modified IESEngine so that MAC check is the primary one

dghgit · dghgit · commit 21dcb3d9744c · 2016-08-27T13:20:05.000+10:00
added general BadBlockException class for asymmetric ciphers.
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java
@@ -67,8 +67,8 @@ public IESEngine(
 
 
     /**
-     * set up for use in conjunction with a block cipher to handle the
-     * message.
+     * Set up for use in conjunction with a block cipher to handle the
+     * message.It is <b>strongly</b> recommended that the cipher is not in ECB mode.
      *
      * @param agree  the key agreement used as the basis for the encryption
      * @param kdf    the key derivation function used for byte generation
@@ -269,15 +269,16 @@ private byte[] decryptBlock(
         int inLen)
         throws InvalidCipherTextException
     {
-        byte[] M = null, K = null, K1 = null, K2 = null;
-        int len;
+        byte[] M, K, K1, K2;
+        int len = 0;
 
         // Ensure that the length of the input is greater than the MAC in bytes
         if (inLen < V.length + mac.getMacSize())
         {
             throw new InvalidCipherTextException("Length of input must be greater than the MAC and V combined");
         }
 
+        // note order is important: set up keys, do simple encryptions, check mac, do final encryption.
         if (cipher == null)
         {
             // Streaming mode.
@@ -298,14 +299,13 @@ private byte[] decryptBlock(
                 System.arraycopy(K, K1.length, K2, 0, K2.length);
             }
 
+            // process the message
             M = new byte[K1.length];
 
             for (int i = 0; i != K1.length; i++)
             {
                 M[i] = (byte)(in_enc[inOff + V.length + i] ^ K1[i]);
             }
-
-            len = K1.length;
         }
         else
         {
@@ -325,15 +325,15 @@ private byte[] decryptBlock(
             }
             else
             {
-                cipher.init(false, new KeyParameter(K1));    
+                cipher.init(false, new KeyParameter(K1));
             }
 
             M = new byte[cipher.getOutputSize(inLen - V.length - mac.getMacSize())];
+
+            // do initial processing
             len = cipher.processBytes(in_enc, inOff + V.length, inLen - V.length - mac.getMacSize(), M, 0);
-            len += cipher.doFinal(M, len);
         }
 
-
         // Convert the length of the encoding vector into a byte array.
         byte[] P2 = param.getEncodingV();
         byte[] L2 = null;
@@ -362,11 +362,19 @@ private byte[] decryptBlock(
 
         if (!Arrays.constantTimeAreEqual(T1, T2))
         {
-            throw new InvalidCipherTextException("Invalid MAC.");
+            throw new InvalidCipherTextException("invalid MAC");
         }
 
-        // Output the message.
-        return Arrays.copyOfRange(M, 0, len);
+        if (cipher == null)
+        {
+            return M;
+        }
+        else
+        {
+            len += cipher.doFinal(M, len);
+
+            return Arrays.copyOfRange(M, 0, len);
+        }
     }
 
 
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java
@@ -45,6 +45,7 @@
 import org.bouncycastle.crypto.parsers.DHIESPublicKeyParser;
 import org.bouncycastle.jcajce.provider.asymmetric.util.DHUtil;
 import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil;
+import org.bouncycastle.jcajce.provider.util.BadBlockException;
 import org.bouncycastle.jcajce.util.BCJcaJceHelper;
 import org.bouncycastle.jcajce.util.JcaJceHelper;
 import org.bouncycastle.jce.interfaces.IESKey;
@@ -425,7 +426,7 @@ public byte[] engineDoFinal(
             }
             catch (Exception e)
             {
-                throw new BadPaddingException(e.getMessage());
+                throw new BadBlockException("unable to process block", e);
             }
         }
 
