/* |
|
* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. |
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
* |
|
* This code is free software; you can redistribute it and/or modify it |
|
* under the terms of the GNU General Public License version 2 only, as |
|
* published by the Free Software Foundation. Oracle designates this |
|
* particular file as subject to the "Classpath" exception as provided |
|
* by Oracle in the LICENSE file that accompanied this code. |
|
* |
|
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
* version 2 for more details (a copy is included in the LICENSE file that |
|
* accompanied this code). |
|
* |
|
* You should have received a copy of the GNU General Public License version |
|
* 2 along with this work; if not, write to the Free Software Foundation, |
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
* |
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
* or visit www.oracle.com if you need additional information or have any |
|
* questions. |
|
*/ |
|
package com.sun.crypto.provider; |
|
import java.util.Arrays; |
|
import java.util.Locale; |
|
import java.security.*; |
|
import java.security.spec.*; |
|
import javax.crypto.*; |
|
import javax.crypto.spec.*; |
|
import javax.crypto.BadPaddingException; |
|
/** |
|
* This class represents the symmetric algorithms in its various modes |
|
* (<code>ECB</code>, <code>CFB</code>, <code>OFB</code>, <code>CBC</code>, |
|
* <code>PCBC</code>, <code>CTR</code>, and <code>CTS</code>) and |
|
* padding schemes (<code>PKCS5Padding</code>, <code>NoPadding</code>, |
|
* <code>ISO10126Padding</code>). |
|
* |
|
* @author Gigi Ankeny |
|
* @author Jan Luehe |
|
* @see ElectronicCodeBook |
|
* @see CipherFeedback |
|
* @see OutputFeedback |
|
* @see CipherBlockChaining |
|
* @see PCBC |
|
* @see CounterMode |
|
* @see CipherTextStealing |
|
*/ |
|
final class CipherCore { |
|
/* |
|
* internal buffer |
|
*/ |
|
private byte[] buffer = null; |
|
/* |
|
* block size of cipher in bytes |
|
*/ |
|
private int blockSize = 0; |
|
/* |
|
* unit size (number of input bytes that can be processed at a time) |
|
*/ |
|
private int unitBytes = 0; |
|
/* |
|
* index of the content size left in the buffer |
|
*/ |
|
private int buffered = 0; |
|
/* |
|
* minimum number of bytes in the buffer required for |
|
* FeedbackCipher.encryptFinal()/decryptFinal() call. |
|
* update() must buffer this many bytes before starting |
|
* to encrypt/decrypt data. |
|
* currently, only the following cases have non-zero values: |
|
* 1) CTS mode - due to its special handling on the last two blocks |
|
* (the last one may be incomplete). |
|
* 2) GCM mode + decryption - due to its trailing tag bytes |
|
*/ |
|
private int minBytes = 0; |
|
/* |
|
* number of bytes needed to make the total input length a multiple |
|
* of the blocksize (this is used in feedback mode, when the number of |
|
* input bytes that are processed at a time is different from the block |
|
* size) |
|
*/ |
|
private int diffBlocksize = 0; |
|
/* |
|
* padding class |
|
*/ |
|
private Padding padding = null; |
|
/* |
|
* internal cipher engine |
|
*/ |
|
private FeedbackCipher cipher = null; |
|
/* |
|
* the cipher mode |
|
*/ |
|
private int cipherMode = ECB_MODE; |
|
/* |
|
* are we encrypting or decrypting? |
|
*/ |
|
private boolean decrypting = false; |
|
/* |
|
* Block Mode constants |
|
*/ |
|
private static final int ECB_MODE = 0; |
|
private static final int CBC_MODE = 1; |
|
private static final int CFB_MODE = 2; |
|
private static final int OFB_MODE = 3; |
|
private static final int PCBC_MODE = 4; |
|
private static final int CTR_MODE = 5; |
|
private static final int CTS_MODE = 6; |
|
static final int GCM_MODE = 7; |
|
/* |
|
* variables used for performing the GCM (key+iv) uniqueness check. |
|
* To use GCM mode safely, the cipher object must be re-initialized |
|
* with a different combination of key + iv values for each |
|
* encryption operation. However, checking all past key + iv values |
|
* isn't feasible. Thus, we only do a per-instance check of the |
|
* key + iv values used in previous encryption. |
|
* For decryption operations, no checking is necessary. |
|
* NOTE: this key+iv check have to be done inside CipherCore class |
|
* since CipherCore class buffers potential tag bytes in GCM mode |
|
* and may not call GaloisCounterMode when there isn't sufficient |
|
* input to process. |
|
*/ |
|
private boolean requireReinit = false; |
|
private byte[] lastEncKey = null; |
|
private byte[] lastEncIv = null; |
|
/** |
|
* Creates an instance of CipherCore with default ECB mode and |
|
* PKCS5Padding. |
|
*/ |
|
CipherCore(SymmetricCipher impl, int blkSize) { |
|
blockSize = blkSize; |
|
unitBytes = blkSize; |
|
diffBlocksize = blkSize; |
|
/* |
|
* The buffer should be usable for all cipher mode and padding |
