Search code examples
encryptionpkcs#11hsm

lHash mismatch error in decryption with HSM stored key


In decryption of encrypted key i receive lhash mismatch error. The key is encrypt with RSA/ECB/OAEPWithSHA-1AndMGF1Padding . I used PKCS#11 provider . this is my code. Please provide solution for this ..

public class DataDecryptorNew {
private static final int PUBLIC_KEY_SIZE = 294;
private static final int EID_SIZE = 32;
private static final int SECRET_KEY_SIZE = 256;
private static final String TRANSFORMATION2 = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
private static final String TRANSFORMATION3 = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
private static final String SECURITY_PROVIDER = "BC";
private static SunPKCS11 providerPKCS11;
private static String provider;
private static final String DIGEST_ALGORITHM = "SHA-256";
private static final String MASKING_FUNCTION = "MGF1";
private static final int VECTOR_SIZE = 16;
private static final int HMAC_SIZE = 32;
private static final int BLOCK_SIZE = 128;
private static final byte[] HEADER_DATA = "VERSION_1.0".getBytes();
private static final String SIGNATURE_TAG = "Signature";
private static final String MEC_TYPE = "DOM";

public static final String DLL = "C:\\pkcs11\\cknfast.dll";
public static String alias = "";
public static int keyLength = 2048;

private static final String password = "";
public static final String storeType = "PKCS11-nCipher";

private PrivateKey privateKey;
private PublicKey publicKey;
private KeyStore.PrivateKeyEntry keyEntry;
private KeyStore keyEntry1;

static {
    Security.addProvider(new BouncyCastleProvider());
}
public byte[] decrypt(byte[] data) throws IllegalBlockSizeException, BadPaddingException, InvalidKeyException,
        NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException, IOException, CertificateException, Exception {
    if (data == null || data.length == 0) {
        throw new Exception("byte array data can not be null or blank array.");
    }
    PrivateKey key = getPrivateKey();
    ByteArraySpliter arrSpliter = new ByteArraySpliter(data);
    byte[] secretKey = decryptSecretKeyData(arrSpliter.getEncryptedSecretKey(), arrSpliter.getIv(), key);
    byte[] plainData = decryptData(arrSpliter.getEncryptedData(), arrSpliter.getIv(), secretKey);
    boolean result = validateHash(plainData);
    if (!result) {
        throw new Exception("Integrity Validation Failed : "
                + "The original data at client side and the decrypted data at server side is not identical");
    }
    return trimHMAC(plainData);
}
private KeyStore.PrivateKeyEntry getKeyFromFile(String keyStoreFile, char[] keyStorePassword) {

    try {
        // Load the KeyStore and get the signing key and certificate.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream keyFileStream = new FileInputStream(keyStoreFile);
        ks.load(keyFileStream, keyStorePassword);
        String alias = ks.aliases().nextElement();

        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(keyStorePassword));

        if (entry == null) {
            throw new Exception("Key not found for the given alias.");
        }

        keyFileStream.close();

        return entry;
    } catch (Exception e) {
        e.printStackTrace();
    }
    return null;
}


private static PrivateKey getPrivateKey() throws Exception {
    String config = "name=nCipher\n"
            + "library=" + DLL + "\n"
            + "slotListIndex = 0 ";

    ByteArrayInputStream bais = new ByteArrayInputStream(config.getBytes());
    Provider p = new SunPKCS11(bais);

    Security.addProvider(p);
    KeyStore ks = KeyStore.getInstance("PKCS11", p);
    ks.load(null, "".toCharArray());
    System.out.println("Keystore size : " + ks.size());

    String alias = "ncipher-cert/cn=(n)code solutions ca 2014,2.5.4.51=#13133330312c20474e464320496e666f746f776572,street=bodakdev\\, s g road\\, ahmedabad,st=gujarat,2.5.4.17=#1306333830303534,ou=certifying authority,o=gujarat narmada valley fertilizers and chemicals limited,c=in/1396768448";

    KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(password.toCharArray());
    KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, protParam);
    // get my private key
    PrivateKey key = pkEntry.getPrivateKey();
    if (key instanceof PrivateKey) {
        // Get certificate of public key
        Certificate cert = ks.getCertificate(alias);
        System.out.println(">>>>>>>>>" + ((X509Certificate) cert).getSerialNumber().toString(16));

        // Get public key
        PublicKey publicKey = cert.getPublicKey();

        //Get Private Key
        Key privatekey = (PrivateKey) key;
        System.out.println("privatekey=" + privatekey);
    }

    return (PrivateKey) key;
}

private byte[] decryptSecretKeyData(byte[] encryptedSecretKey, byte[] iv) throws IllegalBlockSizeException, BadPaddingException, InvalidKeyException,
        NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException, IOException, CertificateException, Exception {
    try {

