1 files changed, 178 insertions, 6 deletions
diff --git a/core/src/main/j2me/org/bouncycastle/crypto/encodings/PKCS1Encoding.java b/core/src/main/j2me/org/bouncycastle/crypto/encodings/PKCS1Encoding.java
index e4a8750f..76051c3f 100644
--- a/core/src/main/j2me/org/bouncycastle/crypto/encodings/PKCS1Encoding.java
+++ b/core/src/main/j2me/org/bouncycastle/crypto/encodings/PKCS1Encoding.java
@@ -1,13 +1,13 @@
 package org.bouncycastle.crypto.encodings;
 
+import java.security.SecureRandom;
+
 import org.bouncycastle.crypto.AsymmetricBlockCipher;
 import org.bouncycastle.crypto.CipherParameters;
 import org.bouncycastle.crypto.InvalidCipherTextException;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.ParametersWithRandom;
 
-import java.security.SecureRandom;
-
 /**
  * this does your basic PKCS 1 v1.5 padding - whether or not you should be using this
  * depends on your application - see PKCS1 Version 2 for details.
@@ -32,6 +32,8 @@ public class PKCS1Encoding
     private boolean                 forEncryption;
     private boolean                 forPrivateKey;
     private boolean                 useStrictLength;
+    private int                     pLen = -1;
+    private byte[]                  fallback = null;
 
     /**
      * Basic constructor.
@@ -44,11 +46,48 @@ public class PKCS1Encoding
         this.useStrictLength = useStrict();
     }   
 
+    /**
+     * Constructor for decryption with a fixed plaintext length.
+     * 
+     * @param cipher The cipher to use for cryptographic operation.
+     * @param pLen Length of the expected plaintext.
+     */
+    public PKCS1Encoding(
+        AsymmetricBlockCipher   cipher,
+        int pLen)
+    {
+        this.engine = cipher;
+        this.useStrictLength = useStrict();
+        this.pLen = pLen;
+    }
+
+	/**
+	 * Constructor for decryption with a fixed plaintext length and a fallback
+	 * value that is returned, if the padding is incorrect.
+	 * 
+	 * @param cipher
+	 *            The cipher to use for cryptographic operation.
+	 * @param fallback
+	 *            The fallback value, we don't to a arraycopy here.
+	 */
+	public PKCS1Encoding(
+    	AsymmetricBlockCipher   cipher,
+        byte[] fallback)
+    {
+    	this.engine = cipher;
+    	this.useStrictLength = useStrict();
+    	this.fallback = fallback;
+    	this.pLen = fallback.length;
+    }
+        
+
+    
     //
     // for J2ME compatibility
     //
     private boolean useStrict()
     {
+        // required if security manager has been installed.
         String strict = System.getProperty(STRICT_LENGTH_ENABLED_PROPERTY);
 
         return strict == null || strict.equals("true");
@@ -174,6 +213,121 @@ public class PKCS1Encoding
 
