package unself; import java.io.*; import java.math.BigInteger; import java.security.*; import java.security.spec.*; import javax.crypto.Cipher; import javax.crypto.Mac; import javax.crypto.NoSuchPaddingException; import javax.crypto.ShortBufferException; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.DERSequence; public class EDAT425 { public static final int STATUS_ERROR_INPUTFILE_IO = -100; public static final int STATUS_ERROR_HASHTITLEIDNAME = -1; public static final int STATUS_ERROR_HASHDEVKLIC = -2; public static final int STATUS_ERROR_MISSINGKEY = -3; public static final int STATUS_ERROR_HEADERCHECK = -4; public static final int STATUS_ERROR_DECRYPTING = -5; public static final int STATUS_ERROR_INCORRECT_FLAGS = -6; public static final int STATUS_ERROR_INCORRECT_VERSION = -7; public static final int STATUS_OK = 0; public static final long FLAG_COMPRESSED = 0x00000001L; public static final long FLAG_0x02 = 0x00000002L; public static final long FLAG_KEYENCRYPTED = 0x00000008L; public static final long FLAG_0x10 = 0x00000010L; public static final long FLAG_0x20 = 0x00000020L; public static final long FLAG_SDAT = 0x01000000L; public static final long FLAG_DEBUG = 0x80000000L; /** * * This function reads given file and decrypts it * * @param inFile EDAT file to decrypt * @param outFile Path to store the decrypted data * @param klicense Authentication key. Also used for decryption on free * content * @param keyFromRif Key obtained after decrypting rif60 * @return Result of the operation */ public int decryptFile(String inFile, String outFile, byte[] klicense, byte[] keyFromRif) throws FileNotFoundException, IOException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException, InvalidKeyException, SignatureException { File fin = new File(inFile); RandomAccessFile raf; raf = new RandomAccessFile(fin, "r"); if (!checkSignature(raf)) { System.out.println("WARNING: FILE HAS BEEN TAMPERED"); } NPD[] ptr = new NPD[1]; //Ptr to Ptr int result = validateNPD(fin.getName(), klicense, ptr, raf); //Validate NPD hashes if (result < 0) { return result; } NPD npd = ptr[0]; EDATData data = getEDATData(raf); //Get flags, blocksize and file len byte[] rifkey = getKey(npd, data, klicense, keyFromRif); //Obtain the key for decryption (result of sc475 or sdatkey) if (rifkey == null) { System.out.println("ERROR: Key for decryption is missing"); return STATUS_ERROR_MISSINGKEY; } else { System.out.println("DECRYPTION KEY: " + ConversionUtils.getHexString(rifkey)); } result = checkHeader(rifkey, data, npd, raf); if (result < 0) { return result; } RandomAccessFile out = new RandomAccessFile(outFile, "rw"); result = decryptData(raf, out, npd, data, rifkey); if (result < 0) { return result; } raf.close(); return STATUS_OK; } private static final int HEADER_MAX_BLOCKSIZE = 0x3C00; /** * * Performs checks on the header: -Version check: Must be between 0 and 4 * included -Flags check: Checks that only valid active flags are set for * given version. Ver 0, 1 : Debug and compress Ver 2 : Debug, compress, * SDAT, Keys encrypted,.. Ver 3 & 4: Debug, compress, SDAT, Keys * encrypted... -Metadata section hash: Checks that metadata section is * valid (uses encryption key) -Header hash: Checks that header is correct * (uses encryption key) * * @param rifKey * @param data * @param npd * @param in * @return * @throws IOException */ private int checkHeader(byte[] rifKey, EDATData data, NPD npd, RandomAccessFile in) throws IOException { in.seek(0); byte[] header = new byte[0xA0]; byte[] out = new byte[0xA0]; byte[] expectedHash = new byte[0x10]; //Version check