author | wetmore |
Fri, 11 May 2018 15:53:12 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56542 | 56aaa6cb3693 |
parent 47216 | 71c04702a3d5 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.rsa; |
|
27 |
||
28 |
import java.util.*; |
|
29 |
||
30 |
import java.security.*; |
|
31 |
import java.security.spec.*; |
|
32 |
||
33 |
import javax.crypto.BadPaddingException; |
|
34 |
import javax.crypto.spec.PSource; |
|
35 |
import javax.crypto.spec.OAEPParameterSpec; |
|
36 |
||
37 |
import sun.security.jca.JCAUtil; |
|
38 |
||
39 |
/** |
|
40 |
* RSA padding and unpadding. |
|
41 |
* |
|
56542 | 42 |
* The various PKCS#1 versions can be found in the IETF RFCs |
43 |
* tracking the corresponding PKCS#1 standards. |
|
23911 | 44 |
* |
56542 | 45 |
* RFC 2313: PKCS#1 v1.5 |
46 |
* RFC 2437: PKCS#1 v2.0 |
|
47 |
* RFC 3447: PKCS#1 v2.1 |
|
48 |
* RFC 8017: PKCS#1 v2.2 |
|
23911 | 49 |
* |
50 |
* The format of PKCS#1 v1.5 padding is: |
|
51 |
* |
|
2 | 52 |
* 0x00 | BT | PS...PS | 0x00 | data...data |
23911 | 53 |
* |
2 | 54 |
* where BT is the blocktype (1 or 2). The length of the entire string |
55 |
* must be the same as the size of the modulus (i.e. 128 byte for a 1024 bit |
|
56 |
* key). Per spec, the padding string must be at least 8 bytes long. That |
|
57 |
* leaves up to (length of key in bytes) - 11 bytes for the data. |
|
58 |
* |
|
23911 | 59 |
* OAEP padding was introduced in PKCS#1 v2.0 and is a bit more complicated |
60 |
* and has a number of options. We support: |
|
61 |
* |
|
2 | 62 |
* . arbitrary hash functions ('Hash' in the specification), MessageDigest |
63 |
* implementation must be available |
|
64 |
* . MGF1 as the mask generation function |
|
65 |
* . the empty string as the default value for label L and whatever |
|
66 |
* specified in javax.crypto.spec.OAEPParameterSpec |
|
67 |
* |
|
23911 | 68 |
* The algorithms (representations) are forwards-compatible: that is, |
69 |
* the algorithm described in previous releases are in later releases. |
|
70 |
* However, additional comments/checks/clarifications were added to the |
|
71 |
* later versions based on real-world experience (e.g. stricter v1.5 |
|
72 |
* format checking.) |
|
73 |
* |
|
2 | 74 |
* Note: RSA keys should be at least 512 bits long |
75 |
* |
|
76 |
* @since 1.5 |
|
77 |
* @author Andreas Sterbenz |
|
78 |
*/ |
|
79 |
public final class RSAPadding { |
|
80 |
||
81 |
// NOTE: the constants below are embedded in the JCE RSACipher class |
|
82 |
// file. Do not change without coordinating the update |
|
83 |
||
84 |
// PKCS#1 v1.5 padding, blocktype 1 (signing) |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32212
diff
changeset
|
85 |
public static final int PAD_BLOCKTYPE_1 = 1; |
2 | 86 |
// PKCS#1 v1.5 padding, blocktype 2 (encryption) |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32212
diff
changeset
|
87 |
public static final int PAD_BLOCKTYPE_2 = 2; |
2 | 88 |
// nopadding. Does not do anything, but allows simpler RSACipher code |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32212
diff
changeset
|
89 |
public static final int PAD_NONE = 3; |
2 | 90 |
