Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

core/src/main/java/org/bouncycastle/asn1/ASN1InputStream.java

@@ -540,7 +540,10 @@ static ASN1Primitive createPrimitiveDERObject(
             case INTEGER:
                 return ASN1Integer.createPrimitive(defIn.toByteArray());
             case NULL:
-                return ASN1Null.createPrimitive(defIn.toByteArray());
+            {
+                ASN1Null.checkContentsLength(defIn.getRemaining());
+                return ASN1Null.createPrimitive();
+            }
             case NUMERIC_STRING:
                 return ASN1NumericString.createPrimitive(defIn.toByteArray());
             case OBJECT_DESCRIPTOR:

core/src/main/java/org/bouncycastle/asn1/ASN1Null.java

@@ -12,7 +12,8 @@ public abstract class ASN1Null
     {
         ASN1Primitive fromImplicitPrimitive(DEROctetString octetString)
         {
-            return createPrimitive(octetString.getOctets());
+            checkContentsLength(octetString.getOctetsLength());
+            return createPrimitive();
         }
     };
 
@@ -88,12 +89,16 @@ public String toString()
          return "NULL";
     }
 
-    static ASN1Null createPrimitive(byte[] contents)
+    static void checkContentsLength(int contentsLength)
     {
-        if (0 != contents.length)
+        if (0 != contentsLength)
         {
             throw new IllegalStateException("malformed NULL encoding encountered");
         }
+    }
+
+    static ASN1Null createPrimitive()
+    {
         return DERNull.INSTANCE;
     }
 }

core/src/main/java/org/bouncycastle/asn1/pkcs/RSAESOAEPparams.java

@@ -100,7 +100,17 @@ public AlgorithmIdentifier getPSourceAlgorithm()
     {
         return pSourceAlgorithm;
     }
-    
+
+    public RSAESOAEPparams withDefaultPSource()
+    {
+        if (DEFAULT_P_SOURCE_ALGORITHM == pSourceAlgorithm)
+        {
+            return this;
+        }
+
+        return new RSAESOAEPparams(hashAlgorithm, maskGenAlgorithm, DEFAULT_P_SOURCE_ALGORITHM);
+    }
+
     /**
      * <pre>
      *  RSAES-OAEP-params ::= SEQUENCE {
@@ -145,7 +155,7 @@ public ASN1Primitive toASN1Primitive()
         {
             v.add(new DERTaggedObject(true, 2, pSourceAlgorithm));
         }
-        
+
         return new DERSequence(v);
     }
 }

core/src/main/java/org/bouncycastle/asn1/x509/X509ObjectIdentifiers.java

@@ -31,7 +31,7 @@ public interface X509ObjectIdentifiers
      * id-SHA1 OBJECT IDENTIFIER ::=    
      *   {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 }
      * <p>
-     * OID: 1.3.14.3.2.27
+     * OID: 1.3.14.3.2.26
      */
     static final ASN1ObjectIdentifier    id_SHA1                 = new ASN1ObjectIdentifier("1.3.14.3.2.26").intern();
 

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCEngine.java

@@ -179,12 +179,12 @@ public int decaps(byte[] ss, byte[] ct, byte[] sk)
         pkeEncrypt(cKemPrimeU64, cKemPrimeV64, sk, mPrime, kThetaPrime, 32);
         hashGJ(kBar, 256, hashEkKem, sk, pkSize + SEED_BYTES, K_BYTE, ct, 0, ct.length, (byte)3);
 
-        if (!Arrays.constantTimeAreEqual(u64, cKemPrimeU64))
+        if (!Arrays.constantTimeAreEqual(N_BYTE_64, u64, 0, cKemPrimeU64, 0))
         {
             result = 1;
         }
 
