Skip to content

Commit

Permalink
8199697: FIPS 186-4 RSA Key Generation
Browse files Browse the repository at this point in the history
Reviewed-by: xuelei
  • Loading branch information
Valerie Peng committed Oct 21, 2020
1 parent 60d3fa2 commit 1191a63
Show file tree
Hide file tree
Showing 2 changed files with 154 additions and 68 deletions.
218 changes: 152 additions & 66 deletions src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.RSAKeyGenParameterSpec;

import static java.math.BigInteger.*;
import sun.security.jca.JCAUtil;
import sun.security.rsa.RSAUtil.KeyType;

Expand All @@ -48,6 +49,16 @@
*/
public abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi {

private static final BigInteger SQRT_2048;
private static final BigInteger SQRT_3072;
private static final BigInteger SQRT_4096;

static {
SQRT_2048 = TWO.pow(2047).sqrt();
SQRT_3072 = TWO.pow(3071).sqrt();
SQRT_4096 = TWO.pow(4095).sqrt();
}

// public exponent to use
private BigInteger publicExponent;

Expand All @@ -60,6 +71,10 @@ public abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
// PRNG to use
private SecureRandom random;

// whether to generate key pairs following the new guidelines from
// FIPS 186-4 and later
private boolean useNew;

RSAKeyPairGenerator(KeyType type, int defKeySize) {
this.type = type;
// initialize to default in case the app does not call initialize()
Expand All @@ -86,30 +101,42 @@ public void initialize(AlgorithmParameterSpec params, SecureRandom random)

RSAKeyGenParameterSpec rsaSpec = (RSAKeyGenParameterSpec)params;
int tmpKeySize = rsaSpec.getKeysize();
BigInteger tmpPublicExponent = rsaSpec.getPublicExponent();
BigInteger tmpPubExp = rsaSpec.getPublicExponent();
AlgorithmParameterSpec tmpParams = rsaSpec.getKeyParams();

if (tmpPublicExponent == null) {
tmpPublicExponent = RSAKeyGenParameterSpec.F4;
// use the new approach for even key sizes >= 2048 AND when the
// public exponent is within FIPS valid range
boolean useNew = (tmpKeySize >= 2048 && ((tmpKeySize & 1) == 0));

if (tmpPubExp == null) {
tmpPubExp = RSAKeyGenParameterSpec.F4;
} else {
if (tmpPublicExponent.compareTo(RSAKeyGenParameterSpec.F0) < 0) {
if (!tmpPubExp.testBit(0)) {
throw new InvalidAlgorithmParameterException
("Public exponent must be 3 or larger");
("Public exponent must be an odd number");
}
if (!tmpPublicExponent.testBit(0)) {
// current impl checks that F0 <= e < 2^keysize
// vs FIPS 186-4 checks that F4 <= e < 2^256
// for backward compatibility, we keep the same checks
BigInteger minValue = RSAKeyGenParameterSpec.F0;
int maxBitLength = tmpKeySize;
if (tmpPubExp.compareTo(RSAKeyGenParameterSpec.F0) < 0) {
throw new InvalidAlgorithmParameterException
("Public exponent must be an odd number");
("Public exponent must be " + minValue + " or larger");
}
if (tmpPublicExponent.bitLength() > tmpKeySize) {
if (tmpPubExp.bitLength() > maxBitLength) {
throw new InvalidAlgorithmParameterException
("Public exponent must be smaller than key size");
("Public exponent must be no longer than " +
maxBitLength + " bits");
}
useNew &= ((tmpPubExp.compareTo(RSAKeyGenParameterSpec.F4) >= 0) &&
(tmpPubExp.bitLength() < 256));
}

// do not allow unreasonably large key sizes, probably user error
try {
RSAKeyFactory.checkKeyLengths(tmpKeySize, tmpPublicExponent,
512, 64 * 1024);
RSAKeyFactory.checkKeyLengths(tmpKeySize, tmpPubExp, 512,
64 * 1024);
} catch (InvalidKeyException e) {
throw new InvalidAlgorithmParameterException(
"Invalid key sizes", e);
Expand All @@ -123,70 +150,129 @@ public void initialize(AlgorithmParameterSpec params, SecureRandom random)
}

this.keySize = tmpKeySize;
this.publicExponent = tmpPublicExponent;
this.random = random;
this.publicExponent = tmpPubExp;
this.random = (random == null? JCAUtil.getSecureRandom() : random);
this.useNew = useNew;
}

// generate the keypair. See JCA doc
// FIPS 186-4 B.3.3 / FIPS 186-5 A.1.3
// Generation of Random Primes that are Probably Prime
public KeyPair generateKeyPair() {
// accommodate odd key sizes in case anybody wants to use them
int lp = (keySize + 1) >> 1;
int lq = keySize - lp;
if (random == null) {
random = JCAUtil.getSecureRandom();
}
BigInteger e = publicExponent;
BigInteger minValue = (useNew? getSqrt(keySize) : ZERO);
int lp = (keySize + 1) >> 1;;
int lq = keySize - lp;
int pqDiffSize = lp - 100;

while (true) {
// generate two random primes of size lp/lq
BigInteger p = BigInteger.probablePrime(lp, random);
BigInteger q, n;
do {
q = BigInteger.probablePrime(lq, random);
// convention is for p > q
if (p.compareTo(q) < 0) {
BigInteger tmp = p;
p = q;
q = tmp;
BigInteger p = null;
BigInteger q = null;

int i = 0;
while (i++ < 10*lp) {
BigInteger tmpP = BigInteger.probablePrime(lp, random);
if ((!useNew || tmpP.compareTo(minValue) == 1) &&
isRelativePrime(e, tmpP.subtract(ONE))) {
p = tmpP;
break;
}
// modulus n = p * q
n = p.multiply(q);
// even with correctly sized p and q, there is a chance that
// n will be one bit short. re-generate the smaller prime if so
} while (n.bitLength() < keySize);

