diff options
28 files changed, 2999 insertions, 143 deletions
diff --git a/crypto-test/CryptoTest.cs b/crypto-test/CryptoTest.cs index 1f6973e28..5a411b482 100644 --- a/crypto-test/CryptoTest.cs +++ b/crypto-test/CryptoTest.cs @@ -14,27 +14,28 @@ namespace crypto_test try { - Org.BouncyCastle.Asn1.Tests.RegressionTest.Main(args); - //Org.BouncyCastle.Bcpg.OpenPgp.Tests.Dsa2Test.? - Org.BouncyCastle.Bcpg.OpenPgp.Tests.RegressionTest.Main(args); - Org.BouncyCastle.Bcpg.OpenPgp.Examples.Tests.AllTests.Main(args); - Org.BouncyCastle.Cms.Tests.AllTests.Main(args); - Org.BouncyCastle.Crypto.Tests.RegressionTest.Main(args); - Org.BouncyCastle.Crypto.IO.Tests.AllTests.Main(args); - Org.BouncyCastle.Math.Tests.AllTests.Main(args); - Org.BouncyCastle.Math.EC.Tests.AllTests.Main(args); - Org.BouncyCastle.Ocsp.Tests.AllTests.Main(args); - //Org.BouncyCastle.Pkcs.Tests.? - Org.BouncyCastle.Pkcs.Tests.EncryptedPrivateKeyInfoTest.Main(args); - Org.BouncyCastle.Pkcs.Tests.Pkcs10Test.Main(args); - Org.BouncyCastle.Pkcs.Tests.Pkcs12StoreTest.Main(args); - //Org.BouncyCastle.OpenSsl.Tests.? - Org.BouncyCastle.OpenSsl.Tests.ReaderTest.Main(args); - Org.BouncyCastle.OpenSsl.Tests.WriterTest.Main(args); - //Org.BouncyCastle.Security.Tests.? - Org.BouncyCastle.Tests.RegressionTest.Main(args); - Org.BouncyCastle.Tsp.Tests.AllTests.Main(args); - //Org.BouncyCastle.X509.Tests.? + Org.BouncyCastle.Asn1.Tests.RegressionTest.Main(args); + //Org.BouncyCastle.Bcpg.OpenPgp.Tests.Dsa2Test.? + Org.BouncyCastle.Bcpg.OpenPgp.Tests.RegressionTest.Main(args); + Org.BouncyCastle.Bcpg.OpenPgp.Examples.Tests.AllTests.Main(args); + Org.BouncyCastle.Cms.Tests.AllTests.Main(args); + Org.BouncyCastle.Crypto.Agreement.Tests.AllTests.Main(args); + Org.BouncyCastle.Crypto.Tests.RegressionTest.Main(args); + Org.BouncyCastle.Crypto.IO.Tests.AllTests.Main(args); + Org.BouncyCastle.Math.Tests.AllTests.Main(args); + Org.BouncyCastle.Math.EC.Tests.AllTests.Main(args); + Org.BouncyCastle.Ocsp.Tests.AllTests.Main(args); + //Org.BouncyCastle.Pkcs.Tests.? + Org.BouncyCastle.Pkcs.Tests.EncryptedPrivateKeyInfoTest.Main(args); + Org.BouncyCastle.Pkcs.Tests.Pkcs10Test.Main(args); + Org.BouncyCastle.Pkcs.Tests.Pkcs12StoreTest.Main(args); + //Org.BouncyCastle.OpenSsl.Tests.? + Org.BouncyCastle.OpenSsl.Tests.ReaderTest.Main(args); + Org.BouncyCastle.OpenSsl.Tests.WriterTest.Main(args); + //Org.BouncyCastle.Security.Tests.? + Org.BouncyCastle.Tests.RegressionTest.Main(args); + Org.BouncyCastle.Tsp.Tests.AllTests.Main(args); + //Org.BouncyCastle.X509.Tests.? } catch (Exception e) { diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj index df7df9f5a..b80a3fec0 100644 --- a/crypto/crypto.csproj +++ b/crypto/crypto.csproj @@ -3199,6 +3199,41 @@ BuildAction = "Compile" /> <File + RelPath = "src\crypto\agreement\jpake\JPakeParticipant.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "src\crypto\agreement\jpake\JPakePrimeOrderGroup.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "src\crypto\agreement\jpake\JPakePrimeOrderGroups.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "src\crypto\agreement\jpake\JPakeRound1Payload.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "src\crypto\agreement\jpake\JPakeRound2Payload.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "src\crypto\agreement\jpake\JPakeRound3Payload.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "src\crypto\agreement\jpake\JPakeUtilities.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File RelPath = "src\crypto\agreement\kdf\DHKdfParameters.cs" SubType = "Code" BuildAction = "Compile" @@ -10990,6 +11025,26 @@ BuildAction = "Compile" /> <File + RelPath = "test\src\crypto\agreement\test\AllTests.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "test\src\crypto\agreement\test\JPakeParticipantTest.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "test\src\crypto\agreement\test\JPakePrimeOrderGroupTest.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File + RelPath = "test\src\crypto\agreement\test\JPakeUtilitiesTest.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File RelPath = "test\src\crypto\examples\DESExample.cs" SubType = "Code" BuildAction = "Compile" diff --git a/crypto/src/crypto/agreement/jpake/JPakeParticipant.cs b/crypto/src/crypto/agreement/jpake/JPakeParticipant.cs new file mode 100755 index 000000000..794284866 --- /dev/null +++ b/crypto/src/crypto/agreement/jpake/JPakeParticipant.cs @@ -0,0 +1,456 @@ +using System; + +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Digests; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Security; + +namespace Org.BouncyCastle.Crypto.Agreement.JPake +{ + /// <summary> + /// A participant in a Password Authenticated Key Exchange by Juggling (J-PAKE) exchange. + /// + /// The J-PAKE exchange is defined by Feng Hao and Peter Ryan in the paper + /// <a href="http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf"> + /// "Password Authenticated Key Exchange by Juggling, 2008."</a> + /// + /// The J-PAKE protocol is symmetric. + /// There is no notion of a <i>client</i> or <i>server</i>, but rather just two <i>participants</i>. + /// An instance of JPakeParticipant represents one participant, and + /// is the primary interface for executing the exchange. + /// + /// To execute an exchange, construct a JPakeParticipant on each end, + /// and call the following 7 methods + /// (once and only once, in the given order, for each participant, sending messages between them as described): + /// + /// CreateRound1PayloadToSend() - and send the payload to the other participant + /// ValidateRound1PayloadReceived(JPakeRound1Payload) - use the payload received from the other participant + /// CreateRound2PayloadToSend() - and send the payload to the other participant + /// ValidateRound2PayloadReceived(JPakeRound2Payload) - use the payload received from the other participant + /// CalculateKeyingMaterial() + /// CreateRound3PayloadToSend(BigInteger) - and send the payload to the other participant + /// ValidateRound3PayloadReceived(JPakeRound3Payload, BigInteger) - use the payload received from the other participant + /// + /// Each side should derive a session key from the keying material returned by CalculateKeyingMaterial(). + /// The caller is responsible for deriving the session key using a secure key derivation function (KDF). + /// + /// Round 3 is an optional key confirmation process. + /// If you do not execute round 3, then there is no assurance that both participants are using the same key. + /// (i.e. if the participants used different passwords, then their session keys will differ.) + /// + /// If the round 3 validation succeeds, then the keys are guaranteed to be the same on both sides. + /// + /// The symmetric design can easily support the asymmetric cases when one party initiates the communication. + /// e.g. Sometimes the round1 payload and round2 payload may be sent in one pass. + /// Also, in some cases, the key confirmation payload can be sent together with the round2 payload. + /// These are the trivial techniques to optimize the communication. + /// + /// The key confirmation process is implemented as specified in + /// <a href="http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf">NIST SP 800-56A Revision 1</a>, + /// Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes. + /// + /// This class is stateful and NOT threadsafe. + /// Each instance should only be used for ONE complete J-PAKE exchange + /// (i.e. a new JPakeParticipant should be constructed for each new J-PAKE exchange). + /// </summary> + public class JPakeParticipant + { + // Possible internal states. Used for state checking. + public static readonly int STATE_INITIALIZED = 0; + public static readonly int STATE_ROUND_1_CREATED = 10; + public static readonly int STATE_ROUND_1_VALIDATED = 20; + public static readonly int STATE_ROUND_2_CREATED = 30; + public static readonly int STATE_ROUND_2_VALIDATED = 40; + public static readonly int STATE_KEY_CALCULATED = 50; + public static readonly int STATE_ROUND_3_CREATED = 60; + public static readonly int STATE_ROUND_3_VALIDATED = 70; + + // Unique identifier of this participant. + // The two participants in the exchange must NOT share the same id. + private string participantId; + + // Shared secret. This only contains the secret between construction + // and the call to CalculateKeyingMaterial(). + // + // i.e. When CalculateKeyingMaterial() is called, this buffer overwritten with 0's, + // and the field is set to null. + private char[] password; + + // Digest to use during calculations. + private IDigest digest; + + // Source of secure random data. + private readonly SecureRandom random; + + private readonly BigInteger p; + private readonly BigInteger q; + private readonly BigInteger g; + + // The participantId of the other participant in this exchange. + private string partnerParticipantId; + + // Alice's x1 or Bob's x3. + private BigInteger x1; + // Alice's x2 or Bob's x4. + private BigInteger x2; + // Alice's g^x1 or Bob's g^x3. + private BigInteger gx1; + // Alice's g^x2 or Bob's g^x4. + private BigInteger gx2; + // Alice's g^x3 or Bob's g^x1. + private BigInteger gx3; + // Alice's g^x4 or Bob's g^x2. + private BigInteger gx4; + // Alice's B or Bob's A. + private BigInteger b; + + // The current state. + // See the <tt>STATE_*</tt> constants for possible values. + private int state; + + /// <summary> + /// Convenience constructor for a new JPakeParticipant that uses + /// the JPakePrimeOrderGroups#NIST_3072 prime order group, + /// a SHA-256 digest, and a default SecureRandom implementation. + /// + /// After construction, the State state will be STATE_INITIALIZED. + /// + /// Throws NullReferenceException if any argument is null. Throws + /// ArgumentException if password is empty. + /// </summary> + /// <param name="participantId">Unique identifier of this participant. + /// The two participants in the exchange must NOT share the same id.</param> + /// <param name="password">Shared secret. + /// A defensive copy of this array is made (and cleared once CalculateKeyingMaterial() is called). + /// Caller should clear the input password as soon as possible.</param> + public JPakeParticipant(string participantId, char[] password) + : this(participantId, password, JPakePrimeOrderGroups.NIST_3072) { } + + /// <summary> + /// Convenience constructor for a new JPakeParticipant that uses + /// a SHA-256 digest, and a default SecureRandom implementation. + /// + /// After construction, the State state will be STATE_INITIALIZED. + /// + /// Throws NullReferenceException if any argument is null. Throws + /// ArgumentException if password is empty. + /// </summary> + /// <param name="participantId">Unique identifier of this participant. + /// The two participants in the exchange must NOT share the same id.</param> + /// <param name="password">Shared secret. + /// A defensive copy of this array is made (and cleared once CalculateKeyingMaterial() is called). + /// Caller should clear the input password as soon as possible.</param> + /// <param name="group">Prime order group. See JPakePrimeOrderGroups for standard groups.</param> + public JPakeParticipant(string participantId, char[] password, JPakePrimeOrderGroup group) + : this(participantId, password, group, new Sha256Digest(), new SecureRandom()) { } + + + /// <summary> + /// Constructor for a new JPakeParticipant. + /// + /// After construction, the State state will be STATE_INITIALIZED. + /// + /// Throws NullReferenceException if any argument is null. Throws + /// ArgumentException if password is empty. + /// </summary> + /// <param name="participantId">Unique identifier of this participant. + /// The two participants in the exchange must NOT share the same id.</param> + /// <param name="password">Shared secret. + /// A defensive copy of this array is made (and cleared once CalculateKeyingMaterial() is called). + /// Caller should clear the input password as soon as possible.</param> + /// <param name="group">Prime order group. See JPakePrimeOrderGroups for standard groups.</param> + /// <param name="digest">Digest to use during zero knowledge proofs and key confirmation + /// (SHA-256 or stronger preferred).</param> + /// <param name="random">Source of secure random data for x1 and x2, and for the zero knowledge proofs.</param> + public JPakeParticipant(string participantId, char[] password, JPakePrimeOrderGroup group, IDigest digest, SecureRandom random) + { + JPakeUtilities.ValidateNotNull(participantId, "participantId"); + JPakeUtilities.ValidateNotNull(password, "password"); + JPakeUtilities.ValidateNotNull(group, "p"); + JPakeUtilities.ValidateNotNull(digest, "digest"); + JPakeUtilities.ValidateNotNull(random, "random"); + + if (password.Length == 0) + { + throw new ArgumentException("Password must not be empty."); + } + + this.participantId = participantId; + + // Create a defensive copy so as to fully encapsulate the password. + // + // This array will contain the password for the lifetime of this + // participant BEFORE CalculateKeyingMaterial() is called. + // + // i.e. When CalculateKeyingMaterial() is called, the array will be cleared + // in order to remove the password from memory. + // + // The caller is responsible for clearing the original password array + // given as input to this constructor. + this.password = new char[password.Length]; + Array.Copy(password, this.password, password.Length); + + this.p = group.P; + this.q = group.Q; + this.g = group.G; + + this.digest = digest; + this.random = random; + + this.state = STATE_INITIALIZED; + } + + /// <summary> + /// Gets the current state of this participant. + /// See the <tt>STATE_*</tt> constants for possible values. + /// </summary> + public virtual int State + { + get { return state; } + } + + + /// <summary> + /// Creates and returns the payload to send to the other participant during round 1. + /// + /// After execution, the State state} will be STATE_ROUND_1_CREATED}. + /// </summary> + public virtual JPakeRound1Payload CreateRound1PayloadToSend() + { + if (this.state >= STATE_ROUND_1_CREATED) + throw new InvalidOperationException("Round 1 payload already created for " + this.participantId); + + this.x1 = JPakeUtilities.GenerateX1(q, random); + this.x2 = JPakeUtilities.GenerateX2(q, random); + + this.gx1 = JPakeUtilities.CalculateGx(p, g, x1); + this.gx2 = JPakeUtilities.CalculateGx(p, g, x2); + BigInteger[] knowledgeProofForX1 = JPakeUtilities.CalculateZeroKnowledgeProof(p, q, g, gx1, x1, participantId, digest, random); + BigInteger[] knowledgeProofForX2 = JPakeUtilities.CalculateZeroKnowledgeProof(p, q, g, gx2, x2, participantId, digest, random); + + this.state = STATE_ROUND_1_CREATED; + + return new JPakeRound1Payload(participantId, gx1, gx2, knowledgeProofForX1, knowledgeProofForX2); + } + + /// <summary> + /// Validates the payload received from the other participant during round 1. + /// + /// Must be called prior to CreateRound2PayloadToSend(). + /// + /// After execution, the State state will be STATE_ROUND_1_VALIDATED. + /// + /// Throws CryptoException if validation fails. Throws InvalidOperationException + /// if called multiple times. + /// </summary> + public virtual void ValidateRound1PayloadReceived(JPakeRound1Payload round1PayloadReceived) + { + if (this.state >= STATE_ROUND_1_VALIDATED) + throw new InvalidOperationException("Validation already attempted for round 1 payload for " + this.participantId); + + this.partnerParticipantId = round1PayloadReceived.ParticipantId; + this.gx3 = round1PayloadReceived.Gx1; + this.gx4 = round1PayloadReceived.Gx2; + + BigInteger[] knowledgeProofForX3 = round1PayloadReceived.KnowledgeProofForX1; + BigInteger[] knowledgeProofForX4 = round1PayloadReceived.KnowledgeProofForX2; + + JPakeUtilities.ValidateParticipantIdsDiffer(participantId, round1PayloadReceived.ParticipantId); + JPakeUtilities.ValidateGx4(gx4); + JPakeUtilities.ValidateZeroKnowledgeProof(p, q, g, gx3, knowledgeProofForX3, round1PayloadReceived.ParticipantId, digest); + JPakeUtilities.ValidateZeroKnowledgeProof(p, q, g, gx4, knowledgeProofForX4, round1PayloadReceived.ParticipantId, digest); + this.state = STATE_ROUND_1_VALIDATED; + } + + /// <summary> + /// Creates and returns the payload to send to the other participant during round 2. + /// + /// ValidateRound1PayloadReceived(JPakeRound1Payload) must be called prior to this method. + /// + /// After execution, the State state will be STATE_ROUND_2_CREATED. + /// + /// Throws InvalidOperationException if called prior to ValidateRound1PayloadReceived(JPakeRound1Payload), or multiple times + /// </summary> + public virtual JPakeRound2Payload CreateRound2PayloadToSend() + { + if (this.state >= STATE_ROUND_2_CREATED) + throw new InvalidOperationException("Round 2 payload already created for " + this.participantId); + if (this.state < STATE_ROUND_1_VALIDATED) + throw new InvalidOperationException("Round 1 payload must be validated prior to creating round 2 payload for " + this.participantId); + + BigInteger gA = JPakeUtilities.CalculateGA(p, gx1, gx3, gx4); + BigInteger s = JPakeUtilities.CalculateS(password); + BigInteger x2s = JPakeUtilities.CalculateX2s(q, x2, s); + BigInteger A = JPakeUtilities.CalculateA(p, q, gA, x2s); + BigInteger[] knowledgeProofForX2s = JPakeUtilities.CalculateZeroKnowledgeProof(p, q, gA, A, x2s, participantId, digest, random); + + this.state = STATE_ROUND_2_CREATED; + + return new JPakeRound2Payload(participantId, A, knowledgeProofForX2s); + } + + /// <summary> + /// Validates the payload received from the other participant during round 2. + /// Note that this DOES NOT detect a non-common password. + /// The only indication of a non-common password is through derivation + /// of different keys (which can be detected explicitly by executing round 3 and round 4) + /// + /// Must be called prior to CalculateKeyingMaterial(). + /// + /// After execution, the State state will be STATE_ROUND_2_VALIDATED. + /// + /// Throws CryptoException if validation fails. Throws + /// InvalidOperationException if called prior to ValidateRound1PayloadReceived(JPakeRound1Payload), or multiple times + /// </summary> + public virtual void ValidateRound2PayloadReceived(JPakeRound2Payload round2PayloadReceived) + { + if (this.state >= STATE_ROUND_2_VALIDATED) + throw new InvalidOperationException("Validation already attempted for round 2 payload for " + this.participantId); + if (this.state < STATE_ROUND_1_VALIDATED) + throw new InvalidOperationException("Round 1 payload must be validated prior to validation round 2 payload for " + this.participantId); + + BigInteger gB = JPakeUtilities.CalculateGA(p, gx3, gx1, gx2); + this.b = round2PayloadReceived.A; + BigInteger[] knowledgeProofForX4s = round2PayloadReceived.KnowledgeProofForX2s; + + JPakeUtilities.ValidateParticipantIdsDiffer(participantId, round2PayloadReceived.ParticipantId); + JPakeUtilities.ValidateParticipantIdsEqual(this.partnerParticipantId, round2PayloadReceived.ParticipantId); + JPakeUtilities.ValidateGa(gB); + JPakeUtilities.ValidateZeroKnowledgeProof(p, q, gB, b, knowledgeProofForX4s, round2PayloadReceived.ParticipantId, digest); + + this.state = STATE_ROUND_2_VALIDATED; + } + + /// <summary> + /// Calculates and returns the key material. + /// A session key must be derived from this key material using a secure key derivation function (KDF). + /// The KDF used to derive the key is handled externally (i.e. not by JPakeParticipant). + /// + /// The keying material will be identical for each participant if and only if + /// each participant's password is the same. i.e. If the participants do not + /// share the same password, then each participant will derive a different key. + /// Therefore, if you immediately start using a key derived from + /// the keying material, then you must handle detection of incorrect keys. + /// If you want to handle this detection explicitly, you can optionally perform + /// rounds 3 and 4. See JPakeParticipant for details on how to execute + /// rounds 3 and 4. + /// + /// The keying material will be in the range <tt>[0, p-1]</tt>. + /// + /// ValidateRound2PayloadReceived(JPakeRound2Payload) must be called prior to this method. + /// + /// As a side effect, the internal password array is cleared, since it is no longer needed. + /// + /// After execution, the State state will be STATE_KEY_CALCULATED. + /// + /// Throws InvalidOperationException if called prior to ValidateRound2PayloadReceived(JPakeRound2Payload), + /// or if called multiple times. + /// </summary> + public virtual BigInteger CalculateKeyingMaterial() + { + if (this.state >= STATE_KEY_CALCULATED) + throw new InvalidOperationException("Key already calculated for " + participantId); + if (this.state < STATE_ROUND_2_VALIDATED) + throw new InvalidOperationException("Round 2 payload must be validated prior to creating key for " + participantId); + + BigInteger s = JPakeUtilities.CalculateS(password); + + // Clear the password array from memory, since we don't need it anymore. + // Also set the field to null as a flag to indicate that the key has already been calculated. + Array.Clear(password, 0, password.Length); + this.password = null; + + BigInteger keyingMaterial = JPakeUtilities.CalculateKeyingMaterial(p, q, gx4, x2, s, b); + + // Clear the ephemeral private key fields as well. + // Note that we're relying on the garbage collector to do its job to clean these up. + // The old objects will hang around in memory until the garbage collector destroys them. + // + // If the ephemeral private keys x1 and x2 are leaked, + // the attacker might be able to brute-force the password. + this.x1 = null; + this.x2 = null; + this.b = null; + + // Do not clear gx* yet, since those are needed by round 3. + + this.state = STATE_KEY_CALCULATED; + + return keyingMaterial; + } + + /// <summary> + /// Creates and returns the payload to send to the other participant during round 3. + /// + /// See JPakeParticipant for more details on round 3. + /// + /// After execution, the State state} will be STATE_ROUND_3_CREATED. + /// Throws InvalidOperationException if called prior to CalculateKeyingMaterial, or multiple + /// times. + /// </summary> + /// <param name="keyingMaterial">The keying material as returned from CalculateKeyingMaterial().</param> + public virtual JPakeRound3Payload CreateRound3PayloadToSend(BigInteger keyingMaterial) + { + if (this.state >= STATE_ROUND_3_CREATED) + throw new InvalidOperationException("Round 3 payload already created for " + this.participantId); + if (this.state < STATE_KEY_CALCULATED) + throw new InvalidOperationException("Keying material must be calculated prior to creating round 3 payload for " + this.participantId); + + BigInteger macTag = JPakeUtilities.CalculateMacTag( + this.participantId, + this.partnerParticipantId, + this.gx1, + this.gx2, + this.gx3, + this.gx4, + keyingMaterial, + this.digest); + + this.state = STATE_ROUND_3_CREATED; + + return new JPakeRound3Payload(participantId, macTag); + } + + /// <summary> + /// Validates the payload received from the other participant during round 3. + /// + /// See JPakeParticipant for more details on round 3. + /// + /// After execution, the State state will be STATE_ROUND_3_VALIDATED. + /// + /// Throws CryptoException if validation fails. Throws InvalidOperationException if called prior to + /// CalculateKeyingMaterial or multiple times + /// </summary> + /// <param name="round3PayloadReceived">The round 3 payload received from the other participant.</param> + /// <param name="keyingMaterial">The keying material as returned from CalculateKeyingMaterial().</param> + public virtual void ValidateRound3PayloadReceived(JPakeRound3Payload round3PayloadReceived, BigInteger keyingMaterial) + { + if (this.state >= STATE_ROUND_3_VALIDATED) + throw new InvalidOperationException("Validation already attempted for round 3 payload for " + this.participantId); + if (this.state < STATE_KEY_CALCULATED) + throw new InvalidOperationException("Keying material must be calculated prior to validating round 3 payload for " + this.participantId); + + JPakeUtilities.ValidateParticipantIdsDiffer(participantId, round3PayloadReceived.ParticipantId); + JPakeUtilities.ValidateParticipantIdsEqual(this.partnerParticipantId, round3PayloadReceived.ParticipantId); + + JPakeUtilities.ValidateMacTag( + this.participantId, + this.partnerParticipantId, + this.gx1, + this.gx2, + this.gx3, + this.gx4, + keyingMaterial, + this.digest, + round3PayloadReceived.MacTag); + + // Clear the rest of the fields. + this.gx1 = null; + this.gx2 = null; + this.gx3 = null; + this.gx4 = null; + + this.state = STATE_ROUND_3_VALIDATED; + } + } +} diff --git a/crypto/src/crypto/agreement/jpake/JPakePrimeOrderGroup.cs b/crypto/src/crypto/agreement/jpake/JPakePrimeOrderGroup.cs new file mode 100755 index 000000000..08ffe1a55 --- /dev/null +++ b/crypto/src/crypto/agreement/jpake/JPakePrimeOrderGroup.cs @@ -0,0 +1,103 @@ +using System; + +using Org.BouncyCastle.Math; + +namespace Org.BouncyCastle.Crypto.Agreement.JPake +{ + /// <summary> + /// A pre-computed prime order group for use during a J-PAKE exchange. + /// + /// Typically a Schnorr group is used. In general, J-PAKE can use any prime order group + /// that is suitable for public key cryptography, including elliptic curve cryptography. + /// + /// See JPakePrimeOrderGroups for convenient standard groups. + /// + /// NIST <a href="http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/DSA2_All.pdf">publishes</a> + /// many groups that can be used for the desired level of security. + /// </summary> + public class JPakePrimeOrderGroup + { + private readonly BigInteger p; + private readonly BigInteger q; + private readonly BigInteger g; + + /// <summary> + /// Constructs a new JPakePrimeOrderGroup. + /// + /// In general, you should use one of the pre-approved groups from + /// JPakePrimeOrderGroups, rather than manually constructing one. + /// + /// The following basic checks are performed: + /// + /// p-1 must be evenly divisible by q + /// g must be in [2, p-1] + /// g^q mod p must equal 1 + /// p must be prime (within reasonably certainty) + /// q must be prime (within reasonably certainty) + /// + /// The prime checks are performed using BigInteger#isProbablePrime(int), + /// and are therefore subject to the same probability guarantees. + /// + /// These checks prevent trivial mistakes. + /// However, due to the small uncertainties if p and q are not prime, + /// advanced attacks are not prevented. + /// Use it at your own risk. + /// + /// Throws NullReferenceException if any argument is null. Throws + /// InvalidOperationException is any of the above validations fail. + /// </summary> + public JPakePrimeOrderGroup(BigInteger p, BigInteger q, BigInteger g) + : this(p, q, g, false) + { + // Don't skip the checks on user-specified groups. + } + + /// <summary> + /// Constructor used by the pre-approved groups in JPakePrimeOrderGroups. + /// These pre-approved groups can avoid the expensive checks. + /// User-specified groups should not use this constructor. + /// </summary> + public JPakePrimeOrderGroup(BigInteger p, BigInteger q, BigInteger g, bool skipChecks) + { + JPakeUtilities.ValidateNotNull(p, "p"); + JPakeUtilities.ValidateNotNull(q, "q"); + JPakeUtilities.ValidateNotNull(g, "g"); + + if (!skipChecks) + { + if (!p.Subtract(JPakeUtilities.One).Mod(q).Equals(JPakeUtilities.Zero)) + throw new ArgumentException("p-1 must be evenly divisible by q"); + if (g.CompareTo(BigInteger.Two) == -1 || g.CompareTo(p.Subtract(JPakeUtilities.One)) == 1) + throw new ArgumentException("g must be in [2, p-1]"); + if (!g.ModPow(q, p).Equals(JPakeUtilities.One)) + throw new ArgumentException("g^q mod p must equal 1"); + + // Note these checks do not guarantee that p and q are prime. + // We just have reasonable certainty that they are prime. + if (!p.IsProbablePrime(20)) + throw new ArgumentException("p must be prime"); + if (!q.IsProbablePrime(20)) + throw new ArgumentException("q must be prime"); + } + + this.p = p; + this.q = q; + this.g = g; + } + + public virtual BigInteger P + { + get { return p; } + } + + public virtual BigInteger Q + { + get { return q; } + } + + public virtual BigInteger G + { + get { return g; } + } + } +} diff --git a/crypto/src/crypto/agreement/jpake/JPakePrimeOrderGroups.cs b/crypto/src/crypto/agreement/jpake/JPakePrimeOrderGroups.cs new file mode 100755 index 000000000..192cd2b51 --- /dev/null +++ b/crypto/src/crypto/agreement/jpake/JPakePrimeOrderGroups.cs @@ -0,0 +1,108 @@ +using Org.BouncyCastle.Math; + +namespace Org.BouncyCastle.Crypto.Agreement.JPake +{ + /// <summary> + /// Standard pre-computed prime order groups for use by J-PAKE. + /// (J-PAKE can use pre-computed prime order groups, same as DSA and Diffie-Hellman.) + /// <p/> + /// This class contains some convenient constants for use as input for + /// constructing {@link JPAKEParticipant}s. + /// <p/> + /// The prime order groups below are taken from Sun's JDK JavaDoc (docs/guide/security/CryptoSpec.html#AppB), + /// and from the prime order groups + /// <a href="http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/DSA2_All.pdf">published by NIST</a>. + /// </summary> + public class JPakePrimeOrderGroups + { + /// <summary> + /// From Sun's JDK JavaDoc (docs/guide/security/CryptoSpec.html#AppB) + /// 1024-bit p, 160-bit q and 1024-bit g for 80-bit security. + /// </summary> + public static readonly JPakePrimeOrderGroup SUN_JCE_1024 = new JPakePrimeOrderGroup( + // p + new BigInteger( + "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669" + + "455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b7" + + "6b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb" + + "83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7", 16), + // q + new BigInteger("9760508f15230bccb292b982a2eb840bf0581cf5", 16), + // g + new BigInteger( + "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d078267" + + "5159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e1" + + "3c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243b" + + "cca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a", 16), + true + ); + + /// <summary> + /// From NIST. + /// 2048-bit p, 224-bit q and 2048-bit g for 112-bit security. + /// </summary> + public static readonly JPakePrimeOrderGroup NIST_2048 = new JPakePrimeOrderGroup( + // p + new BigInteger( + "C196BA05AC29E1F9C3C72D56DFFC6154A033F1477AC88EC37F09BE6C5BB95F51" + + "C296DD20D1A28A067CCC4D4316A4BD1DCA55ED1066D438C35AEBAABF57E7DAE4" + + "28782A95ECA1C143DB701FD48533A3C18F0FE23557EA7AE619ECACC7E0B51652" + + "A8776D02A425567DED36EABD90CA33A1E8D988F0BBB92D02D1D20290113BB562" + + "CE1FC856EEB7CDD92D33EEA6F410859B179E7E789A8F75F645FAE2E136D252BF" + + "FAFF89528945C1ABE705A38DBC2D364AADE99BE0D0AAD82E5320121496DC65B3" + + "930E38047294FF877831A16D5228418DE8AB275D7D75651CEFED65F78AFC3EA7" + + "FE4D79B35F62A0402A1117599ADAC7B269A59F353CF450E6982D3B1702D9CA83", 16), + // q + new BigInteger("90EAF4D1AF0708B1B612FF35E0A2997EB9E9D263C9CE659528945C0D", 16), + // g + new BigInteger( + "A59A749A11242C58C894E9E5A91804E8FA0AC64B56288F8D47D51B1EDC4D6544" + + "4FECA0111D78F35FC9FDD4CB1F1B79A3BA9CBEE83A3F811012503C8117F98E50" + + "48B089E387AF6949BF8784EBD9EF45876F2E6A5A495BE64B6E770409494B7FEE" + + "1DBB1E4B2BC2A53D4F893D418B7159592E4FFFDF6969E91D770DAEBD0B5CB14C" + + "00AD68EC7DC1E5745EA55C706C4A1C5C88964E34D09DEB753AD418C1AD0F4FDF" + + "D049A955E5D78491C0B7A2F1575A008CCD727AB376DB6E695515B05BD412F5B8" + + "C2F4C77EE10DA48ABD53F5DD498927EE7B692BBBCDA2FB23A516C5B4533D7398" + + "0B2A3B60E384ED200AE21B40D273651AD6060C13D97FD69AA13C5611A51B9085", 16), + true + ); + + /// <summary> + /// From NIST. + /// 3072-bit p, 256-bit q and 3072-bit g for 128-bit security. + /// </summary> + public static readonly JPakePrimeOrderGroup NIST_3072 = new JPakePrimeOrderGroup( + // p + new BigInteger( + "90066455B5CFC38F9CAA4A48B4281F292C260FEEF01FD61037E56258A7795A1C" + + "7AD46076982CE6BB956936C6AB4DCFE05E6784586940CA544B9B2140E1EB523F" + + "009D20A7E7880E4E5BFA690F1B9004A27811CD9904AF70420EEFD6EA11EF7DA1" + + "29F58835FF56B89FAA637BC9AC2EFAAB903402229F491D8D3485261CD068699B" + + "6BA58A1DDBBEF6DB51E8FE34E8A78E542D7BA351C21EA8D8F1D29F5D5D159394" + + "87E27F4416B0CA632C59EFD1B1EB66511A5A0FBF615B766C5862D0BD8A3FE7A0" + + "E0DA0FB2FE1FCB19E8F9996A8EA0FCCDE538175238FC8B0EE6F29AF7F642773E" + + "BE8CD5402415A01451A840476B2FCEB0E388D30D4B376C37FE401C2A2C2F941D" + + "AD179C540C1C8CE030D460C4D983BE9AB0B20F69144C1AE13F9383EA1C08504F" + + "B0BF321503EFE43488310DD8DC77EC5B8349B8BFE97C2C560EA878DE87C11E3D" + + "597F1FEA742D73EEC7F37BE43949EF1A0D15C3F3E3FC0A8335617055AC91328E" + + "C22B50FC15B941D3D1624CD88BC25F3E941FDDC6200689581BFEC416B4B2CB73", 