Java Code Examples for javacard.framework.Util#arrayFillNonAtomic()

public boolean unwrap(byte[] keyHandle, short keyHandleOffset, short keyHandleLength, byte[] applicationParameter, short applicationParameterOffset, ECPrivateKey unwrappedPrivateKey) {
	
	calcMAC(applicationParameter, applicationParameterOffset, keyHandle, keyHandleOffset);
	
	//Compare MAC
	if (Util.arrayCompare(scratch, (short) 0, keyHandle, (short)(keyHandleOffset+32), (short)32)!=0) {
		return false;
	}
	
	//only get key if signing is required
    if (unwrappedPrivateKey != null) {

    	//Regenerate PrivKey 
    	generatePrivateKey(applicationParameter, applicationParameterOffset, keyHandle, keyHandleOffset);
    	
        unwrappedPrivateKey.setS(scratch, (short)0, (short)32);
    }
    Util.arrayFillNonAtomic(scratch, (short)0, (short)32, (byte)0x00);
    return true;
}
 

/**
 * Erase all values stored in helper objects
 */
void erase() {
    helper_BN_A.erase();
    helper_BN_B.erase();
    helper_BN_C.erase();
    helper_BN_D.erase();
    helper_BN_E.erase();
    helper_BN_F.erase();
    
    helperEC_BN_A.erase();
    helperEC_BN_B.erase();
    helperEC_BN_C.erase();
    helperEC_BN_D.erase();
    helperEC_BN_E.erase();
    helperEC_BN_F.erase();
    

    Util.arrayFillNonAtomic(helper_BN_array1, (short) 0, (short) helper_BN_array1.length, (byte) 0);
    Util.arrayFillNonAtomic(helper_BN_array2, (short) 0, (short) helper_BN_array2.length, (byte) 0);
    Util.arrayFillNonAtomic(helper_uncompressed_point_arr1, (short) 0, (short) helper_uncompressed_point_arr1.length, (byte) 0);
}
 

/**
 * Prepends zeros before the value of this Bignat up to target length. 
 *
 * @param targetLength required length including prepended zeroes
 * @param outBuffer output buffer for value with prepended zeroes
 * @param outOffset start offset inside outBuffer for write
 */
public void prepend_zeros(short targetLength, byte[] outBuffer, short outOffset) { 
    short other_start = (short) (targetLength - this.size);
    if (other_start > 0) {
        Util.arrayFillNonAtomic(outBuffer, outOffset, other_start, (byte) 0); //fill prefix with zeros
    }
    Util.arrayCopyNonAtomic(value, (short) 0, outBuffer, (short) (outOffset + other_start), this.size); //copy the value
}
 

private void clearCipherState() {
    Util.arrayFillNonAtomic(roundKeysBuff, OFFSET_ZERO,
            (short) roundKeysBuff.length, (byte) 0x0);
    Util.arrayFillNonAtomic(cipherBuff, OFFSET_ZERO,
            (short) cipherBuff.length, (byte) 0x0);
    Util.arrayFillNonAtomic(cbcNextV, OFFSET_ZERO, (short) cbcNextV.length,
            (byte) 0);
    Util.arrayFillNonAtomic(cbcV, OFFSET_ZERO, (short) cbcV.length,
            (byte) 0);
}
 

public short reset(){
	short base = 0;
	short nb_deleted=0;
	while (base<this.size) {
		if (Util.arrayCompare(this.ptr, base, this.empty, (short)0, this.size_id)!=0){
			Util.arrayFillNonAtomic(this.ptr, base, this.size_elem, (byte)0x00);
			this.nb_elem_free++;
			this.nb_elem_used--;
			nb_deleted++;
		}
		base+=this.size_elem;
	}
	return nb_deleted;
}
 

