1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
using System;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Encodings;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
{
/// <summary>Credentialed class decrypting RSA encrypted secrets sent from a peer for our end of the TLS connection
/// using the BC light-weight API.</summary>
public class BcDefaultTlsCredentialedDecryptor
: TlsCredentialedDecryptor
{
protected readonly BcTlsCrypto m_crypto;
protected readonly Certificate m_certificate;
protected readonly AsymmetricKeyParameter m_privateKey;
public BcDefaultTlsCredentialedDecryptor(BcTlsCrypto crypto, Certificate certificate,
AsymmetricKeyParameter privateKey)
{
if (crypto == null)
throw new ArgumentNullException("crypto");
if (certificate == null)
throw new ArgumentNullException("certificate");
if (certificate.IsEmpty)
throw new ArgumentException("cannot be empty", "certificate");
if (privateKey == null)
throw new ArgumentNullException("privateKey");
if (!privateKey.IsPrivate)
throw new ArgumentException("must be private", "privateKey");
if (privateKey is RsaKeyParameters)
{
}
else
{
throw new ArgumentException("'privateKey' type not supported: " + privateKey.GetType().FullName);
}
this.m_crypto = crypto;
this.m_certificate = certificate;
this.m_privateKey = privateKey;
}
public virtual Certificate Certificate
{
get { return m_certificate; }
}
public virtual TlsSecret Decrypt(TlsCryptoParameters cryptoParams, byte[] ciphertext)
{
// TODO Keep only the decryption itself here - move error handling outside
return SafeDecryptPreMasterSecret(cryptoParams, (RsaKeyParameters)m_privateKey, ciphertext);
}
/*
* TODO[tls-ops] Probably need to make RSA encryption/decryption into TlsCrypto functions so that users can
* implement "generic" encryption credentials externally
*/
protected virtual TlsSecret SafeDecryptPreMasterSecret(TlsCryptoParameters cryptoParams,
RsaKeyParameters rsaServerPrivateKey, byte[] encryptedPreMasterSecret)
{
SecureRandom secureRandom = m_crypto.SecureRandom;
/*
* RFC 5246 7.4.7.1.
*/
ProtocolVersion expectedVersion = cryptoParams.RsaPreMasterSecretVersion;
/*
* Generate 48 random bytes we can use as a Pre-Master-Secret, if the PKCS1 padding check should fail.
*/
byte[] fallback = new byte[48];
secureRandom.NextBytes(fallback);
byte[] M = Arrays.Clone(fallback);
try
{
Pkcs1Encoding encoding = new Pkcs1Encoding(new RsaBlindedEngine(), fallback);
encoding.Init(false, new ParametersWithRandom(rsaServerPrivateKey, secureRandom));
M = encoding.ProcessBlock(encryptedPreMasterSecret, 0, encryptedPreMasterSecret.Length);
}
catch (Exception)
{
/*
* This should never happen since the decryption should never throw an exception and return a random
* value instead.
*
* In any case, a TLS server MUST NOT generate an alert if processing an RSA-encrypted premaster secret
* message fails, or the version number is not as expected. Instead, it MUST continue the handshake with
* a randomly generated premaster secret.
*/
}
/*
* Compare the version number in the decrypted Pre-Master-Secret with the legacy_version field from the
* ClientHello. If they don't match, continue the handshake with the randomly generated 'fallback' value.
*
* NOTE: The comparison and replacement must be constant-time.
*/
int mask = (expectedVersion.MajorVersion ^ M[0])
| (expectedVersion.MinorVersion ^ M[1]);
// 'mask' will be all 1s if the versions matched, or else all 0s.
mask = (mask - 1) >> 31;
for (int i = 0; i < 48; i++)
{
M[i] = (byte)((M[i] & mask) | (fallback[i] & ~mask));
}
return m_crypto.CreateSecret(M);
}
}
}
|