-        if (!Arrays.constantTimeAreEqual(v64, cKemPrimeV64))
+        if (!Arrays.constantTimeAreEqual(N_BYTE_64, v64, 0, cKemPrimeV64, 0))
         {
             result = 1;
         }

core/src/main/java/org/bouncycastle/util/Arrays.java

@@ -149,6 +149,37 @@ public static boolean constantTimeAreEqual(int len, byte[] a, int aOff, byte[] b
         return 0 == d;
     }
 
+    public static boolean constantTimeAreEqual(int len, long[] a, int aOff, long[] b, int bOff)
+    {
+        if (null == a)
+        {
+            throw new NullPointerException("'a' cannot be null");
+        }
+        if (null == b)
+        {
+            throw new NullPointerException("'b' cannot be null");
+        }
+        if (len < 0)
+        {
+            throw new IllegalArgumentException("'len' cannot be negative");
+        }
+        if (aOff > (a.length - len))
+        {
+            throw new IndexOutOfBoundsException("'aOff' value invalid for specified length");
+        }
+        if (bOff > (b.length - len))
+        {
+            throw new IndexOutOfBoundsException("'bOff' value invalid for specified length");
+        }
+
+        long d = 0;
+        for (int i = 0; i < len; ++i)
+        {
+            d |= (a[aOff + i] ^ b[bOff + i]);
+        }
+        return 0L == d;
+    }
+
     /**
      * A constant time equals comparison - does not terminate early if
      * comparison fails. For best results always pass the expected value

pkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java

@@ -23,12 +23,11 @@
 import javax.crypto.Cipher;
 import javax.crypto.KeyAgreement;
 
-import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1Encoding;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERNull;
-import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers;
 import org.bouncycastle.asn1.kisa.KISAObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
@@ -47,6 +46,7 @@
 import org.bouncycastle.jcajce.util.MessageDigestUtils;
 import org.bouncycastle.operator.DefaultSignatureNameFinder;
 import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Integers;
 
 class OperatorHelper
@@ -56,13 +56,11 @@ class OperatorHelper
     private static final Map symmetricWrapperAlgNames = new HashMap();
     private static final Map symmetricKeyAlgNames = new HashMap();
     private static final Map symmetricWrapperKeySizes = new HashMap();
+    // ASN1ObjectIdentifier -> OAEPParamsValue
+    private static final Map oaepParamsMap = new HashMap();
 
     private static DefaultSignatureNameFinder sigFinder = new DefaultSignatureNameFinder();
 
-    private static final RSAESOAEPparams oaepParams_sha256 = calculateDefForDigest(NISTObjectIdentifiers.id_sha256);
-    private static final RSAESOAEPparams oaepParams_sha384 = calculateDefForDigest(NISTObjectIdentifiers.id_sha384);
-    private static final RSAESOAEPparams oaepParams_sha512 = calculateDefForDigest(NISTObjectIdentifiers.id_sha512);
-
     static
     {
         oids.put(OIWObjectIdentifiers.idSHA1, "SHA1");
@@ -107,17 +105,12 @@ class OperatorHelper
         symmetricKeyAlgNames.put(NISTObjectIdentifiers.id_aes256_CBC, "AES");
         symmetricKeyAlgNames.put(PKCSObjectIdentifiers.des_EDE3_CBC, "DESede");
         symmetricKeyAlgNames.put(PKCSObjectIdentifiers.RC2_CBC, "RC2");
-    }
 
