Skip to content

Commit

Permalink
Merge pull request #54 from canonical/rsa-sha256
Browse files Browse the repository at this point in the history 
RSAwithSHA256 - make SHA256 the default digest for RSA signatures
  • Loading branch information
@pushkarnk
pushkarnk authored Dec 11, 2024
2 parents 3bf1691 + 359e0cd commit ecf169e
Show file tree
Hide file tree
Showing 7 changed files with 37 additions and 34 deletions.
2 changes: 1 addition & 1 deletion src/main/java/com/canonical/openssl/provider/OpenSSLFIPSProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ public OpenSSLFIPSProvider() {
put("MessageDigest.MDSHA512", "com.canonical.openssl.md.MDSHA512");

// Signatures
put("Signature.RSA", "com.canonical.openssl.signature.SignatureRSA");
put("Signature.RSAwithSHA256", "com.canonical.openssl.signature.SignatureRSAwithSHA256");
// The openssl FIPS provider for Ubuntu Pro does not have support for ED448 and ED25519.
// There is lack of clarity over the FIPS approval status of these algorithms.
// put("Signature.ED448", "com.canonical.openssl.signature.SignatureED448");
Expand Down
8 changes: 6 additions & 2 deletions src/main/java/com/canonical/openssl/signature/OpenSSLSignature.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,9 +61,9 @@ public void run() {

private Params params = new Params(null, -1, Padding.NONE, null);;

enum Padding { NONE, PSS };
protected static enum Padding { NONE, PSS };

class Params {
protected static class Params {

static final int NO_PADDING = 0;
static final int PSS_PADDING = 1;
Expand Down Expand Up @@ -97,6 +97,10 @@ public int getPadding() {
}
}

protected OpenSSLSignature(Params params) {
this.params = params;
}

protected abstract String getSignatureName();

@Override
Expand Down
4 changes: 4 additions & 0 deletions src/main/java/com/canonical/openssl/signature/SignatureED25519.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@
package com.canonical.openssl.signature;

public final class SignatureED25519 extends OpenSSLSignature {
public SignatureED25519() {
super(null);
}

protected String getSignatureName() {
return "ED25519";
}
Expand Down
4 changes: 4 additions & 0 deletions src/main/java/com/canonical/openssl/signature/SignatureED448.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@
package com.canonical.openssl.signature;

public final class SignatureED448 extends OpenSSLSignature {
public SignatureED448() {
super(null);
}

protected String getSignatureName() {
return "ED448";
}
Expand Down
9 changes: 7 additions & 2 deletions ...nical/openssl/signature/SignatureRSA.java → ...ssl/signature/SignatureRSAwithSHA256.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,13 @@
*/
package com.canonical.openssl.signature;

public final class SignatureRSA extends OpenSSLSignature {
public final class SignatureRSAwithSHA256 extends OpenSSLSignature {

public SignatureRSAwithSHA256() {
super(new OpenSSLSignature.Params("SHA-256", -1, OpenSSLSignature.Padding.NONE, null));
}

protected String getSignatureName() {
return "RSA";
return "RSAwithSHA256";
}
}
2 changes: 1 addition & 1 deletion src/test/java/ProviderSanityTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ public void testMessageDigests() {

@Test
public void testSignatures() {
test(Signature.class, "RSA", SignatureRSA.class, "sigSpi");
test(Signature.class, "RSAwithSHA256", SignatureRSAwithSHA256.class, "sigSpi");
//test(Signature.class, "ED448", SignatureED448.class, "sigSpi");
//test(Signature.class, "ED25519", SignatureED25519.class, "sigSpi");
}
Expand Down
42 changes: 14 additions & 28 deletions src/test/java/SignatureTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,15 +62,13 @@ public void testRSABasic() throws Exception {
PublicKey publicKey = gen.pubKey;
PrivateKey privateKey = gen.privKey;

Signature signer = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
signer.setParameter("digest", "SHA-256"); // TODO: why does this work only with SHA-256?
Signature signer = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
signer.initSign(privateKey);
byte[] bytes = message.getBytes();
signer.update(bytes, 0, bytes.length);
byte[] sigBytes = signer.sign();

Signature verifier = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
verifier.setParameter("digest", "SHA-256");
Signature verifier = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
verifier.initVerify(publicKey);
verifier.update(bytes, 0, bytes.length);

Expand All @@ -82,17 +80,15 @@ public void testRSAwithMultipleUpdates() throws Exception {
PublicKey publicKey = new RSAPublicKey("src/test/keys/rsa16384-pub.pem");
PrivateKey privateKey = new RSAPrivateKey("src/test/keys/rsa16384-priv.pem");

