From e82fb82c4466a4d1f5c9540bc9bb94ef68104ca2 Mon Sep 17 00:00:00 2001
From: dangfan <dangf09@gmail.com>
Date: Sun, 20 Dec 2020 13:10:28 +0800
Subject: [PATCH] fix ecdh decryption error: Invalid KEK

---
 .../securitytoken/operations/PsoDecryptTokenOp.java         | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java
index 83c8349de..d0949e5f6 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java
@@ -164,6 +164,10 @@ public class PsoDecryptTokenOp {
        */
         byte[] keyEncryptionKey = response.getData();
 
+        int xLen = (keyEncryptionKey.length - 1) / 2;
+        final byte[] kekX = new byte[xLen];
+        System.arraycopy(keyEncryptionKey, 1, kekX, 0, xLen);
+
         final byte[] keyEnc = new byte[encryptedSessionKeyMpi[mpiLength + 2]];
 
         System.arraycopy(encryptedSessionKeyMpi, 2 + mpiLength + 1, keyEnc, 0, keyEnc.length);
@@ -172,7 +176,7 @@ public class PsoDecryptTokenOp {
             final MessageDigest kdf = MessageDigest.getInstance(MessageDigestUtils.getDigestName(publicKey.getSecurityTokenHashAlgorithm()));
 
             kdf.update(new byte[]{(byte) 0, (byte) 0, (byte) 0, (byte) 1});
-            kdf.update(keyEncryptionKey);
+            kdf.update(kekX);
             kdf.update(publicKey.createUserKeyingMaterial(fingerprintCalculator));
 
             byte[] kek = kdf.digest();