src/androidMain/kotlin/net/taler/wallet/kotlin/crypto/RsaBlinding.kt


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120

package net.taler.wallet.kotlin.crypto

import java.math.BigInteger
import kotlin.math.abs
import kotlin.math.ceil
import kotlin.math.floor

internal object RsaBlinding {

    fun rsaBlind(hm: ByteArray, bks: ByteArray, rsaPubEnc: ByteArray): ByteArray {
        val rsaPub = rsaPubDecode(rsaPubEnc)
        val data = rsaFullDomainHash(hm, rsaPub)
        val r = rsaBlindingKeyDerive(rsaPub, bks)
        val rE = r.modPow(rsaPub.e, rsaPub.n)
        val bm = rE.multiply(data).mod(rsaPub.n)
        return bm.toByteArrayWithoutSign()
    }

    fun rsaUnblind(sig: ByteArray, rsaPubEnc: ByteArray, bks: ByteArray): ByteArray {
        val rsaPub = rsaPubDecode(rsaPubEnc)
        val blindedSig = BigInteger(1, sig)
        val r = rsaBlindingKeyDerive(rsaPub, bks)
        val rInv = r.modInverse(rsaPub.n)
        val s = blindedSig.multiply(rInv).mod(rsaPub.n)
        return s.toByteArrayWithoutSign()
    }

    fun rsaVerify(hm: ByteArray, rsaSig: ByteArray, rsaPubEnc: ByteArray): Boolean {
        val rsaPub = rsaPubDecode(rsaPubEnc)
        val d = rsaFullDomainHash(hm, rsaPub)
        val sig = BigInteger(1, rsaSig)
        val sigE = sig.modPow(rsaPub.e, rsaPub.n)
        return sigE == d
    }

    private fun rsaBlindingKeyDerive(rsaPub: RsaPublicKey, bks: ByteArray): BigInteger {
        val salt = "Blinding KDF extrator HMAC key".encodeToByteArray()
        val info = "Blinding KDF".encodeToByteArray()
        return kdfMod(rsaPub.n, bks, salt, info)
    }

    private fun rsaPubDecode(publicKey: ByteArray): RsaPublicKey {
        val modulusLength = abs((publicKey[0].toInt() shl 8) or publicKey[1].toInt())
        val exponentLength = abs((publicKey[2].toInt() shl 8) or publicKey[3].toInt())
        if (4 + exponentLength + modulusLength != publicKey.size) {
            throw Error("invalid RSA public key (format wrong)")
        }
        val modulus = publicKey.copyOfRange(4, 4 + modulusLength)
        val exponent = publicKey.copyOfRange(
            4 + modulusLength,
            4 + modulusLength + exponentLength
        )
        return RsaPublicKey(BigInteger(1, modulus), BigInteger(1, exponent))
    }

    private fun rsaFullDomainHash(hm: ByteArray, rsaPublicKey: RsaPublicKey): BigInteger {
        val info = "RSA-FDA FTpsW!".encodeToByteArray()
        val salt = rsaPubEncode(rsaPublicKey)
        val r = kdfMod(rsaPublicKey.n, hm, salt, info)
        rsaGcdValidate(r, rsaPublicKey.n)
        return r
    }

    private fun rsaPubEncode(rsaPublicKey: RsaPublicKey): ByteArray {
        val mb = rsaPublicKey.n.toByteArrayWithoutSign()
        val eb = rsaPublicKey.e.toByteArrayWithoutSign()
        val out = ByteArray(4 + mb.size + eb.size)
        out[0] = ((mb.size ushr 8) and 0xff).toByte()
        out[1] = (mb.size and 0xff).toByte()
        out[2] = ((eb.size ushr 8) and 0xff).toByte()
        out[3] = (eb.size and 0xff).toByte()
        mb.copyInto(out, destinationOffset = 4)
        eb.copyInto(out, destinationOffset = 4 + mb.size)
        return out
    }

    private fun kdfMod(n: BigInteger, ikm: ByteArray, salt: ByteArray, info: ByteArray): BigInteger {
        val nBits = n.bitLength()
        val bufLen = floor((nBits.toDouble() - 1) / 8 + 1).toInt()
        val mask = (1 shl (8 - (bufLen * 8 - nBits))) - 1
        var counter = 0
        while (true) {
            val ctx = ByteArray(info.size + 2)
            info.copyInto(ctx)
            ctx[ctx.size - 2] = ((counter ushr 8) and 0xff).toByte()
            ctx[ctx.size - 1] = (counter and 0xff).toByte()
            val buf = CryptoJvmImpl.kdf(bufLen, ikm, salt, ctx)
            val arr = buf.copyOf()
            arr[0] = (arr[0].toInt() and mask).toByte()
            val r = BigInteger(1, arr)
            if (r < n) return r
            counter++
        }
    }

    /**
     * Test for malicious RSA key.
     *
     * Assuming n is an RSA modulous and r is generated using a call to
     * GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a
     * malicious RSA key designed to deanomize the user.
     *
     * @param r KDF result
     * @param n RSA modulus of the public key
     */
    private fun rsaGcdValidate(r: BigInteger, n: BigInteger) {
        if (r.gcd(n) != BigInteger.ONE) throw Error("malicious RSA public key")
    }

    // TODO check that this strips *only* the sign correctly
    private fun BigInteger.toByteArrayWithoutSign(): ByteArray = this.toByteArray().let {
        val byteLength = ceil(this.bitLength().toDouble() / 8).toInt()
        val signBitPosition = ceil((this.bitLength() + 1).toDouble() / 8).toInt()
        val start = signBitPosition - byteLength
        it.copyOfRange(start, it.size)  // stripping least significant byte (sign)
    }

}

internal class RsaPublicKey(val n: BigInteger, val e: BigInteger)