public string Encrypt(string data)
{
SecureRandom random = new SecureRandom();
// Generate 256-bits AES key
byte[] aesKey = new byte[32];
random.NextBytes(aesKey);
// Generate Initialization Vector
byte[] IV = new byte[12];
random.NextBytes(IV);
// Apply RSA/None/PKCS1Padding encryption to the AES key
byte[] encyptedAESKey = rsaCipher.DoFinal(aesKey);
// Apply AES/CCM/NoPadding encryption to the data
byte[] cipherText = System.Text.Encoding.UTF8.GetBytes(data);
var ccmParameters = new CcmParameters(new KeyParameter(aesKey), 64, IV, new byte[] { });
aesCipher = new CcmBlockCipher(new AesFastEngine());
aesCipher.Init(true, ccmParameters);
var encrypted = new byte[aesCipher.GetOutputSize(cipherText.Length)];
var res = aesCipher.ProcessBytes(cipherText, 0, cipherText.Length, encrypted, 0);
aesCipher.DoFinal(encrypted, res);
// Merge 'IV' and 'encrypted' to 'result'
byte[] result = new byte[IV.Length + encrypted.Length];
System.Buffer.BlockCopy(IV, 0, result, 0, IV.Length);
System.Buffer.BlockCopy(encrypted, 0, result, IV.Length, encrypted.Length);
// Return encrypted data
return Prefix + Version + Separator + System.Convert.ToBase64String(encyptedAESKey) + Separator + System.Convert.ToBase64String(result);
}
/// <summary>
/// Default constructor. Creates a new matched pair of escrow invitation codes.
/// </summary>
public EscrowCodeSet()
{
SecureRandom sr = new SecureRandom();
byte[] x = new byte[32];
byte[] y = new byte[32];
sr.NextBytes(x);
sr.NextBytes(y);
// Force x to be even
// Force y to be odd
x[31] &= 0xFE;
y[31] |= 0x01;
KeyPair kx = new KeyPair(x, true);
KeyPair ky = new KeyPair(y, true);
BigInteger xi = new BigInteger(1, x);
BigInteger yi = new BigInteger(1, y);
ECPoint Gx = kx.GetECPoint();
byte[] bytesGx = Gx.GetEncoded();
ECPoint Gy = ky.GetECPoint();
byte[] bytesGy = Gy.GetEncoded();
ECPoint Gxy = Gx.Multiply(yi);
byte[] bytesGxy = Gxy.GetEncoded();
Sha256Digest sha256 = new Sha256Digest();
byte[] hashGxy = new byte[32];
sha256.BlockUpdate(bytesGxy, 0, bytesGxy.Length);
sha256.DoFinal(hashGxy, 0);
sha256.BlockUpdate(hashGxy, 0, 32);
sha256.DoFinal(hashGxy, 0);
int identifier30 = ((hashGxy[0] & 0x3f) << 24) + (hashGxy[1] << 16) + (hashGxy[2] << 8) + hashGxy[3];
byte[] invitationA = new byte[74];
byte[] invitationB = new byte[74];
long headA = headbaseA + (long)identifier30;
long headB = headbaseB + (long)identifier30;
// turn headA and headB into bytes
for (int i = 7; i >= 0; i--) {
invitationA[i] = (byte)(headA & 0xFF);
invitationB[i] = (byte)(headB & 0xFF);
headA >>= 8;
headB >>= 8;
}
Array.Copy(x, 0, invitationA, 8 + 1, 32);
Array.Copy(y, 0, invitationB, 8 + 1, 32);
Array.Copy(bytesGy, 0, invitationA, 8 + 1 + 32, 33);
Array.Copy(bytesGx, 0, invitationB, 8 + 1 + 32, 33);
EscrowInvitationCodeA = Util.ByteArrayToBase58Check(invitationA);
EscrowInvitationCodeB = Util.ByteArrayToBase58Check(invitationB);
}
private void RandomTest(SecureRandom random)
{
byte[] key = new byte[16];
random.NextBytes(key);
int length = 1 + random.Next(1024);
byte[] input = new byte[length];
random.NextBytes(input);
SipHash mac = new SipHash();
mac.Init(new KeyParameter(key));
UpdateMac(mac, input, UPDATE_BYTES);
long result1 = mac.DoFinal();
UpdateMac(mac, input, UPDATE_FULL);
long result2 = mac.DoFinal();
UpdateMac(mac, input, UPDATE_MIX);
long result3 = mac.DoFinal();
if (result1 != result2 || result1 != result3)
{
Fail("Inconsistent results in random test");
}
}
public RecipientInfo Generate(KeyParameter contentEncryptionKey, SecureRandom random)
{
byte[] keyBytes = contentEncryptionKey.GetKey();
string rfc3211WrapperName = Helper.GetRfc3211WrapperName(keyEncryptionKeyOID);
IWrapper keyWrapper = Helper.CreateWrapper(rfc3211WrapperName);
// Note: In Java build, the IV is automatically generated in JCE layer
int ivLength = Platform.StartsWith(rfc3211WrapperName, "DESEDE") ? 8 : 16;
byte[] iv = new byte[ivLength];
random.NextBytes(iv);
ICipherParameters parameters = new ParametersWithIV(keyEncryptionKey, iv);
keyWrapper.Init(true, new ParametersWithRandom(parameters, random));
Asn1OctetString encryptedKey = new DerOctetString(
keyWrapper.Wrap(keyBytes, 0, keyBytes.Length));
DerSequence seq = new DerSequence(
new DerObjectIdentifier(keyEncryptionKeyOID),
new DerOctetString(iv));
AlgorithmIdentifier keyEncryptionAlgorithm = new AlgorithmIdentifier(
PkcsObjectIdentifiers.IdAlgPwriKek, seq);
return new RecipientInfo(new PasswordRecipientInfo(
keyDerivationAlgorithm, keyEncryptionAlgorithm, encryptedKey));
}
private static void DoTestClientServer(bool fragment)
{
SecureRandom secureRandom = new SecureRandom();
TlsClientProtocol clientProtocol = new TlsClientProtocol(secureRandom);
TlsServerProtocol serverProtocol = new TlsServerProtocol(secureRandom);
clientProtocol.Connect(new MockTlsClient(null));
serverProtocol.Accept(new MockTlsServer());
// pump handshake
bool hadDataFromServer = true;
bool hadDataFromClient = true;
while (hadDataFromServer || hadDataFromClient)
{
hadDataFromServer = PumpData(serverProtocol, clientProtocol, fragment);
hadDataFromClient = PumpData(clientProtocol, serverProtocol, fragment);
}
// send data in both directions
byte[] data = new byte[1024];
secureRandom.NextBytes(data);
WriteAndRead(clientProtocol, serverProtocol, data, fragment);
WriteAndRead(serverProtocol, clientProtocol, data, fragment);
// close the connection
clientProtocol.Close();
PumpData(clientProtocol, serverProtocol, fragment);
CheckClosed(serverProtocol);
CheckClosed(clientProtocol);
}
public static void Test()
{
Console.Out.WriteLine("Begin Example_060.");
// Create the AES Service
AESService aes = new AESService();
string password = "******";
SecureRandom random = new SecureRandom();
byte[] salt = new byte[AESService.SALT_SIZE];
random.NextBytes(salt);
// Create the AES Key using password and salt.
aes.GenerateKey(password, salt);
// Encode and Decode a string then compare to verify they are the same.
string clear_text = "This is a test";
byte[] enc_bytes = aes.Encode(UTF8Encoding.UTF8.GetBytes(clear_text));
byte[] dec_bytes = aes.Decode(enc_bytes);
string dec_text = UTF8Encoding.UTF8.GetString(dec_bytes);
/**
* Compare the original and decrypted files.