16), + // q + new BigInteger("CFA0478A54717B08CE64805B76E5B14249A77A4838469DF7F7DC987EFCCFB11D", 16), + // g + new BigInteger( + "5E5CBA992E0A680D885EB903AEA78E4A45A469103D448EDE3B7ACCC54D521E37" + + "F84A4BDD5B06B0970CC2D2BBB715F7B82846F9A0C393914C792E6A923E2117AB" + + "805276A975AADB5261D91673EA9AAFFEECBFA6183DFCB5D3B7332AA19275AFA1" + + "F8EC0B60FB6F66CC23AE4870791D5982AAD1AA9485FD8F4A60126FEB2CF05DB8" + + "A7F0F09B3397F3937F2E90B9E5B9C9B6EFEF642BC48351C46FB171B9BFA9EF17" + + "A961CE96C7E7A7CC3D3D03DFAD1078BA21DA425198F07D2481622BCE45969D9C" + + "4D6063D72AB7A0F08B2F49A7CC6AF335E08C4720E31476B67299E231F8BD90B3" + + "9AC3AE3BE0C6B6CACEF8289A2E2873D58E51E029CAFBD55E6841489AB66B5B4B" + + "9BA6E2F784660896AFF387D92844CCB8B69475496DE19DA2E58259B090489AC8" + + "E62363CDF82CFD8EF2A427ABCD65750B506F56DDE3B988567A88126B914D7828" + + "E2B63A6D7ED0747EC59E0E0A23CE7D8A74C1D2C2A7AFB6A29799620F00E11C33" + + "787F7DED3B30E1A22D09F1FBDA1ABBBFBF25CAE05A13F812E34563F99410E73B", 16), + true + ); + } +} diff --git a/crypto/src/crypto/agreement/jpake/JPakeRound1Payload.cs b/crypto/src/crypto/agreement/jpake/JPakeRound1Payload.cs new file mode 100755 index 000000000..9e4ab7a5f --- /dev/null +++ b/crypto/src/crypto/agreement/jpake/JPakeRound1Payload.cs @@ -0,0 +1,101 @@ +using System; + +using Org.BouncyCastle.Math; + +namespace Org.BouncyCastle.Crypto.Agreement.JPake +{ + /// <summary> + /// The payload sent/received during the first round of a J-PAKE exchange. + /// + /// Each JPAKEParticipant creates and sends an instance of this payload to + /// the other. The payload to send should be created via + /// JPAKEParticipant.CreateRound1PayloadToSend(). + /// + /// Each participant must also validate the payload received from the other. + /// The received payload should be validated via + /// JPAKEParticipant.ValidateRound1PayloadReceived(JPakeRound1Payload). + /// </summary> + public class JPakeRound1Payload + { + /// <summary> + /// The id of the JPAKEParticipant who created/sent this payload. + /// </summary> + private readonly string participantId; + + /// <summary> + /// The value of g^x1 + /// </summary> + private readonly BigInteger gx1; + + /// <summary> + /// The value of g^x2 + /// </summary> + private readonly BigInteger gx2; + + /// <summary> + /// The zero knowledge proof for x1. + /// + /// This is a two element array, containing {g^v, r} for x1. + /// </summary> + private readonly BigInteger[] knowledgeProofForX1; + + /// <summary> + /// The zero knowledge proof for x2. + /// + /// This is a two element array, containing {g^v, r} for x2. + /// </summary> + private readonly BigInteger[] knowledgeProofForX2; + + public JPakeRound1Payload(string participantId, BigInteger gx1, BigInteger gx2, BigInteger[] knowledgeProofForX1, BigInteger[] knowledgeProofForX2) + { + JPakeUtilities.ValidateNotNull(participantId, "participantId"); + JPakeUtilities.ValidateNotNull(gx1, "gx1"); + JPakeUtilities.ValidateNotNull(gx2, "gx2"); + JPakeUtilities.ValidateNotNull(knowledgeProofForX1, "knowledgeProofForX1"); + JPakeUtilities.ValidateNotNull(knowledgeProofForX2, "knowledgeProofForX2"); + + this.participantId = participantId; + this.gx1 = gx1; + this.gx2 = gx2; + this.knowledgeProofForX1 = new BigInteger[knowledgeProofForX1.Length]; + Array.Copy(knowledgeProofForX1, this.knowledgeProofForX1, knowledgeProofForX1.Length); + this.knowledgeProofForX2 = new BigInteger[knowledgeProofForX2.Length]; + Array.Copy(knowledgeProofForX2, this.knowledgeProofForX2, knowledgeProofForX2.Length); + } + + public virtual string ParticipantId + { + get { return participantId; } + } + + public virtual BigInteger Gx1 + { + get { return gx1; } + } + + public virtual BigInteger Gx2 + { + get { return gx2; } + } + + public virtual BigInteger[] KnowledgeProofForX1 + { + get + { + BigInteger[] kp = new BigInteger[knowledgeProofForX1.Length]; + Array.Copy(knowledgeProofForX1, kp, knowledgeProofForX1.Length); + return kp; + } + } + + public virtual BigInteger[] KnowledgeProofForX2 + { + get + { + BigInteger[] kp = new BigInteger[knowledgeProofForX2.Length]; + Array.Copy(knowledgeProofForX2, kp, knowledgeProofForX2.Length); + return kp; + } + } + } +} diff --git a/crypto/src/crypto/agreement/jpake/JPakeRound2Payload.cs b/crypto/src/crypto/agreement/jpake/JPakeRound2Payload.cs new file mode 100755 index 000000000..47962cb3f --- /dev/null +++ b/crypto/src/crypto/agreement/jpake/JPakeRound2Payload.cs @@ -0,0 +1,72 @@ +using System; + +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Utilities; + +namespace Org.BouncyCastle.Crypto.Agreement.JPake +{ + /// <summary> + /// The payload sent/received during the second round of a J-PAKE exchange. + /// + /// Each JPAKEParticipant creates and sends an instance + /// of this payload to the other JPAKEParticipant. + /// The payload to send should be created via + /// JPAKEParticipant#createRound2PayloadToSend() + /// + /// Each JPAKEParticipant must also validate the payload + /// received from the other JPAKEParticipant. + /// The received payload should be validated via + /// JPAKEParticipant#validateRound2PayloadReceived(JPakeRound2Payload) + /// </summary> + public class JPakeRound2Payload + { + /// <summary> + /// The id of the JPAKEParticipant who created/sent this payload. + /// </summary> + private readonly string participantId; + + /// <summary> + /// The value of A, as computed during round 2. + /// </summary> + private readonly BigInteger a; + + /// <summary> + /// The zero knowledge proof for x2 * s. + /// + /// This is a two element array, containing {g^v, r} for x2 * s. + /// </summary> + private readonly BigInteger[] knowledgeProofForX2s; + + public JPakeRound2Payload(string participantId, BigInteger a, BigInteger[] knowledgeProofForX2s) + { + JPakeUtilities.ValidateNotNull(participantId, "participantId"); + JPakeUtilities.ValidateNotNull(a, "a"); + JPakeUtilities.ValidateNotNull(knowledgeProofForX2s, "knowledgeProofForX2s"); + + this.participantId = participantId; + this.a = a; + this.knowledgeProofForX2s = new BigInteger[knowledgeProofForX2s.Length]; + knowledgeProofForX2s.CopyTo(this.knowledgeProofForX2s, 0); + } + + public virtual string ParticipantId + { + get { return participantId; } + } + + public virtual BigInteger A + { + get { return a; } + } + + public virtual BigInteger[] KnowledgeProofForX2s + { + get + { + BigInteger[] kp = new BigInteger[knowledgeProofForX2s.Length]; + Array.Copy(knowledgeProofForX2s, kp, knowledgeProofForX2s.Length); + return kp; + } + } + } +} diff --git a/crypto/src/crypto/agreement/jpake/JPakeRound3Payload.cs b/crypto/src/crypto/agreement/jpake/JPakeRound3Payload.cs new file mode 100755 index 000000000..767702f23 --- /dev/null +++ b/crypto/src/crypto/agreement/jpake/JPakeRound3Payload.cs @@ -0,0 +1,51 @@ +using System; + +using Org.BouncyCastle.Math; + +namespace Org.BouncyCastle.Crypto.Agreement.JPake +{ + /// <summary> + /// The payload sent/received during the optional third round of a J-PAKE exchange, + /// which is for explicit key confirmation. + /// + /// Each JPAKEParticipant creates and sends an instance + /// of this payload to the other JPAKEParticipant. + /// The payload to send should be created via + /// JPAKEParticipant#createRound3PayloadToSend(BigInteger) + /// + /// Eeach JPAKEParticipant must also validate the payload + /// received from the other JPAKEParticipant. + /// The received payload should be validated via + /// JPAKEParticipant#validateRound3PayloadReceived(JPakeRound3Payload, BigInteger) + /// </summary> + public class JPakeRound3Payload + { + /// <summary> + /// The id of the {@link JPAKEParticipant} who created/sent this payload. + /// </summary> + private readonly string participantId; + + /// <summary> + /// The value of MacTag, as computed by round 3. + /// + /// See JPAKEUtil#calculateMacTag(string, string, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, org.bouncycastle.crypto.Digest) + /// </summary> + private readonly BigInteger macTag; + + public JPakeRound3Payload(string participantId, BigInteger magTag) + { + this.participantId = participantId; + this.macTag = magTag; + } + + public virtual string ParticipantId + { + get { return participantId; } + } + + public virtual BigInteger MacTag + { + get { return macTag; } + } + } +} diff --git a/crypto/src/crypto/agreement/jpake/JPakeUtilities.cs b/crypto/src/crypto/agreement/jpake/JPakeUtilities.cs new file mode 100644 index 000000000..b23518a8c --- /dev/null +++ b/crypto/src/crypto/agreement/jpake/JPakeUtilities.cs @@ -0,0 +1,390 @@ +using System; +using System.Text; + +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Macs; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Crypto.Utilities; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities; + +namespace Org.BouncyCastle.Crypto.Agreement.JPake +{ + /// <summary> + /// Primitives needed for a J-PAKE exchange. + /// + /// The recommended way to perform a J-PAKE exchange is by using + /// two JPAKEParticipants. Internally, those participants + /// call these primitive operations in JPakeUtilities. + /// + /// The primitives, however, can be used without a JPAKEParticipant if needed. + /// </summary> + public abstract class JPakeUtilities + { + public static readonly BigInteger Zero = BigInteger.Zero; + public static readonly BigInteger One = BigInteger.One; + + /// <summary> + /// Return a value that can be used as x1 or x3 during round 1. + /// The returned value is a random value in the range [0, q-1]. + /// </summary> + public static BigInteger GenerateX1(BigInteger q, SecureRandom random) + { + BigInteger min = Zero; + BigInteger max = q.Subtract(One); + return BigIntegers.CreateRandomInRange(min, max, random); + } + + /// <summary> + /// Return a value that can be used as x2 or x4 during round 1. + /// The returned value is a random value in the range [1, q-1]. + /// </summary> + public static BigInteger GenerateX2(BigInteger q, SecureRandom random) + { + BigInteger min = One; + BigInteger max = q.Subtract(One); + return BigIntegers.CreateRandomInRange(min, max, random); + } + + /// <summary> + /// Converts the given password to a BigInteger + /// for use in arithmetic calculations. + /// </summary> + public static BigInteger CalculateS(char[] password) + { + return new BigInteger(Encoding.UTF8.GetBytes(password)); + } + + /// <summary> + /// Calculate g^x mod p as done in round 1. + /// </summary> + public static BigInteger CalculateGx(BigInteger p, BigInteger g, BigInteger x) + { + return g.ModPow(x, p); + } + + /// <summary> + /// Calculate ga as done in round 2. + /// </summary> + public static BigInteger CalculateGA(BigInteger p, BigInteger gx1, BigInteger gx3, BigInteger gx4) + { + // ga = g^(x1+x3+x4) = g^x1 * g^x3 * g^x4 + return gx1.Multiply(gx3).Multiply(gx4).Mod(p); + } + + /// <summary> + /// Calculate x2 * s as done in round 2. + /// </summary> + public static BigInteger CalculateX2s(BigInteger q, BigInteger x2, BigInteger s) + { + return x2.Multiply(s).Mod(q); + } + + /// <summary> + /// Calculate A as done in round 2. + /// </summary> + public static BigInteger CalculateA(BigInteger p, BigInteger q, BigInteger gA, BigInteger x2s) + { + // A = ga^(x*s) + return gA.ModPow(x2s, p); + } + + /// <summary> + /// Calculate a zero knowledge proof of x using Schnorr's signature. + /// The returned array has two elements {g^v, r = v-x*h} for x. + /// </summary> + public static BigInteger[] CalculateZeroKnowledgeProof(BigInteger p, BigInteger q, BigInteger g, + BigInteger gx, BigInteger x, string participantId, IDigest digest, SecureRandom random) + { + /* Generate a random v, and compute g^v */ + BigInteger vMin = Zero; + BigInteger vMax = q.Subtract(One); + BigInteger v = BigIntegers.CreateRandomInRange(vMin, vMax, random); + + BigInteger gv = g.ModPow(v, p); + BigInteger h = CalculateHashForZeroKnowledgeProof(g, gv, gx, participantId, digest); // h + + return new BigInteger[] + { + gv, + v.Subtract(x.Multiply(h)).Mod(q) // r = v-x*h + }; + } + + private static BigInteger CalculateHashForZeroKnowledgeProof(BigInteger g, BigInteger gr, BigInteger gx, + string participantId, IDigest digest) + { + digest.Reset(); + + UpdateDigestIncludingSize(digest, g); + + UpdateDigestIncludingSize(digest, gr); + + UpdateDigestIncludingSize(digest, gx); + + UpdateDigestIncludingSize(digest, participantId); + + byte[] output = DigestUtilities.DoFinal(digest); + + return new BigInteger(output); + } + + /// <summary> + /// Validates that g^x4 is not 1. + /// throws CryptoException if g^x4 is 1 + /// </summary> + public static void ValidateGx4(BigInteger gx4) + { + if (gx4.Equals(One)) + throw new CryptoException("g^x validation failed. g^x should not be 1."); + } + + /// <summary> + /// Validates that ga is not 1. + /// + /// As described by Feng Hao... + /// Alice could simply check ga != 1 to ensure it is a generator. + /// In fact, as we will explain in Section 3, (x1 + x3 + x4 ) is random over Zq even in the face of active attacks. + /// Hence, the probability for ga = 1 is extremely small - on the order of 2^160 for 160-bit q. + /// + /// throws CryptoException if ga is 1 + /// </summary> + public static void ValidateGa(BigInteger ga) + { + if (ga.Equals(One)) + throw new CryptoException("ga is equal to 1. It should not be. The chances of this happening are on the order of 2^160 for a 160-bit q. Try again."); + } + + /// <summary> + /// Validates the zero knowledge proof (generated by + /// calculateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, string, Digest, SecureRandom) + /// is correct. + /// + /// throws CryptoException if the zero knowledge proof is not correct + /// </summary> + public static void ValidateZeroKnowledgeProof(BigInteger p, BigInteger q, BigInteger g, + BigInteger gx, BigInteger[] zeroKnowledgeProof, string participantId, IDigest digest) + { + /* sig={g^v,r} */ + BigInteger gv = zeroKnowledgeProof[0]; + BigInteger r = zeroKnowledgeProof[1]; + + BigInteger h = CalculateHashForZeroKnowledgeProof(g, gv, gx, participantId, digest); + if (!