        PrivateKey key = (PrivateKey) getPrivateKey();
        System.out.println("Private Key:" + getPrivateKey().getFormat());
        Cipher decCipher = Cipher.getInstance("RSA/ECB/NoPadding");
        decCipher.init(Cipher.DECRYPT_MODE, key);

        byte[] decipheredText = null;
        decipheredText = decCipher.doFinal(encryptedSecretKey);
        System.out.println("OAEP padded plain text: " + Arrays.toString(decipheredText));
        if (decipheredText.length < keyLength / 8) {
            byte[] tmp = new byte[(keyLength / 8) - 42];
            System.arraycopy(decipheredText, 0, tmp, tmp.length - decipheredText.length, decipheredText.length);
            System.out.println("Zero padding to " + (keyLength / 8));
            decipheredText = tmp;
        }
        PSource pSrc = (new PSource.PSpecified(new byte[256]));
        OAEPParameterSpec paramSpec = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, pSrc);
        RSAPadding padding = RSAPadding.getInstance(RSAPadding.PAD_OAEP_MGF1, keyLength / 8, new SecureRandom(), paramSpec);
        System.out.println("PaddedPlainText length: " + decipheredText.length); //256
        byte[] plainText2 = padding.unpad(decipheredText, 0, decipheredText.length);
        System.out.println("Unpadded plain text: " + DatatypeConverter.printHexBinary(plainText2));
        System.out.println("Decrypted Value:" + new String(plainText2));
        return plainText2;
    } catch (GeneralSecurityException e) {
        e.printStackTrace();
        throw new Exception("Failed to decrypt AES secret key using RSA.", e);
    }
}


private static class ByteArraySpliter {

    private final byte[] headerVersion;
    private final byte[] iv;
    private final byte[] encryptedSecretKey;
    private final byte[] encryptedData;
    private final byte[] publicKeyData;

    public ByteArraySpliter(byte[] data) throws Exception {
        int offset = 0;
        headerVersion = new byte[HEADER_DATA.length];
        copyByteArray(data, 0, headerVersion.length, headerVersion);
        offset = offset + HEADER_DATA.length;
        publicKeyData = new byte[PUBLIC_KEY_SIZE];
        copyByteArray(data, offset, publicKeyData.length, publicKeyData);
        offset = offset + PUBLIC_KEY_SIZE;
        iv = new byte[EID_SIZE];
        copyByteArray(data, offset, iv.length, iv);
        offset = offset + EID_SIZE;
        encryptedSecretKey = new byte[SECRET_KEY_SIZE];
        copyByteArray(data, offset, encryptedSecretKey.length, encryptedSecretKey);
        offset = offset + SECRET_KEY_SIZE;
        encryptedData = new byte[data.length - offset];
        copyByteArray(data, offset, encryptedData.length, encryptedData);
    }

    public byte[] getIv() {
        return iv;
    }

    public byte[] getEncryptedSecretKey() {
        return encryptedSecretKey;
    }

    public byte[] getEncryptedData() {
        return encryptedData;
    }

    private void copyByteArray(byte[] src, int offset, int length, byte[] dest) throws Exception {
        try {
            System.arraycopy(src, offset, dest, 0, length);
        } catch (Exception e) {

            throw new Exception("Decryption failed, Corrupted packet ", e);
        }
    }
}

private byte[][] split(byte[] src, int n) {
    byte[] l, r;
    if (src == null || src.length <= n) {
        l = src;
        r = new byte[0];
    } else {
        l = new byte[n];
        r = new byte[src.length - n];
        System.arraycopy(src, 0, l, 0, n);
        System.arraycopy(src, n, r, 0, r.length);
    }
    return new byte[][]{l, r};
}

public byte[] generateHash(byte[] message) throws Exception {
    byte[] hash = null;
    try {
        MessageDigest digest = MessageDigest.getInstance(DIGEST_ALGORITHM, SECURITY_PROVIDER);
        digest.reset();
        hash = digest.digest(message);
    } catch (GeneralSecurityException e) {
        throw new Exception("SHA-256 Hashing algorithm not available");
    }
    return hash;
}


public static void main(String[] args) throws Exception {
    String var = "";
    CustomBase64 base64 = new CustomBase64();
    DataDecryptorNew decryptor = new DataDecryptorNew();
    decryptor.decrypt(Base64.decode(var.getBytes()));
}

}

The error which i received is following.

Exception in thread "main" javax.crypto.BadPaddingException: lHash mismatch
    at in.gov.uidai.kyc.client.RSAPadding.unpadOAEP(RSAPadding.java:396)
    at in.gov.uidai.kyc.client.RSAPadding.unpad(RSAPadding.java:244)
    at in.gov.uidai.kyc.client.RSAPadding.unpad(RSAPadding.java:227)
    at in.gov.uidai.kyc.client.AsymmetricEncryptionExample.performEncryptDecrypt(AsymmetricEncryptionExample.java:127)
    at in.gov.uidai.kyc.client.AsymmetricEncryptionExample.main(AsymmetricEncryptionExample.java:68)

Solution

  • There are 2 things that i have noticed in your piece of code :-

    While initializing the PSource don`t initialize "iv" parameter it again , instead use the argument value from the method .

    So instead of using

    `PSource pSrc = (new PSource.PSpecified(new byte[256]));`
    

    try using

    PSource pSrc = (new PSource.PSpecified(iv));
    

    Also in the you are using SHA-256 , however while initializing OAEPParameterSpec used for OAEP padding , you are using SHA-1 instead of SHA-256 for MGF1ParameterSpec

    So instead of using

     OAEPParameterSpec paramSpec = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, pSrc);
    

    try using :-

    OAEPParameterSpec paramSpec = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, pSrc);
    

    Hope this will work for you... Cheers!!