@@ -464,7 +465,7 @@ public byte[] getEncoded(AsymmetricKeyParameter keyParameter)
             }
             catch (Exception e)
             {
-                throw new BadPaddingException(e.getMessage());
+                throw new BadBlockException("unable to process block", e);
             }
         }
         else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE)
@@ -478,7 +479,7 @@ else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE)
             }
             catch (InvalidCipherTextException e)
             {
-                throw new BadPaddingException(e.getMessage());
+                throw new BadBlockException("unable to process block", e);
             }
         }
         else
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java
@@ -43,6 +43,7 @@
 import org.bouncycastle.crypto.parsers.ECIESPublicKeyParser;
 import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
 import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil;
+import org.bouncycastle.jcajce.provider.util.BadBlockException;
 import org.bouncycastle.jcajce.util.BCJcaJceHelper;
 import org.bouncycastle.jcajce.util.JcaJceHelper;
 import org.bouncycastle.jce.interfaces.ECKey;
@@ -430,7 +431,7 @@ public byte[] engineDoFinal(
             }
             catch (Exception e)
             {
-                throw new BadPaddingException(e.getMessage());
+                throw new BadBlockException("unable to process block", e);
             }
         }
 
@@ -456,11 +457,10 @@ public byte[] getEncoded(AsymmetricKeyParameter keyParameter)
 
                 return engine.processBlock(in, 0, in.length);
             }
-            catch (Exception e)
+            catch (final Exception e)
             {
-                throw new BadPaddingException(e.getMessage());
+                throw new BadBlockException("unable to process block", e);
             }
-
         }
         else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE)
         {
@@ -473,7 +473,7 @@ else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE)
             }
             catch (InvalidCipherTextException e)
             {
-                throw new BadPaddingException(e.getMessage());
+                throw new BadBlockException("unable to process block", e);
             }
         }
         else
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java
@@ -32,6 +32,7 @@
 import org.bouncycastle.crypto.engines.RSABlindedEngine;
 import org.bouncycastle.crypto.params.ParametersWithRandom;
 import org.bouncycastle.jcajce.provider.asymmetric.util.BaseCipherSpi;
+import org.bouncycastle.jcajce.provider.util.BadBlockException;
 import org.bouncycastle.jcajce.provider.util.DigestFactory;
 import org.bouncycastle.jcajce.util.BCJcaJceHelper;
 import org.bouncycastle.jcajce.util.JcaJceHelper;
@@ -528,15 +529,9 @@ private byte[] getOutput()
 
             return cipher.processBlock(bytes, 0, bytes.length);
         }
-        catch (final InvalidCipherTextException e)
+        catch (InvalidCipherTextException e)
         {
-            throw new BadPaddingException("unable to decrypt block")
-            {
-                public synchronized Throwable getCause()
-                {
-                    return e;
-                }
-            };
+            throw new BadBlockException("unable to decrypt block", e);
         }
         finally
         {
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/util/BadBlockException.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/util/BadBlockException.java
@@ -0,0 +1,21 @@
+package org.bouncycastle.jcajce.provider.util;
+
+import javax.crypto.BadPaddingException;
+
+public class BadBlockException
+    extends BadPaddingException
+{
+    private final Throwable cause;
+
+    public BadBlockException(String msg, Throwable cause)
+    {
+        super(msg);
+
+        this.cause = cause;
+    }
+
+    public Throwable getCause()
+    {
+        return cause;
+    }
+}
diff --git a/prov/src/test/java/org/bouncycastle/jce/provider/test/DHIESTest.java b/prov/src/test/java/org/bouncycastle/jce/provider/test/DHIESTest.java
@@ -7,6 +7,7 @@
 import java.security.SecureRandom;
 import java.security.Security;
 