|
* schemes. Thus, it has to be at least (blockSize+1) for CTS. |
|
* In decryption mode, it also hold the possible padding block. |
|
*/ |
|
buffer = new byte[blockSize*2]; |
|
// set mode and padding |
|
cipher = new ElectronicCodeBook(impl); |
|
padding = new PKCS5Padding(blockSize); |
|
} |
|
/** |
|
* Sets the mode of this cipher. |
|
* |
|
* @param mode the cipher mode |
|
* |
|
* @exception NoSuchAlgorithmException if the requested cipher mode does |
|
* not exist for this cipher |
|
*/ |
|
void setMode(String mode) throws NoSuchAlgorithmException { |
|
if (mode == null) |
|
throw new NoSuchAlgorithmException("null mode"); |
|
String modeUpperCase = mode.toUpperCase(Locale.ENGLISH); |
|
if (modeUpperCase.equals("ECB")) { |
|
return; |
|
} |
|
SymmetricCipher rawImpl = cipher.getEmbeddedCipher(); |
|
if (modeUpperCase.equals("CBC")) { |
|
cipherMode = CBC_MODE; |
|
cipher = new CipherBlockChaining(rawImpl); |
|
} else if (modeUpperCase.equals("CTS")) { |
|
cipherMode = CTS_MODE; |
|
cipher = new CipherTextStealing(rawImpl); |
|
minBytes = blockSize+1; |
|
padding = null; |
|
} else if (modeUpperCase.equals("CTR")) { |
|
cipherMode = CTR_MODE; |
|
cipher = new CounterMode(rawImpl); |
|
unitBytes = 1; |
|
padding = null; |
|
} else if (modeUpperCase.equals("GCM")) { |
|
// can only be used for block ciphers w/ 128-bit block size |
|
if (blockSize != 16) { |
|
throw new NoSuchAlgorithmException |
|
("GCM mode can only be used for AES cipher"); |
|
} |
|
cipherMode = GCM_MODE; |
|
cipher = new GaloisCounterMode(rawImpl); |
|
padding = null; |
|
} else if (modeUpperCase.startsWith("CFB")) { |
|
cipherMode = CFB_MODE; |
|
unitBytes = getNumOfUnit(mode, "CFB".length(), blockSize); |
|
cipher = new CipherFeedback(rawImpl, unitBytes); |
|
} else if (modeUpperCase.startsWith("OFB")) { |
|
cipherMode = OFB_MODE; |
|
unitBytes = getNumOfUnit(mode, "OFB".length(), blockSize); |
|
cipher = new OutputFeedback(rawImpl, unitBytes); |
|
} else if (modeUpperCase.equals("PCBC")) { |
|
cipherMode = PCBC_MODE; |
|
cipher = new PCBC(rawImpl); |
|
} |
|
else { |
|
throw new NoSuchAlgorithmException("Cipher mode: " + mode |
|
+ " not found"); |
|
} |
|
} |
|
/** |
|
* Returns the mode of this cipher. |
|
* |
|
* @return the parsed cipher mode |
|
*/ |
|
int getMode() { |
|
return cipherMode; |
|
} |
|
private static int getNumOfUnit(String mode, int offset, int blockSize) |
|
throws NoSuchAlgorithmException { |
|
int result = blockSize; // use blockSize as default value |
|
if (mode.length() > offset) { |
|
int numInt; |
|
try { |
|
Integer num = Integer.valueOf(mode.substring(offset)); |
|
numInt = num.intValue(); |
|
result = numInt >> 3; |
|
} catch (NumberFormatException e) { |
|
throw new NoSuchAlgorithmException |
|
("Algorithm mode: " + mode + " not implemented"); |
|
} |
|
if ((numInt % 8 != 0) || (result > blockSize)) { |
|
throw new NoSuchAlgorithmException |
|
("Invalid algorithm mode: " + mode); |
|
} |
|
} |
|
return result; |
|
} |
|
/** |
|
* Sets the padding mechanism of this cipher. |
|
* |
|
* @param padding the padding mechanism |
|
* |
|
* @exception NoSuchPaddingException if the requested padding mechanism |
|
* does not exist |
|
*/ |
|
void setPadding(String paddingScheme) |
|
throws NoSuchPaddingException |
|
{ |
|
if (paddingScheme == null) { |
|
throw new NoSuchPaddingException("null padding"); |
|
} |
|
if (paddingScheme.equalsIgnoreCase("NoPadding")) { |
|
padding = null; |
|
} else if (paddingScheme.equalsIgnoreCase("ISO10126Padding")) { |
|
padding = new ISO10126Padding(blockSize); |
|
} else if (!paddingScheme.equalsIgnoreCase("PKCS5Padding")) { |
|
throw new NoSuchPaddingException("Padding: " + paddingScheme |
|
+ " not implemented"); |
|
} |
|
if ((padding != null) && |
|
((cipherMode == CTR_MODE) || (cipherMode == CTS_MODE) |
|
|| (cipherMode == GCM_MODE))) { |
|
padding = null; |
|
String modeStr = null; |
|
switch (cipherMode) { |
|
case CTR_MODE: |
|
modeStr = "CTR"; |
|
break; |
|
case GCM_MODE: |
|
modeStr = "GCM"; |
|
break; |
|
case CTS_MODE: |
|
modeStr = "CTS"; |
|
break; |
|
default: |
|
// should never happen |
|
} |
|
if (modeStr != null) { |
|
throw new NoSuchPaddingException |
|
(modeStr + " mode must be used with NoPadding"); |
|
} |
|
} |
|
} |
|
/** |
|
* Returns the length in bytes that an output buffer would need to be in |
|
* order to hold the result of the next <code>update</code> or |
|
* <code>doFinal</code> operation, given the input length |
|
* <code>inputLen</code> (in bytes). |
|
* |
|
* <p>This call takes into account any unprocessed (buffered) data from a |
|
* previous <code>update</code> call, padding, and AEAD tagging. |
|
* |
|
* <p>The actual output length of the next <code>update</code> or |
|
* <code>doFinal</code> call may be smaller than the length returned by |
|
* this method. |
|
* |
|