public static void hmac(byte[] key, short keyOffset, short keyLength, byte[] data, short dataOffset, short dataLength, byte[] out, short outOffset, byte[] block, short blockOffset) {
	byte i;
	boolean nativeSha512 = (Crypto.digestSha512 != null); 
	if (!nativeSha512) {
		Crypto.sha512.init();
	}
	for (i=0; i<2; i++) {
		Util.arrayFillNonAtomic(block, blockOffset, BLOCK_SIZE, (i == 0 ? IPAD : OPAD));
		for (short j=0; j<keyLength; j++) {
			block[(short)(blockOffset + j)] ^= key[(short)(keyOffset + j)];
		}
		if (nativeSha512) {
			Crypto.digestSha512.update(block, blockOffset, BLOCK_SIZE);				
		}
		else {
			Crypto.sha512.update(block, blockOffset, BLOCK_SIZE);
		}			
		if (i == 0) {
			if (nativeSha512) {
				Crypto.digestSha512.doFinal(data, dataOffset, dataLength, out, outOffset);
			}
			else {
				Crypto.sha512.doFinal(data, dataOffset, dataLength, out, outOffset);
			}
		}
		else {
			if (nativeSha512) {
				Crypto.digestSha512.doFinal(out, outOffset, DIGEST_SIZE, out, outOffset);
			}
			else {
				Crypto.sha512.doFinal(out, outOffset, DIGEST_SIZE, out, outOffset);
			}				
		}			
	}
}
 

public static void signTransientPrivate(byte[] keyBuffer, short keyOffset, byte[] dataBuffer, short dataOffset, byte[] targetBuffer, short targetOffset) {
	initTransientPrivate(keyBuffer, keyOffset);
    Util.arrayFillNonAtomic(keyBuffer, keyOffset, (short)32, (byte)0x00);
    // recheck with the target platform, initializing once instead might be possible and save a few flash write
    // (this part is unspecified in the Java Card API)
    signature.init(transientPrivate, Signature.MODE_SIGN);
    signature.sign(dataBuffer, dataOffset, (short)32, targetBuffer, targetOffset);
    if (transientPrivateTransient) {
        transientPrivate.clearKey();
    }
}
 

/**
 * \brief Clear the contents of the file.
 */
void clearContents() {
    short i;

    for(i = 0; i < currentRecordCount; i++) {
        Util.arrayFillNonAtomic(records[i].data, (short)0, (short)records[i].data.length, (byte)0);
        records[i] = null;
    }
}
 

private static void reset() {
    Crypto.random.generateData(scratch256, (short)0, (short)16);
    chipKey.setKey(scratch256, (short)0);
    Util.arrayFillNonAtomic(scratch256, (short)0, (short)16, (byte)0x00);
    setup = TC.FALSE;
    limitsSet = TC.FALSE;
}
 

public void ClearFlashBuffer() {
    if (flash_buf != null)
    {
        if(JCSystem.isObjectDeletionSupported()) {
            flash_buf = null;
            JCSystem.requestObjectDeletion();
        } else {
            Util.arrayFillNonAtomic(flash_buf, (short)0, FLASH_BUF_SIZE, (byte)0x00);
        }
    }
}
 

public static short computeHmacSha512(byte[] key, short key_offset, short key_length, 
		byte[] message, short message_offset, short message_length,
		byte[] mac, short mac_offset){
	
	if (key_length>BLOCKSIZE || key_length<0){
		ISOException.throwIt(CardEdge.SW_HMAC_UNSUPPORTED_KEYSIZE); // don't accept keys bigger than block size 
	}
	if (message_length>HASHSIZE || message_length<0){
		ISOException.throwIt(CardEdge.SW_HMAC_UNSUPPORTED_MSGSIZE); // don't accept message bigger than block size (should be sufficient for BIP32)
	}
	
	// compute inner hash
	for (short i=0; i<key_length; i++){
		data[i]= (byte) (key[(short)(key_offset+i)] ^ (0x36));
	}
	Util.arrayFillNonAtomic(data, key_length, (short)(BLOCKSIZE-key_length), (byte)0x36);		
	Util.arrayCopyNonAtomic(message, message_offset, data, BLOCKSIZE, message_length);
	sha512.reset();
	sha512.doFinal(data, (short)0, (short)(BLOCKSIZE+message_length), data, BLOCKSIZE); // copy hash result to data buffer!
	
