Java Code Examples for org.bouncycastle.util.Arrays#constantTimeAreEqual()

protected BigInteger[] derDecode(byte[] encoding)
        throws IOException {
    ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoding));
    if (seq.size() != 2) {
        return null;
    }

    BigInteger r = ASN1Integer.getInstance(seq.getObjectAt(0)).getValue();
    BigInteger s = ASN1Integer.getInstance(seq.getObjectAt(1)).getValue();

    byte[] expectedEncoding = derEncode(r, s);
    if (!Arrays.constantTimeAreEqual(expectedEncoding, encoding)) {
        return null;
    }

    return new BigInteger[]{r, s};
}
 

public BigInteger[] derDecode(byte[] encoding) throws IOException {
    ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoding));
    if (seq.size() != 2) {
        return null;
    }

    BigInteger r = ASN1Integer.getInstance(seq.getObjectAt(0)).getValue();
    BigInteger s = ASN1Integer.getInstance(seq.getObjectAt(1)).getValue();

    byte[] expectedEncoding = derEncode(r, s);
    if (!Arrays.constantTimeAreEqual(expectedEncoding, encoding)) {
        return null;
    }

    return new BigInteger[] {r, s};
}
 

private byte[] decryptBlock(byte[] in_enc, int inOff, int inLen) throws InvalidCipherTextException {
  byte[] M, K, K1, K2;
  int len = 0;

  // Ensure that the length of the input is greater than the MAC in bytes
  if (inLen < V.length + mac.getMacSize()) {
    throw new InvalidCipherTextException("Length of input must be greater than the MAC and V combined");
  }

  // note order is important: set up keys, do simple encryptions, check mac, do final encryption.

  // Block cipher mode.
  K1 = new byte[((IESWithCipherParameters) param).getCipherKeySize() / 8];
  K2 = new byte[param.getMacKeySize() / 8];
  K = new byte[K1.length + K2.length];

  kdf.generateBytes(K, 0, K.length);
  System.arraycopy(K, 0, K1, 0, K1.length);
  System.arraycopy(K, K1.length, K2, 0, K2.length);

  CipherParameters cp = new KeyParameter(K1);

  // If IV provide use it to initialize the cipher
  if (IV != null) {
    cp = new ParametersWithIV(cp, IV);
  }

  cipher.init(false, cp);

  M = new byte[cipher.getOutputSize(inLen - V.length - mac.getMacSize())];

  // do initial processing
  len = cipher.processBytes(in_enc, inOff + V.length, inLen - V.length - mac.getMacSize(), M, 0);


  // Convert the length of the encoding vector into a byte array.
  byte[] P2 = param.getEncodingV();
  byte[] L2 = null;
  if (V.length != 0) {
    L2 = getLengthTag(P2);
  }

  // Verify the MAC.
  int end = inOff + inLen;
  byte[] T1 = Arrays.copyOfRange(in_enc, end - mac.getMacSize(), end);

  byte[] T2 = new byte[T1.length];
  // Ethereum change:
  // Instead of initializing the mac with the bytes, we initialize with the hash of the bytes.
  // Old code: mac.init(new KeyParameter(K2));
  Digest hash = new SHA256Digest();
  byte[] K2hash = new byte[hash.getDigestSize()];
  hash.reset();
  hash.update(K2, 0, K2.length);
  hash.doFinal(K2hash, 0);
  mac.init(new KeyParameter(K2hash));
  // we also update the mac with the IV:
  mac.update(IV, 0, IV.length);
  // end of Ethereum change.

  mac.update(in_enc, inOff + V.length, inLen - V.length - T2.length);

  if (P2 != null) {
    mac.update(P2, 0, P2.length);
  }
  if (V.length != 0) {
    mac.update(L2, 0, L2.length);
  }
  mac.update(commonMac, 0, commonMac.length);
  mac.doFinal(T2, 0);

  if (!Arrays.constantTimeAreEqual(T1, T2)) {
    throw new InvalidCipherTextException("invalid MAC");
  }

  if (cipher == null) {
    return M;
  } else {
    len += cipher.doFinal(M, len);

    return Arrays.copyOfRange(M, 0, len);
  }
}
 

private byte[] decrypt(
    final byte[] inEnc, final int inOff, final int inLen, final byte[] commonMac)
    throws InvalidCipherTextException {
  final byte[] M;
  final byte[] K;
  final byte[] K1;
  final byte[] K2;

  int len;

  // Ensure that the length of the input is greater than the MAC in bytes
  if (inLen <= (CIPHER_MAC_KEY_SIZE / 8)) {
    throw new InvalidCipherTextException("Length of input must be greater than the MAC");
  }

  // Block cipher mode.
  K1 = new byte[CIPHER_KEY_SIZE / 8];
  K2 = new byte[CIPHER_MAC_KEY_SIZE / 8];
  K = new byte[K1.length + K2.length];

  kdf.generateBytes(K, 0, K.length);
  System.arraycopy(K, 0, K1, 0, K1.length);
  System.arraycopy(K, K1.length, K2, 0, K2.length);

  // Use IV to initialize cipher.
  cipher.init(false, new ParametersWithIV(new KeyParameter(K1), iv));

  M = new byte[cipher.getOutputSize(inLen - mac.getMacSize())];
  len = cipher.processBytes(inEnc, inOff, inLen - mac.getMacSize(), M, 0);
  len += cipher.doFinal(M, len);

  // Convert the length of the encoding vector into a byte array.
  final byte[] P2 = PARAM.getEncodingV();

  // Verify the MAC.
  final int end = inOff + inLen;
  final byte[] T1 = Arrays.copyOfRange(inEnc, end - mac.getMacSize(), end);
  final byte[] T2 = new byte[T1.length];

  final byte[] K2hash = new byte[hash.getDigestSize()];
  hash.reset();
  hash.update(K2, 0, K2.length);
  hash.doFinal(K2hash, 0);

  mac.init(new KeyParameter(K2hash));
  mac.update(iv, 0, iv.length);
  mac.update(inEnc, inOff, inLen - T2.length);

  if (P2 != null) {
    mac.update(P2, 0, P2.length);
  }

  if (commonMac != null) {
    mac.update(commonMac, 0, commonMac.length);
  }

  mac.doFinal(T2, 0);

  if (!Arrays.constantTimeAreEqual(T1, T2)) {
    throw new InvalidCipherTextException("Invalid MAC.");
  }

  // Output the message.
  return Arrays.copyOfRange(M, 0, len);
}
 

public byte[] decodeCiphertext(byte[] receivedMAC, byte[] additionalData, byte[] ciphertext)
    throws IOException {

  KeyParameter macKey = initRecordMAC(decryptCipher);

  byte[] calculatedMAC = PolyKeyCreator.create(macKey, additionalData, ciphertext);

  if (!Arrays.constantTimeAreEqual(calculatedMAC, receivedMAC)) {
    throw new TlsFatalAlert(AlertDescription.bad_record_mac);
  }

  byte[] output = new byte[ciphertext.length];
  decryptCipher.processBytes(ciphertext, 0, ciphertext.length, output, 0);

  return output;
}