*/
if (Compare.SafeEquals(UTF8Encoding.UTF8.GetBytes(clear_text), UTF8Encoding.UTF8.GetBytes(dec_text)))
{
Console.Out.WriteLine("Original and Decrypted are the same!");
}
else
{
Console.Out.WriteLine("Original and Decrypted are NOT the same!");
}
Console.Out.WriteLine("End Example_060.");
}
public static byte[] GenerateEncryptedPreMasterSecret(SecureRandom random,
RsaKeyParameters rsaServerPublicKey, Stream output)
{
/*
* Choose a PremasterSecret and send it encrypted to the server
*/
byte[] premasterSecret = new byte[48];
random.NextBytes(premasterSecret);
TlsUtilities.WriteVersion(premasterSecret, 0);
Pkcs1Encoding encoding = new Pkcs1Encoding(new RsaBlindedEngine());
encoding.Init(true, new ParametersWithRandom(rsaServerPublicKey, random));
try
{
byte[] keData = encoding.ProcessBlock(premasterSecret, 0, premasterSecret.Length);
TlsUtilities.WriteOpaque16(keData, output);
}
catch (InvalidCipherTextException)
{
/*
* This should never happen, only during decryption.
*/
throw new TlsFatalAlert(AlertDescription.internal_error);
}
return premasterSecret;
}
private void MakeSeedAndPayload(out byte[] seed, out byte[] payload)
{
var rnd = new SecureRandom();
var priv = new byte[32];
rnd.NextBytes(priv);
payload = MontgomeryCurve25519.GetPublicKey(priv);
seed = MontgomeryCurve25519.KeyExchange(MY_PUBLIC, priv);
}
public JObject Encrypt(string key, JObject blob, string adata)
{
var result = new JObject();
var random = new SecureRandom();
var iv = new byte[32];
var salt = new byte[8];
random.NextBytes(salt);
random.NextBytes(iv);
try
{
byte[] plainBytes = Encoding.UTF8.GetBytes(blob.ToString());
byte[] adataBytes = Encoding.UTF8.GetBytes(adata);
byte[] nonce = ComputeNonce(iv, plainBytes);
KeyParameter keyParam = CreateKey(key, salt, _iter, _ks);
var ccm = new AeadParameters(keyParam, MacSize(_ts), nonce, adataBytes);
var aes = new CcmBlockCipher(new AesFastEngine());
aes.Init(true, ccm);
var enc = new byte[aes.GetOutputSize(plainBytes.Length)];
int res = aes.ProcessBytes(plainBytes, 0, plainBytes.Length, enc, 0);
aes.DoFinal(enc, res);
result.Add("ct", Base64.ToBase64String(enc));
result.Add("iv", Base64.ToBase64String(iv));
result.Add("salt", Base64.ToBase64String(salt));
result.Add("adata", EncodeAdata(adata));
result.Add("mode", Mode);
result.Add("ks", _ks);
result.Add("iter", _iter);
result.Add("ts", _ts);
return result;
}
catch (Exception e)
{
throw new ApplicationException("Json encryption failed.", e);
}
}
/// <summary>
/// Create an intermediate from a passphrase or intermediate code
/// </summary>
public Bip38Intermediate(string fromstring, Interpretation interpretation)
{
if (interpretation == Interpretation.IntermediateCode) {
createFromCode(fromstring);
} else {
_ownersalt = new byte[8];
// Get 8 random bytes to use as salt
SecureRandom sr = new SecureRandom();
sr.NextBytes(_ownersalt);
createFromPassphrase(fromstring, _ownersalt);
}
}
internal AbstractTlsContext(Org.BouncyCastle.Security.SecureRandom secureRandom, Org.BouncyCastle.Crypto.Tls.SecurityParameters securityParameters)
{
IDigest digest = TlsUtilities.CreateHash((byte)4);
byte[] buffer = new byte[digest.GetDigestSize()];
secureRandom.NextBytes(buffer);
this.mNonceRandom = new DigestRandomGenerator(digest);
this.mNonceRandom.AddSeedMaterial(NextCounterValue());
this.mNonceRandom.AddSeedMaterial(Times.NanoTime());
this.mNonceRandom.AddSeedMaterial(buffer);
this.mSecureRandom = secureRandom;
this.mSecurityParameters = securityParameters;
}
internal AbstractTlsContext(SecureRandom secureRandom, SecurityParameters securityParameters)
{
IDigest d = TlsUtilities.CreateHash(HashAlgorithm.sha256);
byte[] seed = new byte[d.GetDigestSize()];
secureRandom.NextBytes(seed);
this.mNonceRandom = new DigestRandomGenerator(d);
mNonceRandom.AddSeedMaterial(NextCounterValue());
mNonceRandom.AddSeedMaterial(Times.NanoTime());
mNonceRandom.AddSeedMaterial(seed);
this.mSecureRandom = secureRandom;
this.mSecurityParameters = securityParameters;
}
/// <summary>
/// Create an intermediate from a passphrase or intermediate code
/// </summary>
public Bip38Intermediate(string fromstring, Interpretation interpretation, int startingSequenceNumber = 0)
{
if (interpretation == Interpretation.IntermediateCode) {
createFromCode(fromstring);
} else {
_ownerentropy = new byte[8];
// Get 8 random bytes to use as salt
SecureRandom sr = new SecureRandom();
sr.NextBytes(_ownerentropy);
// set lot number between 100000 and 999999, and sequence number to 1
long x = (sr.NextLong () % 900000L + 100000L) * 4096L + (long)startingSequenceNumber;
for (int i=7; i>=4; i--) {
_ownerentropy[i] = (byte)(x & 0xFF);
x >>= 8;
}
createFromPassphrase(fromstring, _ownerentropy, true);
}
}
public static void Test()
{
Console.Out.WriteLine("Begin Example_070.");
string password = "******";
string secret_key = "secret-shared-key";
string content = "Lorem ipsum dolor sit amet, duo cu nobis epicurei hendrerit, mei agam elit an.";
string hmac = HMAC.Sha256(content, secret_key);
Console.Out.WriteLine("HMAC_sha256: " + hmac);
string hex_string = Hex.Encode(UTF8Encoding.UTF8.GetBytes(content));
Console.Out.WriteLine("Content Hex String: " + hex_string);
SecureRandom random = new SecureRandom();
byte[] salt = new byte[AESService.SALT_SIZE];
random.NextBytes(salt);
hmac = HMAC.Sha256(content, password);
Console.Out.WriteLine("HMAC_sha256: " + hmac);
Console.Out.WriteLine("End Example_070.");
}
public void TestClientServer()
{
SecureRandom secureRandom = new SecureRandom();
PipedStream clientPipe = new PipedStream();
PipedStream serverPipe = new PipedStream(clientPipe);
TlsClientProtocol clientProtocol = new TlsClientProtocol(clientPipe, secureRandom);
TlsServerProtocol serverProtocol = new TlsServerProtocol(serverPipe, secureRandom);
Server server = new Server(serverProtocol);
Thread serverThread = new Thread(new ThreadStart(server.Run));
serverThread.Start();
MockSrpTlsClient client = new MockSrpTlsClient(null, MockSrpTlsServer.TEST_IDENTITY, MockSrpTlsServer.TEST_PASSWORD);
clientProtocol.Connect(client);
// NOTE: Because we write-all before we read-any, this length can't be more than the pipe capacity
int length = 1000;
byte[] data = new byte[length];
secureRandom.NextBytes(data);
Stream output = clientProtocol.Stream;
output.Write(data, 0, data.Length);
byte[] echo = new byte[data.Length];
int count = Streams.ReadFully(clientProtocol.Stream, echo);
Assert.AreEqual(count, data.Length);
Assert.IsTrue(Arrays.AreEqual(data, echo));
output.Close();
serverThread.Join();
}
/// <summary>
/// Generate a set of M-of-N parts for a specific private key.
