merge fix

Author: dghgit

CONTRIBUTORS.html

@@ -571,6 +571,7 @@
 <li>Lomig Mégard &lt;https://github.com/lomigmegard&gt; - BLAKE2 defensive improvements and cleanup.</li>
 <li>Prasanth Sundararajan &lt;prasanth.srihari&#064;gmail.com&gt; - identification of the LDAPStoreHelper wildcard bug (see CVE-2023-33201).</li>
 <li>XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Lili Tang, Guannan Wang, and Guancheng Li&lt;xlabai@tencent.com&gt; - detection of the DSTU4145 random number defect, correction of the G3413BlockCipher class (see CVE-2025-14813).</li>
+<li>stevemit &lt;https://github.com/stevemit&gt; - Identified incorrect tagging in the AuthEnvelopedData stream generator.</li>
 </ul>
 </body>
 </html>

core/src/main/java/org/bouncycastle/asn1/ASN1Generator.java

@@ -27,4 +27,16 @@ public ASN1Generator(OutputStream out)
      * @return the stream that is directly encoded to.
      */
     public abstract OutputStream getRawOutputStream();
+
+    static int inheritConstructedFlag(int intoTag, int fromTag)
+    {
+        if ((fromTag & BERTags.CONSTRUCTED) != 0)
+        {
+            return intoTag | BERTags.CONSTRUCTED;
+        }
+        else
+        {
+            return intoTag & ~BERTags.CONSTRUCTED;
+        }
+    }
 }

core/src/main/java/org/bouncycastle/asn1/BERGenerator.java

@@ -41,31 +41,28 @@ private void writeHdr(int tag) throws IOException
 
     protected void writeBERHeader(int tag) throws IOException
     {
-        if (_tagged)
+        if (!_tagged)
         {
-            int tagNum = _tagNo | BERTags.CONTEXT_SPECIFIC;
-
-            if (_isExplicit)
-            {
-                writeHdr(tagNum | BERTags.CONSTRUCTED);
-                writeHdr(tag);
-            }
-            else
-            {
-                if ((tag & BERTags.CONSTRUCTED) != 0)
-                {
-                    writeHdr(tagNum | BERTags.CONSTRUCTED);
-                }
-                else
-                {
-                    writeHdr(tagNum);
-                }
-            }
+            writeHdr(tag);
         }
-        else
+        else if (_isExplicit)
         {
+            /*
+             * X.690-0207 8.14.2. If implicit tagging [..] was not used [..], the encoding shall be constructed
+             * and the contents octets shall be the complete base encoding.
+             */
+            writeHdr(_tagNo | BERTags.CONTEXT_SPECIFIC | BERTags.CONSTRUCTED);
             writeHdr(tag);
         }
+        else
+        {
+            /*
+             * X.690-0207 8.14.3. If implicit tagging was used [..], then: a) the encoding shall be constructed
+             * if the base encoding is constructed, and shall be primitive otherwise; and b) the contents octets
+             * shall be [..] the contents octets of the base encoding.
+             */
+            writeHdr(inheritConstructedFlag(_tagNo | BERTags.CONTEXT_SPECIFIC, tag));
+        }
     }
 
     protected void writeBEREnd() throws IOException

core/src/main/java/org/bouncycastle/asn1/BEROctetStringGenerator.java

@@ -71,14 +71,14 @@ private class BufferedBEROctetStream
     {
         private byte[] _buf;
         private int    _off;
-        private DEROutputStream _derOut;
+        private ASN1OutputStream _asn1Out;
 
         BufferedBEROctetStream(
             byte[] buf)
         {
             _buf = buf;
             _off = 0;
-            _derOut = new DEROutputStream(_out);
+            _asn1Out = ASN1OutputStream.create(_out);
         }
 
         public void write(
@@ -89,7 +89,7 @@ public void write(
 
             if (_off == _buf.length)
             {
-                DEROctetString.encode(_derOut, true, _buf, 0, _buf.length);
+                DEROctetString.encode(_asn1Out, true, _buf, 0, _buf.length);
                 _off = 0;
             }
         }
@@ -110,13 +110,13 @@ public void write(byte[] b, int off, int len) throws IOException
             {
                 System.arraycopy(b, off, _buf, _off, available);
                 count += available;
-                DEROctetString.encode(_derOut, true, _buf, 0, bufLen);
+                DEROctetString.encode(_asn1Out, true, _buf, 0, bufLen);
             }
 
             int remaining;
             while ((remaining = (len - count)) >= bufLen)
             {
-                DEROctetString.encode(_derOut, true, b, off + count, bufLen);
+                DEROctetString.encode(_asn1Out, true, b, off + count, bufLen);
                 count += bufLen;
             }
 