* @param inputLen the input length (in bytes) |
|
* |
|
* @return the required output buffer size (in bytes) |
|
*/ |
|
int getOutputSize(int inputLen) { |
|
// estimate based on the maximum |
|
return getOutputSizeByOperation(inputLen, true); |
|
} |
|
private int getOutputSizeByOperation(int inputLen, boolean isDoFinal) { |
|
int totalLen = Math.addExact(buffered, cipher.getBufferedLength()); |
|
totalLen = Math.addExact(totalLen, inputLen); |
|
switch (cipherMode) { |
|
case GCM_MODE: |
|
if (isDoFinal) { |
|
int tagLen = ((GaloisCounterMode) cipher).getTagLen(); |
|
if (!decrypting) { |
|
totalLen = Math.addExact(totalLen, tagLen); |
|
} else { |
|
totalLen -= tagLen; |
|
} |
|
} |
|
if (totalLen < 0) { |
|
totalLen = 0; |
|
} |
|
break; |
|
default: |
|
if (padding != null && !decrypting) { |
|
if (unitBytes != blockSize) { |
|
if (totalLen < diffBlocksize) { |
|
totalLen = diffBlocksize; |
|
} else { |
|
int residue = (totalLen - diffBlocksize) % blockSize; |
|
totalLen = Math.addExact(totalLen, (blockSize - residue)); |
|
} |
|
} else { |
|
totalLen = Math.addExact(totalLen, padding.padLength(totalLen)); |
|
} |
|
} |
|
break; |
|
} |
|
return totalLen; |
|
} |
|
/** |
|
* Returns the initialization vector (IV) in a new buffer. |
|
* |
|
* <p>This is useful in the case where a random IV has been created |
|
* (see <a href = "#init">init</a>), |
|
* or in the context of password-based encryption or |
|
* decryption, where the IV is derived from a user-provided password. |
|
* |
|
* @return the initialization vector in a new buffer, or null if the |
|
* underlying algorithm does not use an IV, or if the IV has not yet |
|
* been set. |
|
*/ |
|
byte[] getIV() { |
|
byte[] iv = cipher.getIV(); |
|
return (iv == null) ? null : iv.clone(); |
|
} |
|
/** |
|
* Returns the parameters used with this cipher. |
|
* |
|
* <p>The returned parameters may be the same that were used to initialize |
|
* this cipher, or may contain the default set of parameters or a set of |
|
* randomly generated parameters used by the underlying cipher |
|
* implementation (provided that the underlying cipher implementation |
|
* uses a default set of parameters or creates new parameters if it needs |
|
* parameters but was not initialized with any). |
|
* |
|
* @return the parameters used with this cipher, or null if this cipher |
|
* does not use any parameters. |
|
*/ |
|
AlgorithmParameters getParameters(String algName) { |
|
if (cipherMode == ECB_MODE) { |
|
return null; |
|
} |
|
AlgorithmParameters params = null; |
|
AlgorithmParameterSpec spec; |
|
byte[] iv = getIV(); |
|
if (iv == null) { |
|
// generate spec using default value |
|
if (cipherMode == GCM_MODE) { |
|
iv = new byte[GaloisCounterMode.DEFAULT_IV_LEN]; |
|
} else { |
|
iv = new byte[blockSize]; |
|
} |
|
SunJCE.getRandom().nextBytes(iv); |
|
} |
|
if (cipherMode == GCM_MODE) { |
|
algName = "GCM"; |
|
spec = new GCMParameterSpec |
|
(((GaloisCounterMode) cipher).getTagLen()*8, iv); |
|
} else { |
|
if (algName.equals("RC2")) { |
|
RC2Crypt rawImpl = (RC2Crypt) cipher.getEmbeddedCipher(); |
|
spec = new RC2ParameterSpec |
|
(rawImpl.getEffectiveKeyBits(), iv); |
|
} else { |
|
spec = new IvParameterSpec(iv); |
|
} |
|
} |
|
try { |
|
params = AlgorithmParameters.getInstance(algName, |
|
SunJCE.getInstance()); |
|
params.init(spec); |
|
} catch (NoSuchAlgorithmException nsae) { |
|
// should never happen |
|
throw new RuntimeException("Cannot find " + algName + |
|
" AlgorithmParameters implementation in SunJCE provider"); |
|
} catch (InvalidParameterSpecException ipse) { |
|
// should never happen |
|
throw new RuntimeException(spec.getClass() + " not supported"); |
|
} |
|
return params; |
|
} |
|
/** |
|
* Initializes this cipher with a key and a source of randomness. |
|
* |
|
* <p>The cipher is initialized for one of the following four operations: |
|
* encryption, decryption, key wrapping or key unwrapping, depending on |
|
* the value of <code>opmode</code>. |
|
* |
|
* <p>If this cipher requires an initialization vector (IV), it will get |
|
* it from <code>random</code>. |
|
* This behaviour should only be used in encryption or key wrapping |
|
* mode, however. |
|
* When initializing a cipher that requires an IV for decryption or |
|
* key unwrapping, the IV |
|
* (same IV that was used for encryption or key wrapping) must be provided |
|
* explicitly as a |
|
* parameter, in order to get the correct result. |
|
* |
|
* <p>This method also cleans existing buffer and other related state |
|
* information. |
|
* |
|
* @param opmode the operation mode of this cipher (this is one of |
|
* the following: |
|
* <code>ENCRYPT_MODE</code>, <code>DECRYPT_MODE</code>, |
|
* <code>WRAP_MODE</code> or <code>UNWRAP_MODE</code>) |
|
* @param key the secret key |
|
* @param random the source of randomness |
|
* |
|
