Merge pull request #237 from subrahmanyaman/rsa_oaep_wychproof_fix

mdwivedi · web-flow · commit e4e724000c9c · 2022-11-22T15:58:07.000-08:00
Fixed the issue with one of the wychproof test vectors for RSA OAEP
diff --git a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMRsaOAEPEncoding.java b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMRsaOAEPEncoding.java
@@ -125,10 +125,8 @@ public short doFinal(byte[] inBuff, short inOffset, short inLength,
     if (len != 256 || outBuff[0] != 0) {
       CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
     }
-    inBuff = outBuff;
-    inOffset = (short) (outOffset + 1);
-    return rsaOAEPDecode(inBuff, inOffset, (short) (len - 1), outBuff,
-        outOffset);
+    Util.arrayCopyNonAtomic(outBuff, (short) (outOffset + 1), outBuff, (short) 0, (short) (len -1));
+    return rsaOAEPDecode(outBuff, (short) 0, (short) (len - 1));
 
   }
 
@@ -177,7 +175,7 @@ private void I2OS(short i, byte[] out, short offset) {
   }
 
   private short rsaOAEPDecode(byte[] encodedMsg, short encodedMsgOff,
-      short encodedMsgLen, byte[] msg, short offset) {
+      short encodedMsgLen) {
     MessageDigest.OneShot md = null;
     byte[] tmpArray = KMAndroidSEProvider.getInstance().tmpArray;
 
@@ -232,22 +230,26 @@ private short rsaOAEPDecode(byte[] encodedMsg, short encodedMsgOff,
       // encoding parameters is calculated and then copied from the
       // starting of the block and a variable length of 0's are
       // appended to the end of the hash till the 0x01 byte.
-      short start = 0;
+      short start = (short) (encodedMsgOff + encodedMsgLen);
       for (short i = (short) (encodedMsgOff + 2 * hLen);
           i < (short) (encodedMsgOff + encodedMsgLen); i++) {
-        if (i == (short) ((encodedMsgOff + encodedMsgLen) - 1)) {
-          // Bad Padding.
-          CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
-        }
-        if (encodedMsg[i] != 0) {
+        if ((encodedMsg[i] != 0)) {
           start = i;
           break;
         }
       }
-      // Copy the message
-      Util.arrayCopyNonAtomic(encodedMsg, (short) (start + 1), msg, offset,
-          (short) (encodedMsgLen - ((start - encodedMsgOff) + 1)));
-      return (short) (encodedMsgLen - ((start - encodedMsgOff) + 1));
+      if ((start >= (short)(encodedMsgOff + encodedMsgLen)) ||
+          (encodedMsg[start] != 0x01)) {
+        // Bad Padding.
+        CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
+      }
+      start++; // Message starting pos.
+      if (start < (short)(encodedMsgOff + encodedMsgLen)) {
+        // Copy the message
+        Util.arrayCopyNonAtomic(encodedMsg, start, encodedMsg, encodedMsgOff,
+            (short) (encodedMsgLen - (start - encodedMsgOff)));
+      }
+      return (short) (encodedMsgLen - (start - encodedMsgOff));
 
     } finally {
       if (md != null) {