	// compute outer hash
	for (short i=0; i<key_length; i++){
		data[i]= (byte) (key[(short)(key_offset+i)] ^ (0x5c));
	}
	Util.arrayFillNonAtomic(data, key_length, (short)(BLOCKSIZE-key_length), (byte)0x5c);
	// previous hash already copied to correct offset in data
	sha512.reset();
	sha512.doFinal(data, (short)0, (short)(BLOCKSIZE+HASHSIZE), mac, mac_offset);
	
	return HASHSIZE;
}
 

public void unlock(byte[] objToUnlock) {
    if (!bLockingActive) {
        return;
    }
    unlock((Object) objToUnlock);
    if (ERASE_ON_UNLOCK) {
        Util.arrayFillNonAtomic(objToUnlock, (short) 0, (short) objToUnlock.length, (byte) 0);
    }
}
 

/**
   * This function signs the current hash transaction with a std or the last extended key
   * The hash provided in the APDU is compared to the version stored inside the chip.
* Depending of the total amount in the transaction and the predefined limit, 
* a HMAC must be provided as an additional security layer. 
* 
   * ins: 0x6F
* p1: key number or 0xFF for the last derived Bip32 extended key  
* p2: 0x00
* data: [hash(32b) | option: 2FA-flag(2b)|hmac(20b)]
* 
* return: [sig ]
*
   */
  private short SignTransaction(APDU apdu, byte[] buffer){
// check that PIN[0] has been entered previously
if (!pins[0].isValidated())
	ISOException.throwIt(SW_UNAUTHORIZED);

  	byte key_nb = buffer[ISO7816.OFFSET_P1];
if ( (key_nb!=(byte)0xFF) && ((key_nb < 0) || (key_nb >= MAX_NUM_KEYS)) )
	ISOException.throwIt(SW_INCORRECT_P1);

  	short bytesLeft = Util.makeShort((byte) 0x00, buffer[ISO7816.OFFSET_LC]);
if (bytesLeft<MessageDigest.LENGTH_SHA_256)
	ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
  	
  	// check whether the seed is initialized
if (key_nb==(byte)0xFF && !bip32_seeded)
	ISOException.throwIt(SW_BIP32_UNINITIALIZED_SEED);

// check doublehash value in buffer with cached singlehash value
sha256.reset();
sha256.doFinal(transactionData, OFFSET_TRANSACTION_HASH, MessageDigest.LENGTH_SHA_256, recvBuffer, (short)0);
if ((byte)0 != Util.arrayCompare(buffer, ISO7816.OFFSET_CDATA, recvBuffer, (short)0, MessageDigest.LENGTH_SHA_256))
	ISOException.throwIt(SW_INCORRECT_TXHASH);

// check challenge-response answer if necessary
if(needs_2FA){
	if(	Biginteger.lessThan(data2FA, OFFSET_2FA_LIMIT, transactionData, OFFSET_TRANSACTION_AMOUNT, (short)8)){
		if (bytesLeft<MessageDigest.LENGTH_SHA_256+MessageDigest.LENGTH_SHA+(short)2)
			ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
		// check flag for 2fa_hmac_chalresp
		short hmac_flags= Util.getShort(buffer, (short)(ISO7816.OFFSET_CDATA+32));
		if (hmac_flags!=HMAC_CHALRESP_2FA)
			ISOException.throwIt(SW_INCORRECT_ALG);
		// hmac of 64-bytes msg: (doublesha256(raw_tx) | 32bytes zero-padding)
		Util.arrayFillNonAtomic(recvBuffer, (short)32, (short)32, (byte)0x00);
		HmacSha160.computeHmacSha160(data2FA, OFFSET_2FA_HMACKEY, (short)20, recvBuffer, (short)0, (short)64, recvBuffer, (short)64);
		if (Util.arrayCompare(buffer, (short)(ISO7816.OFFSET_CDATA+32+2), recvBuffer, (short)64, (short)20)!=0)
			ISOException.throwIt(SW_SIGNATURE_INVALID);
		// reset total amount
		Util.arrayFillNonAtomic(transactionData, OFFSET_TRANSACTION_TOTAL, (short)8, (byte)0x00);
	}
	else{					
		//update total amount
		Util.arrayCopyNonAtomic(transactionData, OFFSET_TRANSACTION_AMOUNT, transactionData, OFFSET_TRANSACTION_TOTAL, (short)8);
	}
}

