authorJ08nY2017-05-01 16:01:11 +0200
committerJ08nY2017-05-01 16:01:11 +0200
commitded7d49b3f23c140d1e10fe018e0dc42f19d526e (patch)
treea0c6fc4560c63cf0cc5098c20a316ef30ab09b21 /src/cz/crcs/ectester/applet
parent6238d40a1fa44bfbaa251620eb83c3aa803d626e (diff)
Change EC_Consts.CORRUPTION_* into a short that's maskable
Diffstat (limited to 'src/cz/crcs/ectester/applet')
-rw-r--r--src/cz/crcs/ectester/applet/ECKeyTester.java85
-rw-r--r--src/cz/crcs/ectester/applet/ECTesterApplet.java40
-rw-r--r--src/cz/crcs/ectester/applet/EC_Consts.java160
3 files changed, 151 insertions, 134 deletions
diff --git a/src/cz/crcs/ectester/applet/ECKeyTester.java b/src/cz/crcs/ectester/applet/ECKeyTester.java
index aac4656..1d113ae 100644
--- a/src/cz/crcs/ectester/applet/ECKeyTester.java
+++ b/src/cz/crcs/ectester/applet/ECKeyTester.java
@@ -50,7 +50,7 @@ public class ECKeyTester {
return sw;
}
- private short testKA(KeyAgreement ka, KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, byte corruption) {
+ private short testKA(KeyAgreement ka, KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, short corruption) {
short length = 0;
try {
sw = ECUtil.kaCheck(ka);
@@ -72,16 +72,16 @@ public class ECKeyTester {
* Uses {@code pubkeyBuffer} at {@code pubkeyOffset} for computations.
* Output should equal with ECDHC output.
*
- * @param privatePair
- * @param publicPair
- * @param pubkeyBuffer
- * @param pubkeyOffset
- * @param outputBuffer
- * @param outputOffset
- * @param corruption
+ * @param privatePair KeyPair from which the private key is used
+ * @param publicPair KeyPair from which the public key is used
+ * @param pubkeyBuffer buffer to be used for the public key
+ * @param pubkeyOffset offset into pubkeyBuffer that can be used for the public key
+ * @param outputBuffer buffer to be used for the secret output
+ * @param outputOffset offset into the outputBuffer
+ * @param corruption (EC_Consts.CORRUPTION_* | ...)
* @return derived secret length
**/
- public short testECDH(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, byte corruption) {
+ public short testECDH(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, short corruption) {
return testKA(ecdhKeyAgreement, privatePair, publicPair, pubkeyBuffer, pubkeyOffset, outputBuffer, outputOffset, corruption);
}
@@ -90,31 +90,30 @@ public class ECKeyTester {
* Uses {@code pubkeyBuffer} at {@code pubkeyOffset} for computations.
* Output should equal to ECDH output.
*
- * @param privatePair
- * @param publicPair
- * @param pubkeyBuffer
- * @param pubkeyOffset
- * @param outputBuffer
- * @param outputOffset
- * @param corruption
+ * @param privatePair KeyPair from which the private key is used
+ * @param publicPair KeyPair from which the public key is used
+ * @param pubkeyBuffer buffer to be used for the public key
+ * @param pubkeyOffset offset into pubkeyBuffer that can be used for the public key
+ * @param outputBuffer buffer to be used for the secret output
+ * @param outputOffset offset into the outputBuffer
+ * @param corruption (EC_Consts.CORRUPTION_* | ...)
* @return derived secret length
*/
- public short testECDHC(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, byte corruption) {
+ public short testECDHC(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, short corruption) {
return testKA(ecdhcKeyAgreement, privatePair, publicPair, pubkeyBuffer, pubkeyOffset, outputBuffer, outputOffset, corruption);
}
/**
- *
- * @param privatePair
- * @param publicPair
- * @param pubkeyBuffer
- * @param pubkeyOffset
- * @param outputBuffer
- * @param outputOffset
- * @param corruption
+ * @param privatePair KeyPair from which the private key is used
+ * @param publicPair KeyPair from which the public key is used
+ * @param pubkeyBuffer buffer to be used for the public key
+ * @param pubkeyOffset offset into pubkeyBuffer that can be used for the public key
+ * @param outputBuffer buffer to be used for the secret output
+ * @param outputOffset offset into the outputBuffer
+ * @param corruption (EC_Consts.CORRUPTION_* | ...)
* @return
*/
- public short testBOTH(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, byte corruption) {
+ public short testBOTH(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, short corruption) {
short ecdhLength = testECDH(privatePair, publicPair, pubkeyBuffer, pubkeyOffset, outputBuffer, outputOffset, corruption);
if (sw != ISO7816.SW_NO_ERROR) {
return ecdhLength;
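Review bot: The `@return` tag on `testBOTH` is still empty and the method has no summary sentence, unlike `testECDH` and `testECDHC` above it; `testANY` in the later hunk has the same gap. From the visible lines `testBOTH` returns `ecdhLength` early when the ECDH run leaves `sw` set to an error, so the tag could read `@return derived secret length; on failure the length from the failing run, with sw set`. The rest of the body is outside this hunk, so the wording for the success path should be checked against it.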
@@ -124,7 +123,7 @@ public class ECKeyTester {
if (sw != ISO7816.SW_NO_ERROR) {
return length;
}
- if (Util.arrayCompare(outputBuffer, outputOffset, outputBuffer, (short)(outputOffset + ecdhLength), ecdhLength) != 0) {
+ if (Util.arrayCompare(outputBuffer, outputOffset, outputBuffer, (short) (outputOffset + ecdhLength), ecdhLength) != 0) {
sw = ECTesterApplet.SW_DH_DHC_MISMATCH;
}
return length;
@@ -132,34 +131,34 @@ public class ECKeyTester {
}
/**
- *
- * @param privatePair
- * @param publicPair
- * @param pubkeyBuffer
- * @param pubkeyOffset
- * @param outputBuffer
- * @param outputOffset
- * @param corruption
+ * @param privatePair KeyPair from which the private key is used
+ * @param publicPair KeyPair from which the public key is used
+ * @param pubkeyBuffer buffer to be used for the public key
+ * @param pubkeyOffset offset into pubkeyBuffer that can be used for the public key
+ * @param outputBuffer buffer to be used for the secret output
+ * @param outputOffset offset into the outputBuffer
+ * @param corruption (EC_Consts.CORRUPTION_* | ...)
* @return
*/
- public short testANY(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[]outputBuffer, short outputOffset, byte corruption) {
+ public short testANY(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, short corruption) {
short ecdhLength = testECDH(privatePair, publicPair, pubkeyBuffer, pubkeyOffset, outputBuffer, outputOffset, corruption);
if (sw == ISO7816.SW_NO_ERROR)
return ecdhLength;
return testECDHC(privatePair, publicPair, pubkeyBuffer, pubkeyOffset, outputBuffer, outputOffset, corruption);
}
+
/**
* Uses {@code signKey} to sign data from {@code inputBuffer} at {@code inputOffset} with {@code inputOffset}.
* Then checks for correct signature length.
* Then tries verifying the data with {@code verifyKey}.
*
- * @param signKey
- * @param verifyKey
- * @param inputBuffer
- * @param inputOffset
- * @param inputLength
- * @param sigBuffer
- * @param sigOffset
+ * @param signKey key to use for signing
+ * @param verifyKey key to use for verifying the signature
+ * @param inputBuffer buffer to sign data from
+ * @param inputOffset offset into inputBuffer to sign data from
+ * @param inputLength length of data to sign
+ * @param sigBuffer buffer to output signature to
+ * @param sigOffset offset into sigBuffer to output to
* @return signature length
*/
public short testECDSA(ECPrivateKey signKey, ECPublicKey verifyKey, byte[] inputBuffer, short inputOffset, short inputLength, byte[] sigBuffer, short sigOffset) {
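Review bot: The summary line of the `testECDSA` Javadoc says the data is taken "at `{@code inputOffset}` with `{@code inputOffset}`", naming the same parameter twice. The second reference presumably means the length, which the newly documented `@param inputLength length of data to sign` suggests. Since the commit is already rewriting this comment, the sentence could become `Uses {@code signKey} to sign data from {@code inputBuffer} at {@code inputOffset} with {@code inputLength}.`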
diff --git a/src/cz/crcs/ectester/applet/ECTesterApplet.java b/src/cz/crcs/ectester/applet/ECTesterApplet.java
index 88d1b8c..4e586ec 100644
--- a/src/cz/crcs/ectester/applet/ECTesterApplet.java
+++ b/src/cz/crcs/ectester/applet/ECTesterApplet.java
@@ -340,7 +340,7 @@ public class ECTesterApplet extends Applet {
* @param apdu P1 = byte pubkey (KEYPAIR_*)
* P2 = byte privkey (KEYPAIR_*)
* DATA = byte export (EXPORT_TRUE || EXPORT_FALSE)
- * byte corruption (00 = valid, !00 = invalid)
+ * short corruption (EC_Consts.CORRUPTION_* | ...)
* byte type (EC_Consts.KA_* | ...)
*/
private void insECDH(APDU apdu) {
@@ -350,8 +350,8 @@ public class ECTesterApplet extends Applet {
byte pubkey = apdubuf[ISO7816.OFFSET_P1];
byte privkey = apdubuf[ISO7816.OFFSET_P2];
byte export = apdubuf[ISO7816.OFFSET_CDATA];
- byte corruption = apdubuf[(short) (ISO7816.OFFSET_CDATA + 1)];
- byte type = apdubuf[(short) (ISO7816.OFFSET_CDATA + 2)];
+ short corruption = Util.getShort(apdubuf, (short) (ISO7816.OFFSET_CDATA + 1));
+ byte type = apdubuf[(short) (ISO7816.OFFSET_CDATA + 3)];
short len = ecdh(pubkey, privkey, export, corruption, type, apdubuf, (short) 0);
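Review bot: The command data is now four bytes (export, a two-byte corruption mask, and type at `OFFSET_CDATA + 3`), but nothing in this hunk checks that the APDU actually carried that many bytes. `insECDH` starts outside the hunk, so a length check may exist above; if it does not, a shorter command would have `corruption` and `type` filled from whatever the APDU buffer held before. That includes a host still sending the old three-byte layout, which would be misparsed silently. Comparing the received length with 4 before the reads and rejecting with `ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);` would make the format change fail loudly.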
@@ -386,8 +386,9 @@ public class ECTesterApplet extends Applet {
}
/**
+ * Performs card memory cleanup via JCSystem.requestObjectDeletion()
*
- * @param apdu
+ * @param apdu no data
*/
private void insCleanup(APDU apdu) {
apdu.setIncomingAndReceive();
@@ -399,8 +400,10 @@ public class ECTesterApplet extends Applet {
}
/**
+ * Returns data about card support for various EC related tasks collected on applet
+ * install.
*
- * @param apdu
+ * @param apdu no data
*/
private void insSupport(APDU apdu) {
apdu.setIncomingAndReceive();
@@ -541,12 +544,12 @@ public class ECTesterApplet extends Applet {
* @param privkey keyPair to use for private key, (KEYPAIR_LOCAL || KEYPAIR_REMOTE)
* @param export whether to export ECDH secret
* @param corruption whether to invalidate the pubkey before ECDH
- * @param type
+ * @param type KeyAgreement type to test (EC_Consts.KA_* || ...)
* @param buffer buffer to write sw to, and export ECDH secret {@code if(export == EXPORT_TRUE)}
* @param offset output offset in buffer
* @return length of data written to the buffer
*/
- private short ecdh(byte pubkey, byte privkey, byte export, byte corruption, byte type, byte[] buffer, short offset) {
+ private short ecdh(byte pubkey, byte privkey, byte export, short corruption, byte type, byte[] buffer, short offset) {
short length = 0;
KeyPair pub = ((pubkey & KEYPAIR_LOCAL) != 0) ? localKeypair : remoteKeypair;
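Review bot: The `@param corruption` line above still reads "whether to invalidate the pubkey before ECDH", which described the old zero/non-zero byte. It should match the new mask, for example `@param corruption corruption mask applied to the pubkey before ECDH (EC_Consts.CORRUPTION_* | ...)`. The new `type` line also writes `(EC_Consts.KA_* || ...)` where the `insECDH` comment uses a single `|`; one spelling should be used in both places. The body of `ecdh` continues outside this hunk.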
@@ -564,7 +567,7 @@ public class ECTesterApplet extends Applet {
secretLength = keyTester.testBOTH(priv, pub, ramArray, (short) 0, ramArray2, (short) 0, corruption);
break;
case EC_Consts.KA_ANY:
- secretLength = keyTester.testANY(priv, pub, ramArray, (short) 0, ramArray2, (short)0, corruption);
+ secretLength = keyTester.testANY(priv, pub, ramArray, (short) 0, ramArray2, (short) 0, corruption);
break;
default:
ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);
@@ -619,9 +622,9 @@ public class ECTesterApplet extends Applet {
}
/**
- * @param buffer
- * @param offset
- * @return
+ * @param buffer buffer to write sw to
+ * @param offset output offset in buffer
+ * @return length of data written to the buffer
*/
private short cleanup(byte[] buffer, short offset) {
short sw = ISO7816.SW_NO_ERROR;
@@ -637,10 +640,9 @@ public class ECTesterApplet extends Applet {
}
/**
- *
- * @param buffer
- * @param offset
- * @return
+ * @param buffer buffer to write sw to
+ * @param offset output offset in buffer
+ * @return length of data written to the buffer
*/
private short support(byte[] buffer, short offset) {
@@ -650,14 +652,14 @@ public class ECTesterApplet extends Applet {
Util.setShort(buffer, offset, ISO7816.SW_INS_NOT_SUPPORTED);
}
if (keyTester.hasECDHC()) {
- Util.setShort(buffer, (short) (offset+2), ecdhcSW);
+ Util.setShort(buffer, (short) (offset + 2), ecdhcSW);
} else {
- Util.setShort(buffer, (short) (offset+2), ISO7816.SW_INS_NOT_SUPPORTED);
+ Util.setShort(buffer, (short) (offset + 2), ISO7816.SW_INS_NOT_SUPPORTED);
}
if (keyTester.hasECDSA()) {
- Util.setShort(buffer, (short) (offset+4), ecdsaSW);
+ Util.setShort(buffer, (short) (offset + 4), ecdsaSW);
} else {
- Util.setShort(buffer, (short) (offset+4), ISO7816.SW_INS_NOT_SUPPORTED);
+ Util.setShort(buffer, (short) (offset + 4), ISO7816.SW_INS_NOT_SUPPORTED);
}
return 6;
diff --git a/src/cz/crcs/ectester/applet/EC_Consts.java b/src/cz/crcs/ectester/applet/EC_Consts.java
index 1334541..f749af5 100644
--- a/src/cz/crcs/ectester/applet/EC_Consts.java
+++ b/src/cz/crcs/ectester/applet/EC_Consts.java
@@ -950,18 +950,16 @@ public class EC_Consts {
// getCorruptCurveParameter PARAMETER_CORRUPTION TYPES
- public static final byte CORRUPTION_NONE = (byte) 0x00;
- public static final byte CORRUPTION_FIXED = (byte) 0x01;
- public static final byte CORRUPTION_FULLRANDOM = (byte) 0x02;
- public static final byte CORRUPTION_ONEBYTERANDOM = (byte) 0x03;
- public static final byte CORRUPTION_ZERO = (byte) 0x04;
- public static final byte CORRUPTION_ONE = (byte) 0x05;
- public static final byte CORRUPTION_MAX = (byte) 0x06;
- public static final byte CORRUPTION_INCREMENT = (byte) 0x07;
- public static final byte CORRUPTION_INFINITY = (byte) 0x08;
- public static final byte CORRUPTION_PREFIX_COMPRESSED = (byte) 0x09;
- public static final byte CORRUPTION_PREFIX_HYBRID = (byte) 0x0a;
- public static final byte CORRUPTION_PREFIX_UNCOMPRESSED = (byte) 0x0b;
+ public static final short CORRUPTION_NONE = (short) 0x00;
+ public static final short CORRUPTION_FIXED = (short) 0x01;
+ public static final short CORRUPTION_FULLRANDOM = (short) 0x02;
+ public static final short CORRUPTION_ONEBYTERANDOM = (short) 0x04;
+ public static final short CORRUPTION_ZERO = (short) 0x08;
+ public static final short CORRUPTION_ONE = (short) 0x10;
+ public static final short CORRUPTION_MAX = (short) 0x20;
+ public static final short CORRUPTION_INCREMENT = (short) 0x40;
+ public static final short CORRUPTION_INFINITY = (short) 0x80;
+ public static final short CORRUPTION_COMPRESS = (short) 0x0100;
// toX962 FORM types
public static final byte X962_UNCOMPRESSED = (byte) 0x00;
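Review bot: The comment above the constants still calls them "TYPES", although each value is now a single bit intended to be OR-ed into one `short`. A line such as `// bit flags, combine with |; applied in ascending bit order by corruptParameter` would tell callers that combinations are allowed and that a later flag can overwrite the effect of an earlier one. Every value from `CORRUPTION_ONEBYTERANDOM` upward is also renumbered, so any host-side copy of these constants has to change with this commit. The diffstat here is limited to the applet directory, so that cannot be confirmed from this page.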
@@ -1242,71 +1240,89 @@ public class EC_Consts {
return length;
}
- public static short corruptParameter(byte corruption, byte[] buffer, short offset, short length) {
- switch (corruption) {
- case CORRUPTION_NONE:
- break;
- case CORRUPTION_FIXED:
- if (length >= 1) {
- buffer[offset] = (byte) 0xcc;
- buffer[(short) (offset + length - 1)] = (byte) 0xcc;
- }
- break;
- case CORRUPTION_FULLRANDOM:
- randomData.generateData(buffer, offset, length);
- break;
- case CORRUPTION_ONEBYTERANDOM:
- short first = Util.getShort(buffer, (short) 0); // save first two bytes
+ public static short corruptParameter(short corruption, byte[] buffer, short offset, short length) {
+ if (corruption == CORRUPTION_NONE) {
+ return length;
+ }
- randomData.generateData(buffer, (short) 0, (short) 2); // generate position
- short rngPos = Util.getShort(buffer, (short) 0); // save generated position
+ short corruptionMask = CORRUPTION_FIXED;
+ while (corruptionMask <= CORRUPTION_COMPRESS) {
+ short corruptionPart = (short) (corruptionMask & corruption);
+ switch (corruptionPart) {
+ case 0:
+ break;
+ case CORRUPTION_FIXED:
+ if (length >= 1) {
+ buffer[offset] = (byte) 0xcc;
+ buffer[(short) (offset + length - 1)] = (byte) 0xcc;
+ }
+ break;
+ case CORRUPTION_FULLRANDOM:
+ randomData.generateData(buffer, offset, length);
+ break;
+ case CORRUPTION_ONEBYTERANDOM:
+ short first = Util.getShort(buffer, (short) 0); // save first two bytes
- Util.setShort(buffer, (short) 0, first); // restore first two bytes
+ randomData.generateData(buffer, (short) 0, (short) 2); // generate position
+ short rngPos = Util.getShort(buffer, (short) 0); // save generated position
- if (rngPos < 0) { // make positive
- rngPos = (short) -rngPos;
- }
- rngPos %= length; // make < param length
+ Util.setShort(buffer, (short) 0, first); // restore first two bytes
- byte original = buffer[rngPos];
- do {
- randomData.generateData(buffer, rngPos, (short) 1);
- } while (original == buffer[rngPos]);
- break;
- case CORRUPTION_ZERO:
- Util.arrayFillNonAtomic(buffer, offset, length, (byte) 0);
- break;
- case CORRUPTION_ONE:
- Util.arrayFillNonAtomic(buffer, offset, length, (byte) 0);
- buffer[(short) (offset + length)] = (byte) 1;
- break;
- case CORRUPTION_MAX:
- Util.arrayFillNonAtomic(buffer, offset, length, (byte) 1);
- break;
- case CORRUPTION_INCREMENT:
- short index = (short) (offset + length - 1);
- byte value;
- do {
- value = buffer[index];
- buffer[index--] = ++value;
- } while (value == (byte) 0 && index >= offset);
- break;
- case CORRUPTION_INFINITY:
- Util.arrayFillNonAtomic(buffer, offset, length, (byte) 0);
- return 1;
- case CORRUPTION_PREFIX_COMPRESSED:
- buffer[offset] = 2;
- break;
- case CORRUPTION_PREFIX_HYBRID:
- buffer[offset] = 6;
- break;
- case CORRUPTION_PREFIX_UNCOMPRESSED:
- buffer[offset] = 4;
- break;
- default:
- ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);
- }
+ if (rngPos < 0) { // make positive
+ rngPos = (short) -rngPos;
+ }
+ rngPos %= length; // make < param length
+
+ byte original = buffer[rngPos];
+ do {
+ randomData.generateData(buffer, rngPos, (short) 1);
+ } while (original == buffer[rngPos]);
+ break;
+ case CORRUPTION_ZERO:
+ Util.arrayFillNonAtomic(buffer, offset, length, (byte) 0);
+ break;
+ case CORRUPTION_ONE:
+ Util.arrayFillNonAtomic(buffer, offset, length, (byte) 0);
+ buffer[(short) (offset + length)] = (byte) 1;
+ break;
+ case CORRUPTION_MAX:
+ Util.arrayFillNonAtomic(buffer, offset, length, (byte) 1);
+ break;
+ case CORRUPTION_INCREMENT:
+ short index = (short) (offset + length - 1);
+ byte value;
+ do {
+ value = buffer[index];
+ buffer[index--] = ++value;
+ } while (value == (byte) 0 && index >= offset);
+ break;
+ case CORRUPTION_INFINITY:
+ Util.arrayFillNonAtomic(buffer, offset, length, (byte) 0);
+ length = 1;
+ break;
+ case CORRUPTION_COMPRESS:
+ if (length % 2 != 1) {
+ // an uncompressed point should have odd length (since 1 byte type, + 2 * coords)
+ ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);
+ }
+ short half = (short) ((length - 1) / 2);
+ byte yLSB = buffer[(short) (offset + length)];
+ byte yBit = (byte) (yLSB & 0x01);
+ if (yBit == 1) {
+ buffer[offset] = 3;
+ } else {
+ buffer[offset] = 2;
+ }
+
+ length = (short) (half + 1);
+ break;
+ //TODO: test hybrid form with not corresponding yBit (in first byte value) and y_value in the second half of the param
+ default:
+ ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);
+ }
+ corruptionMask = (short) (corruptionMask << 1);
+ }
return length;
}
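Review bot: Two cases index one byte past the parameter: `CORRUPTION_ONE` writes `buffer[(short) (offset + length)]` and the new `CORRUPTION_COMPRESS` case reads the y LSB from the same index. The last byte is at `offset + length - 1`, as `CORRUPTION_FIXED` and `CORRUPTION_INCREMENT` already use, so both should be `buffer[(short) (offset + length - 1)]`. The `default` branch is also unreachable now, because `corruptionPart` is always 0 or one of the nine known bits; a mask with bits above `CORRUPTION_COMPRESS` is silently accepted where the old switch threw. A guard before the loop such as `if ((short) (corruption & (short) 0xfe00) != 0) ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);` would restore the rejection. Carried over unchanged, `CORRUPTION_ONEBYTERANDOM` still indexes `buffer[rngPos]` without adding `offset` and computes `rngPos %= length` without first checking that `length` is non-zero.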