System.out.println("Checking NPD Version:" + npd.getVersion()); if ((npd.getVersion() == 0) || (npd.getVersion() == 1)) { if ((data.getFlags() & 0x7FFFFFFE) != 0) { return STATUS_ERROR_INCORRECT_FLAGS; } } else if (npd.getVersion() == 2) { if ((data.getFlags() & 0x7EFFFFE0) != 0) { return STATUS_ERROR_INCORRECT_FLAGS; } } else if (npd.getVersion() == 3 || npd.getVersion() == 4) { if ((data.getFlags() & 0x7EFFFFC0) != 0) { return STATUS_ERROR_INCORRECT_FLAGS; } } else { System.out.printf("ERROR: VERSION %d DETECTED\r\n", npd.getVersion()); return STATUS_ERROR_INCORRECT_VERSION; } if (((data.getFlags() & FLAG_0x20) != 0) && ((data.getFlags() & FLAG_COMPRESSED) != 0)) { //Extended section can not be used simultaneously to compression return STATUS_ERROR_INCORRECT_FLAGS; } in.readFully(header); in.readFully(expectedHash); System.out.println("Checking header hash:"); AppLoader a = new AppLoader(); int hashFlag = ((data.getFlags() & FLAG_KEYENCRYPTED) == 0) ? 0x00000002 : 0x10000002; if ((data.getFlags() & FLAG_DEBUG) != 0) { hashFlag |= 0x01000000; } int keyIndex = 0; if (npd.getVersion() == 4) { keyIndex = 1; } //Veryfing header boolean result = a.doAll(hashFlag, 0x00000001, header, 0, out, 0, header.length, new byte[0x10], new byte[0x10], rifKey, expectedHash, 0, keyIndex); if (!result) { System.out.println("Error verifying header. Is rifKey valid?."); return STATUS_ERROR_HEADERCHECK; } if ((data.getFlags() & FLAG_0x20) == 0) { System.out.println("Checking metadata hash:"); a = new AppLoader(); a.doInit(hashFlag, 0x00000001, new byte[0x10], new byte[0x10], rifKey, keyIndex); int sectionSize = ((data.getFlags() & FLAG_COMPRESSED) != 0) ? 0x20 : 0x010; //Determine the metadatasection total len int numBlocks = (int) ((data.getFileLen().intValue() + data.getBlockSize() - 1) / data.getBlockSize()); int readed = 0; int baseOffset = 0x100; //baseOffset += modifier; //There is an unknown offset to add to the metadatasection... value seen 0 long remaining = sectionSize * numBlocks; while (remaining > 0) { int lenToRead = (HEADER_MAX_BLOCKSIZE > remaining) ? (int) remaining : HEADER_MAX_BLOCKSIZE; in.seek(baseOffset + readed); byte[] content = new byte[lenToRead]; out = new byte[lenToRead]; in.readFully(content); a.doUpdate(content, 0, out, 0, lenToRead); readed += lenToRead; remaining -= lenToRead; } result = a.doFinal(header, 0x90); if (!result) { System.out.println("Error verifying metadatasection. Data tampered"); return STATUS_ERROR_HEADERCHECK; } } else { System.out.println("Flag 0x20 detected. Ignore metadatasection hash"); } return STATUS_OK; } private byte[] decryptMetadataSection(byte[] metadata) { byte[] result = new byte[0x10]; result[0x00] = (byte) (metadata[0xC] ^ metadata[0x8] ^ metadata[0x10]); result[0x01] = (byte) (metadata[0xD] ^ metadata[0x9] ^ metadata[0x11]); result[0x02] = (byte) (metadata[0xE] ^ metadata[0xA] ^ metadata[0x12]); result[0x03] = (byte) (metadata[0xF] ^ metadata[0xB] ^ metadata[0x13]); result[0x04] = (byte) (metadata[0x4] ^ metadata[0x8] ^ metadata[0x14]); result[0x05] = (byte) (metadata[0x5] ^ metadata[0x9] ^ metadata[0x15]); result[0x06] = (byte) (metadata[0x6] ^ metadata[0xA] ^ metadata[0x16]); result[0x07] = (byte) (metadata[0x7] ^ metadata[0xB] ^ metadata[0x17]); result[0x08] = (byte) (metadata[0xC] ^ metadata[0x0] ^ metadata[0x18]); result[0x09] = (byte) (metadata[0xD] ^ metadata[0x1] ^ metadata[0x19]); result[0x0A] = (byte) (metadata[0xE] ^ metadata[0x2] ^ metadata[0x1A]); result[0x0B] = (byte) (metadata[0xF] ^ metadata[0x3] ^ metadata[0x1B]); result[0x0C] = (byte) (metadata[0x4] ^ metadata[0x0] ^ metadata[0x1C]); result[0x0D] = (byte) (metadata[0x5] ^ metadata[0x1] ^ metadata[0x1D]); result[0x0E] = (byte) (metadata[0x6] ^ metadata[0x2] ^ metadata[0x1E]); result[0x0F] = (byte) (metadata[0x7] ^ metadata[0x3] ^ metadata[0x1F]); return result; } private EDATData getEDATData(RandomAccessFile in) throws IOException { in.seek(0x80); byte[] data = new byte[0x10]; in.readFully(data); return EDATData.createEDATData(data); } private boolean compareBytes(byte[] value1, int offset1, byte[] value2, int offset2, int len) { boolean result = true; for (int i = 0; i < len; i++) { if (value1[i + offset1] != value2[i + offset2]) { result = false; break; } } return result; } private int validateNPD(String filename, byte[] devKLic, NPD[] npdPtr, RandomAccessFile in) throws IOException { in.seek(0); byte[] npd = new byte[0x80]; in.readFully(npd); byte[] extraData = new byte[0x04]; in.readFully(extraData); long flag = ConversionUtils.be32(extraData, 0); if ((flag & FLAG_SDAT) != 0) { System.out.println("INFO: SDAT detected. NPD header is not validated"); } else if (!checkNPDHash1(filename, npd)) { return STATUS_ERROR_HASHTITLEIDNAME; } else if (devKLic == null) { System.out.println("WARNING: Can not validate devklic header"); } else if (!checkNPDHash2(devKLic, npd)) { return STATUS_ERROR_HASHDEVKLIC; } npdPtr[0] = NPD.createNPD(npd); return STATUS_OK; } private boolean checkNPDHash1(String filename, byte[] npd) throws UnsupportedEncodingException { byte[] fileBytes = filename.getBytes("US-ASCII"); byte data1[] = new byte[0x30 + fileBytes.length]; System.arraycopy(npd, 0x10, data1, 0, 0x30); System.arraycopy(fileBytes, 0x00, data1, 0x30, fileBytes.length); byte[] hash1 = ToolsImpl.CMAC128(EDATKeys.npdrm_omac_key3, data1, 0, data1.length); boolean result1 = compareBytes(hash1, 0, npd, 0x50, 0x10); if (result1) { System.out.println("NPD hash 1 is valid (" + ConversionUtils.getHexString(hash1) + ")"); } return result1; } private boolean checkNPDHash2(byte[] klicensee, byte[] npd) { byte[] xoredKey = new byte[0x10]; ToolsImpl.XOR(xoredKey, klicensee, EDATKeys.npdrm_omac_key2); byte[] calculated = ToolsImpl.CMAC128(xoredKey, npd, 0, 0x60); boolean result2 = compareBytes(calculated, 0, npd, 0x60, 0x10); if (result2) { System.out.println("NPD hash 2 is valid (" + ConversionUtils.getHexString(calculated) + ")"); } return result2; } private byte[] getKey(NPD npd, EDATData data, byte[] devKLic, byte[] keyFromRif) { byte[] result = null; if ((data.getFlags() & FLAG_SDAT) != 0) { //Case SDAT result = new byte[0x10]; ToolsImpl.XOR(result, npd.getDevHash(), EDATKeys.SDATKEY); } else { //Case EDAT if (npd.getLicense() == 0x03) { result = devKLic; } else if (npd.getLicense() == 0x02) { result = keyFromRif; } } return result; } private int decryptData(RandomAccessFile in, RandomAccessFile out, NPD npd, EDATData data, byte[] rifkey) throws IOException { int numBlocks = (int) ((data.getFileLen().intValue() + data.getBlockSize() - 1) / data.getBlockSize()); int metadataSectionSize = ((data.getFlags() & FLAG_COMPRESSED) != 0 || (data.getFlags() & FLAG_0x20) != 0) ? 