* @exception InvalidKeyException if the given key is inappropriate for |
|
* initializing this cipher |
|
*/ |
|
void init(int opmode, Key key, SecureRandom random) |
|
throws InvalidKeyException { |
|
try { |
|
init(opmode, key, (AlgorithmParameterSpec)null, random); |
|
} catch (InvalidAlgorithmParameterException e) { |
|
throw new InvalidKeyException(e.getMessage()); |
|
} |
|
} |
|
/** |
|
* Initializes this cipher with a key, a set of |
|
* algorithm parameters, and a source of randomness. |
|
* |
|
* <p>The cipher is initialized for one of the following four operations: |
|
* encryption, decryption, key wrapping or key unwrapping, depending on |
|
* the value of <code>opmode</code>. |
|
* |
|
* <p>If this cipher (including its underlying feedback or padding scheme) |
|
* requires any random bytes, it will get them from <code>random</code>. |
|
* |
|
* @param opmode the operation mode of this cipher (this is one of |
|
* the following: |
|
* <code>ENCRYPT_MODE</code>, <code>DECRYPT_MODE</code>, |
|
* <code>WRAP_MODE</code> or <code>UNWRAP_MODE</code>) |
|
* @param key the encryption key |
|
* @param params the algorithm parameters |
|
* @param random the source of randomness |
|
* |
|
* @exception InvalidKeyException if the given key is inappropriate for |
|
* initializing this cipher |
|
* @exception InvalidAlgorithmParameterException if the given algorithm |
|
* parameters are inappropriate for this cipher |
|
*/ |
|
void init(int opmode, Key key, AlgorithmParameterSpec params, |
|
SecureRandom random) |
|
throws InvalidKeyException, InvalidAlgorithmParameterException { |
|
decrypting = (opmode == Cipher.DECRYPT_MODE) |
|
|| (opmode == Cipher.UNWRAP_MODE); |
|
byte[] keyBytes = getKeyBytes(key); |
|
int tagLen = -1; |
|
byte[] ivBytes = null; |
|
if (params != null) { |
|
if (cipherMode == GCM_MODE) { |
|
if (params instanceof GCMParameterSpec) { |
|
tagLen = ((GCMParameterSpec)params).getTLen(); |
|
if (tagLen < 96 || tagLen > 128 || ((tagLen & 0x07) != 0)) { |
|
throw new InvalidAlgorithmParameterException |
|
("Unsupported TLen value; must be one of " + |
|
"{128, 120, 112, 104, 96}"); |
|
} |
|
tagLen = tagLen >> 3; |
|
ivBytes = ((GCMParameterSpec)params).getIV(); |
|
} else { |
|
throw new InvalidAlgorithmParameterException |
|
("Unsupported parameter: " + params); |
|
} |
|
} else { |
|
if (params instanceof IvParameterSpec) { |
|
ivBytes = ((IvParameterSpec)params).getIV(); |
|
if ((ivBytes == null) || (ivBytes.length != blockSize)) { |
|
throw new InvalidAlgorithmParameterException |
|
("Wrong IV length: must be " + blockSize + |
|
" bytes long"); |
|
} |
|
} else if (params instanceof RC2ParameterSpec) { |
|
ivBytes = ((RC2ParameterSpec)params).getIV(); |
|
if ((ivBytes != null) && (ivBytes.length != blockSize)) { |
|
throw new InvalidAlgorithmParameterException |
|
("Wrong IV length: must be " + blockSize + |
|
" bytes long"); |
|
} |
|
} else { |
|
throw new InvalidAlgorithmParameterException |
|
("Unsupported parameter: " + params); |
|
} |
|
} |
|
} |
|
if (cipherMode == ECB_MODE) { |
|
if (ivBytes != null) { |
|
throw new InvalidAlgorithmParameterException |
|
("ECB mode cannot use IV"); |
|
} |
|
} else if (ivBytes == null) { |
|
if (decrypting) { |
|
throw new InvalidAlgorithmParameterException("Parameters " |
|
+ "missing"); |
|
} |
|
if (random == null) { |
|
random = SunJCE.getRandom(); |
|
} |
|
if (cipherMode == GCM_MODE) { |
|
ivBytes = new byte[GaloisCounterMode.DEFAULT_IV_LEN]; |
|
} else { |
|
ivBytes = new byte[blockSize]; |
|
} |
|
random.nextBytes(ivBytes); |
|
} |
|
buffered = 0; |
|
diffBlocksize = blockSize; |
|
String algorithm = key.getAlgorithm(); |
|
// GCM mode needs additional handling |
|
if (cipherMode == GCM_MODE) { |
|
if(tagLen == -1) { |
|
tagLen = GaloisCounterMode.DEFAULT_TAG_LEN; |
|
} |
|
if (decrypting) { |
|
minBytes = tagLen; |
|
} else { |
|
// check key+iv for encryption in GCM mode |
|
requireReinit = |
|
Arrays.equals(ivBytes, lastEncIv) && |
|
MessageDigest.isEqual(keyBytes, lastEncKey); |
|
if (requireReinit) { |
|
throw new InvalidAlgorithmParameterException |
|
("Cannot reuse iv for GCM encryption"); |
|
} |
|
lastEncIv = ivBytes; |
|
lastEncKey = keyBytes; |
|
} |
|
((GaloisCounterMode) cipher).init |
|
(decrypting, algorithm, keyBytes, ivBytes, tagLen); |
|
} else { |
|
cipher.init(decrypting, algorithm, keyBytes, ivBytes); |
|
} |
|
// skip checking key+iv from now on until after doFinal() |
|
requireReinit = false; |
|
} |
|
void init(int opmode, Key key, AlgorithmParameters params, |
|
SecureRandom random) |
|
throws InvalidKeyException, InvalidAlgorithmParameterException { |
|
AlgorithmParameterSpec spec = null; |
|
String paramType = null; |
|
if (params != null) { |
|
try { |
|
if (cipherMode == GCM_MODE) { |
|
paramType = "GCM"; |
|
spec = params.getParameterSpec(GCMParameterSpec.class); |
|
} else { |
|