// hash+sign singlehash
  	if (key_nb==(byte)0xFF)
  		sigECDSA.init(bip32_extendedkey, Signature.MODE_SIGN);
  	else{
  		Key key= eckeys[key_nb];
  		// check type and size
  		if ((key == null) || !key.isInitialized())
  			ISOException.throwIt(SW_INCORRECT_P1);
  		if (key.getType() != KeyBuilder.TYPE_EC_FP_PRIVATE)
  			ISOException.throwIt(SW_INCORRECT_ALG);		
  		if (key.getSize()!= LENGTH_EC_FP_256)
  			ISOException.throwIt(SW_INCORRECT_ALG);
  		sigECDSA.init(key, Signature.MODE_SIGN);
  	}
      short sign_size= sigECDSA.sign(transactionData, OFFSET_TRANSACTION_HASH, (short)32, buffer, (short)0);
      return sign_size;
  }
 

/**
   * This function signs a given transaction hash with a std or the last extended key
   * If 2FA is enabled, a HMAC must be provided as an additional security layer. 
* 
   * ins: 0x7A
* p1: key number or 0xFF for the last derived Bip32 extended key  
* p2: 0x00
* data: [hash(32b) | option: 2FA-flag(2b)|hmac(20b)]
* 
* return: [sig ]
* 
   */
  private short SignTransactionHash(APDU apdu, byte[] buffer){
  	
  	// check that PIN[0] has been entered previously
if (!pins[0].isValidated())
	ISOException.throwIt(SW_UNAUTHORIZED);

  	byte key_nb = buffer[ISO7816.OFFSET_P1];
if ( (key_nb!=(byte)0xFF) && ((key_nb < 0) || (key_nb >= MAX_NUM_KEYS)) )
	ISOException.throwIt(SW_INCORRECT_P1);

  	short bytesLeft = Util.makeShort((byte) 0x00, buffer[ISO7816.OFFSET_LC]);
if (bytesLeft<MessageDigest.LENGTH_SHA_256)
	ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
  	
  	// check whether the seed is initialized
if (key_nb==(byte)0xFF && !bip32_seeded)
	ISOException.throwIt(SW_BIP32_UNINITIALIZED_SEED);
  	
// check 2FA if required
if(needs_2FA){
	// check data length
	if (bytesLeft<MessageDigest.LENGTH_SHA_256+MessageDigest.LENGTH_SHA+(short)2)
		ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
	// check flag for 2fa_hmac_chalresp
	short hmac_flags= Util.getShort(buffer, (short)(ISO7816.OFFSET_CDATA+32));
	if (hmac_flags!=HMAC_CHALRESP_2FA)
		ISOException.throwIt(SW_INCORRECT_ALG);
	// hmac of 64-bytes msg: ( 32bytes tx_hash | 32bytes 0xCC-padding)
	Util.arrayCopyNonAtomic(buffer, (short)ISO7816.OFFSET_CDATA, recvBuffer, (short)0, (short)32);
	Util.arrayFillNonAtomic(recvBuffer, (short)32, (short)32, (byte)0xCC);
	HmacSha160.computeHmacSha160(data2FA, OFFSET_2FA_HMACKEY, (short)20, recvBuffer, (short)0, (short)64, recvBuffer, (short)64);
	if (Util.arrayCompare(buffer, (short)(ISO7816.OFFSET_CDATA+32+2), recvBuffer, (short)64, (short)20)!=0)
		ISOException.throwIt(SW_SIGNATURE_INVALID);
}