// PKCS#1 v2.1 OAEP padding |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32212
diff
changeset
|
91 |
public static final int PAD_OAEP_MGF1 = 4; |
2 | 92 |
|
93 |
// type, one of PAD_* |
|
94 |
private final int type; |
|
95 |
||
96 |
// size of the padded block (i.e. size of the modulus) |
|
97 |
private final int paddedSize; |
|
98 |
||
99 |
// PRNG used to generate padding bytes (PAD_BLOCKTYPE_2, PAD_OAEP_MGF1) |
|
100 |
private SecureRandom random; |
|
101 |
||
102 |
// maximum size of the data |
|
103 |
private final int maxDataSize; |
|
104 |
||
56542 | 105 |
// OAEP: main message digest |
2 | 106 |
private MessageDigest md; |
107 |
||
56542 | 108 |
// OAEP: MGF1 |
109 |
private MGF1 mgf; |
|
2 | 110 |
|
111 |
// OAEP: value of digest of data (user-supplied or zero-length) using md |
|
112 |
private byte[] lHash; |
|
113 |
||
114 |
/** |
|
115 |
* Get a RSAPadding instance of the specified type. |
|
116 |
* Keys used with this padding must be paddedSize bytes long. |
|
117 |
*/ |
|
118 |
public static RSAPadding getInstance(int type, int paddedSize) |
|
119 |
throws InvalidKeyException, InvalidAlgorithmParameterException { |
|
120 |
return new RSAPadding(type, paddedSize, null, null); |
|
121 |
} |
|
122 |
||
123 |
/** |
|
124 |
* Get a RSAPadding instance of the specified type. |
|
125 |
* Keys used with this padding must be paddedSize bytes long. |
|
126 |
*/ |
|
127 |
public static RSAPadding getInstance(int type, int paddedSize, |
|
128 |
SecureRandom random) throws InvalidKeyException, |
|
129 |
InvalidAlgorithmParameterException { |
|
130 |
return new RSAPadding(type, paddedSize, random, null); |
|
131 |
} |
|
132 |
||
133 |
/** |
|
134 |
* Get a RSAPadding instance of the specified type, which must be |
|
135 |
* OAEP. Keys used with this padding must be paddedSize bytes long. |
|
136 |
*/ |
|
137 |
public static RSAPadding getInstance(int type, int paddedSize, |
|
138 |
SecureRandom random, OAEPParameterSpec spec) |
|
139 |
throws InvalidKeyException, InvalidAlgorithmParameterException { |
|
140 |
return new RSAPadding(type, paddedSize, random, spec); |
|
141 |
} |
|
142 |
||
143 |
// internal constructor |
|
144 |
private RSAPadding(int type, int paddedSize, SecureRandom random, |
|
145 |
OAEPParameterSpec spec) throws InvalidKeyException, |
|
146 |
InvalidAlgorithmParameterException { |
|
147 |
this.type = type; |
|
148 |
this.paddedSize = paddedSize; |
|
149 |
this.random = random; |
|
150 |
if (paddedSize < 64) { |
|
151 |
// sanity check, already verified in RSASignature/RSACipher |
|
152 |
throw new InvalidKeyException("Padded size must be at least 64"); |
|
153 |
} |
|
154 |
switch (type) { |
|
155 |
case PAD_BLOCKTYPE_1: |
|
156 |
case PAD_BLOCKTYPE_2: |
|
157 |
maxDataSize = paddedSize - 11; |
|
158 |
break; |
|
159 |
case PAD_NONE: |
|
160 |
maxDataSize = paddedSize; |
|
161 |
break; |
|
162 |
case PAD_OAEP_MGF1: |
|
163 |
String mdName = "SHA-1"; |
|
56542 | 164 |
String mgfMdName = mdName; |
2 | 165 |
byte[] digestInput = null; |
166 |
try { |
|
167 |
if (spec != null) { |
|
168 |
mdName = spec.getDigestAlgorithm(); |
|
169 |