+import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.interfaces.DHPrivateKey;
 import javax.crypto.interfaces.DHPublicKey;
@@ -222,6 +223,27 @@ public void doTest(
         out2 = c2.doFinal(out1, 0, out1.length);
         if (!areEqual(out2, message))
             fail(testname + " test failed with non-null parameters, DHAES mode true.");
+
+        //
+        // corrupted data test
+        //
+        byte[] tmp = new byte[out1.length];
+        for (int i = 0; i != out1.length; i++)
+        {
+            System.arraycopy(out1, 0, tmp, 0, tmp.length);
+            tmp[i] = (byte)~tmp[i];
+
+            try
+            {
+                c2.doFinal(tmp, 0, tmp.length);
+
+                fail("decrypted corrupted data");
+            }
+            catch (BadPaddingException e)
+            {
+                isTrue("wrong message: " + e.getMessage(), "unable to process block".equals(e.getMessage()));
+            }
+        }
     }
 
     public static void main(
diff --git a/prov/src/test/java/org/bouncycastle/jce/provider/test/ECIESTest.java b/prov/src/test/java/org/bouncycastle/jce/provider/test/ECIESTest.java
@@ -7,6 +7,7 @@
 import java.security.Security;
 import java.security.spec.ECGenParameterSpec;
 
+import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.SealedObject;
 
@@ -241,7 +242,27 @@ public void doTest(
         if (!areEqual(out2, message))
             fail(testname + " test failed with non-null parameters, DHAES mode false.");
         
+        //
+        // corrupted data test
+        //
+        int offset = out1.length - (message.length + 8);
+        byte[] tmp = new byte[out1.length];
+        for (int i = offset; i != out1.length; i++)
+        {
+            System.arraycopy(out1, 0, tmp, 0, tmp.length);
+            tmp[i] = (byte)~tmp[i];
+
+            try
+            {
+                c2.doFinal(tmp, 0, tmp.length);
 
+                fail("decrypted corrupted data");
+            }
+            catch (BadPaddingException e)
+            {
+                isTrue("wrong message: " + e.getMessage(), "unable to process block".equals(e.getMessage()));
+            }
+        }
 // TODO: DHAES mode is not currently implemented, perhaps it shouldn't be...
 //        c1 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC");
 //        c2 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC");

