iaik.security.rsa
Class RawRSAPssSignature

java.lang.Object
  |
  +--java.security.SignatureSpi
        |
        +--java.security.Signature
              |
              +--iaik.security.rsa.RSAPkcs1Signature
                    |
                    +--iaik.security.rsa.RSAPssSignature
                          |
                          +--iaik.security.rsa.RawRSAPssSignature

public class RawRSAPssSignature

extends RSAPssSignature

This class represents a "raw" implemention of the RSA PKCS#1v2.1 RSASSA-PSS digital signature algorithm where the hash on the data to be signed has to be calculated by the application.

This class may be used in a similar way than parent class RSAPssSignature except that the message hash value has to be calculated by the application. All required parameters (hash algorithm, mask generation algorithm, salt length) have to be supplied as RSAPssParameterSpec. As defined for PSS the trailer field is fixed to 0xBC.

Generally the following steps have to be performed for calculating/verifying a PSS signature when using this "raw" signature engine:

• First an instance of the raw RSASSA-PSS signature engine has to be created using a proper getInstance method, e.g.:

   Signature pss = Signature.getInstance("RawRSASSA-PSS");
   

• Second, the Signature object just created has to be properly initialized for signing a message respectively verifying a signature using a RSA private respectively RSA public key, e.g.:
  • Initialize for Signing: pss.initSign(rsaPrivateKey);
  • Initialize for Verifying: pss.initVerify(rsaPublicKey);

• Third, supply the required parameters (hash algorithm, mask generation function, salt length -- trailer field is fixed) as RSAPssParameterSpec, e.g.:

   // hash algorithm
   AlgorithmID hashID = (AlgorithmID)AlgorithmID.ripeMd160.clone();
   // mask generation function ID
   AlgorithmID mgfID = (AlgorithmID)AlgorithmID.mgf1.clone();
   mgfID.setParameter(hashID.toASN1Object());
   // salt length
   int saltLength = 20;
   // create a RSAPssParameterSpec
   RSAPssParameterSpec pssParamSpec = new RSAPssParameterSpec(hashID, mgfID, saltLength);
   // optionally set hash and mgf engines
   MessageDigest hashEngine = MessageDigest.getInstance(“SHA-1”);
   pssParamSpec.setHashEngine(hashEngine);
   MaskGenerationAlgorithm mgfEngine = MaskGenerationAlgorithm.getInstance(“MGF1”);
   MGF1ParameterSpec mgf1Spec = new MGF1ParameterSpec(hashID);
   mgf1Spec.setHashEngine(hashEngine);
   mgfEngine.setParameters(mgf1Spec);
   pssParamSpec.setMGFEngine(mgfEngine);
   // set parameters (for JDK 1.1.8 use pss.setParameter(null, pssParamSpec);)
   pss.setParameter(pssParamSpec); 
   

• Finally, if the Signature object has been initialized for signing, the (already calculated) message hash value is supplied by calling an update method and subsequently the signature is created by calling the sign method returning the signature as byte array. Otherwise, if the Signature object has been initialized for verifying, first again the message hash value is supplied by calling an update method is supplied to the Signature object, and subsequently the signature is verified by calling the verify method, supplied with the byte array holding the corresponding signature value:
  • Calculate and supply the message hash value to be signed/verified:

     MessageDigest hashEngine = hashID.getMessageDigestInstance();
     byte[] rawHash = hashEngine.digest(data);
     

  • Sign the message:

     byte[] signature = pss.sign();
     

  • Respectively verify the signature:

     System.out.println("Signature " + (pss.verify(signature) ? "correct!" : "not correct!"));
     

Please note that in step 3) above when supplying the parameters it would not make sense to also set a hash engine since the message hash has to be calculated outside the engine by the calling application. This does not apply to the mask generation function which may be based on a hash algorithm (like MGF1). Any required hash operation except calculating the message hash may be done by the signature engine itself.

Please note that it is the entire responsibility of the application to take care to provide a proper hash value when calling an update method; no check is performed if the supplied hash value corresponds to the hash algorithm in use (e.g. has the correct length).

Please note that in contrast to PKCS1v1.5 -- where attacks that are based on hash algorithm compromise ("hash function substitution") are caught by including the hash algorithm id in the DigestInfo encoding -- no such mechanism is used by the PSS signature scheme. So hash function substitution has to be addressed by other means when using PSS. One possible solution is to use the same hash function for message hashing and any hash operations done by the mask generation function (if based on a hash algorithm). This is ensured for all JCA based hash engines where the hash algorithm(s) to be used are already given by the implementing class: SHA1withRSAandMGF1, for instance, uses the SHA-1 algorithm for both message hashing and MGF1 hash operations. When using this general RSASSA-PSS signature engine, hash algorithm and mask generation function have to be supplied by the calling application. In this case it is the responsibility of the application to take care of hash function substitution issues - if desired. This may be done by, for instance, setting the same hash algorithm parameter for message hashing and MGF hashing, or, for instance, using one and only hash algorithm in any case, or following any other suitable strategy.

Version:

File Revision 12

See Also:

RSAPssSignature

Fields inherited from class iaik.security.rsa.RSAPssSignature

hash

Fields inherited from class java.security.Signature

SIGN, state, UNINITIALIZED, VERIFY

Fields inherited from class java.security.SignatureSpi

appRandom

Constructor Summary

RawRSAPssSignature()
Default constructor.

Method Summary

protected void	engineUpdate(byte b) SPI: Updates the data to be signed or verified with the specified byte.
protected void	engineUpdate(byte[] b, int off, int len) SPI: Updates the data to be signed or verified with the specified number of bytes, beginning at the specified offset within the given byte array.

Methods inherited from class iaik.security.rsa.RSAPssSignature

engineGetParameter, engineGetParameters, engineInitSign, engineInitSign, engineInitVerify, engineSetParameter, engineSetParameter, engineSign, engineVerify

Methods inherited from class java.security.Signature

clone, getAlgorithm, getInstance, getInstance, getParameter, getProvider, initSign, initSign, initVerify, initVerify, setParameter, setParameter, sign, sign, toString, update, update, update, verify

Methods inherited from class java.security.SignatureSpi

engineSign

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

RawRSAPssSignature

public RawRSAPssSignature()

Default constructor.

An application shall call

 Signature.getInstance("RawRSASSA-PSS");
 

to get the required raw PSS signature engine.

Method Detail

engineUpdate

protected void engineUpdate(byte b)

SPI: Updates the data to be signed or verified with the specified byte. Only feeds the byte to the internal buffer.

Overrides:

engineUpdate in class iaik.security.rsa.RSAPkcs1Signature

Parameters:

b - the byte to be used for updating.

engineUpdate

protected void engineUpdate(byte[] b,
                            int off,
                            int len)

SPI: Updates the data to be signed or verified with the specified number of bytes, beginning at the specified offset within the given byte array. Only feeds the bytes to the internal buffer.

Overrides:

engineUpdate in class iaik.security.rsa.RSAPkcs1Signature

Parameters:

b - the byte array holding the data to be used for this update operation.

off - the offset, indicating the start position within the given byte array.

len - the number of bytes to be obtained from the given byte array, starting at the given position.