-    private static RSAESOAEPparams calculateDefForDigest(ASN1ObjectIdentifier digest)
-    {
-        AlgorithmIdentifier hashAlgorithm = new AlgorithmIdentifier(
-            digest,
-            DERNull.INSTANCE);
-        AlgorithmIdentifier maskGenAlgorithm = new AlgorithmIdentifier(
-            PKCSObjectIdentifiers.id_mgf1,
-            new AlgorithmIdentifier(digest, DERNull.INSTANCE));
-        return new RSAESOAEPparams(hashAlgorithm, maskGenAlgorithm, RSAESOAEPparams.DEFAULT_P_SOURCE_ALGORITHM);
+        OAEPParamsValue.add(oaepParamsMap, "RSA/ECB/OAEPWithSHA-1AndMGF1Padding", OIWObjectIdentifiers.idSHA1);
+        OAEPParamsValue.add(oaepParamsMap, "RSA/ECB/OAEPWithSHA-224AndMGF1Padding", NISTObjectIdentifiers.id_sha224);
+        OAEPParamsValue.add(oaepParamsMap, "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", NISTObjectIdentifiers.id_sha256);
+        OAEPParamsValue.add(oaepParamsMap, "RSA/ECB/OAEPWithSHA-384AndMGF1Padding", NISTObjectIdentifiers.id_sha384);
+        OAEPParamsValue.add(oaepParamsMap, "RSA/ECB/OAEPWithSHA-512AndMGF1Padding", NISTObjectIdentifiers.id_sha512);
     }
 
     private JcaJceHelper helper;
@@ -207,52 +200,51 @@ KeyAgreement createKeyAgreement(ASN1ObjectIdentifier algorithm)
     Cipher createAsymmetricWrapper(AlgorithmIdentifier algorithmID, Map extraAlgNames)
         throws OperatorCreationException
     {
-        ASN1ObjectIdentifier algorithm = algorithmID.getAlgorithm();
+        if (algorithmID == null)
+        {
+            throw new NullPointerException("'algorithmID' cannot be null");
+        }
+
+        ASN1ObjectIdentifier algOID = algorithmID.getAlgorithm();
         try
         {
             String cipherName = null;
 
-            if (!extraAlgNames.isEmpty())
+            if (extraAlgNames != null && !extraAlgNames.isEmpty())
             {
-                cipherName = (String)extraAlgNames.get(algorithm);
+                cipherName = (String)extraAlgNames.get(algOID);
             }
 
             if (cipherName == null)
             {
-                cipherName = (String)asymmetricWrapperAlgNames.get(algorithm);
+                cipherName = (String)asymmetricWrapperAlgNames.get(algOID);
+            }
+
+            if (cipherName != null)
+            {
                 if (cipherName.indexOf("OAEPPadding") > 0)
                 {
-                    ASN1Encodable params = algorithmID.getParameters().toASN1Primitive();
-                    if ((params instanceof ASN1Sequence))
+                    try
                     {
-                        ASN1Sequence paramSeq = ASN1Sequence.getInstance(params);
-                        if (paramSeq.size() == 0)
+                        RSAESOAEPparams oaepParams = RSAESOAEPparams.getInstance(algorithmID.getParameters());
+                        if (oaepParams != null)
                         {
-                            cipherName = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
-                        }
-                        else if (paramSeq.size() >= 2)
-                        {
-                            // we only check the first 2 as pSource may be different
-                            paramSeq = new DERSequence(new ASN1Encodable[]{ paramSeq.getObjectAt(0), paramSeq.getObjectAt(1) });
-                            if (oaepParams_sha256.equals(paramSeq))
-                            {
-                                cipherName = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
-                            }
-                            else if (oaepParams_sha512.equals(paramSeq))
-                            {
-                                cipherName = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";
-                            }
-                            else if (oaepParams_sha384.equals(paramSeq))
+                            ASN1ObjectIdentifier digestOID = oaepParams.getHashAlgorithm().getAlgorithm();
+                            OAEPParamsValue oaepParamsValue = (OAEPParamsValue)oaepParamsMap.get(digestOID);
+
+                            // Note that the original pSourceAlgorithm is ignored for this comparison 
+                            if (oaepParamsValue != null && oaepParamsValue.matches(oaepParams.withDefaultPSource()))
                             {
-                                cipherName = "RSA/ECB/OAEPWithSHA-384AndMGF1Padding";
+                                cipherName = oaepParamsValue.getCipherName();
                             }
                         }
                     }
+                    catch (Exception e)
+                    {
+                        // Ignore
+                    }
                 }
-            }
 