0x20 : 0x10; int baseOffset = 0x100; //+ offset (unknown) int keyIndex = 0; if (npd.getVersion() == 4) { keyIndex = 1; } for (int i = 0; i < numBlocks; i++) { in.seek(baseOffset + i * metadataSectionSize); byte[] expectedHash = new byte[0x14]; long offset; int len; int compressionEndBlock = 0; if ((data.getFlags() & FLAG_COMPRESSED) != 0) { byte[] metadata = new byte[0x20]; in.readFully(metadata); byte[] result = decryptMetadataSection(metadata); offset = ConversionUtils.be64(result, 0).intValue(); // + offset (unknown) len = Long.valueOf(ConversionUtils.be32(result, 8)).intValue(); compressionEndBlock = Long.valueOf(ConversionUtils.be32(result, 0xC)).intValue(); System.arraycopy(metadata, 0, expectedHash, 0, 0x10); } else if ((data.getFlags() & FLAG_0x20) != 0) { byte[] metadata = new byte[0x20]; in.seek(baseOffset + i * (metadataSectionSize + data.getBlockSize())); in.readFully(metadata); for (int j = 0; j < 0x10; j++) { expectedHash[j] = (byte) (metadata[j] ^ metadata[j + 0x10]); System.arraycopy(metadata, 0x10, expectedHash, 0x10, 0x4); } offset = baseOffset + i * (metadataSectionSize + data.getBlockSize()) + metadataSectionSize; len = Long.valueOf(data.getBlockSize()).intValue(); if (i == numBlocks - 1) { //Last block int aux = data.getFileLen().mod(BigInteger.valueOf(data.getBlockSize())).intValue(); len = (aux > 0) ? aux : len; } } else { in.readFully(expectedHash); offset = baseOffset + i * data.getBlockSize() + numBlocks * metadataSectionSize; len = Long.valueOf(data.getBlockSize()).intValue(); if (i == numBlocks - 1) { //Last block int aux = data.getFileLen().mod(BigInteger.valueOf(data.getBlockSize())).intValue(); len = (aux > 0) ? aux : len; } } int realLen = len; len = (len + 0xF) & 0xFFFFFFF0; System.out.printf("Offset: %016X, len: %08X, realLen: %08X, endCompress: %d\r\n", offset, len, realLen, compressionEndBlock); in.seek(offset); byte[] encryptedData = new byte[len]; byte[] decryptedData = new byte[len]; in.readFully(encryptedData); byte[] key = new byte[0x10]; byte[] hash = new byte[0x10]; byte[] blockKey = calculateBlockKey(i, npd); ToolsImpl.aesecbEncrypt(rifkey, blockKey, 0, key, 0, blockKey.length); if ((data.getFlags() & FLAG_0x10) != 0) { ToolsImpl.aesecbEncrypt(rifkey, key, 0, hash, 0, key.length); } else { System.arraycopy(key, 0, hash, 0, key.length); } int cryptoFlag = ((data.getFlags() & FLAG_0x02) == 0) ? 0x2 : 0x1; int hashFlag; if ((data.getFlags() & FLAG_0x10) == 0) { hashFlag = 0x02; } else if ((data.getFlags() & FLAG_0x20) == 0) { hashFlag = 0x04; } else { hashFlag = 0x01; } if ((data.getFlags() & FLAG_KEYENCRYPTED) != 0) { cryptoFlag |= 0x10000000; hashFlag |= 0x10000000; } if ((data.getFlags() & FLAG_DEBUG) != 0) { cryptoFlag |= 0x01000000; hashFlag |= 0x01000000; } AppLoader a = new AppLoader(); byte[] iv = (npd.getVersion() <= 1) ? (new byte[0x10]) : npd.getDigest(); boolean result = a.doAll(hashFlag, cryptoFlag, encryptedData, 0, decryptedData, 0, encryptedData.length, key, iv, hash, expectedHash, 0, keyIndex); if (!result) { System.out.println("Error decrypting block " + i); return STATUS_ERROR_DECRYPTING; } if ((data.getFlags() & FLAG_COMPRESSED) != 0) { //byte[] decompress = new byte[Long.valueOf(data.getBlockSize()).intValue()]; //DECOMPRESS: MISSING ALGORITHM //out.write(decompress, 0, data.getBlockSize()); } else { out.write(decryptedData, 0, realLen); } } return STATUS_OK; } private byte[] calculateBlockKey(int blk, NPD npd) { byte[] baseKey = (npd.getVersion() <= 1) ? (new byte[0x10]) : npd.getDevHash(); byte[] result = new byte[0x10]; System.arraycopy(baseKey, 0, result, 0, 0xC); result[0xC] = (byte) (blk >> 24 & 0xFF); result[0xD] = (byte) (blk >> 16 & 0xFF); result[0xE] = (byte) (blk >> 8 & 0xFF); result[0xF] = (byte) (blk & 0xFF); return result; } class AppLoader { private Decryptor dec; private Hash hash; private boolean hashDebug = false; private boolean cryptoDebug = false; //NOT USED?? public boolean doAll(int hashFlag, int cryptoFlag, byte[] in, int inOffset, byte[] out, int outOffset, int len, byte[] key, byte[] iv, byte[] hash, byte[] expectedHash, int hashOffset, int