Original file line number	Diff line number	Diff line change
`@@ -67,8 +67,8 @@ public IESEngine(`
`67`	`67`
`68`	`68`
`69`	`69`	`/**`
`70`		`- * set up for use in conjunction with a block cipher to handle the`
`71`		`- * message.`
	`70`	`+ * Set up for use in conjunction with a block cipher to handle the`
	`71`	`+ * message.It is <b>strongly</b> recommended that the cipher is not in ECB mode.`
`72`	`72`	`*`
`73`	`73`	`* @param agree the key agreement used as the basis for the encryption`
`74`	`74`	`* @param kdf the key derivation function used for byte generation`
`@@ -269,15 +269,16 @@ private byte[] decryptBlock(`
`269`	`269`	`int inLen)`
`270`	`270`	`throws InvalidCipherTextException`
`271`	`271`	`{`
`272`		`- byte[] M = null, K = null, K1 = null, K2 = null;`
`273`		`- int len;`
	`272`	`+ byte[] M, K, K1, K2;`
	`273`	`+ int len = 0;`
`274`	`274`
`275`	`275`	`// Ensure that the length of the input is greater than the MAC in bytes`
`276`	`276`	`if (inLen < V.length + mac.getMacSize())`
`277`	`277`	`{`
`278`	`278`	`throw new InvalidCipherTextException("Length of input must be greater than the MAC and V combined");`
`279`	`279`	`}`
`280`	`280`
	`281`	`+ // note order is important: set up keys, do simple encryptions, check mac, do final encryption.`
`281`	`282`	`if (cipher == null)`
`282`	`283`	`{`
`283`	`284`	`// Streaming mode.`
`@@ -298,14 +299,13 @@ private byte[] decryptBlock(`
`298`	`299`	`System.arraycopy(K, K1.length, K2, 0, K2.length);`
`299`	`300`	`}`
`300`	`301`
	`302`	`+ // process the message`
`301`	`303`	`M = new byte[K1.length];`
`302`	`304`
`303`	`305`	`for (int i = 0; i != K1.length; i++)`
`304`	`306`	`{`
`305`	`307`	`M[i] = (byte)(in_enc[inOff + V.length + i] ^ K1[i]);`
`306`	`308`	`}`
`307`		`-`
`308`		`- len = K1.length;`
`309`	`309`	`}`
`310`	`310`	`else`
`311`	`311`	`{`
`@@ -325,15 +325,15 @@ private byte[] decryptBlock(`
`325`	`325`	`}`
`326`	`326`	`else`
`327`	`327`	`{`
`328`		`- cipher.init(false, new KeyParameter(K1));`
	`328`	`+ cipher.init(false, new KeyParameter(K1));`
`329`	`329`	`}`
`330`	`330`
`331`	`331`	`M = new byte[cipher.getOutputSize(inLen - V.length - mac.getMacSize())];`
	`332`	`+`
	`333`	`+ // do initial processing`
`332`	`334`	`len = cipher.processBytes(in_enc, inOff + V.length, inLen - V.length - mac.getMacSize(), M, 0);`
`333`		`- len += cipher.doFinal(M, len);`
`334`	`335`	`}`
`335`	`336`
`336`		`-`
`337`	`337`	`// Convert the length of the encoding vector into a byte array.`
`338`	`338`	`byte[] P2 = param.getEncodingV();`
`339`	`339`	`byte[] L2 = null;`
`@@ -362,11 +362,19 @@ private byte[] decryptBlock(`
`362`	`362`
`363`	`363`	`if (!Arrays.constantTimeAreEqual(T1, T2))`
`364`	`364`	`{`
`365`		`- throw new InvalidCipherTextException("Invalid MAC.");`
	`365`	`+ throw new InvalidCipherTextException("invalid MAC");`
`366`	`366`	`}`
`367`	`367`
`368`		`- // Output the message.`
`369`		`- return Arrays.copyOfRange(M, 0, len);`
	`368`	`+ if (cipher == null)`
	`369`	`+ {`
	`370`	`+ return M;`
	`371`	`+ }`
	`372`	`+ else`
	`373`	`+ {`
	`374`	`+ len += cipher.doFinal(M, len);`
	`375`	`+`
	`376`	`+ return Arrays.copyOfRange(M, 0, len);`
	`377`	`+ }`
`370`	`378`	`}`
`371`	`379`
`372`	`380`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@`
`45`	`45`	`import org.bouncycastle.crypto.parsers.DHIESPublicKeyParser;`
`46`	`46`	`import org.bouncycastle.jcajce.provider.asymmetric.util.DHUtil;`
`47`	`47`	`import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil;`
	`48`	`+import org.bouncycastle.jcajce.provider.util.BadBlockException;`
`48`	`49`	`import org.bouncycastle.jcajce.util.BCJcaJceHelper;`
`49`	`50`	`import org.bouncycastle.jcajce.util.JcaJceHelper;`
`50`	`51`	`import org.bouncycastle.jce.interfaces.IESKey;`
`@@ -425,7 +426,7 @@ public byte[] engineDoFinal(`
`425`	`426`	`}`
