Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Change AEADCmd.{generateAEAD,validateAEAD} to using a byte array for …

…data.

Retain String accepting versions of the API calls as well in the YubiHSM class.

It was discovered that you can't take any 8-bit data in a byte array and
turn it into a String that could then be turned into the same byte array
again when it was to be sent to the YubiHSM, since Java applies encoding
to strings and it was not apparent there was an 8-bit clean encoding.
  • Loading branch information...
commit dc874731e7266dfdd492f9932debee6ee007f93d 1 parent f532278
@fredrikt fredrikt authored
View
42 src/main/java/org/unitedid/yhsm/YubiHSM.java
@@ -91,17 +91,32 @@ public String infoToString() throws YubiHSMErrorException {
*
* @param nonce the nonce
* @param keyHandle the key to use
- * @param data is either a string or a YubiHSM YubiKey secret
+ * @param data is the data to turn into an AEAD
* @return a hash map with the AEAD and nonce
* @throws YubiHSMCommandFailedException if the YubiHSM fail to execute the command
* @throws YubiHSMErrorException if validation fail for some values returned by the YubiHSM
* @throws YubiHSMInputException if an argument does not validate
*/
- public Map<String, String> generateAEAD(String nonce, int keyHandle, String data) throws YubiHSMCommandFailedException, YubiHSMErrorException, YubiHSMInputException {
+ public Map<String, String> generateAEAD(String nonce, int keyHandle, byte[] data) throws YubiHSMCommandFailedException, YubiHSMErrorException, YubiHSMInputException {
return AEADCmd.generateAEAD(deviceHandler, nonce, keyHandle, data);
}
/**
+ * Generate AEAD block from the data for a specific key handle and nonce.
+ *
+ * @param nonce the nonce
+ * @param keyHandle the key to use
+ * @param data is the data to turn into an AEAD
+ * @return a hash map with the AEAD and nonce
+ * @throws YubiHSMCommandFailedException if the YubiHSM fail to execute the command
+ * @throws YubiHSMErrorException if validation fail for some values returned by the YubiHSM
+ * @throws YubiHSMInputException if an argument does not validate
+ */
+ public Map<String, String> generateAEAD(String nonce, int keyHandle, String data) throws YubiHSMCommandFailedException, YubiHSMErrorException, YubiHSMInputException {
+ return AEADCmd.generateAEAD(deviceHandler, nonce, keyHandle, data.getBytes());
+ }
+
+ /**
* Generate a random AEAD block using the YubiHSM internal TRNG.
* To generate a secret for a YubiKey use public_id as nonce.
*
@@ -163,18 +178,35 @@ public String generateOathHotpAEAD(String nonce, int keyHandle, String tokenSeed
*
* @param nonce the nonce or public_id
* @param keyHandle the key to use
- * @param aead the AEAD
- * @param plaintext the plain text string
+ * @param aead the AEAD (hex string)
+ * @param plaintext the plain text data
* @return returns true if validation was a success, false if the validation failed
* @throws YubiHSMCommandFailedException if the YubiHSM fail to execute the command
* @throws YubiHSMErrorException if validation fail for some values returned by the YubiHSM
* @throws YubiHSMInputException if an argument does not validate
*/
- public boolean validateAEAD(String nonce, int keyHandle, String aead, String plaintext) throws YubiHSMInputException, YubiHSMCommandFailedException, YubiHSMErrorException {
+ public boolean validateAEAD(String nonce, int keyHandle, String aead, byte[] plaintext) throws YubiHSMInputException, YubiHSMCommandFailedException, YubiHSMErrorException {
return AEADCmd.validateAEAD(deviceHandler, nonce, keyHandle, aead, plaintext);
}
/**
+ * Validate an AEAD using the YubiHSM, matching it against some known plain text.
+ * Matching is done inside the YubiHSM so the decrypted AEAD is never exposed.
+ *
+ * @param nonce the nonce or public_id
+ * @param keyHandle the key to use
+ * @param aead the AEAD (hex string)
+ * @param plaintext the plain text data
+ * @return returns true if validation was a success, false if the validation failed
+ * @throws YubiHSMCommandFailedException if the YubiHSM fail to execute the command
+ * @throws YubiHSMErrorException if validation fail for some values returned by the YubiHSM