(gx.CompareTo(Zero) == 1 && // g^x > 0 + gx.CompareTo(p) == -1 && // g^x < p + gx.ModPow(q, p).CompareTo(One) == 0 && // g^x^q mod q = 1 + /* + * Below, I took a straightforward way to compute g^r * g^x^h, + * which needs 2 exp. Using a simultaneous computation technique + * would only need 1 exp. + */ + g.ModPow(r, p).Multiply(gx.ModPow(h, p)).Mod(p).CompareTo(gv) == 0)) // g^v=g^r * g^x^h + { + throw new CryptoException("Zero-knowledge proof validation failed"); + } + } + + /// <summary> + /// Calculates the keying material, which can be done after round 2 has completed. + /// A session key must be derived from this key material using a secure key derivation function (KDF). + /// The KDF used to derive the key is handled externally (i.e. not by JPAKEParticipant). + /// + /// KeyingMaterial = (B/g^{x2*x4*s})^x2 + /// </summary> + public static BigInteger CalculateKeyingMaterial(BigInteger p, BigInteger q, + BigInteger gx4, BigInteger x2, BigInteger s, BigInteger B) + { + return gx4.ModPow(x2.Multiply(s).Negate().Mod(q), p).Multiply(B).ModPow(x2, p); + } + + /// <summary> + /// Validates that the given participant ids are not equal. + /// (For the J-PAKE exchange, each participant must use a unique id.) + /// + /// Throws CryptoException if the participantId strings are equal. + /// </summary> + public static void ValidateParticipantIdsDiffer(string participantId1, string participantId2) + { + if (participantId1.Equals(participantId2)) + { + throw new CryptoException( + "Both participants are using the same participantId (" + + participantId1 + + "). This is not allowed. " + + "Each participant must use a unique participantId."); + } + } + + /// <summary> + /// Validates that the given participant ids are equal. + /// This is used to ensure that the payloads received from + /// each round all come from the same participant. + /// </summary> + public static void ValidateParticipantIdsEqual(string expectedParticipantId, string actualParticipantId) + { + if (!expectedParticipantId.Equals(actualParticipantId)) + { + throw new CryptoException( + "Received payload from incorrect partner (" + + actualParticipantId + + "). Expected to receive payload from " + + expectedParticipantId + + "."); + } + } + + /// <summary> + /// Validates that the given object is not null. + /// throws NullReferenceException if the object is null. + /// </summary> + /// <param name="obj">object in question</param> + /// <param name="description">name of the object (to be used in exception message)</param> + public static void ValidateNotNull(object obj, string description) + { + if (obj == null) + throw new ArgumentNullException(description); + } + + /// <summary> + /// Calculates the MacTag (to be used for key confirmation), as defined by + /// <a href="http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf">NIST SP 800-56A Revision 1</a>, + /// Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes. + /// + /// MacTag = HMAC(MacKey, MacLen, MacData) + /// MacKey = H(K || "JPAKE_KC") + /// MacData = "KC_1_U" || participantId || partnerParticipantId || gx1 || gx2 || gx3 || gx4 + /// + /// Note that both participants use "KC_1_U" because the sender of the round 3 message + /// is always the initiator for key confirmation. + /// + /// HMAC = {@link HMac} used with the given {@link Digest} + /// H = The given {@link Digest} + /// MacLen = length of MacTag + /// </summary> + public static BigInteger CalculateMacTag(string participantId, string partnerParticipantId, + BigInteger gx1, BigInteger gx2, BigInteger gx3, BigInteger gx4, BigInteger keyingMaterial, IDigest digest) + { + byte[] macKey = CalculateMacKey(keyingMaterial, digest); + + HMac mac = new HMac(digest); + mac.Init(new KeyParameter(macKey)); + Arrays.Fill(macKey, (byte)0); + + /* + * MacData = "KC_1_U" || participantId_Alice || participantId_Bob || gx1 || gx2 || gx3 || gx4. + */ + UpdateMac(mac, "KC_1_U"); + UpdateMac(mac, participantId); + UpdateMac(mac, partnerParticipantId); + UpdateMac(mac, gx1); + UpdateMac(mac, gx2); + UpdateMac(mac, gx3); + UpdateMac(mac, gx4); + + byte[] macOutput = MacUtilities.DoFinal(mac); + + return new BigInteger(macOutput); + } + + /// <summary> + /// Calculates the MacKey (i.e. the key to use when calculating the MagTag for key confirmation). + /// + /// MacKey = H(K || "JPAKE_KC") + /// </summary> + private static byte[] CalculateMacKey(BigInteger keyingMaterial, IDigest digest) + { + digest.Reset(); + + UpdateDigest(digest, keyingMaterial); + /* + * This constant is used to ensure that the macKey is NOT the same as the derived key. + */ + UpdateDigest(digest, "JPAKE_KC"); + + return DigestUtilities.DoFinal(digest); + } + + /// <summary> + /// Validates the MacTag received from the partner participant. + /// + /// throws CryptoException if the participantId strings are equal. + /// </summary> + public static void ValidateMacTag(string participantId, string partnerParticipantId, + BigInteger gx1, BigInteger gx2, BigInteger gx3, BigInteger gx4, + BigInteger keyingMaterial, IDigest digest, BigInteger partnerMacTag) + { + /* + * Calculate the expected MacTag using the parameters as the partner + * would have used when the partner called calculateMacTag. + * + * i.e. basically all the parameters are reversed. + * participantId <-> partnerParticipantId + * x1 <-> x3 + * x2 <-> x4 + */ + BigInteger expectedMacTag = CalculateMacTag(partnerParticipantId, participantId, gx3, gx4, gx1, gx2, keyingMaterial, digest); + + if (!expectedMacTag.Equals(partnerMacTag)) + { + throw new CryptoException( + "Partner MacTag validation failed. " + + "Therefore, the password, MAC, or digest algorithm of each participant does not match."); + } + } + + private static void UpdateDigest(IDigest digest, BigInteger bigInteger) + { + UpdateDigest(digest, BigIntegers.AsUnsignedByteArray(bigInteger)); + } + + private static void UpdateDigest(IDigest digest, string str) + { + UpdateDigest(digest, Encoding.UTF8.GetBytes(str)); + } + + private static void UpdateDigest(IDigest digest, byte[] bytes) + { + digest.BlockUpdate(bytes, 0, bytes.Length); + Arrays.Fill(bytes, (byte)0); + } + + private static void UpdateDigestIncludingSize(IDigest digest, BigInteger bigInteger) + { + UpdateDigestIncludingSize(digest, BigIntegers.AsUnsignedByteArray(bigInteger)); + } + + private static void UpdateDigestIncludingSize(IDigest digest, string str) + { + UpdateDigestIncludingSize(digest, Encoding.UTF8.GetBytes(str)); + } + + private static void UpdateDigestIncludingSize(IDigest digest, byte[] bytes) + { + digest.BlockUpdate(IntToByteArray(bytes.Length), 0, 4); + digest.BlockUpdate(bytes, 0, bytes.Length); + Arrays.Fill(bytes, (byte)0); + } + + private static void UpdateMac(IMac mac, BigInteger bigInteger) + { + UpdateMac(mac, BigIntegers.AsUnsignedByteArray(bigInteger)); + } + + private static void UpdateMac(IMac mac, string str) + { + UpdateMac(mac, Encoding.UTF8.GetBytes(str)); + } + + private static void UpdateMac(IMac mac, byte[] bytes) + { + mac.BlockUpdate(bytes, 0, bytes.Length); + Arrays.Fill(bytes, (byte)0); + } + + private static byte[] IntToByteArray(int value) + { + return Pack.UInt32_To_BE((uint)value); + } + } +} diff --git a/crypto/src/crypto/tls/TlsClientProtocol.cs b/crypto/src/crypto/tls/TlsClientProtocol.cs index 14c1cf4a4..c2447e434 100644 --- a/crypto/src/crypto/tls/TlsClientProtocol.cs +++ b/crypto/src/crypto/tls/TlsClientProtocol.cs @@ -43,12 +43,12 @@ namespace Org.BouncyCastle.Crypto.Tls } /** - * Constructor for non-blocking mode.<br> - * <br> + * Constructor for non-blocking mode.<br/> + * <br/> * When data is received, use {@link #offerInput(java.nio.ByteBuffer)} to * provide the received ciphertext, then use - * {@link #readInput(byte[], int, int)} to read the corresponding cleartext.<br> - * <br> + * {@link #readInput(byte[], int, int)} to read the corresponding cleartext.<br/> + * <br/> * Similarly, when data needs to be sent, use * {@link #offerOutput(byte[], int, int)} to provide the cleartext, then use * {@link #readOutput(byte[], int, int)} to get the corresponding @@ -63,8 +63,8 @@ namespace Org.BouncyCastle.Crypto.Tls } /** - * Initiates a TLS handshake in the role of client.<br> - * <br> + * Initiates a TLS handshake in the role of client.<br/> + * <br/> * In blocking mode, this will not return until the handshake is complete. * In non-blocking mode, use {@link TlsPeer#NotifyHandshakeComplete()} to * receive a callback when the handshake is complete. diff --git a/crypto/src/crypto/tls/TlsProtocol.cs b/crypto/src/crypto/tls/TlsProtocol.cs index 7acc34d3c..fffde0b2b 100644 --- a/crypto/src/crypto/tls/TlsProtocol.cs +++ b/crypto/src/crypto/tls/TlsProtocol.cs @@ -604,15 +604,15 @@ namespace Org.BouncyCastle.Crypto.Tls } /** - * Offer input from an arbitrary source. Only allowed in non-blocking mode.<br> - * <br> + * Offer input from an arbitrary source. Only allowed in non-blocking mode.<br/> + * <br/> * After this method returns, the input buffer is "owned" by this object. Other code - * must not attempt to do anything with it.<br> - * <br> + * must not attempt to do anything with it.<br/> + * <br/> * This method will decrypt and process all records that are fully available. * If only part of a record is available, the buffer will be retained until the - * remainder of the record is offered.<br> - * <br> + * remainder of the record is offered.<br/> + * <br/> * If any records containing application data were processed, the decrypted data * can be obtained using {@link #readInput(byte[], int, int)}. If any records * containing protocol data were processed, a response may have been generated. @@ -649,8 +649,8 @@ namespace Org.BouncyCastle.Crypto.Tls /** * Gets the amount of received application data. A call to {@link #readInput(byte[], int, int)} - * is guaranteed to be able to return at least this much data.<br> - * <br> + * is guaranteed to be able to return at least this much data.<br/> + * <br/> * Only allowed in non-blocking mode. * @return The number of bytes of available application data */ @@ -666,8 +666,8 @@ namespace Org.BouncyCastle.Crypto.Tls * Retrieves received application data. Use {@link #getAvailableInputBytes()} to check * how much application data is currently available. This method functions similarly to * {@link InputStream#read(byte[], int, int)}, except that it never blocks. If no data - * is available, nothing will be copied and zero will be returned.<br> - * <br> + * is available, nothing will be copied and zero will be returned.<br/> + * <br/> * Only allowed in non-blocking mode. * @param buffer The buffer to hold the application data * @param offset The start offset in the buffer at which the data is written @@ -684,12 +684,12 @@ namespace Org.BouncyCastle.Crypto.Tls } /** - * Offer output from an arbitrary source. Only allowed in non-blocking mode.<br> - * <br> + * Offer output from an arbitrary source. Only allowed in non-blocking mode.<br/> + * <br/> * After this method returns, the specified section of the buffer will have been * processed. Use {@link #readOutput(byte[], int, int)} to get the bytes to - * transmit to the other peer.<br> - * <br> + * transmit to the other peer.<br/> + * <br/> * This method must not be called until after the handshake is complete! Attempting * to call it before the handshake is complete will result in an exception. * @param buffer The buffer containing application data to encrypt @@ -710,8 +710,8 @@ namespace Org.BouncyCastle.Crypto.Tls /** * Gets the amount of encrypted data available to be sent. A call to * {@link #readOutput(byte[], int, int)} is guaranteed to be able to return at - * least this much data.<br> - * <br> + * least this much data.<br/> + * <br/> * Only allowed in non-blocking mode. * @return The number of bytes of available encrypted data */ @@ -727,8 +727,8 @@ namespace Org.BouncyCastle.Crypto.Tls * Retrieves encrypted data to be sent. Use {@link #getAvailableOutputBytes()} to check * how much encrypted data is currently available. This method functions similarly to * {@link InputStream#read(byte[], int, int)}, except that it never blocks. If no data - * is available, nothing will be copied and zero will be returned.<br> - * <br> + * is available, nothing will be copied and zero will be returned.<br/> + * <br/> * Only allowed in non-blocking mode. * @param buffer The buffer to hold the encrypted data * @param offset The start offset in the buffer at which the data is written diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs index 27f7a1dfd..4ab628b13 100644 --- a/crypto/src/crypto/tls/TlsServerProtocol.cs +++ b/crypto/src/crypto/tls/TlsServerProtocol.cs @@ -45,12 +45,12 @@ namespace Org.BouncyCastle.Crypto.Tls } /** - * Constructor for non-blocking mode.<br> - * <br> + * Constructor for non-blocking mode.<br/> + * <br/> * When data is received, use {@link #offerInput(java.nio.ByteBuffer)} to * provide the received ciphertext, then use - * {@link #readInput(byte[], int, int)} to read the corresponding cleartext.<br> - * <br> + * {@link #readInput(byte[], int, int)} to read the corresponding cleartext.<br/> + * <br/> * Similarly, when data needs to be sent, use * {@link #offerOutput(byte[], int, int)} to provide the cleartext, then use * {@link #readOutput(byte[], int, int)} to get the corresponding @@ -65,8 +65,8 @@ namespace Org.BouncyCastle.Crypto.Tls } /** - * Receives a TLS handshake in the role of server.<br> - * <br> + * Receives a TLS handshake in the role of server.<br/> + * <br/> * In blocking mode, this will not return until the handshake is complete. * In non-blocking mode, use {@link TlsPeer#notifyHandshakeComplete()} to * receive a callback when the handshake is complete. diff --git a/crypto/src/openpgp/PgpEncryptedDataGenerator.cs b/crypto/src/openpgp/PgpEncryptedDataGenerator.cs index 2a2e63961..06868eab1 100644 --- a/crypto/src/openpgp/PgpEncryptedDataGenerator.cs +++ b/crypto/src/openpgp/PgpEncryptedDataGenerator.cs @@ -271,26 +271,55 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp /// <summary> /// Add a PBE encryption method to the encrypted object using the default algorithm (S2K_SHA1). /// </summary> - public void AddMethod( - char[] passPhrase) + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + [Obsolete("Use version that takes an explicit s2kDigest parameter")] + public void AddMethod(char[] passPhrase) { AddMethod(passPhrase, HashAlgorithmTag.Sha1); } - /// <summary>Add a PBE encryption method to the encrypted object.</summary> - public void AddMethod( - char[] passPhrase, - HashAlgorithmTag s2kDigest) + /// <summary>Add a PBE encryption method to the encrypted object.</summary> + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + public void AddMethod(char[] passPhrase, HashAlgorithmTag s2kDigest) + { + DoAddMethod(PgpUtilities.EncodePassPhrase(passPhrase, false), true, s2kDigest); + } + + /// <summary>Add a PBE encryption method to the encrypted object.</summary> + /// <remarks> + /// The passphrase is encoded to bytes using UTF8 (Encoding.UTF8.GetBytes). + /// </remarks> + public void AddMethodUtf8(char[] passPhrase, HashAlgorithmTag s2kDigest) + { + DoAddMethod(PgpUtilities.EncodePassPhrase(passPhrase, true), true, s2kDigest); + } + + /// <summary>Add a PBE encryption method to the encrypted object.</summary> + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public void AddMethodRaw(byte[] rawPassPhrase, HashAlgorithmTag s2kDigest) + { + DoAddMethod(rawPassPhrase, false, s2kDigest); + } + + internal void DoAddMethod(byte[] rawPassPhrase, bool clearPassPhrase, HashAlgorithmTag s2kDigest) { byte[] iv = new byte[8]; - rand.NextBytes(iv); + rand.NextBytes(iv); - S2k s2k = new S2k(s2kDigest, iv, 0x60); + S2k s2k = new S2k(s2kDigest, iv, 0x60); - methods.Add(new PbeMethod(defAlgorithm, s2k, PgpUtilities.MakeKeyFromPassPhrase(defAlgorithm, s2k, passPhrase))); + methods.Add(new PbeMethod(defAlgorithm, s2k, PgpUtilities.DoMakeKeyFromPassPhrase(defAlgorithm, s2k, rawPassPhrase, clearPassPhrase))); } - /// <summary>Add a public key encrypted session key to the encrypted object.</summary> + /// <summary>Add a public key encrypted session key to the encrypted object.</summary> public void AddMethod( PgpPublicKey key) { diff --git a/crypto/src/openpgp/PgpKeyRingGenerator.cs b/crypto/src/openpgp/PgpKeyRingGenerator.cs index 92ea394a2..4f6a4b12f 100644 --- a/crypto/src/openpgp/PgpKeyRingGenerator.cs +++ b/crypto/src/openpgp/PgpKeyRingGenerator.cs @@ -17,7 +17,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp private SymmetricKeyAlgorithmTag encAlgorithm; private HashAlgorithmTag hashAlgorithm; private int certificationLevel; - private char[] passPhrase; + private byte[] rawPassPhrase; private bool useSha1; private PgpKeyPair masterKey; private PgpSignatureSubpacketVector hashedPacketVector; @@ -28,7 +28,11 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp /// Create a new key ring generator using old style checksumming. It is recommended to use /// SHA1 checksumming where possible. /// </summary> - /// <param name="certificationLevel">The certification level for keys on this ring.</param> + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + /// <param name="certificationLevel">The certification level for keys on this ring.</param> /// <param name="masterKey">The master key pair.</param> /// <param name="id">The id to be associated with the ring.</param> /// <param name="encAlgorithm">The algorithm to be used to protect secret keys.</param> @@ -36,6 +40,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp /// <param name="hashedPackets">Packets to be included in the certification hash.</param> /// <param name="unhashedPackets">Packets to be attached unhashed to the certification.</param> /// <param name="rand">input secured random.