String mgfName = spec.getMGFAlgorithm(); |
|
170 |
if (!mgfName.equalsIgnoreCase("MGF1")) { |
|
171 |
throw new InvalidAlgorithmParameterException |
|
172 |
("Unsupported MGF algo: " + mgfName); |
|
173 |
} |
|
23911 | 174 |
mgfMdName = ((MGF1ParameterSpec)spec.getMGFParameters()) |
175 |
.getDigestAlgorithm(); |
|
2 | 176 |
PSource pSrc = spec.getPSource(); |
177 |
String pSrcAlgo = pSrc.getAlgorithm(); |
|
178 |
if (!pSrcAlgo.equalsIgnoreCase("PSpecified")) { |
|
179 |
throw new InvalidAlgorithmParameterException |
|
180 |
("Unsupported pSource algo: " + pSrcAlgo); |
|
181 |
} |
|
182 |
digestInput = ((PSource.PSpecified) pSrc).getValue(); |
|
183 |
} |
|
184 |
md = MessageDigest.getInstance(mdName); |
|
56542 | 185 |
mgf = new MGF1(mgfMdName); |
2 | 186 |
} catch (NoSuchAlgorithmException e) { |
56542 | 187 |
throw new InvalidKeyException("Digest not available", e); |
2 | 188 |
} |
189 |
lHash = getInitialHash(md, digestInput); |
|
190 |
int digestLen = lHash.length; |
|
191 |
maxDataSize = paddedSize - 2 - 2 * digestLen; |
|
192 |
if (maxDataSize <= 0) { |
|
193 |
throw new InvalidKeyException |
|
194 |
("Key is too short for encryption using OAEPPadding" + |
|
56542 | 195 |
" with " + mdName + " and " + mgf.getName()); |
2 | 196 |
} |
197 |
break; |
|
198 |
default: |
|
199 |
throw new InvalidKeyException("Invalid padding: " + type); |
|
200 |
} |
|
201 |
} |
|
202 |
||
203 |
// cache of hashes of zero length data |
|
204 |
private static final Map<String,byte[]> emptyHashes = |
|
205 |
Collections.synchronizedMap(new HashMap<String,byte[]>()); |
|
206 |
||
207 |
/** |
|
208 |
* Return the value of the digest using the specified message digest |
|
209 |
* <code>md</code> and the digest input <code>digestInput</code>. |
|
210 |
* if <code>digestInput</code> is null or 0-length, zero length |
|
211 |
* is used to generate the initial digest. |
|
212 |
* Note: the md object must be in reset state |
|
213 |
*/ |
|
214 |
private static byte[] getInitialHash(MessageDigest md, |
|
215 |
byte[] digestInput) { |
|
23911 | 216 |
byte[] result; |
2 | 217 |
if ((digestInput == null) || (digestInput.length == 0)) { |
218 |
String digestName = md.getAlgorithm(); |
|
219 |
result = emptyHashes.get(digestName); |
|
220 |
if (result == null) { |
|
221 |
result = md.digest(); |
|
222 |
emptyHashes.put(digestName, result); |
|
223 |
} |
|
224 |
} else { |
|
225 |
result = md.digest(digestInput); |
|
226 |
} |
|
227 |
return result; |
|
228 |
} |
|
229 |
||
230 |
/** |
|
23911 | 231 |
* Return the maximum size of the plaintext data that can be processed |
232 |
* using this object. |
|
2 | 233 |
*/ |
234 |
public int getMaxDataSize() { |
|
235 |
return maxDataSize; |
|
236 |
} |
|
237 |
||
238 |
/** |
|
239 |
* Pad the data and return the padded block. |
|
240 |
*/ |
|
241 |
public byte[] pad(byte[] data, int ofs, int len) |
|
242 |
throws BadPaddingException { |
|
243 |
return pad(RSACore.convert(data, ofs, len)); |
|
244 |
} |
|
245 |
||
246 |
/** |
|
247 |
* Pad the data and return the padded block. |
|
248 |
*/ |
|
249 |
public byte[] pad(byte[] data) throws BadPaddingException { |
