8349732: Add support for JARs signed with ML-DSA

Reviewed-by: mullan

Author: wangweij

src/java.base/share/classes/sun/security/pkcs/PKCS7.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -530,8 +530,23 @@ public void encodeSignedData(DerOutputStream out)
      * @exception SignatureException on signature handling errors.
      */
     public SignerInfo verify(SignerInfo info, byte[] bytes)
-    throws NoSuchAlgorithmException, SignatureException {
-        return info.verify(this, bytes);
+            throws NoSuchAlgorithmException, SignatureException {
+        return info.verify(this, bytes, null);
+    }
+
+    /**
+     * This verifies a given SignerInfo.
+     *
+     * @param info the signer information.
+     * @param bytes the DER encoded content information.
+     * @param cert certificate used to verify; find one inside the block if null
+     *
+     * @exception NoSuchAlgorithmException on unrecognized algorithms.
+     * @exception SignatureException on signature handling errors.
+     */
+    public SignerInfo verify(SignerInfo info, byte[] bytes, X509Certificate cert)
+            throws NoSuchAlgorithmException, SignatureException {
+        return info.verify(this, bytes, cert);
     }
 
     /**
@@ -715,6 +730,19 @@ public boolean isOldStyle() {
         return this.oldStyle;
     }
 
+    // Generate signed data without a specified digAlgID.
+    public static byte[] generateSignedData(
+            String sigalg, Provider sigProvider,
+            PrivateKey privateKey, X509Certificate[] signerChain,
+            byte[] content, boolean internalsf, boolean directsign,
+            Function<byte[], PKCS9Attributes> ts)
+            throws SignatureException, InvalidKeyException, IOException,
+            NoSuchAlgorithmException {
+        return generateSignedData(sigalg, sigProvider, privateKey, signerChain,
+                content, internalsf, directsign,
+                null, ts);
+    }
+
     /**
      * Generate a PKCS7 data block.
      *
@@ -725,6 +753,7 @@ public boolean isOldStyle() {
      * @param content the content to sign
      * @param internalsf whether the content should be included in output
      * @param directsign if the content is signed directly or through authattrs
+     * @param digAlgID digest alg to use; derive from other arguments if null
      * @param ts (optional) timestamper
      * @return the pkcs7 output in an array
      * @throws SignatureException if signing failed
@@ -736,23 +765,27 @@ public static byte[] generateSignedData(
             String sigalg, Provider sigProvider,
             PrivateKey privateKey, X509Certificate[] signerChain,
             byte[] content, boolean internalsf, boolean directsign,
+            AlgorithmId digAlgID,
             Function<byte[], PKCS9Attributes> ts)
                 throws SignatureException, InvalidKeyException, IOException,
                     NoSuchAlgorithmException {
 
         Signature signer = SignatureUtil.fromKey(sigalg, privateKey, sigProvider);
 
-        AlgorithmId digAlgID = SignatureUtil.getDigestAlgInPkcs7SignerInfo(
-                signer, sigalg, privateKey, signerChain[0].getPublicKey(), directsign);
+        if (digAlgID == null) {
+            digAlgID = SignatureUtil.getDigestAlgInPkcs7SignerInfo(
+                    signer, sigalg, privateKey, signerChain[0].getPublicKey(), directsign);
+        }
         AlgorithmId sigAlgID = SignatureUtil.fromSignature(signer, privateKey);
 
         PKCS9Attributes authAttrs = null;
         if (!directsign) {
             // MessageDigest
             byte[] md;
             String digAlgName = digAlgID.getName();
-            if (digAlgName.equals("SHAKE256") || digAlgName.equals("SHAKE256-LEN")) {
-                // No MessageDigest impl for SHAKE256 yet
+            if (digAlgName.equals("SHAKE256-LEN")) {
+                // We don't check the LEN here. Usually it is returned
+                // by SignatureUtil.getDigestAlgInPkcs7SignerInfo
                 var shaker = new SHAKE256(64);
                 shaker.update(content, 0, content.length);
                 md = shaker.digest();

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -303,15 +303,20 @@ public ArrayList<X509Certificate> getCertificateChain(PKCS7 block)
         return certList;
     }
 