// NOTE: RC2 parameters are always handled through |
|
// init(..., AlgorithmParameterSpec,...) method, so |
|
// we can assume IvParameterSpec type here. |
|
paramType = "IV"; |
|
spec = params.getParameterSpec(IvParameterSpec.class); |
|
} |
|
} catch (InvalidParameterSpecException ipse) { |
|
throw new InvalidAlgorithmParameterException |
|
("Wrong parameter type: " + paramType + " expected"); |
|
} |
|
} |
|
init(opmode, key, spec, random); |
|
} |
|
/** |
|
* Return the key bytes of the specified key. Throw an InvalidKeyException |
|
* if the key is not usable. |
|
*/ |
|
static byte[] getKeyBytes(Key key) throws InvalidKeyException { |
|
if (key == null) { |
|
throw new InvalidKeyException("No key given"); |
|
} |
|
// note: key.getFormat() may return null |
|
if (!"RAW".equalsIgnoreCase(key.getFormat())) { |
|
throw new InvalidKeyException("Wrong format: RAW bytes needed"); |
|
} |
|
byte[] keyBytes = key.getEncoded(); |
|
if (keyBytes == null) { |
|
throw new InvalidKeyException("RAW key bytes missing"); |
|
} |
|
return keyBytes; |
|
} |
|
/** |
|
* Continues a multiple-part encryption or decryption operation |
|
* (depending on how this cipher was initialized), processing another data |
|
* part. |
|
* |
|
* <p>The first <code>inputLen</code> bytes in the <code>input</code> |
|
* buffer, starting at <code>inputOffset</code>, are processed, and the |
|
* result is stored in a new buffer. |
|
* |
|
* @param input the input buffer |
|
* @param inputOffset the offset in <code>input</code> where the input |
|
* starts |
|
* @param inputLen the input length |
|
* |
|
* @return the new buffer with the result |
|
* |
|
* @exception IllegalStateException if this cipher is in a wrong state |
|
* (e.g., has not been initialized) |
|
*/ |
|
byte[] update(byte[] input, int inputOffset, int inputLen) { |
|
if (requireReinit) { |
|
throw new IllegalStateException |
|
("Must use either different key or iv for GCM encryption"); |
|
} |
|
byte[] output = null; |
|
try { |
|
output = new byte[getOutputSizeByOperation(inputLen, false)]; |
|
int len = update(input, inputOffset, inputLen, output, |
|
0); |
|
if (len == output.length) { |
|
return output; |
|
} else { |
|
return Arrays.copyOf(output, len); |
|
} |
|
} catch (ShortBufferException e) { |
|
// should never happen |
|
throw new ProviderException("Unexpected exception", e); |
|
} |
|
} |
|
/** |
|
* Continues a multiple-part encryption or decryption operation |
|
* (depending on how this cipher was initialized), processing another data |
|
* part. |
|
* |
|
* <p>The first <code>inputLen</code> bytes in the <code>input</code> |
|
* buffer, starting at <code>inputOffset</code>, are processed, and the |
|
* result is stored in the <code>output</code> buffer, starting at |
|
* <code>outputOffset</code>. |
|
* |
|
* @param input the input buffer |
|
* @param inputOffset the offset in <code>input</code> where the input |
|
* starts |
|
* @param inputLen the input length |
|
* @param output the buffer for the result |
|
* @param outputOffset the offset in <code>output</code> where the result |
|
* is stored |
|
* |
|
* @return the number of bytes stored in <code>output</code> |
|
* |
|
* @exception ShortBufferException if the given output buffer is too small |
|
* to hold the result |
|
*/ |
|
int update(byte[] input, int inputOffset, int inputLen, byte[] output, |
|
int outputOffset) throws ShortBufferException { |
|
if (requireReinit) { |
|
throw new IllegalStateException |
|
("Must use either different key or iv for GCM encryption"); |
|
} |
|
// figure out how much can be sent to crypto function |
|
int len = Math.addExact(buffered, inputLen); |
|
len -= minBytes; |
|
if (padding != null && decrypting) { |
|
// do not include the padding bytes when decrypting |
|
len -= blockSize; |
|
} |
|
// do not count the trailing bytes which do not make up a unit |
|
len = (len > 0 ? (len - (len % unitBytes)) : 0); |
|
// check output buffer capacity |
|
if ((output == null) || |
|
((output.length - outputOffset) < len)) { |
|
throw new ShortBufferException("Output buffer must be " |
|
+ "(at least) " + len |
|
+ " bytes long"); |
|
} |
|
int outLen = 0; |
|
if (len != 0) { // there is some work to do |
|
if ((input == output) |
|
&& (outputOffset - inputOffset < inputLen) |
|
&& (inputOffset - outputOffset < buffer.length)) { |
|
// copy 'input' out to avoid its content being |
|
// overwritten prematurely. |
|
input = Arrays.copyOfRange(input, inputOffset, |
|
Math.addExact(inputOffset, inputLen)); |
|
inputOffset = 0; |
|
} |
|
if (len <= buffered) { |
|
// all to-be-processed data are from 'buffer' |
|
if (decrypting) { |
|
outLen = cipher.decrypt(buffer, 0, len, output, outputOffset); |
|
} else { |
|
outLen = cipher.encrypt(buffer, 0, len, output, outputOffset); |
|
} |
|
buffered -= len; |
|
if (buffered != 0) { |
|