/// If desiredPrivKey is null, then a random key will be selected.
/// </summary>
public void Generate(int PartsNeededToDecode, int PartsToGenerate, byte[] desiredPrivKey)
{
if (PartsNeededToDecode > PartsToGenerate) {
throw new ApplicationException("Number of parts needed exceeds number of parts to generate.");
}
if (PartsNeededToDecode > 8 || PartsToGenerate > 8) {
throw new ApplicationException("Maximum number of parts is 8");
}
if (PartsNeededToDecode < 1 || PartsToGenerate < 1) {
throw new ApplicationException("Minimum number of parts is 1");
}
if (desiredPrivKey != null && desiredPrivKey.Length != 32) {
throw new ApplicationException("Desired private key must be 32 bytes");
}
KeyParts.Clear();
decodedKeyParts.Clear();
SecureRandom sr = new SecureRandom();
// Get 8 random big integers into v[i].
byte[][] vvv = new byte[8][];
BigInteger[] v = new BigInteger[8];
for (int i = 0; i < 8; i++) {
byte[] b = new byte[32];
sr.NextBytes(b, 0, 32);
// For larger values of i, chop off some most-significant-bits to prevent overflows as they are
// multiplied with increasingly larger factors.
if (i >= 7) {
b[0] &= 0x7f;
}
v[i] = new BigInteger(1, b);
Debug.WriteLine(String.Format("v({0})={1}", i, v[i].ToString()));
}
// if a certain private key is desired, then specify it.
if (desiredPrivKey != null) {
// replace v[0] with xor(v[1...7]) xor desiredPrivKey
BigInteger newv0 = BigInteger.Zero;
for (int i=1; i<PartsNeededToDecode; i++) {
newv0 = newv0.Xor(v[i]);
}
v[0] = newv0.Xor(new BigInteger(1,desiredPrivKey));
}
// Generate the expected private key from all the parts
BigInteger privkey = new BigInteger("0");
for (int i = 0; i < PartsNeededToDecode; i++) {
privkey = privkey.Xor(v[i]);
}
// Get the bitcoin address
byte[] keybytes = privkey.ToByteArrayUnsigned();
// make sure we have 32 bytes, we'll need it
if (keybytes.Length < 32) {
byte[] array32 = new byte[32];
Array.Copy(keybytes, 0, array32, 32 - keybytes.Length, keybytes.Length);
keybytes = array32;
}
KeyPair = new KeyPair(keybytes);
byte[] checksum = Util.ComputeSha256(BitcoinAddress);
// Generate the parts
for (int i = 0; i < PartsToGenerate; i++) {
BigInteger total = new BigInteger("0");
for (int j = 0; j < PartsNeededToDecode; j++) {
int factor = 1;
for (int ii = 0; ii <= i; ii++) factor = factor * (j + 1);
BigInteger bfactor = new BigInteger(factor.ToString());
total = total.Add(v[j].Multiply(bfactor));
}
Debug.WriteLine(String.Format(" pc{0}={1}", i, total.ToString()));
byte[] parts = new byte[39];
parts[0] = 0x4f;
parts[1] = (byte)(0x93 + PartsNeededToDecode);
int parts23 = (((checksum[0] << 8) + checksum[1]) & 0x1ff);
Debug.WriteLine("checksum " + parts23.ToString());
parts23 += 0x6000;
parts23 += (i << 9);
byte[] btotal = total.ToByteArrayUnsigned();
for (int jj = 0; jj < btotal.Length; jj++) {
parts[jj + 4 + (35 - btotal.Length)] = btotal[jj];
}
parts[2] = (byte)((parts23 & 0xFF00) >> 8);
parts[3] = (byte)(parts23 & 0xFF);
KeyParts.Add(Util.ByteArrayToBase58Check(parts));
decodedKeyParts.Add(parts);
}
}
public void Save(
Stream stream,
char[] password,
SecureRandom random)
{
if (stream == null)
throw new ArgumentNullException("stream");
if (random == null)
throw new ArgumentNullException("random");
//
// handle the keys
//
Asn1EncodableVector keyBags = new Asn1EncodableVector();
foreach (string name in keys.Keys)
{
byte[] kSalt = new byte[SaltSize];
random.NextBytes(kSalt);
AsymmetricKeyEntry privKey = (AsymmetricKeyEntry)keys[name];
DerObjectIdentifier bagOid;
Asn1Encodable bagData;
if (password == null)
{
bagOid = PkcsObjectIdentifiers.KeyBag;
bagData = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privKey.Key);
}
else
{
bagOid = PkcsObjectIdentifiers.Pkcs8ShroudedKeyBag;
bagData = EncryptedPrivateKeyInfoFactory.CreateEncryptedPrivateKeyInfo(
keyAlgorithm, password, kSalt, MinIterations, privKey.Key);
}
Asn1EncodableVector kName = new Asn1EncodableVector();
foreach (string oid in privKey.BagAttributeKeys)
{
Asn1Encodable entry = privKey[oid];
// NB: Ignore any existing FriendlyName
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id))
continue;
kName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(entry)));
}
//
// make sure we are using the local alias on store
//
// NB: We always set the FriendlyName based on 'name'
//if (privKey[PkcsObjectIdentifiers.Pkcs9AtFriendlyName] == null)
{
kName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtFriendlyName,
new DerSet(new DerBmpString(name))));
}
//
// make sure we have a local key-id
//
if (privKey[PkcsObjectIdentifiers.Pkcs9AtLocalKeyID] == null)
{
X509CertificateEntry ct = GetCertificate(name);
AsymmetricKeyParameter pubKey = ct.Certificate.GetPublicKey();
SubjectKeyIdentifier subjectKeyID = CreateSubjectKeyID(pubKey);
kName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtLocalKeyID,
new DerSet(subjectKeyID)));
}
keyBags.Add(new SafeBag(bagOid, bagData.ToAsn1Object(), new DerSet(kName)));
}
byte[] keyBagsEncoding = new DerSequence(keyBags).GetDerEncoded();
ContentInfo keysInfo = new ContentInfo(PkcsObjectIdentifiers.Data, new BerOctetString(keyBagsEncoding));
//
// certificate processing
//
byte[] cSalt = new byte[SaltSize];
random.NextBytes(cSalt);
Asn1EncodableVector certBags = new Asn1EncodableVector();
Pkcs12PbeParams cParams = new Pkcs12PbeParams(cSalt, MinIterations);
AlgorithmIdentifier cAlgId = new AlgorithmIdentifier(certAlgorithm, cParams.ToAsn1Object());
ISet doneCerts = new HashSet();
foreach (string name in keys.Keys)
{
X509CertificateEntry certEntry = GetCertificate(name);
CertBag cBag = new CertBag(
PkcsObjectIdentifiers.X509Certificate,