-    /* Returns null if verify fails, this signerInfo if
-       verify succeeds. */
-    SignerInfo verify(PKCS7 block, byte[] data)
-    throws NoSuchAlgorithmException, SignatureException {
+    /**
+     * Verify this signerInfo in a PKCS7 block.
+     *
+     * @param block the PKCS7 object
+     * @param data the content to verify against; read from block if null
+     * @param cert certificate to verify with; read from block if null
+     * @return null if verify fails, this signerInfo if verify succeeds.
+     */
+    SignerInfo verify(PKCS7 block, byte[] data, X509Certificate cert)
+            throws NoSuchAlgorithmException, SignatureException {
 
         try {
-            Timestamp timestamp = null;
             try {
-                timestamp = getTimestamp();
+                getTimestamp();
             } catch (Exception e) {
                 // Log exception and continue. This allows for the case
                 // where, if there are no other errors, the code is
@@ -356,22 +361,19 @@ SignerInfo verify(PKCS7 block, byte[] data)
                     return null;
 
                 byte[] computedMessageDigest;
-                if (digestAlgName.equals("SHAKE256")
-                        || digestAlgName.equals("SHAKE256-LEN")) {
-                    if (digestAlgName.equals("SHAKE256-LEN")) {
-                        // RFC8419: for EdDSA in CMS, the id-shake256-len
-                        // algorithm id must contain parameter value 512
-                        // encoded as a positive integer value
-                        byte[] params = digestAlgorithmId.getEncodedParams();
-                        if (params == null) {
-                            throw new SignatureException(
-                                    "id-shake256-len oid missing length");
-                        }
-                        int v = new DerValue(params).getInteger();
-                        if (v != 512) {
-                            throw new SignatureException(
-                                    "Unsupported id-shake256-" + v);
-                        }
+                if (digestAlgName.equals("SHAKE256-LEN")) {
+                    // RFC8419: for EdDSA in CMS, the id-shake256-len
+                    // algorithm id must contain parameter value 512
+                    // encoded as a positive integer value
+                    byte[] params = digestAlgorithmId.getEncodedParams();
+                    if (params == null) {
+                        throw new SignatureException(
+                                "id-shake256-len oid missing length");
+                    }
+                    int v = new DerValue(params).getInteger();
+                    if (v != 512) {
+                        throw new SignatureException(
+                                "Unsupported id-shake256-" + v);
                     }
                     var md = new SHAKE256(64);
                     md.update(data, 0, data.length);
@@ -410,9 +412,11 @@ SignerInfo verify(PKCS7 block, byte[] data)
                         "SignerInfo digestEncryptionAlgorithm field", true));
             }
 
-            X509Certificate cert = getCertificate(block);
             if (cert == null) {
-                return null;
+                cert = getCertificate(block);
+                if (cert == null) {
+                    return null;
+                }
             }
             PublicKey key = cert.getPublicKey();
 
@@ -503,29 +507,59 @@ private static void algorithmsConformanceCheck(
                 }
 
