Bouncy Castle Cryptography Library 1.85

org.bouncycastle.crypto.signers
Class RSABlindSignatureClient

java.lang.Object
  extended byorg.bouncycastle.crypto.signers.RSABlindSignatureClient

public class RSABlindSignatureClient
extends java.lang.Object

Client side of the RSA Blind Signature Scheme with Appendix (RSABSSA) defined in RFC 9474. A single blind(byte[]) call performs both (sec. 4.1) and (sec. 4.2); #finalize(Blinded, byte[]) performs (sec. 4.4). The server step lives in RSABlindSignatureServer and the variant choices in RSABlindSignatureParameters.

The client side is therefore two calls — then — with the server's in between: The SecureRandom used for the prepare prefix, the EMSA-PSS salt, and the blinding factor is supplied at construction; the convenience constructor uses the CryptoServicesRegistrar default.

is expressed on the existing BC RSA blinding toolkit — RSABlindingFactorGenerator, RSABlindingParameters and PSSSigner driven by an RSABlindingEngine — the same composition uses for Chaum RSA-PSS blind signing.

Each request's state is carried by the returned RSABlindSignatureClient.Blinded (the blinded message, the prepared message, and the secret unblinding value), so a single instance is reusable across requests.

For randomised variants the resulting signature is over a prepared message that prepends a fresh 32-byte prefix to (RFC 9474 sec. 4.1); that prepared message — RSABlindSignatureClient.Blinded.getPreparedMessage() — is what downstream verifiers check the signature against, not the original .


Nested Class Summary
static class RSABlindSignatureClient.Blinded
          Output of blind(byte[]).
 
Constructor Summary
RSABlindSignatureClient(RSABlindSignatureParameters parameters, RSAKeyParameters publicKey)
          Equivalent to RSABlindSignatureClient(RSABlindSignatureParameters, RSAKeyParameters, SecureRandom) with a SecureRandom obtained from CryptoServicesRegistrar.
RSABlindSignatureClient(RSABlindSignatureParameters parameters, RSAKeyParameters publicKey, java.security.SecureRandom random)
           
 
Method Summary
 RSABlindSignatureClient.Blinded blind(byte[] msg)
          RFC 9474 (sec. 4.1) followed by (sec. 4.2): prepare (prepend a fresh 32-byte prefix for randomised variants, identity otherwise), EMSA-PSS encode it, draw an invertible blinding factor , and blind the encoding to .
 byte[] finalize(RSABlindSignatureClient.Blinded blinded, byte[] blindSig)
          RFC 9474 (sec. 4.4): unblind the server's signature for the supplied RSABlindSignatureClient.Blinded request and verify it as a standard RSASSA-PSS signature over the prepared message.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

RSABlindSignatureClient

public RSABlindSignatureClient(RSABlindSignatureParameters parameters,
                               RSAKeyParameters publicKey)
Equivalent to RSABlindSignatureClient(RSABlindSignatureParameters, RSAKeyParameters, SecureRandom) with a SecureRandom obtained from CryptoServicesRegistrar.

Parameters:
parameters - the RFC 9474 sec. 5 variant.
publicKey - the server's RSA public key.

RSABlindSignatureClient

public RSABlindSignatureClient(RSABlindSignatureParameters parameters,
                               RSAKeyParameters publicKey,
                               java.security.SecureRandom random)
Parameters:
parameters - the RFC 9474 sec. 5 variant.
publicKey - the server's RSA public key.
random - source of randomness for the prepare prefix (randomised variants), the EMSA-PSS salt, and the blinding factor; must not be — use RSABlindSignatureClient(RSABlindSignatureParameters, RSAKeyParameters) for the CryptoServicesRegistrar default.
Method Detail

blind

public RSABlindSignatureClient.Blinded blind(byte[] msg)
                                      throws CryptoException
RFC 9474 (sec. 4.1) followed by (sec. 4.2): prepare (prepend a fresh 32-byte prefix for randomised variants, identity otherwise), EMSA-PSS encode it, draw an invertible blinding factor , and blind the encoding to . The returned RSABlindSignatureClient.Blinded carries the prepared message, the to send to the server, and the secret unblinding value for #finalize(Blinded, byte[]).

Parameters:
msg - the application message to be signed.
Throws:
CryptoException - if EMSA-PSS encoding fails (e.g. the modulus is too small for the variant's hash/salt lengths) or the encoded message is not coprime with the modulus.

finalize

public byte[] finalize(RSABlindSignatureClient.Blinded blinded,
                       byte[] blindSig)
                throws CryptoException
RFC 9474 (sec. 4.4): unblind the server's signature for the supplied RSABlindSignatureClient.Blinded request and verify it as a standard RSASSA-PSS signature over the prepared message.

The method name follows the RFC 9474 sec. 4.4 step; it is an overload of Object.finalize() (distinct signature), not an override.

Parameters:
blinded - the value returned by blind(byte[]) for this request.
blindSig - the returned by the server.
Returns:
the unblinded RSASSA-PSS signature; it verifies against .
Throws:
CryptoException - if has the wrong length or the unblinded signature fails RSASSA-PSS verification.

Bouncy Castle Cryptography Library 1.85