public class RSABlindSignatureClient
extends java.lang.Object
blind(byte[]) call performs both Prepare
(sec. 4.1) and Blind (sec. 4.2); finalize(Blinded, byte[])
performs Finalize (sec. 4.4). The BlindSign server step lives
in RSABlindSignatureServer and the variant choices in
RSABlindSignatureParameters.
The client side is therefore two calls — blind then finalize —
with the server's BlindSign in between:
RSABlindSignatureClient client = new RSABlindSignatureClient(
RSABlindSignatureParameters.RSABSSA_SHA384_PSS_RANDOMIZED, publicKey);
RSABlindSignatureClient.Blinded blinded = client.blind(msg);
// send blinded.getBlindedMessage() to the server; receive blind_sig
byte[] sig = client.finalize(blinded, blindSig);
// (blinded.getPreparedMessage(), sig) is the RSASSA-PSS pair verifiers check
The SecureRandom used for the prepare prefix, the EMSA-PSS salt, and
the blinding factor is supplied at construction; the
(parameters, publicKey) convenience constructor uses the
CryptoServicesRegistrar default.
Blind is expressed on the existing BC RSA blinding toolkit —
RSABlindingFactorGenerator, RSABlindingParameters and
PSSSigner driven by an RSABlindingEngine — the same
composition PSSBlindTest uses for Chaum RSA-PSS blind signing.
Each request's state is carried by the returned RSABlindSignatureClient.Blinded (the blinded
message, the prepared message, and the secret unblinding value), so a single
instance is reusable across requests.
For randomised variants the resulting signature is over a prepared message
that prepends a fresh 32-byte prefix to msg (RFC 9474 sec. 4.1); that
prepared message — RSABlindSignatureClient.Blinded.getPreparedMessage() — is what downstream
verifiers check the signature against, not the original msg.
| Modifier and Type | Class and Description |
|---|---|
static class |
RSABlindSignatureClient.Blinded
Output of
blind(byte[]). |
| Constructor and Description |
|---|
RSABlindSignatureClient(RSABlindSignatureParameters parameters,
RSAKeyParameters publicKey)
Equivalent to
RSABlindSignatureClient(RSABlindSignatureParameters, RSAKeyParameters, SecureRandom)
with a SecureRandom obtained from CryptoServicesRegistrar. |
RSABlindSignatureClient(RSABlindSignatureParameters parameters,
RSAKeyParameters publicKey,
java.security.SecureRandom random) |
| Modifier and Type | Method and Description |
|---|---|
RSABlindSignatureClient.Blinded |
blind(byte[] msg)
RFC 9474
Prepare (sec. 4.1) followed by Blind (sec. 4.2):
prepare msg (prepend a fresh 32-byte prefix for randomised
variants, identity otherwise), EMSA-PSS encode it, draw an invertible
blinding factor r, and blind the encoding to
z = encoded_msg * r^e mod n. |
byte[] |
finalize(RSABlindSignatureClient.Blinded blinded,
byte[] blindSig)
RFC 9474
Finalize (sec. 4.4): unblind the server's signature for
the supplied RSABlindSignatureClient.Blinded request and verify it as a standard
RSASSA-PSS signature over the prepared message. |
public RSABlindSignatureClient(RSABlindSignatureParameters parameters, RSAKeyParameters publicKey)
RSABlindSignatureClient(RSABlindSignatureParameters, RSAKeyParameters, SecureRandom)
with a SecureRandom obtained from CryptoServicesRegistrar.parameters - the RFC 9474 sec. 5 variant.publicKey - the server's RSA public key.public RSABlindSignatureClient(RSABlindSignatureParameters parameters, RSAKeyParameters publicKey, java.security.SecureRandom random)
parameters - the RFC 9474 sec. 5 variant.publicKey - the server's RSA public key.random - source of randomness for the prepare prefix (randomised
variants), the EMSA-PSS salt, and the blinding factor;
must not be null — use
RSABlindSignatureClient(RSABlindSignatureParameters, RSAKeyParameters)
for the CryptoServicesRegistrar default.public RSABlindSignatureClient.Blinded blind(byte[] msg) throws CryptoException
Prepare (sec. 4.1) followed by Blind (sec. 4.2):
prepare msg (prepend a fresh 32-byte prefix for randomised
variants, identity otherwise), EMSA-PSS encode it, draw an invertible
blinding factor r, and blind the encoding to
z = encoded_msg * r^e mod n. The returned RSABlindSignatureClient.Blinded carries
the prepared message, the blinded_msg to send to the server, and
the secret unblinding value for finalize(Blinded, byte[]).msg - the application message to be signed.CryptoException - if EMSA-PSS encoding fails (e.g. the modulus is too
small for the variant's hash/salt lengths) or the
encoded message is not coprime with the modulus.public byte[] finalize(RSABlindSignatureClient.Blinded blinded, byte[] blindSig) throws CryptoException
Finalize (sec. 4.4): unblind the server's signature for
the supplied RSABlindSignatureClient.Blinded request and verify it as a standard
RSASSA-PSS signature over the prepared message.
The method name follows the RFC 9474 sec. 4.4 Finalize step; it is
an overload of Object.finalize() (distinct signature), not an override.
blinded - the value returned by blind(byte[]) for this request.blindSig - the blind_sig returned by the server.blinded.getPreparedMessage().CryptoException - if blindSig has the wrong length or the
unblinded signature fails RSASSA-PSS verification.