org.bouncycastle.crypto.signers
Class RSABlindSignatureServer
java.lang.Object
org.bouncycastle.crypto.signers.RSABlindSignatureServer
- public class RSABlindSignatureServer
- extends java.lang.Object
Server side of the RSA Blind Signature Scheme with Appendix (RSABSSA) defined
in RFC 9474. Implements the step (sec. 4.3): given a blinded
message produced by RSABlindSignatureClient.blind(byte[]), compute
and return it, after a self-consistency check
() that catches CRT faults before the value leaves
the server.
The private-key operation is driven through
RSABlindedEngine so the modular
exponentiation is itself blinded against timing side-channels — orthogonal to
the RFC 9474 client/server blinding, which only hides the message.
The variant choice (PSS vs PSSZERO, randomised vs deterministic) is opaque
to the server — only the client cares — so this class is variant-agnostic.
|
Method Summary |
byte[] |
blindSign(byte[] blindedMsg)
RFC 9474 sec. 4.3 . |
| Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
RSABlindSignatureServer
public RSABlindSignatureServer(RSAKeyParameters privateKey)
- Parameters:
privateKey - the server's RSA private key. CRT-form
(RSAPrivateCrtKeyParameters) is strongly
recommended; the public exponent must be available
for the RSAVP1 self-check (RFC 9474 sec. 4.3 step 3).
blindSign
public byte[] blindSign(byte[] blindedMsg)
throws CryptoException
- RFC 9474 sec. 4.3 . Verifies as an
integer in of the modulus length, applies RSASP1, and
checks that RSAVP1 round-trips back to the input before returning.
- Parameters:
blindedMsg - the blinded message received from the client; must be
exactly bytes.
- Returns:
- the blinded signature, bytes.
- Throws:
CryptoException - if the input is the wrong length, out of range,
or the RSASP1/RSAVP1 round-trip fails (CRT fault).