@@ -129,10 +129,10 @@ public void close()
         {
             if (_off != 0)
             {
-                DEROctetString.encode(_derOut, true, _buf, 0, _off);
+                DEROctetString.encode(_asn1Out, true, _buf, 0, _off);
             }
 
-            _derOut.flushInternal();
+            _asn1Out.flushInternal();
 
              writeBEREnd();
         }

core/src/main/java/org/bouncycastle/asn1/BEROutputStream.java

@@ -83,35 +83,28 @@ void writeDEREncoded(
         byte[]    bytes)
         throws IOException
     {
-        if (_tagged)
+        if (!_tagged)
         {
-            int tagNum = _tagNo | BERTags.CONTEXT_SPECIFIC;
-
-            if (_isExplicit)
-            {
-                int newTag = _tagNo | BERTags.CONSTRUCTED | BERTags.CONTEXT_SPECIFIC;
-
-                ByteArrayOutputStream bOut = new ByteArrayOutputStream();
-
-                writeDEREncoded(bOut, tag, bytes);
-
-                writeDEREncoded(_out, newTag, bOut.toByteArray());
-            }
-            else
-            {
-                if ((tag & BERTags.CONSTRUCTED) != 0)
-                {
-                    writeDEREncoded(_out, tagNum | BERTags.CONSTRUCTED, bytes);
-                }
-                else
-                {
-                    writeDEREncoded(_out, tagNum, bytes);
-                }
-            }
+            writeDEREncoded(_out, tag, bytes);
+        }
+        else if (_isExplicit)
+        {
+            /*
+             * X.690-0207 8.14.2. If implicit tagging [..] was not used [..], the encoding shall be constructed
+             * and the contents octets shall be the complete base encoding.
+             */
+            ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+            writeDEREncoded(bOut, tag, bytes);
+            writeDEREncoded(_out, _tagNo | BERTags.CONTEXT_SPECIFIC | BERTags.CONSTRUCTED, bOut.toByteArray());
         }
         else
         {
-            writeDEREncoded(_out, tag, bytes);
+            /*
+             * X.690-0207 8.14.3. If implicit tagging was used [..], then: a) the encoding shall be constructed
+             * if the base encoding is constructed, and shall be primitive otherwise; and b) the contents octets
+             * shall be [..] the contents octets of the base encoding.
+             */
+            writeDEREncoded(_out, inheritConstructedFlag(_tagNo | BERTags.CONTEXT_SPECIFIC, tag), bytes);
         }
     }
 }

core/src/main/java/org/bouncycastle/asn1/DERGenerator.java

@@ -68,8 +68,9 @@ public int calculateHashCode(X500Name name)
             }
             else
             {
-                hashCodeValue ^= rdns[i].getFirst().getType().hashCode();
-                hashCodeValue ^= calcHashCode(rdns[i].getFirst().getValue());
+                AttributeTypeAndValue first = rdns[i].getFirst(); 
+                hashCodeValue ^= first.getType().hashCode();
+                hashCodeValue ^= calcHashCode(first.getValue());
             }
         }
 

core/src/main/java/org/bouncycastle/asn1/x500/style/AbstractX500NameStyle.java

@@ -337,9 +337,10 @@ public static void appendRDN(
         }
         else
         {
-            if (rdn.getFirst() != null)
+            AttributeTypeAndValue first = rdn.getFirst();
+            if (first != null)
             {
-                IETFUtils.appendTypeAndValue(buf, rdn.getFirst(), oidSymbols);
+                IETFUtils.appendTypeAndValue(buf, first, oidSymbols);
             }
         }
     }
@@ -370,9 +371,10 @@ public static void appendRDN(
         }
         else
         {
-            if (rdn.getFirst() != null)
+            AttributeTypeAndValue first = rdn.getFirst();
+            if (first != null)
             {
-                IETFUtils.appendTypeAndValue(buf, rdn.getFirst(), oidSymbols);
+                IETFUtils.appendTypeAndValue(buf, first, oidSymbols);
             }
         }
     }

core/src/main/java/org/bouncycastle/asn1/x500/style/IETFUtils.java

@@ -4,8 +4,11 @@
 import java.io.IOException;
 import java.io.OutputStream;
 
+import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Set;
+import org.bouncycastle.asn1.BEROctetString;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DERSet;
 import org.bouncycastle.asn1.cms.AuthEnvelopedData;
@@ -55,16 +58,18 @@ private CMSAuthEnvelopedData doGenerate(
             throw new CMSException("unable to process authenticated content: " + e.getMessage(), e);
         }
 