new DerOctetString(certEntry.Certificate.GetEncoded()));
Asn1EncodableVector fName = new Asn1EncodableVector();
foreach (string oid in certEntry.BagAttributeKeys)
{
Asn1Encodable entry = certEntry[oid];
// NB: Ignore any existing FriendlyName
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id))
continue;
fName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(entry)));
}
//
// make sure we are using the local alias on store
//
// NB: We always set the FriendlyName based on 'name'
//if (certEntry[PkcsObjectIdentifiers.Pkcs9AtFriendlyName] == null)
{
fName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtFriendlyName,
new DerSet(new DerBmpString(name))));
}
//
// make sure we have a local key-id
//
if (certEntry[PkcsObjectIdentifiers.Pkcs9AtLocalKeyID] == null)
{
AsymmetricKeyParameter pubKey = certEntry.Certificate.GetPublicKey();
SubjectKeyIdentifier subjectKeyID = CreateSubjectKeyID(pubKey);
fName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtLocalKeyID,
new DerSet(subjectKeyID)));
}
certBags.Add(new SafeBag(PkcsObjectIdentifiers.CertBag, cBag.ToAsn1Object(), new DerSet(fName)));
doneCerts.Add(certEntry.Certificate);
}
foreach (string certId in certs.Keys)
{
X509CertificateEntry cert = (X509CertificateEntry)certs[certId];
if (keys[certId] != null)
continue;
CertBag cBag = new CertBag(
PkcsObjectIdentifiers.X509Certificate,
new DerOctetString(cert.Certificate.GetEncoded()));
Asn1EncodableVector fName = new Asn1EncodableVector();
foreach (string oid in cert.BagAttributeKeys)
{
// a certificate not immediately linked to a key doesn't require
// a localKeyID and will confuse some PKCS12 implementations.
//
// If we find one, we'll prune it out.
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtLocalKeyID.Id))
continue;
Asn1Encodable entry = cert[oid];
// NB: Ignore any existing FriendlyName
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id))
continue;
fName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(entry)));
}
//
// make sure we are using the local alias on store
//
// NB: We always set the FriendlyName based on 'certId'
//if (cert[PkcsObjectIdentifiers.Pkcs9AtFriendlyName] == null)
{
fName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtFriendlyName,
new DerSet(new DerBmpString(certId))));
}
certBags.Add(new SafeBag(PkcsObjectIdentifiers.CertBag, cBag.ToAsn1Object(), new DerSet(fName)));
doneCerts.Add(cert.Certificate);
}
foreach (CertId certId in chainCerts.Keys)
{
X509CertificateEntry cert = (X509CertificateEntry)chainCerts[certId];
if (doneCerts.Contains(cert.Certificate))
continue;
CertBag cBag = new CertBag(
PkcsObjectIdentifiers.X509Certificate,
new DerOctetString(cert.Certificate.GetEncoded()));
Asn1EncodableVector fName = new Asn1EncodableVector();
foreach (string oid in cert.BagAttributeKeys)
{
// a certificate not immediately linked to a key doesn't require
// a localKeyID and will confuse some PKCS12 implementations.
//
// If we find one, we'll prune it out.
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtLocalKeyID.Id))
continue;
fName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(cert[oid])));
}
certBags.Add(new SafeBag(PkcsObjectIdentifiers.CertBag, cBag.ToAsn1Object(), new DerSet(fName)));
}
byte[] certBagsEncoding = new DerSequence(certBags).GetDerEncoded();
ContentInfo certsInfo;
if (password == null)
{
certsInfo = new ContentInfo(PkcsObjectIdentifiers.Data, new BerOctetString(certBagsEncoding));
}
else
{
byte[] certBytes = CryptPbeData(true, cAlgId, password, false, certBagsEncoding);
EncryptedData cInfo = new EncryptedData(PkcsObjectIdentifiers.Data, cAlgId, new BerOctetString(certBytes));
certsInfo = new ContentInfo(PkcsObjectIdentifiers.EncryptedData, cInfo.ToAsn1Object());
}
ContentInfo[] info = new ContentInfo[]{ keysInfo, certsInfo };
byte[] data = new AuthenticatedSafe(info).GetEncoded(
useDerEncoding ? Asn1Encodable.Der : Asn1Encodable.Ber);
ContentInfo mainInfo = new ContentInfo(PkcsObjectIdentifiers.Data, new BerOctetString(data));
//
// create the mac
//
MacData macData = null;
if (password != null)
{
byte[] mSalt = new byte[20];
random.NextBytes(mSalt);
byte[] mac = CalculatePbeMac(OiwObjectIdentifiers.IdSha1,
mSalt, MinIterations, password, false, data);
AlgorithmIdentifier algId = new AlgorithmIdentifier(
OiwObjectIdentifiers.IdSha1, DerNull.Instance);
DigestInfo dInfo = new DigestInfo(algId, mac);
macData = new MacData(dInfo, mSalt, MinIterations);
}
//
// output the Pfx
//
Pfx pfx = new Pfx(mainInfo, macData);
DerOutputStream derOut;
if (useDerEncoding)
{
derOut = new DerOutputStream(stream);
}
else
{
derOut = new BerOutputStream(stream);
}
derOut.WriteObject(pfx);
}
public static EncryptionResult EncryptMessage(byte[] userKey, byte[] userSecret, byte[] data, ushort padding = 0, bool randomisePadding = false)
{
var Random = new SecureRandom();
var Salt = new byte[16];
Random.NextBytes(Salt);
var Curve = ECNamedCurveTable.GetByName("prime256v1");
var Spec = new ECDomainParameters(Curve.Curve, Curve.G, Curve.N, Curve.H, Curve.GetSeed());
var Generator = new ECKeyPairGenerator();
Generator.Init(new ECKeyGenerationParameters(Spec, new SecureRandom()));
var KeyPair = Generator.GenerateKeyPair();
var AgreementGenerator = new ECDHBasicAgreement();
AgreementGenerator.Init(KeyPair.Private);
var IKM =
AgreementGenerator.CalculateAgreement(new ECPublicKeyParameters(Spec.Curve.DecodePoint(userKey), Spec));
var PRK = GenerateHKDF(userSecret, IKM.ToByteArrayUnsigned(),
Encoding.UTF8.GetBytes("Content-Encoding: auth\0"), 32);
var PublicKey = ((ECPublicKeyParameters)KeyPair.Public).Q.GetEncoded(false);
