CmsEnvelope decryption ECCP256 / AES128CBC failed

[TovabbitoJanos]

HI
The error msg:

checksum failed at Org.BouncyCastle.Crypto.Engines.Rfc3394WrapEngine.Unwrap(Byte[] input, Int32 inOff, Int32 inLen) 
			in BouncyCastle\\crypto\\src\\crypto\\engines\\RFC3394WrapEngine.cs:line 171
  at Org.BouncyCastle.Cms.KeyAgreeRecipientInformation.UnwrapSessionKey(DerObjectIdentifier wrapAlgOid, KeyParameter agreedKey) 
     in BouncyCastle\\crypto\\src\\cms\\KeyAgreeRecipientInformation.cs:line 159 
 at Org.BouncyCastle.Cms.KeyAgreeRecipientInformation.GetSessionKey(AsymmetricKeyParameter receiverPrivateKey) 
    in BouncyCastle\\crypto\\src\\cms\\KeyAgreeRecipientInformation.cs:line 179

when i try to decrypt a cms envelope where the key uese ECC P256
I try to do this:

// My private key
MemoryStream stream = new MemoryStream( certificateRawData );
st.Load( stream, CertPassword.ToCharArray() );
AsymmetricKeyEntry k = st.GetKey( (String) a );

// recipients from msg:
CmsEnvelopedData ced = new CmsEnvelopedData( encryptedData );
RecipientInformationStore rec = ced.GetRecipientInfos();
foreach (RecipientInformation r in rec.GetRecipients())
 {
...
                    byte[] res = r.GetContent( k.Key );

Envelope encrypted with 2.16.840.1.101.3.4.1.2 (Aes128Cbc)
KeyEcryption AlgOid: 1.3.132.1.11.1 (SHA256)
PublicKeyParamSet {1.2.840.10045.3.1.7} 256-bit Elliptic Curve Cryptography

the UnwrapSessionKey(wrapAlgOid, agreedWrapKey);
WrapOID: {2.16.840.1.101.3.4.1.5} AES128 fo wrapping
agreedKey.m_key: 71,240,93,144,182,231,203,68,70,11,69,126,109,174,71,72
calls:
byte[] sKeyBytes = keyCipher.Unwrap(encKeyOctets, 0, encKeyOctets.Length);
in this, at the end:
if (!Arrays.FixedTimeEquals(a, m_iv))
throw new InvalidCipherTextException("checksum failed");
this is failed.
"a" = 46,166,,123,149,177,43,148,153
but m_iv is loaded with 166 , all the 8 bytes.

[heldpeet92]

I have the same issue, do you have any solution for this yet?

[TovabbitoJanos]

As I see the 166 (8 times )is the DefaultIV in RFC3394WrapEngine.cs line 51 : Array.Copy(DefaultIV, 0, m_iv, 0, 8); if I modify the contents of m_iv here so that the comparison is good later, I get an error later, when calling the pkcs7 pad block:
throw new InvalidCipherTextException("pad block corrupted");
Stack trace:

BouncyCastle.Cryptography.dll!Org.BouncyCastle.Crypto.Paddings.Pkcs7Padding.PadCount(byte[] input) Line 53	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Crypto.Paddings.PaddedBufferedBlockCipher.DoFinal(byte[] output, int outOff) Line 316	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Crypto.BufferedBlockCipher.DoFinal(byte[] input, int inOff, int inLen) Line 336	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Crypto.IO.CipherStream.ReadAndProcessBlock() Line 360	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Crypto.IO.CipherStream.FillInBuf() Line 332	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Crypto.IO.CipherStream.Read(byte[] buffer, int offset, int count) Line 91	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Utilities.IO.FilterStream.Read(byte[] buffer, int offset, int count) Line 58	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Utilities.IO.Streams.CopyTo(System.IO.Stream source, System.IO.Stream destination, int bufferSize) Line 37	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Utilities.IO.Streams.PipeAll(System.IO.Stream inStr, System.IO.Stream outStr, int bufferSize) Line 100	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Utilities.IO.Streams.PipeAll(System.IO.Stream inStr, System.IO.Stream outStr) Line 90	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Utilities.IO.Streams.ReadAll(System.IO.Stream inStr) Line 133	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Cms.CmsUtilities.StreamToByteArray(System.IO.Stream inStream) Line 111	C#
BouncyCastle.Cryptography.dll!Org.BouncyCastle.Cms.RecipientInformation.GetContent(Org.BouncyCastle.Crypto.ICipherParameters key) Line 96	C#