java - C# Bouncy CaSTLe AES 解密 + GZ 解压缩 - 不同长度数据失败

Question

使用以下代码 - 我通常能够解密我正在传递的 token 。解码为 json 后的 token 字符串将如下所示:

\"id\":\"9efef759-15a3-4cd0-b1f1-fceab7ad0a6e\",
\"exp\":\"2016-07-23T15:27:50.758+12:00\", 
\"iv\":\"OOqNpy9puM5jPjTwrWHSNb+d5NYDEwIq2pZFqx6mraI14Kkh0bzEWADoU2d/KGu6cp9/FrVt4epheIP5Fw9qUFrdVcNYjLO5HWdJ0V5GhpdLJlFbMnFy4vS1rJ+4X1qTNZrqPwZh2deLceoHmxnqw7ml8JVFeIaz9H8BQXkgcNo=\",
\"ver\":\"1\",
\"iat\":\"2016-07-13T15:27:50.758+12:00\",
\"key\":\"d7R9blmqBYMywOEdYpRbd+gvKPfOqmxsRQMlDipkuGoWZobJ0dnK0MGBFAXq4wOdHbHVbfisjqm+6HoRSZ2w0KcfY+enPoKL5yptvlULkwpDtATEP8pnRmCh6ycWntbanL1gJI7RoNWTkomItBp/yODdL5kSMue76xAtIzc9+no=\",
\"sig\":\"X6A58tRDSUC5HJEP1VVmQjo17Qk2rJC9pYZiV5ccIjdcLmz7HPIkpm0ZCsFcQX4ps1k32asSojqOyegYFIdDqHypdrV9c5sHchIrp6Ak8MOjNTpy+SweTGPzkjlEHCMkWLVHjrkBq9mmoMk2o0sYyZes+/ARuYB8IjtAINtbAQE=\",
\"enc\":\"n+exbDhicBLuUtbYPXrrKESIktgyaidSreD5FWAxErGJeOyjTWv9QOqCGfEou5yJq2njCddf0mu0JOEP9i1mlhe1MUUa1hE4J+qnqxre+tSxWRNszHQL8Pk+0FV6cZ1nqk+aCfw9VOjlOLYXYmNF0NSZBqQIqzpobM3twHIf5u7pvJkvbnfP8Db0S83ZchNgMWyH1t+UEb+jbpcg1Um3U7Yb8Q==\"

从 token 中提取 IV 和 key 并进行非对称解密，然后对 enc 文本进行对称解密，然后再将其传递到 gzip 解压缩。

internal virtual UserObj decrypt(string jsonToken, UserObj cls, System.Security.Cryptography.AsymmetricAlgorithm certPrivateKey)
{

   Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair bcPrivateKey;
   try
   {
        //Make a bouncyCastle private key for feeding to the rsa Engine.
        bcPrivateKey = Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(certPrivateKey);
        // Attempt to unmarshal the JSON token
        Token token = encoder.unmarshalJsonString<Token>(jsonToken);

        // Asymmetrically encrypt the symmetric encryption iv
        Org.BouncyCastle.Crypto.Engines.RsaEngine rsaCipher = new Org.BouncyCastle.Crypto.Engines.RsaEngine();
        Org.BouncyCastle.Crypto.Encodings.Pkcs1Encoding rsaEncoder = new Org.BouncyCastle.Crypto.Encodings.Pkcs1Encoding(rsaCipher);

         rsaEncoder.Init(false, bcPrivateKey.Private);

         // Asymmetrically decrypt the symmetric encryption key
         byte[] encryptedAesKeyBytes = encoder.fromBase64String(token.Get(Token.ENCRYPTED_KEY));
         byte[] aesKeyBytes = rsaEncoder.ProcessBlock(encryptedAesKeyBytes, 0, encryptedAesKeyBytes.Length);

         // Asymmetrically decrypt the symmetric encryption IV
         byte[] encryptedAesIvBytes = encoder.fromBase64String(token.Get(Token.IV));
         byte[] aesIvBytes = rsaEncoder.ProcessBlock(encryptedAesIvBytes, 0, encryptedAesIvBytes.Length);

         //Setting equivalent excyption to "AES/CTR/NoPadding"
         Org.BouncyCastle.Crypto.Engines.AesEngine aes = new Org.BouncyCastle.Crypto.Engines.AesEngine();
         Org.BouncyCastle.Crypto.Modes.SicBlockCipher blockCipher = new Org.BouncyCastle.Crypto.Modes.SicBlockCipher(aes);
         Org.BouncyCastle.Crypto.Paddings.PaddedBufferedBlockCipher aesCipher = new Org.BouncyCastle.Crypto.Paddings.PaddedBufferedBlockCipher(blockCipher, new Org.BouncyCastle.Crypto.Paddings.ZeroBytePadding());

         Org.BouncyCastle.Crypto.Parameters.KeyParameter keyParam2 = new Org.BouncyCastle.Crypto.Parameters.KeyParameter(aesKeyBytes);