</param> + [Obsolete("Use version taking an explicit 'useSha1' parameter instead")] public PgpKeyRingGenerator( int certificationLevel, PgpKeyPair masterKey, @@ -52,7 +57,11 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp /// <summary> /// Create a new key ring generator. /// </summary> - /// <param name="certificationLevel">The certification level for keys on this ring.</param> + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + /// <param name="certificationLevel">The certification level for keys on this ring.</param> /// <param name="masterKey">The master key pair.</param> /// <param name="id">The id to be associated with the ring.</param> /// <param name="encAlgorithm">The algorithm to be used to protect secret keys.</param> @@ -71,23 +80,86 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp PgpSignatureSubpacketVector hashedPackets, PgpSignatureSubpacketVector unhashedPackets, SecureRandom rand) + : this(certificationLevel, masterKey, id, encAlgorithm, false, passPhrase, useSha1, hashedPackets, unhashedPackets, rand) + { + } + + /// <summary> + /// Create a new key ring generator. + /// </summary> + /// <param name="certificationLevel">The certification level for keys on this ring.</param> + /// <param name="masterKey">The master key pair.</param> + /// <param name="id">The id to be associated with the ring.</param> + /// <param name="encAlgorithm">The algorithm to be used to protect secret keys.</param> + /// <param name="utf8PassPhrase"> + /// If true, conversion of the passphrase to bytes uses Encoding.UTF8.GetBytes(), otherwise the conversion + /// is performed using Convert.ToByte(), which is the historical behaviour of the library (1.7 and earlier). + /// </param> + /// <param name="passPhrase">The passPhrase to be used to protect secret keys.</param> + /// <param name="useSha1">Checksum the secret keys with SHA1 rather than the older 16 bit checksum.</param> + /// <param name="hashedPackets">Packets to be included in the certification hash.</param> + /// <param name="unhashedPackets">Packets to be attached unhashed to the certification.</param> + /// <param name="rand">input secured random.</param> + public PgpKeyRingGenerator( + int certificationLevel, + PgpKeyPair masterKey, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + bool utf8PassPhrase, + char[] passPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(certificationLevel, masterKey, id, encAlgorithm, + PgpUtilities.EncodePassPhrase(passPhrase, utf8PassPhrase), + useSha1, hashedPackets, unhashedPackets, rand) + { + } + + /// <summary> + /// Create a new key ring generator. + /// </summary> + /// <param name="certificationLevel">The certification level for keys on this ring.</param> + /// <param name="masterKey">The master key pair.</param> + /// <param name="id">The id to be associated with the ring.</param> + /// <param name="encAlgorithm">The algorithm to be used to protect secret keys.</param> + /// <param name="rawPassPhrase">The passPhrase to be used to protect secret keys.</param> + /// <param name="useSha1">Checksum the secret keys with SHA1 rather than the older 16 bit checksum.</param> + /// <param name="hashedPackets">Packets to be included in the certification hash.</param> + /// <param name="unhashedPackets">Packets to be attached unhashed to the certification.</param> + /// <param name="rand">input secured random.</param> + public PgpKeyRingGenerator( + int certificationLevel, + PgpKeyPair masterKey, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + byte[] rawPassPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) { this.certificationLevel = certificationLevel; this.masterKey = masterKey; this.id = id; this.encAlgorithm = encAlgorithm; - this.passPhrase = passPhrase; + this.rawPassPhrase = rawPassPhrase; this.useSha1 = useSha1; this.hashedPacketVector = hashedPackets; this.unhashedPacketVector = unhashedPackets; this.rand = rand; - keys.Add(new PgpSecretKey(certificationLevel, masterKey, id, encAlgorithm, passPhrase, useSha1, hashedPackets, unhashedPackets, rand)); + keys.Add(new PgpSecretKey(certificationLevel, masterKey, id, encAlgorithm, rawPassPhrase, false, useSha1, hashedPackets, unhashedPackets, rand)); } /// <summary> /// Create a new key ring generator. /// </summary> + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> /// <param name="certificationLevel">The certification level for keys on this ring.</param> /// <param name="masterKey">The master key pair.</param> /// <param name="id">The id to be associated with the ring.</param> @@ -109,19 +181,85 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp PgpSignatureSubpacketVector hashedPackets, PgpSignatureSubpacketVector unhashedPackets, SecureRandom rand) + : this(certificationLevel, masterKey, id, encAlgorithm, hashAlgorithm, false, passPhrase, useSha1, hashedPackets, unhashedPackets, rand) + { + } + + /// <summary> + /// Create a new key ring generator. + /// </summary> + /// <param name="certificationLevel">The certification level for keys on this ring.</param> + /// <param name="masterKey">The master key pair.</param> + /// <param name="id">The id to be associated with the ring.</param> + /// <param name="encAlgorithm">The algorithm to be used to protect secret keys.</param> + /// <param name="hashAlgorithm">The hash algorithm.</param> + /// <param name="utf8PassPhrase"> + /// If true, conversion of the passphrase to bytes uses Encoding.UTF8.GetBytes(), otherwise the conversion + /// is performed using Convert.ToByte(), which is the historical behaviour of the library (1.7 and earlier). + /// </param> + /// <param name="passPhrase">The passPhrase to be used to protect secret keys.</param> + /// <param name="useSha1">Checksum the secret keys with SHA1 rather than the older 16 bit checksum.</param> + /// <param name="hashedPackets">Packets to be included in the certification hash.</param> + /// <param name="unhashedPackets">Packets to be attached unhashed to the certification.</param> + /// <param name="rand">input secured random.</param> + public PgpKeyRingGenerator( + int certificationLevel, + PgpKeyPair masterKey, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + HashAlgorithmTag hashAlgorithm, + bool utf8PassPhrase, + char[] passPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(certificationLevel, masterKey, id, encAlgorithm, hashAlgorithm, + PgpUtilities.EncodePassPhrase(passPhrase, utf8PassPhrase), + useSha1, hashedPackets, unhashedPackets, rand) + { + } + + /// <summary> + /// Create a new key ring generator. + /// </summary> + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + /// <param name="certificationLevel">The certification level for keys on this ring.</param> + /// <param name="masterKey">The master key pair.</param> + /// <param name="id">The id to be associated with the ring.</param> + /// <param name="encAlgorithm">The algorithm to be used to protect secret keys.</param> + /// <param name="hashAlgorithm">The hash algorithm.</param> + /// <param name="rawPassPhrase">The passPhrase to be used to protect secret keys.</param> + /// <param name="useSha1">Checksum the secret keys with SHA1 rather than the older 16 bit checksum.</param> + /// <param name="hashedPackets">Packets to be included in the certification hash.</param> + /// <param name="unhashedPackets">Packets to be attached unhashed to the certification.</param> + /// <param name="rand">input secured random.</param> + public PgpKeyRingGenerator( + int certificationLevel, + PgpKeyPair masterKey, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + HashAlgorithmTag hashAlgorithm, + byte[] rawPassPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) { this.certificationLevel = certificationLevel; this.masterKey = masterKey; this.id = id; this.encAlgorithm = encAlgorithm; - this.passPhrase = passPhrase; + this.rawPassPhrase = rawPassPhrase; this.useSha1 = useSha1; this.hashedPacketVector = hashedPackets; this.unhashedPacketVector = unhashedPackets; this.rand = rand; this.hashAlgorithm = hashAlgorithm; - keys.Add(new PgpSecretKey(certificationLevel, masterKey, id, encAlgorithm, hashAlgorithm, passPhrase, useSha1, hashedPackets, unhashedPackets, rand)); + keys.Add(new PgpSecretKey(certificationLevel, masterKey, id, encAlgorithm, hashAlgorithm, rawPassPhrase, false, useSha1, hashedPackets, unhashedPackets, rand)); } /// <summary>Add a subkey to the key ring to be generated with default certification.</summary> @@ -172,7 +310,8 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp subSigs.Add(sGen.GenerateCertification(masterKey.PublicKey, keyPair.PublicKey)); - keys.Add(new PgpSecretKey(keyPair.PrivateKey, new PgpPublicKey(keyPair.PublicKey, null, subSigs), encAlgorithm, passPhrase, useSha1, rand)); + keys.Add(new PgpSecretKey(keyPair.PrivateKey, new PgpPublicKey(keyPair.PublicKey, null, subSigs), encAlgorithm, + rawPassPhrase, false, useSha1, rand, false)); } catch (PgpException e) { @@ -202,7 +341,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp { try { - var sGen = new PgpSignatureGenerator(masterKey.PublicKey.Algorithm, hashAlgorithm); + PgpSignatureGenerator sGen = new PgpSignatureGenerator(masterKey.PublicKey.Algorithm, hashAlgorithm); // // Generate the certification @@ -215,7 +354,8 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp IList subSigs = Platform.CreateArrayList(); subSigs.Add(sGen.GenerateCertification(masterKey.PublicKey, keyPair.PublicKey)); - keys.Add(new PgpSecretKey(keyPair.PrivateKey, new PgpPublicKey(keyPair.PublicKey, null, subSigs), encAlgorithm, passPhrase, useSha1, rand)); + keys.Add(new PgpSecretKey(keyPair.PrivateKey, new PgpPublicKey(keyPair.PublicKey, null, subSigs), encAlgorithm, + rawPassPhrase, false, useSha1, rand, false)); } catch (PgpException) { diff --git a/crypto/src/openpgp/PgpPbeEncryptedData.cs b/crypto/src/openpgp/PgpPbeEncryptedData.cs index c5fe89407..f43f2f512 100644 --- a/crypto/src/openpgp/PgpPbeEncryptedData.cs +++ b/crypto/src/openpgp/PgpPbeEncryptedData.cs @@ -30,18 +30,43 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp } /// <summary>Return the decrypted input stream, using the passed in passphrase.</summary> - public Stream GetDataStream( - char[] passPhrase) + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + public Stream GetDataStream(char[] passPhrase) + { + return DoGetDataStream(PgpUtilities.EncodePassPhrase(passPhrase, false), true); + } + + /// <summary>Return the decrypted input stream, using the passed in passphrase.</summary> + /// <remarks> + /// The passphrase is encoded to bytes using UTF8 (Encoding.UTF8.GetBytes). + /// </remarks> + public Stream GetDataStreamUtf8(char[] passPhrase) + { + return DoGetDataStream(PgpUtilities.EncodePassPhrase(passPhrase, true), true); + } + + /// <summary>Return the decrypted input stream, using the passed in passphrase.</summary> + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public Stream GetDataStreamRaw(byte[] rawPassPhrase) + { + return DoGetDataStream(rawPassPhrase, false); + } + + internal Stream DoGetDataStream(byte[] rawPassPhrase, bool clearPassPhrase) { try { SymmetricKeyAlgorithmTag keyAlgorithm = keyData.EncAlgorithm; - KeyParameter key = PgpUtilities.MakeKeyFromPassPhrase( - keyAlgorithm, keyData.S2k, passPhrase); - + KeyParameter key = PgpUtilities.DoMakeKeyFromPassPhrase( + keyAlgorithm, keyData.S2k, rawPassPhrase, clearPassPhrase); - byte[] secKeyData = keyData.GetSecKeyData(); + byte[] secKeyData = keyData.GetSecKeyData(); if (secKeyData != null && secKeyData.Length > 0) { IBufferedCipher keyCipher = CipherUtilities.GetCipher( diff --git a/crypto/src/openpgp/PgpSecretKey.cs b/crypto/src/openpgp/PgpSecretKey.cs index 1027393ce..0f472c1a4 100644 --- a/crypto/src/openpgp/PgpSecretKey.cs +++ b/crypto/src/openpgp/PgpSecretKey.cs @@ -30,18 +30,8 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp PgpPrivateKey privKey, PgpPublicKey pubKey, SymmetricKeyAlgorithmTag encAlgorithm, - char[] passPhrase, - bool useSha1, - SecureRandom rand) - : this(privKey, pubKey, encAlgorithm, passPhrase, useSha1, rand, false) - { - } - - internal PgpSecretKey( - PgpPrivateKey privKey, - PgpPublicKey pubKey, - SymmetricKeyAlgorithmTag encAlgorithm, - char[] passPhrase, + byte[] rawPassPhrase, + bool clearPassPhrase, bool useSha1, SecureRandom rand, bool isMasterKey) @@ -107,7 +97,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp byte[] encData; if (pub.Version >= 4) { - encData = EncryptKeyData(keyData, encAlgorithm, passPhrase, rand, out s2k, out iv); + encData = EncryptKeyData(keyData, encAlgorithm, rawPassPhrase, clearPassPhrase, rand, out s2k, out iv); } else { @@ -139,6 +129,11 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp } } + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + [Obsolete("Use the constructor taking an explicit 'useSha1' parameter instead")] public PgpSecretKey( int certificationLevel, PgpKeyPair keyPair, @@ -152,32 +147,151 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp { } + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + public PgpSecretKey( + int certificationLevel, + PgpKeyPair keyPair, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + char[] passPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(certificationLevel, keyPair, id, encAlgorithm, false, passPhrase, useSha1, hashedPackets, unhashedPackets, rand) + { + } + + /// <remarks> + /// If utf8PassPhrase is true, conversion of the passphrase to bytes uses Encoding.UTF8.GetBytes(), otherwise the conversion + /// is performed using Convert.ToByte(), which is the historical behaviour of the library (1.7 and earlier). + /// </remarks> public PgpSecretKey( int certificationLevel, PgpKeyPair keyPair, string id, SymmetricKeyAlgorithmTag encAlgorithm, + bool utf8PassPhrase, char[] passPhrase, bool useSha1, PgpSignatureSubpacketVector hashedPackets, PgpSignatureSubpacketVector unhashedPackets, SecureRandom rand) - : this(keyPair.PrivateKey, CertifiedPublicKey(certificationLevel, keyPair, id, hashedPackets, unhashedPackets), encAlgorithm, passPhrase, useSha1, rand, true) + : this(certificationLevel, keyPair, id, encAlgorithm, + PgpUtilities.EncodePassPhrase(passPhrase, utf8PassPhrase), true, + useSha1, hashedPackets, unhashedPackets, rand) + { + } + + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public PgpSecretKey( + int certificationLevel, + PgpKeyPair keyPair, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + byte[] rawPassPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(certificationLevel, keyPair, id, encAlgorithm, rawPassPhrase, false, useSha1, hashedPackets, unhashedPackets, rand) + { + } + + internal PgpSecretKey( + int certificationLevel, + PgpKeyPair keyPair, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + byte[] rawPassPhrase, + bool clearPassPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(keyPair.PrivateKey, CertifiedPublicKey(certificationLevel, keyPair, id, hashedPackets, unhashedPackets), + encAlgorithm, rawPassPhrase, clearPassPhrase, useSha1, rand, true) + { + } + + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + public PgpSecretKey( + int certificationLevel, + PgpKeyPair keyPair, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + HashAlgorithmTag hashAlgorithm, + char[] passPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(certificationLevel, keyPair, id, encAlgorithm, hashAlgorithm, false, passPhrase, useSha1, hashedPackets, unhashedPackets, rand) { } + /// <remarks> + /// If utf8PassPhrase is true, conversion of the passphrase to bytes uses Encoding.UTF8.GetBytes(), otherwise the conversion + /// is performed using Convert.ToByte(), which is the historical behaviour of the library (1.7 and earlier). + /// </remarks> public PgpSecretKey( int certificationLevel, PgpKeyPair keyPair, string id, SymmetricKeyAlgorithmTag encAlgorithm, HashAlgorithmTag hashAlgorithm, + bool utf8PassPhrase, char[] passPhrase, bool useSha1, PgpSignatureSubpacketVector hashedPackets, PgpSignatureSubpacketVector unhashedPackets, SecureRandom rand) - : this(keyPair.PrivateKey, CertifiedPublicKey(certificationLevel, keyPair, id, hashedPackets, unhashedPackets, hashAlgorithm), encAlgorithm, passPhrase, useSha1, rand, true) + : this(certificationLevel, keyPair, id, encAlgorithm, hashAlgorithm, + PgpUtilities.EncodePassPhrase(passPhrase, utf8PassPhrase), true, + useSha1, hashedPackets, unhashedPackets, rand) + { + } + + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public PgpSecretKey( + int certificationLevel, + PgpKeyPair keyPair, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + HashAlgorithmTag hashAlgorithm, + byte[] rawPassPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(certificationLevel, keyPair, id, encAlgorithm, hashAlgorithm, rawPassPhrase, false, useSha1, hashedPackets, unhashedPackets, rand) + { + } + + internal PgpSecretKey( + int certificationLevel, + PgpKeyPair keyPair, + string id, + SymmetricKeyAlgorithmTag encAlgorithm, + HashAlgorithmTag hashAlgorithm, + byte[] rawPassPhrase, + bool clearPassPhrase, + bool useSha1, + PgpSignatureSubpacketVector hashedPackets, + PgpSignatureSubpacketVector unhashedPackets, + SecureRandom rand) + : this(keyPair.PrivateKey, CertifiedPublicKey(certificationLevel, keyPair, id, hashedPackets, unhashedPackets, hashAlgorithm), + encAlgorithm, rawPassPhrase, clearPassPhrase, useSha1, rand, true) { } @@ -269,7 +383,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp SecureRandom rand) : this(certificationLevel, new PgpKeyPair(algorithm, pubKey, privKey, time), - id, encAlgorithm, passPhrase, hashedPackets, unhashedPackets, rand) + id, encAlgorithm, passPhrase, false, hashedPackets, unhashedPackets, rand) { } @@ -367,8 +481,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp get { return pub.GetUserAttributes(); } } - private byte[] ExtractKeyData( - char[] passPhrase) + private byte[] ExtractKeyData(byte[] rawPassPhrase, bool clearPassPhrase) { SymmetricKeyAlgorithmTag encAlgorithm = secret.EncAlgorithm; byte[] encData = secret.GetSecretKeyData(); @@ -380,7 +493,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp // TODO Factor this block out as 'decryptData' try { - KeyParameter key = PgpUtilities.MakeKeyFromPassPhrase(secret.EncAlgorithm, secret.S2k, passPhrase); + KeyParameter key = PgpUtilities.DoMakeKeyFromPassPhrase(secret.EncAlgorithm, secret.S2k, rawPassPhrase, clearPassPhrase); byte[] iv = secret.GetIV(); byte[] data; @@ -483,8 +596,34 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp } /// <summary>Extract a <c>PgpPrivateKey</c> from this secret key's encrypted contents.