-            if (cipherName != null)
-            {
                 try
                 {
                     // this is reversed as the Sun policy files now allow unlimited strength RSA
@@ -288,7 +280,7 @@ else if (cipherName.indexOf("ECB/OAEPWith") > 0)
                 }
             }
 
-            return helper.createCipher(algorithm.getId());
+            return helper.createCipher(algOID.getId());
         }
         catch (GeneralSecurityException e)
         {
@@ -626,4 +618,52 @@ private boolean notDefaultPSSParams(ASN1Sequence seq)
 
         return pssParams.getSaltLength().intValue() != digest.getDigestLength();
     }
+
+    private static class OAEPParamsValue
+    {
+        static void add(Map oaepParamsMap, String cipherName, ASN1ObjectIdentifier digestOID)
+        {
+            try
+            {
+                RSAESOAEPparams oaepParams = createOAEPParams(digestOID);
+                byte[] derEncoding = getDEREncoding(oaepParams);
+                oaepParamsMap.put(digestOID, new OAEPParamsValue(cipherName, derEncoding));
+            }
+            catch (Exception e)
+            {
+                throw new RuntimeException(e);
+            }
+        }
+
+        private String cipherName;
+        private byte[] derEncoding;
+
+        private OAEPParamsValue(String cipherName, byte[] derEncoding)
+        {
+            this.cipherName = cipherName;
+            this.derEncoding = derEncoding;
+        }
+
+        String getCipherName()
+        {
+            return cipherName;
+        }
+
+        boolean matches(RSAESOAEPparams oaepParams) throws IOException
+        {
+            return Arrays.areEqual(derEncoding, getDEREncoding(oaepParams));
+        }
+
+        private static RSAESOAEPparams createOAEPParams(ASN1ObjectIdentifier digestOID)
+        {
+            AlgorithmIdentifier hashAlgorithm = new AlgorithmIdentifier(digestOID, DERNull.INSTANCE);
+            AlgorithmIdentifier maskGenAlgorithm = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, hashAlgorithm);
+            return new RSAESOAEPparams(hashAlgorithm, maskGenAlgorithm, RSAESOAEPparams.DEFAULT_P_SOURCE_ALGORITHM);
+        }
+
+        private static byte[] getDEREncoding(RSAESOAEPparams oaepParams) throws IOException
+        {
+            return oaepParams.getEncoded(ASN1Encoding.DER);
+        }
+    }
 }

pkix/src/test/java/org/bouncycastle/cms/test/CMSTestUtil.java

@@ -53,6 +53,7 @@ public class CMSTestUtil
 {
     public static SecureRandom     rand;
     public static KeyPairGenerator kpg;
+    public static KeyPairGenerator kpg_2048;
 
     public static KeyPairGenerator gostKpg;
     public static KeyPairGenerator dsaKpg;
@@ -156,8 +157,8 @@ public class CMSTestUtil
             kpg  = KeyPairGenerator.getInstance("RSA", "BC");
             kpg.initialize(1024, rand);
 
-            kpg  = KeyPairGenerator.getInstance("RSA", "BC");
-            kpg.initialize(1024, rand);
+            kpg_2048  = KeyPairGenerator.getInstance("RSA", "BC");
+            kpg_2048.initialize(2048, rand);
 
             gostKpg  = KeyPairGenerator.getInstance("GOST3410", "BC");
             GOST3410ParameterSpec gost3410P = new GOST3410ParameterSpec(CryptoProObjectIdentifiers.gostR3410_94_CryptoPro_A.getId());
@@ -278,6 +279,11 @@ public static KeyPair makeKeyPair()
         return kpg.generateKeyPair();
     }
 
+    public static KeyPair makeKeyPair_2048()
+    {
+        return kpg_2048.generateKeyPair();
+    }
+
     public static KeyPair makeGostKeyPair()
     {
         return gostKpg.generateKeyPair();