-        byte[] encryptedContent = bOut.toByteArray();
-        byte[] mac = contentEncryptor.getMAC();
+        ASN1OctetString encryptedContent = new BEROctetString(bOut.toByteArray());
+        ASN1OctetString mac = new DEROctetString(contentEncryptor.getMAC());
 
-        EncryptedContentInfo eci = CMSUtils.getEncryptedContentInfo(content, contentEncryptor, encryptedContent);
+        EncryptedContentInfo encryptedContentInfo = CMSUtils.getEncryptedContentInfo(content, contentEncryptor,
+            encryptedContent);
 
         ASN1Set unprotectedAttrSet = CMSUtils.getAttrDLSet(unauthAttrsGenerator);
 
-        ContentInfo contentInfo = new ContentInfo(
-            CMSObjectIdentifiers.authEnvelopedData,
-            new AuthEnvelopedData(originatorInfo, new DERSet(recipientInfos), eci, authenticatedAttrSet, new DEROctetString(mac), unprotectedAttrSet));
+        ASN1Encodable authEnvelopedData = new AuthEnvelopedData(originatorInfo, new DERSet(recipientInfos),
+            encryptedContentInfo, authenticatedAttrSet, mac, unprotectedAttrSet);
+
+        ContentInfo contentInfo = new ContentInfo(CMSObjectIdentifiers.authEnvelopedData, authEnvelopedData);
 
         return new CMSAuthEnvelopedData(contentInfo);
     }

pkix/src/main/java/org/bouncycastle/cms/CMSAuthEnvelopedDataGenerator.java

@@ -11,7 +11,6 @@
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DERTaggedObject;
 import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.operator.OutputAEADEncryptor;
 
 /**
@@ -63,36 +62,25 @@ protected OutputStream open(
         OutputAEADEncryptor encryptor)
         throws IOException
     {
-        //
         // ContentInfo
-        //
-        BERSequenceGenerator cGen = new BERSequenceGenerator(out);
+        BERSequenceGenerator ciGen = new BERSequenceGenerator(out);
+        ciGen.addObject(CMSObjectIdentifiers.authEnvelopedData);
 
-        cGen.addObject(CMSObjectIdentifiers.authEnvelopedData);
+        // AuthEnvelopedData
+        BERSequenceGenerator aedGen = new BERSequenceGenerator(ciGen.getRawOutputStream(), 0, true);
+        aedGen.addObject(new ASN1Integer(0));
+        CMSUtils.addOriginatorInfoToGenerator(aedGen, originatorInfo);
+        CMSUtils.addRecipientInfosToGenerator(recipientInfos, aedGen, _berEncodeRecipientSet);
 
-        //
-        // Encrypted Data
-        //
-        BERSequenceGenerator authEnvGen = new BERSequenceGenerator(cGen.getRawOutputStream(), 0, true);
+        // EncryptedContentInfo
+        BERSequenceGenerator eciGen = new BERSequenceGenerator(aedGen.getRawOutputStream());
+        eciGen.addObject(dataType);
+        eciGen.addObject(encryptor.getAlgorithmIdentifier());
 
-        authEnvGen.addObject(new ASN1Integer(0));
+        // encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL (EncryptedContent ::= OCTET STRING)
+        OutputStream ecStream = CMSUtils.createBEROctetOutputStream(eciGen.getRawOutputStream(), 0, false, _bufferSize);
 
-        CMSUtils.addOriginatorInfoToGenerator(authEnvGen, originatorInfo);
-
-        CMSUtils.addRecipientInfosToGenerator(recipientInfos, authEnvGen, _berEncodeRecipientSet);
-
-        BERSequenceGenerator eiGen = new BERSequenceGenerator(authEnvGen.getRawOutputStream());
-
-        eiGen.addObject(dataType);
-
-        AlgorithmIdentifier encAlgId = encryptor.getAlgorithmIdentifier();
-
-        eiGen.getRawOutputStream().write(encAlgId.getEncoded());
-
-        OutputStream octetStream = CMSUtils.createBEROctetOutputStream(
-            eiGen.getRawOutputStream(), 0, true, _bufferSize);
-
-        return new CMSAuthEnvelopedDataOutputStream(encryptor, octetStream, cGen, authEnvGen, eiGen);
+        return new CMSAuthEnvelopedDataOutputStream(encryptor, ecStream, ciGen, aedGen, eciGen);
     }
 
     protected OutputStream open(