// phi = (p - 1) * (q - 1) must be relative prime to e
// otherwise RSA just won't work ;-)
BigInteger p1 = p.subtract(BigInteger.ONE);
BigInteger q1 = q.subtract(BigInteger.ONE);
BigInteger phi = p1.multiply(q1);
// generate new p and q until they work. typically
// the first try will succeed when using F4
if (e.gcd(phi).equals(BigInteger.ONE) == false) {
continue;
}
if (p == null) {
throw new ProviderException("Cannot find prime P");
}

i = 0;

// private exponent d is the inverse of e mod phi
BigInteger d = e.modInverse(phi);

// 1st prime exponent pe = d mod (p - 1)
BigInteger pe = d.mod(p1);
// 2nd prime exponent qe = d mod (q - 1)
BigInteger qe = d.mod(q1);

// crt coefficient coeff is the inverse of q mod p
BigInteger coeff = q.modInverse(p);

try {
PublicKey publicKey = new RSAPublicKeyImpl(type, keyParams,
n, e);
PrivateKey privateKey = new RSAPrivateCrtKeyImpl(type,
keyParams, n, e, d, p, q, pe, qe, coeff);
return new KeyPair(publicKey, privateKey);
} catch (InvalidKeyException exc) {
// invalid key exception only thrown for keys < 512 bit,
// will not happen here
throw new RuntimeException(exc);
while (i++ < 20*lq) {
BigInteger tmpQ = BigInteger.probablePrime(lq, random);

if ((!useNew || tmpQ.compareTo(minValue) == 1) &&
(p.subtract(tmpQ).abs().compareTo
(TWO.pow(pqDiffSize)) == 1) &&
isRelativePrime(e, tmpQ.subtract(ONE))) {
q = tmpQ;
break;
}
}
if (q == null) {
throw new ProviderException("Cannot find prime Q");
}

BigInteger n = p.multiply(q);
if (n.bitLength() != keySize) {
// regenerate P, Q if n is not the right length; should
// never happen for the new case but check it anyway
continue;
}

KeyPair kp = createKeyPair(type, keyParams, n, e, p, q);
// done, return the generated keypair;
if (kp != null) return kp;
}
}

private static BigInteger getSqrt(int keySize) {
BigInteger sqrt = null;
switch (keySize) {
case 2048:
sqrt = SQRT_2048;
break;
case 3072:
sqrt = SQRT_3072;
break;
case 4096:
sqrt = SQRT_4096;
break;
default:
sqrt = TWO.pow(keySize-1).sqrt();
}
return sqrt;
}

private static boolean isRelativePrime(BigInteger e, BigInteger bi) {
// optimize for common known public exponent prime values
if (e.compareTo(RSAKeyGenParameterSpec.F4) == 0 ||
e.compareTo(RSAKeyGenParameterSpec.F0) == 0) {
return !bi.mod(e).equals(ZERO);
} else {
return e.gcd(bi).equals(ONE);
}
}

private static KeyPair createKeyPair(KeyType type,
AlgorithmParameterSpec keyParams,
BigInteger n, BigInteger e, BigInteger p, BigInteger q) {
// phi = (p - 1) * (q - 1) must be relative prime to e
// otherwise RSA just won't work ;-)
BigInteger p1 = p.subtract(ONE);
BigInteger q1 = q.subtract(ONE);
BigInteger phi = p1.multiply(q1);

BigInteger gcd = p1.gcd(q1);
BigInteger lcm = (gcd.equals(ONE)? phi : phi.divide(gcd));

BigInteger d = e.modInverse(lcm);

if (d.compareTo(TWO.pow(p.bitLength())) != 1) {
return null;
}

// 1st prime exponent pe = d mod (p - 1)
BigInteger pe = d.mod(p1);
// 2nd prime exponent qe = d mod (q - 1)
BigInteger qe = d.mod(q1);
// crt coefficient coeff is the inverse of q mod p
BigInteger coeff = q.modInverse(p);

try {
PublicKey publicKey = new RSAPublicKeyImpl(type, keyParams, n, e);
PrivateKey privateKey = new RSAPrivateCrtKeyImpl(
type, keyParams, n, e, d, p, q, pe, qe, coeff);
return new KeyPair(publicKey, privateKey);
} catch (InvalidKeyException exc) {
// invalid key exception only thrown for keys < 512 bit,
// will not happen here
throw new RuntimeException(exc);
}
}

Expand Down
4 changes: 2 additions & 2 deletions test/jdk/sun/security/rsa/SpecTest.java
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -30,7 +30,7 @@
* @run main SpecTest 512
* @run main SpecTest 768
* @run main SpecTest 1024
* @run main SpecTest 1024 3
* @run main SpecTest 1024 167971
* @run main SpecTest 2048
* @run main/timeout=240 SpecTest 4096
* @run main/timeout=240 SpecTest 5120
Expand Down

1 comment on commit 1191a63

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented on 1191a63 Oct 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.