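/*
 * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 8255494
 * @summary Make sure the signature algorithm to verify a PKCS7 block is
 *          DIGwithENC instead of HASHwithENC.
 * @modules java.base/sun.security.pkcs
 *          java.base/sun.security.tools.keytool
 *          java.base/sun.security.x509
 */

import sun.security.pkcs.PKCS7;
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;

import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;

/**
 * Regression test for JDK-8255494.
 *
 * A PKCS7 SignedData is produced with a "SHA256withECDSA" SignerInfo, then
 * the hash half of that SignerInfo's signature-algorithm OID is rewritten in
 * the DER blob to the SHA384 variant.  Verification must still succeed: the
 * verifier is expected to build the JCA algorithm name from the SignerInfo's
 * digestAlgorithm plus the key type (DIGwithENC) and not from the hash named
 * in the signature-algorithm field (HASHwithENC).
 *
 * Security note for readers: in direct-sign mode (no signed attributes) the
 * signature-algorithm field is not itself covered by the signature and there
 * is no RFC 6211 CMSAlgorithmProtection attribute, so a verifier that trusted
 * that field would be trusting attacker-controllable bytes.  Deriving the
 * digest from digestAlgorithm, which IS what the signature is computed over,
 * is the safe behaviour this test pins.  The test only checks that the two
 * blobs verify; it does not exercise rejection of a mismatched digestAlgorithm.
 */
public class TwoHash {

    /**
     * DER encoding of ecdsa-with-SHA256 (1.2.840.10045.4.3.2), as it appears
     * in the SignerInfo's signature-algorithm field.  Expressed as an
     * ISO-8859-1 string so the whole blob can be patched with String.replace.
     */
    private static final String SHA256_ECDSA_OID =
            "\u0006\u0008\u002A\u0086\u0048\u00CE\u003D\u0004\u0003\u0002";

    /** DER encoding of ecdsa-with-SHA384 (1.2.840.10045.4.3.3). */
    private static final String SHA384_ECDSA_OID =
            "\u0006\u0008\u002A\u0086\u0048\u00CE\u003D\u0004\u0003\u0003";

    /**
     * Generates a signed blob, verifies it, tampers with the SignerInfo
     * signature-algorithm OID and verifies the tampered blob again.
     *
     * @param args ignored
     * @throws Exception on any key-generation, encoding or verification error;
     *         a RuntimeException signals a test failure
     */
    public static void main(String[] args) throws Exception {

        // The content is plain ASCII; pin the charset so the signed bytes do
        // not depend on the platform default encoding (getBytes() without an
        // argument uses the platform charset before JDK 18).
        byte[] content = "Hello You fool I love you".getBytes(StandardCharsets.UTF_8);

        // The certificate is deliberately signed with SHA512withECDSA.  Its own
        // signature-algorithm OID (…04.03.04) therefore does not match the
        // SHA256 pattern replaced below, so the replacement only reaches the
        // SignerInfo and leaves the certificate untouched.
        CertAndKeyGen cak = new CertAndKeyGen("EC", "SHA512withECDSA");
        cak.generate("secp256r1");
        X509Certificate cert = cak.getSelfCertificate(new X500Name("CN=Me"), 1000);

        byte[] signature = PKCS7.generateNewSignedData(
                "SHA256withECDSA",
                null,
                cak.getPrivateKey(),
                new X509Certificate[] {cert},
                content,
                false,
                true, // direct sign: no signed attributes, so no RFC 6211
                      // algorithm-protection attribute can detect the change
                null);

        // The untouched signature must verify.
        if (new PKCS7(signature).verify(content) == null) {
            throw new RuntimeException("Should be verified");
        }

        // Patch the SignerInfo signature algorithm from SHA256withECDSA to
        // SHA384withECDSA.  ISO_8859_1 is used because it maps every byte to
        // exactly one char and back, so the round trip is lossless.
        String original = new String(signature, StandardCharsets.ISO_8859_1);
        String patched = original.replace(SHA256_ECDSA_OID, SHA384_ECDSA_OID);

        // Guard against a vacuous test: if the OID was not found, "patched"
        // equals the original and the second verify() proves nothing about
        // how the hash part of the algorithm identifier is treated.
        if (patched.equals(original)) {
            throw new RuntimeException(
                    "SHA256withECDSA OID not found in the signed data; nothing was modified");
        }
        byte[] modified = patched.getBytes(StandardCharsets.ISO_8859_1);

        // The modified blob must still verify: the HASH named in the
        // signature-algorithm field is ignored and the digest is taken from
        // the SignerInfo's digestAlgorithm instead.
        if (new PKCS7(modified).verify(content) == null) {
            throw new RuntimeException("Should be verified");
        }
    }
}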