/* * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.rsa; import java.math.BigInteger; import java.security.*; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.RSAKeyGenParameterSpec; import static java.math.BigInteger.*; import sun.security.jca.JCAUtil; import sun.security.rsa.RSAUtil.KeyType; import static sun.security.util.SecurityProviderConstants.DEF_RSA_KEY_SIZE; import static sun.security.util.SecurityProviderConstants.DEF_RSASSA_PSS_KEY_SIZE; /** * RSA keypair generation. Standard algorithm, minimum key length 512 bit. * We generate two random primes until we find two where phi is relative * prime to the public exponent. Default exponent is 65537. It has only bit 0 * and bit 4 set, which makes it particularly efficient. * * @since 1.5 * @author Andreas Sterbenz */ public abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi { private static final BigInteger SQRT_2048; private static final BigInteger SQRT_3072; private static final BigInteger SQRT_4096; static { SQRT_2048 = TWO.pow(2047).sqrt(); SQRT_3072 = TWO.pow(3071).sqrt(); SQRT_4096 = TWO.pow(4095).sqrt(); } // public exponent to use private BigInteger publicExponent; // size of the key to generate, >= RSAKeyFactory.MIN_MODLEN private int keySize; private final KeyType type; private AlgorithmParameterSpec keyParams; // PRNG to use private SecureRandom random; // whether to generate key pairs following the new guidelines from // FIPS 186-4 and later private boolean useNew; RSAKeyPairGenerator(KeyType type, int defKeySize) { this.type = type; // initialize to default in case the app does not call initialize() initialize(defKeySize, null); } // initialize the generator. See JCA doc public void initialize(int keySize, SecureRandom random) { try { initialize(new RSAKeyGenParameterSpec(keySize, RSAKeyGenParameterSpec.F4), random); } catch (InvalidAlgorithmParameterException iape) { throw new InvalidParameterException(iape.getMessage()); } } // second initialize method. See JCA doc. public void initialize(AlgorithmParameterSpec params, SecureRandom random) throws InvalidAlgorithmParameterException { if (params instanceof RSAKeyGenParameterSpec == false) { throw new InvalidAlgorithmParameterException ("Params must be instance of RSAKeyGenParameterSpec"); } RSAKeyGenParameterSpec rsaSpec = (RSAKeyGenParameterSpec)params; int tmpKeySize = rsaSpec.getKeysize(); BigInteger tmpPubExp = rsaSpec.getPublicExponent(); AlgorithmParameterSpec tmpParams = rsaSpec.getKeyParams(); // use the new approach for even key sizes >= 2048 AND when the // public exponent is within FIPS valid range boolean useNew = (tmpKeySize >= 2048 && ((tmpKeySize & 1) == 0)); if (tmpPubExp == null) { tmpPubExp = RSAKeyGenParameterSpec.F4; } else { if (!tmpPubExp.testBit(0)) { throw new InvalidAlgorithmParameterException ("Public exponent must be an odd number"); } // current impl checks that F0 <= e < 2^keysize // vs FIPS 186-4 checks that F4 <= e < 2^256 // for backward compatibility, we keep the same checks BigInteger minValue = RSAKeyGenParameterSpec.F0; int maxBitLength = tmpKeySize; if (tmpPubExp.compareTo(RSAKeyGenParameterSpec.F0) < 0) { throw new InvalidAlgorithmParameterException ("Public exponent must be " + minValue + " or larger"); } if (tmpPubExp.bitLength() > maxBitLength) { throw new InvalidAlgorithmParameterException ("Public exponent must be no longer than " + maxBitLength + " bits"); } useNew &= ((tmpPubExp.compareTo(RSAKeyGenParameterSpec.F4) >= 0) && (tmpPubExp.bitLength() < 256)); } // do not allow unreasonably large key sizes, probably user error try { RSAKeyFactory.checkKeyLengths(tmpKeySize, tmpPubExp, 512, 64 * 