Signature signer = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
signer.setParameter("digest", "SHA-256");
Signature signer = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
signer.initSign(privateKey);
byte[] bytes = message.getBytes();
signer.update(bytes, 0, bytes.length);
signer.update(bytes, 2, bytes.length-2);
signer.update(bytes, 3, bytes.length-3);
byte[] sigBytes = signer.sign();

Signature verifier = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
verifier.setParameter("digest", "SHA-256");
Signature verifier = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
verifier.initVerify(publicKey);
verifier.update(bytes, 0, bytes.length);
verifier.update(bytes, 2, bytes.length-2);
Expand All @@ -109,8 +105,7 @@ public void testRSAsingleByteUpdates() throws Exception {
PublicKey publicKey = gen.pubKey;
PrivateKey privateKey = gen.privKey;

Signature signer = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
signer.setParameter("digest", "SHA-256");
Signature signer = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
signer.initSign(privateKey);
byte[] bytes = message.getBytes();

Expand All @@ -119,8 +114,7 @@ public void testRSAsingleByteUpdates() throws Exception {
}
byte[] sigBytes = signer.sign();

Signature verifier = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
verifier.setParameter("digest", "SHA-256");
Signature verifier = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
verifier.initVerify(publicKey);
verifier.update(bytes, 0, bytes.length);

Expand All @@ -132,15 +126,13 @@ public void testRSAmultipleByteBufferUpdates() throws Exception {
PublicKey publicKey = new RSAPublicKey("src/test/keys/rsa8192-pub.pem");
PrivateKey privateKey = new RSAPrivateKey("src/test/keys/rsa8192-priv.pem");

Signature signer = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
signer.setParameter("digest", "SHA-256");
Signature signer = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
signer.initSign(privateKey);
byte[] bytes = message.getBytes();
signer.update(ByteBuffer.wrap(message.getBytes()));
byte[] sigBytes = signer.sign();

Signature verifier = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
verifier.setParameter("digest", "SHA-256");
Signature verifier = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
verifier.initVerify(publicKey);
verifier.update(bytes, 0, bytes.length);

Expand All @@ -153,15 +145,13 @@ public void testRSAsignNonzeroOffset() throws Exception {
PrivateKey privateKey = new RSAPrivateKey("src/test/keys/rsa4096-priv.pem");

byte[] sigBytes = new byte[612];
Signature signer = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
signer.setParameter("digest", "SHA-256");
Signature signer = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
signer.initSign(privateKey);
byte[] bytes = message.getBytes();
signer.update(ByteBuffer.wrap(message.getBytes()));
signer.sign(sigBytes, 100, 512);

Signature verifier = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
verifier.setParameter("digest", "SHA-256");
Signature verifier = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
verifier.initVerify(publicKey);
verifier.update(bytes, 0, bytes.length);

Expand All @@ -176,8 +166,7 @@ public void testRSAtamperedSignature() throws Exception {
PublicKey publicKey = gen.pubKey;
PrivateKey privateKey = gen.privKey;

Signature signer = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
signer.setParameter("digest", "SHA-256");
Signature signer = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
signer.initSign(privateKey);
byte[] bytes = message.getBytes();

Expand All @@ -186,8 +175,7 @@ public void testRSAtamperedSignature() throws Exception {
}
byte[] sigBytes = signer.sign();

Signature verifier = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
verifier.setParameter("digest", "SHA-256");
Signature verifier = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
verifier.initVerify(publicKey);
verifier.update(bytes, 0, bytes.length);

Expand All @@ -205,8 +193,7 @@ public void testRSAtamperedContent() throws Exception {
PublicKey publicKey = gen.pubKey;
PrivateKey privateKey = gen.privKey;

Signature signer = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
signer.setParameter("digest", "SHA-256");
Signature signer = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
signer.initSign(privateKey);
byte[] bytes = message.getBytes();

Expand All @@ -217,8 +204,7 @@ public void testRSAtamperedContent() throws Exception {

// tamper content
bytes[0] += 1;
Signature verifier = Signature.getInstance("RSA", "OpenSSLFIPSProvider");
verifier.setParameter("digest", "SHA-256");
Signature verifier = Signature.getInstance("RSAwithSHA256", "OpenSSLFIPSProvider");
verifier.initVerify(publicKey);
verifier.update(bytes, 0, bytes.length);

Expand Down

0 comments on commit ecf169e

Please sign in to comment.