keyIndex) { doInit(hashFlag, cryptoFlag, key, iv, hash, keyIndex); doUpdate(in, inOffset, out, outOffset, len); return doFinal(expectedHash, hashOffset); } public void doInit(int hashFlag, int cryptoFlag, byte[] key, byte[] iv, byte[] hashKey, int keyIndex) { byte[] calculatedKey = new byte[key.length]; byte[] calculatedIV = new byte[iv.length]; byte[] calculatedHash = new byte[hashKey.length]; getCryptoKeys(cryptoFlag, calculatedKey, calculatedIV, key, iv, keyIndex); getHashKeys(hashFlag, calculatedHash, hashKey, keyIndex); setDecryptor(cryptoFlag); setHash(hashFlag); System.out.println("ERK: " + ConversionUtils.getHexString(calculatedKey)); System.out.println("IV: " + ConversionUtils.getHexString(calculatedIV)); System.out.println("HASH: " + ConversionUtils.getHexString(calculatedHash)); dec.doInit(calculatedKey, calculatedIV); hash.doInit(calculatedHash); } public void doUpdate(byte[] in, int inOffset, byte[] out, int outOffset, int len) { hash.doUpdate(in, inOffset, len); dec.doUpdate(in, inOffset, out, outOffset, len); } public boolean doFinal(byte[] expectedhash, int hashOffset) { return hash.doFinal(expectedhash, hashOffset); } private void getCryptoKeys(int cryptoFlag, byte[] calculatedKey, byte[] calculatedIV, byte[] key, byte[] iv, int keyIndex) { int mode = cryptoFlag & 0xF0000000; switch (mode) { case 0x10000000: ToolsImpl.aescbcDecrypt(EDATKeys.EDATKEY[keyIndex], EDATKeys.EDATIV[keyIndex], key, 0, calculatedKey, 0, calculatedKey.length); System.arraycopy(iv, 0, calculatedIV, 0, calculatedIV.length); System.out.println("MODE: Encrypted ERK"); break; case 0x20000000: System.arraycopy(EDATKeys.EDATKEY[keyIndex], 0, calculatedKey, 0, calculatedKey.length); System.arraycopy(EDATKeys.EDATIV[keyIndex], 0, calculatedIV, 0, calculatedIV.length); System.out.println("MODE: Default ERK"); break; case 0x00000000: System.arraycopy(key, 0, calculatedKey, 0, calculatedKey.length); System.arraycopy(iv, 0, calculatedIV, 0, calculatedIV.length); System.out.println("MODE: Unencrypted ERK"); break; default: throw new IllegalStateException("Crypto mode is not valid: Undefined keys calculator"); } } private void getHashKeys(int hashFlag, byte[] calculatedHash, byte[] hash, int keyIndex) { int mode = hashFlag & 0xF0000000; switch (mode) { case 0x10000000: ToolsImpl.aescbcDecrypt(EDATKeys.EDATKEY[keyIndex], EDATKeys.EDATIV[keyIndex], hash, 0, calculatedHash, 0, calculatedHash.length); System.out.println("MODE: Encrypted HASHKEY"); break; case 0x20000000: System.arraycopy(EDATKeys.EDATHASH[keyIndex], 0, calculatedHash, 0, calculatedHash.length); System.out.println("MODE: Default HASHKEY"); break; case 0x00000000: System.arraycopy(hash, 0, calculatedHash, 0, calculatedHash.length); System.out.println("MODE: Unencrypted HASHKEY"); break; default: throw new IllegalStateException("Hash mode is not valid: Undefined keys calculator"); } } private void setDecryptor(int cryptoFlag) { int aux = cryptoFlag & 0xFF; switch (aux) { case 0x01: dec = new NoCrypt(); System.out.println("MODE: Decryption Algorithm NONE"); break; case 0x02: dec = new AESCBC128Decrypt(); System.out.println("MODE: Decryption Algorithm AESCBC128"); break; default: throw new IllegalStateException("Crypto mode is not valid: Undefined decryptor"); } if ((cryptoFlag & 0x0F000000) != 0) { cryptoDebug = true; } } private void setHash(int hashFlag) { int aux = hashFlag & 0xFF; switch (aux) { case 0x01: hash = new HMAC(); hash.setHashLen(0x14); System.out.println("MODE: Hash HMAC Len 0x14"); break; case 0x02: hash = new CMAC(); hash.setHashLen(0x10); System.out.println("MODE: Hash CMAC Len 0x10"); break; case 