// hash+sign singlehash
  	if (key_nb==(byte)0xFF)
  		sigECDSA.init(bip32_extendedkey, Signature.MODE_SIGN);
  	else{
  		Key key= eckeys[key_nb];
  		// check type and size
  		if ((key == null) || !key.isInitialized())
  			ISOException.throwIt(SW_INCORRECT_P1);
  		if (key.getType() != KeyBuilder.TYPE_EC_FP_PRIVATE)
  			ISOException.throwIt(SW_INCORRECT_ALG);		
  		if (key.getSize()!= LENGTH_EC_FP_256)
  			ISOException.throwIt(SW_INCORRECT_ALG);
  		sigECDSA.init(key, Signature.MODE_SIGN);
  	}
      short sign_size= sigECDSA.signPreComputedHash(buffer, ISO7816.OFFSET_CDATA, MessageDigest.LENGTH_SHA_256, buffer, (short)0);
      return sign_size;
  }
 

public void clearContents() {
    Util.arrayFillNonAtomic(data, (short)0, (short)data.length, (byte)0);
}
 

/**
 * \brief Process the VERIFY apdu (INS = 20).
 *
 * This apdu is used to verify a PIN and authenticate the user. A counter is used
 * to limit unsuccessful tries (i.e. brute force attacks).
 *
 * \param apdu The apdu.
 *
 * \throw ISOException SW_INCORRECT_P1P2, ISO7816.SW_WRONG_LENGTH, SW_PIN_TRIES_REMAINING.
 */
private void processVerify(APDU apdu) throws ISOException {
    byte[] buf = apdu.getBuffer();
    short offset_cdata;
    short lc;

    // P1P2 0001 only at the moment. (key-reference 01 = PIN)
    if(buf[ISO7816.OFFSET_P1] != 0x00 || buf[ISO7816.OFFSET_P2] != 0x01) {
        ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);
    }

    // Bytes received must be Lc.
    lc = apdu.setIncomingAndReceive();
    if(lc != apdu.getIncomingLength()) {
        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
    }
    offset_cdata = apdu.getOffsetCdata();

    // Lc might be 0, in this case the caller checks if verification is required.
    if((lc > 0 && (lc < PIN_MIN_LENGTH) || lc > PIN_MAX_LENGTH)) {
        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
    }

    // Caller asks if verification is needed.
    if(lc == 0
            && state != STATE_CREATION
            && state != STATE_INITIALISATION) {
        // Verification required, return remaining tries.
        ISOException.throwIt((short)(SW_PIN_TRIES_REMAINING | pin.getTriesRemaining()));
    } else if(lc == 0
              && (state == STATE_CREATION
                  || state == STATE_INITIALISATION)) {
        // No verification required.
        ISOException.throwIt(ISO7816.SW_NO_ERROR);
    }

    // Pad the PIN if not done by caller, so no garbage from the APDU will be part of the PIN.
    Util.arrayFillNonAtomic(buf, (short)(offset_cdata + lc), (short)(PIN_MAX_LENGTH - lc), (byte) 0x00);

    // Check the PIN.
    if(!pin.check(buf, offset_cdata, PIN_MAX_LENGTH)) {
        fs.setUserAuthenticated(false);
        ISOException.throwIt((short)(SW_PIN_TRIES_REMAINING | pin.getTriesRemaining()));
    } else {
        fs.setUserAuthenticated(true);
    }
}
 

/**
 * This function imports a Bip32 seed to the applet and derives the master key and chain code.
 * It also derives a second ECC that uniquely authenticates the HDwallet: the authentikey.
 * Lastly, it derives a 32-bit AES key that is used to encrypt/decrypt Bip32 object stored in secure memory 
 * If the seed already exists, it is reset if the logged identities allow it.
 * 
 * The function returns the x-coordinate of the authentikey, self-signed.
 * The authentikey full public key can be recovered from the signature.
 *  
 *  ins: 0x6C
 *  p1: seed_size(1b) 
 *  p2: 0x00 
 *  data: [seed_data (seed_size)]
 *  return: [coordx_size(2b) | coordx | sig_size(2b) | sig]
 */
private short importBIP32Seed(APDU apdu, byte[] buffer){
	// check that PIN[0] has been entered previously
	if (!pins[0].isValidated())
		ISOException.throwIt(SW_UNAUTHORIZED);
	if (buffer[ISO7816.OFFSET_P2] != (byte) 0x00)
		ISOException.throwIt(SW_INCORRECT_P2);
	// if already seeded, must call resetBIP32Seed first!
	if (bip32_seeded)
		ISOException.throwIt(SW_BIP32_INITIALIZED_SEED);
	
	short bytesLeft = Util.makeShort((byte) 0x00, buffer[ISO7816.OFFSET_LC]);
	