`426`	`427`	`catch (Exception e)`
`427`	`428`	`{`
`428`		`- throw new BadPaddingException(e.getMessage());`
	`429`	`+ throw new BadBlockException("unable to process block", e);`
`429`	`430`	`}`
`430`	`431`	`}`
`431`	`432`
`@@ -464,7 +465,7 @@ public byte[] getEncoded(AsymmetricKeyParameter keyParameter)`
`464`	`465`	`}`
`465`	`466`	`catch (Exception e)`
`466`	`467`	`{`
`467`		`- throw new BadPaddingException(e.getMessage());`
	`468`	`+ throw new BadBlockException("unable to process block", e);`
`468`	`469`	`}`
`469`	`470`	`}`
`470`	`471`	`else if (state == Cipher.DECRYPT_MODE \|\| state == Cipher.UNWRAP_MODE)`
`@@ -478,7 +479,7 @@ else if (state == Cipher.DECRYPT_MODE \|\| state == Cipher.UNWRAP_MODE)`
`478`	`479`	`}`
`479`	`480`	`catch (InvalidCipherTextException e)`
`480`	`481`	`{`
`481`		`- throw new BadPaddingException(e.getMessage());`
	`482`	`+ throw new BadBlockException("unable to process block", e);`
`482`	`483`	`}`
`483`	`484`	`}`
`484`	`485`	`else`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@`
`43`	`43`	`import org.bouncycastle.crypto.parsers.ECIESPublicKeyParser;`
`44`	`44`	`import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;`
`45`	`45`	`import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil;`
	`46`	`+import org.bouncycastle.jcajce.provider.util.BadBlockException;`
`46`	`47`	`import org.bouncycastle.jcajce.util.BCJcaJceHelper;`
`47`	`48`	`import org.bouncycastle.jcajce.util.JcaJceHelper;`
`48`	`49`	`import org.bouncycastle.jce.interfaces.ECKey;`
`@@ -430,7 +431,7 @@ public byte[] engineDoFinal(`
`430`	`431`	`}`
`431`	`432`	`catch (Exception e)`
`432`	`433`	`{`
`433`		`- throw new BadPaddingException(e.getMessage());`
	`434`	`+ throw new BadBlockException("unable to process block", e);`
`434`	`435`	`}`
`435`	`436`	`}`
`436`	`437`
`@@ -456,11 +457,10 @@ public byte[] getEncoded(AsymmetricKeyParameter keyParameter)`
`456`	`457`
`457`	`458`	`return engine.processBlock(in, 0, in.length);`
`458`	`459`	`}`
`459`		`- catch (Exception e)`
	`460`	`+ catch (final Exception e)`
`460`	`461`	`{`
`461`		`- throw new BadPaddingException(e.getMessage());`
	`462`	`+ throw new BadBlockException("unable to process block", e);`
`462`	`463`	`}`
`463`		`-`
`464`	`464`	`}`
`465`	`465`	`else if (state == Cipher.DECRYPT_MODE \|\| state == Cipher.UNWRAP_MODE)`
`466`	`466`	`{`
`@@ -473,7 +473,7 @@ else if (state == Cipher.DECRYPT_MODE \|\| state == Cipher.UNWRAP_MODE)`
`473`	`473`	`}`
`474`	`474`	`catch (InvalidCipherTextException e)`
`475`	`475`	`{`
`476`		`- throw new BadPaddingException(e.getMessage());`
	`476`	`+ throw new BadBlockException("unable to process block", e);`
`477`	`477`	`}`
`478`	`478`	`}`
`479`	`479`	`else`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@`
`32`	`32`	`import org.bouncycastle.crypto.engines.RSABlindedEngine;`
`33`	`33`	`import org.bouncycastle.crypto.params.ParametersWithRandom;`
`34`	`34`	`import org.bouncycastle.jcajce.provider.asymmetric.util.BaseCipherSpi;`
	`35`	`+import org.bouncycastle.jcajce.provider.util.BadBlockException;`
`35`	`36`	`import org.bouncycastle.jcajce.provider.util.DigestFactory;`
`36`	`37`	`import org.bouncycastle.jcajce.util.BCJcaJceHelper;`
`37`	`38`	`import org.bouncycastle.jcajce.util.JcaJceHelper;`
`@@ -528,15 +529,9 @@ private byte[] getOutput()`
`528`	`529`
`529`	`530`	`return cipher.processBlock(bytes, 0, bytes.length);`
`530`	`531`	`}`
`531`		`- catch (final InvalidCipherTextException e)`
	`532`	`+ catch (InvalidCipherTextException e)`
`532`	`533`	`{`
`533`		`- throw new BadPaddingException("unable to decrypt block")`
`534`		`- {`
`535`		`- public synchronized Throwable getCause()`
`536`		`- {`
`537`		`- return e;`
`538`		`- }`
`539`		`- };`
	`534`	`+ throw new BadBlockException("unable to decrypt block", e);`
`540`	`535`	`}`
`541`	`536`	`finally`
`542`	`537`	`{`