|
250 |
if (data.length > maxDataSize) { |
|
251 |
throw new BadPaddingException("Data must be shorter than " |
|
40544
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
32649
diff
changeset
|
252 |
+ (maxDataSize + 1) + " bytes but received " |
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
32649
diff
changeset
|
253 |
+ data.length + " bytes."); |
2 | 254 |
} |
255 |
switch (type) { |
|
256 |
case PAD_NONE: |
|
257 |
return data; |
|
258 |
case PAD_BLOCKTYPE_1: |
|
259 |
case PAD_BLOCKTYPE_2: |
|
260 |
return padV15(data); |
|
261 |
case PAD_OAEP_MGF1: |
|
262 |
return padOAEP(data); |
|
263 |
default: |
|
264 |
throw new AssertionError(); |
|
265 |
} |
|
266 |
} |
|
267 |
||
268 |
/** |
|
269 |
* Unpad the padded block and return the data. |
|
270 |
*/ |
|
271 |
public byte[] unpad(byte[] padded, int ofs, int len) |
|
272 |
throws BadPaddingException { |
|
273 |
return unpad(RSACore.convert(padded, ofs, len)); |
|
274 |
} |
|
275 |
||
276 |
/** |
|
277 |
* Unpad the padded block and return the data. |
|
278 |
*/ |
|
279 |
public byte[] unpad(byte[] padded) throws BadPaddingException { |
|
280 |
if (padded.length != paddedSize) { |
|
40544
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
32649
diff
changeset
|
281 |
throw new BadPaddingException("Decryption error." + |
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
32649
diff
changeset
|
282 |
"The padded array length (" + padded.length + |
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
32649
diff
changeset
|
283 |
") is not the specified padded size (" + paddedSize + ")"); |
2 | 284 |
} |
285 |
switch (type) { |
|
286 |
case PAD_NONE: |
|
287 |
return padded; |
|
288 |
case PAD_BLOCKTYPE_1: |
|
289 |
case PAD_BLOCKTYPE_2: |
|
290 |
return unpadV15(padded); |
|
291 |
case PAD_OAEP_MGF1: |
|
292 |
return unpadOAEP(padded); |
|
293 |
default: |
|
294 |
throw new AssertionError(); |
|
295 |
} |
|
296 |
} |
|
297 |
||
298 |
/** |
|
299 |
* PKCS#1 v1.5 padding (blocktype 1 and 2). |
|
300 |
*/ |
|
301 |
private byte[] padV15(byte[] data) throws BadPaddingException { |
|
302 |
byte[] padded = new byte[paddedSize]; |
|
23911 | 303 |
System.arraycopy(data, 0, padded, paddedSize - data.length, |
304 |
data.length); |
|
2 | 305 |
int psSize = paddedSize - 3 - data.length; |
306 |
int k = 0; |
|
307 |
padded[k++] = 0; |
|
308 |
padded[k++] = (byte)type; |
|
309 |
if (type == PAD_BLOCKTYPE_1) { |
|
310 |
// blocktype 1: all padding bytes are 0xff |
|
311 |
while (psSize-- > 0) { |
|
312 |
padded[k++] = (byte)0xff; |
|
313 |
} |
|
314 |
} else { |
|
315 |
// blocktype 2: padding bytes are random non-zero bytes |
|
316 |
if (random == null) { |
|
317 |
random = JCAUtil.getSecureRandom(); |
|
318 |
} |
|
319 |
// generate non-zero padding bytes |
|
320 |
// use a buffer to reduce calls to SecureRandom |
|
32212
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
321 |
while (psSize > 0) { |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
322 |
// extra bytes to avoid zero bytes, |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
323 |
// number of zero bytes <= 4 in 98% cases |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