</summary> - public PgpPrivateKey ExtractPrivateKey( - char[] passPhrase) + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + public PgpPrivateKey ExtractPrivateKey(char[] passPhrase) + { + return DoExtractPrivateKey(PgpUtilities.EncodePassPhrase(passPhrase, false), true); + } + + /// <summary>Extract a <c>PgpPrivateKey</c> from this secret key's encrypted contents.</summary> + /// <remarks> + /// The passphrase is encoded to bytes using UTF8 (Encoding.UTF8.GetBytes). + /// </remarks> + public PgpPrivateKey ExtractPrivateKeyUtf8(char[] passPhrase) + { + return DoExtractPrivateKey(PgpUtilities.EncodePassPhrase(passPhrase, true), true); + } + + /// <summary>Extract a <c>PgpPrivateKey</c> from this secret key's encrypted contents.</summary> + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public PgpPrivateKey ExtractPrivateKeyRaw(byte[] rawPassPhrase) + { + return DoExtractPrivateKey(rawPassPhrase, false); + } + + internal PgpPrivateKey DoExtractPrivateKey(byte[] rawPassPhrase, bool clearPassPhrase) { if (IsPrivateKeyEmpty) return null; @@ -492,7 +631,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp PublicKeyPacket pubPk = secret.PublicKeyPacket; try { - byte[] data = ExtractKeyData(passPhrase); + byte[] data = ExtractKeyData(rawPassPhrase, clearPassPhrase); BcpgInputStream bcpgIn = BcpgInputStream.Wrap(new MemoryStream(data, false)); AsymmetricKeyParameter privateKey; switch (pubPk.Algorithm) @@ -652,6 +791,10 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp /// Return a copy of the passed in secret key, encrypted using a new password /// and the passed in algorithm. /// </summary> + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> /// <param name="key">The PgpSecretKey to be copied.</param> /// <param name="oldPassPhrase">The current password for the key.</param> /// <param name="newPassPhrase">The new password for the key.</param> @@ -664,11 +807,67 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp SymmetricKeyAlgorithmTag newEncAlgorithm, SecureRandom rand) { + return DoCopyWithNewPassword(key, PgpUtilities.EncodePassPhrase(oldPassPhrase, false), + PgpUtilities.EncodePassPhrase(newPassPhrase, false), true, newEncAlgorithm, rand); + } + + /// <summary> + /// Return a copy of the passed in secret key, encrypted using a new password + /// and the passed in algorithm. + /// </summary> + /// <remarks> + /// The passphrase is encoded to bytes using UTF8 (Encoding.UTF8.GetBytes). + /// </remarks> + /// <param name="key">The PgpSecretKey to be copied.</param> + /// <param name="oldPassPhrase">The current password for the key.</param> + /// <param name="newPassPhrase">The new password for the key.</param> + /// <param name="newEncAlgorithm">The algorithm to be used for the encryption.</param> + /// <param name="rand">Source of randomness.</param> + public static PgpSecretKey CopyWithNewPasswordUtf8( + PgpSecretKey key, + char[] oldPassPhrase, + char[] newPassPhrase, + SymmetricKeyAlgorithmTag newEncAlgorithm, + SecureRandom rand) + { + return DoCopyWithNewPassword(key, PgpUtilities.EncodePassPhrase(oldPassPhrase, true), + PgpUtilities.EncodePassPhrase(newPassPhrase, true), true, newEncAlgorithm, rand); + } + + /// <summary> + /// Return a copy of the passed in secret key, encrypted using a new password + /// and the passed in algorithm. + /// </summary> + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + /// <param name="key">The PgpSecretKey to be copied.</param> + /// <param name="rawOldPassPhrase">The current password for the key.</param> + /// <param name="rawNewPassPhrase">The new password for the key.</param> + /// <param name="newEncAlgorithm">The algorithm to be used for the encryption.</param> + /// <param name="rand">Source of randomness.</param> + public static PgpSecretKey CopyWithNewPasswordRaw( + PgpSecretKey key, + byte[] rawOldPassPhrase, + byte[] rawNewPassPhrase, + SymmetricKeyAlgorithmTag newEncAlgorithm, + SecureRandom rand) + { + return DoCopyWithNewPassword(key, rawOldPassPhrase, rawNewPassPhrase, false, newEncAlgorithm, rand); + } + internal static PgpSecretKey DoCopyWithNewPassword( + PgpSecretKey key, + byte[] rawOldPassPhrase, + byte[] rawNewPassPhrase, + bool clearPassPhrase, + SymmetricKeyAlgorithmTag newEncAlgorithm, + SecureRandom rand) + { if (key.IsPrivateKeyEmpty) throw new PgpException("no private key in this SecretKey - public key present only."); - byte[] rawKeyData = key.ExtractKeyData(oldPassPhrase); + byte[] rawKeyData = key.ExtractKeyData(rawOldPassPhrase, clearPassPhrase); int s2kUsage = key.secret.S2kUsage; byte[] iv = null; S2k s2k = null; @@ -696,11 +895,16 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp } else { + if (s2kUsage == SecretKeyPacket.UsageNone) + { + s2kUsage = SecretKeyPacket.UsageChecksum; + } + try { if (pubKeyPacket.Version >= 4) { - keyData = EncryptKeyData(rawKeyData, newEncAlgorithm, newPassPhrase, rand, out s2k, out iv); + keyData = EncryptKeyData(rawKeyData, newEncAlgorithm, rawNewPassPhrase, clearPassPhrase, rand, out s2k, out iv); } else { @@ -749,7 +953,8 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp private static byte[] EncryptKeyData( byte[] rawKeyData, SymmetricKeyAlgorithmTag encAlgorithm, - char[] passPhrase, + byte[] rawPassPhrase, + bool clearPassPhrase, SecureRandom random, out S2k s2k, out byte[] iv) @@ -769,7 +974,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp random.NextBytes(s2kIV); s2k = new S2k(HashAlgorithmTag.Sha1, s2kIV, 0x60); - KeyParameter kp = PgpUtilities.MakeKeyFromPassPhrase(encAlgorithm, s2k, passPhrase); + KeyParameter kp = PgpUtilities.DoMakeKeyFromPassPhrase(encAlgorithm, s2k, rawPassPhrase, clearPassPhrase); iv = new byte[c.GetBlockSize()]; random.NextBytes(iv); @@ -779,13 +984,42 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp return c.DoFinal(rawKeyData); } - /** - * Parse a secret key from one of the GPG S expression keys associating it with the passed in public key. - * - * @return a secret key object. - */ + /// <summary> + /// Parse a secret key from one of the GPG S expression keys associating it with the passed in public key. + /// </summary> + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> public static PgpSecretKey ParseSecretKeyFromSExpr(Stream inputStream, char[] passPhrase, PgpPublicKey pubKey) { + return DoParseSecretKeyFromSExpr(inputStream, PgpUtilities.EncodePassPhrase(passPhrase, false), true, pubKey); + } + + /// <summary> + /// Parse a secret key from one of the GPG S expression keys associating it with the passed in public key. + /// </summary> + /// <remarks> + /// The passphrase is encoded to bytes using UTF8 (Encoding.UTF8.GetBytes). + /// </remarks> + public static PgpSecretKey ParseSecretKeyFromSExprUtf8(Stream inputStream, char[] passPhrase, PgpPublicKey pubKey) + { + return DoParseSecretKeyFromSExpr(inputStream, PgpUtilities.EncodePassPhrase(passPhrase, true), true, pubKey); + } + + /// <summary> + /// Parse a secret key from one of the GPG S expression keys associating it with the passed in public key. + /// </summary> + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public static PgpSecretKey ParseSecretKeyFromSExprRaw(Stream inputStream, byte[] rawPassPhrase, PgpPublicKey pubKey) + { + return DoParseSecretKeyFromSExpr(inputStream, rawPassPhrase, false, pubKey); + } + + internal static PgpSecretKey DoParseSecretKeyFromSExpr(Stream inputStream, byte[] rawPassPhrase, bool clearPassPhrase, PgpPublicKey pubKey) + { SXprUtilities.SkipOpenParenthesis(inputStream); string type = SXprUtilities.ReadString(inputStream, inputStream.ReadByte()); @@ -826,7 +1060,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp SXprUtilities.SkipCloseParenthesis(inputStream); - byte[] dValue = GetDValue(inputStream, passPhrase, curveName); + byte[] dValue = GetDValue(inputStream, rawPassPhrase, clearPassPhrase, curveName); // TODO: check SHA-1 hash. return new PgpSecretKey(new SecretKeyPacket(pubKey.PublicKeyPacket, SymmetricKeyAlgorithmTag.Null, null, null, @@ -836,13 +1070,45 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp throw new PgpException("unknown key type found"); } - /** - * Parse a secret key from one of the GPG S expression keys. - * - * @return a secret key object. - */ + /// <summary> + /// Parse a secret key from one of the GPG S expression keys. + /// </summary> + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> public static PgpSecretKey ParseSecretKeyFromSExpr(Stream inputStream, char[] passPhrase) { + return DoParseSecretKeyFromSExpr(inputStream, PgpUtilities.EncodePassPhrase(passPhrase, false), true); + } + + /// <summary> + /// Parse a secret key from one of the GPG S expression keys. + /// </summary> + /// <remarks> + /// The passphrase is encoded to bytes using UTF8 (Encoding.UTF8.GetBytes). + /// </remarks> + public static PgpSecretKey ParseSecretKeyFromSExprUtf8(Stream inputStream, char[] passPhrase) + { + return DoParseSecretKeyFromSExpr(inputStream, PgpUtilities.EncodePassPhrase(passPhrase, true), true); + } + + /// <summary> + /// Parse a secret key from one of the GPG S expression keys. + /// </summary> + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public static PgpSecretKey ParseSecretKeyFromSExprRaw(Stream inputStream, byte[] rawPassPhrase) + { + return DoParseSecretKeyFromSExpr(inputStream, rawPassPhrase, false); + } + + /// <summary> + /// Parse a secret key from one of the GPG S expression keys. + /// </summary> + internal static PgpSecretKey DoParseSecretKeyFromSExpr(Stream inputStream, byte[] rawPassPhrase, bool clearPassPhrase) + { SXprUtilities.SkipOpenParenthesis(inputStream); string type = SXprUtilities.ReadString(inputStream, inputStream.ReadByte()); @@ -891,7 +1157,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp SXprUtilities.SkipCloseParenthesis(inputStream); - byte[] dValue = GetDValue(inputStream, passPhrase, curveName); + byte[] dValue = GetDValue(inputStream, rawPassPhrase, clearPassPhrase, curveName); // TODO: check SHA-1 hash. return new PgpSecretKey(new SecretKeyPacket(pubPacket, SymmetricKeyAlgorithmTag.Null, null, null, @@ -901,7 +1167,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp throw new PgpException("unknown key type found"); } - private static byte[] GetDValue(Stream inputStream, char[] passPhrase, string curveName) + private static byte[] GetDValue(Stream inputStream, byte[] rawPassPhrase, bool clearPassPhrase, string curveName) { string type; SXprUtilities.SkipOpenParenthesis(inputStream); @@ -932,7 +1198,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp } // TODO: recognise other algorithms - KeyParameter key = PgpUtilities.MakeKeyFromPassPhrase(SymmetricKeyAlgorithmTag.Aes128, s2k, passPhrase); + KeyParameter key = PgpUtilities.DoMakeKeyFromPassPhrase(SymmetricKeyAlgorithmTag.Aes128, s2k, rawPassPhrase, clearPassPhrase); byte[] data = RecoverKeyData(SymmetricKeyAlgorithmTag.Aes128, "/CBC/NoPadding", key, iv, secKeyData, 0, secKeyData.Length); diff --git a/crypto/src/openpgp/PgpUtilities.cs b/crypto/src/openpgp/PgpUtilities.cs index e4551db07..65c07b2e2 100644 --- a/crypto/src/openpgp/PgpUtilities.cs +++ b/crypto/src/openpgp/PgpUtilities.cs @@ -193,13 +193,44 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp return MakeKey(algorithm, keyBytes); } - public static KeyParameter MakeKeyFromPassPhrase( - SymmetricKeyAlgorithmTag algorithm, - S2k s2k, - char[] passPhrase) + internal static byte[] EncodePassPhrase(char[] passPhrase, bool utf8) + { + return passPhrase == null + ? null + : utf8 + ? Encoding.UTF8.GetBytes(passPhrase) + : Strings.ToByteArray(passPhrase); + } + + /// <remarks> + /// Conversion of the passphrase characters to bytes is performed using Convert.ToByte(), which is + /// the historical behaviour of the library (1.7 and earlier). + /// </remarks> + public static KeyParameter MakeKeyFromPassPhrase(SymmetricKeyAlgorithmTag algorithm, S2k s2k, char[] passPhrase) + { + return DoMakeKeyFromPassPhrase(algorithm, s2k, EncodePassPhrase(passPhrase, false), true); + } + + /// <remarks> + /// The passphrase is encoded to bytes using UTF8 (Encoding.UTF8.GetBytes). + /// </remarks> + public static KeyParameter MakeKeyFromPassPhraseUtf8(SymmetricKeyAlgorithmTag algorithm, S2k s2k, char[] passPhrase) + { + return DoMakeKeyFromPassPhrase(algorithm, s2k, EncodePassPhrase(passPhrase, true), true); + } + + /// <remarks> + /// Allows the caller to handle the encoding of the passphrase to bytes. + /// </remarks> + public static KeyParameter MakeKeyFromPassPhraseRaw(SymmetricKeyAlgorithmTag algorithm, S2k s2k, byte[] rawPassPhrase) + { + return DoMakeKeyFromPassPhrase(algorithm, s2k, rawPassPhrase, false); + } + + internal static KeyParameter DoMakeKeyFromPassPhrase(SymmetricKeyAlgorithmTag algorithm, S2k s2k, byte[] rawPassPhrase, bool clearPassPhrase) { int keySize = GetKeySize(algorithm); - byte[] pBytes = Encoding.UTF8.GetBytes(passPhrase); + byte[] pBytes = rawPassPhrase; byte[] keyBytes = new byte[(keySize + 7) / 8]; int generatedBytes = 0; @@ -308,12 +339,15 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp loopCount++; } - Array.Clear(pBytes, 0, pBytes.Length); + if (clearPassPhrase && rawPassPhrase != null) + { + Array.Clear(rawPassPhrase, 0, rawPassPhrase.Length); + } - return MakeKey(algorithm, keyBytes); + return MakeKey(algorithm, keyBytes); } - /// <summary>Write out the passed in file as a literal data packet.</summary> + /// <summary>Write out the passed in file as a literal data packet.