var CEK = GenerateHKDF(Salt, PRK, CreateInfoChunk("aesgcm", userKey, PublicKey), 16);
var Nonce = GenerateHKDF(Salt, PRK, CreateInfoChunk("nonce", userKey, PublicKey), 12);
if (randomisePadding && (padding > 0)) padding = Convert.ToUInt16(Math.Abs(Random.NextInt()) % (padding + 1));
var Input = new byte[padding + 2 + data.Length];
Buffer.BlockCopy(ConvertInt(padding), 0, Input, 0, 2);
Buffer.BlockCopy(data, 0, Input, padding + 2, data.Length);
var Cipher = CipherUtilities.GetCipher("AES/GCM/NoPadding");
Cipher.Init(true, new AeadParameters(new KeyParameter(CEK), 128, Nonce));
var Message = new byte[Cipher.GetOutputSize(Input.Length)];
Cipher.DoFinal(Input, 0, Input.Length, Message, 0);
return new EncryptionResult { Salt = Salt, Payload = Message, PublicKey = PublicKey };
}
public static byte[] GetNextBytes(SecureRandom secureRandom, int length)
{
byte[] result = new byte[length];
secureRandom.NextBytes(result);
return(result);
}
public override void PerformTest()
{
doTestSig(1, pub1, prv1, slt1a, msg1a, sig1a);
doTestSig(2, pub1, prv1, slt1b, msg1b, sig1b);
doTestSig(3, pub2, prv2, slt2a, msg2a, sig2a);
doTestSig(4, pub2, prv2, slt2b, msg2b, sig2b);
doTestSig(5, pub4, prv4, slt4a, msg4a, sig4a);
doTestSig(6, pub4, prv4, slt4b, msg4b, sig4b);
doTestSig(7, pub8, prv8, slt8a, msg8a, sig8a);
doTestSig(8, pub8, prv8, slt8b, msg8b, sig8b);
doTestSig(9, pub9, prv9, slt9a, msg9a, sig9a);
doTestSig(10, pub9, prv9, slt9b, msg9b, sig9b);
//
// loop test - sha-1 only
//
PssSigner eng = new PssSigner(new RsaEngine(), new Sha1Digest(), 20);
int failed = 0;
byte[] data = new byte[DataLength];
SecureRandom random = new SecureRandom();
random.NextBytes(data);
for (int j = 0; j < NumTests; j++)
{
eng.Init(true, new ParametersWithRandom(prv8, random));
eng.BlockUpdate(data, 0, data.Length);
byte[] s = eng.GenerateSignature();
eng.Init(false, pub8);
eng.BlockUpdate(data, 0, data.Length);
if (!eng.VerifySignature(s))
{
failed++;
}
}
if (failed != 0)
{
Fail("loop test failed - failures: " + failed);
}
//
// loop test - sha-256 and sha-1
//
eng = new PssSigner(new RsaEngine(), new Sha256Digest(), new Sha1Digest(), 20);
failed = 0;
data = new byte[DataLength];
random.NextBytes(data);
for (int j = 0; j < NumTests; j++)
{
eng.Init(true, new ParametersWithRandom(prv8, random));
eng.BlockUpdate(data, 0, data.Length);
byte[] s = eng.GenerateSignature();
eng.Init(false, pub8);
eng.BlockUpdate(data, 0, data.Length);
if (!eng.VerifySignature(s))
{
failed++;
}
}
if (failed != 0)
{
Fail("loop test failed - failures: " + failed);
}
}
private static byte[] CreateIV(
SecureRandom random,
int ivLength)
{
byte[] iv = new byte[ivLength];
random.NextBytes(iv);
return iv;
}
protected static byte[] CreateRandomBlock(bool useGMTUnixTime, SecureRandom random, string asciiLabel)
{
/*
* We use the TLS 1.0 PRF on the SecureRandom output, to guard against RNGs where the raw
* output could be used to recover the internal state.
*/
byte[] secret = new byte[32];
random.NextBytes(secret);
byte[] seed = new byte[8];
// TODO Use high-resolution timer
TlsUtilities.WriteUint64(DateTimeUtilities.CurrentUnixMs(), seed, 0);
byte[] result = TlsUtilities.PRF(secret, asciiLabel, seed, 32);
if (useGMTUnixTime)
{
TlsUtilities.WriteGmtUnixTime(result, 0);
}
return result;
}
public void DoTest13()
{
BigInteger modulus = new BigInteger(1, Hex.Decode("CDCBDABBF93BE8E8294E32B055256BBD0397735189BF75816341BB0D488D05D627991221DF7D59835C76A4BB4808ADEEB779E7794504E956ADC2A661B46904CDC71337DD29DDDD454124EF79CFDD7BC2C21952573CEFBA485CC38C6BD2428809B5A31A898A6B5648CAA4ED678D9743B589134B7187478996300EDBA16271A861"));
BigInteger pubExp = new BigInteger(1, Hex.Decode("010001"));
BigInteger privExp = new BigInteger(1, Hex.Decode("4BA6432AD42C74AA5AFCB6DF60FD57846CBC909489994ABD9C59FE439CC6D23D6DE2F3EA65B8335E796FD7904CA37C248367997257AFBD82B26F1A30525C447A236C65E6ADE43ECAAF7283584B2570FA07B340D9C9380D88EAACFFAEEFE7F472DBC9735C3FF3A3211E8A6BBFD94456B6A33C17A2C4EC18CE6335150548ED126D"));
RsaKeyParameters pubParams = new RsaKeyParameters(false, modulus, pubExp);
RsaKeyParameters privParams = new RsaKeyParameters(true, modulus, privExp);
IAsymmetricBlockCipher rsaEngine = new RsaBlindedEngine();
IDigest digest = new Sha256Digest();
// set challenge to all zero's for verification
byte[] challenge = new byte[8];
// DOES NOT USE FINAL BOOLEAN TO INDICATE RECOVERY
Iso9796d2Signer signer = new Iso9796d2Signer(rsaEngine, digest, false);
// sign
signer.Init(true, privParams);
signer.BlockUpdate(challenge, 0, challenge.Length);
byte[] sig = signer.GenerateSignature();
// verify
signer.Init(false, pubParams);
signer.BlockUpdate(challenge, 0, challenge.Length);
if (!signer.VerifySignature(sig))
{
Fail("basic verification failed");
}
// === LETS ACTUALLY DO SOME RECOVERY, USING INPUT FROM INTERNAL AUTHENTICATE ===
signer.Reset();
string args0 = "482E20D1EDDED34359C38F5E7C01203F9D6B2641CDCA5C404D49ADAEDE034C7481D781D043722587761C90468DE69C6585A1E8B9C322F90E1B580EEDAB3F6007D0C366CF92B4DB8B41C8314929DCE2BE889C0129123484D2FD3D12763D2EBFD12AC8E51D7061AFCA1A53DEDEC7B9A617472A78C952CCC72467AE008E5F132994";
digest = new Sha1Digest();
signer = new Iso9796d2Signer(rsaEngine, digest, true);
signer.Init(false, pubParams);
byte[] signature = Hex.Decode(args0);
signer.UpdateWithRecoveredMessage(signature);
signer.BlockUpdate(challenge, 0, challenge.Length);
if (!signer.VerifySignature(signature))
{
Fail("recovered + challenge signature failed");
}
// === FINALLY, USING SHA-256 ===
signer.Reset();
digest = new Sha256Digest();
// NOTE setting implicit to false does not actually do anything for verification !!!
