authorPeter Dettman <peter.dettman@bouncycastle.org>2022-05-04 20:25:34 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2022-05-04 20:25:34 +0700
commitd2e7b80ec7d7955cebb9ad6bc62ca339bff6d018 (patch)
tree4ef8ea5769f16a0343cc3a3b7009ecf9b46f8652
parentProvide getter for native certificate instance (diff)
TLS PSS raw signatures
-rw-r--r--crypto/src/crypto/signers/PssSigner.cs28
-rw-r--r--crypto/src/tls/crypto/impl/bc/BcTlsRsaPssSigner.cs16
-rw-r--r--crypto/src/tls/crypto/impl/bc/BcTlsRsaPssVerifier.cs9
-rw-r--r--crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs46
4 files changed, 52 insertions, 47 deletions
diff --git a/crypto/src/crypto/signers/PssSigner.cs b/crypto/src/crypto/signers/PssSigner.cs
index 66efa51b8..2a941df47 100644
--- a/crypto/src/crypto/signers/PssSigner.cs
+++ b/crypto/src/crypto/signers/PssSigner.cs
@@ -15,7 +15,7 @@ namespace Org.BouncyCastle.Crypto.Signers
 	public class PssSigner
 		: ISigner
 	{
-		public const byte TrailerImplicit = (byte)0xBC;
+		public const byte TrailerImplicit = 0xBC;
 
 		private readonly IDigest contentDigest1, contentDigest2;
 		private readonly IDigest mgfDigest;
@@ -33,23 +33,23 @@ namespace Org.BouncyCastle.Crypto.Signers
 		private byte[] block;
 		private byte trailer;
 
-		public static PssSigner CreateRawSigner(
-			IAsymmetricBlockCipher	cipher,
-			IDigest					digest)
+		public static PssSigner CreateRawSigner(IAsymmetricBlockCipher cipher, IDigest digest)
 		{
 			return new PssSigner(cipher, new NullDigest(), digest, digest, digest.GetDigestSize(), null, TrailerImplicit);
 		}
 
-		public static PssSigner CreateRawSigner(
-			IAsymmetricBlockCipher	cipher,
-			IDigest					contentDigest,
-			IDigest					mgfDigest,
-			int						saltLen,
-			byte					trailer)
+		public static PssSigner CreateRawSigner(IAsymmetricBlockCipher cipher, IDigest contentDigest, IDigest mgfDigest,
+			int saltLen, byte trailer)
 		{
 			return new PssSigner(cipher, new NullDigest(), contentDigest, mgfDigest, saltLen, null, trailer);
 		}
 
+		public static PssSigner CreateRawSigner(IAsymmetricBlockCipher cipher, IDigest contentDigest, IDigest mgfDigest,
+			byte[] salt, byte trailer)
+		{
+			return new PssSigner(cipher, new NullDigest(), contentDigest, mgfDigest, salt.Length, salt, trailer);
+		}
+
 		public PssSigner(
 			IAsymmetricBlockCipher	cipher,
 			IDigest					digest)
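Review bot: The new `CreateRawSigner(..., byte[] salt, byte trailer)` overload at the bottom of the hunk evaluates `salt.Length` before the constructor runs, so a null salt fails with a NullReferenceException rather than an argument error, and because the sibling int-saltLen overload itself passes `null` as the salt, callers can easily make that mistake. Guard it first: `if (salt == null) throw new ArgumentNullException("salt");`. The overload also deserves a doc comment, since a caller-supplied salt makes every signature over the same input identical; suggest `/// Creates a raw (pre-hashed input) PSS signer that uses the given fixed salt, so signatures are deterministic; presumably for reproducing known-answer vectors rather than production signing.`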
@@ -225,6 +225,9 @@ namespace Org.BouncyCastle.Crypto.Signers
 		/// </summary>
 		public virtual byte[] GenerateSignature()
 		{
+			if (contentDigest1.GetDigestSize() != hLen)
+				throw new InvalidOperationException();
+
 			contentDigest1.DoFinal(mDash, mDash.Length - hLen - sLen);
 
 			if (sLen != 0)
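Review bot: The digest-size guard added to GenerateSignature throws a bare `InvalidOperationException()` with no message, and the matching guard in the VerifySignature hunk below does the same, so a raw-mode caller who feeds the wrong number of pre-hash bytes gets no indication of what was wrong. This presumably compares the NullDigest's buffered byte count against hLen for the raw signers this commit introduces; a message naming that makes the failure diagnosable, e.g. `throw new InvalidOperationException("content digest size does not match hLen; raw input must be exactly one digest in length");`. Both methods' bodies continue outside their hunks.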
@@ -271,7 +274,10 @@ namespace Org.BouncyCastle.Crypto.Signers
 		public virtual bool VerifySignature(
 			byte[] signature)
 		{
-            contentDigest1.DoFinal(mDash, mDash.Length - hLen - sLen);
+			if (contentDigest1.GetDigestSize() != hLen)
+				throw new InvalidOperationException();
+
+			contentDigest1.DoFinal(mDash, mDash.Length - hLen - sLen);
 
             byte[] b = cipher.ProcessBlock(signature, 0, signature.Length);
             Arrays.Fill(block, 0, block.Length - b.Length, 0);
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssSigner.cs b/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssSigner.cs
index 3e7d1ceef..1b33573f6 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssSigner.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssSigner.cs
@@ -22,7 +22,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             this.m_signatureScheme = signatureScheme;
         }
 
-        public override TlsStreamSigner GetStreamSigner(SignatureAndHashAlgorithm algorithm)
+        public override byte[] GenerateRawSignature(SignatureAndHashAlgorithm algorithm, byte[] hash)
         {
             if (algorithm == null || SignatureScheme.From(algorithm) != m_signatureScheme)
                 throw new InvalidOperationException("Invalid algorithm: " + algorithm);
@@ -30,10 +30,18 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             int cryptoHashAlgorithm = SignatureScheme.GetCryptoHashAlgorithm(m_signatureScheme);
             IDigest digest = m_crypto.CreateDigest(cryptoHashAlgorithm);
 
-            PssSigner signer = new PssSigner(new RsaBlindedEngine(), digest, digest.GetDigestSize());
+            PssSigner signer = PssSigner.CreateRawSigner(new RsaBlindedEngine(), digest, digest, digest.GetDigestSize(),
+                PssSigner.TrailerImplicit);
             signer.Init(true, new ParametersWithRandom(m_privateKey, m_crypto.SecureRandom));
-
-            return new BcTlsStreamSigner(signer);
+            signer.BlockUpdate(hash, 0, hash.Length);
+            try
+            {
+                return signer.GenerateSignature();
+            }
+            catch (CryptoException e)
+            {
+                throw new TlsFatalAlert(AlertDescription.internal_error, e);
+            }
         }
     }
 }
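Review bot: The catch at the end of GenerateRawSignature only translates CryptoException into an internal_error alert, but the length guard this commit adds to PssSigner.GenerateSignature throws InvalidOperationException, which as far as the hunks show is unrelated to CryptoException, so a hash of the wrong length for the scheme escapes untranslated; a null hash likewise fails at `hash.Length` before the try begins. Validating the input up front keeps every failure on the alert path: `if (hash == null || hash.Length != digest.GetDigestSize()) throw new TlsFatalAlert(AlertDescription.internal_error);` placed before the `BlockUpdate` call.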
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssVerifier.cs b/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssVerifier.cs
index dc8cebdd9..18c2082aa 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssVerifier.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsRsaPssVerifier.cs
@@ -22,7 +22,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             this.m_signatureScheme = signatureScheme;
         }
 
-        public override TlsStreamVerifier GetStreamVerifier(DigitallySigned digitallySigned)
+        public override bool VerifyRawSignature(DigitallySigned digitallySigned, byte[] hash)
         {
             SignatureAndHashAlgorithm algorithm = digitallySigned.Algorithm;
             if (algorithm == null || SignatureScheme.From(algorithm) != m_signatureScheme)
@@ -31,10 +31,11 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             int cryptoHashAlgorithm = SignatureScheme.GetCryptoHashAlgorithm(m_signatureScheme);
             IDigest digest = m_crypto.CreateDigest(cryptoHashAlgorithm);
 
-            PssSigner verifier = new PssSigner(new RsaEngine(), digest, digest.GetDigestSize());
+            PssSigner verifier = PssSigner.CreateRawSigner(new RsaEngine(), digest, digest, digest.GetDigestSize(),
+                PssSigner.TrailerImplicit);
             verifier.Init(false, m_publicKey);
-
-            return new BcTlsStreamVerifier(verifier, digitallySigned.Signature);
+            verifier.BlockUpdate(hash, 0, hash.Length);
+            return verifier.VerifySignature(digitallySigned.Signature);
         }
     }
 }
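Review bot: VerifyRawSignature hands the peer-supplied `digitallySigned.Signature` straight to PssSigner.VerifySignature, which (per the PssSigner hunk above) passes it to `cipher.ProcessBlock` without a length check, so an oversized or otherwise malformed signature is likely to surface as a CryptoException rather than as a `false` result, and unlike the signer side this method has no try/catch. If the calling layer does not already translate exceptions into alerts, the verifier should: `try { return verifier.VerifySignature(digitallySigned.Signature); } catch (CryptoException) { return false; }`. The same length guard as the signer, `hash.Length != digest.GetDigestSize()`, would also keep the new InvalidOperationException off the verification path.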
diff --git a/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs b/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs
index ddbe4c6b8..e0bd39f64 100644
--- a/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs
+++ b/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs
@@ -585,6 +585,20 @@ namespace Org.BouncyCastle.Tls.Crypto.Tests
             return Utilities.Encoders.Hex.Decode(s.Replace(" ", ""));
         }
 
+        private byte[] ImplPrehash(int signatureScheme, byte[] message)
+        {
+            int cryptoHashAlgorithm = SignatureScheme.GetCryptoHashAlgorithm(signatureScheme);
+            TlsHash tlsHash = m_crypto.CreateHash(cryptoHashAlgorithm);
+            tlsHash.Update(message, 0, message.Length);
+            return tlsHash.CalculateHash();
+        }
+
+        private byte[] ImplPrehash(SignatureAndHashAlgorithm signatureAndHashAlgorithm, byte[] message)
+        {
+            int signatureScheme = SignatureScheme.From(signatureAndHashAlgorithm);
+            return ImplPrehash(signatureScheme, message);
+        }
+
         private void ImplTestAgreement(TlsAgreement aA, TlsAgreement aB)
         {
             byte[] pA = aA.GenerateEphemeral();
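Review bot: The two new ImplPrehash helpers carry no doc comment, and since the int overload is now the sole way the test builds input for the raw signer/verifier paths, a one-liner stating the contract helps the next reader: `/// Hashes <paramref name="message"/> with the digest that <paramref name="signatureScheme"/> specifies, producing the input for GenerateRawSignature/VerifyRawSignature.` A matching sentence on the SignatureAndHashAlgorithm overload should note that it first resolves the scheme via SignatureScheme.From.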
@@ -682,8 +696,6 @@ namespace Org.BouncyCastle.Tls.Crypto.Tests
         private void ImplTestSignature12(TlsCredentialedSigner credentialedSigner,
             SignatureAndHashAlgorithm signatureAndHashAlgorithm)
         {
-            short hashAlgorithm = signatureAndHashAlgorithm.Hash;
-
             byte[] message = m_crypto.CreateNonceGenerator(TlsUtilities.EmptyBytes).GenerateNonce(100);
 
             byte[] signature;
@@ -696,14 +708,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Tests
             }
             else
             {
-                // Currently 1.2 relies on these being handled by stream signers 
-                Assert.IsTrue(HashAlgorithm.Intrinsic != hashAlgorithm);
-
-                int cryptoHashAlgorithm = TlsCryptoUtilities.GetHash(hashAlgorithm);
-
-                TlsHash tlsHash = m_crypto.CreateHash(cryptoHashAlgorithm);
-                tlsHash.Update(message, 0, message.Length);
-                byte[] hash = tlsHash.CalculateHash();
+                byte[] hash = ImplPrehash(signatureAndHashAlgorithm, message);
                 signature = credentialedSigner.GenerateRawSignature(hash);
             }
 
@@ -722,14 +727,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Tests
             }
             else
             {
-                // Currently 1.2 relies on these being handled by stream verifiers 
-                Assert.IsTrue(HashAlgorithm.Intrinsic != hashAlgorithm);
-
-                int cryptoHashAlgorithm = TlsCryptoUtilities.GetHash(hashAlgorithm);
-
-                TlsHash tlsHash = m_crypto.CreateHash(cryptoHashAlgorithm);
-                tlsHash.Update(message, 0, message.Length);
-                byte[] hash = tlsHash.CalculateHash();
+                byte[] hash = ImplPrehash(signatureAndHashAlgorithm, message);
                 verified = tlsVerifier.VerifyRawSignature(digitallySigned, hash);
             }
 
@@ -750,11 +748,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Tests
             }
             else
             {
-                int cryptoHashAlgorithm = SignatureScheme.GetCryptoHashAlgorithm(signatureScheme);
-
-                TlsHash tlsHash = m_crypto.CreateHash(cryptoHashAlgorithm);
-                tlsHash.Update(message, 0, message.Length);
-                byte[] hash = tlsHash.CalculateHash();
+                byte[] hash = ImplPrehash(signatureScheme, message);
                 signature = credentialedSigner.GenerateRawSignature(hash);
             }
 
@@ -774,11 +768,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Tests
             }
             else
             {
-                int cryptoHashAlgorithm = SignatureScheme.GetCryptoHashAlgorithm(signatureScheme);
-
-                TlsHash tlsHash = m_crypto.CreateHash(cryptoHashAlgorithm);
-                tlsHash.Update(message, 0, message.Length);
-                byte[] hash = tlsHash.CalculateHash();
+                byte[] hash = ImplPrehash(signatureScheme, message);
                 verified = tlsVerifier.VerifyRawSignature(digitallySigned, hash);
             }