324 |
byte[] r = new byte[psSize + 4]; |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
325 |
random.nextBytes(r); |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
326 |
for (int i = 0; i < r.length && psSize > 0; i++) { |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
327 |
if (r[i] != 0) { |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
328 |
padded[k++] = r[i]; |
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
329 |
psSize--; |
2 | 330 |
} |
32212
9ced42a5a609
8132330: Ineffective SecureRandom usage in RSA encoding with PKCS1Padding
weijun
parents:
25859
diff
changeset
|
331 |
} |
2 | 332 |
} |
333 |
} |
|
334 |
return padded; |
|
335 |
} |
|
336 |
||
337 |
/** |
|
23911 | 338 |
* PKCS#1 v1.5 unpadding (blocktype 1 (signature) and 2 (encryption)). |
22309 | 339 |
* |
340 |
* Note that we want to make it a constant-time operation |
|
2 | 341 |
*/ |
342 |
private byte[] unpadV15(byte[] padded) throws BadPaddingException { |
|
343 |
int k = 0; |
|
23911 | 344 |
boolean bp = false; |
22309 | 345 |
|
2 | 346 |
if (padded[k++] != 0) { |
23911 | 347 |
bp = true; |
2 | 348 |
} |
23911 | 349 |
if (padded[k++] != type) { |
350 |
bp = true; |
|
2 | 351 |
} |
22309 | 352 |
int p = 0; |
353 |
while (k < padded.length) { |
|
2 | 354 |
int b = padded[k++] & 0xff; |
23911 | 355 |
if ((b == 0) && (p == 0)) { |
22309 | 356 |
p = k; |
2 | 357 |
} |
23911 | 358 |
if ((k == padded.length) && (p == 0)) { |
359 |
bp = true; |
|
2 | 360 |
} |
22309 | 361 |
if ((type == PAD_BLOCKTYPE_1) && (b != 0xff) && |
23911 | 362 |
(p == 0)) { |
363 |
bp = true; |
|
2 | 364 |
} |
365 |
} |
|
22309 | 366 |
int n = padded.length - p; |
23911 | 367 |
if (n > maxDataSize) { |
368 |
bp = true; |
|
2 | 369 |
} |
22309 | 370 |
|
371 |
// copy useless padding array for a constant-time method |
|
372 |
byte[] padding = new byte[p]; |
|
373 |
System.arraycopy(padded, 0, padding, 0, p); |
|
374 |
||
2 | 375 |
byte[] data = new byte[n]; |
22309 | 376 |
System.arraycopy(padded, p, data, 0, n); |
377 |
||
23911 | 378 |
BadPaddingException bpe = new BadPaddingException("Decryption error"); |
379 |
||
380 |
if (bp) { |
|
22309 | 381 |
throw bpe; |
23911 | 382 |
} else { |
383 |
return data; |
|
22309 | 384 |
} |
2 | 385 |
} |
386 |
||
387 |
/** |
|
388 |
* PKCS#1 v2.0 OAEP padding (MGF1). |
|
389 |
* Paragraph references refer to PKCS#1 v2.1 (June 14, 2002) |
|
390 |
*/ |
|
391 |
private byte[] padOAEP(byte[] M) throws BadPaddingException { |
|
392 |
if (random == null) { |
|
393 |
random = JCAUtil.getSecureRandom(); |
|
394 |
} |
|
395 |
int hLen = lHash.length; |
|
396 |
||
397 |
// 2.d: generate a random octet string seed of length hLen |
|
398 |
// if necessary |
|
399 |
byte[] seed = new byte[hLen]; |
|
400 |
random.nextBytes(seed); |
|
401 |
||
402 |
// buffer for encoded message EM |
|
403 |
byte[] EM = new byte[paddedSize]; |
|
404 |
||
405 |
// start and length of seed (as index into EM) |
|
406 |
int seedStart = 1; |
|
407 |
int seedLen = hLen; |
|
408 |
||
409 |
// copy seed into EM |
|
410 |
System.arraycopy(seed, 0, EM, seedStart, seedLen); |