signer = new Iso9796d2Signer(rsaEngine, digest, false);
signer.Init(true, privParams);
// generate NONCE of correct length using some inner knowledge
int nonceLength = modulus.BitLength / 8 - 1 - digest.GetDigestSize() - 2;
byte[] nonce = new byte[nonceLength];
SecureRandom rnd = new SecureRandom();
rnd.NextBytes(nonce);
signer.BlockUpdate(nonce, 0, nonce.Length);
signer.BlockUpdate(challenge, 0, challenge.Length);
byte[] sig3 = signer.GenerateSignature();
signer.Init(false, pubParams);
signer.UpdateWithRecoveredMessage(sig3);
signer.BlockUpdate(challenge, 0, challenge.Length);
if (signer.VerifySignature(sig3))
{
if (signer.HasFullMessage())
{
Fail("signer indicates full message");
}
byte[] recoverableMessage = signer.GetRecoveredMessage();
// sanity check, normally the nonce is ignored in eMRTD specs (PKI Technical Report)
if (!Arrays.AreEqual(nonce, recoverableMessage))
{
Fail("Nonce compare with recoverable part of message failed");
}
}
else
{
Fail("recoverable + nonce failed.");
}
}
byte[] EncryptAsymmetricKeyParameter (AsymmetricKeyParameter key)
{
var cipher = PbeUtilities.CreateEngine (EncryptionAlgorithm.Id) as IBufferedCipher;
var keyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo (key);
var random = new SecureRandom ();
var salt = new byte[SaltSize];
if (cipher == null)
throw new Exception ("Unknown encryption algorithm: " + EncryptionAlgorithm.Id);
random.NextBytes (salt);
var pbeParameters = PbeUtilities.GenerateAlgorithmParameters (EncryptionAlgorithm.Id, salt, MinIterations);
var algorithm = new AlgorithmIdentifier (EncryptionAlgorithm, pbeParameters);
var cipherParameters = PbeUtilities.GenerateCipherParameters (algorithm, passwd);
if (cipherParameters == null)
throw new Exception ("BouncyCastle bug detected: Failed to generate cipher parameters.");
cipher.Init (true, cipherParameters);
var encoded = cipher.DoFinal (keyInfo.GetEncoded ());
var encrypted = new EncryptedPrivateKeyInfo (algorithm, encoded);
return encrypted.GetEncoded ();
}
private bool isProcessingOkay(
RsaKeyParameters pub,
RsaKeyParameters prv,
byte[] data,
SecureRandom random)
{
RsaBlindingFactorGenerator blindFactorGen = new RsaBlindingFactorGenerator();
RsaBlindingEngine blindingEngine = new RsaBlindingEngine();
PssSigner blindSigner = new PssSigner(blindingEngine, new Sha1Digest(), 20);
PssSigner pssEng = new PssSigner(new RsaEngine(), new Sha1Digest(), 20);
random.NextBytes(data);
blindFactorGen.Init(pub);
BigInteger blindFactor = blindFactorGen.GenerateBlindingFactor();
RsaBlindingParameters parameters = new RsaBlindingParameters(pub, blindFactor);
// generate a blind signature
blindSigner.Init(true, new ParametersWithRandom(parameters, random));
blindSigner.BlockUpdate(data, 0, data.Length);
byte[] blindedData = blindSigner.GenerateSignature();
RsaEngine signerEngine = new RsaEngine();
signerEngine.Init(true, prv);
byte[] blindedSig = signerEngine.ProcessBlock(blindedData, 0, blindedData.Length);
// unblind the signature
blindingEngine.Init(false, parameters);
byte[] s = blindingEngine.ProcessBlock(blindedSig, 0, blindedSig.Length);
//verify signature with PssSigner
pssEng.Init(false, pub);
pssEng.BlockUpdate(data, 0, data.Length);
return pssEng.VerifySignature(s);
}
private static byte[] CreateIV(SecureRandom random, int ivLength)
{
byte[] array = new byte[ivLength];
random.NextBytes(array);
return(array);
}
private void randomTest(
SecureRandom srng)
{
int DAT_LEN = srng.Next(1024);
byte[] nonce = new byte[NONCE_LEN];
byte[] authen = new byte[AUTHEN_LEN];
byte[] datIn = new byte[DAT_LEN];
byte[] key = new byte[16];
srng.NextBytes(nonce);
srng.NextBytes(authen);
srng.NextBytes(datIn);
srng.NextBytes(key);
AesFastEngine engine = new AesFastEngine();
KeyParameter sessKey = new KeyParameter(key);
EaxBlockCipher eaxCipher = new EaxBlockCipher(engine);
AeadParameters parameters = new AeadParameters(sessKey, MAC_LEN * 8, nonce, authen);
eaxCipher.Init(true, parameters);
byte[] intrDat = new byte[eaxCipher.GetOutputSize(datIn.Length)];
int outOff = eaxCipher.ProcessBytes(datIn, 0, DAT_LEN, intrDat, 0);
outOff += eaxCipher.DoFinal(intrDat, outOff);
eaxCipher.Init(false, parameters);
byte[] datOut = new byte[eaxCipher.GetOutputSize(outOff)];
int resultLen = eaxCipher.ProcessBytes(intrDat, 0, outOff, datOut, 0);
eaxCipher.DoFinal(datOut, resultLen);
if (!AreEqual(datIn, datOut))
{
Fail("EAX roundtrip failed to match");
}
}
// Token: 0x06000089 RID: 137 RVA: 0x00007028 File Offset: 0x00005228
public static byte[] GetNextBytes(SecureRandom secureRandom, int length)
{
byte[] array = new byte[length];
secureRandom.NextBytes(array);
return(array);
}
// private string GetHexEncoded(byte[] bytes)
// {
// bytes = Hex.Encode(bytes);
//
// char[] chars = new char[bytes.Length];
//
// for (int i = 0; i != bytes.Length; i++)
// {
// chars[i] = (char)bytes[i];
// }
//
// return new string(chars);
// }
private PemObject CreatePemObject(
object obj,
string algorithm,
char[] password,
SecureRandom random)
{
if (obj == null)
throw new ArgumentNullException("obj");
if (algorithm == null)
throw new ArgumentNullException("algorithm");
if (password == null)
throw new ArgumentNullException("password");
if (random == null)
throw new ArgumentNullException("random");
if (obj is AsymmetricCipherKeyPair)
{
return CreatePemObject(((AsymmetricCipherKeyPair)obj).Private, algorithm, password, random);
}
string type = null;
byte[] keyData = null;
if (obj is AsymmetricKeyParameter)
{
AsymmetricKeyParameter akp = (AsymmetricKeyParameter) obj;
if (akp.IsPrivate)
{
string keyType;
keyData = EncodePrivateKey(akp, out keyType);
type = keyType + " PRIVATE KEY";
}
}
if (type == null || keyData == null)
{
// TODO Support other types?