+ * @throws YubiHSMInputException if an argument does not validate
+ */
+ public boolean validateAEAD(String nonce, int keyHandle, String aead, String plaintext) throws YubiHSMInputException, YubiHSMCommandFailedException, YubiHSMErrorException {
+ return AEADCmd.validateAEAD(deviceHandler, nonce, keyHandle, aead, plaintext.getBytes());
+ }
+
+ /**
* Load data into the YubiHSMs internal buffer.
*
* @param data the data to load into the internal buffer
View
14 src/main/java/org/unitedid/yhsm/internal/AEADCmd.java
@@ -39,15 +39,15 @@ private AEADCmd() {}
* @param device the YubiHSM device handler
* @param nonce the nonce
* @param keyHandle the key to use
- * @param data is either a string or a YubiHSM YubiKey secret
+ * @param data is the byte array to turn into an AEAD
* @return a hash map with the AEAD and nonce
* @throws YubiHSMInputException argument exceptions
* @throws YubiHSMCommandFailedException command failed exception
* @throws YubiHSMErrorException error exception
*/
- public static Map<String, String> generateAEAD(DeviceHandler device, String nonce, int keyHandle, String data) throws YubiHSMInputException, YubiHSMCommandFailedException, YubiHSMErrorException {
+ public static Map<String, String> generateAEAD(DeviceHandler device, String nonce, int keyHandle, byte[] data) throws YubiHSMInputException, YubiHSMCommandFailedException, YubiHSMErrorException {
byte[] nonceBA = validateNonce(hexToByteArray(nonce), true);
- byte[] newdata = validateByteArray("data", data.getBytes(), 0, 0, YubiHSM.minHashLength);
+ byte[] newdata = validateByteArray("data", data, 0, 0, YubiHSM.minHashLength);
byte[] cmdBuffer = concatAllArrays(nonceBA, leIntToBA(keyHandle), addLengthToData(newdata));
byte[] result = CommandHandler.execute(device, YSM_AEAD_GENERATE, cmdBuffer, true);
@@ -106,16 +106,16 @@ private AEADCmd() {}
* @param device the YubiHSM device
* @param nonce the nonce or public_id
* @param keyHandle the key to use
- * @param aead the AEAD
- * @param plaintext the plain text string
+ * @param aead the AEAD (hex string)
+ * @param plaintext the plain text data
* @return returns true if validation was a success, false if the validation failed
* @throws YubiHSMInputException argument exceptions
* @throws YubiHSMCommandFailedException command failed exception
* @throws YubiHSMErrorException error exception
*/
- public static boolean validateAEAD(DeviceHandler device, String nonce, int keyHandle, String aead, String plaintext) throws YubiHSMInputException, YubiHSMCommandFailedException, YubiHSMErrorException {
+ public static boolean validateAEAD(DeviceHandler device, String nonce, int keyHandle, String aead, byte[] plaintext) throws YubiHSMInputException, YubiHSMCommandFailedException, YubiHSMErrorException {
byte[] aeadBA = hexToByteArray(aead);
- byte[] plainBA = validateByteArray("plaintext", plaintext.getBytes(), 0, aeadBA.length - YSM_AEAD_MAC_SIZE, YubiHSM.minHashLength);
+ byte[] plainBA = validateByteArray("plaintext", plaintext, 0, aeadBA.length - YSM_AEAD_MAC_SIZE, YubiHSM.minHashLength);
byte[] plainAndAead = concatAllArrays(plainBA, aeadBA);
if (plainAndAead.length > (YSM_MAX_PKT_SIZE - 0x10))
throw new YubiHSMInputException("Plaintext+aead too long");
View
14 src/test/java/org/unitedid/yhsm/internal/AEADCmdTest.java
@@ -50,8 +50,18 @@ public void tearDown() throws Exception {
@Test
public void testGenerateAEADAndValidation() throws Exception {
- String aead = AEADCmd.generateAEAD(deviceHandler, nonce, 8192, "123qwe").get("aead");
- assertTrue(AEADCmd.validateAEAD(deviceHandler, nonce, 8192, aead, "123qwe"));
+ String aead = hsm.generateAEAD(nonce, 8192, "123qwe").get("aead");
+ assertTrue(hsm.validateAEAD(nonce, 8192, aead, "123qwe"));
+ }
+
+ @Test
+ public void testGenerateAEADAndValidationBA() throws Exception {
+ /* Test using 8-bit data that can't be converted from hex-string to byte
+ * array and then back into a String.
+ */
+ byte[] secretBA = Utils.hexToByteArray(new String("ec1c263a5d9bd270db0b19b18ca5396b"));
+ String aead = hsm.generateAEAD(nonce, 8192, secretBA).get("aead");
+ assertTrue(hsm.validateAEAD(nonce, 8192, aead, secretBA));
}
@Test
Please sign in to comment.
Something went wrong with that request. Please try again.