1024); } catch (InvalidKeyException e) { throw new InvalidAlgorithmParameterException( "Invalid key sizes", e); } try { this.keyParams = RSAUtil.checkParamsAgainstType(type, tmpParams); } catch (ProviderException e) { throw new InvalidAlgorithmParameterException( "Invalid key parameters", e); } this.keySize = tmpKeySize; this.publicExponent = tmpPubExp; this.random = (random == null? JCAUtil.getSecureRandom() : random); this.useNew = useNew; } // FIPS 186-4 B.3.3 / FIPS 186-5 A.1.3 // Generation of Random Primes that are Probably Prime public KeyPair generateKeyPair() { BigInteger e = publicExponent; BigInteger minValue = (useNew? getSqrt(keySize) : ZERO); int lp = (keySize + 1) >> 1;; int lq = keySize - lp; int pqDiffSize = lp - 100; while (true) { BigInteger p = null; BigInteger q = null; int i = 0; while (i++ < 10*lp) { BigInteger tmpP = BigInteger.probablePrime(lp, random); if ((!useNew || tmpP.compareTo(minValue) == 1) && isRelativePrime(e, tmpP.subtract(ONE))) { p = tmpP; break; } } if (p == null) { throw new ProviderException("Cannot find prime P"); } i = 0; while (i++ < 20*lq) { BigInteger tmpQ = BigInteger.probablePrime(lq, random); if ((!useNew || tmpQ.compareTo(minValue) == 1) && (p.subtract(tmpQ).abs().compareTo (TWO.pow(pqDiffSize)) == 1) && isRelativePrime(e, tmpQ.subtract(ONE))) { q = tmpQ; break; } } if (q == null) { throw new ProviderException("Cannot find prime Q"); } BigInteger n = p.multiply(q); if (n.bitLength() != keySize) { // regenerate P, Q if n is not the right length; should // never happen for the new case but check it anyway continue; } KeyPair kp = createKeyPair(type, keyParams, n, e, p, q); // done, return the generated keypair; if (kp != null) return kp; } } private static BigInteger getSqrt(int keySize) { BigInteger sqrt = null; switch (keySize) { case 2048: sqrt = SQRT_2048; break; case 3072: sqrt = SQRT_3072; break; case 4096: sqrt = SQRT_4096; break; default: sqrt = TWO.pow(keySize-1).sqrt(); } return sqrt; } private static boolean isRelativePrime(BigInteger e, BigInteger bi) { // optimize for common known public exponent prime values if (e.compareTo(RSAKeyGenParameterSpec.F4) == 0 || e.compareTo(RSAKeyGenParameterSpec.F0) == 0) { return !bi.mod(e).equals(ZERO); } else { return e.gcd(bi).equals(ONE); } } private static KeyPair createKeyPair(KeyType type, AlgorithmParameterSpec keyParams, BigInteger n, BigInteger e, BigInteger p, BigInteger q) { // phi = (p - 1) * (q - 1) must be relative prime to e // otherwise RSA just won't work ;-) BigInteger p1 = p.subtract(ONE); BigInteger q1 = q.subtract(ONE); BigInteger phi = p1.multiply(q1); BigInteger gcd = p1.gcd(q1); BigInteger lcm = (gcd.equals(ONE)? phi : phi.divide(gcd)); BigInteger d = e.modInverse(lcm); if (d.compareTo(TWO.pow(p.bitLength())) != 1) { return null; } // 1st prime exponent pe = d mod (p - 1) BigInteger pe = d.mod(p1); // 2nd prime exponent qe = d mod (q - 1) BigInteger qe = d.mod(q1); // crt coefficient coeff is the inverse of q mod p BigInteger coeff = q.modInverse(p); try { PublicKey publicKey = new RSAPublicKeyImpl(type, keyParams, n, e); PrivateKey privateKey = new RSAPrivateCrtKeyImpl( type, keyParams, n, e, d, p, q, pe, qe, coeff); return new KeyPair(publicKey, privateKey); } catch (InvalidKeyException exc) { // invalid key exception only thrown for keys < 512 bit, // will not happen here throw new RuntimeException(exc); } } public static final class Legacy extends RSAKeyPairGenerator { public Legacy() { super(KeyType.RSA, DEF_RSA_KEY_SIZE); } } public static final class PSS extends RSAKeyPairGenerator { public PSS() { super(KeyType.PSS, DEF_RSASSA_PSS_KEY_SIZE); } } }