throw new PemGenerationException("Object type not supported: " + obj.GetType().FullName);
}
string dekAlgName = algorithm.ToUpper(CultureInfo.InvariantCulture);
// Note: For backward compatibility
if (dekAlgName == "DESEDE")
{
dekAlgName = "DES-EDE3-CBC";
}
int ivLength = dekAlgName.StartsWith("AES-") ? 16 : 8;
byte[] iv = new byte[ivLength];
random.NextBytes(iv);
byte[] encData = PemUtilities.Crypt(true, keyData, password, dekAlgName, iv);
IList headers = Platform.CreateArrayList(2);
headers.Add(new PemHeader("Proc-Type", "4,ENCRYPTED"));
headers.Add(new PemHeader("DEK-Info", dekAlgName + "," + Hex.ToHexString(iv)));
return new PemObject(type, headers, encData);
}
public void doTestPadding(
IBlockCipherPadding padding,
SecureRandom rand,
byte[] ffVector,
byte[] ZeroVector)
{
PaddedBufferedBlockCipher cipher = new PaddedBufferedBlockCipher(new DesEngine(), padding);
KeyParameter key = new KeyParameter(Hex.Decode("0011223344556677"));
//
// ff test
//
byte[] data = { (byte)0xff, (byte)0xff, (byte)0xff, (byte)0, (byte)0, (byte)0, (byte)0, (byte)0 };
if (ffVector != null)
{
padding.AddPadding(data, 3);
if (!AreEqual(data, ffVector))
{
Fail("failed ff test for " + padding.PaddingName);
}
}
//
// zero test
//
if (ZeroVector != null)
{
data = new byte[8];
padding.AddPadding(data, 4);
if (!AreEqual(data, ZeroVector))
{
Fail("failed zero test for " + padding.PaddingName);
}
}
for (int i = 1; i != 200; i++)
{
data = new byte[i];
rand.NextBytes(data);
blockCheck(cipher, padding, key, data);
}
}
public static KeyParameter MakeRandomKey(
SymmetricKeyAlgorithmTag algorithm,
SecureRandom random)
{
int keySize = GetKeySize(algorithm);
byte[] keyBytes = new byte[(keySize + 7) / 8];
random.NextBytes(keyBytes);
return MakeKey(algorithm, keyBytes);
}
/// <summary>
/// Encryption constructor to create a new random key from an intermediate
/// </summary>
public Bip38KeyPair(Bip38Intermediate intermediate, bool retainPrivateKeyWhenPossible=false)
{
// generate seedb
byte[] seedb = new byte[24];
SecureRandom sr = new SecureRandom();
sr.NextBytes(seedb);
// get factorb as sha256(sha256(seedb))
Sha256Digest sha256 = new Sha256Digest();
sha256.BlockUpdate(seedb, 0, 24);
factorb = new byte[32];
sha256.DoFinal(factorb, 0);
sha256.BlockUpdate(factorb, 0, 32);
sha256.DoFinal(factorb, 0);
// get ECPoint from passpoint
PublicKey pk = new PublicKey(intermediate.passpoint);
ECPoint generatedpoint = pk.GetECPoint().Multiply(new BigInteger(1, factorb));
byte[] generatedpointbytes = generatedpoint.GetEncoded();
PublicKey generatedaddress = new PublicKey(generatedpointbytes);
// get addresshash
UTF8Encoding utf8 = new UTF8Encoding(false);
byte[] generatedaddressbytes = utf8.GetBytes(generatedaddress.AddressBase58);
sha256.BlockUpdate(generatedaddressbytes, 0, generatedaddressbytes.Length);
byte[] addresshashfull = new byte[32];
sha256.DoFinal(addresshashfull, 0);
sha256.BlockUpdate(addresshashfull, 0, 32);
sha256.DoFinal(addresshashfull, 0);
byte[] addresshashplusownerentropy = new byte[12];
Array.Copy(addresshashfull, 0, addresshashplusownerentropy, 0, 4);
Array.Copy(intermediate.ownerentropy, 0, addresshashplusownerentropy, 4, 8);
// derive encryption key material
derived = new byte[64];
SCrypt.ComputeKey(intermediate.passpoint, addresshashplusownerentropy, 1024, 1, 1, 1, derived);
byte[] derivedhalf2 = new byte[32];
Array.Copy(derived, 32, derivedhalf2, 0, 32);
byte[] unencryptedpart1 = new byte[16];
for (int i = 0; i < 16; i++) {
unencryptedpart1[i] = (byte)(seedb[i] ^ derived[i]);
}
byte[] encryptedpart1 = new byte[16];
// encrypt it
var aes = Aes.Create();
aes.KeySize = 256;
aes.Mode = CipherMode.ECB;
aes.Key = derivedhalf2;
ICryptoTransform encryptor = aes.CreateEncryptor();
encryptor.TransformBlock(unencryptedpart1, 0, 16, encryptedpart1, 0);
encryptor.TransformBlock(unencryptedpart1, 0, 16, encryptedpart1, 0);
byte[] unencryptedpart2 = new byte[16];
for (int i = 0; i < 8; i++) {
unencryptedpart2[i] = (byte)(encryptedpart1[i + 8] ^ derived[i + 16]);
}
for (int i = 0; i < 8; i++) {
unencryptedpart2[i + 8] = (byte)(seedb[i + 16] ^ derived[i + 24]);
}
byte[] encryptedpart2 = new byte[16];
encryptor.TransformBlock(unencryptedpart2, 0, 16, encryptedpart2, 0);
encryptor.TransformBlock(unencryptedpart2, 0, 16, encryptedpart2, 0);
byte[] result = new byte[39];
result[0] = 0x01;
result[1] = 0x43;
result[2] = generatedaddress.IsCompressedPoint ? (byte)0x20 : (byte)0x00;
if (intermediate.LotSequencePresent) result[2] |= 0x04;
Array.Copy(addresshashfull, 0, result, 3, 4);
Array.Copy(intermediate.ownerentropy, 0, result, 7, 8);
Array.Copy(encryptedpart1, 0, result, 15, 8);
Array.Copy(encryptedpart2, 0, result, 23, 16);
_encryptedKey = Util.ByteArrayToBase58Check(result);
_pubKey = generatedaddress.PublicKeyBytes;
