Move CRT fault countermeasure into RSACoreEngine

Author: peterdettman

core/src/main/java/org/bouncycastle/crypto/engines/RSABlindedEngine.java

@@ -110,39 +110,31 @@ public byte[] processBlock(
         }
 
         BigInteger input = core.convertInput(in, inOff, inLen);
+        BigInteger result = processInput(input);
+        return core.convertOutput(result);
+    }
 
-        BigInteger result;
+    private BigInteger processInput(BigInteger input)
+    {
         if (key instanceof RSAPrivateCrtKeyParameters)
         {
-            RSAPrivateCrtKeyParameters k = (RSAPrivateCrtKeyParameters)key;
+            RSAPrivateCrtKeyParameters crtKey = (RSAPrivateCrtKeyParameters)key;
 
-            BigInteger e = k.getPublicExponent();
+            BigInteger e = crtKey.getPublicExponent();
             if (e != null)   // can't do blinding without a public exponent
             {
-                BigInteger m = k.getModulus();
+                BigInteger m = crtKey.getModulus();
+
                 BigInteger r = BigIntegers.createRandomInRange(ONE, m.subtract(ONE), random);
+                BigInteger blind = r.modPow(e, m);
+                BigInteger unblind = BigIntegers.modOddInverse(m, r);
 
-                BigInteger blindedInput = r.modPow(e, m).multiply(input).mod(m);
+                BigInteger blindedInput = blind.multiply(input).mod(m);
                 BigInteger blindedResult = core.processBlock(blindedInput);
-
-                BigInteger rInv = BigIntegers.modOddInverse(m, r);
-                result = blindedResult.multiply(rInv).mod(m);
-                // defence against Arjen Lenstra’s CRT attack
-                if (!input.equals(result.modPow(e, m)))
-                {
-                    throw new IllegalStateException("RSA engine faulty decryption/signing detected");
-                }
-            }
-            else
-            {
-                result = core.processBlock(input);
+                return unblind.multiply(blindedResult).mod(m);
             }
         }
-        else
-        {
-            result = core.processBlock(input);
-        }
 
-        return core.convertOutput(result);
+        return core.processBlock(input);
     }
 }

core/src/main/java/org/bouncycastle/crypto/engines/RSACoreEngine.java

@@ -185,36 +185,43 @@ public BigInteger processBlock(BigInteger input)
             //
             RSAPrivateCrtKeyParameters crtKey = (RSAPrivateCrtKeyParameters)key;
 
-            BigInteger p = crtKey.getP();
-            BigInteger q = crtKey.getQ();
-            BigInteger dP = crtKey.getDP();
-            BigInteger dQ = crtKey.getDQ();
-            BigInteger qInv = crtKey.getQInv();
+            BigInteger e = crtKey.getPublicExponent();
+            if (e != null)   // can't apply fault-attack countermeasure without public exponent
+            {
+                BigInteger p = crtKey.getP();
+                BigInteger q = crtKey.getQ();
+                BigInteger dP = crtKey.getDP();
+                BigInteger dQ = crtKey.getDQ();
+                BigInteger qInv = crtKey.getQInv();
 
-            BigInteger mP, mQ, h, m;
+                BigInteger mP, mQ, h, m;
 
-            // mP = ((input mod p) ^ dP)) mod p
-            mP = (input.remainder(p)).modPow(dP, p);
+                // mP = ((input mod p) ^ dP)) mod p
+                mP = (input.remainder(p)).modPow(dP, p);
 
-            // mQ = ((input mod q) ^ dQ)) mod q
-            mQ = (input.remainder(q)).modPow(dQ, q);
+                // mQ = ((input mod q) ^ dQ)) mod q
+                mQ = (input.remainder(q)).modPow(dQ, q);
 
-            // h = qInv * (mP - mQ) mod p
-            h = mP.subtract(mQ);
-            h = h.multiply(qInv);
-            h = h.mod(p);               // mod (in Java) returns the positive residual
+                // h = qInv * (mP - mQ) mod p
+                h = mP.subtract(mQ);
+                h = h.multiply(qInv);
+                h = h.mod(p);               // mod (in Java) returns the positive residual
 
-            // m = h * q + mQ
-            m = h.multiply(q);
-            m = m.add(mQ);
+                // m = h * q + mQ
+                m = h.multiply(q).add(mQ);
 
-            return m;
-        }
-        else
-        {
-            return input.modPow(
-                key.getExponent(), key.getModulus());
+                // defence against Arjen Lenstra’s CRT attack
+                BigInteger check = m.modPow(e, crtKey.getModulus()); 
+                if (!check.equals(input))
+                {
+                    throw new IllegalStateException("RSA engine faulty decryption/signing detected");
+                }
+
+                return m;
+            }
         }
+
+        return input.modPow(key.getExponent(), key.getModulus());
     }
 
     private CryptoServicePurpose getPurpose(boolean isPrivate, boolean forEncryption)