From d0284099857fdf96ecc93480769c9f2c2cbaf938 Mon Sep 17 00:00:00 2001
From: subrahmanyaman
Date: Tue, 15 Nov 2022 05:41:13 +0000
Subject: [PATCH] Fixed the issue with one of the wychproof test vectors for RSA OAEP
---
 .../seprovider/KMRsaOAEPEncoding.java | 32 ++++++++++---------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMRsaOAEPEncoding.java b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMRsaOAEPEncoding.java
index 901e93f2..34f46321 100644
--- a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMRsaOAEPEncoding.java
+++ b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMRsaOAEPEncoding.java
@@ -125,10 +125,8 @@ public short doFinal(byte[] inBuff, short inOffset, short inLength,
 if (len != 256 || outBuff[0] != 0) {
 CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
 }
- inBuff = outBuff;
- inOffset = (short) (outOffset + 1);
- return rsaOAEPDecode(inBuff, inOffset, (short) (len - 1), outBuff,
- outOffset);
+ Util.arrayCopyNonAtomic(outBuff, (short) (outOffset + 1), outBuff, (short) 0, (short) (len -1));
+ return rsaOAEPDecode(outBuff, (short) 0, (short) (len - 1));
 }
@@ -177,7 +175,7 @@ private void I2OS(short i, byte[] out, short offset) {
 }
 private short rsaOAEPDecode(byte[] encodedMsg, short encodedMsgOff,
- short encodedMsgLen, byte[] msg, short offset) {
+ short encodedMsgLen) {
 MessageDigest.OneShot md = null;
 byte[] tmpArray = KMAndroidSEProvider.getInstance().tmpArray;
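Review bot: The decoded message now lands at index 0 of `outBuff` instead of at `outOffset`, because the two added lines in doFinal pass `(short) 0` as the destination and decode offset. With a non-zero `outOffset` the caller would get back a length for data that is not at `outOffset`, and the first bytes of the buffer would be overwritten. Keeping the offset would read `Util.arrayCopyNonAtomic(outBuff, (short) (outOffset + 1), outBuff, outOffset, (short) (len - 1));` followed by `return rsaOAEPDecode(outBuff, outOffset, (short) (len - 1));`. The context check `outBuff[0] != 0` also indexes 0 rather than `outOffset`, which suggests callers always pass 0; if that is the contract, it deserves a comment or an explicit guard. doFinal begins outside the hunk, so how `len` is produced is not visible here.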
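Review bot: rsaOAEPDecode has no comment saying that it now decodes in place, which is the contract this signature change creates. With `msg` and `offset` removed, the later hunk shows the recovered message being moved to `encodedMsg` at `encodedMsgOff`, and the return value is its length. A one-line comment above the signature would make this explicit, for example `// Decodes in place: message is moved to encodedMsg[encodedMsgOff..]; returns its length, throws ILLEGAL_VALUE on bad padding.` The same comment is a good place to record that every padding failure must surface as the same `CryptoException.ILLEGAL_VALUE`, as the visible checks do, so callers cannot tell the failure cases apart. The method body lies outside this hunk.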
@@ -232,22 +230,26 @@ private short rsaOAEPDecode(byte[] encodedMsg, short encodedMsgOff,
 // encoding parameters is calculated and then copied from the
 // starting of the block and a variable length of 0's are
 // appended to the end of the hash till the 0x01 byte.
- short start = 0;
+ short start = (short) (encodedMsgOff + encodedMsgLen);
 for (short i = (short) (encodedMsgOff + 2 * hLen); i < (short) (encodedMsgOff + encodedMsgLen); i++) {
- if (i == (short) ((encodedMsgOff + encodedMsgLen) - 1)) {
- // Bad Padding.
- CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
- }
- if (encodedMsg[i] != 0) {
+ if ((encodedMsg[i] != 0)) {
 start = i;
 break;
 }
 }
- // Copy the message
- Util.arrayCopyNonAtomic(encodedMsg, (short) (start + 1), msg, offset,
- (short) (encodedMsgLen - ((start - encodedMsgOff) + 1)));
- return (short) (encodedMsgLen - ((start - encodedMsgOff) + 1));
+ if ((start >= (short)(encodedMsgOff + encodedMsgLen)) ||
+ (encodedMsg[start] != 0x01)) {
+ // Bad Padding.
+ CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
+ }
+ start++; // Message starting pos.
+ if (start < (short)(encodedMsgOff + encodedMsgLen)) {
+ // Copy the message
+ Util.arrayCopyNonAtomic(encodedMsg, start, encodedMsg, encodedMsgOff,
+ (short) (encodedMsgLen - (start - encodedMsgOff)));
+ }
+ return (short) (encodedMsgLen - (start - encodedMsgOff));
 } finally {
 if (md != null) {