_hash160 = generatedaddress.Hash160;
var ps = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256k1");
if (retainPrivateKeyWhenPossible && intermediate.passfactor != null) {
BigInteger privatekey = new BigInteger(1, intermediate.passfactor).Multiply(new BigInteger(1, factorb)).Mod(ps.N);
_privKey = new KeyPair(privatekey).PrivateKeyBytes;
}
// create the confirmation code
confirmationCodeInfo = new byte[51];
// constant provides for prefix "cfrm38"
confirmationCodeInfo[0] = 0x64;
confirmationCodeInfo[1] = 0x3B;
confirmationCodeInfo[2] = 0xF6;
confirmationCodeInfo[3] = 0xA8;
confirmationCodeInfo[4] = 0x9A;
// fields for flagbyte, addresshash, and ownerentropy all copy verbatim
Array.Copy(result, 2, confirmationCodeInfo, 5, 1 + 4 + 8);
}
private void randomTest(
SecureRandom srng,
IGcmMultiplier m)
{
int kLength = 16 + 8 * srng.Next(3);
byte[] K = new byte[kLength];
srng.NextBytes(K);
int pLength = srng.Next(1024);
byte[] P = new byte[pLength];
srng.NextBytes(P);
int aLength = srng.Next(1024);
byte[] A = new byte[aLength];
srng.NextBytes(A);
int ivLength = 1 + srng.Next(1024);
byte[] IV = new byte[ivLength];
srng.NextBytes(IV);
GcmBlockCipher cipher = new GcmBlockCipher(new AesFastEngine(), m);
AeadParameters parameters = new AeadParameters(new KeyParameter(K), 16 * 8, IV, A);
cipher.Init(true, parameters);
byte[] C = new byte[cipher.GetOutputSize(P.Length)];
int len = cipher.ProcessBytes(P, 0, P.Length, C, 0);
len += cipher.DoFinal(C, len);
if (C.Length != len)
{
// Console.WriteLine("" + C.Length + "/" + len);
Fail("encryption reported incorrect length in randomised test");
}
byte[] encT = cipher.GetMac();
byte[] tail = new byte[C.Length - P.Length];
Array.Copy(C, P.Length, tail, 0, tail.Length);
if (!AreEqual(encT, tail))
{
Fail("stream contained wrong mac in randomised test");
}
cipher.Init(false, parameters);
byte[] decP = new byte[cipher.GetOutputSize(C.Length)];
len = cipher.ProcessBytes(C, 0, C.Length, decP, 0);
len += cipher.DoFinal(decP, len);
if (!AreEqual(P, decP))
{
Fail("incorrect decrypt in randomised test");
}
byte[] decT = cipher.GetMac();
if (!AreEqual(encT, decT))
{
Fail("decryption produced different mac from encryption");
}
}
/// <summary>
/// Constructor that takes a single Escrow Invitation Code and produces a Payment Invitation Code.
/// </summary>
public EscrowCodeSet(string escrowInvitationCode, bool doCompressed=false, byte networkByte = 0)
{
byte[] pubpart, privpart;
int identifier30;
string failreason = parseEscrowCode(escrowInvitationCode, out pubpart, out privpart, out identifier30);
if (failreason != null) throw new ArgumentException(failreason);
// Look for mismatched parity.
// (we expect LSB of einva's private part to be 0 and LSB of einvb's private part to be 1)
// (this is to guarantee that einva's and einvb's private parts aren't equal)
if ((escrowInvitationCode.StartsWith("einva") && (privpart[31] & 0x01) == 1) ||
(escrowInvitationCode.StartsWith("einvb") && (privpart[31] & 0x01) == 0)) {
throw new ArgumentException("This escrow invitation has mismatched parity. Ask your escrow agent to " +
"generate a new pair using the latest version of the software.");
}
// Look for 48 0's or 48 1's
if (privpart[0] == privpart[1] && privpart[1] == privpart[2] && privpart[2] == privpart[3] &&
privpart[3] == privpart[4] && privpart[4] == privpart[5] && privpart[5] == privpart[6] &&
privpart[6] == privpart[7] && privpart[7] == privpart[8]) {
if (privpart[0] == 0x00 || privpart[0] == 0xFF) {
throw new ArgumentException("This escrow invitation is invalid and cannot be used (bad private key).");
}
}
// produce a new factor
byte[] z = new byte[32];
SecureRandom sr = new SecureRandom();
sr.NextBytes(z);
// calculate Gxy then Gxyz
PublicKey pk = new PublicKey(pubpart);
ECPoint Gxyz = pk.GetECPoint().Multiply(new BigInteger(1, privpart)).Multiply(new BigInteger(1, z));
// Uncompress it
Gxyz = PublicKey.GetUncompressed(Gxyz);
// We can get the Bitcoin address now, so do so
PublicKey pkxyz = new PublicKey(Gxyz);
byte[] hash160 = pkxyz.Hash160;
BitcoinAddress = new AddressBase(hash160, networkByte).AddressBase58;
// make the payment invitation record
byte[] invp = new byte[74];
long headP = headbaseP + (long)identifier30;
for (int i = 7; i >= 0; i--) {
invp[i] = (byte)(headP & 0xff);
headP >>= 8;
}
invp[8] = networkByte;
Array.Copy(z, 0, invp, 8 + 1 + 1, 32);
// set flag to indicate if einvb was used to generate this, and make it available in the object
if (escrowInvitationCode.StartsWith("einvb")) {
invp[8 + 1 + 1 + 32 + 20] = 0x2;
}
// copy hash160
Array.Copy(hash160, 0, invp, 8 + 1 + 1 + 32, 20);
PaymentInvitationCode = Util.ByteArrayToBase58Check(invp);
setAddressConfirmationCode(identifier30, networkByte, invp[8 + 1 + 1 + 32 + 20], z, hash160);
}