System.arraycopy(buffer, len, buffer, 0, buffered); |
|
} |
|
} else { // len > buffered |
|
int inputConsumed = len - buffered; |
|
int temp; |
|
if (buffered > 0) { |
|
int bufferCapacity = buffer.length - buffered; |
|
if (bufferCapacity != 0) { |
|
temp = Math.min(bufferCapacity, inputConsumed); |
|
if (unitBytes != blockSize) { |
|
temp -= (Math.addExact(buffered, temp) % unitBytes); |
|
} |
|
System.arraycopy(input, inputOffset, buffer, buffered, temp); |
|
inputOffset = Math.addExact(inputOffset, temp); |
|
inputConsumed -= temp; |
|
inputLen -= temp; |
|
buffered = Math.addExact(buffered, temp); |
|
} |
|
// process 'buffer' |
|
if (decrypting) { |
|
outLen = cipher.decrypt(buffer, 0, buffered, output, outputOffset); |
|
} else { |
|
outLen = cipher.encrypt(buffer, 0, buffered, output, outputOffset); |
|
} |
|
outputOffset = Math.addExact(outputOffset, outLen); |
|
buffered = 0; |
|
} |
|
if (inputConsumed > 0) { // still has input to process |
|
if (decrypting) { |
|
outLen += cipher.decrypt(input, inputOffset, inputConsumed, |
|
output, outputOffset); |
|
} else { |
|
outLen += cipher.encrypt(input, inputOffset, inputConsumed, |
|
output, outputOffset); |
|
} |
|
inputOffset += inputConsumed; |
|
inputLen -= inputConsumed; |
|
} |
|
} |
|
// Let's keep track of how many bytes are needed to make |
|
// the total input length a multiple of blocksize when |
|
// padding is applied |
|
if (unitBytes != blockSize) { |
|
if (len < diffBlocksize) { |
|
diffBlocksize -= len; |
|
} else { |
|
diffBlocksize = blockSize - |
|
((len - diffBlocksize) % blockSize); |
|
} |
|
} |
|
} |
|
// Store remaining input into 'buffer' again |
|
if (inputLen > 0) { |
|
System.arraycopy(input, inputOffset, buffer, buffered, |
|
inputLen); |
|
buffered = Math.addExact(buffered, inputLen); |
|
} |
|
return outLen; |
|
} |
|
/** |
|
* Encrypts or decrypts data in a single-part operation, |
|
* or finishes a multiple-part operation. |
|
* The data is encrypted or decrypted, depending on how this cipher was |
|
* initialized. |
|
* |
|
* <p>The first <code>inputLen</code> bytes in the <code>input</code> |
|
* buffer, starting at <code>inputOffset</code>, and any input bytes that |
|
* may have been buffered during a previous <code>update</code> operation, |
|
* are processed, with padding (if requested) being applied. |
|
* The result is stored in a new buffer. |
|
* |
|
* <p>The cipher is reset to its initial state (uninitialized) after this |
|
* call. |
|
* |
|
* @param input the input buffer |
|
* @param inputOffset the offset in <code>input</code> where the input |
|
* starts |
|
* @param inputLen the input length |
|
* |
|
* @return the new buffer with the result |
|
* |
|
* @exception IllegalBlockSizeException if this cipher is a block cipher, |
|
* no padding has been requested (only in encryption mode), and the total |
|
* input length of the data processed by this cipher is not a multiple of |
|
* block size |
|
* @exception BadPaddingException if this cipher is in decryption mode, |
|
* and (un)padding has been requested, but the decrypted data is not |
|
* bounded by the appropriate padding bytes |
|
*/ |
|
byte[] doFinal(byte[] input, int inputOffset, int inputLen) |
|
throws IllegalBlockSizeException, BadPaddingException { |
|
byte[] output = null; |
|
try { |
|
output = new byte[getOutputSizeByOperation(inputLen, true)]; |
|
int len = doFinal(input, inputOffset, inputLen, output, 0); |
|
if (len < output.length) { |
|
return Arrays.copyOf(output, len); |
|
} else { |
|
return output; |
|
} |
|
} catch (ShortBufferException e) { |
|
// never thrown |
|
throw new ProviderException("Unexpected exception", e); |
|
} |
|
} |
|
/** |
|
* Encrypts or decrypts data in a single-part operation, |
|
* or finishes a multiple-part operation. |
|
* The data is encrypted or decrypted, depending on how this cipher was |
|
* initialized. |
|
* |
|
* <p>The first <code>inputLen</code> bytes in the <code>input</code> |
|
* buffer, starting at <code>inputOffset</code>, and any input bytes that |
|
* may have been buffered during a previous <code>update</code> operation, |
|
* are processed, with padding (if requested) being applied. |
|
* The result is stored in the <code>output</code> buffer, starting at |
|
* <code>outputOffset</code>. |
|
* |
|
* <p>The cipher is reset to its initial state (uninitialized) after this |
|
* call. |
|
* |
|
* @param input the input buffer |
|
* @param inputOffset the offset in <code>input</code> where the input |
|
* starts |
|
* @param inputLen the input length |
|
* @param output the buffer for the result |
|
* @param outputOffset the offset in <code>output</code> where the result |
|
* is stored |
|
* |
|
* @return the number of bytes stored in <code>output</code> |
|
* |
|
* @exception IllegalBlockSizeException if this cipher is a block cipher, |
|