</summary> public static void WriteFileToLiteralData( Stream output, char fileType, diff --git a/crypto/test/src/crypto/agreement/test/AllTests.cs b/crypto/test/src/crypto/agreement/test/AllTests.cs new file mode 100644 index 000000000..ea8f438e5 --- /dev/null +++ b/crypto/test/src/crypto/agreement/test/AllTests.cs @@ -0,0 +1,31 @@ +using System; + +using NUnit.Core; +using NUnit.Framework; + +using Org.BouncyCastle.Utilities.Test; + +namespace Org.BouncyCastle.Crypto.Agreement.Tests +{ + [TestFixture] + public class AllTests + { + public static void Main(string[] args) + { + Suite.Run(new NullListener(), NUnit.Core.TestFilter.Empty); + } + + [Suite] + public static TestSuite Suite + { + get + { + TestSuite suite = new TestSuite("JPAKE Engine Tests"); + suite.Add(new JPakeParticipantTest()); + suite.Add(new JPakePrimeOrderGroupTest()); + suite.Add(new JPakeUtilitiesTest()); + return suite; + } + } + } +} diff --git a/crypto/test/src/crypto/agreement/test/JPakeParticipantTest.cs b/crypto/test/src/crypto/agreement/test/JPakeParticipantTest.cs new file mode 100644 index 000000000..c84264aa5 --- /dev/null +++ b/crypto/test/src/crypto/agreement/test/JPakeParticipantTest.cs @@ -0,0 +1,566 @@ +using System; + +using NUnit.Framework; + +using Org.BouncyCastle.Crypto.Agreement.JPake; +using Org.BouncyCastle.Crypto.Digests; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities.Test; + +namespace Org.BouncyCastle.Crypto.Agreement.Tests +{ + [TestFixture] + public class JPakeParticipantTest + : SimpleTest + { + public override void PerformTest() + { + TestConstruction(); + TestSuccessfulExchange(); + TestIncorrectPassword(); + TestStateValidation(); + TestValidateRound1PayloadReceived(); + TestValidateRound2PayloadReceived(); + } + + public override string Name + { + get { return "JPakeParticipant"; } + } + + public static void Main( + string[] args) + { + RunTest(new JPakeParticipantTest()); + } + + [Test] + public void TestFunction() + { + string resultText = Perform().ToString(); + + Assert.AreEqual(Name + ": Okay", resultText); + } + + public void TestConstruction() + { + JPakePrimeOrderGroup group = JPakePrimeOrderGroups.SUN_JCE_1024; + SecureRandom random = new SecureRandom(); + IDigest digest = new Sha256Digest(); + string participantId = "participantId"; + char[] password = "password".ToCharArray(); + + // should succeed + new JPakeParticipant(participantId, password, group, digest, random); + + // null participantId + try + { + new JPakeParticipant(null, password, group, digest, random); + + Fail("failed to throw exception on null participantId"); + } + catch (ArgumentNullException) + { + // expected + } + + // null password + try + { + new JPakeParticipant(participantId, null, group, digest, random); + + Fail("failed to throw exception on null password"); + } + catch (ArgumentNullException) + { + // expected + } + + // empty password + try + { + new JPakeParticipant(participantId, "".ToCharArray(), group, digest, random); + + Fail("failed to throw exception on empty password"); + } + catch (ArgumentException) + { + // expected + } + + // null group + try + { + new JPakeParticipant(participantId, password, null, digest, random); + + Fail("failed to throw exception on null group"); + } + catch (ArgumentNullException) + { + // expected + } + + // null digest + try + { + new JPakeParticipant(participantId, password, group, null, random); + + Fail("failed to throw exception on null digest"); + } + catch (ArgumentNullException) + { + // expected + } + + // null random + try + { + new JPakeParticipant(participantId, password, group, digest, null); + + Fail("failed to throw exception on null random"); + } + catch (ArgumentNullException) + { + // expected + } + } + + public void TestSuccessfulExchange() + { + JPakeParticipant alice = CreateAlice(); + JPakeParticipant bob = CreateBob(); + + ExchangeAfterRound2Creation exchange = RunExchangeUntilRound2Creation(alice, bob); + + alice.ValidateRound2PayloadReceived(exchange.bobRound2Payload); + bob.ValidateRound2PayloadReceived(exchange.aliceRound2Payload); + + BigInteger aliceKeyingMaterial = alice.CalculateKeyingMaterial(); + BigInteger bobKeyingMaterial = bob.CalculateKeyingMaterial(); + + JPakeRound3Payload aliceRound3Payload = alice.CreateRound3PayloadToSend(aliceKeyingMaterial); + JPakeRound3Payload bobRound3Payload = bob.CreateRound3PayloadToSend(bobKeyingMaterial); + + alice.ValidateRound3PayloadReceived(bobRound3Payload, aliceKeyingMaterial); + bob.ValidateRound3PayloadReceived(aliceRound3Payload, bobKeyingMaterial); + + Assert.AreEqual(aliceKeyingMaterial, bobKeyingMaterial); + } + + public void TestIncorrectPassword() + { + JPakeParticipant alice = CreateAlice(); + JPakeParticipant bob = CreateBobWithWrongPassword(); + + ExchangeAfterRound2Creation exchange = RunExchangeUntilRound2Creation(alice, bob); + + alice.ValidateRound2PayloadReceived(exchange.bobRound2Payload); + bob.ValidateRound2PayloadReceived(exchange.aliceRound2Payload); + + BigInteger aliceKeyingMaterial = alice.CalculateKeyingMaterial(); + BigInteger bobKeyingMaterial = bob.CalculateKeyingMaterial(); + + JPakeRound3Payload aliceRound3Payload = alice.CreateRound3PayloadToSend(aliceKeyingMaterial); + JPakeRound3Payload bobRound3Payload = bob.CreateRound3PayloadToSend(bobKeyingMaterial); + + try + { + alice.ValidateRound3PayloadReceived(bobRound3Payload, aliceKeyingMaterial); + + Fail("failed to throw exception on incorrect password"); + } + catch (CryptoException) + { + // expected + } + + try + { + bob.ValidateRound3PayloadReceived(aliceRound3Payload, bobKeyingMaterial); + + Fail("failed to throw exception on incorrect password"); + } + catch (CryptoException) + { + // expected + } + } + + public void TestStateValidation() + { + JPakeParticipant alice = CreateAlice(); + JPakeParticipant bob = CreateBob(); + + // We're testing alice here. Bob is just used for help. + + // START ROUND 1 CHECKS + + Assert.AreEqual(JPakeParticipant.STATE_INITIALIZED, alice.State); + + // create round 2 before round 1 + try + { + alice.CreateRound2PayloadToSend(); + + Fail("failed to throw on round 2 creation before 1"); + } + catch (InvalidOperationException) + { + // expected + } + + JPakeRound1Payload aliceRound1Payload = alice.CreateRound1PayloadToSend(); + Assert.AreEqual(JPakeParticipant.STATE_ROUND_1_CREATED, alice.State); + + // create round 1 twice + try + { + alice.CreateRound1PayloadToSend(); + + Fail("failed to throw on round 1 creation twice"); + } + catch (InvalidOperationException) + { + // expected + } + + // create round 2 before validation round 1 + try + { + alice.CreateRound2PayloadToSend(); + + Fail("failed to throw on round 2 creation before round 1 validation"); + } + catch (InvalidOperationException) + { + // expected + } + + // validate round 2 before validation round 1 + try + { + alice.ValidateRound2PayloadReceived(null); + + Fail("failed to throw on round 2 validation before round 1 validation"); + } + catch (InvalidOperationException) + { + // expected + } + + JPakeRound1Payload bobRound1Payload = bob.CreateRound1PayloadToSend(); + alice.ValidateRound1PayloadReceived(bobRound1Payload); + Assert.AreEqual(JPakeParticipant.STATE_ROUND_1_VALIDATED, alice.State); + + // validate round 1 payload twice + try + { + alice.ValidateRound1PayloadReceived(bobRound1Payload); + + Fail("failed to throw on round 1 validation twice"); + } + catch (InvalidOperationException) + { + // expected + } + + bob.ValidateRound1PayloadReceived(aliceRound1Payload); + + // START ROUND 2 CHECKS + + JPakeRound2Payload aliceRound2Payload = alice.CreateRound2PayloadToSend(); + Assert.AreEqual(JPakeParticipant.STATE_ROUND_2_CREATED, alice.State); + + // create round 2 payload twice + try + { + alice.CreateRound2PayloadToSend(); + + Fail("failed to throw on round 2 creation twice"); + } + catch (InvalidOperationException) + { + // expected + } + + // create key before validation round 2 + try + { + alice.CalculateKeyingMaterial(); + + Fail("failed to throw on calculating keying material before round 2 validation"); + } + catch (InvalidOperationException) + { + // expected + } + + // validate round 3 before validating round 2 + try + { + alice.ValidateRound3PayloadReceived(null, null); + + Fail("failed to throw on validating round 3 before 2"); + } + catch (InvalidOperationException) + { + // expected + } + + JPakeRound2Payload bobRound2Payload = bob.CreateRound2PayloadToSend(); + alice.ValidateRound2PayloadReceived(bobRound2Payload); + Assert.AreEqual(JPakeParticipant.STATE_ROUND_2_VALIDATED, alice.State); + + // validate round 2 payload twice + try + { + alice.ValidateRound2PayloadReceived(bobRound2Payload); + + Fail("failed to throw on validating round 2 twice"); + } + catch (InvalidOperationException) + { + // expected + } + + bob.ValidateRound2PayloadReceived(aliceRound2Payload); + + // create round 3 before calculating key + try + { + alice.CreateRound3PayloadToSend(BigInteger.One); + + Fail("failed to throw on creating round 3 before calculating key aterial"); + } + catch (InvalidOperationException) + { + // expected + } + + // START KEY CALCULATION CHECKS + + BigInteger aliceKeyingMaterial = alice.CalculateKeyingMaterial(); + Assert.AreEqual(JPakeParticipant.STATE_KEY_CALCULATED, alice.State); + + // calculate key twice + try + { + alice.CalculateKeyingMaterial(); + + Fail("failed to throw on calculating key twice"); + } + catch (InvalidOperationException) + { + // expected + } + + BigInteger bobKeyingMaterial = bob.CalculateKeyingMaterial(); + + // START ROUND 3 CHECKS + + JPakeRound3Payload aliceRound3Payload = alice.CreateRound3PayloadToSend(aliceKeyingMaterial); + Assert.AreEqual(JPakeParticipant.STATE_ROUND_3_CREATED, alice.State); + + // create round 3 payload twice + try + { + alice.CreateRound3PayloadToSend(aliceKeyingMaterial); + + Fail("failed to throw on creation round 3 twice"); + } + catch (InvalidOperationException) + { + // expected + } + + JPakeRound3Payload bobRound3Payload = bob.CreateRound3PayloadToSend(bobKeyingMaterial); + alice.ValidateRound3PayloadReceived(bobRound3Payload, aliceKeyingMaterial); + Assert.AreEqual(JPakeParticipant.STATE_ROUND_3_VALIDATED, alice.State); + + // validate round 3 payload twice + try + { + alice.ValidateRound3PayloadReceived(bobRound3Payload, aliceKeyingMaterial); + + Fail("failed to throw on validation round 3 twice"); + } + catch (InvalidOperationException) + { + // expected + } + + bob.ValidateRound3PayloadReceived(aliceRound3Payload, bobKeyingMaterial); + } + + public void TestValidateRound1PayloadReceived() + { + // We're testing alice here. Bob is just used for help. + + JPakeRound1Payload bobRound1Payload = CreateBob().CreateRound1PayloadToSend(); + + // should succeed + CreateAlice().ValidateRound1PayloadReceived(bobRound1Payload); + + // alice verifies alice's payload + try + { + JPakeParticipant alice = CreateAlice(); + alice.ValidateRound1PayloadReceived(alice.CreateRound1PayloadToSend()); + + Fail("failed to throw on participant validating own payload"); + } + catch (CryptoException) + { + // expected + } + + // g^x4 == 1 + try + { + CreateAlice().ValidateRound1PayloadReceived(new JPakeRound1Payload( + bobRound1Payload.ParticipantId, + bobRound1Payload.Gx1, + BigInteger.One, + bobRound1Payload.KnowledgeProofForX1, + bobRound1Payload.KnowledgeProofForX2)); + + Fail("failed to throw on g^x4 == 1"); + } + catch (CryptoException) + { + // expected + } + + // zero knowledge proof for x3 fails + try + { + JPakeRound1Payload bobRound1Payload2 = CreateBob().CreateRound1PayloadToSend(); + CreateAlice().ValidateRound1PayloadReceived(new JPakeRound1Payload( + bobRound1Payload.ParticipantId, + bobRound1Payload.Gx1, + bobRound1Payload.Gx2, + bobRound1Payload2.KnowledgeProofForX1, + bobRound1Payload.KnowledgeProofForX2)); + + Fail("failed to throw on incorrect zero knowledge proof for x3"); + } + catch (CryptoException) + { + // expected + } + + // zero knowledge proof for x4 fails + try + { + JPakeRound1Payload bobRound1Payload2 = CreateBob().CreateRound1PayloadToSend(); + CreateAlice().ValidateRound1PayloadReceived(new JPakeRound1Payload( + bobRound1Payload.ParticipantId, + bobRound1Payload.Gx1, + bobRound1Payload.Gx2, + bobRound1Payload.KnowledgeProofForX1, + bobRound1Payload2.KnowledgeProofForX2)); + + Fail("failed to throw on incorrect zero knowledge proof for x4"); + } + catch (CryptoException) + { + // expected + } + } + + public void TestValidateRound2PayloadReceived() + { + // We're testing alice here. Bob is just used for help. + + // should succeed + ExchangeAfterRound2Creation exchange1 = RunExchangeUntilRound2Creation(CreateAlice(), CreateBob()); + exchange1.alice.ValidateRound2PayloadReceived(exchange1.bobRound2Payload); + + // alice verified alice's payload + ExchangeAfterRound2Creation exchange2 = RunExchangeUntilRound2Creation(CreateAlice(), CreateBob()); + try + { + exchange2.alice.ValidateRound2PayloadReceived(exchange2.aliceRound2Payload); + + Fail("failed to throw on participant verifying own payload 2"); + } + catch (CryptoException) + { + // expected + } + + // wrong z + ExchangeAfterRound2Creation exchange3 = RunExchangeUntilRound2Creation(CreateAlice(), CreateBob()); + ExchangeAfterRound2Creation exchange4 = RunExchangeUntilRound2Creation(CreateAlice(), CreateBob()); + try + { + exchange3.alice.ValidateRound2PayloadReceived(exchange4.bobRound2Payload); + + Fail("failed to throw on wrong z"); + } + catch (CryptoException) + { + // expected + } + } + + private class ExchangeAfterRound2Creation + { + public JPakeParticipant alice; + public JPakeRound2Payload aliceRound2Payload; + public JPakeRound2Payload bobRound2Payload; + + public ExchangeAfterRound2Creation( + JPakeParticipant alice, + JPakeRound2Payload aliceRound2Payload, + JPakeRound2Payload bobRound2Payload) + { + this.alice = alice; + this.aliceRound2Payload = aliceRound2Payload; + this.bobRound2Payload = bobRound2Payload; + } + } + + private ExchangeAfterRound2Creation RunExchangeUntilRound2Creation(JPakeParticipant alice, JPakeParticipant bob) + { + JPakeRound1Payload aliceRound1Payload = alice.CreateRound1PayloadToSend(); + JPakeRound1Payload bobRound1Payload = bob.CreateRound1PayloadToSend(); + + alice.ValidateRound1PayloadReceived(bobRound1Payload); + bob.ValidateRound1PayloadReceived(aliceRound1Payload); + + JPakeRound2Payload aliceRound2Payload = alice.CreateRound2PayloadToSend(); + JPakeRound2Payload bobRound2Payload = bob.CreateRound2PayloadToSend(); + + return new ExchangeAfterRound2Creation( + alice, + aliceRound2Payload, + bobRound2Payload); + } + + private JPakeParticipant CreateAlice() + { + return CreateParticipant("alice", "password"); + } + + private JPakeParticipant CreateBob() + { + return CreateParticipant("bob", "password"); + } + + private JPakeParticipant CreateBobWithWrongPassword() + { + return CreateParticipant("bob", "wrong"); + } + + private JPakeParticipant CreateParticipant(string participantId, string password) + { + return new JPakeParticipant( + participantId, + password.ToCharArray(), + JPakePrimeOrderGroups.SUN_JCE_1024); + } + } +} diff --git a/crypto/test/src/crypto/agreement/test/JPakePrimeOrderGroupTest.cs b/crypto/test/src/crypto/agreement/test/JPakePrimeOrderGroupTest.cs new file mode 100644 index 000000000..0f089f93c --- /dev/null +++ b/crypto/test/src/crypto/agreement/test/JPakePrimeOrderGroupTest.cs @@ -0,0 +1,117 @@ +using System; + +using NUnit.Framework; + +using Org.BouncyCastle.Crypto.Agreement.JPake; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Utilities.Test; + +namespace Org.BouncyCastle.Crypto.Agreement.Tests +{ + [TestFixture] + public class JPakePrimeOrderGroupTest + : SimpleTest + { + public override void PerformTest() + { + TestConstruction(); + } + + public override string Name + { + get { return "JPakePrimeOrderGroup"; } + } + + public static void Main( + string[] args) + { + RunTest(new JPakePrimeOrderGroupTest()); + } + + [Test] + public void TestFunction() + { + string resultText = Perform().ToString(); + + Assert.AreEqual(Name + ": Okay", resultText); + } + + public void TestConstruction() + { + // p-1 not evenly divisible by q + try + { + new JPakePrimeOrderGroup(BigInteger.ValueOf(7), BigInteger.ValueOf(5), BigInteger.ValueOf(6)); + + Fail("failed to throw exception on p-1 not evenly divisible by q"); + } + catch (ArgumentException) + { + // expected + } + + // g < 2 + try + { + new JPakePrimeOrderGroup(BigInteger.ValueOf(11), BigInteger.ValueOf(5), BigInteger.ValueOf(1)); + + Fail("failed to throw exception on g < 2"); + } + catch (ArgumentException) + { + // expected + } + + // g > p - 1 + try + { + new JPakePrimeOrderGroup(BigInteger.ValueOf(11), BigInteger.ValueOf(5), BigInteger.ValueOf(11)); + + Fail("failed to throw