From 0bd7af01eb0144ecc6d45e2598ef1cb0aaeaa5a4 Mon Sep 17 00:00:00 2001
From: Peter Dettman <peter.dettman@bouncycastle.org>
Date: Thu, 27 Jul 2023 13:07:43 +0700
Subject: Refactor CMP PKMAC verification

---
 crypto/src/cmp/ProtectedPkiMessage.cs | 34 ++++++++++------------------------
 crypto/src/x509/X509Utilities.cs      |  8 ++++++++
 2 files changed, 18 insertions(+), 24 deletions(-)

diff --git a/crypto/src/cmp/ProtectedPkiMessage.cs b/crypto/src/cmp/ProtectedPkiMessage.cs
index 03dd2327e..a7fdd35a9 100644
--- a/crypto/src/cmp/ProtectedPkiMessage.cs
+++ b/crypto/src/cmp/ProtectedPkiMessage.cs
@@ -5,7 +5,6 @@ using Org.BouncyCastle.Asn1.Cmp;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Crmf;
 using Org.BouncyCastle.Crypto;
-using Org.BouncyCastle.Utilities;
 using Org.BouncyCastle.X509;
 
 namespace Org.BouncyCastle.Cmp
@@ -83,8 +82,7 @@ namespace Org.BouncyCastle.Cmp
             if (null == certs)
                 return new X509Certificate[0];
 
-            return Array.ConvertAll<CmpCertificate, X509Certificate>(certs,
-                cmpCertificate => new X509Certificate(cmpCertificate.X509v3PKCert));
+            return Array.ConvertAll(certs, cmpCertificate => new X509Certificate(cmpCertificate.X509v3PKCert));
         }
 
         /// <summary>
@@ -92,14 +90,8 @@ namespace Org.BouncyCastle.Cmp
         /// </summary>
         /// <param name="verifierFactory">a factory of signature verifiers.</param>
         /// <returns>true if the provider is able to create a verifier that validates the signature, false otherwise.</returns>      
-        public virtual bool Verify(IVerifierFactory verifierFactory)
-        {
-            IStreamCalculator<IVerifier> streamCalculator = verifierFactory.CreateCalculator();
-
-            IVerifier result = Process(streamCalculator);
-
-            return result.IsVerified(m_pkiMessage.Protection.GetBytes());
-        }
+        public virtual bool Verify(IVerifierFactory verifierFactory) =>
+            X509Utilities.VerifySignature(verifierFactory, CreateProtected(), m_pkiMessage.Protection);
 
         /// <summary>
         /// Verify a message with password based MAC protection.
@@ -120,32 +112,26 @@ namespace Org.BouncyCastle.Cmp
 
             var macFactory = pkMacBuilder.Build(password);
 
-            IBlockResult result = Process(macFactory.CreateCalculator());
-
-            return Arrays.FixedTimeEquals(result.Collect(), m_pkiMessage.Protection.GetBytes());
+            return X509Utilities.VerifyMac(macFactory, CreateProtected(), m_pkiMessage.Protection);
         }
 
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
         public virtual bool Verify(PKMacBuilder pkMacBuilder, ReadOnlySpan<char> password)
         {
-            if (!CmpObjectIdentifiers.passwordBasedMac.Equals(m_pkiMessage.Header.ProtectionAlg.Algorithm))
+            var protectionAlgorithm = m_pkiMessage.Header.ProtectionAlg;
+
+            if (!CmpObjectIdentifiers.passwordBasedMac.Equals(protectionAlgorithm.Algorithm))
                 throw new InvalidOperationException("protection algorithm is not mac based");
 
-            PbmParameter parameter = PbmParameter.GetInstance(m_pkiMessage.Header.ProtectionAlg.Parameters);
+            PbmParameter parameter = PbmParameter.GetInstance(protectionAlgorithm.Parameters);
             pkMacBuilder.SetParameters(parameter);
 
             var macFactory = pkMacBuilder.Build(password);
 
-            IBlockResult result = Process(macFactory.CreateCalculator());
-
-            return Arrays.FixedTimeEquals(result.Collect(), m_pkiMessage.Protection.GetBytes());
+            return X509Utilities.VerifyMac(macFactory, CreateProtected(), m_pkiMessage.Protection);
         }
 #endif
 
-        private TResult Process<TResult>(IStreamCalculator<TResult> streamCalculator)
-        {
-            var asn1Encodable = new DerSequence(m_pkiMessage.Header, m_pkiMessage.Body);
-            return X509Utilities.CalculateResult(streamCalculator, asn1Encodable);
-        }
+        private DerSequence CreateProtected() => new DerSequence(m_pkiMessage.Header, m_pkiMessage.Body);
     }
 }
diff --git a/crypto/src/x509/X509Utilities.cs b/crypto/src/x509/X509Utilities.cs
index 3ab6b926c..45fa75916 100644
--- a/crypto/src/x509/X509Utilities.cs
+++ b/crypto/src/x509/X509Utilities.cs
@@ -10,6 +10,7 @@ using Org.BouncyCastle.Asn1.TeleTrust;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Utilities;
 using Org.BouncyCastle.Utilities.Collections;
 
 namespace Org.BouncyCastle.X509
@@ -204,6 +205,13 @@ namespace Org.BouncyCastle.X509
             return GenerateBitString(signatureFactory.CreateCalculator(), asn1Encodable);
         }
 
+        internal static bool VerifyMac(IMacFactory macFactory, Asn1Encodable asn1Encodable, DerBitString protection)
+        {
+            var result = CalculateResult(macFactory.CreateCalculator(), asn1Encodable);
+
+            return Arrays.FixedTimeEquals(result.Collect(), protection.GetBytes());
+        }
+
         internal static bool VerifySignature(IVerifierFactory verifierFactory, Asn1Encodable asn1Encodable,
 			DerBitString signature)
         {
-- 
cgit 1.4.1