	// get seed bytesize (max 64 bytes)
	byte bip32_seedsize = buffer[ISO7816.OFFSET_P1]; 
	if (bip32_seedsize <0 || bip32_seedsize>64)
		ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
	
	short offset= (short)ISO7816.OFFSET_CDATA;
	
	// derive master key!
	HmacSha512.computeHmacSha512(BITCOIN_SEED, (short)0, (short)BITCOIN_SEED.length, buffer, offset, (short)bip32_seedsize, recvBuffer, (short)0);
	bip32_masterkey.setKey(recvBuffer, (short)0); // data must be exactly 32 bytes long
	bip32_masterchaincode.setKey(recvBuffer, (short)32); // data must be exactly 32 bytes long
	
	// derive 2 more keys from seed:
	// - AES encryption key for secure storage of extended keys in object
	// - ECC key for authentication of sensitive data returned by the applet (hash, pubkeys)
	HmacSha512.computeHmacSha512(BITCOIN_SEED2, (short)0, (short)BITCOIN_SEED2.length, buffer, offset, (short)bip32_seedsize, recvBuffer, (short)64);
	bip32_authentikey.setS(recvBuffer, (short)64, BIP32_KEY_SIZE);
	bip32_encryptkey.setKey(recvBuffer, (short)96); // AES-128: 16-bytes key!!
	
	// bip32 is now seeded
	bip32_seeded= true;
	
	// clear recvBuffer
	Util.arrayFillNonAtomic(recvBuffer, (short)0, (short)128, (byte)0);
	
	// compute the partial authentikey public key...
       keyAgreement.init(bip32_authentikey);
       short coordx_size= (short)32;
   	keyAgreement.generateSecret(Secp256k1.SECP256K1, Secp256k1.OFFSET_SECP256K1_G, (short) 65, authentikey_pubkey, (short)0); //pubkey in uncompressed form
    Util.setShort(buffer, (short)0, coordx_size);
       Util.arrayCopyNonAtomic(authentikey_pubkey, (short)1, buffer, (short)2, coordx_size);
       // self signed public key
       sigECDSA.init(bip32_authentikey, Signature.MODE_SIGN);
       short sign_size= sigECDSA.sign(buffer, (short)0, (short)(coordx_size+2), buffer, (short)(coordx_size+4));
       Util.setShort(buffer, (short)(2+coordx_size), sign_size);
       
       // return x-coordinate of public key+signature
       // the client can recover full public-key from the signature or
       // by guessing the compression value () and verifying the signature... 
       // buffer= [coordx_size(2) | coordx | sigsize(2) | sig]
       return (short)(2+coordx_size+2+sign_size);
}
 

public static void clear() {
    Util.arrayFillNonAtomic(ctx, (short)0, (short)ctx.length, (byte)0x00);
}
 

public static void clearScratch() {
    if (TC.ctx[TC.TX_B_MESSAGE_SIGN_READY] != (byte)0x01) {
        Util.arrayFillNonAtomic(scratch256, (short)0, (short)scratch256.length, (byte)0x00);
    }
}
 

/**
 * Appends zeros in the suffix to reach the defined byte length 
 * Essentially multiplies the number with 16 (HEX) 
 * @param targetLength required length including appended zeroes
 * @param outBuffer output buffer for value with appended zeroes
 * @param outOffset start offset inside outBuffer for write
 */
public void append_zeros(short targetLength, byte[] outBuffer, short outOffset) {
    Util.arrayCopyNonAtomic(value, (short) 0, outBuffer, outOffset, this.size); //copy the value
    Util.arrayFillNonAtomic(outBuffer, (short) (outOffset + this.size), (short) (targetLength - this.size), (byte) 0); //append zeros
}