public byte[] Unwrap(
byte[] input,
int inOff,
int length)
{
if (forWrapping)
{
throw new InvalidOperationException("Not set for unwrapping");
}
if (input == null)
{
throw new InvalidCipherTextException("Null pointer as ciphertext");
}
if (length % engine.GetBlockSize() != 0)
{
throw new InvalidCipherTextException("Ciphertext not multiple of "
+ engine.GetBlockSize());
}
/*
// Check if the length of the cipher text is reasonable given the key
// type. It must be 40 bytes for a 168 bit key and either 32, 40, or
// 48 bytes for a 128, 192, or 256 bit key. If the length is not supported
// or inconsistent with the algorithm for which the key is intended,
// return error.
//
// we do not accept 168 bit keys. it has to be 192 bit.
int lengthA = (estimatedKeyLengthInBit / 8) + 16;
int lengthB = estimatedKeyLengthInBit % 8;
if ((lengthA != keyToBeUnwrapped.Length) || (lengthB != 0)) {
throw new XMLSecurityException("empty");
}
*/
// Decrypt the cipher text with TRIPLedeS in CBC mode using the KEK
// and an initialization vector (IV) of 0x4adda22c79e82105. Call the output TEMP3.
ParametersWithIV param2 = new ParametersWithIV(this.parameters, IV2);
this.engine.Init(false, param2);
byte [] TEMP3 = new byte[length];
Array.Copy(input, inOff, TEMP3, 0, length);
for (int i = 0; i < (TEMP3.Length / engine.GetBlockSize()); i++)
{
int currentBytePos = i * engine.GetBlockSize();
engine.ProcessBlock(TEMP3, currentBytePos, TEMP3, currentBytePos);
}
// Reverse the order of the octets in TEMP3 and call the result TEMP2.
byte[] TEMP2 = new byte[TEMP3.Length];
for (int i = 0; i < TEMP3.Length; i++)
{
TEMP2[i] = TEMP3[TEMP3.Length - (i + 1)];
}
// Decompose TEMP2 into IV, the first 8 octets, and TEMP1, the remaining octets.
this.iv = new byte[8];
byte[] TEMP1 = new byte[TEMP2.Length - 8];
Array.Copy(TEMP2, 0, this.iv, 0, 8);
Array.Copy(TEMP2, 8, TEMP1, 0, TEMP2.Length - 8);
// Decrypt TEMP1 using TRIPLedeS in CBC mode using the KEK and the IV
// found in the previous step. Call the result WKCKS.
this.paramPlusIV = new ParametersWithIV(this.parameters, this.iv);
this.engine.Init(false, this.paramPlusIV);
byte[] LCEKPADICV = new byte[TEMP1.Length];
Array.Copy(TEMP1, 0, LCEKPADICV, 0, TEMP1.Length);
for (int i = 0; i < (LCEKPADICV.Length / engine.GetBlockSize()); i++)
{
int currentBytePos = i * engine.GetBlockSize();
engine.ProcessBlock(LCEKPADICV, currentBytePos, LCEKPADICV, currentBytePos);
}
// Decompose LCEKPADICV. CKS is the last 8 octets and WK, the wrapped key, are
// those octets before the CKS.
byte[] result = new byte[LCEKPADICV.Length - 8];
byte[] CKStoBeVerified = new byte[8];
Array.Copy(LCEKPADICV, 0, result, 0, LCEKPADICV.Length - 8);
Array.Copy(LCEKPADICV, LCEKPADICV.Length - 8, CKStoBeVerified, 0, 8);
// Calculate a CMS Key Checksum, (section 5.6.1), over the WK and compare
// with the CKS extracted in the above step. If they are not equal, return error.
if (!CheckCmsKeyChecksum(result, CKStoBeVerified))
{
throw new InvalidCipherTextException(
"Checksum inside ciphertext is corrupted");
}
if ((result.Length - ((result[0] & 0xff) + 1)) > 7)
{
throw new InvalidCipherTextException(
"too many pad bytes (" + (result.Length - ((result[0] & 0xff) + 1)) + ")");
}
// CEK is the wrapped key, now extracted for use in data decryption.
byte[] CEK = new byte[result[0]];
Array.Copy(result, 1, CEK, 0, CEK.Length);
return CEK;
}