* no padding has been requested (only in encryption mode), and the total |
|
* input length of the data processed by this cipher is not a multiple of |
|
* block size |
|
* @exception ShortBufferException if the given output buffer is too small |
|
* to hold the result |
|
* @exception BadPaddingException if this cipher is in decryption mode, |
|
* and (un)padding has been requested, but the decrypted data is not |
|
* bounded by the appropriate padding bytes |
|
*/ |
|
int doFinal(byte[] input, int inputOffset, int inputLen, byte[] output, |
|
int outputOffset) |
|
throws IllegalBlockSizeException, ShortBufferException, |
|
BadPaddingException { |
|
if (requireReinit) { |
|
throw new IllegalStateException |
|
("Must use either different key or iv for GCM encryption"); |
|
} |
|
int estOutSize = getOutputSizeByOperation(inputLen, true); |
|
// check output buffer capacity. |
|
// if we are decrypting with padding applied, we can perform this |
|
// check only after we have determined how many padding bytes there |
|
// are. |
|
int outputCapacity = output.length - outputOffset; |
|
int minOutSize = (decrypting? (estOutSize - blockSize):estOutSize); |
|
if ((output == null) || (outputCapacity < minOutSize)) { |
|
throw new ShortBufferException("Output buffer must be " |
|
+ "(at least) " + minOutSize + " bytes long"); |
|
} |
|
// calculate total input length |
|
int len = Math.addExact(buffered, inputLen); |
|
// calculate padding length |
|
int totalLen = Math.addExact(len, cipher.getBufferedLength()); |
|
int paddingLen = 0; |
|
// will the total input length be a multiple of blockSize? |
|
if (unitBytes != blockSize) { |
|
if (totalLen < diffBlocksize) { |
|
paddingLen = diffBlocksize - totalLen; |
|
} else { |
|
paddingLen = blockSize - |
|
((totalLen - diffBlocksize) % blockSize); |
|
} |
|
} else if (padding != null) { |
|
paddingLen = padding.padLength(totalLen); |
|
} |
|
if (decrypting && (padding != null) && |
|
(paddingLen > 0) && (paddingLen != blockSize)) { |
|
throw new IllegalBlockSizeException |
|
("Input length must be multiple of " + blockSize + |
|
" when decrypting with padded cipher"); |
|
} |
|
/* |
|
* prepare the final input, assemble a new buffer if any |
|
* of the following is true: |
|
* - 'input' and 'output' are the same buffer |
|
* - there are internally buffered bytes |
|
* - doing encryption and padding is needed |
|
*/ |
|
byte[] finalBuf = input; |
|
int finalOffset = inputOffset; |
|
int finalBufLen = inputLen; |
|
if ((buffered != 0) || (!decrypting && padding != null) || |
|
((input == output) |
|
&& (outputOffset - inputOffset < inputLen) |
|
&& (inputOffset - outputOffset < buffer.length))) { |
|
if (decrypting || padding == null) { |
|
paddingLen = 0; |
|
} |
|
finalBuf = new byte[Math.addExact(len, paddingLen)]; |
|
finalOffset = 0; |
|
if (buffered != 0) { |
|
System.arraycopy(buffer, 0, finalBuf, 0, buffered); |
|
} |
|
if (inputLen != 0) { |
|
System.arraycopy(input, inputOffset, finalBuf, |
|
buffered, inputLen); |
|
} |
|
if (paddingLen != 0) { |
|
padding.padWithLen(finalBuf, Math.addExact(buffered, inputLen), paddingLen); |
|
} |
|
finalBufLen = finalBuf.length; |
|
} |
|
int outLen = 0; |
|
if (decrypting) { |
|
// if the size of specified output buffer is less than |
|
// the length of the cipher text, then the current |
|
// content of cipher has to be preserved in order for |
|
// users to retry the call with a larger buffer in the |
|
// case of ShortBufferException. |
|
if (outputCapacity < estOutSize) { |
|
cipher.save(); |
|
} |
|
// create temporary output buffer so that only "real" |
|
// data bytes are passed to user's output buffer. |
|
byte[] outWithPadding = new byte[estOutSize]; |
|
outLen = finalNoPadding(finalBuf, finalOffset, outWithPadding, |
|
0, finalBufLen); |
|
if (padding != null) { |
|
int padStart = padding.unpad(outWithPadding, 0, outLen); |
|
if (padStart < 0) { |
|
throw new BadPaddingException("Given final block not " + |
|
"properly padded. Such issues can arise if a bad key " + |
|
"is used during decryption."); |
|
} |
|
outLen = padStart; |
|
} |
|
if (outputCapacity < outLen) { |
|
// restore so users can retry with a larger buffer |
|
cipher.restore(); |
|
throw new ShortBufferException("Output buffer too short: " |
|
+ (outputCapacity) |
|
+ " bytes given, " + outLen |
|
+ " bytes needed"); |
|
} |
|
// copy the result into user-supplied output buffer |
|
System.arraycopy(outWithPadding, 0, output, outputOffset, outLen); |
|
} else { // encrypting |
|
try { |
|
outLen = finalNoPadding(finalBuf, finalOffset, output, |
|
outputOffset, finalBufLen); |
|
} finally { |
|
// reset after doFinal() for GCM encryption |
|
requireReinit = (cipherMode == GCM_MODE); |
|
} |
|
} |
|
buffered = 0; |
|
diffBlocksize = blockSize; |
|
if (cipherMode != ECB_MODE) { |
|
cipher.reset(); |
|
} |
|
return outLen; |
|
