1 /*
2  * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.
8  *
9  * This code is distributed in the hope that it will be useful, but WITHOUT
10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12  * version 2 for more details (a copy is included in the LICENSE file that
13  * accompanied this code).
14  *
15  * You should have received a copy of the GNU General Public License version
16  * 2 along with this work; if not, write to the Free Software Foundation,
17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  *
19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20  * or visit www.oracle.com if you need additional information or have any
21  * questions.
22  */
23 
24 /*
25  * @test
26  * @bug 8255494
27  * @summary Make sure the signature algorithm to verify a PKCS7 block is
28  *      DIGwithENC instead of HASHwithENC.
29  * @modules java.base/sun.security.pkcs
30  *          java.base/sun.security.tools.keytool
31  *          java.base/sun.security.x509
32  */
33 
34 import sun.security.pkcs.PKCS7;
35 import sun.security.tools.keytool.CertAndKeyGen;
36 import sun.security.x509.X500Name;
37 
38 import java.nio.charset.StandardCharsets;
39 import java.security.cert.X509Certificate;
40 
41 public class TwoHash {
main(String[] args)42     public static void main(String[] args) throws Exception {
43 
44         byte[] content = "Hello You fool I love you".getBytes();
45 
46         CertAndKeyGen cak = new CertAndKeyGen("EC", "SHA512withECDSA");
47         cak.generate("secp256r1");
48         byte[] signature = PKCS7.generateNewSignedData(
49                 "SHA256withECDSA",
50                 null,
51                 cak.getPrivateKey(),
52                 new X509Certificate[] {cak.getSelfCertificate(new X500Name("CN=Me"), 1000)},
53                 content,
54                 false,
55                 true, // direct sign, so that RFC 6211 check is not possible
56                 null);
57 
58         // The original signature should verify.
59         if (new PKCS7(signature).verify(content) == null) {
60             throw new RuntimeException("Should be verified");
61         }
62 
63         // Modify the SHA256withECDSA signature algorithm (OID encoded as
64         // "06 08 2A 86 48 CE 3D 04 03 02") to SHA384withECDSA (OID encoded as
65         // "06 08 2A 86 48 CE 3D 04 03 03"). ISO_8859_1 charset is chosen
66         // because it's a strictly one byte per char encoding.
67         String s = new String(signature, StandardCharsets.ISO_8859_1);
68         String s1 = s.replace(
69                 "\u0006\u0008\u002A\u0086\u0048\u00CE\u003D\u0004\u0003\u0002",
70                 "\u0006\u0008\u002A\u0086\u0048\u00CE\u003D\u0004\u0003\u0003");
71         byte[] modified = s1.getBytes(StandardCharsets.ISO_8859_1);
72 
73         // The modified signature should still verify because the HASH
74         // part of signature algorithm is ignored.
75         if (new PKCS7(modified).verify(content) == null) {
76             throw new RuntimeException("Should be verified");
77         }
78     }
79 }
80