0x04: hash = new HMAC(); hash.setHashLen(0x10); System.out.println("MODE: Hash HMAC Len 0x10"); break; default: throw new IllegalStateException("Hash mode is not valid: Undefined hash algorithm"); } if ((hashFlag & 0x0F000000) != 0) { hashDebug = true; } } abstract class Decryptor { public abstract void doInit(byte[] key, byte[] iv); public abstract void doUpdate(byte[] in, int inOffset, byte[] out, int outOffset, int len); } class NoCrypt extends Decryptor { @Override public void doInit(byte[] key, byte[] iv) { //Do nothing } @Override public void doUpdate(byte[] in, int inOffset, byte[] out, int outOffset, int len) { System.arraycopy(in, inOffset, out, outOffset, len); } } class AESCBC128Decrypt extends Decryptor { Cipher c; @Override public void doInit(byte[] key, byte[] iv) { try { SecretKeySpec skeySpec = new SecretKeySpec(key, "AES"); c = Cipher.getInstance("AES/CBC/NoPadding"); AlgorithmParameterSpec paramSpec = new IvParameterSpec(iv); c.init(Cipher.DECRYPT_MODE, skeySpec, paramSpec); } catch (InvalidKeyException ex) { throw new IllegalStateException(ex); } catch (InvalidAlgorithmParameterException ex) { throw new IllegalStateException(ex); } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); } catch (NoSuchPaddingException ex) { throw new IllegalStateException(ex); } } @Override public void doUpdate(byte[] in, int inOffset, byte[] out, int outOffset, int len) { try { c.update(in, inOffset, len, out, outOffset); } catch (ShortBufferException ex) { throw new IllegalStateException(ex); } } } abstract class Hash { public abstract void setHashLen(int len); public abstract void doInit(byte[] key); public abstract void doUpdate(byte[] in, int inOffset, int len); public abstract boolean doFinal(byte[] expectedhash, int hashOffset); } class HMAC extends Hash { private int hashLen; private Mac mac; @Override public void setHashLen(int len) { if (len == 0x10 || len == 0x14) { hashLen = len; } else { throw new IllegalArgumentException("Hash len must be 0x10 or 0x14"); } } @Override public void doInit(byte[] key) { try { SecretKeySpec skeySpec = new SecretKeySpec(key, "HmacSHA1"); mac = Mac.getInstance("HmacSHA1"); mac.init(skeySpec); } catch (InvalidKeyException ex) { throw new IllegalStateException(ex); } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); } } @Override public void doUpdate(byte[] in, int inOffset, int len) { mac.update(in, inOffset, len); } @Override public boolean doFinal(byte[] expectedhash, int hashOffset) { byte[] result = mac.doFinal(); if (hashDebug || compareBytes(expectedhash, hashOffset, result, 0, hashLen)) { return true; } else { System.out.printf("Error on hash. Expected %s. Obtained %s\r\n", ConversionUtils.getHexString(expectedhash), ConversionUtils.getHexString(result)); return false; } } } class CMAC extends Hash { int hashLen; byte[] key; byte[] K1; byte[] K2; byte[] nonProcessed; byte[] previous; public CMAC() { hashLen = 0x10; } @Override public void setHashLen(int len) { if (len == 0x10) { hashLen = len; } else { throw new IllegalArgumentException("Hash len must be 0x10"); } } @Override public void doInit(byte[] key) { this.key = key; K1 = new byte[0x10]; K2 = new byte[0x10]; calculateSubkey(key, K1, K2); nonProcessed = null; previous = new byte[0x10]; } private void calculateSubkey(byte[] key, byte[] K1, byte[] K2) { byte[] zero = new byte[0x10]; byte[] L = new byte[0x10]; ToolsImpl.aesecbEncrypt(key, zero, 0, L, 0, zero.length); BigInteger aux = new BigInteger(1, L); if ((L[0] & 0x80) != 0) { //Case MSB is set aux = aux.shiftLeft(1).xor(BigInteger.valueOf(0x87)); } else { aux = aux.shiftLeft(1); } byte[] aux1 = aux.toByteArray(); if (aux1.length >= 0x10) { System.arraycopy(aux1, aux1.length - 0x10, K1, 0, 0x10); } else { System.arraycopy(zero, 0, K1, 0, zero.length); System.arraycopy(aux1, 0, K1, 0x10 - aux1.length, aux1.length); } aux = new BigInteger(1, K1); if ((K1[0] & 0x80) != 0) { aux = aux.shiftLeft(1).xor(BigInteger.valueOf(0x87)); } else { aux = aux.shiftLeft(1); } aux1 = aux.toByteArray(); if (aux1.length >= 0x10) { System.arraycopy(aux1, aux1.length - 0x10, K2, 0, 0x10); } else { System.arraycopy(zero, 0, K2, 0, zero.length); System.arraycopy(aux1, 0, K2, 0x10 - aux1.length, aux1.length); } } @Override public void doUpdate(byte[] in, int inOffset, int len) { byte[] data; if (nonProcessed != null) { int totalLen = len + nonProcessed.length; data = new byte[totalLen]; System.arraycopy(nonProcessed, 0, data, 0, nonProcessed.length); System.arraycopy(in, inOffset, data, nonProcessed.length, len); } else { data = new byte[len]; System.arraycopy(in, inOffset, data, 0, len); } int count = 0; while (count < data.length - 0x10) { byte[] aux = new byte[0x10]; System.arraycopy(data, count, aux, 0, aux.length); ToolsImpl.XOR(aux, aux, previous); ToolsImpl.aesecbEncrypt(key, aux, 0, previous, 0, aux.length); count += 0x10; } nonProcessed = new byte[data.length - count]; System.arraycopy(data, count, nonProcessed, 0, nonProcessed.length); } @Override public boolean doFinal(byte[] expectedhash, int hashOffset) { byte[] aux = new byte[0x10]; System.arraycopy(nonProcessed, 0, aux, 0, nonProcessed.length); if (nonProcessed.length == 0x10) { ToolsImpl.XOR(aux, aux, K1); } else { aux[nonProcessed.length] = (byte) 0x80; ToolsImpl.XOR(aux, aux, K2); } ToolsImpl.XOR(aux, aux, previous); byte[] calculatedhash = new byte[0x10]; ToolsImpl.aesecbEncrypt(key, aux, 0, calculatedhash, 0, aux.length); if (hashDebug || compareBytes(expectedhash, hashOffset, calculatedhash, 0, hashLen)) { return true; } else { System.out.printf("Error on hash. Expected %s. Obtained %s\r\n", ConversionUtils.getHexString(expectedhash), ConversionUtils.getHexString(calculatedhash)); return false; } } } } private boolean checkSignature(RandomAccessFile in) throws IOException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException, InvalidKeyException, SignatureException { in.seek(0); byte[] data = new byte[0xD8]; byte[] rs = new byte[0x28]; in.readFully(data); in.readFully(rs); byte[] pubKey = EDATKeys.PUB_KEY; Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); byte[] rhex = new byte[0x14]; byte[] shex = new byte[0x14]; System.arraycopy(rs, 0, rhex, 0, rhex.length); System.arraycopy(rs, rhex.length, shex, 0, shex.length); ASN1Integer rASN = new ASN1Integer(new BigInteger(1, rhex)); ASN1Integer sASN = new ASN1Integer(new BigInteger(1, shex)); ASN1EncodableVector v = new ASN1EncodableVector(); v.add(rASN); v.add(sASN); DERSequence s = new DERSequence(v); byte[] signature = s.getEncoded(); Signature sign = Signature.getInstance("SHA1withECDSA", "BC"); byte[] publicKeyX = new byte[pubKey.length / 2]; byte[] publicKeyY = new byte[pubKey.length / 2]; System.arraycopy(pubKey, 0, publicKeyX, 0, publicKeyX.length); System.arraycopy(pubKey, publicKeyX.length, publicKeyY, 0, publicKeyY.length); ECPoint publicKey = new ECPoint(new BigInteger(1, publicKeyX), new BigInteger(1, publicKeyY)); ECParameterSpec ecps = CurveManager.getInstance().getVshCurve(2); ECPublicKeySpec ecpks = new ECPublicKeySpec(publicKey, ecps); PublicKey pk = KeyFactory.getInstance("EC", "BC").generatePublic(ecpks); sign.initVerify(pk); sign.update(data); return sign.verify(signature); } }