                 if (!AlgorithmId.get(spec.getDigestAlgorithm()).equals(digAlgId)) {
-                    throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
                 }
                 break;
             case "Ed25519":
-                if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.sha512)) {
-                    throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                if (!digAlgId.equalsOID(AlgorithmId.SHA512_oid)) {
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
                 }
                 break;
             case "Ed448":
                 if (directSign) {
-                    if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.shake256)) {
-                        throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                    if (!digAlgId.equalsOID(AlgorithmId.SHAKE256_512_oid)) {
+                        throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
                     }
                 } else {
-                    if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.shake256$512)) {
-                        throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                    if (!digAlgId.equals(SignatureUtil.DigestAlgHolder.shake256lenWith512)) {
+                        throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
                     }
                 }
                 break;
             case "HSS/LMS":
                 // RFC 8708 requires the same hash algorithm used as in the HSS/LMS algorithm
-                if (!digAlgId.equals(AlgorithmId.get(KeyUtil.hashAlgFromHSS(key)))) {
-                    throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                if (!digAlgId.equalsOID(KeyUtil.hashAlgFromHSS(key))) {
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
+                }
+                break;
+            case "ML-DSA-44":
+                // Following 3 from Table 1 inside
+                // https://datatracker.ietf.org/doc/html/rfc9882#name-signerinfo-content
+                if (!digAlgId.equalsOID(AlgorithmId.SHA256_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA384_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA512_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA3_256_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA3_384_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA3_512_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHAKE128_256_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHAKE256_512_oid)) {
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
+                }
+                break;
+            case "ML-DSA-65":
+                if (!digAlgId.equalsOID(AlgorithmId.SHA384_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA512_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA3_384_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA3_512_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHAKE256_512_oid)) {
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
+                }
+                break;
+            case "ML-DSA-87":
+                if (!digAlgId.equalsOID(AlgorithmId.SHA512_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHA3_512_oid)
+                        && !digAlgId.equalsOID(AlgorithmId.SHAKE256_512_oid)) {
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm " + digAlgId);
                 }
                 break;
         }
@@ -538,9 +572,9 @@ private static void algorithmsConformanceCheck(
      * The digest algorithm is in the form "DIG", and the encryption
      * algorithm can be in any of the 3 forms:
      *
-     * 1. Old style key algorithm like RSA, DSA, EC, this method returns
+     * 1. Simple key algorithm like RSA, DSA, EC, this method returns
      *    DIGwithKEY.
-     * 2. New style signature algorithm in the form of HASHwithKEY, this
+     * 2. Traditional signature algorithm in the form of HASHwithKEY, this
      *    method returns DIGwithKEY. Please note this is not HASHwithKEY.
      * 3. Modern signature algorithm like RSASSA-PSS and EdDSA, this method
      *    returns the signature algorithm itself.
@@ -550,40 +584,26 @@ private static void algorithmsConformanceCheck(
      */
     public static String makeSigAlg(AlgorithmId digAlgId, AlgorithmId encAlgId) {
         String encAlg = encAlgId.getName();
-        switch (encAlg) {
-            case "RSASSA-PSS":
-            case "Ed25519":
-            case "Ed448":
-            case "HSS/LMS":
-                return encAlg;
-            default:
-                String digAlg = digAlgId.getName();
-                String keyAlg = SignatureUtil.extractKeyAlgFromDwithE(encAlg);
-                if (keyAlg == null) {
-                    // The encAlg used to be only the key alg
-                    keyAlg = encAlg;
-                }
-                if (digAlg.startsWith("SHA-")) {
-                    digAlg = "SHA" + digAlg.substring(4);
-                }
-                if (keyAlg.equals("EC")) keyAlg = "ECDSA";
-                String sigAlg = digAlg + "with" + keyAlg;
-                try {
-                    Signature.getInstance(sigAlg);
-                    return sigAlg;
-                } catch (NoSuchAlgorithmException e) {
-                    // Possibly an unknown modern signature algorithm,
-                    // in this case, encAlg should already be a signature
-                    // algorithm.
-                    return encAlg;
-                }
+        String keyAlg = SignatureUtil.extractKeyAlgFromDwithE(encAlg);
+        if (keyAlg == null) { // No "WITH" inside
+            if (encAlg.equals("RSA") || encAlg.equals("DSA") || encAlg.equals("EC")) {
+                keyAlg = encAlg; // Sometimes encAlgId is just the enc alg
+            } else {
+                return encAlg; // Must be a modern algorithm like EdDSA or ML-DSA
+            }
+        }
+        String digAlg = digAlgId.getName();
+        if (digAlg.startsWith("SHA-")) {
+            digAlg = "SHA" + digAlg.substring(4);
         }
+        if (keyAlg.equals("EC")) keyAlg = "ECDSA";
+        return digAlg + "with" + keyAlg;
     }
 