exception on g > p - 1"); + } + catch (ArgumentException) + { + // expected + } + + //g^q mod p not equal 1 + try + { + new JPakePrimeOrderGroup(BigInteger.ValueOf(11), BigInteger.ValueOf(5), BigInteger.ValueOf(6)); + + Fail("failed to throw exception on g^q mod p not equal 1"); + } + catch (ArgumentException) + { + // expected + } + + // p not prime + try + { + new JPakePrimeOrderGroup(BigInteger.ValueOf(15), BigInteger.ValueOf(2), BigInteger.ValueOf(4)); + + Fail("failed to throw exception on p not prime"); + } + catch (ArgumentException) + { + // expected + } + + // q not prime + try + { + new JPakePrimeOrderGroup(BigInteger.ValueOf(7), BigInteger.ValueOf(6), BigInteger.ValueOf(3)); + + Fail("failed to throw exception on q not prime"); + } + catch (ArgumentException) + { + // expected + } + + // should succeed + new JPakePrimeOrderGroup(BigInteger.ValueOf(7), BigInteger.ValueOf(3), BigInteger.ValueOf(4)); + } + } +} diff --git a/crypto/test/src/crypto/agreement/test/JPakeUtilitiesTest.cs b/crypto/test/src/crypto/agreement/test/JPakeUtilitiesTest.cs new file mode 100644 index 000000000..04a52cc06 --- /dev/null +++ b/crypto/test/src/crypto/agreement/test/JPakeUtilitiesTest.cs @@ -0,0 +1,306 @@ +using System; + +using NUnit.Framework; + +using Org.BouncyCastle.Crypto.Agreement.JPake; +using Org.BouncyCastle.Crypto.Digests; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities.Test; + +namespace Org.BouncyCastle.Crypto.Agreement.Tests +{ + [TestFixture] + public class JPakeUtilitiesTest + : SimpleTest + { + private static readonly BigInteger Ten = BigInteger.ValueOf(10); + + public override void PerformTest() + { + TestValidateGx4(); + TestValidateGa(); + TestValidateParticipantIdsDiffer(); + TestValidateParticipantsIdsEqual(); + TestValidateMacTag(); + TestValidateNotNull(); + TestValidateZeroKnowledgeProof(); + } + + public override string Name + { + get { return "JPakeUtilities"; } + } + + public static void Main( + string[] args) + { + RunTest(new JPakeUtilitiesTest()); + } + + [Test] + public void TestFunction() + { + string resultText = Perform().ToString(); + + Assert.AreEqual(Name + ": Okay", resultText); + } + + public void TestValidateGx4() + { + JPakeUtilities.ValidateGx4(Ten); + + try + { + JPakeUtilities.ValidateGx4(BigInteger.One); + + Fail("exception not thrown for g^x4 equal to 1"); + } + catch (CryptoException) + { + // expected + } + } + + public void TestValidateGa() + { + JPakeUtilities.ValidateGa(Ten); + + try + { + JPakeUtilities.ValidateGa(BigInteger.One); + + Fail("exception not thrown for g^a equal to 1"); + } + catch (CryptoException) + { + // expected + } + } + + public void TestValidateParticipantIdsDiffer() + { + JPakeUtilities.ValidateParticipantIdsDiffer("a", "b"); + JPakeUtilities.ValidateParticipantIdsDiffer("a", "A"); + + try + { + JPakeUtilities.ValidateParticipantIdsDiffer("a", "a"); + + Fail("validate participant ids differ not throwing exception for equal participant ids"); + } + catch (CryptoException) + { + // expected + } + } + + public void TestValidateParticipantsIdsEqual() + { + JPakeUtilities.ValidateParticipantIdsEqual("a", "a"); + + try + { + JPakeUtilities.ValidateParticipantIdsEqual("a", "b"); + + Fail("validate participant ids equal not throwing exception for different participant ids"); + } + catch (CryptoException) + { + // expected + } + } + + public void TestValidateMacTag() + { + JPakePrimeOrderGroup pg1 = JPakePrimeOrderGroups.SUN_JCE_1024; + + SecureRandom random = new SecureRandom(); + IDigest digest = new Sha256Digest(); + + BigInteger x1 = JPakeUtilities.GenerateX1(pg1.Q, random); + BigInteger x2 = JPakeUtilities.GenerateX2(pg1.Q, random); + BigInteger x3 = JPakeUtilities.GenerateX1(pg1.Q, random); + BigInteger x4 = JPakeUtilities.GenerateX2(pg1.Q, random); + + BigInteger gx1 = JPakeUtilities.CalculateGx(pg1.P, pg1.G, x1); + BigInteger gx2 = JPakeUtilities.CalculateGx(pg1.P, pg1.G, x2); + BigInteger gx3 = JPakeUtilities.CalculateGx(pg1.P, pg1.G, x3); + BigInteger gx4 = JPakeUtilities.CalculateGx(pg1.P, pg1.G, x4); + + BigInteger gB = JPakeUtilities.CalculateGA(pg1.P, gx3, gx1, gx2); + + BigInteger s = JPakeUtilities.CalculateS("password".ToCharArray()); + + BigInteger xs = JPakeUtilities.CalculateX2s(pg1.Q, x4, s); + + BigInteger B = JPakeUtilities.CalculateA(pg1.P, pg1.Q, gB, xs); + + BigInteger keyingMaterial = JPakeUtilities.CalculateKeyingMaterial(pg1.P, pg1.Q, gx4, x2, s, B); + + BigInteger macTag = JPakeUtilities.CalculateMacTag("participantId", "partnerParticipantId", gx1, gx2, gx3, gx4, keyingMaterial, digest); + + // should succeed + JPakeUtilities.ValidateMacTag("partnerParticipantId", "participantId", gx3, gx4, gx1, gx2, keyingMaterial, digest, macTag); + + // validating own macTag (as opposed to the other party's mactag) + try + { + JPakeUtilities.ValidateMacTag("participantId", "partnerParticipantId", gx1, gx2, gx3, gx4, keyingMaterial, digest, macTag); + + Fail("failed to throw exception on validating own macTag (calculated partner macTag)"); + } + catch (CryptoException) + { + // expected + } + + // participant ids switched + try + { + JPakeUtilities.ValidateMacTag("participantId", "partnerParticipantId", gx3, gx4, gx1, gx2, keyingMaterial, digest, macTag); + + Fail("failed to throw exception on validating own macTag (calculated partner macTag"); + } + catch (CryptoException) + { + // expected + } + } + + public void TestValidateNotNull() + { + JPakeUtilities.ValidateNotNull("a", "description"); + + try + { + JPakeUtilities.ValidateNotNull(null, "description"); + + Fail("failed to throw exception on null"); + } + catch (ArgumentNullException) + { + // expected + } + } + + public void TestValidateZeroKnowledgeProof() + { + JPakePrimeOrderGroup pg1 = JPakePrimeOrderGroups.SUN_JCE_1024; + + SecureRandom random = new SecureRandom(); + IDigest digest1 = new Sha256Digest(); + + BigInteger x1 = JPakeUtilities.GenerateX1(pg1.Q, random); + BigInteger gx1 = JPakeUtilities.CalculateGx(pg1.P, pg1.G, x1); + string participantId1 = "participant1"; + + BigInteger[] zkp1 = JPakeUtilities.CalculateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, gx1, x1, participantId1, digest1, random); + + // should succeed + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, gx1, zkp1, participantId1, digest1); + + // wrong group + JPakePrimeOrderGroup pg2 = JPakePrimeOrderGroups.NIST_3072; + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg2.P, pg2.Q, pg2.G, gx1, zkp1, participantId1, digest1); + + Fail("failed to throw exception on wrong prime order group"); + } + catch (CryptoException) + { + // expected + } + + // wrong digest + IDigest digest2 = new Sha1Digest(); + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, gx1, zkp1, participantId1, digest2); + + Fail("failed to throw exception on wrong digest"); + } + catch (CryptoException) + { + // expected + } + + // wrong participant + string participantId2 = "participant2"; + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, gx1, zkp1, participantId2, digest1); + + Fail("failed to throw exception on wrong participant"); + } + catch (CryptoException) + { + // expected + } + + // wrong gx + BigInteger x2 = JPakeUtilities.GenerateX2(pg1.Q, random); + BigInteger gx2 = JPakeUtilities.CalculateGx(pg1.P, pg1.G, x2); + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, gx2, zkp1, participantId1, digest1); + + Fail("failed to throw exception on wrong gx"); + } + catch (CryptoException) + { + // expected + } + + // wrong zkp + BigInteger[] zkp2 = JPakeUtilities.CalculateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, gx2, x2, participantId1, digest1, random); + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, gx1, zkp2, participantId1, digest1); + + Fail("failed to throw exception on wrong zero knowledge proof"); + } + catch (CryptoException) + { + // expected + } + + // gx <= 0 + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, BigInteger.Zero, zkp1, participantId1, digest1); + + Fail("failed to throw exception on g^x <= 0"); + } + catch (CryptoException) + { + // expected + } + + // gx >= p + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, pg1.P, zkp1, participantId1, digest1); + + Fail("failed to throw exception on g^x >= p"); + } + catch (CryptoException) + { + // expected + } + + // gx mod q == 1 + try + { + JPakeUtilities.ValidateZeroKnowledgeProof(pg1.P, pg1.Q, pg1.G, pg1.Q.Add(BigInteger.One), zkp1, participantId1, digest1); + + Fail("failed to throw exception on g^x mod q == 1"); + } + catch (CryptoException) + { + // expected + } + } + } +} diff --git a/crypto/test/src/crypto/tls/test/TlsProtocolNonBlockingTest.cs b/crypto/test/src/crypto/tls/test/TlsProtocolNonBlockingTest.cs index 5fe0f32ad..477e287f1 100644 --- a/crypto/test/src/crypto/tls/test/TlsProtocolNonBlockingTest.cs +++ b/crypto/test/src/crypto/tls/test/TlsProtocolNonBlockingTest.cs @@ -104,7 +104,7 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests protocol.OfferInput(new byte[10]); Assert.Fail("Input was accepted after close"); } - catch (IOException e) + catch (IOException) { } @@ -113,7 +113,7 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests protocol.OfferOutput(new byte[10], 0, 10); Assert.Fail("Output was accepted after close"); } - catch (IOException e) + catch (IOException) { } } diff --git a/crypto/test/src/openpgp/examples/ByteArrayHandler.cs b/crypto/test/src/openpgp/examples/ByteArrayHandler.cs index 676db8766..b5098ff66 100644 --- a/crypto/test/src/openpgp/examples/ByteArrayHandler.cs +++ b/crypto/test/src/openpgp/examples/ByteArrayHandler.cs @@ -123,7 +123,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Examples } PgpEncryptedDataGenerator encGen = new PgpEncryptedDataGenerator(algorithm, new SecureRandom()); - encGen.AddMethod(passPhrase); + encGen.AddMethod(passPhrase, HashAlgorithmTag.Sha1); Stream encOut = encGen.Open(output, compressedData.Length); diff --git a/crypto/test/src/openpgp/examples/PbeFileProcessor.cs b/crypto/test/src/openpgp/examples/PbeFileProcessor.cs index 66b1cc4ed..961704407 100644 --- a/crypto/test/src/openpgp/examples/PbeFileProcessor.cs +++ b/crypto/test/src/openpgp/examples/PbeFileProcessor.cs @@ -127,7 +127,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Examples PgpEncryptedDataGenerator encGen = new PgpEncryptedDataGenerator( SymmetricKeyAlgorithmTag.Cast5, withIntegrityCheck, new SecureRandom()); - encGen.AddMethod(passPhrase); + encGen.AddMethod(passPhrase, HashAlgorithmTag.Sha1); Stream encOut = encGen.Open(outputStream, compressedData.Length); diff --git a/crypto/test/src/openpgp/test/PGPPBETest.cs b/crypto/test/src/openpgp/test/PGPPBETest.cs index 621cef684..29b786a83 100644 --- a/crypto/test/src/openpgp/test/PGPPBETest.cs +++ b/crypto/test/src/openpgp/test/PGPPBETest.cs @@ -168,7 +168,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests PgpEncryptedDataGenerator cPk = new PgpEncryptedDataGenerator( SymmetricKeyAlgorithmTag.Cast5, new SecureRandom()); - cPk.AddMethod(pass); + cPk.AddMethod(pass, HashAlgorithmTag.Sha1); byte[] bOutData = bOut.ToArray(); Stream cOut = cPk.Open(new UncloseableStream(cbOut), bOutData.Length); @@ -188,7 +188,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests cPk = new PgpEncryptedDataGenerator( SymmetricKeyAlgorithmTag.Cast5, new SecureRandom()); - cPk.AddMethod(pass); + cPk.AddMethod(pass, HashAlgorithmTag.Sha1); bOutData = bOut.ToArray(); cOut = cPk.Open(new UncloseableStream(cbOut), bOutData.Length); @@ -233,7 +233,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests cPk = new PgpEncryptedDataGenerator( SymmetricKeyAlgorithmTag.Cast5, rand); - cPk.AddMethod(pass); + cPk.AddMethod(pass, HashAlgorithmTag.Sha1); cOut = cPk.Open(new UncloseableStream(cbOut), new byte[16]); { @@ -256,7 +256,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests cPk = new PgpEncryptedDataGenerator( SymmetricKeyAlgorithmTag.Cast5, true, rand); - cPk.AddMethod(pass); + cPk.AddMethod(pass, HashAlgorithmTag.Sha1); cOut = cPk.Open(new UncloseableStream(cbOut), new byte[16]); bOutData = bOut.ToArray(); @@ -328,7 +328,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests cbOut = new MemoryStream(); cPk = new PgpEncryptedDataGenerator(SymmetricKeyAlgorithmTag.Cast5, true, rand); - cPk.AddMethod(pass); + cPk.AddMethod(pass, HashAlgorithmTag.Sha1); cOut = cPk.Open(new UncloseableStream(cbOut), new byte[16]); diff --git a/crypto/test/src/openpgp/test/PGPRSATest.cs b/crypto/test/src/openpgp/test/PGPRSATest.cs index 35f844483..82b569bbb 100644 --- a/crypto/test/src/openpgp/test/PGPRSATest.cs +++ b/crypto/test/src/openpgp/test/PGPRSATest.cs @@ -381,7 +381,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests encGen.AddMethod(pgpPubKey); - encGen.AddMethod("password".ToCharArray()); + encGen.AddMethod("password".ToCharArray(), HashAlgorithmTag.Sha1); Stream cOut = encGen.Open(bcOut, bytes.Length); diff --git a/crypto/test/src/openpgp/test/PgpKeyRingTest.cs b/crypto/test/src/openpgp/test/PgpKeyRingTest.cs index 9896c1ef6..43aef5afa 100644 --- a/crypto/test/src/openpgp/test/PgpKeyRingTest.cs +++ b/crypto/test/src/openpgp/test/PgpKeyRingTest.cs @@ -1844,7 +1844,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests PgpKeyPair elgKeyPair = new PgpKeyPair(PublicKeyAlgorithmTag.ElGamalEncrypt, elgKp, DateTime.UtcNow); PgpKeyRingGenerator keyRingGen = new PgpKeyRingGenerator(PgpSignature.PositiveCertification, dsaKeyPair, - "test", SymmetricKeyAlgorithmTag.Aes256, passPhrase, null, null, new SecureRandom()); + "test", SymmetricKeyAlgorithmTag.Aes256, passPhrase, false, null, null, new SecureRandom()); keyRingGen.AddSubKey(elgKeyPair); @@ -1904,12 +1904,12 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests PgpKeyPair rsaKeyPair2 = new PgpKeyPair(PublicKeyAlgorithmTag.RsaGeneral, rsaKp, DateTime.UtcNow); PgpKeyRingGenerator keyRingGen = new PgpKeyRingGenerator(PgpSignature.PositiveCertification, - rsaKeyPair1, "test", SymmetricKeyAlgorithmTag.Aes256, passPhrase, null, null, random); + rsaKeyPair1, "test", SymmetricKeyAlgorithmTag.Aes256, passPhrase, false, null, null, random); PgpSecretKeyRing secRing1 = keyRingGen.GenerateSecretKeyRing(); PgpPublicKeyRing pubRing1 = keyRingGen.GeneratePublicKeyRing(); keyRingGen = new PgpKeyRingGenerator(PgpSignature.PositiveCertification, - rsaKeyPair2, "test", SymmetricKeyAlgorithmTag.Aes256, passPhrase, null, null, random); + rsaKeyPair2, "test", SymmetricKeyAlgorithmTag.Aes256, passPhrase, false, null, null, random); PgpSecretKeyRing secRing2 = keyRingGen.GenerateSecretKeyRing(); PgpPublicKeyRing pubRing2 = keyRingGen.GeneratePublicKeyRing(); diff --git a/crypto/test/src/openpgp/test/PgpUnicodeTest.cs b/crypto/test/src/openpgp/test/PgpUnicodeTest.cs index ce1df8980..534e8a471 100644 --- a/crypto/test/src/openpgp/test/PgpUnicodeTest.cs +++ b/crypto/test/src/openpgp/test/PgpUnicodeTest.cs @@ -13,7 +13,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests [TestFixture] public class PgpUnicodeTest { - private void DoTestKey(BigInteger keyId, string passphrase) + private void DoTestKey(BigInteger keyId, string passphrase, bool utf8) { PgpSecretKeyRingBundle secretKeyRing = LoadSecretKeyCollection("secring.gpg"); @@ -25,7 +25,11 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests try { - PgpPrivateKey privateKey = key.ExtractPrivateKey(passphrase.ToCharArray()); + char[] pass = passphrase.ToCharArray(); + + PgpPrivateKey privateKey = utf8 + ? key.ExtractPrivateKeyUtf8(pass) + : key.ExtractPrivateKey(pass); Assert.IsTrue(privateKey.KeyId == keyId.LongValue); } @@ -53,7 +57,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests // passwordFile.close(); // String passphrase = new String(password); - DoTestKey(keyId, passphrase); + DoTestKey(keyId, passphrase, true); // all fine! @@ -75,7 +79,8 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests string passphrase = "Admin123"; - DoTestKey(keyId, passphrase); + DoTestKey(keyId, passphrase, false); + DoTestKey(keyId, passphrase, true); // all fine! } @@ -102,7 +107,7 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp.Tests string passphrase = reader.ReadLine(); passwordFile.Close(); - DoTestKey(keyId, passphrase); + DoTestKey(keyId, passphrase, true); // all fine! } |