| Code with Misuse: |
class PassportAuthService {
/**
* Performs the <i>Active Authentication</i> protocol.
*
* @param pubkey the public key to use (usually read from the card)
*
* @return a boolean indicating whether the card was authenticated
*
* @throws GeneralSecurityException if something goes wrong
*/
public boolean doAA(PublicKey pubkey) throws GeneralSecurityException {
aaCipher.init(Cipher.ENCRYPT_MODE, pubkey);
aaSignature.initVerify(pubkey);
byte[] m2 = new byte[8]; /* TODO: random rndIFD */
byte[] response = service.sendInternalAuthenticate(wrapper, m2);
System.out.println("DEBUG: response.length = " + response.length);
System.out.println("DEBUG: response = " + Hex.bytesToHexString(response));
int digestLength = aaDigest.getDigestLength(); /* should always be 20 */
byte[] plaintext = aaCipher.doFinal(response);
byte[] m1 = Util.recoverMessage(digestLength, plaintext);
// System.out.println("DEBUG: m1 = " + Hex.bytesToHexString(m1));
aaSignature.update(m1);
aaSignature.update(m2);
boolean success = aaSignature.verify(response);
notifyAAPerformed(pubkey, m1, m2, success);
if (success) {
state = AA_AUTHENTICATED_STATE;
}
return success;
}
}
|