     /* Verify the content of the pkcs7 block. */
     SignerInfo verify(PKCS7 block)
         throws NoSuchAlgorithmException, SignatureException {
-        return verify(block, null);
+        return verify(block, null, null);
     }
 
     public BigInteger getVersion() {

src/java.base/share/classes/sun/security/util/KeyUtil.java

@@ -431,7 +431,7 @@ public static byte[] trimZeroes(byte[] b) {
      * @return the hash algorithm
      * @throws NoSuchAlgorithmException if key is from an unknown configuration
      */
-    public static String hashAlgFromHSS(PublicKey publicKey)
+    public static ObjectIdentifier hashAlgFromHSS(PublicKey publicKey)
             throws NoSuchAlgorithmException {
         try {
             DerValue val = new DerValue(publicKey.getEncoded());
@@ -450,7 +450,7 @@ public static String hashAlgFromHSS(PublicKey publicKey)
                     + ((rawKey[6] & 0xff) << 8) + (rawKey[7] & 0xff);
             return switch (num) {
                 // RFC 8554 only supports SHA_256 hash algorithm
-                case 5, 6, 7, 8, 9 -> "SHA-256";
+                case 5, 6, 7, 8, 9 -> AlgorithmId.SHA256_oid;
                 default -> throw new NoSuchAlgorithmException("Unknown LMS type: " + num);
             };
         } catch (IOException e) {

src/java.base/share/classes/sun/security/util/SignatureUtil.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -190,16 +190,16 @@ public static void initSignWithParam(Signature s, PrivateKey key,
         SharedSecrets.getJavaSecuritySignatureAccess().initSign(s, key, params, sr);
     }
 
-    public static class EdDSADigestAlgHolder {
+    public static class DigestAlgHolder {
         public static final AlgorithmId sha512;
-        public static final AlgorithmId shake256;
-        public static final AlgorithmId shake256$512;
+        public static final AlgorithmId shake256_512;
+        public static final AlgorithmId shake256lenWith512;
 
         static {
             try {
-                sha512 = new AlgorithmId(ObjectIdentifier.of(KnownOIDs.SHA_512));
-                shake256 = new AlgorithmId(ObjectIdentifier.of(KnownOIDs.SHAKE256_512));
-                shake256$512 = new AlgorithmId(
+                sha512 = new AlgorithmId(AlgorithmId.SHA512_oid);
+                shake256_512 = new AlgorithmId(AlgorithmId.SHAKE256_512_oid);
+                shake256lenWith512 = new AlgorithmId(
                         ObjectIdentifier.of(KnownOIDs.SHAKE256_LEN),
                         new DerValue((byte) 2, new byte[]{2, 0})); // int 512
             } catch (IOException e) {
@@ -233,18 +233,22 @@ public static AlgorithmId getDigestAlgInPkcs7SignerInfo(
             // https://www.rfc-editor.org/rfc/rfc8419.html#section-3
             switch (kAlg.toUpperCase(Locale.ENGLISH)) {
                 case "ED25519":
-                    digAlgID = EdDSADigestAlgHolder.sha512;
+                    digAlgID = DigestAlgHolder.sha512;
                     break;
                 case "ED448":
                     if (directsign) {
-                        digAlgID = EdDSADigestAlgHolder.shake256;
+                        digAlgID = DigestAlgHolder.shake256_512;
                     } else {
-                        digAlgID = EdDSADigestAlgHolder.shake256$512;
+                        digAlgID = DigestAlgHolder.shake256lenWith512;
                     }
                     break;
                 default:
                     throw new AssertionError("Unknown curve name: " + kAlg);
             }
+        } else if (kAlg.toUpperCase(Locale.ENGLISH).startsWith("ML-DSA")) {
+            // https://datatracker.ietf.org/doc/html/rfc9882#name-signerinfo-content
+            // Just use SHA-512
+            digAlgID = DigestAlgHolder.sha512;
         } else if (sigalg.equalsIgnoreCase("RSASSA-PSS")) {
             try {
                 digAlgID = AlgorithmId.get(signer.getParameters()
@@ -254,7 +258,7 @@ public static AlgorithmId getDigestAlgInPkcs7SignerInfo(
                 throw new AssertionError("Should not happen", e);
             }
         } else if (sigalg.equalsIgnoreCase("HSS/LMS")) {
-            digAlgID = AlgorithmId.get(KeyUtil.hashAlgFromHSS(publicKey));
+            digAlgID = new AlgorithmId(KeyUtil.hashAlgFromHSS(publicKey));
         } else {
             digAlgID = AlgorithmId.get(extractDigestAlgFromDwithE(sigalg));
         }