|
411 |
||
412 |
// start and length of data block DB in EM |
|
413 |
// we place it inside of EM to reduce copying |
|
414 |
int dbStart = hLen + 1; |
|
415 |
int dbLen = EM.length - dbStart; |
|
416 |
||
417 |
// start of message M in EM |
|
418 |
int mStart = paddedSize - M.length; |
|
419 |
||
420 |
// build DB |
|
421 |
// 2.b: Concatenate lHash, PS, a single octet with hexadecimal value |
|
422 |
// 0x01, and the message M to form a data block DB of length |
|
423 |
// k - hLen -1 octets as DB = lHash || PS || 0x01 || M |
|
424 |
// (note that PS is all zeros) |
|
425 |
System.arraycopy(lHash, 0, EM, dbStart, hLen); |
|
426 |
EM[mStart - 1] = 1; |
|
427 |
System.arraycopy(M, 0, EM, mStart, M.length); |
|
428 |
||
429 |
// produce maskedDB |
|
56542 | 430 |
mgf.generateAndXor(EM, seedStart, seedLen, dbLen, EM, dbStart); |
2 | 431 |
|
432 |
// produce maskSeed |
|
56542 | 433 |
mgf.generateAndXor(EM, dbStart, dbLen, seedLen, EM, seedStart); |
2 | 434 |
|
435 |
return EM; |
|
436 |
} |
|
437 |
||
438 |
/** |
|
439 |
* PKCS#1 v2.1 OAEP unpadding (MGF1). |
|
440 |
*/ |
|
441 |
private byte[] unpadOAEP(byte[] padded) throws BadPaddingException { |
|
442 |
byte[] EM = padded; |
|
23911 | 443 |
boolean bp = false; |
2 | 444 |
int hLen = lHash.length; |
445 |
||
446 |
if (EM[0] != 0) { |
|
23911 | 447 |
bp = true; |
2 | 448 |
} |
449 |
||
450 |
int seedStart = 1; |
|
451 |
int seedLen = hLen; |
|
452 |
||
453 |
int dbStart = hLen + 1; |
|
454 |
int dbLen = EM.length - dbStart; |
|
455 |
||
56542 | 456 |
mgf.generateAndXor(EM, dbStart, dbLen, seedLen, EM, seedStart); |
457 |
mgf.generateAndXor(EM, seedStart, seedLen, dbLen, EM, dbStart); |
|
2 | 458 |
|
459 |
// verify lHash == lHash' |
|
460 |
for (int i = 0; i < hLen; i++) { |
|
461 |
if (lHash[i] != EM[dbStart + i]) { |
|
23911 | 462 |
bp = true; |
463 |
} |
|
464 |
} |
|
465 |
||
466 |
int padStart = dbStart + hLen; |
|
467 |
int onePos = -1; |
|
468 |
||
469 |
for (int i = padStart; i < EM.length; i++) { |
|
470 |
int value = EM[i]; |
|
471 |
if (onePos == -1) { |
|
472 |
if (value == 0x00) { |
|
473 |
// continue; |
|
474 |
} else if (value == 0x01) { |
|
475 |
onePos = i; |
|
476 |
} else { // Anything other than {0,1} is bad. |
|
477 |
bp = true; |
|
478 |
} |
|
2 | 479 |
} |
480 |
} |
|
481 |
||
23911 | 482 |
// We either ran off the rails or found something other than 0/1. |
483 |
if (onePos == -1) { |
|
484 |
bp = true; |
|
485 |
onePos = EM.length - 1; // Don't inadvertently return any data. |
|
2 | 486 |
} |
487 |
||
23911 | 488 |
int mStart = onePos + 1; |
489 |
||
490 |
// copy useless padding array for a constant-time method |
|
491 |
byte [] tmp = new byte[mStart - padStart]; |
|
492 |
System.arraycopy(EM, padStart, tmp, 0, tmp.length); |
|
2 | 493 |
|
23911 | 494 |
byte [] m = new byte[EM.length - mStart]; |
495 |
System.arraycopy(EM, mStart, m, 0, m.length); |
|
496 |
||
497 |
BadPaddingException bpe = new BadPaddingException("Decryption error"); |
|
2 | 498 |
|
23911 | 499 |
if (bp) { |
500 |
throw bpe; |
|
501 |
} else { |
|
502 |
return m; |
|
503 |
} |
|
2 | 504 |
} |
505 |
} |