} |
|
private int finalNoPadding(byte[] in, int inOfs, byte[] out, int outOfs, |
|
int len) |
|
throws IllegalBlockSizeException, AEADBadTagException, |
|
ShortBufferException { |
|
if ((cipherMode != GCM_MODE) && (in == null || len == 0)) { |
|
return 0; |
|
} |
|
if ((cipherMode != CFB_MODE) && (cipherMode != OFB_MODE) && |
|
(cipherMode != GCM_MODE) && |
|
((len % unitBytes) != 0) && (cipherMode != CTS_MODE)) { |
|
if (padding != null) { |
|
throw new IllegalBlockSizeException |
|
("Input length (with padding) not multiple of " + |
|
unitBytes + " bytes"); |
|
} else { |
|
throw new IllegalBlockSizeException |
|
("Input length not multiple of " + unitBytes |
|
+ " bytes"); |
|
} |
|
} |
|
int outLen = 0; |
|
if (decrypting) { |
|
outLen = cipher.decryptFinal(in, inOfs, len, out, outOfs); |
|
} else { |
|
outLen = cipher.encryptFinal(in, inOfs, len, out, outOfs); |
|
} |
|
return outLen; |
|
} |
|
// Note: Wrap() and Unwrap() are the same in |
|
// each of SunJCE CipherSpi implementation classes. |
|
// They are duplicated due to export control requirements: |
|
// All CipherSpi implementation must be final. |
|
/** |
|
* Wrap a key. |
|
* |
|
* @param key the key to be wrapped. |
|
* |
|
* @return the wrapped key. |
|
* |
|
* @exception IllegalBlockSizeException if this cipher is a block |
|
* cipher, no padding has been requested, and the length of the |
|
* encoding of the key to be wrapped is not a |
|
* multiple of the block size. |
|
* |
|
* @exception InvalidKeyException if it is impossible or unsafe to |
|
* wrap the key with this cipher (e.g., a hardware protected key is |
|
* being passed to a software only cipher). |
|
*/ |
|
byte[] wrap(Key key) |
|
throws IllegalBlockSizeException, InvalidKeyException { |
|
byte[] result = null; |
|
try { |
|
byte[] encodedKey = key.getEncoded(); |
|
if ((encodedKey == null) || (encodedKey.length == 0)) { |
|
throw new InvalidKeyException("Cannot get an encoding of " + |
|
"the key to be wrapped"); |
|
} |
|
result = doFinal(encodedKey, 0, encodedKey.length); |
|
} catch (BadPaddingException e) { |
|
// Should never happen |
|
} |
|
return result; |
|
} |
|
/** |
|
* Unwrap a previously wrapped key. |
|
* |
|
* @param wrappedKey the key to be unwrapped. |
|
* |
|
* @param wrappedKeyAlgorithm the algorithm the wrapped key is for. |
|
* |
|
* @param wrappedKeyType the type of the wrapped key. |
|
* This is one of <code>Cipher.SECRET_KEY</code>, |
|
* <code>Cipher.PRIVATE_KEY</code>, or <code>Cipher.PUBLIC_KEY</code>. |
|
* |
|
* @return the unwrapped key. |
|
* |
|
* @exception NoSuchAlgorithmException if no installed providers |
|
* can create keys of type <code>wrappedKeyType</code> for the |
|
* <code>wrappedKeyAlgorithm</code>. |
|
* |
|
* @exception InvalidKeyException if <code>wrappedKey</code> does not |
|
* represent a wrapped key of type <code>wrappedKeyType</code> for |
|
* the <code>wrappedKeyAlgorithm</code>. |
|
*/ |
|
Key unwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, |
|
int wrappedKeyType) |
|
throws InvalidKeyException, NoSuchAlgorithmException { |
|
byte[] encodedKey; |
|
try { |
|
encodedKey = doFinal(wrappedKey, 0, wrappedKey.length); |
|
} catch (BadPaddingException ePadding) { |
|
throw new InvalidKeyException("The wrapped key is not padded " + |
|
"correctly"); |
|
} catch (IllegalBlockSizeException eBlockSize) { |
|
throw new InvalidKeyException("The wrapped key does not have " + |
|
"the correct length"); |
|
} |
|
return ConstructKeys.constructKey(encodedKey, wrappedKeyAlgorithm, |
|
wrappedKeyType); |
|
} |
|
/** |
|
* Continues a multi-part update of the Additional Authentication |
|
* Data (AAD), using a subset of the provided buffer. |
|
* <p> |
|
* Calls to this method provide AAD to the cipher when operating in |
|
* modes such as AEAD (GCM/CCM). If this cipher is operating in |
|
* either GCM or CCM mode, all AAD must be supplied before beginning |
|
* operations on the ciphertext (via the {@code update} and {@code |
|
* doFinal} methods). |
|
* |
|
* @param src the buffer containing the AAD |
|
* @param offset the offset in {@code src} where the AAD input starts |
|
* @param len the number of AAD bytes |
|
* |
|
* @throws IllegalStateException if this cipher is in a wrong state |
|
* (e.g., has not been initialized), does not accept AAD, or if |
|
* operating in either GCM or CCM mode and one of the {@code update} |
|
* methods has already been called for the active |
|
* encryption/decryption operation |
|
* @throws UnsupportedOperationException if this method |
|
* has not been overridden by an implementation |
|
* |
|
* @since 1.8 |
|
*/ |
|
void updateAAD(byte[] src, int offset, int len) { |
|
if (requireReinit) { |
|
throw new IllegalStateException |
|
("Must use either different key or iv for GCM encryption"); |
|
} |
|
cipher.updateAAD(src, offset, len); |
|
} |
|
} |