUIRED;
}
/**
* @return true if using the Elliptic Curve key generator fails on this platform
*/
private static boolean determineIfLegacyCryptoRequired() {
try {
getEcKeyGen();
} catch (Exception e) {
return true;
}
return false;
}
}