         // Symmetrically decrypt the data
         Org.BouncyCastle.Crypto.Parameters.ParametersWithIV keyParamWithIv = new Org.BouncyCastle.Crypto.Parameters.ParametersWithIV(keyParam2, aesIvBytes, 0, TokenEncryptor.IV_SIZE_BYTES);
         //
         // Symmetrically decrypt the data
         aesCipher.Init(false, keyParamWithIv);
         string encryptedData = token.Get(Token.ENCRYPTED_DATA);
         byte[] inputBytes = encoder.fromBase64String(encryptedData);
         byte[] compressedJsonBytes = new byte[aesCipher.GetOutputSize(inputBytes.Length)];
         //Do the decryption.  length is the proper size of the compressed data, compressedJsonBytes will
         //contain extra nulls at the end.
         int length = aesCipher.ProcessBytes(inputBytes, compressedJsonBytes, 0);

         //String to look at the compressed data (debug)
         string compressed = encoder.toBase64String(compressedJsonBytes);
         byte[] compressedJsonBytesProperSize = new byte[length];
         Array.Copy(compressedJsonBytes, compressedJsonBytesProperSize, length);

         //String to look at the compressed data (debug)
         compressed = encoder.toBase64String(compressedJsonBytesProperSize);
         byte[] jsonBytes = null;
         try
         {
               jsonBytes = encoder.decompress(compressedJsonBytesProperSize);
         }
         catch (Exception)
         {
               jsonBytes = encoder.decompress(compressedJsonBytes);
         }
         string tmep = System.Text.Encoding.UTF8.GetString(jsonBytes, 0, jsonBytes.Length);
         UserObj dataObj = encoder.fromJsonBytes<UserObj>(jsonBytes);

         return dataObj;

    }
    catch (Exception e)
    {
         throw new Exceptions.TokenDecryptionException(e);
    }
}

最终解密的 token 看起来像这样:

\"domain\":\"GLOBAL\",
\"user\":\"someuser\",
\"groups\":[\"GROUP1\",\"GROUP2\",\"GROUP3\"],
\"branchId\":\"0000\"

我的问题发生在根据组中项目的数量，GZ 解压缩将失败。在某些标记上，如果我传递完整的compressedJsonByte数组(末尾带有空值)，它会提示CRC错误(为什么我在解压缩时有try/catch)，所以然后我将修剪后的字节数组传递给它。但对于其他具有更多组的 token ，它会使用完整字节数组进行解压缩。

我有一个类似的加密例程，发现在其他条件都相同的情况下，如果警告用户名长度为 17 到 19 个字符，我需要使用未修剪的字节数组进行解压缩。但此后发现问题更加严重。

如有任何帮助，我们将不胜感激。我希望它是一个解压缩问题，但我怀疑解密中的某些内容可能会伪造输出字节数组的末尾。

我无法更改解密类型，因为它来自外部实体，并且它们的部分是用 Java 编写的。

供引用，解压例程是:

        public virtual byte[] decompress(byte[] compressedData)
        {
            try
            {
                //Push to a file for debug
                System.IO.FileStream fs = new System.IO.FileStream(@"C:\temp\file.gz", System.IO.FileMode.OpenOrCreate);
                fs.Write(compressedData,0,compressedData.Length);
                fs.Flush();
                fs.Close();

                byte[] outputBytes = new byte[4096];
                byte[] buffer = new byte[4096];
                    using (System.IO.MemoryStream msInput = new System.IO.MemoryStream(compressedData))
                    {
                        System.IO.MemoryStream msOutput = new System.IO.MemoryStream();
                        //using (System.IO.Compression.GZipStream gzs = new System.IO.Compression.GZipStream(msInput, System.IO.Compression.CompressionMode.Decompress))
                        using (ZLibNet.GZipStream gzs = new ZLibNet.GZipStream(msInput, ZLibNet.CompressionMode.Decompress))
                        {

                            int nRead;

                            bool canR = gzs.CanRead;
                            while ((nRead = gzs.Read(buffer, 0, buffer.Length)) > 0)
                            {
                                msOutput.Write(buffer, 0, nRead);

                            }
                        }
                        outputBytes = msOutput.ToArray();
                        if (outputBytes.Length == 0)
                            throw new Exception("Could not decompress");
                    }
                return outputBytes;
            }
            catch (Exception e)
            {
                throw new Exceptions.ServiceException(e);
            }
        }

Answer 1

您使用的是 ZeroBytePadding，而 CTR 模式根本不需要任何填充，您不妨直接使用 SicCipher 实例。

零字节填充将从数据末尾去除所有零值字节，这就是您最终可能会得到受损数据的原因。

零字节填充不是确定性的，不应使用，除非您满足以下条件:

• 确保数据不以零字节或位结尾；
• 能够通过其他方式确定明文长度。