         return engine.processBlock(block, 0, block.length);
     }
+    
+    /**
+     * Checks if the argument is a correctly PKCS#1.5 encoded Plaintext
+     * for encryption.
+     * 
+     * @param encoded The Plaintext.
+     * @param pLen Expected length of the plaintext.
+     * @return Either 0, if the encoding is correct, or -1, if it is incorrect.
+     */
+	private static int checkPkcs1Encoding(byte[] encoded, int pLen) {
+		int correct = 0;
+		/*
+		 * Check if the first two bytes are 0 2
+		 */
+		correct |= (encoded[0] ^ 2);
+
+		/*
+		 * Now the padding check, check for no 0 byte in the padding
+		 */
+		int plen = encoded.length - (
+				  pLen /* Lenght of the PMS */
+				+  1 /* Final 0-byte before PMS */
+		);
+
+		for (int i = 1; i < plen; i++) {
+			int tmp = encoded[i];
+			tmp |= tmp >> 1;
+			tmp |= tmp >> 2;
+			tmp |= tmp >> 4;
+			correct |= (tmp & 1) - 1;
+		}
+
+		/*
+		 * Make sure the padding ends with a 0 byte.
+		 */
+		correct |= encoded[encoded.length - (pLen +1)];
+
+		/*
+		 * Return 0 or 1, depending on the result.
+		 */
+		correct |= correct >> 1;
+		correct |= correct >> 2;
+		correct |= correct >> 4;
+		return ~((correct & 1) - 1);
+	}
+    
+
+    /**
+     * Decode PKCS#1.5 encoding, and return a random value if the padding is not correct.
+     * 
+     * @param in The encrypted block.
+     * @param inOff Offset in the encrypted block.
+     * @param inLen Length of the encrypted block.
+     * //@param pLen Length of the desired output.
+     * @return The plaintext without padding, or a random value if the padding was incorrect.
+     * 
+     * @throws InvalidCipherTextException
+     */
+    private byte[] decodeBlockOrRandom(byte[] in, int inOff, int inLen)
+        throws InvalidCipherTextException
+    {
+        if (!forPrivateKey)
+        {
+            throw new InvalidCipherTextException("sorry, this method is only for decryption, not for signing");
+        }
+
+        byte[] block = engine.processBlock(in, inOff, inLen);
+        byte[] random = null;
+        if (this.fallback == null)
+        {
+            random = new byte[this.pLen];
+            this.random.nextBytes(random);
+        }
+        else
+        {
+            random = fallback;
+        }
+
+		/*
+		 * TODO: This is a potential dangerous side channel. However, you can
+		 * fix this by changing the RSA engine in a way, that it will always
+		 * return blocks of the same length and prepend them with 0 bytes if
+		 * needed.
+		 */
+        if (block.length < getOutputBlockSize())
+        {
+            throw new InvalidCipherTextException("block truncated");
+        }
+
+		/*
+		 * TODO: Potential side channel. Fix it by making the engine always
+		 * return blocks of the correct length.
+		 */
+        if (useStrictLength && block.length != engine.getOutputBlockSize())
+        {
+            throw new InvalidCipherTextException("block incorrect size");
+        }
+
+		/*
+		 * Check the padding.
+		 */
+        int correct = PKCS1Encoding.checkPkcs1Encoding(block, this.pLen);
+		
+		/*
+		 * Now, to a constant time constant memory copy of the decrypted value
+		 * or the random value, depending on the validity of the padding.
+		 */
+        byte[] result = new byte[this.pLen];
+        for (int i = 0; i < this.pLen; i++)
+        {
+            result[i] = (byte)((block[i + (block.length - pLen)] & (~correct)) | (random[i] & correct));
+        }
+
+        return result;
+    }
 
     /**
      * @exception InvalidCipherTextException if the decrypted block is not in PKCS1 format.
@@ -184,7 +338,15 @@ public class PKCS1Encoding
         int     inLen)
         throws InvalidCipherTextException
     {
-        byte[]  block = engine.processBlock(in, inOff, inLen);
+        /*
+         * If the length of the expected plaintext is known, we use a constant-time decryption.
+         * If the decryption fails, we return a random value.
+         */
+		if (this.pLen != -1) {
+    		return this.decodeBlockOrRandom(in, inOff, inLen);
+    	}
+    	
+        byte[] block = engine.processBlock(in, inOff, inLen);
 
         if (block.length < getOutputBlockSize())
         {
@@ -192,10 +354,20 @@ public class PKCS1Encoding
         }
 
         byte type = block[0];
-        
-        if (type != 1 && type != 2)
+
+        if (forPrivateKey)
         {
-            throw new InvalidCipherTextException("unknown block type");
+            if (type != 2)
+            {
+                throw new InvalidCipherTextException("unknown block type");
+            }
+        }
+        else
+        {
+            if (type != 1)
+            {
+                throw new InvalidCipherTextException("unknown block type");
+            }
         }
 
         if (useStrictLength && block.length != engine.getOutputBlockSize())